aefstoggaflm (Open Source Fan, Premium Member, join:2002-03-04, Bethlehem, PA)
DECLARE @S CHAR(4000)
» radsoft.net/resources/ra ··· 00.shtml
quote: There comes a time when people just get sick of the shit and pestilence that's Windows.

Techless (Lets pretend I care, Premium Member, join:2002-07-19, Hypoluxo, Fl)
2008-Aug-29 5:17 pm
to aefstoggaflm
The only OS I trust is Captain Morgan.

kpatz (MY HEAD A SPLODE, Premium Member, join:2003-06-13, Manchester, NH)
to aefstoggaflm
What is that, some sort of IIS/SQL Server exploit?
I'll have to do some research...
EDIT: Just did... found some nasty crapola. No wonder I'm getting burned out.

Steve (I know your IP address, join:2001-03-10, Tustin, CA)
to aefstoggaflm
Sigh, another ignorant open source nutcase; this has nothing to do with Microsoft and everything to do with stupid application developers: SQL Injection is the fault of neither the operating system nor the database.
Steve

R4M0N (Brazilian Soccer Ownz Joo, join:2000-10-04, Glen Allen, VA)
to aefstoggaflm
Wow... that guy has gone completely off his rocker. I've only seen such an example of unreasonable hyperbole in political bickering.

nwrickert
to aefstoggaflm
The rant is silly.
My web logs are showing many of these. Apart from filling the logs, they are not doing anything, other than fetch the home page.
I agree with some of the other responders. There isn't an obvious connection to Microsoft. The problem is misconfigured web servers that are susceptible to such attacks.

nwrickert
to R4M0N
said by R4M0N: Wow... that guy has gone completely off his rocker. I've only seen such an example of unreasonable hyperbole in political bickering.
He probably has a badly set up system that can be (and perhaps has been) attacked in this way, and is trying to blame others for what is his own responsibility.

Steve (I know your IP address, join:2001-03-10, Tustin, CA)
to nwrickert
said by nwrickert: There isn't an obvious connection to Microsoft.
Actually, there is: this attacks web sites built on Microsoft SQL Server; they are responsible the same way that Pella is responsible if somebody breaks my (ahem) windows and robs my house.

bobince
to aefstoggaflm
There is a little blame to throw Microsoft's way.
Though SQL injection is not their fault, the decision in SQL Server to allow multiple statements on one line exacerbates the problem.
In this example, as with the other Asprox sploits this year, the code relies on being able to terminate the statement being injected into and start a new one with a semicolon.
Some other DBMSs/access layers (e.g. MySQL) disallow this. So while the web application may still be broken and insecure, it usually requires some non-trivial app-specific analysis to work out if and how the hole may be abused. And even then the damage tends to be much more limited; you won't be able to scribble exploit iframes over every table.
For these reasons it's not really possible to write this sort of automated attack against arbitrary scripts when the database layer restricts multiple semicolon-separated statements. There is not really much valid reason to use multiple statements in a non-interactive context like a web site's data access layer, so SQL Server should really disable (or default-off) the feature to do everyone a favour.

Steve (I know your IP address, join:2001-03-10, Tustin, CA)
2008-Aug-30 12:12 pm
said by bobince: There is a little blame to throw Microsoft's way. Though SQL injection is not their fault, the decision in SQL Server to allow multiple statements on one line exacerbates the problem.
Hmmm, I have to think about this for a bit. It's true that many SQL injection exploits rely on the fact that multiple statements can be run on a single line, but it's not a slam dunk that this is a foolish feature. There is always a tradeoff between security and usability, and this is a feature that people have wanted. Since (at least) MySQL, Oracle, and IBM's DB2 don't allow them, I wonder how strong a case can be made for them. I suppose one could make a good case that MS-SQL ought to have an installation switch that disabled them, perhaps on a per-database basis, and I know I'd use this if building a system. So ok, this particular feature - which is not foolish on its face - contributes to a less secure environment. It won't make something insecure on its own, because it requires that the application make a mistake first. But in no case does this warrant a "Microsoft is a sickness" kind of nonsense.
Steve

to bobince
MySQL does indeed support multiple statements similar to Microsoft's product. The major difference is that option is initially turned off in MySQL.
Also, there are quite a few active SQL Injection methods that don't involve multiple statements or a particular database vendor.

to aefstoggaflm
Yawn, another rant from an idiot who apparently doesn't know much about databases or database coding, as this is neither a Windows bug nor a SQL Server issue, but is an example of poor coding and/or secure coding practices. SQL injection attacks can occur against pretty well any database on any OS as it's a result of insecure coding or design. Want to stop SQL Injection attacks cold? Use nothing but stored procedures and allow user access to nothing but stored procedures. Now the problem with that is everyone wants those lovely 'dynamic custom user reports', which implies that somewhere you're going to be building SQL on the fly. OK, but at least parameterize the user input so that user input can only ever be treated as data and never as SQL.
Multiple statements per line have been a common 'feature' in SQL pretty much since the dawn of SQL.
Blake

Steve (I know your IP address, join:2001-03-10, Tustin, CA)
2008-Aug-31 9:42 am
Actually, use of stored procedures is neither necessary nor sufficient to prevent SQL injection: one can easily create dynamic SQL inside of that stored procedure and get injected just the same as dynamic SQL used directly.
Furthermore, even if one completely manages to avoid SQL injection, that still doesn't fix the problem: if I enter my last name as (script)badstuffhere(/script) (with proper HTML < and >), then if that email address is displayed to a forum user, it can either perform cross-scripting or provide directly-bad HTML.
There is no silver bullet for this. One must perform exhaustive sanitization of SQL input, and proper HTML encoding of outputs.
It's a lot of work.
Steve

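The four points argued in the posts above (bobince: the attack needs to terminate the statement and stack a second one; the reply that plenty of injections need no second statement; Blake: bind user input as data; Steve: encode on output too) can all be exercised against a throwaway database. The following Python is an added example written for this page, not code from any poster; it uses Python's bundled sqlite3 module, whose execute() prepares exactly one statement and refuses the rest, while executescript() runs a whole semicolon-separated batch, so the two calls stand in for a one-statement-only access layer and for SQL Server's batch behaviour respectively. Table names, rows, the iframe host (a reserved placeholder) and the payload strings are all constructed for the demo; the UPDATE touches one table rather than walking every text column as the real batch did.

```python
import html
import sqlite3

# Constructed demo data (not from the thread). customers is the table the
# page queries; pages stands in for the text columns the Asprox batch rewrote.
PAGES_CLEAN = ["<p>welcome</p>", "<p>about us</p>"]
# Placeholder iframe; the host is reserved, not a real payload URL.
IFRAME = '<iframe src="http://example.invalid/" width=0 height=0></iframe>'

# Asprox-style stacked payload: close the string, end the statement, append
# an UPDATE that prepends the iframe to every page, comment out the rest.
STACKED = "x'; UPDATE pages SET html = '" + IFRAME + "' || html; --"
# Single-statement payload: no semicolon needed, so a one-statement-only
# access layer does nothing against it.
TAUTOLOGY = "x' OR 1=1 --"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("CREATE TABLE customers(name TEXT, bio TEXT);"
                       "CREATE TABLE pages(html TEXT);")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("alice", "likes cats"), ("bob", "<script>alert(1)</script>")])
    conn.executemany("INSERT INTO pages VALUES (?)", [(p,) for p in PAGES_CLEAN])
    conn.commit()
    return conn


def lookup_vulnerable(conn, name, allow_stacked):
    """The bug under discussion: user input spliced into the SQL text.

    allow_stacked=True models a driver/DBMS that runs the whole
    semicolon-separated batch (SQL Server's behaviour); False models an
    access layer that prepares exactly one statement and rejects the rest
    (sqlite3's execute(), MySQL's default client setting).
    """
    sql = "SELECT name, bio FROM customers WHERE name = '" + name + "'"
    if allow_stacked:
        conn.executescript(sql)          # executes every statement in the string
        return []
    return conn.execute(sql).fetchall()  # raises if more than one statement is present


def lookup_safe(conn, name):
    """Parameterised query: the input is bound as data, never parsed as SQL."""
    return conn.execute("SELECT name, bio FROM customers WHERE name = ?",
                        (name,)).fetchall()


def render_row(name, bio):
    """Output encoding, the separate fix for the XSS half of the problem."""
    return "<td>%s</td><td>%s</td>" % (html.escape(name), html.escape(bio))


def pages(conn):
    return [row[0] for row in conn.execute("SELECT html FROM pages")]


def demo():
    results = {}

    # 1. Stacked statements allowed: one request defaces every page.
    conn = make_db()
    lookup_vulnerable(conn, STACKED, allow_stacked=True)
    results["stacked_defaced"] = all(p.startswith(IFRAME) for p in pages(conn))

    # 2. One statement per call: the same payload is refused and nothing changes.
    conn = make_db()
    try:
        lookup_vulnerable(conn, STACKED, allow_stacked=False)
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        pass                              # "You can only execute one statement at a time."
    results["stacked_blocked"] = pages(conn) == PAGES_CLEAN

    # 3. ...but the application is still broken: a tautology dumps the table.
    results["tautology_rows"] = len(lookup_vulnerable(conn, TAUTOLOGY, allow_stacked=False))

    # 4. Parameterised: both payloads are just names that match nothing.
    results["safe_rows"] = (len(lookup_safe(conn, STACKED))
                            + len(lookup_safe(conn, TAUTOLOGY)))

    # 5. Stored data is still hostile on output; encode it when rendering.
    results["escaped"] = render_row(*lookup_safe(conn, "bob")[0])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Step 2 is the whole of bobince's argument and its limit: refusing the second statement stops the automated mass-defacement, and step 3 shows the same string-built query still leaks every row to a payload that never uses a semicolon. Only step 4 closes the hole, and step 5 is the separate encoding Steve is asking for, because bob's bio is perfectly safe in the database and only dangerous once it is pasted into HTML.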
aefstoggaflm (Open Source Fan, Premium Member, join:2002-03-04, Bethlehem, PA)
to Steve
[EDIT] Removed..

m0d (join:2005-03-02, ireland)
to aefstoggaflm
Re: DECLARE @S CHAR(4000)
SQL Injection is not purely a Microsoft problem. In this case, it may hurt MSSQL more easily but that is not to say there are not a ton of injections out there for all platforms.
I ended up getting a ton of automated emails about this exploit. That alone was annoying enough to create a rule in .htaccess along the lines of:

    RewriteEngine on
    RewriteCond %{QUERY_STRING} ^(.+)declare(.+)$ [NC]
    RewriteRule ^.* - [F,L]

They get access denied, I don't get a ton of junk mail per day. I would also recommend doing that for "Declare", "Select", "Insert" etc., all of which should never be in a normal URL. You also help defend future "new" injections by doing this.
Ahh PS: Yes .. the "Microsoft angle" here would be all the compromised machines that are bot-netted .. and that perhaps IS a point.

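Several posters mention these requests filling their web logs, and m0d's rule matches on the bare keyword. As an added example that is not part of the thread or of anyone's .htaccess, the Python below scans Apache-style access log lines for the structure the subject line refers to (a DECLARE of a variable followed by a CAST of a hex literal, the form that year's automated injections took) and decodes the hex literal so the analyst can read the statement the batch would have executed. The log lines, client addresses, the hidden statement and the iframe host (a reserved placeholder) are all constructed for this example.

```python
import re
import urllib.parse

# The statement the attacker hides inside the hex literal.  Constructed for
# this example; the iframe host is a reserved placeholder, not a real payload.
HIDDEN_STATEMENT = ("UPDATE pages SET html = "
                    "'<iframe src=\"http://example.invalid/\"></iframe>' || html")

# Constructed Apache-style access log lines, not any poster's real logs.
# Line 1 has the DECLARE / SET @S=CAST(0x... / EXEC shape; line 2 is a
# legitimate search that merely contains the word "declare"; line 3 is noise.
SAMPLE_LOG = [
    '10.0.0.1 - - [29/Aug/2008:17:05:12 -0400] "GET /page.asp?id=1;DECLARE%20@S%20'
    'CHAR(4000);SET%20@S=CAST(0x' + HIDDEN_STATEMENT.encode("ascii").hex() +
    '%20AS%20CHAR(4000));EXEC(@S);-- HTTP/1.1" 200 1234',
    '10.0.0.2 - - [29/Aug/2008:17:06:01 -0400] "GET /search.asp?q=declare+of+independence'
    ' HTTP/1.1" 200 5678',
    '10.0.0.3 - - [29/Aug/2008:17:07:44 -0400] "GET /page.asp?id=42 HTTP/1.1" 200 910',
]

# Combined-log-format prefix: client, ident, user, [timestamp], "METHOD target HTTP/..."
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')
# DECLARE a variable, then a CAST of a hex literal: match the structure, not a keyword.
ASPROX_RE = re.compile(r"declare\s+@\w+.*?cast\s*\(\s*0x([0-9a-f]+)", re.I | re.S)


def decode_hex_literal(hexdigits):
    """Turn the 0x... literal back into text: UTF-16LE if the odd bytes are
    mostly NUL (the NVARCHAR variants), otherwise plain 8-bit."""
    data = bytes.fromhex(hexdigits)
    if len(data) % 2 == 0 and data[1::2].count(0) > len(data) // 4:
        return data.decode("utf-16-le", "replace")
    return data.decode("latin-1")


def scan(log_lines):
    """Return (client_ip, decoded_statement) for each line carrying the payload."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        query = urllib.parse.urlsplit(target).query
        decoded = urllib.parse.unquote_plus(query)   # undo %20, +, %3B etc. first
        p = ASPROX_RE.search(decoded)
        if p:
            hits.append((ip, decode_hex_literal(p.group(1))))
    return hits


if __name__ == "__main__":
    for ip, stmt in scan(SAMPLE_LOG):
        print(ip, "->", stmt)
```

Decoding the query string before matching matters because the payload arrives percent-encoded, and matching on the DECLARE-then-CAST(0x...) structure keeps a search for "declare of independence" out of the hit list; the hex decode is what turns a line of digits in the log into the UPDATE an incident responder actually needs to read.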