aefstoggaflm
Open Source Fan
Premium Member
join:2002-03-04
Bethlehem, PA
Linksys E4200
ARRIS SB6141

DECLARE @S CHAR(4000)

»radsoft.net/resources/ra ··· 00.shtml
quote:
There comes a time when people just get sick of the shit and pestilence that's Windows.

Techless
Lets pretend I care
Premium Member
join:2002-07-19
Hypoluxo, Fl

The only OS I trust is Captain Morgan.
Graycode
Member
join:2006-04-17

to aefstoggaflm
They happen here too: »"declare CHAR(4000)" etc injection attacks
kpatz
MY HEAD A SPLODE
Premium Member
join:2003-06-13
Manchester, NH

1 edit

to aefstoggaflm
What is that, some sort of IIS/SQL Server exploit?

I'll have to do some research...

EDIT: Just did... found some nasty crapola. No wonder I'm getting burned out.

Steve
I know your IP address

join:2001-03-10
Tustin, CA

to aefstoggaflm
said by aefstoggaflm's quoted article:

»radsoft.net/resources/ra ··· 00.shtml
quote:
There comes a time when people just get sick of the shit and pestilence that's Windows.
Sigh, another ignorant open source nutcase; this has nothing to do with Microsoft and everything to do with stupid application developers: SQL Injection is the fault of neither the operating system nor the database.

Steve

R4M0N
Brazilian Soccer Ownz Joo
join:2000-10-04
Glen Allen, VA

3 edits

Member

to aefstoggaflm
Wow... that guy has gone completely off his rocker. I've only seen such an example of unreasonable hyperbole in political bickering.

nwrickert
Mod
join:2004-09-04
Geneva, IL

to aefstoggaflm
The rant is silly.

My web logs are showing many of these. Apart from filling the logs, they are not doing anything, other than fetch the home page.

I agree with some of the other responders. There isn't an obvious connection to Microsoft. The problem is misconfigured web servers that are susceptible to such attacks.
nwrickert
Mod

to R4M0N
said by R4M0N:

Wow... that guy has gone completely off his rocker. I've only seen such an example of unreasonable hyperbole in political bickering.
He probably has a badly setup system that can be (and perhaps has been) attacked in this way, and is trying to blame others for what is his own responsibility.

Steve
I know your IP address

join:2001-03-10
Tustin, CA

1 recommendation

to nwrickert
said by nwrickert:

There isn't an obvious connection to Microsoft.
Actually, there is: this attacks web sites built on Microsoft SQL Server; they are responsible the same way that Pella is responsible if somebody breaks my (ahem) windows and robs my house.

bobince
join:2002-04-19
DE

1 edit

Member

to aefstoggaflm
There is a little blame to throw Microsoft's way.

Though SQL injection is not their fault, the decision in SQL Server to allow multiple statements on one line exacerbates the problem.

In this example, as with the other Asprox sploits this year, the code relies on being able to terminate the statement being injected into and start a new one with a semicolon.

Some other DBMSs/access layers (eg. MySQL) disallow this. So while the web application may still be broken and insecure, it usually requires some non-trivial app-specific analysis to work out if and how the hole may be abused. And even then the damage tends to be much more limited; you won't be able to scribble exploit-iframes over every table.

For these reasons it's not really possible to write this sort of automated attack against arbitrary scripts when the database layer restricts multiple semicolon-separated statements. There is not really much valid reason to use multiple statements in a non-interactive context like a web site's data access layer, so SQL Server should really disable (or default-off) the feature to do everyone a favour.

Steve
I know your IP address

join:2001-03-10
Tustin, CA

said by bobince:

There is a little blame to throw Microsoft's way.

Though SQL injection is not their fault, the decision in SQL Server to allow multiple statements on one line exacerbates the problem.
Hmmm, I have to think about this for a bit.

It's true that many SQL injection exploits rely on the fact that multiple statements can be run on a single line, but it's not a slam dunk that this is a foolish feature. There is always a tradeoff between security and usability, and this is a feature that people have wanted.

Since (at least) MySQL, Oracle, and IBM's DB2 don't allow them, I wonder how strong a case can be made for them. I suppose one could make a good case that MS-SQL ought to have an installation switch that disabled them, perhaps on a per-database basis, and I know I'd use this if building a system.

So ok, so this particular feature - which is not foolish on its face - contributes to a less secure environment. It won't make something insecure on its own, because it requires that the application make a mistake first.

But in no case does this warrant a "Microsoft is a sickness" kind of nonsense.

Steve
Graycode
Member
join:2006-04-17

to bobince
MySQL does indeed support multiple statements similar to Microsoft's product. The major difference is that option is initially turned off in MySQL.

Also, there's quite a few active SQL Injection methods that don't involve multiple statements or a particular database vendor.

Link Logger
MVM
join:2001-03-29
Calgary, AB

to aefstoggaflm
Yawn, another rant from an idiot who apparently doesn't know much about databases or database coding, as this is neither a Windows bug nor a SQL Server issue, but is an example of poor coding and/or secure coding practices. SQL injection attacks can occur against pretty well any database on any OS as it's a result of insecure coding or design. Want to stop SQL Injection attacks cold? Use nothing but stored procedures and allow user access to nothing but stored procedures. Now the problem with that is everyone wants those lovely 'dynamic custom user reports', which implies that somewhere you're going to be building SQL on the fly. OK, but at least parametrize the user input so that user input can only ever be treated as data and never as SQL.

Multiple statements per line have been a common 'feature' in SQL pretty much since the dawn of SQL.

Blake

Steve
I know your IP address

join:2001-03-10
Tustin, CA

Actually, use of stored procedures is neither necessary nor sufficient to prevent SQL injection: one can easily create dynamic SQL inside of that stored procedure and get injected just the same as dynamic SQL used directly.

Furthermore, even if one completely manages to avoid SQL injection, that still doesn't fix the problem: if I enter my last name as (script)badstuffhere(/script) (with proper HTML < and >), then if that email address is displayed to a forum user, it can either perform cross-scripting or provide directly-bad HTML.

There is no silver bullet for this. One must perform exhaustive sanitization of SQL input, and proper HTML encoding of outputs.

It's a lot of work.

Steve
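An added example, not code from any poster in this thread, that puts the three points of the bobince / Link Logger / Steve exchange side by side in Python with the standard-library sqlite3 module: a concatenated query versus a bound parameter, whether the access layer will run two semicolon-separated statements in one call, and HTML-encoding on output. The users table, names and inputs are all constructed here.

```python
import html
import sqlite3

def make_db():
    """Constructed sample data: a tiny users table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn

def find_user_concat(conn, name):
    """The broken pattern the thread is about: untrusted text is spliced into the
    SQL string, so a quote or semicolon in it is parsed as SQL, not as data."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_param(conn, name):
    """Link Logger's remedy: the value is bound as a parameter and is only ever data."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()

def concat_outcome(conn, name):
    """Run the concatenated version and report either its rows or the error class
    raised, so the two query styles can be compared on the same input."""
    try:
        return ("rows", find_user_concat(conn, name))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)

def allows_stacked_statements(conn):
    """bobince's point: will the access layer run two semicolon-separated statements
    in one call? sqlite3's execute() refuses (ProgrammingError in current Python,
    Warning in older releases), which is the safer default he argues for."""
    try:
        conn.execute("SELECT 1; SELECT 2")
        return True
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return False

def render_name(name):
    """Steve's second point: bound parameters protect the database, not the browser;
    HTML-encode every value on the way out."""
    return html.escape(name, quote=True)

if __name__ == "__main__":
    db = make_db()
    print(concat_outcome(db, "O'Brien"))   # the quote becomes SQL syntax and breaks the query
    print(find_user_param(db, "O'Brien"))  # the same input is handled as data: no rows, no error
    print(allows_stacked_statements(db))
    print(render_name("<script>badstuffhere</script>"))
```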

aefstoggaflm
Open Source Fan
Premium Member
join:2002-03-04
Bethlehem, PA

1 edit

to Steve
[EDIT] Removed..
m0d
join:2005-03-02
ireland

2 edits

Member

to aefstoggaflm

Re: DECLARE @S CHAR(4000)

SQL Injection is not purely a Microsoft problem. In this case, it may hurt MSSQL more easily but that is not to say there are not a ton of injections out there for all platforms.

I ended up getting a ton of automated emails about this exploit. That alone was annoying enough to create a rule in .htaccess along the lines of:

RewriteEngine on

RewriteCond %{QUERY_STRING} ^(.+)declare(.+)$ [NC]
RewriteRule ^.* - [F,L]

They get access denied, I don't get a ton of junk mail per day. I would also recommend doing that for "Declare", "Select", "Insert" etc .. all of which should never be in a normal URL. You also help defend future "new" injections by doing this.

Ahh PS: Yes .. the "Microsoft angle" here would be all the compromised machines that are bot-netted .. and that perhaps IS a point.
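An added example (not m0d's code) that applies the same keyword test to web-server log lines in Python, so a rule like the one above can be checked against real traffic before it is deployed: it parses constructed Apache combined-format lines, URL-decodes the query string and flags requests containing "declare"; widening the list to "select" and "insert" as suggested also catches a legitimate report URL (?action=select), which is the false-positive risk to weigh first.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-format log lines (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2008:03:14:15 +0000] "GET /page.asp?id=12;DECLARE%20@S%20CHAR(4000);-- HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.4 - - [10/Jun/2008:03:14:16 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2008:03:14:17 +0000] "GET /reports.php?action=select&year=2008 HTTP/1.1" 200 3072 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Jun/2008:03:14:18 +0000] "GET /page.asp?id=7%3Bdeclare+%40s+char%284000%29 HTTP/1.1" 403 0 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def parse_line(line):
    """Split one log line into fields; the query string is URL-decoded before matching,
    because a RewriteCond on %{QUERY_STRING} sees the raw, still-encoded form."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["query"] = unquote_plus(urlsplit(rec["target"]).query)
    return rec

def flag_requests(log_text, keywords=("declare",)):
    """Return (client IP, decoded query) for each request whose query string contains
    any keyword, matched case-insensitively like the [NC] flag in m0d's rule."""
    pat = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and pat.search(rec["query"]):
            hits.append((rec["ip"], rec["query"]))
    return hits

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("declare:", hit)
    # Widening the list to "select"/"insert", as the post suggests, also catches the
    # legitimate report URL (?action=select): review such false positives before blocking.
    for hit in flag_requests(SAMPLE_LOG, keywords=("declare", "select", "insert")):
        print("broad:", hit)
```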