Mass SQL Injection Attack Hits Sites Running IIS

Trailrunner7 writes "There's a large-scale attack underway that is targeting Web servers running Microsoft's IIS software, injecting the sites with a specific malicious script. The attack has compromised tens of thousands of sites already, experts say, and there's no clear indication of who's behind the campaign right now. The attack, which researchers first noticed earlier this week, already has affected a few high-profile sites, including those belonging to The Wall Street Journal and The Jerusalem Post. Some analyses of the IIS attack suggest that it is directed at a third-party ad management script found on these sites."

Re:Wrong tag

[Michael+Kristopeit]

it is due to sql... if the databases and website frameworks forced a different query language that forced variable parametrization, there wouldn't be any injection risk.

Re:Wrong tag

[endikos]

Not saying it is a problem with SQL. Some SQL statements are being injected into a script, which is then happily executing them. The problem is with the script, but SQL is being injected into it... which is why its known as SQL injection. The term does not imply that the root of the problem is with SQL itself. It's a variant of Code Injection, but with SQL instead...

Re:Wrong tag

[BitterOak]

it is due to sql... if the databases and website frameworks forced a different query language that forced variable parametrization, there wouldn't be any injection risk.

Mod parent up. According to the GP "it is wrong to picture this as a lack or shortcoming of sql. sql is doing what query it is given to it. nothing else." That's precisely the problem! Most security vulnerabilities are the result of software doing exactly what it is told to do!

So... it is really due to CPU's? Re:Wrong tag

[Fubari]

it is due to sql...

Huh? It happened because they use sql?
Following that line of thought,
isn't it really due to the use
of CPU's in those servers?

Re:So... it is really due to CPU's? Re:Wrong tag

[DaTroof]

How about we try an analogy that's a little closer to the original topic? Let's say the exploit injected system commands instead of SQL commands. The fault wouldn't lie with the operating system, even though that's what was ultimately compromised. It would lie with the script that failed to sanitize input properly.

Same thing with SQL. The problem isn't the query language itself. The problem is how the script executes queries.

Re:Poor programing practices, NOT IIS or SQL at fa

[Galestar]

Here's a more accurate version: Anyone writing code that doesn't sanitize input needs to find a new line of work.

Fixed that for you

Re:If it is platform independent

[Dragonslicer]

SQL injection is completely independent of web server, programming language, and database system. An idiot can write vulnerable code in any language, using any database system, and run it on any web server. My guess about why this is only targeting IIS is that the attack is against some specific ASP.NET code, so the vulnerability isn't in IIS, but the vulnerable code only runs on IIS.

Re:holy shit.

[omni123]

Perhaps someone should describe variable parametrization to you? A language that implemented it would take a variable in place of the 'userid' statement from the DELETE FROM users WHERE userid = userid; this variable would not allow any escape characters to be a part of it and therefore destroy injection possibilities.

When was the last time C had injection (buffer overflows are another story!)? It doesn't. Because if you have void func(int arg) you can't call func(1; exit(1)). This is a fundamental flaw in SQL and technologies that use ORM (i.e. a variable parametrization layer on top) do not regularly deal with issues like this.