Hackers turn Cleveland into malware server

I'm glad issues like this are getting some press again. Worms like these can bring the internet to a standstill.

Anyone remember that SQL Server worm a few years back? After that everyone made sure SQL Server was patched up!
 

n00b admins might forget to patch their SQL installs - or they think they'll be safe and not patch it...

...and it'll start again.
 
Not administrator's fault

Actually this is not due to bad admin procedures or a sql server open to the internet:

A SQL injection attack works as follows: you find a script which accepts parameters...which is used to query a database.

You then call that script directly with *SQL commands in the parameter*.

For instance, if the parameter was ?surname=Jones, then you can be pretty sure the script will run a "where surname='jones'..." query...and this is where you attack: by adding SQL to the parameter for instance:

?surname=jones;insert into table ('email') values ('java script to execute')

The script will now update the table and next time a surname is read and displayed, a java script will execute.

Nothing the hostmaster or sysadmin can do about this - it's a developer problem.

Specifically, a developer should ALWAYS check the validity of his parameters before he runs a query to the database. A simple way to do this is to:
- truncate at a reasonable length (ie a surname should not be longer than say 55 chars)
- replace quote signs with " ` "
- replace escape chars such as "--" and ";" with something else
- replace spaces in the input with something like   or _

in principle, accept and store the data in such a way that a valid SQL command cannot be formulated.

Now consider that every script that accepts input parameters used to query a database has to be sanitized as above.... :((

For more detail, here is a good article on SQL injection:
http://www.securiteam.com/securityreviews/5DP0N1P76E.html


Regards
Waldo
www.cozahost.com
 