
Lizamoon Attack Targets SQL Injection Vulnerability

Renegade:
http://www.pcworld.com/businesscenter/article/224125/lizamoon_attack_what_you_need_to_know.html

The world was rocked today by LizaMoon--a SQL injection attack which has compromised well over one million Websites. No need to panic, though. A little information and common sense are all you need to make sure that LizaMoon is nothing more than a minor annoyance.

What Happened?

LizaMoon is a SQL injection attack that inserts malicious code on otherwise legitimate sites. However, don't let the fact that it is called SQL injection cause you to jump to the conclusion that there is a flaw in Microsoft SQL Server.

An FAQ from Websense--the security firm credited with the initial discovery of LizaMoon--explains, "Everything points to that this is a vulnerability in a web application. We don't know which one(s) yet but SQL Injection attacks work by issuing SQL commands in un-sanitized input to the server. That doesn't mean it's a vulnerability in the SQL Server itself, it means that the Web application isn't filtering input from the user correctly."
--- End quote ---

Ahem...

Nuff said. :)

barney:
Nuff said. :)
-Renegade (April 02, 2011, 10:56 PM)
--- End quote ---
Well-l-l-l ... maybe not  :).  Most anything I've seen for sanitization involves regular expressions.  Not something many Web masters cleave unto, much less understand.  Until the script providers - PHP, JS, et al., actually provide cleansing routines, many Web folk just aren't/won't be qualified for cleansing of that nature.  (Of course, if it's provided in the language, any baddie past the script-kiddie stage will likely overcome it unless it's really good  ;D.)

Professional sites have no excuse, of course, but then, how many sites on the Web are really professional  :-\?  And how many of those sites were hit  :P? 

Injection attacks are no joke, but there's really not a lot out there to make folk aware how dangerous they can be, and even less on practical advice on avoidance of such.  (Learn, as a command, is neither practical nor effective  :(.)

Renegade:
There are abstraction layers that you can use to take care of things for you. There really is no excuse. Nobody should ever be writing SQL statements dynamically in a production system, and especially in a front-facing production system.

f0dder:
Nobody should ever be writing SQL statements dynamically in a production system, and especially in a front-facing production system.
-Renegade (April 03, 2011, 02:00 AM)
--- End quote ---
Well, you definitely shouldn't be doing it the string-concatenation way, that's for sure - but technologies like LINQ use dynamic SQL under the hood :)

I'm pretty miffed that a lot of people still are doing string-concatenated SQL by hand. Like, wtf? It's insecure, it's slow, and if you're using a SQL provider that doesn't support bound arguments... go hang yourself.

Renegade:
Nobody should ever be writing SQL statements dynamically in a production system, and especially in a front-facing production system.
-Renegade (April 03, 2011, 02:00 AM)
--- End quote ---
Well, you definitely shouldn't be doing it the string-concatenation way, that's for sure - but technologies like LINQ use dynamic SQL under the hood :)

I'm pretty miffed that a lot of people still are doing string-concatenated SQL by hand. Like, wtf? It's insecure, it's slow, and if you're using a SQL provider that doesn't support bound arguments... go hang yourself.
-f0dder (April 03, 2011, 06:35 AM)
--- End quote ---

That's exactly what I mean. There's an abstraction layer there that takes care of it for you. Why would anyone want to do it themselves? :)

I think I probably phrased that wrong, but you obviously know what I mean.
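An added illustration of the point the thread keeps circling back to (this is example code written for this page, not from the PCWorld article or any poster): the same lookup written two ways, once by pasting user input into the SQL text and once with a bound parameter, run against a constructed in-memory SQLite table. The function names, the table and the sample input are all made up here; Python's standard-library `sqlite3` module supplies the `?` placeholder binding, which is the "bound arguments" f0dder refers to. No regular-expression cleansing is involved in the safe version: the statement text never changes, so the driver only ever treats the input as a value to compare.

```python
import sqlite3


def make_db():
    """Constructed sample data: a small table standing in for a site's user lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn


def lookup_concatenated(conn, username):
    # Vulnerable (the string-concatenation way): the input becomes part of the
    # statement text, so a quote character in it changes the query's structure.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    # Hardened: the statement text is fixed and the value is bound separately,
    # so whatever the input contains is compared as data, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run both lookups on a constructed input containing a quote and return the results."""
    conn = make_db()
    # Constructed test input: a quote followed by an always-true condition.
    quoted_input = "x' OR '1'='1"
    return {
        "concatenated": lookup_concatenated(conn, quoted_input),   # every row comes back
        "parameterized": lookup_parameterized(conn, quoted_input),  # no such username
        "normal": lookup_parameterized(conn, "alice"),              # ordinary lookup still works
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:14s} -> {rows}")
```

The concatenated version returns both users because the WHERE clause has been rewritten by the input; the parameterized version returns nothing because no username is literally `x' OR '1'='1`. That is the whole reason an abstraction layer or a driver with bound arguments is preferable to hand-written input filtering: correctness does not depend on anticipating every character an attacker might send.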
