
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


SQL Injections Strike Again

One of the golden rules of developing websites is that any time users are able to enter data of any sort on the site, that data should be validated before anything is done with it in the site's back end. Validation is designed not only to give the site usable input, but also to ensure that weaknesses in the site's code aren't inadvertently exploited by nothing more than misplaced punctuation.

Correctly validated input is also an essential element of a secure site, whether those probing your security are doing so for malicious reasons or not. Getting it right can be difficult, even for companies that are in the business of Information Security.

Of the various website vulnerabilities that result from improperly validated user input, SQL injection (SQLi) is one of the more dangerous. Input that is passed straight into a database query lets an attacker supply SQL syntax as part of that input, and because it reaches the database as part of the statement, the attacker can retrieve data or, in the worst case, take control of the database. Just how bad a given SQLi is depends on the permissions granted to the database account the website uses. A tightly restricted account limits the damage to reading the databases and tables the site normally interacts with. A fully privileged account (sadly all too common for many sites) lets an attacker add, read and delete data, alter the database setup, or reach every other database on the same server. Validation narrows the attack surface, but the reliable fix is to keep user data out of the SQL text altogether by using parameterised queries, so the database never has the chance to interpret input as code.
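The following is an added example, not code from the original article, showing the mechanism described above against a constructed in-memory SQLite database: a login query that splices user text into the SQL, the same query with bound parameters, and an allowlist validator of the kind the article recommends. Table names, sample rows and the `api_keys` table standing in for "data the site normally interacts with" are all assumptions for illustration; SQLite has no per-account privileges, so the permissions point is not demonstrated here.

```python
import re
import sqlite3


def make_db():
    """Build a constructed sample database (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE api_keys (id INTEGER PRIMARY KEY, owner TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.executemany("INSERT INTO api_keys (owner, secret) VALUES (?, ?)",
                     [("alice", "AKIA-EXAMPLE-1"), ("bob", "AKIA-EXAMPLE-2")])
    return conn


def login_vulnerable(conn, username, password):
    """Classic SQLi: user text becomes part of the statement itself.

    A password of  ' OR '1'='1  turns the WHERE clause into
    username = 'x' AND password = '' OR '1'='1', which is true for every row.
    A username of  x' UNION SELECT owner, secret FROM api_keys --  pulls a
    second table into the result and comments out the rest of the query.
    """
    sql = ("SELECT username, password FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterised form: the driver sends the input as data, never as SQL.

    The same payloads are compared literally against the column and match nothing.
    """
    sql = "SELECT username, password FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def validate_username(value):
    """Allowlist check for a username field (a defence-in-depth layer, not a substitute
    for parameterised queries). Only letters, digits and underscore, 1 to 32 chars."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", value) is not None


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    union = "x' UNION SELECT owner, secret FROM api_keys --"
    print("vulnerable, tautology:", login_vulnerable(db, "x", tautology))
    print("vulnerable, UNION    :", login_vulnerable(db, union, ""))
    print("safe, tautology      :", login_safe(db, "x", tautology))
    print("safe, UNION          :", login_safe(db, union, ""))
    print("validator rejects    :", not validate_username(union))
```

Run as a script to see the vulnerable login return every user (and then the contents of a table the login code never mentions), while the parameterised version returns nothing for the same input. The validator rejects both payloads, but it would also reject legitimate input in other fields (a free-text comment box cannot be restricted this way), which is why binding parameters is the primary control and validation the secondary one.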

All this through nothing more than text entered on a website.

It is still a major problem, with recent reports identifying more than 100,000 sites compromised since November as a result of a single coordinated attack. Nor is it only everyday sites that come under attack: Kaspersky has come under renewed attack. Although the attack wasn't against the main Kaspersky site, a successful attack against branded partner sites is still an embarrassing result for an Information Security software developer.

15 December 2009
