#1 |
|
Lonewolf Internet Sales
|
Mornin' y'all,
Not sure WTF I'm doing up this early. Woke up needing to visit the little webmasters room, then couldn't get back to sleep. One of my few remaining mainstream clients suffered an SQL injection hack into their content management database within the last few days. I spent most of yesterday afternoon/evening removing the injected JavaScript snippet. Today's task is locating the security hole that allowed the hack and closing it. is on, help yourself...
#2 |
|
Where there's a will, I want to be in it.
|
Kind of off the "good morning" topic, but I'd be really interested to know how that works out, Toby. I've got some SQL databases running on some of our mainstream stuff so I'm always looking out for that kind of stuff.
#3 | |
|
Lonewolf Internet Sales
|
In this case it was on a Windoze box running ASP code on a huge site initially created by someone else 6 or 7 years ago. Any page that pulls dynamic content based on URL parameters is susceptible IF those parameters aren't properly validated before being used to query the database. The solution in this case was relatively simple. Since the parameter is the index number for the specific page (ex: detail.asp?ID=69), all that has to be done is to convert the parameter value to a long integer before using it in the query string. The ASP function CLng does the job.
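
An added example, not code from the thread or from the site being discussed: a classic ASP sketch of the CLng fix described in the post above, extended with a digits-only check and a bound ADO parameter so the ID never becomes part of the SQL text. The helper `TryParseId`, the `Pages` table with its `PageID`, `Title` and `Body` columns, and the `Application("ConnString")` setting are assumptions made for illustration.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit

' ADO constants (same values as adovbs.inc), declared here so the page is self-contained.
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

' Hypothetical helper: returns True and sets result only for a plain run of 1-9 digits.
' CLng on its own also accepts "69.5" (rounded), "1e3" and "&H45", and raises a
' runtime error on non-numeric text, so the shape of the value is checked first.
Function TryParseId(ByVal raw, ByRef result)
    Dim re
    TryParseId = False
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    If re.Test(raw) Then
        result = CLng(raw)          ' at most 999999999, which fits in a Long
        TryParseId = True
    End If
End Function

Dim pageId, conn, cmd, rs
If Not TryParseId(Request.QueryString("ID") & "", pageId) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")     ' assumed location of the connection string

' The ID is bound as a typed parameter instead of being concatenated into the query.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT Title, Body FROM Pages WHERE PageID = ?"   ' assumed schema
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , pageId)
Set rs = cmd.Execute

If rs.EOF Then
    Response.Status = "404 Not Found"
Else
    Response.Write Server.HTMLEncode(rs("Title").Value & "")
End If
rs.Close
conn.Close
%>
```

The integer conversion only covers numeric parameters; string parameters on other pages need the same bound-parameter treatment with the matching ADO type.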