SQL Security Vulnerability in Poorly Designed Applications

Recently there has been a widespread exploit that targets poorly designed applications on Windows-based platforms. The exploit is not the result of a security hole in Windows, IIS or SQL Server. Rather, it is the result of web applications not properly validating user input before passing it to the SQL server.

The vulnerability recently gained a high profile when a few hackers were able to break into the United Nations website and tens of thousands of others.

Therefore, it is imperative that you check your application code for any vulnerabilities that could lead to a compromise of your database and possibly the whole server.

For more information on this exploit, please visit the following sites:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9080580

http://hackademix.net/2008/04/26/mass-attack-faq

On our end, we’ve tightened the security on the servers as much as possible without compromising accessibility. However, because this vulnerability is the result of poor application coding, the best way to protect your site is to validate user inputs before passing them to the SQL server. The references included above will give your web developer a better idea of how the exploit works.

If you have any questions or concerns about this issue or others, please don’t hesitate to contact our support department.

UPDATE: TechTarget has a good article on how to test your application at: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci996071,00.html Basically, if your application passes variables in the URL as in home.asp?a=value, then try passing a=val’ue and see whether this breaks the MSSQL query. If it does, you may have a problem there.
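As an added example (not code from the original post), here are the two patterns this advisory contrasts, the concatenated query and the parameterized one, with the single-quote check from the update above run against each. SQLite is assumed as a stand-in for MSSQL so the snippet runs offline, and the table, column and parameter names are constructed.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the MSSQL database behind home.asp.
    SQLite is used only so the example runs offline; the pattern is the same on MSSQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, a TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages (a, body) VALUES (?, ?)",
                     [("home", "Welcome"), ("about", "About us")])
    return conn


def lookup_concat(conn, a):
    """The vulnerable pattern: the URL parameter is pasted straight into the SQL text."""
    sql = "SELECT body FROM pages WHERE a = '" + a + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_param(conn, a):
    """The hardened pattern: the value travels separately from the SQL text,
    so a quote inside it is data, never syntax."""
    row = conn.execute("SELECT body FROM pages WHERE a = ?", (a,)).fetchone()
    return row[0] if row else None


def quote_test(lookup, a="val'ue"):
    """The single-quote check described in the update above: does a stray quote
    in the parameter break the query? Returns "error" if the database rejected
    the SQL, otherwise the (possibly empty) lookup result. An error from a
    production page is the warning sign the post describes."""
    conn = make_db()
    try:
        return lookup(conn, a)
    except sqlite3.Error:
        return "error"
    finally:
        conn.close()


if __name__ == "__main__":
    # The quote terminates the string literal early and the query fails to parse.
    print("concatenated:", quote_test(lookup_concat))
    # The same input is simply a value that matches no row; the query runs fine.
    print("parameterized:", quote_test(lookup_param))
    print("parameterized, normal input:", quote_test(lookup_param, "home"))
```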

UPDATE: This is a good blog post about things that can be done to help find the problem in the code (URLScan 3, Scrawlr, MSCASI):

http://blogs.technet.com/swi/archive/2008/06/24/new-tools-to-block-and-eradicate-sql-injection.aspx

UPDATE: This is another great article on Cross-Site Scripting and ASP.NET. Though not directly related to the SQL issue, it does underline the importance of properly designed code:

http://forum.dotnetpanel.com/blogs/dan/archive/2009/02/11/cross-site-scripting-in-asp-net.aspx