Linked by Thom Holwerda on Mon 28th Apr 2008 19:22 UTC, submitted by Hakime
Law and Order
Last week, The Washington Post reported that hundreds of thousands of IIS webservers were hacked. Code was placed on them that installed malware on visitors' computers. Among the infectees were websites from the UK government and the United Nations. Initial reports said the attackers used a security vulnerability in Microsoft's IIS, but the company published more information on the attacks today, and denies IIS was compromised.
Thread beginning with comment 311749
Three Words
by linumax on Mon 28th Apr 2008 20:23 UTC
linumax
Member since:
2007-02-07

Always Sanitize Input

RE: Three Words
by Kroc on Mon 28th Apr 2008 20:49 in reply to "Three Words"
Kroc Member since:
2005-11-10

I can imagine the IT weekly article:
Businesses: sanitise your programmers!

Score: 1

RE: Three Words
by A.H. on Mon 28th Apr 2008 21:11 in reply to "Three Words"
A.H. Member since:
2005-11-11

Two words: stored procedures

Three words: No dynamic SQL

Score: 1

RE[2]: Three Words
by gonzo on Mon 28th Apr 2008 21:24 in reply to "RE: Three Words"
gonzo Member since:
2005-11-10

Two words: stored procedures

Two words: Not necessarily.

Three words: No dynamic SQL

Two words: Unless parameterized.

Score: 10

RE[2]: Three Words
by jayson.knight on Mon 28th Apr 2008 22:21 in reply to "RE: Three Words"
jayson.knight Member since:
2005-07-06

Two words: stored procedures

Three words: No dynamic SQL


Actually the solution is simple: Always use parameterized queries. Never ever ever use string concatenation. Not everyone is a fan of sprocs, and they've actually fallen out of favor more lately now that ORMs are more mainstream and easier to use.

Score: 4
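The distinction the comment above draws between string concatenation and parameterized queries, shown as a runnable example. This is an added illustration, not code from the thread or from any of the posters; it uses an in-memory SQLite database and a constructed `users` table so it runs offline. The concatenated version breaks on a legitimate name containing an apostrophe and returns every row for a crafted input, while the parameterized version treats both inputs as plain data.

```python
"""Constructed demo: string-concatenated SQL versus a parameterized query.

Added example, not from the thread. The 'users' table and its rows are
constructed sample data; the database is an in-memory SQLite instance.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build the constructed sample table with three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.invalid"),
            ("bob", "bob@example.invalid"),
            ("o'brien", "obrien@example.invalid"),  # legitimate name with a quote
        ],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """The anti-pattern: user input is spliced into the SQL text itself.

    Any quote character in `name` changes the statement the engine parses,
    so a legitimate apostrophe is a syntax error and a crafted value can
    change the WHERE clause.
    """
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """The fix: the SQL text is constant; `name` is passed as a bound value.

    The driver never interprets the value as SQL, so quotes in it are just
    characters to compare against the column.
    """
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name: str) -> dict:
    """Run both lookups on a fresh database and report what each returned.

    'concatenated' is None when the concatenated statement failed to parse.
    """
    conn = make_db()
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.Error:
        concat = None
    param = lookup_param(conn, name)
    conn.close()
    return {"concatenated": concat, "parameterized": param}


if __name__ == "__main__":
    for value in ("alice", "o'brien", "' OR '1'='1"):
        print(repr(value), compare(value))
```

Running the block prints, for each input, the rows each variant returned. The parameterized lookup returns exactly the matching user (or nothing) in all three cases; the concatenated one fails on the apostrophe and returns all three users for the third input, which is the behaviour the comment is warning about.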

RE: Three Words
by google_ninja on Mon 28th Apr 2008 23:34 in reply to "Three Words"
google_ninja Member since:
2006-02-05

It's funny, I was reviewing some of our coding policy docs the other day (basically a 200+ page ppt), one of the many gems I found in it was "Treat all input as evil".

I want that on a shirt.

Edited 2008-04-28 23:34 UTC

Score: 2

RE: Three Words
by StephenBeDoper on Wed 30th Apr 2008 15:52 in reply to "Three Words"
StephenBeDoper Member since:
2005-07-06

Or - at the *very* least - create a DB user with read-only permissions for the publicly-accessible portions of a web-based app (no write privs. == injection no worky).

Score: 2
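The least-privilege point in the comment above (give the public-facing part of the app a database account that cannot write), as an added example that is not part of the thread. SQLite has no user accounts, so this example stands in for the read-only database user with SQLite's read-only open mode (`?mode=ro` in a URI filename); that substitution, the `pages` table and its row are all constructed for the illustration. A parameterized read still works through the read-only handle, while any write statement issued through it is refused by the engine before it can change data.

```python
"""Constructed demo of a read-only handle for the public part of a web app.

Added example, not from the thread. SQLite has no database users, so the
read-only DB user the comment recommends is modelled here with SQLite's
read-only open mode (URI ?mode=ro); on a real RDBMS the equivalent is an
account granted only SELECT on the tables the public pages need.
"""
import sqlite3
import tempfile
from pathlib import Path


def create_db(path: Path) -> None:
    """Populate the constructed database using the privileged, read-write handle."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE pages (slug TEXT PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO pages VALUES ('home', 'welcome')")
    conn.commit()
    conn.close()


def public_handle(path: Path) -> sqlite3.Connection:
    """The handle the publicly reachable code would use: opened read-only."""
    return sqlite3.connect(f"{path.as_uri()}?mode=ro", uri=True)


def read_page(conn: sqlite3.Connection, slug: str):
    """Ordinary parameterized read; works fine on the read-only handle."""
    return conn.execute("SELECT body FROM pages WHERE slug = ?", (slug,)).fetchone()


def try_write(conn: sqlite3.Connection) -> bool:
    """Attempt an UPDATE through the handle.

    Returns True if the write went through, False if the engine refused it
    (SQLite raises OperationalError: attempt to write a readonly database).
    """
    try:
        conn.execute("UPDATE pages SET body = 'changed' WHERE slug = 'home'")
        conn.commit()
        return True
    except sqlite3.OperationalError:
        return False


def demo() -> dict:
    """Create the database, then exercise the read-only handle."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "site.db"
        create_db(path)
        ro = public_handle(path)
        result = {
            "read_ok": read_page(ro, "home") == ("welcome",),
            "write_allowed": try_write(ro),
        }
        # Re-read to confirm the refused write left the row untouched.
        result["still_intact"] = read_page(ro, "home") == ("welcome",)
        ro.close()
        return result


if __name__ == "__main__":
    print(demo())
```

The read succeeds and the write is refused, so even if some other defect let attacker-controlled SQL reach this handle, it could not modify the stored pages. This does not replace parameterized queries (data could still be read through a read-only handle); it limits what a successful injection can do.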