[Mediawiki-l] Possible SQL Injection

Liz Kim shutup270 at gmail.com
Mon Aug 3 21:47:29 UTC 2009


This may be more of an Apache question but was wondering if any other
MediaWiki users have seen this...

There was someone who we assume has been trying to break into our web system,
requesting URLs such as

/index.php?title=%53%70%65%63%69%61%6C%3A%52%65%63%65%6E%74%63%68%61%6E%67%65%73&days=14&limit=100&hidepatrolled=1%27%2F%2A%4E%2A%2F%6F%72%2F%2A%4E%2A%2F1%3D1%2F%2A%4E%2A%2F%61%6E%64%2F%2A%4E%2A%2F1%3D1%2F%2A%4E%2A%2F%61%6E%64%2F%2A%4E%2A%2F2%3D2%2F%2A%4E%2A%2F%61%6E%64%2F%2A%4E%2A%2F%27%61%27%3D%27%61

which in turn really is...

/index.php?title=Special%3ARecentchanges&days=14&limit=100&hidepatrolled=1%27%2F*N*%2For%2F*N*%2F1%3D1%2F*N*%2Fand%2F*N*%2F1%3D1%2F*N*%2Fand%2F*N*%2F2%3D2%2F*N*%2Fand%2F*N*%2F%27a%27%3D%27a

Some requests look like possible SQL injections:

/index.php?title=Special%3ARecentchanges%2F*N*%2For%2F*N*%2F(select%2F*N*%2Fcount(*)%2F*N*%2Ffrom%2F*N*%2FINFORMATION_SCHEMA.tables%2F*N*%2Fwhere%2F*N*%2Fadmin_loginname%3Dadmin_loginname)%3D-1%2F*N*%2Fand%2F*N*%2F0%3D0&hidepatrolled=1&days=14&limit=100&hideanons=1

We haven't seen this happening in a while now, but we cannot be 100% positive
that the visitor was not successful in getting in.

Thanks!
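One way to decode and triage the probe URLs quoted above, as an added example that is not part of the original post and not MediaWiki's own code: it splits the query string, URL-decodes each parameter (repeating the decode until it stops changing, so a double-encoded payload such as `%2527` would also unwrap, which goes beyond what the quoted requests need), replaces the `/*N*/` inline comments the attacker uses in place of spaces, and then matches a few indicators. The three URLs are copied from the post; the indicator list (`SQLI_PATTERNS`) and the function names are assumptions for this illustration, and a match only says what was attempted, not that it worked.

```python
"""Decode and triage SQL-injection probe URLs from a web access log.

Added example for this thread; not code from MediaWiki or from the
original poster. PROBE_URLS are the requests quoted in the post.
The indicator regexes are an assumption about what to look for.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# The three request URLs quoted in the post (the first one, wrapped by
# the mailer, is joined back into a single line here).
PROBE_URLS = [
    "/index.php?title=%53%70%65%63%69%61%6C%3A%52%65%63%65%6E%74%63%68%61%6E%67%65%73"
    "&days=14&limit=100&hidepatrolled=1%27%2F%2A%4E%2A%2F%6F%72%2F%2A%4E%2A%2F1%3D1"
    "%2F%2A%4E%2A%2F%61%6E%64%2F%2A%4E%2A%2F1%3D1%2F%2A%4E%2A%2F%61%6E%64%2F%2A%4E%2A%2F2%3D2"
    "%2F%2A%4E%2A%2F%61%6E%64%2F%2A%4E%2A%2F%27%61%27%3D%27%61",
    "/index.php?title=Special%3ARecentchanges&days=14&limit=100&hidepatrolled=1%27%2F*N*%2For"
    "%2F*N*%2F1%3D1%2F*N*%2Fand%2F*N*%2F1%3D1%2F*N*%2Fand%2F*N*%2F2%3D2%2F*N*%2Fand%2F*N*%2F%27a%27%3D%27a",
    "/index.php?title=Special%3ARecentchanges%2F*N*%2For%2F*N*%2F(select%2F*N*%2Fcount(*)%2F*N*%2Ffrom"
    "%2F*N*%2FINFORMATION_SCHEMA.tables%2F*N*%2Fwhere%2F*N*%2Fadmin_loginname%3Dadmin_loginname)%3D-1"
    "%2F*N*%2Fand%2F*N*%2F0%3D0&hidepatrolled=1&days=14&limit=100&hideanons=1",
]

# Inline SQL comments used as whitespace (the /*N*/ in the probes).
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)

# Assumed indicators, applied to the decoded and comment-stripped value.
SQLI_PATTERNS = {
    # quote followed by OR/AND and an always-true comparison: ' or 1=1
    "tautology": re.compile(r"'\s*(?:or|and)\s+(?:\d+\s*=\s*\d+|'[^']*'\s*=\s*')", re.I),
    # a parenthesised subselect: (select ... from
    "subselect": re.compile(r"\(\s*select\b.*?\bfrom\b", re.I | re.S),
    # enumeration of the database catalogue
    "schema_probe": re.compile(r"\binformation_schema\b", re.I),
}


def decode_query(url):
    """Return {param: fully URL-decoded value} for one request URL."""
    decoded = {}
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl decodes once; keep decoding until nothing changes so
        # that a double-encoded payload (%2527 -> %27 -> ') also unwraps.
        while True:
            again = unquote(value)
            if again == value:
                break
            value = again
        decoded[key] = value
    return decoded


def normalise(value):
    """Turn each inline comment into a space and collapse runs of whitespace."""
    return re.sub(r"\s+", " ", COMMENT_RE.sub(" ", value)).strip()


def classify(url):
    """Return {param: [indicator names]} for every parameter that matches."""
    hits = {}
    for key, value in decode_query(url).items():
        norm = normalise(value)
        names = [name for name, rx in SQLI_PATTERNS.items() if rx.search(norm)]
        if names:
            hits[key] = names
    return hits


if __name__ == "__main__":
    for url in PROBE_URLS:
        for param, value in decode_query(url).items():
            print(f"{param} = {normalise(value)}")
        print("indicators:", classify(url))
        print()
```

Run against a real access log, the same `classify` call goes over the request column of each line; the output only shows which parameters carried a probe and of what kind. Whether the probe succeeded is a separate question that has to be answered from the responses (status codes, response sizes that differ from normal Special:RecentChanges pages) and from the database itself, not from the request alone.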

