July 1, 2008 at 8:20 am
Hello all,
We have come under attack from a SQL injection, cursoring through sysobjects and syscolumns to locate, and run updates against, various tables in the database that sits behind our website.
Surely by explicitly denying SELECT access on sysobjects and syscolumns to the login running the website, the hack cannot work? Has anybody had any experience of this approach? (Obviously we'd be assuming that the website's SQL code doesn't need access to these tables.)
Any advice gratefully received.
Thanks
James
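Added example, not from the thread: the attack described above only works because a query somewhere in the site is built by concatenating user input into SQL text. The T-SQL below shows that pattern beside the parameterised form that closes the hole regardless of what the login can see in the catalog, plus a quick triage query for finding other dynamic-SQL procedures. Database, table, column and procedure names are hypothetical.

```sql
-- Hypothetical schema used for the illustration.
CREATE TABLE dbo.Products (ProductId INT PRIMARY KEY, Name NVARCHAR(100), Category NVARCHAR(100));
GO

-- VULNERABLE pattern: @Category comes straight from a web form and is pasted
-- into the statement text, so a value containing a quote changes the statement.
CREATE PROCEDURE dbo.usp_ProductsByCategory_Unsafe @Category NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT ProductId, Name FROM dbo.Products WHERE Category = '''
        + @Category + N'''';
    EXEC (@sql);
END
GO

-- HARDENED: the same lookup as a static statement. @Category is a value,
-- never part of the statement text, so it cannot inject anything.
CREATE PROCEDURE dbo.usp_ProductsByCategory @Category NVARCHAR(100)
AS
BEGIN
    SELECT ProductId, Name
    FROM dbo.Products
    WHERE Category = @Category;
END
GO

-- HARDENED, when dynamic SQL is genuinely unavoidable (e.g. optional filters):
-- keep the text constant and bind the value with sp_executesql.
CREATE PROCEDURE dbo.usp_ProductsByCategory_Dynamic @Category NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT ProductId, Name FROM dbo.Products WHERE Category = @cat';
    EXEC sp_executesql @sql, N'@cat NVARCHAR(100)', @cat = @Category;
END
GO

-- Triage: list procedures and functions in this database whose body uses
-- EXEC(...) on a string, the usual sign of concatenated dynamic SQL.
-- Each hit is a candidate for review; sp_executesql with parameters is fine.
SELECT OBJECT_SCHEMA_NAME(m.object_id) AS schema_name,
       OBJECT_NAME(m.object_id)        AS object_name
FROM sys.sql_modules AS m
WHERE m.definition LIKE '%EXEC (%'
   OR m.definition LIKE '%EXEC(%'
   OR m.definition LIKE '%EXECUTE (%'
   OR m.definition LIKE '%EXECUTE(%'
ORDER BY schema_name, object_name;
```

The triage query is a string match, so it will also flag procedures that already use dynamic SQL safely; it is a starting list for review, not a verdict.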
July 1, 2008 at 10:29 am
Suggest you read "Trouble Shooting Metadata Visibility"
http://msdn2.microsoft.com/en-us/library/ms190785.aspx
scroll to the bottom of the page and review:
"Metadata Visibility Configuration"
http://msdn.microsoft.com/en-us/library/ms187113.aspx
Plus search this site for many, many articles discussing injection attacks, and how to thwart them.
Also search Microsoft for a new tool recently announced by Microsoft to help analyze your code for areas potentially open to injection attack.
http://support.microsoft.com/kb/954476
Hope this helps.
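Added example, not from the thread or the linked Microsoft pages: the metadata visibility settings the reply points to, applied to the web login's database user, followed by a check that impersonates that user to confirm what it can still enumerate. The database, user and object names are hypothetical; the DENY on the sysobjects/syscolumns compatibility views themselves is included as the original poster's idea and assumes your SQL Server version accepts a DENY on those views.

```sql
USE WebShopDb;   -- hypothetical database behind the website
GO

-- web_app is the hypothetical database user the website connects as.
-- Least privilege first: grant only the objects the site's code needs
-- instead of db_datareader / db_datawriter, so an injected UPDATE against
-- any other table fails on permissions even if the table name is known.
GRANT SELECT  ON dbo.Products      TO web_app;
GRANT EXECUTE ON dbo.usp_PlaceOrder TO web_app;
GO

-- Metadata visibility (SQL Server 2005 and later): catalog views such as
-- sys.objects / sys.columns and the compatibility views sysobjects /
-- syscolumns only return rows for securables the user owns or has a
-- permission on. Denying VIEW DEFINITION at the database level hides the
-- rest, so cursoring through the catalog to find targets no longer works.
DENY VIEW DEFINITION TO web_app;
GO

-- The original poster's approach, in addition: deny SELECT on the
-- compatibility views themselves. Assumption: your version permits a DENY
-- on these system views; if it rejects them, the VIEW DEFINITION deny above
-- already limits what the catalog returns.
DENY SELECT ON sys.sysobjects  TO web_app;
DENY SELECT ON sys.syscolumns  TO web_app;
GO

-- Verification: run as the web user and see what enumeration now yields.
-- Expect only the objects granted above (and their dependencies) to appear,
-- and no UPDATE permission on a table the site was never granted.
EXECUTE AS USER = 'web_app';
SELECT name, type_desc FROM sys.objects ORDER BY name;
SELECT HAS_PERMS_BY_NAME('dbo.Customers', 'OBJECT', 'UPDATE') AS can_update_customers;
SELECT HAS_PERMS_BY_NAME('dbo.Products',  'OBJECT', 'SELECT') AS can_select_products;
REVERT;
GO
```

Note the limit of this control: hiding metadata stops the attacker from discovering table names, but the web user can still read and write whatever it has been granted, by name. Run the check above after every schema change, and treat the grants, not the catalog, as the boundary that matters; the parameterisation fix in the application code is what removes the injection itself.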
July 1, 2008 at 10:49 am
Should work, and there are some new tools from Microsoft to help check for SQL Injection.