help.net


Musing on .Net

News

Windows Phone Apps

FotoBank


FotoIreland

Windows 8 Apps




hit counters






Open source CMS


My blog

Irish blogs

Locations of visitors to this page Get Chitika eMiniMalls

.Net useful

Blogs I read

PocketPC

SQL

Usability

December 2008 - Posts

How to protect yourself against the latest SQL injection

Now it's time to rejoice and be positive. Following my different posts about the latest SQL injection attacks, I got all sorts of comments.

Roughly half of the commenters said I am a moron: why don't you go back to school and protect your databases, it's all your fault, don't blame OUR Microsoft!

The other half were more positive and more indulgent, trying to learn more about the threat and even thanking me for breaking the news.

I feel closer to the latter crowd, because those are the guys who share the pain and like to see some answers, rather than just being plain negative.

Yes, I admit the headline of my first post on the subject was strong, but the message was aimed at Microsoft, to make them move a bit. Yes, I am sometimes opinionated, but it's always for a good cause. And I got the reaction I wanted from Microsoft, with several replies, all positive.

Now back to the problem of SQL injection. I think that the new threat posed by the recent trojan is that it used a flaw in Internet Explorer to expose a cookie to a request stream and execute some SQL commands. Basically, what the T-SQL does is read the sysobjects table from the master table and paste the information into a temporary table, use this information to get all the details about tables and text fields, then populate the tables randomly with some JavaScript.

Really nasty! Anyway, the only way I was able to block it was to create a low-level access user for my front-end web application and revoke EXECUTE rights for this particular user at the server level.

That is not enough: you also need to remove the EXECUTE rights at the Master table level. I tried to remove all access to the Master table for this user, but for some unknown reason ADO.NET needs to have some access to this table, probably in a case like mine where I use ExecuteScalar.
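As an added example (not the post's own script), this is how the low-level front-end user described above can be set up in T-SQL on SQL Server 2005: the web login gets EXECUTE on the application's stored procedures only, direct table access is denied, and the effective rights are checked before the connection string is changed. The login, database, table and procedure names (web_app, AppDb, dbo.Articles, dbo.GetArticle, dbo.SaveComment) are placeholders.

```sql
-- Added example, not the post's own script. Placeholder names: web_app, AppDb,
-- dbo.Articles, dbo.GetArticle, dbo.SaveComment. Run as a sysadmin.
USE master;
-- The default database is the application database, so the login never lands in master.
CREATE LOGIN web_app
    WITH PASSWORD = N'<replace-with-a-strong-password>',
         DEFAULT_DATABASE = AppDb,
         CHECK_POLICY = ON;

USE AppDb;
CREATE USER web_app FOR LOGIN web_app;

-- Deny direct access to every table and view in the dbo schema. Because the stored
-- procedures below are also owned by dbo, ownership chaining still lets them read and
-- write those tables, while ad-hoc statements injected on the app's connection cannot.
DENY SELECT, INSERT, UPDATE, DELETE, ALTER ON SCHEMA::dbo TO web_app;

-- Grant only the procedures the site actually calls (the site uses procedures only).
GRANT EXECUTE ON OBJECT::dbo.GetArticle TO web_app;
GRANT EXECUTE ON OBJECT::dbo.SaveComment TO web_app;

-- Check the effective rights as the web user before changing the connection string:
-- the first query lists what web_app can do to the table, the second what it can do
-- to the procedure. Denied permissions are not listed by fn_my_permissions.
EXECUTE AS USER = 'web_app';
SELECT permission_name FROM fn_my_permissions('dbo.Articles', 'OBJECT');
SELECT permission_name FROM fn_my_permissions('dbo.GetArticle', 'OBJECT');
REVERT;
```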

Another approach would be to use a low-level Windows user, but it didn't work for me; the connection was refused with this message:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. If anyone knows more about that, let me know.

So far it has worked well for me and I encourage everyone to do the same. Now I wish that in the future Microsoft would release a version of SQL Server with all the dangerous things disabled by default.

After all, they did that with Windows Server 2008, and it has been an enormous relief to manage a server where you know that everything you don't need is locked down.

Finally, even if I have some good knowledge of SQL Server, I wish they could make the security settings a tad easier to manage and understand. I like the granularity approach, but it's a little bit complicated for some basic stuff (try to understand the difference between Grant and With Grant!).

UPDATE: As one reader points out, you need to check or add some attributes in your config files, such as forcing cookies into HttpOnly mode.

Check Liam's post for the details and more security locks.

Read more:

- REVOKE command http://msdn.microsoft.com/en-us/library/ms187719(SQL.90).aspx

- Protect from SQL injection http://msdn.microsoft.com/en-us/library/ms998271.aspx

- Vulnerability in Internet Explorer Could Allow Remote Code Execution, by Roger Halbheer http://blogs.technet.com/rhalbheer/archive/2008/12/13/vulnerability-in-internet-explorer-could-allow-remote-code-execution.aspx

Hundreds of websites under attack and Microsoft are you doing something?

Following my last post on the subject of SQL injection, this story is far from finished. First, thanks to all your comments; I really applied most of the advice, like checking against query string vulnerabilities, XSS, etc.

I don't use dynamic SQL queries, only stored procedures. I'm not saying it's perfect, but all the basics are covered.

But the attacks are still going on. I know which server it's coming from, but I still don't know how they do it. However, I raise the alarm again today because of a few things I discovered:

- The number of sites attacked is growing by the minute: searching Google for jpdog.3322 found 11000 results yesterday, and 27000 this morning!!
- All the attacked pages are .ASP or .ASPX, not a single HTML or PHP file.
- I changed the database username and password many times, and of course the same in my connection strings, and the attacks continue.
It looks like the nasty code is able to read the web.config file, which is a very serious security flaw if that is the case.

So far the only way I have found to block the database access was to create a user with all database permissions denied except SELECT. I can see in my SQL logs the constant "Login failed for the user xxx..." (one try every two minutes).

I urgently request an answer from Microsoft on the matter, because I no longer think this is just a simple SQL injection attack, but something more dangerous.

Warning, new nasty worm on the loose, be very careful
Hi folks 

Raise the alarm: it seems a nasty new worm is on the loose. Sadly it's too late for me; my SQL database has been infected twice in the past ten days, and even though I have some backups I lost some data :-(

I identified the culprit as Jpdog.3322 and it comes as JavaScript code. Now it's a really serious thing: last week when I googled it, I had 6 pages of results; today there are more than 11000 results and growing strongly. If you search for it, you will see that nobody has so far really offered a remedy to eradicate this stuff. Most of the results I can find are lots and lots of affected websites. I have no clue how to escalate the issue to Microsoft. I tried Symantec and Avast but so far no reply. Our databases were damaged: the worm modified the content of most of the text fields, making the data totally useless. I first thought of a flaw in IE, but for this project my users are required to use Firefox only. I then thought about SQL injection, but this is quite unlikely given the way the data is managed. The SQL Server 2005 software runs on Windows Server 2008.

The origin of this is not clear, but it all seems to trace back to China.
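As an added example (not code from the post), here is a read-only T-SQL audit that finds which character columns in the current database now contain a <script> tag, the symptom described above: it builds one count per text column from INFORMATION_SCHEMA.COLUMNS and runs them in a single batch. It assumes SQL Server 2005 or later and a login that can read every table; the search pattern is constructed and can be narrowed to the host you see in your own data.

```sql
-- Added example, not the post's code. Read-only audit: report every character column
-- in the current database whose content carries a <script> tag, with the number of
-- rows hit. Assumes SQL Server 2005+ and rights to read all tables.
SET NOCOUNT ON;
DECLARE @pattern nvarchar(200);
SET @pattern = N'%<script%';   -- constructed pattern; narrow to a specific host if known

IF OBJECT_ID('tempdb..#hits') IS NOT NULL DROP TABLE #hits;
CREATE TABLE #hits (schema_name sysname, table_name sysname, column_name sysname, rows_hit int);

DECLARE @sql nvarchar(max);
SET @sql = N'';
-- One INSERT ... SELECT COUNT(*) per text-like column. QUOTENAME builds both the
-- string literals and the bracketed identifiers, so odd object names stay safe.
SELECT @sql = @sql + N'INSERT #hits SELECT '
    + QUOTENAME(TABLE_SCHEMA, N'''') + N', '
    + QUOTENAME(TABLE_NAME, N'''') + N', '
    + QUOTENAME(COLUMN_NAME, N'''') + N', COUNT(*) FROM '
    + QUOTENAME(TABLE_SCHEMA) + N'.' + QUOTENAME(TABLE_NAME)
    + N' WHERE ' + QUOTENAME(COLUMN_NAME) + N' LIKE @p;' + CHAR(10)
FROM INFORMATION_SCHEMA.COLUMNS
WHERE DATA_TYPE IN ('char', 'nchar', 'varchar', 'nvarchar', 'text', 'ntext');

-- The pattern travels as a parameter, so it is never spliced into the generated SQL.
EXEC sp_executesql @sql, N'@p nvarchar(200)', @p = @pattern;

-- Columns with at least one hit, worst first; these are the ones to restore from backup.
SELECT schema_name, table_name, column_name, rows_hit
FROM #hits
WHERE rows_hit > 0
ORDER BY rows_hit DESC;
```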

 

Thanks for the help if you have any clue. I will surely secure my database further; I'm not sure if I can get rid of the sa login at all? My users are logged in under another account anyway, but be very careful.

It looks innocent at first, but it could make your data totally obsolete or, even worse, spread around without your knowledge. Great, now I am stuck with a big issue just before Christmas, not cool :-(

UPDATE: I am now using the URLScan filter from Microsoft, which in my opinion should be part of the default IIS.

Check here for this tool.

Modifying the HTTP Response Using Filters

When a browser requests an ASP.NET page from a web server, the ASP.NET engine takes that request through a number of steps that, together, generate the resulting markup, which is returned to the requesting browser for display. The stages in this process are referred to as the HTTP Pipeline and perform tasks like authentication, authorization, and having the requested page render its content. During one of the later stages in the HTTP Pipeline the rendered markup is handed off to a response filter which, if supplied, has an opportunity to inspect and modify the markup before it is returned to the requesting browser.

With a little bit of code you can create your own response filters and associate them with a particular page, a particular type of page (such as ASP.NET resources that generate HTML), or for all ASP.NET resources. And if you are using IIS 7's integrated mode you can have your filter work with the output of any content type. This article provides an overview of response filters and shows two such filters: a naive filter that strips out whitespace to reduce the size of the markup sent over the wire, and a filter that adds a copyright message to the bottom of all web pages. You can download these two filters, along with a simple demo application, at the end of this article, with examples in both C# and Visual Basic.

Read more
Evolutility lightweight framework for heavy lifting

Evolutility is a generic web UI for database applications. With it you can build CRUD (Create, Read, Update, Delete) web applications simply by providing the metadata describing your application UI and database mapping. No hand-coding is required.

Read more...

 

The .Net Coffee Break show 10 - Parallel programming with Stephen Toub - 11th December

 Join our next webcast! 11th December 2008

Developers.ie invites all our members to attend our regular webcast.
 
Our next speaker is Stephen Toub, Senior Program Manager on the Parallel Computing Platform team at Microsoft

Parallel programming with .NET

Summary:

With the Microsoft .NET Framework today, correctly introducing parallelism into libraries and applications is difficult, time-consuming, and error-prone. However, as the hardware industry shifts towards multi-core and many-core processors, the key to high-performance applications is parallelism. The .NET Framework 4.0 offers solutions to help make writing parallel applications significantly easier. In this webcast, we explore Parallel LINQ-to-Objects (PLINQ), the Task Parallel Library (TPL), and new coordination data structures in order to provide a look at the next generation of parallel programming with .NET.

This will be broadcast live on Wednesday 11th of December 16:00 GMT (Irish time!) 

 

All the connection details to the show will be sent to you a few days prior to the start of the webcast.

This event is free but you need to visit our Webcasts section to register!

The .Net Coffee Break Show 9 - Josh Holmes - Leveraging IronRuby in Silverlight

 Join our next webcast! 3rd of December 2008

Developers.ie invites all our members to attend our regular webcast.
 
Our next speaker is Josh Holmes, Microsoft Architect Evangelist.

Leveraging IronRuby in Silverlight

Josh Holmes
Summary:

Join Josh Holmes as he talks about his two favorite technologies – IronRuby and Silverlight.

A perfect joining of two great technologies – IronRuby brings the dynamic abilities to your code that XAML gives your UI.

From animations to logic to simple HTML DOM manipulation - it's all possible and a lot of fun.

This will be broadcast live on Wednesday 3rd of December at 16:00 (Irish time!)

All the connection details to the show will be sent to you a few days prior to the start of the webcast.

This event is free but you need to visit our Webcasts page on Developers.ie to register!

 

For your screenshots...FireShot

FireShot - screen shot.

FireShot is an in-browser tool for Firefox and Internet Explorer that allows you to take screenshots and then annotate, edit, organize and export them. Screen-grabbing is a common activity for Web developers to document previews of Web application prototypes and share them with clients, and FireShot gives you a feature-packed in-browser option to manage and streamline your screenshot needs.

 

How a screen reader sees your page: use Fangs

Fangs is an in-browser tool for Firefox that emulates what a screen reader “sees” when visiting a Web page. Its function is simple: to output a transcript of what a screen reader will read out to a user when a Web page is visited. It’s a helpful tool for quickly analyzing if you’ve structured your content effectively so that it’s understandable and usable by vision-impaired individuals, without forcing you to learn to use (and purchase) a screen-reader application such as JAWS or Windows Eyes.

Fangs - screen shot.

YSlow

YSlow - screen shot.

YSlow is a Firefox extension created by Yahoo! developers that integrates with Firebug (therefore you need to have Firebug enabled for it to work). YSlow analyzes a Web page for front-end performance and, in its simplest usage, gives you a letter grade (A being the best and F being the poorest) for each of the best practices for speeding up your website.

YSlow also allows you to inspect in detail things that are essential for a high-performance website. For example, the Stats view gives you the total size of a Web page and a summary of items that are loaded when the Web page is requested (i.e. style sheets, JavaScript files, Flash objects and images), so that you can hunt down the bottlenecks that cause a Web page to load slowly.

The Components view outlines every single component of a Web page in tabular format and allows you to inspect it to see attributes such as size, expiration date (for cached files), whether it uses server-side compression (Gzip) and response time (how long the component took to load).

 

Posted: Dec 01 2008, 01:32 PM by help.net | with no comments