SQL Injection removal
Dear Experts,
We are using IIS6 and SQL Server 2005 to host our clients websites. One of our websites has been listed by Google with the warning 'This site may harm your computer.'
Having investigated this it would appear that the site is suffering from some kind of SQL Injection attack. I have run the HP Scrawler tool which confirms that three pages are 'confirmed verbose'. Having thereafter looked at these pages I cannot see anything strange in the code. I have tried to find some information with regard to solving this problem but as yet have been unable to find a cure.
We also have SQL server 2008 installed on the server - would it help if I used SQL 2008 to host the database?
Any help would be hugely appreciated.
Regards
Grant
We are using IIS6 and SQL Server 2005 to host our clients websites. One of our websites has been listed by Google with the warning 'This site may harm your computer.'
Having investigated this it would appear that the site is suffering from some kind of SQL Injection attack. I have run the HP Scrawler tool which confirms that three pages are 'confirmed verbose'. Having thereafter looked at these pages I cannot see anything strange in the code. I have tried to find some information with regard to solving this problem but as yet have been unable to find a cure.
We also have SQL server 2008 installed on the server - would it help if I used SQL 2008 to host the database?
Any help would be hugely appreciated.
Regards
Grant
CCongdon is exactly correct. The problem comes in when a user tries to add SQL commands to the fields in your pages like
;select * from syslogins;
if your fields are not checked and the user has permissions then the user could get all the information requested or execute commands as desired. This is a very simplified example.
;select * from syslogins;
if your fields are not checked and the user has permissions then the user could get all the information requested or execute commands as desired. This is a very simplified example.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
We had that happen. Here's part of what's wrong. Say you're running an e-commerce site, right? And when you go to a product page, you'll do something like a URL that says http://www.whatever.com/pr
And that's fine...unless you allow dbo (Database owner) rights to your DB through the user name.
I had this happen to a client recently (I didn't make the site myself). Here's what I did to correct the problem:
1) I wrote an ASP script that sanatized my db
2) I made two SQL login accounts. One that had DBReader rights, and the other was DBWriter. The one with DBR is for showing stuff, and DBW is for putting stuff in.
3) Sanatize your Request variables before using them! For instance, if your product id is numeric field, the check to see if the Request.QueryString in the above example can be parsed as a number! If not, then drop it. Strip odd characters (such as quote, double quote, and semi-colons) from your data before mating it to a SQL statement. Better yet, use a parameterized query or stored procedure to recall your data from the DB.