Hello,
We're running a hosted CMS system based on ASP and SQL Server 2005. Now we've encountered a typical SQL injection attack, where the "hacker" tries to execute an SQL query in the query string or through forms.
The query selects * from sysobjects and syscolumns and then iterates through all tables and adds a URL to all fields. We're in the unfortunate situation that we do not have a systems administrator or engineer on location and we need this fixed by today or Sunday at the latest. We of course have access to the database, but we're novices in everything related to roles, permissions, users, schemas etc.
Revising the code is not an option at this time, as the codebase is huge. We've come to the conclusion that this particular attack can be eliminated by removing the web user's permission to select from the sysobjects and syscolumns tables, but we do not know how to actually do it.
What we are looking for is therefore a step-by-step guide on how to remove those permissions. We're running on Windows Server 2003 and, as mentioned, SQL Server 2005.
Hope someone can help. If you need more info, please feel free to comment.
Thanks in advance.
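The permission change asked about above, as an added T-SQL example that is not part of the original post. The database name `CmsDb` and the database user `webuser` are assumptions; substitute the database and the account the ASP application actually connects with.

```sql
-- Added example. CmsDb and webuser are assumed names, not taken from the post.
-- Run as an administrator in SQL Server Management Studio (SQL Server 2005).
USE CmsDb;
GO

-- 1. Check which roles the web account is in. DENY is not checked for
--    members of the sysadmin server role or for the dbo user, so if the
--    application connects as sa or as the database owner, step 2 has no effect.
SELECT u.name AS db_user, r.name AS role_name
FROM sys.database_principals AS u
LEFT JOIN sys.database_role_members AS m
       ON m.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = m.role_principal_id
WHERE u.name = N'webuser';
GO

-- 2. Deny SELECT on the two system views named in the post.
--    An explicit DENY overrides any GRANT inherited through roles or public.
DENY SELECT ON sys.sysobjects TO webuser;
DENY SELECT ON sys.syscolumns TO webuser;
GO

-- 3. Verify by impersonating the web account.
--    HAS_PERMS_BY_NAME returns 1 if SELECT is still allowed, 0 if it is denied.
EXECUTE AS USER = N'webuser';
SELECT HAS_PERMS_BY_NAME('sys.sysobjects', 'OBJECT', 'SELECT') AS can_read_sysobjects,
       HAS_PERMS_BY_NAME('sys.syscolumns', 'OBJECT', 'SELECT') AS can_read_syscolumns;
REVERT;
GO

-- 4. Rollback, in case the CMS itself turns out to query these views:
-- REVOKE SELECT ON sys.sysobjects FROM webuser;
-- REVOKE SELECT ON sys.syscolumns FROM webuser;
```

Both columns in step 3 should return 0. This stops the table and column enumeration described in the post; the injectable ASP pages still accept SQL, so the account's write permissions on the CMS tables and the input handling remain to be reviewed.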