Expand my Community achievements bar.

SOLVED

Unexpected values from Adobe New/Repeat Visitor plug-in

Avatar

Level 1
Level 1
12/20/22 2:23:12 PM

Starting in November we saw Adobe capture weird values in the eVar we have set up for New/Repeat visitor that uses the plug-in. Here are some examples:

New'and(select*from(select+sleep(2))a/**/union/**/select+1)='
"New""and(select*from(select+sleep(2))a/**/union/**/select+1)="""
New'and(select'1'from/**/cast(md5(1952298297)as/**/int))>'0
"New""and(select*from(select+sleep(0))a/**/union/**/select+1)="""
New'and(select*from(select+sleep(0))a/**/union/**/select+1)='

 

The two instances in which this has happened, all values were captured on the same day, same time, same everything and are only one visit, one visitor, one everything. The only values that should show up should only be New, Repeat or Unspecified. Has anyone else come across this?

Views

266

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
12/20/22 9:30:26 PM

That looks like someone was running a web vulnerability test on your website (or actively trying to hack your website to find SQL Injection vulnerabilities).

 

This is not a result of the plugin; but rather a result of a tool trying to check for SQL Injection vulnerabilities by inserting SQL code everywhere possible.

 

I suspect this was the result of a internal security audit, a tool that will test benign SQL code and see if they get any results back that look like the SQL commands ran. Unfortunately, this sometimes results in Adobe dimensions unintentionally picking up those commands and storing them as text values.

 

You should check with your DevOps / IT / Security departments and see if they are the ones running the tests... if not, this could potentially be someone trying to find a vulnerability to exploit.... just because you see the commands in your data does not necessarily mean you are vulnerable; but if this wasn't your team, you should do your due diligence in trying to identify where it's coming from (and make sure that your site is secure).

View solution in original post

Views

256

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
1 Reply

Avatar

Correct answer by
Community Advisor
Community Advisor
12/20/22 9:30:26 PM

That looks like someone was running a web vulnerability test on your website (or actively trying to hack your website to find SQL Injection vulnerabilities).

 

This is not a result of the plugin; but rather a result of a tool trying to check for SQL Injection vulnerabilities by inserting SQL code everywhere possible.

 

I suspect this was the result of a internal security audit, a tool that will test benign SQL code and see if they get any results back that look like the SQL commands ran. Unfortunately, this sometimes results in Adobe dimensions unintentionally picking up those commands and storing them as text values.

 

You should check with your DevOps / IT / Security departments and see if they are the ones running the tests... if not, this could potentially be someone trying to find a vulnerability to exploit.... just because you see the commands in your data does not necessarily mean you are vulnerable; but if this wasn't your team, you should do your due diligence in trying to identify where it's coming from (and make sure that your site is secure).

Views

257

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply