OSNews:

OSNews: http://www.osnews.com/story/19690/SQL_Injection_Attacks_on_IIS_Web_Servers Exploring the Future of Computing en-us Copyright 2001-2009, David Adams adam+nospam@osnews.com Tue, 24 Nov 2009 20:41:09 GMT http://www.osnews.com/images/osnews.gif OSNews.com http://www.osnews.com stupid article title... http://osnews.com/thread?311745 http://osnews.com/thread?311745 So stupid title!!!

When IIS suddenly became a "sql server" to manage SQL queries!?!?!

Only stupid "developers" can allow "sql injection attack". Mon, 28 Apr 2008 20:13:00 GMT donotreply@osnews.com (BlackTiger) Comments Three Words http://osnews.com/thread?311749 http://osnews.com/thread?311749 Always Sanitize Input Mon, 28 Apr 2008 20:23:00 GMT donotreply@osnews.com (linumax) Comments RE: Three Words http://osnews.com/thread?311755 http://osnews.com/thread?311755 I can imagine the IT weekly article:
Businesses: sanitise your programmers! Mon, 28 Apr 2008 20:49:00 GMT donotreply@osnews.com (Kroc) Comments IIS? http://osnews.com/thread?311756 http://osnews.com/thread?311756 The first comment posted on the article already explains the whole issue at hand:

By default this tool searches for Microsoft ASP pages (an IIS specific web development technology) and injects a Microsoft SQL Server specific payload: these defaults, maybe, have generated the false perception that an IIS vulnerability is involved, while the infection is just leveraging trivial coding errors made by the web developers.

So, perhaps some poor default values combined with not-so-good programming caused this. It's not specifically IIS bug or anything like that at all. Switching to Linux and using Apache won't help either if you can't make your code secure. So, remember all web devs out there: ALWAYS check any variables you pass to SQL server that they are fully valid and will not contain any intended characters there. Mon, 28 Apr 2008 20:59:00 GMT donotreply@osnews.com (WereCatf) Comments RE: Three Words http://osnews.com/thread?311758 http://osnews.com/thread?311758 Two words: stored procedures

Three words: No dynamic SQL Mon, 28 Apr 2008 21:11:00 GMT donotreply@osnews.com (A.H.) Comments RE[2]: Three Words http://osnews.com/thread?311761 http://osnews.com/thread?311761 Two words: stored procedures

Two words: Not necessarily.

Three words: No dynamic SQL

Two words: Unless parameterized. Mon, 28 Apr 2008 21:24:00 GMT donotreply@osnews.com (gonzo) Comments great news http://osnews.com/thread?311764 http://osnews.com/thread?311764 I love these Chinese.
I have a suggestion for them:
Make a virus that will completely destroy the infected Windows server after infecting other servers, of course.
Imagine how many will sue Microsoft over data and hardware loss!
It would be awesome! Mon, 28 Apr 2008 21:57:00 GMT donotreply@osnews.com (satan666) Comments RE[2]: Three Words http://osnews.com/thread?311766 http://osnews.com/thread?311766

Two words: stored procedures

Three words: No dynamic SQL

Actually the solution is simple: Always use parameterized queries. Never ever ever use string concatenation. Not everyone is a fan of sprocs, and they've actually fallen out of favor more lately now that ORM's are more mainstream and easier to use. Mon, 28 Apr 2008 22:21:00 GMT donotreply@osnews.com (jayson.knight) Comments RE: great news http://osnews.com/thread?311767 http://osnews.com/thread?311767

I love these Chinese.
Imagine how many will sue Microsoft over data and hardware loss!
It would be awesome!

Microsoft has clauses in their EULA's that explicitly prohibit anyone suing them for data loss. Actually, almost ALL software/hardware vendors have these clauses, so don't go thinking they are unique to MS. And don't think you're protected if you live in Europe or whatnot. Imagine all the bogus claims that would be made if those clauses didn't exist. Mon, 28 Apr 2008 22:24:00 GMT donotreply@osnews.com (jayson.knight) Comments RE: great news http://osnews.com/thread?311779 http://osnews.com/thread?311779

I love these Chinese.

Why would you assume the people behind these attacks are actually Chinese? Just because the websites that host the vulnerabilities are in China doesn't mean the people who put those there are as well.

We're talking about crackers here - they're not likely to just throw up their malicious code on any old domain they happen to own. Mon, 28 Apr 2008 23:05:00 GMT donotreply@osnews.com (umccullough) Comments Dumb Question.... http://osnews.com/thread?311786 http://osnews.com/thread?311786 If the issue is that someone attacked the server an injected code into the MS-SQL server, then how are the client systems being infected?

The best I can see is that they injected code to turn on a back door so they could modify the web-server.

Thus the security issue is also on the client pc's. They are allowing a web site to install anything the server wants on their pc. SQL Injection shouldn't work on the client since the DB is located on the server.

What types of clients are being infected? And since MS verified that it was a server issue, what is MS's advice on how to protect the client from the servers? Mon, 28 Apr 2008 23:23:00 GMT donotreply@osnews.com (JPowers) Comments RE: IIS? http://osnews.com/thread?311789 http://osnews.com/thread?311789 whats sad is that you don't even have to. Use parameterized queries or stored procs and the framework will do the checking for you.

There is simply no excuse in the asp world for "SELECT " + fields + " FROM Tables" anymore. Mon, 28 Apr 2008 23:32:00 GMT donotreply@osnews.com (google_ninja) Comments RE: Three Words http://osnews.com/thread?311790 http://osnews.com/thread?311790 It's funny, I was reviewing some of our coding policy docs the other day (basically a 200+ page ppt), one of the many gems I found in it was "Treat all input as evil".

I want that on a shirt.Edited 2008-04-28 23:34 UTC Mon, 28 Apr 2008 23:34:00 GMT donotreply@osnews.com (google_ninja) Comments RE: Dumb Question.... http://osnews.com/thread?311794 http://osnews.com/thread?311794 The client injection is caused by javascript code that's injected into the database. In other words...

1. SQL injection puts Javascript into he database
2. Injected database content is shown on the page
3. Javascript opens windows with malware

So, the client injection part of this could have been stopped if the web sites used proper HTML encoding of the database output. Tue, 29 Apr 2008 00:13:00 GMT donotreply@osnews.com (emission) Comments Explorer and Mozilla? http://osnews.com/thread?311816 http://osnews.com/thread?311816 Can this occur through both Mozilla and IE or is it just limited to IE? Tue, 29 Apr 2008 03:07:00 GMT donotreply@osnews.com (TechGeek) Comments RE[2]: great news http://osnews.com/thread?311823 http://osnews.com/thread?311823 And this is what I have a real problem with - why should they be protected? If they have produced a flawed product, that results in a loss to me, or my business, they *should* be responsible. Period. Imagine if you bought a new Ford, and due to manufacturing issues the steering wheel collapsed and crashed as a result - you *can* sue Ford for damages etc.

Why should software companies not have the same laws applied to them that every other consumer manufacturer has to agree to?

Dave Tue, 29 Apr 2008 04:15:00 GMT donotreply@osnews.com (melkor) Comments RE[3]: great news http://osnews.com/thread?311824 http://osnews.com/thread?311824

Why should software companies not have the same laws applied to them that every other consumer manufacturer has to agree to?

And why do you think they don't? If software causes you tangible harm or loss, you have the same legal recourse as for any other product. EULAs are not a shield against that, in fact, they're not a shield against much, really.

The same rules apply, you simply need to show a direct cause-effect relationship between the product and your damage, and quantify that damage. The problem is that when it comes to software, that is easier said than done, but it's doable. Software manufacturers operate under the same laws as every other manufacturer, an EULA doesn't absolve them of responsibility. Tue, 29 Apr 2008 04:38:00 GMT donotreply@osnews.com (elsewhere) Comments RE: Explorer and Mozilla? http://osnews.com/thread?311825 http://osnews.com/thread?311825

Can this occur through both Mozilla and IE or is it just limited to IE?

The issue is with a server-side "exploit", it has nothing to do with the client browser. You could hack together a script to do the same thing, without even using a browser. The issue is lazy coding on the part of the web developers, it's not a browser issue. Tue, 29 Apr 2008 04:43:00 GMT donotreply@osnews.com (elsewhere) Comments RE[4]: great news http://osnews.com/thread?311864 http://osnews.com/thread?311864 Not from what I see. See Thom's article on Dutch laws and how EULAs are considered contracts under Dutch law. If you sign that contract saying you won't sue, then you're screwed. I suspect a great deal many countries will be the same as the Netherlands, caring more for the big corporations and rich, and bugger all for the average person.

Dave Tue, 29 Apr 2008 10:06:00 GMT donotreply@osnews.com (melkor) Comments RE: Three Words http://osnews.com/thread?312146 http://osnews.com/thread?312146 Or - at the *very* least - create a DB user with read-only permissions for the publicly-accessible portions of a web-based app (no write privs. == injection no worky). Wed, 30 Apr 2008 15:52:00 GMT donotreply@osnews.com (StephenBeDoper) Comments