Hi Contanio, Newer versions of DSpace (4.x or above) now use Apache Solr for all browse and search interfaces (instead of direct database access for browsing). This means that such a SQL injection attack would no longer be possible (since the browse interface never even executes SQL, it simply queries the Solr indexes).
I should also mention that, per our DSpace Software Support Policy [1], all DSpace 1.x.x versions (including 1.8.3 and below) are "End of Life" (EOL). This means that, while we'll do our best to still help answer questions for 1.x.x versions, we no longer directly support or patch these older versions. Therefore, we do recommend upgrading to either 3.4, 4.3 or 5.1 (which are all still under support). These releases also patch several other security vulnerabilities recently discovered (see the release notes for each):

* 5.1 Release Notes: https://wiki.duraspace.org/display/DSDOC5x/Release+Notes
* 4.3 Release Notes: https://wiki.duraspace.org/display/DSDOC4x/Release+Notes
* 3.4 Release Notes: https://wiki.duraspace.org/display/DSPACE/DSpace+Release+3.4+Notes

Finally, if you are considering upgrading, please note that DSpace 5 now includes an easier upgrade process. It will automatically upgrade/migrate your existing data (i.e. database contents, search/browse indexes) from any prior version of DSpace (1.x.x, 3.x or 4.x).

Good luck,
Tim

[1] DSpace Software Support Policy: https://wiki.duraspace.org/display/DSPACE/DSpace+Software+Support+Policy

On 2/27/2015 3:55 AM, cotanio wrote:
> Hi everyone,
>
> We have recently received attempts to compromise the security of our
> repository DSpace (v 1.6.2) via SQL Injection attacks using TOR. We have
> seen access to:
>
> [dspace_url]/browse
>
> Some hosts are:
>
> tor-exit-node.7by7.de
> tor-exit.mensrea.org
> tor2.t-3.net
> ..........
>
> Have you been attacked by this or similar type? Is there a patch or newer
> versions of DSpace that solve this problem?
>
> Thanks in advance,
>
> A greeting.
>
> --
> View this message in context:
> http://dspace.2283337.n4.nabble.com/TOR-SQL-injection-attack-tp4676813.html
> Sent from the DSpace - Tech mailing list archive at Nabble.com.
_______________________________________________
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
List Etiquette: https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
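Added example, not part of the thread above and not DSpace project code: a small log scanner that does what cotanio's report implies an administrator had to do by hand, namely pick out requests to the `/browse` endpoint whose query parameters carry SQL-injection markers, and separately note hits from the exit-node hostnames listed in the post. The log format (Apache/Tomcat combined format with a resolved client hostname), the parameter names `type` and `starts_with`, and the four sample log lines are all constructed for illustration; the three hostnames in `KNOWN_EXIT_HOSTS` are the ones quoted in the thread, and a real deployment would load a maintained exit-node list instead.

```python
"""Flag access-log entries that look like SQL-injection probes against DSpace /browse.

Added example (not from the mailing-list thread or from DSpace). Assumptions:
combined log format with a resolved hostname in the client field; sample lines
below are constructed; hostnames come from the original report.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Hostnames quoted in the original post. A production scanner would replace
# this with a regularly refreshed exit-node list rather than a hard-coded set.
KNOWN_EXIT_HOSTS = {"tor-exit-node.7by7.de", "tor-exit.mensrea.org", "tor2.t-3.net"}

# Combined log format: host ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# Markers typical of injection probes once the parameter value is URL-decoded:
# a stray quote, a comment opener, a statement separator, or an SQL keyword
# used as a word followed by whitespace.
SQLI_RE = re.compile(r"('|--|;|/\*|\b(?:union|select|or|and)\b\s+)", re.IGNORECASE)

# Constructed sample log (not real traffic); parameter names are assumed.
SAMPLE_LOG = [
    'tor-exit-node.7by7.de - - [27/Feb/2015:03:40:11 +0100] "GET /dspace/browse?type=title&starts_with=a%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [27/Feb/2015:03:41:02 +0100] "GET /dspace/browse?type=author&starts_with=smith HTTP/1.1" 200 4096',
    'tor2.t-3.net - - [27/Feb/2015:03:42:30 +0100] "GET /dspace/handle/123456789/1 HTTP/1.1" 200 2048',
    '192.0.2.9 - - [27/Feb/2015:03:43:00 +0100] "GET /dspace/browse?type=title&starts_with=1%20union%20select%201 HTTP/1.1" 500 512',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["path"])
    rec["endpoint"] = parts.path
    # parse_qsl URL-decodes values, so the regex sees the probe as the server did.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return the reasons a parsed record looks suspicious (empty list if benign)."""
    reasons = []
    if rec["endpoint"].endswith("/browse"):
        for name, value in rec["params"]:
            if SQLI_RE.search(value):
                reasons.append(f"sqli-marker in {name}")
                break
    if rec["host"] in KNOWN_EXIT_HOSTS:
        reasons.append("known Tor exit host")
    return reasons


def scan(lines):
    """Scan log lines and return (host, endpoint, reasons) for every flagged entry."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec["host"], rec["endpoint"], reasons))
    return hits


if __name__ == "__main__":
    for host, endpoint, reasons in scan(SAMPLE_LOG):
        print(f"{host:25} {endpoint:30} {', '.join(reasons)}")
```

Two of the four constructed lines are flagged for the parameter content alone and one only because of its source host, which is the point of keeping the two signals separate: on a 1.x deployment the parameter check tells you whether anything reached the browse code, while the host check is merely a hint about origin. On 4.x and later, where (as Tim notes) browse is served from Solr, the same scanner is still useful for spotting probing activity even though the SQL path is no longer there.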