Blesta Addons, Posted August 22, 2017: In one of our Blesta installations, we have noticed that the client ID increment has jumped from the expected order to a much higher number. The client IDs were 4721, 4722 .... 4730, then it moved directly to 11784 ... then 117845, 11786 .... How can this happen? Blesta? A MySQL issue?
Paul, Posted August 22, 2017: I've seen that happen due to pen testing. A malicious user may be running penetration tests on your order form. The creation of a client account fails, but a transaction is created and rolled back in MySQL. If a transaction is rolled back, the auto-increment ID still cannot be used again. (See https://bugs.mysql.com/bug.php?id=6714, though not a bug, as indicated by the comments.) So, you should check your web server logs and/or block any attackers with mod_security or firewall rules.
Tyson, Posted August 22, 2017: It sounds like someone may have been trying to create thousands of accounts in Blesta from the order form. Creating a client happens in a database transaction, but when that transaction is rolled back the records will not exist in the database, while the auto-increment primary keys will still increase.
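Paul suggests checking the web server logs for whoever is hammering the order form, and Tyson describes the symptom as a burst of failed signups. The following is an added example (not code from the thread or from Blesta) that scans constructed Apache/nginx combined-format access-log lines and flags any client IP that POSTs to the signup path more than a threshold number of times inside a sliding one-minute window. The signup path `/order/signup` is an assumption; substitute the installation's real order-form URL.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SIGNUP_PATH = "/order/signup"  # assumption: adjust to the real Blesta order-form path

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def find_signup_floods(lines, window=timedelta(minutes=1), threshold=5):
    """Map each IP to its peak number of signup POSTs within any `window`, for IPs at or over `threshold`."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].startswith(SIGNUP_PATH):
            posts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

# Constructed sample log: one IP submits the signup form six times in 20 seconds
# (plus one more two minutes later), another IP views the form and submits once.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Aug/2017:10:15:01 +0000] "POST /order/signup HTTP/1.1" 200 512
203.0.113.7 - - [22/Aug/2017:10:15:03 +0000] "POST /order/signup HTTP/1.1" 200 512
203.0.113.7 - - [22/Aug/2017:10:15:05 +0000] "POST /order/signup HTTP/1.1" 200 512
203.0.113.7 - - [22/Aug/2017:10:15:08 +0000] "POST /order/signup HTTP/1.1" 200 512
203.0.113.7 - - [22/Aug/2017:10:15:12 +0000] "POST /order/signup HTTP/1.1" 200 512
203.0.113.7 - - [22/Aug/2017:10:15:20 +0000] "POST /order/signup HTTP/1.1" 200 512
203.0.113.7 - - [22/Aug/2017:10:17:00 +0000] "POST /order/signup HTTP/1.1" 200 512
198.51.100.2 - - [22/Aug/2017:10:16:25 +0000] "GET /order/signup HTTP/1.1" 200 4096
198.51.100.2 - - [22/Aug/2017:10:16:30 +0000] "POST /order/signup HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    print(find_signup_floods(SAMPLE_LOG.splitlines()))
```

Each flagged IP is a candidate for a firewall or mod_security rule, and the same peak count gives a rough idea of how many auto-increment values that burst consumed.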
Blesta Addons (Author), Posted August 22, 2017: I have noticed that the reCAPTCHA is not shown in the registration form; from the admin side it is enabled. I should investigate why it is not showing. Any mod_security rule to block such attacks? I don't use any mod_security rules, as the only website on the server is Blesta. EDIT: the captcha is showing well in every order form type except the client registration type, where the reCAPTCHA is not shown!!! I have found that the captcha was disabled in the client registration template.
Paul, Posted August 23, 2017: For mod_security, there are some popular rulesets you can use that do a pretty good job of blocking things across the board. I'd suggest watching it for a little while to make sure there are no false positives, though. http://modsecurity.org/rules.html
Amit Kumar Mishra, Posted October 2, 2018: Just wondering why the client ID is not set to the MySQL auto-incremented ID; this may prevent it from happening. As for multi-company, you may still have the present auto-increment value set as the client ID, or maybe fetch the client ID from the incremented MySQL value, like get the present ID and set it as the client ID. Not sure if this will be a big task or some small patch; may the coders reply on this.
Tyson, Posted October 2, 2018: The client ID already is the auto-increment ID. That value increments every time a record is added, whether it was a part of a failed transaction or not.