Linked by Thom Holwerda on Mon 28th Apr 2008 19:22 UTC, submitted by Hakime
Legal Last week, The Washington Post reported that hundreds of thousands of IIS webservers were hacked. Code was placed on them that installed malware on visitors' computers. Among the infectees were websites from the UK government and the United Nations. Initial reports said the attackers used a security vulnerability in Microsoft's IIS, but the company published more information on the attacks today, and denies IIS was compromised.
stupid article title...
by BlackTiger on Mon 28th Apr 2008 20:13 UTC
BlackTiger
Member since:
2005-07-22

So stupid title!!!

When IIS suddenly became a "sql server" to manage SQL queries!?!?!

Only stupid "developers" can allow "sql injection attack".

Reply Score: 9

Three Words
by linumax on Mon 28th Apr 2008 20:23 UTC
linumax
Member since:
2007-02-07

Always Sanitize Input

Reply Score: 8

RE: Three Words
by Kroc on Mon 28th Apr 2008 20:49 UTC in reply to "Three Words"
Kroc Member since:
2005-11-10

I can imagine the IT weekly article:
Businesses: sanitise your programmers!

Reply Score: 1

RE: Three Words
by A.H. on Mon 28th Apr 2008 21:11 UTC in reply to "Three Words"
A.H. Member since:
2005-11-11

Two words: stored procedures

Three words: No dynamic SQL

Reply Score: 1

RE[2]: Three Words
by gonzo on Mon 28th Apr 2008 21:24 UTC in reply to "RE: Three Words"
gonzo Member since:
2005-11-10

Two words: stored procedures

Two words: Not necessarily.

Three words: No dynamic SQL

Two words: Unless parameterized.

Reply Score: 10

RE[2]: Three Words
by jayson.knight on Mon 28th Apr 2008 22:21 UTC in reply to "RE: Three Words"
jayson.knight Member since:
2005-07-06

Two words: stored procedures

Three words: No dynamic SQL


Actually the solution is simple: Always use parameterized queries. Never ever ever use string concatenation. Not everyone is a fan of sprocs, and they've actually fallen out of favor more lately now that ORM's are more mainstream and easier to use.

Reply Score: 4
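A worked illustration of gonzo's and jayson.knight's point, added here as an example; it is not code from the thread. Python's sqlite3 module stands in for ASP/ADO and SQL Server, and the `?` placeholder plays the role a SqlParameter would in ADO.NET; the products table, its rows and the crafted input are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample catalog, the sort of table an ASP page would look up by name.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    conn.executemany(
        "INSERT INTO products (name, description) VALUES (?, ?)",
        [("widget", "A small widget"), ("gadget", "A useful gadget"), ("secret", "internal only")],
    )
    conn.commit()
    return conn


def lookup_concatenated(conn, name):
    # Vulnerable: the request value is spliced into the SQL text, so the value
    # can change the shape of the statement instead of just its data.
    sql = "SELECT name FROM products WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    # Safe: the statement is fixed and the value travels separately as a parameter,
    # so whatever it contains is compared as data and never parsed as SQL.
    return [row[0] for row in conn.execute("SELECT name FROM products WHERE name = ?", (name,))]


def demo():
    conn = make_db()
    benign = "widget"
    crafted = "' OR '1'='1"  # constructed test input: closes the quote and adds a tautology
    return {
        "concat_benign": lookup_concatenated(conn, benign),
        "concat_crafted": lookup_concatenated(conn, crafted),
        "param_benign": lookup_parameterized(conn, benign),
        "param_crafted": lookup_parameterized(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The concatenated lookup returns every row for the crafted value, including the one the page was never meant to show; the parameterized lookup returns nothing, because no product is literally named `' OR '1'='1`. A parameterized stored procedure call behaves the same way, which is why the two camps in this thread are not really in disagreement.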

RE: Three Words
by google_ninja on Mon 28th Apr 2008 23:34 UTC in reply to "Three Words"
google_ninja Member since:
2006-02-05

It's funny, I was reviewing some of our coding policy docs the other day (basically a 200+ page ppt), one of the many gems I found in it was "Treat all input as evil".

I want that on a shirt.

Edited 2008-04-28 23:34 UTC

Reply Score: 2

RE: Three Words
by StephenBeDoper on Wed 30th Apr 2008 15:52 UTC in reply to "Three Words"
StephenBeDoper Member since:
2005-07-06

Or - at the *very* least - create a DB user with read-only permissions for the publicly-accessible portions of a web-based app (no write privs. == injection no worky).

Reply Score: 2
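The least-privilege point above, shown as an added example that is not code from the thread. sqlite has no user accounts, so a read-only connection (URI `mode=ro`) stands in for the read-only database login a public-facing page would use; the catalog table, its row and the UPDATE statement are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile


def create_catalog(path):
    # Constructed catalog table; in the thread's scenario this would be the site's SQL Server database.
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO products (name) VALUES ('widget')")
    conn.commit()
    conn.close()


def open_readonly(path):
    # Assumption: a read-only connection models a DB user granted SELECT only.
    return sqlite3.connect("file:" + path + "?mode=ro", uri=True)


def attempt_write(conn):
    # The kind of statement a stored injection would need to run: append markup
    # to every row. Returns how the database answered.
    try:
        conn.execute("UPDATE products SET name = name || '<script></script>'")
        conn.commit()
        return "written"
    except sqlite3.OperationalError:
        return "denied"


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "catalog.db")
        create_catalog(path)
        ro = open_readonly(path)
        outcome = attempt_write(ro)
        # Reads still work, which is all a public catalog page needs.
        names = [row[0] for row in ro.execute("SELECT name FROM products")]
        ro.close()
        return outcome, names


if __name__ == "__main__":
    print(demo())
```

The write is refused and the stored data is untouched, while the page's own SELECT keeps working. This does not fix the injection itself (a read-only login can still leak data through a crafted SELECT), so it belongs alongside parameterized queries, not instead of them.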

IIS?
by WereCatf on Mon 28th Apr 2008 20:59 UTC
WereCatf
Member since:
2006-02-15

The first comment posted on the article already explains the whole issue at hand:

By default this tool searches for Microsoft ASP pages (an IIS specific web development technology) and injects a Microsoft SQL Server specific payload: these defaults, maybe, have generated the false perception that an IIS vulnerability is involved, while the infection is just leveraging trivial coding errors made by the web developers.

So, perhaps some poor default values combined with not-so-good programming caused this. It's not specifically an IIS bug or anything like that at all. Switching to Linux and using Apache won't help either if you can't make your code secure. So, remember all web devs out there: ALWAYS check any variables you pass to SQL server that they are fully valid and will not contain any unintended characters there.

Reply Score: 3

RE: IIS?
by google_ninja on Mon 28th Apr 2008 23:32 UTC in reply to "IIS?"
google_ninja Member since:
2006-02-05

What's sad is that you don't even have to. Use parameterized queries or stored procs and the framework will do the checking for you.

There is simply no excuse in the asp world for "SELECT " + fields + " FROM Tables" anymore.

Reply Score: 3

great news
by satan666 on Mon 28th Apr 2008 21:57 UTC
RE: great news
by jayson.knight on Mon 28th Apr 2008 22:24 UTC in reply to "great news"
jayson.knight Member since:
2005-07-06

I love these Chinese.
Imagine how many will sue Microsoft over data and hardware loss!
It would be awesome!


Microsoft has clauses in their EULAs that explicitly prohibit anyone suing them for data loss. Actually, almost ALL software/hardware vendors have these clauses, so don't go thinking they are unique to MS. And don't think you're protected if you live in Europe or whatnot. Imagine all the bogus claims that would be made if those clauses didn't exist.

Reply Score: 5

RE[2]: great news
by melkor on Tue 29th Apr 2008 04:15 UTC in reply to "RE: great news"
melkor Member since:
2006-12-16

And this is what I have a real problem with - why should they be protected? If they have produced a flawed product that results in a loss to me, or my business, they *should* be responsible. Period. Imagine if you bought a new Ford, and due to manufacturing issues the steering wheel collapsed and you crashed as a result - you *can* sue Ford for damages etc.

Why should software companies not have the same laws applied to them that every other consumer manufacturer has to agree to?

Dave

Reply Score: 2

RE[3]: great news
by elsewhere on Tue 29th Apr 2008 04:38 UTC in reply to "RE[2]: great news"
elsewhere Member since:
2005-07-13

Why should software companies not have the same laws applied to them that every other consumer manufacturer has to agree to?


And why do you think they don't? If software causes you tangible harm or loss, you have the same legal recourse as for any other product. EULAs are not a shield against that, in fact, they're not a shield against much, really.

The same rules apply, you simply need to show a direct cause-effect relationship between the product and your damage, and quantify that damage. The problem is that when it comes to software, that is easier said than done, but it's doable. Software manufacturers operate under the same laws as every other manufacturer, an EULA doesn't absolve them of responsibility.

Reply Score: 3

RE[4]: great news
by melkor on Tue 29th Apr 2008 10:06 UTC in reply to "RE[3]: great news"
melkor Member since:
2006-12-16

Not from what I see. See Thom's article on Dutch laws and how EULAs are considered contracts under Dutch law. If you sign that contract saying you won't sue, then you're screwed. I suspect a great many countries will be the same as the Netherlands, caring more for the big corporations and rich, and bugger all for the average person.

Dave

Reply Score: 2

RE: great news
by umccullough on Mon 28th Apr 2008 23:05 UTC in reply to "great news"
umccullough Member since:
2006-01-26

I love these Chinese.


Why would you assume the people behind these attacks are actually Chinese? Just because the websites that host the vulnerabilities are in China doesn't mean the people who put those there are as well.

We're talking about crackers here - they're not likely to just throw up their malicious code on any old domain they happen to own.

Reply Score: 2

Dumb Question....
by JPowers on Mon 28th Apr 2008 23:23 UTC
JPowers
Member since:
2007-11-10

If the issue is that someone attacked the server and injected code into the MS-SQL server, then how are the client systems being infected?

The best I can see is that they injected code to turn on a back door so they could modify the web-server.

Thus the security issue is also on the client PCs. They are allowing a web site to install anything the server wants on their PC. SQL injection shouldn't work on the client since the DB is located on the server.

What types of clients are being infected? And since MS verified that it was a server issue, what is MS's advice on how to protect the client from the servers?

Reply Score: 1

RE: Dumb Question....
by emission on Tue 29th Apr 2008 00:13 UTC in reply to "Dumb Question...."
emission Member since:
2005-07-21

The client injection is caused by javascript code that's injected into the database. In other words...

1. SQL injection puts Javascript into the database
2. Injected database content is shown on the page
3. Javascript opens windows with malware

So, the client injection part of this could have been stopped if the web sites used proper HTML encoding of the database output.

Reply Score: 2
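The output-encoding step from the three-point list above, as an added example that is not code from the thread. The stored rows are constructed to look like what a comments query would return after an injection appended script markup to one record; the script URL is a placeholder on the reserved `.invalid` domain.

```python
import html

# Constructed rows, standing in for the result of a query over a table that
# an injection has already written into. The second row is the poisoned one.
STORED_ROWS = [
    "Nice article <3",
    'Nice article<script src="http://example.invalid/x.js"></script>',
]


def render_raw(rows):
    # Vulnerable: database content is written into the page as live markup,
    # so an injected script element executes in every visitor's browser.
    return "".join("<p>" + body + "</p>" for body in rows)


def render_encoded(rows):
    # Safe: every value is HTML-encoded on output, so the same stored text is
    # displayed literally and the browser never sees a script element.
    return "".join("<p>" + html.escape(body, quote=True) + "</p>" for body in rows)


def contains_script_element(page):
    # Detection check: is there an actual <script tag in the generated page?
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_raw(STORED_ROWS))
    print(render_encoded(STORED_ROWS))
```

Encoding on output is what stops the injected rows from harming visitors, but it only limits the damage; the rows still need the parameterized-query fix to stop being written in the first place. In ASP.NET the same role is played by `HttpUtility.HtmlEncode`.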

Explorer and Mozilla?
by TechGeek on Tue 29th Apr 2008 03:07 UTC
TechGeek
Member since:
2006-01-14

Can this occur through both Mozilla and IE or is it just limited to IE?

Reply Score: 2

RE: Explorer and Mozilla?
by elsewhere on Tue 29th Apr 2008 04:43 UTC in reply to "Explorer and Mozilla?"
elsewhere Member since:
2005-07-13

Can this occur through both Mozilla and IE or is it just limited to IE?


The issue is with a server-side "exploit", it has nothing to do with the client browser. You could hack together a script to do the same thing, without even using a browser. The issue is lazy coding on the part of the web developers, it's not a browser issue.

Reply Score: 2