block select on sysobjects

  • All,

We were recently the victim of a SQL injection attack on our server. The exploit queried the sysobjects table and then pasted malicious code throughout the varchar/text fields of our database.

    What I want to do, which I appreciate will only deal with this method of SQL injection attack, is to restrict the user we use to query tables to only the relevant database. Being a bit of a novice on the SQL admin front, I'm not sure how to go about this and what the most appropriate role for such a user should be.

    I appreciate your help in advance.

    Bilal

  • Martin Harrison (7/16/2008)


    All,

We were recently the victim of a SQL injection attack on our server. The exploit queried the sysobjects table and then pasted malicious code throughout the varchar/text fields of our database.

    What I want to do, which I appreciate will only deal with this method of SQL injection attack, is to restrict the user we use to query tables to only the relevant database. Being a bit of a novice on the SQL admin front, I'm not sure how to go about this and what the most appropriate role for such a user should be.

    I appreciate your help in advance.

    Bilal

    Ideally, you should remove all user access to the tables and use stored procedures instead. If you do this then the user will not be able to read from sysobjects. Bottom line, if a user has access to a table then they can view that table in sysobjects.

    If that is not possible, then the next best thing is to remove update/delete/insert permissions from all tables. That way, even if they can see the tables they cannot update them.

That said, you really ought to look at using stored procedures exclusively. And you'd also need to use the relevant middle-tier objects properly in order to avoid the injection attack in the first place.
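    The setup Martin describes, written out as an added T-SQL example (not code from the thread); the login, user, database, table and procedure names are placeholders, and it assumes SQL Server 2005 or later with the table and procedure both owned by dbo so that ownership chaining applies:

```sql
-- Added example: least-privilege application login that can only call
-- stored procedures in one database. All names are placeholders.
USE [master];
GO
CREATE LOGIN [app_login]
    WITH PASSWORD = 'replace-with-a-strong-password',  -- placeholder
         DEFAULT_DATABASE = [AppDb];
GO
USE [AppDb];
GO
-- Map the login to a user in this database only; do NOT add it to
-- db_datareader / db_datawriter or any other role.
CREATE USER [app_user] FOR LOGIN [app_login];
GO
-- Make sure no direct table access leaks in (e.g. via grants to public).
REVOKE SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo FROM [app_user];
GO
-- Every data operation goes through a procedure with typed parameters;
-- the middle tier must call it with parameters, never by building SQL text.
CREATE PROCEDURE dbo.usp_GetProductByName
    @Name nvarchar(100)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT ProductId, Name, Price
    FROM dbo.Product
    WHERE Name = @Name;
END
GO
GRANT EXECUTE ON dbo.usp_GetProductByName TO [app_user];
GO
-- Check from the application user's point of view.
EXECUTE AS USER = 'app_user';
-- No direct permissions on the table: returns no rows.
SELECT * FROM sys.fn_my_permissions('dbo.Product', 'OBJECT');
-- Metadata is filtered to objects the user has a permission on,
-- so dbo.Product should not appear here, only the procedure.
SELECT name, xtype FROM sysobjects WHERE xtype IN ('U', 'P');
-- The procedure still works because dbo owns both it and the table.
EXEC dbo.usp_GetProductByName @Name = N'Widget';
REVERT;
```

    If the table and procedure have different owners, ownership chaining does not apply and the procedure call fails with a permission error; fix that by keeping both under dbo rather than by granting SELECT on the table.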
