Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Bug Databases Microsoft Programming Software News IT

Half a Million Microsoft-Powered Sites Hit With SQL Injection 222

Titus Germanicus writes to tell us that a recent attack has compromised somewhere in the neighborhood of 500,000 pages with a SQL injection attack. The vulnerability seems to be limited to Microsoft's IIS webserver and is easily defeated by the end user with Firefox and "NoScript." "The automated attack takes advantage to the fact that Microsoft's IIS servers allow generic commands that don't require specific table-level arguments. However, the vulnerability is the result of poor data handling by the sites' creators, rather than a specific Microsoft flaw. In other words, there's no patch that's going to fix the issue, the problem is with the developers who failed follow well-established security practices for handling database input. The attack itself injects some malicious JavaScript code into every text field in your database, the Javascript then loads an external script that can compromise a user's PC." Ignoring corporate spin-doctoring, there seems to be plenty of blame to go around.
This discussion has been archived. No new comments can be posted.

Half a Million Microsoft-Powered Sites Hit With SQL Injection

Comments Filter:
  • Ignoring corporate spin-doctoring there seems to be plenty of blame to go around.
    Well, here [informationweek.com]'s a quote directly from Bill Sisk of Microsoft (seems to be in line with this blogger):

    Microsoft (NSDQ: MSFT) on Friday found itself trying to clarify that it has nothing to do with the poor coding practices that have enabled a massive SQL injection attack to affect Web sites using Microsoft IIS Web Server and Microsoft SQL Server. "The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net, or Microsoft SQL technologies," said Bill Sisk, a communications manager at Microsoft, in a blog post. "SQL injection attacks enable malicious users to execute commands in an application's database." Sisk said that to defend against SQL injection attacks, developers should follow secure coding practices.
    So if you want Microsoft's side of the story, they can't help it that people use bad coding practices.

    As a coder, I don't agree with that. You make a tool/language/framework for developers, you better make it idiot proof. Example: C is far from idiot proof (seg fault!) but it's fast. Stupid fast. Unfortunately for C, there are more stupid coders out there like me than genuis coders out there like ... Donald Knuth. So you will see Java rise in popularity without ever being able to live up to speed of C.

    Wow, for flaim retardant reasons, take the above paragraph as my meager opinion.
    • Re: (Score:3, Insightful)

      So, I suppose all of the LAMP sites out there vulnerable to SQL injection are the fault of Microsoft too?

      http://www.google.com/search?hl=en&q=site%3Asecurityfocus.com+php+sql+injection [google.com]
      • by pembo13 ( 770295 )
        No, they are the fault of Linux obviously. Isn't that the normal assertion?
      • One reason I use Embedded Perl [apache.org] and never bothered with learning PHP. It actually requires effort [apache.org] to not at least escape untrusted input.
    • by techno-vampire ( 666512 ) on Monday April 28, 2008 @05:13PM (#23230518) Homepage
      You make a tool/language/framework for developers, you better make it idiot proof


      Why? It's not their responsibility to see to it that you can't write bad code for their program any more than it's the responsibility of car manufacturers to build cars that can't crash no matter how they're driven. There's only so much MSFT can do to protect lusers against their own stupidity, and if badly trained developers write vulnerable code, it's their own damned fault. I'm no Microsoft fanboi, but even I only bash them when they deserve it.

      • any more than it's the responsibility of car manufacturers to build cars that can't crash no matter how they're driven

        Ref. "Unsafe at any speed" (R.Nader) and contrasting opinion "Safe at any speed" (L.Niven). The latter story was deliberate satire. Flying your car into a Roc can be inconvenient.

        • Re: (Score:3, Interesting)

          Ref. "National Highway Traffic Safety Administration" [wikipedia.org].

          I'm aware this is pretty tangential, but I found it interesting that the Corvair was eventually rated to be a pretty reasonable car by the government body that Nader's book created.
          • Yes -- in particular I thought the later cars were a good design, and still do. They moved from swing axles to half shafts and that cured their handling woes. Nice little turbocharged mid-engine flat six, could have been a Porsche competitor if GM had just stuck to their guns and took credit for the improvement in quality instead of pretending it never happened. I guess that would have given credit to some outside person, though -- nobody outside the corporation can ever be "right". ./offtopic
    • Re: (Score:3, Insightful)

      by 0racle ( 667029 )
      Do you post something similar when it's a PHP app on Apache being exploited with a SQL injection and the PHP authors say it's not their fault a whole bunch of their users are idiots?

      Microsoft provides a platform, that platform has problems, but in this case the platform had nothing to do with what happened. This rests entirely on web developers who didn't bother to do things correctly.
      • Re: (Score:3, Interesting)

        by peragrin ( 659227 )
        While I understand that why is it only MSFT IIS and MS SQL that's affected. If apache and MS SQL was being attacked and it has happened then i could fully understand it, but only MS IIS, MS SQL sites are affected. while the flaw may not be MSFT's sole fault how could 500,00 people setup a server wrong including the DHS? Maybe MSFT's history of poor coding and security practices lead to unsafe default options? security should always be over applied and then removed in layers.

        Security like clothing works
        • Re: (Score:3, Insightful)

          by Allador ( 537449 )

          why is it only MSFT IIS and MS SQL that's affected

          Because the code they used is based on the MS-SQL particular dialect, with some MS-SQL specific conventions.

          The malware authors could have trivially used INFORMATION_SCHEMA views rather than sysobjects, and this would have been a generic attack that would have worked against most mainstream db servers.

          while the flaw may not be MSFT's sole fault how could 500,00 people setup a server wrong including the DHS?

          This has nothing, zero, to do with server setup or configuration. This is purely and soley, only has to do with web app developers allowing uncleansed commands to be sent from a web-browser to the underlyin

          • That is not correct. MS SQL Server is vulnerable in a way that no other database that I am aware of (Sybase perhaps) due to the way it constructs compound statements.

            Oracle is not vulnerable to this type of attack, nor is DB2, nor PostgreSQL. Some databases, like MySQL, are apparently only vulnerable when using a Microsoft ADO driver - same design mistake: support for compound statements without requiring block structure (BEGIN / END) allows trivial injection of arbitrary SQL.
            • by Allador ( 537449 )
              This is incorrect.

              I've personally made successful sql injection attacks (in-house pen testing, not black hatting) of this sort against a variety of other platforms that had nothing to do with Microsoft, including Oracle and MySQL.

              I'm not going to go into details here as I already responded in more detail to another of your posts.
              • by butlerm ( 3112 )
                Please explain how you would exploit the following purposely vulnerable example in Oracle, assuming you had arbitrary control over the employee_nbr variable:

                string employee_nbr;

                sql = "SELECT * FROM EMPLOYEE WHERE EMPLOYEE_ID = " + employee_nbr;
                Execute(sql);

                In MS SQL you could submit "1; DELETE FROM EMPLOYEE" and it would be game over. The same thing doesn't work in Oracle. The best you might do is submit "1 OR 1 = 1" and get information you weren't supposed to have.

    • Re: (Score:3, Insightful)

      by dedazo ( 737510 )

      As a coder, I don't agree with that. You make a tool/language/framework for developers

      So stock Java protects me from things like "SELECT * FROM users WHERE Name = 'eldavojohn'; DELETE FROM orders", correct?

      Wait, it doesn't. Neither does PHP or Python or Perl.

      So I guess you can spin it as this somehow being Microsoft's fault, and Slashdot can post it again (and maybe again tomorrow FTW), deliberately confusing pages vs sites and using titillating article titles and editorial bylines about how corporate

      • Re: (Score:3, Informative)

        Actually, PHP's mysql engine won't run that query- you cannot execute more than one query in a single mysql_query() call.

        There are plenty of ways around it, but your query will fail.
      • by Sancho ( 17056 ) * on Monday April 28, 2008 @06:13PM (#23231084) Homepage
        As others have posted, it's pretty easy to prevent multiple instruction SQL injection. That's a function of the database driver, which Microsoft controls.

        It's much harder to prevent injection of additional parameters e.g. typing ' or '1'='1 into the text box--that's something that will be language and developer dependent. From my very brief scan of the details of this vulnerability, it looks like it would have been prevented if Microsoft had disallowed multiple statements in the driver.

        This page supports my interpretation. [hackademix.net] I note, specifically:

        Attackers carefully weighted the easiest spot, being a combination of

                * ASP classic, due to the poor coding standards among the average VBScripters who hardly known about prepared statements (even though they are supported)
                * ADO as the DB client layer, allowing stacked queries (multiple SQL statements together in a single string), which are not supported, for instance, by JDBC or by the mysql_query() PHP API
                * Microsoft SQL Server, because its Transact SQL supports a rich feature set including loops, metadata enumeration and Dynamic SQL (crucial for generalization), and because itâ(TM)s the most common ASP database back-end with such high-end features.
        Apparently, if stacked queries weren't allowed, this wouldn't nearly so easy to exploit.
        • Re: (Score:3, Insightful)

          by dedazo ( 737510 )

          it looks like it would have been prevented if Microsoft had disallowed multiple statements in the driver.

          So what you are saying is that (and quoting the article you reference) Microsoft is at fault for providing these "high end features"? Even considering that it's not necessary to write sloppy VBScript code, and that it's ridiculously easy to use ADO to put together parameterized database commands, regardless of how many resultsets they are supposed to return?

          And that the lack of that feature is actual

          • by Sancho ( 17056 ) *

            So what you are saying is that (and quoting the article you reference) Microsoft is at fault for providing these "high end features"?

            No, that's not what I said. I said that Microsoft could have prevented it, not that they were at fault. There's a world of difference.

            And that the lack of that feature is actually an advantage for platforms like PHP and Perl?

            I think that the protection against multiple statements in the MySQL driver for PHP and Perl is an advantage, yes. Much in the same way that I would consider default-bounds checking in a language an advantage. It'd be even better if you could explicitly turn the feature off in order to use "unsafe" statements. The C API to MySQL allows this--I'm not sure if the PHP ver

            • by Allador ( 537449 )
              You keep saying 'multiple statement protection' as if allowing multiple statements in a batch is a bad thing that should be prevented by any sane person.

              Allowing multiple statements (and multiple active result sets) is a commonly used feature for many legitimate purposes. It's not something bad to be blocked. Nearly every major db platform provides this.

              Some of the language-specific adapters to said sql servers never got around to implementing this feature, but its not blocked because its a security risk.
          • The problem is not SQL Server's support of multiple statements, but rather the way they do it. Oracle supports multiple statements, but only in a PL/SQL begin end block, which is generally speaking impossible to inject.

            SQL Server on the other hand is trivially exploitable if any parameter is unchecked, due to the way statements are chained together - no block syntax required, just a semicolon and anything goes after that.
          • So what you are saying is that (and quoting the article you reference) Microsoft is at fault for providing these "high end features"?

            Like most MS security holes, the problem isn't that features are available, it's that they're turned on by default.
          • by ianare ( 1132971 )

            And that the lack of that feature is actually an advantage for platforms like PHP and Perl?
            Yes. The proper way of running a large number of prepared statements is by using stored procedures.
        • As others have posted, it's pretty easy to prevent multiple instruction SQL injection. That's a function of the database driver, which Microsoft controls.

          Actually, if we could wipe SQL off the face of the earth then we wouldn't have SQL injection attacks. I mean, for a person to be able to escape the bounds of a variable by simple insertion of code into a text field is pretty outrageous, really.

          Whoever is walking around saying that they have a good product which requires programmers to use or even have to create(!) special functions to filter every bit of input to prevent injection attacks, is lying out of their posterior. It's not a good product.

          Prepare

        • So the proper thing to do is to cut features, even if they have no inherent flaw, for fear that they might be exploited due to sloppy coding by others? That mindset has always bugged me. Seems backwards.
      • The problem here is that MS SQL Server supports multiple statements in the same prepare / execute block in an unsafe manner. Just insert a semicolon and off you go.

        The safe way to support multiple statement execution ("query stacking") is with something like the block syntax of Oracle. Given a single unchecked entry field, the SQL Server syntax is trivially exploitable do anything the attacker wants.

    • by Sigma 7 ( 266129 ) on Monday April 28, 2008 @05:38PM (#23230752)

      As a coder, I don't agree with that. You make a tool/language/framework for developers, you better make it idiot proof. Example: C is far from idiot proof (seg fault!) but it's fast.
      A seg fault is a form of idiot proofing - it prevents rogue C-style pointers from ruining the system. The absence of seg fault means your program is overwriting various locations in memory, which potentially causes the system to crash.

      If you need access to locations of memory normally protected by a seg-fault, your operating system normally provides a means to do so.
      • Right, but... (Score:3, Insightful)

        by Jeff Molby ( 906283 )
        ...it's weak idiot-proofing. Strong idiot-proofing makes it so the problem is never even encountered.
      • A seg fault can happen if you try to read/write to a memory address which refers to some unmapped virtual memory, as well as it being a memory page that you don't have read/write permissions for.

        In the former case there is quite literally no memory at that location to write to.
  • Dupe? (Score:5, Informative)

    by TubeSteak ( 669689 ) on Monday April 28, 2008 @05:06PM (#23230440) Journal
    500 Thousand MS Web Servers Hacked
    Posted by kdawson on Friday April 25, @11:48AM
    from the scream-and-shout dept.
    http://it.slashdot.org/it/08/04/25/1358234.shtml [slashdot.org]
  • Wasn't this exact item posted on Friday? http://it.slashdot.org/article.pl?sid=08/04/25/1358234 [slashdot.org]
  • by eldavojohn ( 898314 ) * <eldavojohn@gm a i l . com> on Monday April 28, 2008 @05:10PM (#23230494) Journal
    You know, as an incompetent Java developer, I will take the time to explain why none of my web applications suffered from this.

    I use Hibernate [hibernate.org]. I use it with Java, although I know it's now available for .NET.

    A feature of Hibernate (aside from some efficient connection pooling and resource management like caching) is that you have to actually call a delete method to delete a row. Something like HibernateSession.delete(myObject); would have to be done. And while this might sound annoying or ruin some tools that are used to generate SQL statements, it protects me time and time again. Now, you can use HQL which is a bastardized version of SQL to generate similar things but, again, I think that you can't drop/delete in it (could be wrong, rarely use it).

    Try passing part of an SQL string into an object property and then merge/save it into the HibernateSession. Doesn't do the SQL injection stuff the bad guys want it to. Of course, I still use regular expression common utilities to validate the input, but assuming you didn't do that ...

    So why don't other people use Hibernate? Am I missing something about it that's bad?
    • by Cecil ( 37810 ) on Monday April 28, 2008 @05:34PM (#23230710) Homepage
      I can't speak about Hibernate specifically, but I can tell you what my first concern would be. Database frameworks usually tend to have trouble dealing with complex database designs, and if they can deal with them they are invariably much slower and less efficient than a SQL statement could be.

      Some of these complexity and efficiency issues can be resolved by partial denormalization of the database design, but again, that introduces inefficiency.

      Basically, the use of a high-level framework like that introduces significantly more difficulty into the already difficult problem of performance optimization. And for most people, performance is a more immediate and obvious problem that needs solving as opposed to security.

      Another problem in my opinion is that there approximately a million and one different database abstraction layers like Hibernate out there. The lack of standardization makes it very difficult for any of them to gain any sort of critical mass of developers and documentation the way SQL has.
      • by njcoder ( 657816 )
        I agree. Databases are complex for a reason. These tools seem to try and hide this complexity through abstraction. In doing so you lose access to some of the great features of the underlying database, which may be fine if you're using some crippled version of a database, but with more advanced databases you're locking yourself out of some great db features.

      • by Sancho ( 17056 ) *

        Some of these complexity and efficiency issues can be resolved by partial denormalization of the database design, but again, that introduces inefficiency.

        Which efficiency does this reduce? Normally, from a database perspective, normalizing increases data integrity at the expense of database efficiency, doesn't it?

        Database frameworks can often deal with complex databases for read operations which, in this day and age, tend to be a high percentage of the operations that a database performs. They're probably worth using for read operations, and write operations where good performance isn't a requirement. You can always fall back on raw SQL (with stringently

      • Hibernate actually works best with a properly normalized database.

        Performance also tends to be better than hand coded or generated SQL mostly because Hibernate comes loaded with all sorts of database access optimization (read caching, delayed writing, batch fetching, join queries to retrieve multiple related objects, etc) - which would either have to be explicitly implemented or at the very least integrated from multiple utility libraries when not using Hibernate.

        The biggest downsides of Hibernate are:
        - It
    • Yeah and ORM loads more data than you will need or use in comparison to a properly formed query moved to a separate db layer which has all the benefits of ORM with none of the bloat.
    • by Tim C ( 15259 )
      Never mind Hibernate (which is great, but like all tools & frameworks only good as far as it goes and hardly faultless), just use PreparedStatemtents and the setXXX() methods and never worry about SQL injection again. This has been available since JDK1.2 ferchrisakes.

      Seriously, the fact that in 2008 any site created by a "professional" web developer is vulnerable to SQL injection is little short of sickening.
    • Re: (Score:3, Insightful)

      by Blakey Rat ( 99501 )
      The kind of people who write code susceptible to SQL Injection attacks don't read Slashdot, buddy. They don't go to programming classes, they don't read literature, they just do the absolute bare minimum to get by with their VB6 knowledge in the modern world.

      Sorry, but that's the reality; anybody on Slashdot already knows what you're saying, and the type of people who code these bugs don't read Slashdot.
    • by syousef ( 465911 )
      Hibernate has its limitations. I seem to have hit them a few times. Hibernate is great for doing simple things, but if you use any vendor specific features or really complex SQL, you may find yourself falling back to JDBC.

      You are completely wrong about drop/delete in HQL. Instead of quoting references you don't have, here's the result of a quick Google search.

      http://www.hibernate.org/hib_docs/reference/en/html/batch.html [hibernate.org]

      Your ignorance tells me you have very simple database needs. That's the siutation in whi
    • Although I like OR-mapping frameworks, you don't need one to avoid SQL insertions. Plain old PreparedStatement in JDBC will do that job just fine also.

    • by Allador ( 537449 )
      You could do this in hibernate as well. Hibernate allows you to run raw sql against the db (in addition to the HQL, you can also send raw SQL).

      We've used this in the past where we had to do some fairly extreme performance optimizations for a hideous query across many joined tables, etc etc. The different db platforms required server-specific syntax to get it to perform adequately.

      In addition, Hibernate is only avaialbe on Java and .NET.

      This particular story is about ASP (not asp.net) pages getting hit, fo
  • Dupe Dance (Score:3, Informative)

    by jd ( 1658 ) <imipakNO@SPAMyahoo.com> on Monday April 28, 2008 @05:13PM (#23230520) Homepage Journal
    Yay! We get a re-run of one of the more non-story events of recent times. The problem was spotted very quickly by IIS admins, as was noted before, and it's half a millon pages, not half a million sites. Well, unless all sites have one page and I've only been thinking they used hypertext links to more of their own content. It's unclear what percent of those sites were IIS, what were Apache (an easy server to misconfigure), and what were other web servers. Blaming it on IIS is easy, and there probably is some truth to the allegation that IIS has flaws when it comes to SQL support, but this time they almost (I said almost) have justification in crying foul when Microsoft gets blamed.

    What I don't get, though, is not only does this dupe the earlier story, it dupes ALL OF THE ERRORS as well. Sheesh!

    • by pavera ( 320634 )
      Wrong. This story is not the same one linked before, and it actually explains why this is an MS only problem (not all SQL injections just this one).

      It is not an IIS problem it is a MS SQL Server "feature" whereby you can basically create a dynamic query that will go figure out your database schema for you, and dynamically perform updates on the table. This is not possible against Oracle, MySQL, or PostgreSQL, but MS SQL allows you to create a single query that can successfully attack any MS SQL database.

      U
  • ...with a user wanting to inject images from other websites into my pages.
    I solved it quite nicely by translating any opening bracket to "ampersand-gt-;" (you know what I mean) and any urls were totally ignored after that.
  • A buffer overflow in the dupcheck module leads to privilege elevation.

    You can spot if pretty easily if you reload a backup from 4/25 and your web page keeps spamming out the same offensive links.
  • I'm not knowledgeable to answer this, but I know there has to be a good "in your face, Microsoft" reason why this doesn't hit servers like Apache? They point the finger at the websites and say "UR DOIN IT RONG!" and blame them. And yet, apache users don't have to worry about this. Why? That's the argument I want to have.
    • No such "in your face" reason exists. It's not Apache that matters here (or IIS I'm guessing), it's the database and interacting with it via some server side language.

      So when someone appends a string to a query directly from a CGI variable (in an URL, after a questionmark - those are CGI vars ... blah.cgi?bar=baz) this can be used as an attack vector regardless of the platform. This error is super easy to make in PHP for example:

      mysql_query('SELECT * FROM mytable WHERE foo = " . $_REQUEST['foo']);

      What's hap
      • Re: (Score:3, Informative)

        by Sancho ( 17056 ) *
        That's close.

        http://hackademix.net/2008/04/26/mass-attack-faq/#comment-7742 [hackademix.net] has a decent explanation of why this is primarily hitting IIS. SQL injection is common to many platforms, but Microsoft's database driver has some features that made it particularly easy to generalize the exploit. Specifically, prior knowledge of the table layout was apparently unnecessary to create the exploit, meaning that it was easy to hit a large number of websites in a short period of time.
    • by mingot ( 665080 )
      Not really because apache is just as susceptible to this as any other web server.
    • by jd ( 1658 )
      People have done SQL Injection attacks on Apache servers and probably most other servers. It seems as though this flaw is made easier on a misconfigured server, but you can misconfigure any software that uses a configuration file. It's easiest when the configuration isn't validated correctly, or when it's impossible to determine all invalid cases, or when a case may be invalid only under certan circumstances. All of these are bound to crop up on something like Apache.

      Besides, there must be bugs elsewhere,

    • Simple answer. mysql_real_escape_string [shiflett.org]. Instead of sanitizing data through the language which will miss byte encoded strings, alot of applications have switched to using MySQLs native mysql_real_escape_string which will catch these. Java sanitizes byte code strings as well I believe.

      So it may be partially C# or just that Microsoft web devs are inherently 'dumber'.

    • by Joe U ( 443617 )
      Because the automated injection script was written for asp/asp.net and Apache rarely uses asp or asp.net.

      Please scan your news sites for past and future php scripts if it makes you feel any better.

    • There are two parts to this:

      - no untainting of CGI data
      - bad DB interaction practices

      Now, I don't do ASP, so I'm unaware of the exact details, but in Perl (and any CGI language), it's always insane NOT to untaint your input submitted by users - even if (especially if!) you have set the values in hidden fields. Something like

      my $id=0; # $id must be an integer under 100
      $q->param('id') =~ /^(\d{1,2})$/
      and $id = $1;


      And, as to the SQL injection itself, if ASP doesn't have placehol
      • by Allador ( 537449 )

        And, as to the SQL injection itself, if ASP doesn't have placeholders, I would blame MicroSoft. Interpolating fields into DB statements is just asking for trouble.

        Using ASP/ADO/MSSQL there are several ways to protect against this.

        1. Use prepared statements (also sometimes called parameterized queries, and what you're calling placeholders).

        2. Use stored procedures and pass parameters.

        3. Clean the form fields before putting them into your sql statement (the php approach, and also the least safe).

    • And yet, apache users don't have to worry about this. Why? That's the argument I want to have.

      Because the likely first step is bad guys in China scanning Google search results for web pages ending in .asp or .aspx. They then retrieve the pages and fill in forms with an SQL statement containing javascript code as a string and submit the page. All of this is automated.

      In this case, it's SQL Server specific SQL syntax that retrieves field layouts for the database, then inserts thia attacker's javascript string
  • Has anyone ever heard of a SQL injection vulnerability in a Coldfusion app? I know some smartass is going to say, "that's because nobody uses it" but that's not true. If there are a million ASP apps out there and 500,000 SQL injection vulnerabilities, then there have to be at least 100,000 coldfusion sites. Show me the 50,000 coldfusion SQL injections. Or show me 10,000, or 5,000 or even just 1.

    I have some experience with coldfusion and it is my opinion that a SQL injection vulnerability is pretty diffi
    • Re: (Score:2, Informative)

      by S'harien ( 779928 )
      ColdFusion is most certainly vulnerable to SQL injection if you are not religiously using the CFQUERYPARAM tag inside your queries. Of course the database being queried needs to support multiple SQL statements in a single query (MySQL does, Access does not, can't speak for any others). http://www.adobe.com/devnet/coldfusion/articles/cfqueryparam.html [adobe.com]
    • I have some experience with coldfusion

      coldfusion is dead or dying. You are the first person that I have heard mention it in years. If people are going to choose a proprietary solution for their web application server needs then they generally choose IIS with ASP.NET; otherwise the choice is probably PHP on Apache or Ruby on Rails.

      So maybe everyone should switch to a safer language, eh?

      The problem here is not the language it is the use of that language in ways that are specifically warned against as being dangerous. The power to create complex applications brings with it the possibility of self-des

      • by oni ( 41625 )
        coldfusion is dead or dying.

        LOL. I guess you're the netcraft bot. Languages don't live or die based on what a bunch of fanboys with no actual programming skill put on their resume. **everybody** claims that know C++ but very few people do. By contrast, **nobody** bothers to put coldfusion on their resume unless they actually have experience with it. In other words, the numbers for the sexy (meaning, talked about on slashdot) languages are way over inflated, and the numbers for other languages are actua
    • nice idea, but i think the problem is more people doing things on the cheap instead of getting a real web dev so i don't think telling people to spend a large chunk of cash on coldfusion is going to fix it.
    • by Sancho ( 17056 ) *
      If I were guessing, I'd say that Coldfusion has a fairly low market share. The main reason that I'd say this is that it's a) an expensive solution that b) isn't Microsoft.

      Lots of people pick free solutions. Lots of people who don't pick free solutions know about IIS and MS SQL. They stick with Microsoft because it's the brand, and it's a one-stop shop for support. There are also a lot more VBS/.Net developers than Coldfusion ones, so developers will be cheaper.

      That said, there are 38,000 hits from Googl
    • by XMyth ( 266414 )
      I'd rather eat cat vomit than write web apps with ColdFusion.

      Thanks for the suggestion though.
  • From what I understand from just flippering through the summary,
    The attack itself injects some malicious JavaScript code into every text field in your database, the Javascript then loads an external script that can compromise a user's PC
    the infection requires that a local user on that database box browses the net, and hits a malicious site?

    I really wonder, if users on database-running PC are supposed to browse the net, for pr0n, or what?

    Am I correct that my fictitious boxen are free from danger, if I have n
    • Re: (Score:3, Informative)

      by cervo ( 626632 )
      I think you misunderstand the article. The attack injects javascript code into the text fields of the database. The attack is done by someone exploiting SQL injection on the website. Nothing to do with a web surfing account on the database computer. The attack inserts Javascript into every text field. If it was a message forum, this might be the from fields of an e-mail, the message text of posts, the subject fields of posts, etc.... Regular users using the forum are suddenly exposed to the javascript.
    • From my understanding, most sites employ a generic user for the db side of the things. The tricky part has to do with escape characters.

      In my simple pseudo-example, I visit a shoe company site, ABC Shoes. They have a nifty product catalog search. As a hacker, I notice that the url string to search for green shoes contains: "select product_name from products where color='green'". I can change the url string to: "select product_name from products where color='green'; truncate users; insert into users (u

  • from the little-bobby-tables-strikes-again dept.
    Awesome xkcd reference! http://xkcd.com/327/ [xkcd.com]
  • Is that Linux, BSD, Sun, AIX, and whatever are just as vulnerable when it comes to dumb programmers.

    The million dollar question is what platform and which web server is it easier to reinstall to get the site back up.
    I think Linux and BSD have the advantage.

    Enjoy,
    • by Skapare ( 16644 )

      Is that Linux, BSD, Sun, AIX, and whatever are just as vulnerable when it comes to dumb programmers.

      The million dollar question is what platform and which web server is it easier to reinstall to get the site back up.
      I think Linux and BSD have the advantage.

      Actually, the damage is to the database. The fix is to restore from a backup taken from before the attack, resyncronize with records sanitized for the inserted bad data, fix the vulnerable code, and bring the database and web application back up.

  • Half a Millon Slashdot-Powered Stories Hit with Dupe Injection
  • by ShaunC ( 203807 ) on Monday April 28, 2008 @07:41PM (#23232174)
    The exploit in question has nothing to do with IIS, period, whatsoever. It's being targeted at servers that run IIS because those are the ones most likely to have SQL Server as their database back-end. Plenty of companies have deployed a Linux/Apache/PHP stack that talks to a SQL Server backend via FreeTDS [freetds.org], for example, and some of them will be getting hit by this, despite not running a single instance of IIS.

    The query being used is exploiting features in Microsoft SQL Server, combined with a couple of external factors. Developers who have failed to check and sanitize user input, and DBAs who have not properly secured their databases. In order for your website to be owned through this attack:
    1. You must be running Microsoft SQL Server as your database platform
    2. Your web application must be vulnerable to SQL injection
    3. The SQL Server user that your web application authenticates as must have SELECT and UPDATE access to the sysobjects table
    Notice that nowhere in that list is IIS mentioned. In addition, plenty of shops meet the first criterion above, without meeting either of the other two. Unfortunately it's all too common that web applications are configured to use the "sa" account, or some functionally-equivalent clone thereof.

    If your web application can query dbo.sysobjects and get anything other than "Server: Msg 229, Level 14, State 5, Line 1" in response, it's time to hire an additional DBA. If your web application allows random queries to be passed into SQL Server in the first place, it's time to hire an additional developer. In either case, make "security" a bullet-point on the job posting.
    • I agree that this is not an IIS problem. IIS is just a convenient target. And it may also be the case that users of IIS are less likely to do proper data sanitation than those who can't use IIS. But I would argue that SQL is a major target of blame.

      Long long ago when I first learned of SQL, it was described as a command line language which would allow people to do innovative database searches. I saw several examples of such. The lecturer was even typing them in manually. It sure looked like a really

      • Twenty or so years ago, using dynamically generated SQL was expensive, slow, and hard to program. The vast majority of SQL applications were written with SQL statically embedded in C, FORTRAN, or COBOL dialects that had to be translated to the base language using a precompiler.

        Parameters were bound by name to host language variables, and the precompiler handled the mapping to the underlying database library. Much more secure than dynamic SQL without bound parameters.

        Of course as computers got faster, the p
  • Everyone keeps looking at this like it is an attack on IIS and SQL Server, but the actual body of code attacked is actually JavaScript. If the client doesn't have Javascript, then nothing bad happens - with this sort of attack.

    Now, there are other attacks that rely on SQL injection... and the prevention is arguably worse than the disease. These days, a lot of DBAs will say that best practice in SQL Server or any sort of database is often said to be against using SQL directly, and wrapping everything in st

If all else fails, lower your standards.

Working...