Half a Million Microsoft-Powered Sites Hit With SQL Injection

Titus Germanicus writes to tell us that a recent attack has compromised somewhere in the neighborhood of 500,000 pages with a SQL injection attack. The vulnerability seems to be limited to Microsoft's IIS webserver and is easily defeated by the end user with Firefox and "NoScript." "The automated attack takes advantage to the fact that Microsoft's IIS servers allow generic commands that don't require specific table-level arguments. However, the vulnerability is the result of poor data handling by the sites' creators, rather than a specific Microsoft flaw. In other words, there's no patch that's going to fix the issue, the problem is with the developers who failed follow well-established security practices for handling database input. The attack itself injects some malicious JavaScript code into every text field in your database, the Javascript then loads an external script that can compromise a user's PC." Ignoring corporate spin-doctoring, there seems to be plenty of blame to go around.

Microsoft's Official View of the Situation

[eldavojohn]

Ignoring corporate spin-doctoring there seems to be plenty of blame to go around.

Well, here [informationweek.com]'s a quote directly from Bill Sisk of Microsoft (seems to be in line with this blogger):

Microsoft (NSDQ: MSFT) on Friday found itself trying to clarify that it has nothing to do with the poor coding practices that have enabled a massive SQL injection attack to affect Web sites using Microsoft IIS Web Server and Microsoft SQL Server. "The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net, or Microsoft SQL technologies," said Bill Sisk, a communications manager at Microsoft, in a blog post. "SQL injection attacks enable malicious users to execute commands in an application's database." Sisk said that to defend against SQL injection attacks, developers should follow secure coding practices.

So if you want Microsoft's side of the story, they can't help it that people use bad coding practices.

As a coder, I don't agree with that. You make a tool/language/framework for developers, you better make it idiot proof. Example: C is far from idiot proof (seg fault!) but it's fast. Stupid fast. Unfortunately for C, there are more stupid coders out there like me than genuis coders out there like ... Donald Knuth. So you will see Java rise in popularity without ever being able to live up to speed of C.

Wow, for flaim retardant reasons, take the above paragraph as my meager opinion.

Re:

[duplicate-nickname]

So, I suppose all of the LAMP sites out there vulnerable to SQL injection are the fault of Microsoft too?

http://www.google.com/search?hl=en&q=site%3Asecurityfocus.com+php+sql+injection [google.com]

Re:

[pembo13]

No, they are the fault of Linux obviously. Isn't that the normal assertion?

Re:

[SCHecklerX]

One reason I use Embedded Perl [apache.org] and never bothered with learning PHP. It actually requires effort [apache.org] to not at least escape untrusted input.

Re:Microsoft's Official View of the Situation

[Dekortage]

Well, to quote from the Hackademix FAQ on this issue [hackademix.net]... "Crackers put together a clever SQL procedure capable of polluting any Microsoft SQL Server database in a generic way, with no need of knowing the specific table and fields layouts. There's no Microsoft-specific vulnerability involved: SQL injections can happpen (and do happen) on LAMP and other web application stacks as well. SQL injections, and therefore these infections, are caused by poor coding practices during web site development. Nonetheless, this mass automated epidemic is due to specific features of Microsoft databases, allowing the exploit code to be generic, rather than tailored for each single web site."

Re:

[Architect_sasyr]

Security, Usability, (Lack of) Cost. Pick Two.

I'm sure if Microsoft didn't have those features in their databases someone would complain about it pretty severely.

Also, why do we never see Oracle vulnerabilities making the front pages? During my pen-tests I am more likely to come across Oracle servers than SQL Sewer...

Re:

[gadzook33]

Thank you. I love when I have to read through comments to get a concise explanation of the problem.

Re:

[cheater512]

The thing is that only Microsoft servers are affected by this type of automated attack.

Its a Microsoft flaw in my book.

Re:

[Allador]

That is incorrect.

Only Microsoft servers are affected by this specific attack.

Nearly every language and/or platform in existence right now is capable of being hit by this type of automated attack.

Nearly every mainstream DB server allows things like INFORMATION_SCHEMA or similar metadata to be accessed in this way to generically hit all tables in a db/schema.

Every single web-based language that I've ever seen is quite capable (trivial even) to create sql-injection vulnerable pages.

MS SQL Server is particularly vulnerable

[butlerm]

Microsoft SQL Server is particularly vulnerable to SQL injection in a way that most other databases aren't. The problem is multiple statement execution just by inserting semicolons.

Catalog access isn't much of a vulnerability if an attacker cannot trivially execute SQL ad lib. with a single unchecked parameter.

Re:

[Allador]

Microsoft SQL Server is particularly vulnerable to SQL injection in a way that most other databases aren't. The problem is multiple statement execution just by inserting semicolons.

That is incorrect.

Most mainstream databases allow you to do this. Oracle and MySQL off the top of my head that I've personally done this on.

Some db adapter libraries (like one of the real simple ones in PHP for MySQL) dont let both statements get through and/or throw an error, and/or cant handle multiple result sets.

But keep in mind, an attack like this doesnt require both statements to be run in the same batch or in the same transaction, since there's no connection between the two and no result set from

Re:

[Allador]

Whoops, unclosed quote tag there.

The last three paragraphs are mine, responding to the quoted fourth-from-last.

Re:

[butlerm]

My point is that with Oracle, DB2, PostgreSQL one has to construct a compound SQL statement as a block starting with BEGIN and terminating with an END. That makes it very difficult to inject a second SQL statement. MS SQL does not have this requirement, hence the (much increased) vulnerability.

That said, I wouldn't be completely surprised if some Microsoft ADO drivers for the above databases add the same "feature" in the name of SQL Server compatibility. As for myself, I avoid Microsoft server technologie

Re:Microsoft's Official View of the Situation

[techno-vampire]

You make a tool/language/framework for developers, you better make it idiot proof

Why? It's not their responsibility to see to it that you can't write bad code for their program any more than it's the responsibility of car manufacturers to build cars that can't crash no matter how they're driven. There's only so much MSFT can do to protect lusers against their own stupidity, and if badly trained developers write vulnerable code, it's their own damned fault. I'm no Microsoft fanboi, but even I only bash them when they deserve it.

Re:

[Nefarious Wheel]

any more than it's the responsibility of car manufacturers to build cars that can't crash no matter how they're driven

Ref. "Unsafe at any speed" (R.Nader) and contrasting opinion "Safe at any speed" (L.Niven). The latter story was deliberate satire. Flying your car into a Roc can be inconvenient.

Re:

[Cal Paterson]

Ref. "National Highway Traffic Safety Administration" [wikipedia.org].

I'm aware this is pretty tangential, but I found it interesting that the Corvair was eventually rated to be a pretty reasonable car by the government body that Nader's book created.

Re:

[Nefarious Wheel]

Yes -- in particular I thought the later cars were a good design, and still do. They moved from swing axles to half shafts and that cured their handling woes. Nice little turbocharged mid-engine flat six, could have been a Porsche competitor if GM had just stuck to their guns and took credit for the improvement in quality instead of pretending it never happened. I guess that would have given credit to some outside person, though -- nobody outside the corporation can ever be "right". ./offtopic

Re:

[0racle]

Do you post something similar when it's a PHP app on Apache being exploited with a SQL injection and the PHP authors say it's not their fault a whole bunch of their users are idiots?

Microsoft provides a platform, that platform has problems, but in this case the platform had nothing to do with what happened. This rests entirely on web developers who didn't bother to do things correctly.

Re:

[peragrin]

While I understand that why is it only MSFT IIS and MS SQL that's affected. If apache and MS SQL was being attacked and it has happened then i could fully understand it, but only MS IIS, MS SQL sites are affected. while the flaw may not be MSFT's sole fault how could 500,00 people setup a server wrong including the DHS? Maybe MSFT's history of poor coding and security practices lead to unsafe default options? security should always be over applied and then removed in layers.

Security like clothing works

Re:

[Allador]

why is it only MSFT IIS and MS SQL that's affected

Because the code they used is based on the MS-SQL particular dialect, with some MS-SQL specific conventions.

The malware authors could have trivially used INFORMATION_SCHEMA views rather than sysobjects, and this would have been a generic attack that would have worked against most mainstream db servers.

while the flaw may not be MSFT's sole fault how could 500,00 people setup a server wrong including the DHS?

This has nothing, zero, to do with server setup or configuration. This is purely and soley, only has to do with web app developers allowing uncleansed commands to be sent from a web-browser to the underlyin

Microsoft is at fault here

[butlerm]

That is not correct. MS SQL Server is vulnerable in a way that no other database that I am aware of (Sybase perhaps) due to the way it constructs compound statements.

Oracle is not vulnerable to this type of attack, nor is DB2, nor PostgreSQL. Some databases, like MySQL, are apparently only vulnerable when using a Microsoft ADO driver - same design mistake: support for compound statements without requiring block structure (BEGIN / END) allows trivial injection of arbitrary SQL.

Re:

[Allador]

This is incorrect.

I've personally made successful sql injection attacks (in-house pen testing, not black hatting) of this sort against a variety of other platforms that had nothing to do with Microsoft, including Oracle and MySQL.

I'm not going to go into details here as I already responded in more detail to another of your posts.

Re:

[butlerm]

Please explain how you would exploit the following purposely vulnerable example in Oracle, assuming you had arbitrary control over the employee_nbr variable:

string employee_nbr;

sql = "SELECT * FROM EMPLOYEE WHERE EMPLOYEE_ID = " + employee_nbr;
Execute(sql);

In MS SQL you could submit "1; DELETE FROM EMPLOYEE" and it would be game over. The same thing doesn't work in Oracle. The best you might do is submit "1 OR 1 = 1" and get information you weren't supposed to have.

Re:

[dedazo]

As a coder, I don't agree with that. You make a tool/language/framework for developers

So stock Java protects me from things like "SELECT * FROM users WHERE Name = 'eldavojohn'; DELETE FROM orders", correct?

Wait, it doesn't. Neither does PHP or Python or Perl.

So I guess you can spin it as this somehow being Microsoft's fault, and Slashdot can post it again (and maybe again tomorrow FTW), deliberately confusing pages vs sites and using titillating article titles and editorial bylines about how corporate

Re:

[Lobster Quadrille]

Actually, PHP's mysql engine won't run that query- you cannot execute more than one query in a single mysql_query() call.

There are plenty of ways around it, but your query will fail.

Re:

[ianare]

mysql_query() [php.net] sends an unique query (multiple queries are not supported)

A query being any command, anything after the ';' is not executed.

Re:Microsoft's Official View of the Situation

[Sancho]

As others have posted, it's pretty easy to prevent multiple instruction SQL injection. That's a function of the database driver, which Microsoft controls.

It's much harder to prevent injection of additional parameters e.g. typing ' or '1'='1 into the text box--that's something that will be language and developer dependent. From my very brief scan of the details of this vulnerability, it looks like it would have been prevented if Microsoft had disallowed multiple statements in the driver.

This page supports my interpretation. [hackademix.net] I note, specifically:

Attackers carefully weighted the easiest spot, being a combination of

        * ASP classic, due to the poor coding standards among the average VBScripters who hardly known about prepared statements (even though they are supported)
        * ADO as the DB client layer, allowing stacked queries (multiple SQL statements together in a single string), which are not supported, for instance, by JDBC or by the mysql_query() PHP API
        * Microsoft SQL Server, because its Transact SQL supports a rich feature set including loops, metadata enumeration and Dynamic SQL (crucial for generalization), and because itâ(TM)s the most common ASP database back-end with such high-end features.

Apparently, if stacked queries weren't allowed, this wouldn't nearly so easy to exploit.

Re:

[dedazo]

it looks like it would have been prevented if Microsoft had disallowed multiple statements in the driver.

So what you are saying is that (and quoting the article you reference) Microsoft is at fault for providing these "high end features"? Even considering that it's not necessary to write sloppy VBScript code, and that it's ridiculously easy to use ADO to put together parameterized database commands, regardless of how many resultsets they are supposed to return?

And that the lack of that feature is actual

Re:

[Sancho]

So what you are saying is that (and quoting the article you reference) Microsoft is at fault for providing these "high end features"?

No, that's not what I said. I said that Microsoft could have prevented it, not that they were at fault. There's a world of difference.

And that the lack of that feature is actually an advantage for platforms like PHP and Perl?

I think that the protection against multiple statements in the MySQL driver for PHP and Perl is an advantage, yes. Much in the same way that I would consider default-bounds checking in a language an advantage. It'd be even better if you could explicitly turn the feature off in order to use "unsafe" statements. The C API to MySQL allows this--I'm not sure if the PHP ver

Re:

[Allador]

You keep saying 'multiple statement protection' as if allowing multiple statements in a batch is a bad thing that should be prevented by any sane person.

Allowing multiple statements (and multiple active result sets) is a commonly used feature for many legitimate purposes. It's not something bad to be blocked. Nearly every major db platform provides this.

Some of the language-specific adapters to said sql servers never got around to implementing this feature, but its not blocked because its a security risk.

Re: SQL Server vulnerability

[butlerm]

The problem is not SQL Server's support of multiple statements, but rather the way they do it. Oracle supports multiple statements, but only in a PL/SQL begin end block, which is generally speaking impossible to inject.

SQL Server on the other hand is trivially exploitable if any parameter is unchecked, due to the way statements are chained together - no block syntax required, just a semicolon and anything goes after that.

Re:

[Jeff Molby]

So what you are saying is that (and quoting the article you reference) Microsoft is at fault for providing these "high end features"?

Like most MS security holes, the problem isn't that features are available, it's that they're turned on by default.

Re:

[ianare]

And that the lack of that feature is actually an advantage for platforms like PHP and Perl?

Yes. The proper way of running a large number of prepared statements is by using stored procedures.

Re:

[mrbluze]

As others have posted, it's pretty easy to prevent multiple instruction SQL injection. That's a function of the database driver, which Microsoft controls.

Actually, if we could wipe SQL off the face of the earth then we wouldn't have SQL injection attacks. I mean, for a person to be able to escape the bounds of a variable by simple insertion of code into a text field is pretty outrageous, really.

Whoever is walking around saying that they have a good product which requires programmers to use or even have to create(!) special functions to filter every bit of input to prevent injection attacks, is lying out of their posterior. It's not a good product.

Prepare

Re:

[Allador]

There are other simpler solutions that arent so painful or intrusive.

The easiest is just to use prepared/parameterized queries.

I think many of us have gone through the 'everything should be stored procedures' phase, but that really only works for a niche (albeit a large one) of app development.

Re:

[I'm Don Giovanni]

So the proper thing to do is to cut features, even if they have no inherent flaw, for fear that they might be exploited due to sloppy coding by others? That mindset has always bugged me. Seems backwards.

SQL Server is ridiculously vulnerable

[butlerm]

The problem here is that MS SQL Server supports multiple statements in the same prepare / execute block in an unsafe manner. Just insert a semicolon and off you go.

The safe way to support multiple statement execution ("query stacking") is with something like the block syntax of Oracle. Given a single unchecked entry field, the SQL Server syntax is trivially exploitable do anything the attacker wants.

Re:

[Chokolad]

> * Of course, it's not really meaningful to talk about a language protecting you from SQL injections; it's the database library that decides whether to send SQL to the database or not. I'm talking about the most popular libraries here (e.g. Perl's DBI).

And this is differnt from Microsoft offerings how?

Re:

[Qzukk]

It\\'s broken, it\\\\\'s restrictive for normal users, and is a bad idea in the same way that forgiving developer for using bad html was, but it\'s there. never used it, but I know because of some bug that it was introducing in an unrelated application.

Magic quotes is the absolute coolest thing since sliced arrays, or my name isn\\'t Jeffery O\\\\\\\\\\\\\\\\'Donnel!

Re:Microsoft's Official View of the Situation

[Sigma 7]

As a coder, I don't agree with that. You make a tool/language/framework for developers, you better make it idiot proof. Example: C is far from idiot proof (seg fault!) but it's fast.

A seg fault is a form of idiot proofing - it prevents rogue C-style pointers from ruining the system. The absence of seg fault means your program is overwriting various locations in memory, which potentially causes the system to crash.

If you need access to locations of memory normally protected by a seg-fault, your operating system normally provides a means to do so.

Right, but...

[Jeff Molby]

...it's weak idiot-proofing. Strong idiot-proofing makes it so the problem is never even encountered.

Re:

[TheThiefMaster]

A seg fault can happen if you try to read/write to a memory address which refers to some unmapped virtual memory, as well as it being a memory page that you don't have read/write permissions for.

In the former case there is quite literally no memory at that location to write to.

Dupe?

[TubeSteak]

500 Thousand MS Web Servers Hacked
Posted by kdawson on Friday April 25, @11:48AM
from the scream-and-shout dept.
http://it.slashdot.org/it/08/04/25/1358234.shtml [slashdot.org]

Re:Dupe?

[calebt3]

At least this one is more accurate in saying 500,000 web pages and not servers.

Re:

[pfleming]

You mean IIS can handle more than one site?

Re:

[mrbluze]

At least this one is more accurate in saying 500,000 web pages and not servers.

Yeah, for a minute I thought this was a veiled attempt at promoting Microsoft IIS as a viable product, suggesting that a lot of people were using it! Ha Ha!

Re:

[Cheapy]

/. has been quite good about dupes lately.

I think we can let it slide once and a while.

Seems familiar

[EvilGoodGuy]

Wasn't this exact item posted on Friday? http://it.slashdot.org/article.pl?sid=08/04/25/1358234 [slashdot.org]

Shameless Hibernate Plug

[eldavojohn]

You know, as an incompetent Java developer, I will take the time to explain why none of my web applications suffered from this.

I use Hibernate [hibernate.org]. I use it with Java, although I know it's now available for .NET.

A feature of Hibernate (aside from some efficient connection pooling and resource management like caching) is that you have to actually call a delete method to delete a row. Something like HibernateSession.delete(myObject); would have to be done. And while this might sound annoying or ruin some tools that are used to generate SQL statements, it protects me time and time again. Now, you can use HQL which is a bastardized version of SQL to generate similar things but, again, I think that you can't drop/delete in it (could be wrong, rarely use it).

Try passing part of an SQL string into an object property and then merge/save it into the HibernateSession. Doesn't do the SQL injection stuff the bad guys want it to. Of course, I still use regular expression common utilities to validate the input, but assuming you didn't do that ...

So why don't other people use Hibernate? Am I missing something about it that's bad?

Re:Shameless Hibernate Plug

[Cecil]

I can't speak about Hibernate specifically, but I can tell you what my first concern would be. Database frameworks usually tend to have trouble dealing with complex database designs, and if they can deal with them they are invariably much slower and less efficient than a SQL statement could be.

Some of these complexity and efficiency issues can be resolved by partial denormalization of the database design, but again, that introduces inefficiency.

Basically, the use of a high-level framework like that introduces significantly more difficulty into the already difficult problem of performance optimization. And for most people, performance is a more immediate and obvious problem that needs solving as opposed to security.

Another problem in my opinion is that there approximately a million and one different database abstraction layers like Hibernate out there. The lack of standardization makes it very difficult for any of them to gain any sort of critical mass of developers and documentation the way SQL has.

Re:

[njcoder]

I agree. Databases are complex for a reason. These tools seem to try and hide this complexity through abstraction. In doing so you lose access to some of the great features of the underlying database, which may be fine if you're using some crippled version of a database, but with more advanced databases you're locking yourself out of some great db features.

Re:

[Sancho]

Some of these complexity and efficiency issues can be resolved by partial denormalization of the database design, but again, that introduces inefficiency.

Which efficiency does this reduce? Normally, from a database perspective, normalizing increases data integrity at the expense of database efficiency, doesn't it?

Database frameworks can often deal with complex databases for read operations which, in this day and age, tend to be a high percentage of the operations that a database performs. They're probably worth using for read operations, and write operations where good performance isn't a requirement. You can always fall back on raw SQL (with stringently

Re:

[Aceticon]

Hibernate actually works best with a properly normalized database.

Performance also tends to be better than hand coded or generated SQL mostly because Hibernate comes loaded with all sorts of database access optimization (read caching, delayed writing, batch fetching, join queries to retrieve multiple related objects, etc) - which would either have to be explicitly implemented or at the very least integrated from multiple utility libraries when not using Hibernate.

The biggest downsides of Hibernate are:
- It

Re:Shameless ORM Bashing

[Foofoobar]

Yeah and ORM loads more data than you will need or use in comparison to a properly formed query moved to a separate db layer which has all the benefits of ORM with none of the bloat.

Re:

[Tim C]

Never mind Hibernate (which is great, but like all tools & frameworks only good as far as it goes and hardly faultless), just use PreparedStatemtents and the setXXX() methods and never worry about SQL injection again. This has been available since JDK1.2 ferchrisakes.

Seriously, the fact that in 2008 any site created by a "professional" web developer is vulnerable to SQL injection is little short of sickening.

Re:

[Blakey Rat]

The kind of people who write code susceptible to SQL Injection attacks don't read Slashdot, buddy. They don't go to programming classes, they don't read literature, they just do the absolute bare minimum to get by with their VB6 knowledge in the modern world.

Sorry, but that's the reality; anybody on Slashdot already knows what you're saying, and the type of people who code these bugs don't read Slashdot.

Re:

[syousef]

Hibernate has its limitations. I seem to have hit them a few times. Hibernate is great for doing simple things, but if you use any vendor specific features or really complex SQL, you may find yourself falling back to JDBC.

You are completely wrong about drop/delete in HQL. Instead of quoting references you don't have, here's the result of a quick Google search.

http://www.hibernate.org/hib_docs/reference/en/html/batch.html [hibernate.org]

Your ignorance tells me you have very simple database needs. That's the siutation in whi

Don't need Hibernate per se

[daBass]

Although I like OR-mapping frameworks, you don't need one to avoid SQL insertions. Plain old PreparedStatement in JDBC will do that job just fine also.

Re:

[Allador]

You could do this in hibernate as well. Hibernate allows you to run raw sql against the db (in addition to the HQL, you can also send raw SQL).

We've used this in the past where we had to do some fairly extreme performance optimizations for a hideous query across many joined tables, etc etc. The different db platforms required server-specific syntax to get it to perform adequately.

In addition, Hibernate is only avaialbe on Java and .NET.

This particular story is about ASP (not asp.net) pages getting hit, fo

Re:

[Cyberax]

I'm sorry. But what is 'relation model' you're speaking about?

ORM is just another way to work with database. It doesn't magically transform relative database into object database.

Dupe Dance

[jd]

Yay! We get a re-run of one of the more non-story events of recent times. The problem was spotted very quickly by IIS admins, as was noted before, and it's half a millon pages, not half a million sites. Well, unless all sites have one page and I've only been thinking they used hypertext links to more of their own content. It's unclear what percent of those sites were IIS, what were Apache (an easy server to misconfigure), and what were other web servers. Blaming it on IIS is easy, and there probably is some truth to the allegation that IIS has flaws when it comes to SQL support, but this time they almost (I said almost) have justification in crying foul when Microsoft gets blamed.

What I don't get, though, is not only does this dupe the earlier story, it dupes ALL OF THE ERRORS as well. Sheesh!

Re:

[pavera]

Wrong. This story is not the same one linked before, and it actually explains why this is an MS only problem (not all SQL injections just this one).

It is not an IIS problem it is a MS SQL Server "feature" whereby you can basically create a dynamic query that will go figure out your database schema for you, and dynamically perform updates on the table. This is not possible against Oracle, MySQL, or PostgreSQL, but MS SQL allows you to create a single query that can successfully attack any MS SQL database.

U

Had a problem once..

[thewils]

...with a user wanting to inject images from other websites into my pages.
I solved it quite nicely by translating any opening bracket to "ampersand-gt-;" (you know what I mean) and any urls were totally ignored after that.

It's a well known bug in IIS.

[dameron]

A buffer overflow in the dupcheck module leads to privilege elevation.

You can spot if pretty easily if you reload a backup from 4/25 and your web page keeps spamming out the same offensive links.

How does Apache avoid this?

[hellfire]

I'm not knowledgeable to answer this, but I know there has to be a good "in your face, Microsoft" reason why this doesn't hit servers like Apache? They point the finger at the websites and say "UR DOIN IT RONG!" and blame them. And yet, apache users don't have to worry about this. Why? That's the argument I want to have.

Re:

[graveyhead]

No such "in your face" reason exists. It's not Apache that matters here (or IIS I'm guessing), it's the database and interacting with it via some server side language.

So when someone appends a string to a query directly from a CGI variable (in an URL, after a questionmark - those are CGI vars ... blah.cgi?bar=baz) this can be used as an attack vector regardless of the platform. This error is super easy to make in PHP for example:

mysql_query('SELECT * FROM mytable WHERE foo = " . $_REQUEST['foo']);

What's hap

Re:

[Sancho]

That's close.

http://hackademix.net/2008/04/26/mass-attack-faq/#comment-7742 [hackademix.net] has a decent explanation of why this is primarily hitting IIS. SQL injection is common to many platforms, but Microsoft's database driver has some features that made it particularly easy to generalize the exploit. Specifically, prior knowledge of the table layout was apparently unnecessary to create the exploit, meaning that it was easy to hit a large number of websites in a short period of time.

Re:

[mingot]

Not really because apache is just as susceptible to this as any other web server.

Re:

[jd]

People have done SQL Injection attacks on Apache servers and probably most other servers. It seems as though this flaw is made easier on a misconfigured server, but you can misconfigure any software that uses a configuration file. It's easiest when the configuration isn't validated correctly, or when it's impossible to determine all invalid cases, or when a case may be invalid only under certan circumstances. All of these are bound to crop up on something like Apache.

Besides, there must be bugs elsewhere,

Re:

[Foofoobar]

Simple answer. mysql_real_escape_string [shiflett.org]. Instead of sanitizing data through the language which will miss byte encoded strings, alot of applications have switched to using MySQLs native mysql_real_escape_string which will catch these. Java sanitizes byte code strings as well I believe.

So it may be partially C# or just that Microsoft web devs are inherently 'dumber'.

Re:

[Foofoobar]

PHP developers? Ha! The vast majority of them would ruin us all. It's just that having worked in heterogenous shops and monogomous shops (always all Microsoft), Linux people understand protocols and multiple platforms and undecstand what they are doing and the underlying mechanics far better than their Microsoft counterparts; Linux people can learn Microsoft technologies but Microsoft people freezeup, freakout and panic when they have to work with an open protocol or something not handled for them by Micro

Re:

[Foofoobar]

You're the exception that proves the rule.

Re:

[Foofoobar]

Well if PHP had a decent way to do prepared statements like JAVA, I'd say 'hallelujah brother'. But they don't... and the current methodology allows for the same error of byte code strings to be entered. Which is why you have to use mysql_real_escape_string to avoid byte code strings being used for sql injection.

JAVA on the other hand is far more prepared (no pun intended) for this.

Re:

[Joe U]

Because the automated injection script was written for asp/asp.net and Apache rarely uses asp or asp.net.

Please scan your news sites for past and future php scripts if it makes you feel any better.

Re:

[cliveholloway]

There are two parts to this:

- no untainting of CGI data
- bad DB interaction practices

Now, I don't do ASP, so I'm unaware of the exact details, but in Perl (and any CGI language), it's always insane NOT to untaint your input submitted by users - even if (especially if!) you have set the values in hidden fields. Something like

my $id=0; # $id must be an integer under 100
$q->param('id') =~ /^(\d{1,2})$/
and $id = $1;


And, as to the SQL injection itself, if ASP doesn't have placehol

Re:

[Allador]

And, as to the SQL injection itself, if ASP doesn't have placeholders, I would blame MicroSoft. Interpolating fields into DB statements is just asking for trouble.

Using ASP/ADO/MSSQL there are several ways to protect against this.

1. Use prepared statements (also sometimes called parameterized queries, and what you're calling placeholders).

2. Use stored procedures and pass parameters.

3. Clean the form fields before putting them into your sql statement (the php approach, and also the least safe).

Re:

[ralphdaugherty]

And yet, apache users don't have to worry about this. Why? That's the argument I want to have.

Because the likely first step is bad guys in China scanning Google search results for web pages ending in .asp or .aspx. They then retrieve the pages and fill in forms with an SQL statement containing javascript code as a string and submit the page. All of this is automated.

In this case, it's SQL Server specific SQL syntax that retrieves field layouts for the database, then inserts thia attacker's javascript string

Coldfusion Anyone?

[oni]

Has anyone ever heard of a SQL injection vulnerability in a Coldfusion app? I know some smartass is going to say, "that's because nobody uses it" but that's not true. If there are a million ASP apps out there and 500,000 SQL injection vulnerabilities, then there have to be at least 100,000 coldfusion sites. Show me the 50,000 coldfusion SQL injections. Or show me 10,000, or 5,000 or even just 1.

I have some experience with coldfusion and it is my opinion that a SQL injection vulnerability is pretty diffi

Re:

[S'harien]

ColdFusion is most certainly vulnerable to SQL injection if you are not religiously using the CFQUERYPARAM tag inside your queries. Of course the database being queried needs to support multiple SQL statements in a single query (MySQL does, Access does not, can't speak for any others). http://www.adobe.com/devnet/coldfusion/articles/cfqueryparam.html [adobe.com]

Re:

[CodeBuster]

I have some experience with coldfusion

coldfusion is dead or dying. You are the first person that I have heard mention it in years. If people are going to choose a proprietary solution for their web application server needs then they generally choose IIS with ASP.NET; otherwise the choice is probably PHP on Apache or Ruby on Rails.

So maybe everyone should switch to a safer language, eh?

The problem here is not the language it is the use of that language in ways that are specifically warned against as being dangerous. The power to create complex applications brings with it the possibility of self-des

Re:

[oni]

coldfusion is dead or dying.

LOL. I guess you're the netcraft bot. Languages don't live or die based on what a bunch of fanboys with no actual programming skill put on their resume. **everybody** claims that know C++ but very few people do. By contrast, **nobody** bothers to put coldfusion on their resume unless they actually have experience with it. In other words, the numbers for the sexy (meaning, talked about on slashdot) languages are way over inflated, and the numbers for other languages are actua

Re:

[kiddygrinder]

nice idea, but i think the problem is more people doing things on the cheap instead of getting a real web dev so i don't think telling people to spend a large chunk of cash on coldfusion is going to fix it.

Re:

[Sancho]

If I were guessing, I'd say that Coldfusion has a fairly low market share. The main reason that I'd say this is that it's a) an expensive solution that b) isn't Microsoft.

Lots of people pick free solutions. Lots of people who don't pick free solutions know about IIS and MS SQL. They stick with Microsoft because it's the brand, and it's a one-stop shop for support. There are also a lot more VBS/.Net developers than Coldfusion ones, so developers will be cheaper.

That said, there are 38,000 hits from Googl

Re:

[XMyth]

I'd rather eat cat vomit than write web apps with ColdFusion.

Thanks for the suggestion though.

Quicky Question

[udippel]

From what I understand from just flippering through the summary,
The attack itself injects some malicious JavaScript code into every text field in your database, the Javascript then loads an external script that can compromise a user's PC
the infection requires that a local user on that database box browses the net, and hits a malicious site?

I really wonder, if users on database-running PC are supposed to browse the net, for pr0n, or what?

Am I correct that my fictitious boxen are free from danger, if I have n

Re:

[cervo]

I think you misunderstand the article. The attack injects javascript code into the text fields of the database. The attack is done by someone exploiting SQL injection on the website. Nothing to do with a web surfing account on the database computer. The attack inserts Javascript into every text field. If it was a message forum, this might be the from fields of an e-mail, the message text of posts, the subject fields of posts, etc.... Regular users using the forum are suddenly exposed to the javascript.

Re:

[UnknowingFool]

From my understanding, most sites employ a generic user for the db side of the things. The tricky part has to do with escape characters.

In my simple pseudo-example, I visit a shoe company site, ABC Shoes. They have a nifty product catalog search. As a hacker, I notice that the url string to search for green shoes contains: "select product_name from products where color='green'". I can change the url string to: "select product_name from products where color='green'; truncate users; insert into users (u

little-bobby-tables-strikes-again dept

[cyberstealth1024]

from the little-bobby-tables-strikes-again dept.

Awesome xkcd reference! http://xkcd.com/327/ [xkcd.com]

The only story here...

[NullProg]

Is that Linux, BSD, Sun, AIX, and whatever are just as vulnerable when it comes to dumb programmers.

The million dollar question is what platform and which web server is it easier to reinstall to get the site back up.
I think Linux and BSD have the advantage.

Enjoy,

Re:

[Skapare]

Is that Linux, BSD, Sun, AIX, and whatever are just as vulnerable when it comes to dumb programmers.

The million dollar question is what platform and which web server is it easier to reinstall to get the site back up.
I think Linux and BSD have the advantage.

Actually, the damage is to the database. The fix is to restore from a backup taken from before the attack, resyncronize with records sanitized for the inserted bad data, fix the vulnerable code, and bring the database and web application back up.

In related news...

[gmuslera]

Half a Millon Slashdot-Powered Stories Hit with Dupe Injection

This is NOT an IIS problem

[ShaunC]

The exploit in question has nothing to do with IIS, period, whatsoever. It's being targeted at servers that run IIS because those are the ones most likely to have SQL Server as their database back-end. Plenty of companies have deployed a Linux/Apache/PHP stack that talks to a SQL Server backend via FreeTDS [freetds.org], for example, and some of them will be getting hit by this, despite not running a single instance of IIS.

The query being used is exploiting features in Microsoft SQL Server, combined with a couple of external factors. Developers who have failed to check and sanitize user input, and DBAs who have not properly secured their databases. In order for your website to be owned through this attack:

1. You must be running Microsoft SQL Server as your database platform
2. Your web application must be vulnerable to SQL injection
3. The SQL Server user that your web application authenticates as must have SELECT and UPDATE access to the sysobjects table

Notice that nowhere in that list is IIS mentioned. In addition, plenty of shops meet the first criterion above, without meeting either of the other two. Unfortunately it's all too common that web applications are configured to use the "sa" account, or some functionally-equivalent clone thereof.

If your web application can query dbo.sysobjects and get anything other than "Server: Msg 229, Level 14, State 5, Line 1" in response, it's time to hire an additional DBA. If your web application allows random queries to be passed into SQL Server in the first place, it's time to hire an additional developer. In either case, make "security" a bullet-point on the job posting.

This IS an SQL problem (in part)

[Skapare]

I agree that this is not an IIS problem. IIS is just a convenient target. And it may also be the case that users of IIS are less likely to do proper data sanitation than those who can't use IIS. But I would argue that SQL is a major target of blame.

Long long ago when I first learned of SQL, it was described as a command line language which would allow people to do innovative database searches. I saw several examples of such. The lecturer was even typing them in manually. It sure looked like a really

Dynamic SQL was once an anomaly

[butlerm]

Twenty or so years ago, using dynamically generated SQL was expensive, slow, and hard to program. The vast majority of SQL applications were written with SQL statically embedded in C, FORTRAN, or COBOL dialects that had to be translated to the base language using a precompiler.

Parameters were bound by name to host language variables, and the precompiler handled the mapping to the underlying database library. Much more secure than dynamic SQL without bound parameters.

Of course as computers got faster, the p

Solutions

[tjstork]

Everyone keeps looking at this like it is an attack on IIS and SQL Server, but the actual body of code attacked is actually JavaScript. If the client doesn't have Javascript, then nothing bad happens - with this sort of attack.

Now, there are other attacks that rely on SQL injection... and the prevention is arguably worse than the disease. These days, a lot of DBAs will say that best practice in SQL Server or any sort of database is often said to be against using SQL directly, and wrapping everything in st

This is typical for a dupe

[panaceaa]

Actually, most dupes on Slashdot are a couple days apart like this one. After that they fail to be news and tend not to get reposted.

The extreme cases are actually measured in the years or hours. There's multiple cases of an article being duped 2-3 years later, especially when they're industry studies on how people use technology or occasionally about scientific discoveries. For the latter, it's often that a university announces they've done something and then publishes the results, which results in two

Re:

[sootman]

I'd be extremely impressed if someone could get a story approved that started with "Slashdot [slashdot.org] reports that..."

Re:

[ForumTroll]

Bad programmers write bad code despite the language. I don't want to use a language that places a ridiculous number of restrictions on me merely because someone somewhere might find a way to fuck up. Furthermore, validating input is a library problem not a language problem, and practically every language has libraries for escaping input. Nobody is to blame but the developers of the project being exploited.

Re:

[Jaime2]

but unless you provide the validation tool, its still your fault - you the language designer

I'll bet 90% of the coding errors were done by developers who said "I hate those Visual Studio wizards Microsoft has for data access. I can do it better myself." Sure, the wizards aren't the best way to build an application, but at least they prevent SQL injection. I meet these people every day... they think they know a lot about programming, but really they are people with 20 years of experience just barely making applications work and developing more and more bad practices every day.

It's fine to rejec

Re:

[XMyth]

Microsoft is working towards eliminating the root of this problem (the problem being tunneled languages like SQL) with the addition of LINQ to .NET.