SQL Injection

ObjectMix.com

#11  06-24-2008, 09:28 AM
Adam
Microsoft Inet server asp, iis, ftp, smtp and security related discussions
Re: SQL Injection

"It's pretty sophisticated, actually. But it's easily protected against by
simply disallowing access to the system tables from the IUSR_xxx and IWAM_xxx
accounts. (Well, and of course by practicing good programming of the ASP
page in the first place. But even with poor ASP code, if you set up the DB
correctly the particular attack fails.)"


I apologize in advance if this is a stupid question, but in SQL Server 2005,
how do you deny access for the IUSR and IWAM accounts?


Thanks,
Adam

"Old Pedant" wrote:

> "Bob Barrows [MVP]" wrote:
> > shank wrote:
> > > 2) I don't see how they could have known the Table name or the column
> > > names. Same question as #1 I guess.
> >
> > Same answer - by causing error messages that poor coding practice allows to
> > be returned to the user.

>
> No, not really. Oh, it's poor coding practice, but the original injection
> (not seen here) is code that goes and reads the system tables and tries to
> discover all user table names and all user VARCHAR, NVARCHAR, TEXT, NTEXT
> field names and *THEN* injects the JavaScript into all those fields.
>
> It's pretty sophisticated, actually. But it's easily protected against by
> simply disallowing access to the system tables from the IUSR_xxx and IWAM_xxx
> accounts. (Well, and of course by practicing good programming of the ASP
> page in the first place. But even with poor ASP code, if you set up the DB
> correctly the particular attack fails.)
>
> If you care, I think I can find a copy of the actual injection attack code
> still lurking, showing how it loops on all the tables and fields.

#12  06-24-2008, 09:41 AM
Dave Anderson
Re: SQL Injection

Adam wrote:
> I apologize in advance if this is a stupid question, but in
> SQL Server 2005, how do you deny access for the IUSR and
> IWAM accounts?


The same way you do any other accounts. But most of us do not use trusted
connections for our web apps, meaning that the login used in your connection
string should have restricted rights.

In our case, we almost always give that login NO RIGHTS, then grant EXECUTE
permissions on a procedure-by-procedure basis.



--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.
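The setup Dave Anderson describes, written out as an added T-SQL example for SQL Server 2005 (this is not code from the thread or from any poster). All names in it are assumed placeholders: the database NewsDb, the login WebAppLogin, the database user WebAppUser, the table dbo.Articles and the procedure dbo.GetArticle. The web application's connection string uses WebAppLogin; the login gets no rights at all in the database, then EXECUTE on one procedure. The verification step at the end also answers Adam's question about the system tables: on SQL Server 2005 the catalog views apply metadata visibility, so a user with no permission on any table sees no tables at all.

```sql
-- Added example (not code from the thread): least-privilege web login.
-- Every name below is an assumed placeholder.
USE master;
GO
CREATE LOGIN WebAppLogin
    WITH PASSWORD = 'REPLACE-WITH-A-STRONG-PASSWORD', CHECK_POLICY = ON;
GO

USE NewsDb;
GO
-- Sample table (constructed for this example) and the one procedure the web
-- application is allowed to call.
CREATE TABLE dbo.Articles (
    ArticleId int IDENTITY(1,1) PRIMARY KEY,
    Title     nvarchar(200) NOT NULL,
    Body      nvarchar(max) NOT NULL
);
INSERT INTO dbo.Articles (Title, Body) VALUES (N'Sample article', N'Sample body');
GO
CREATE PROCEDURE dbo.GetArticle
    @ArticleId int
AS
BEGIN
    SET NOCOUNT ON;
    -- @ArticleId is a typed parameter: whatever the page sends, the statement
    -- text never changes and the value can only ever be an integer.
    SELECT ArticleId, Title, Body
    FROM dbo.Articles
    WHERE ArticleId = @ArticleId;
END
GO

-- Map the login into the database. A user with no role membership (not even
-- db_datareader) and no GRANTs has no rights in the database.
CREATE USER WebAppUser FOR LOGIN WebAppLogin;
GO
-- Grant EXECUTE one procedure at a time. Because dbo owns both the procedure
-- and the table, ownership chaining lets the procedure read dbo.Articles even
-- though WebAppUser has no permission on the table itself.
GRANT EXECUTE ON OBJECT::dbo.GetArticle TO WebAppUser;
GO

-- Verify the effect by impersonating the web user (run this as a sysadmin
-- or db_owner, who holds IMPERSONATE on the user).
EXECUTE AS USER = 'WebAppUser';

-- Metadata visibility: the catalog views only list objects the user has some
-- permission on, so the table-enumeration step described earlier in the
-- thread finds nothing here (only dbo.GetArticle would show in sys.objects).
SELECT name FROM sys.tables;                        -- 0 rows
SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES;   -- 0 rows

-- Direct table access is refused with a "SELECT permission was denied" error.
-- (Left commented so the batch reaches REVERT without an error.)
-- SELECT * FROM dbo.Articles;

-- The granted procedure still works and returns the sample row.
EXEC dbo.GetArticle @ArticleId = 1;

REVERT;
GO
```

If the ASP page uses a trusted connection instead, the Windows accounts Old Pedant names (IUSR_xxx and IWAM_xxx) are the principals to map with CREATE USER and to grant EXECUTE to; the rest is identical. One caveat on the procedure side: ownership chaining does not extend into dynamic SQL, and a procedure that builds its statement by string concatenation simply moves the injection point inside the database, so the granted procedures must themselves keep input in parameters.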


#13  07-02-2008, 04:11 AM
hammad siddiqui
Re: How the injection worked...


I have the solution to this problem...

I work at a news channel. Recently we launched our news website and it was
DAILY ATTACKED by this script. As a result, we used to restore the previous
database backup to avoid this problem. But after research, I have
written a script for every table affected. Now the website is
working smoothly.

I can provide this solution to you as well, but I will charge money for
it. To contact me, my e-mail address is hammad_siddiqui--at--yahoo.com.

*** Sent via Developersdex http://www.developersdex.com ***
#14  07-02-2008, 05:55 AM
Bob Barrows [MVP]
Re: How the injection worked...

hammad siddiqui wrote:
> I have the solution to this problem...
>
> I work at a news channel. Recently we launched our news website and it
> was DAILY ATTACKED by this script. As a result, we used to restore the
> previous database backup to avoid this problem. But after research, I
> have written a script for every table affected. Now the website
> is working smoothly.
>
> I can provide this solution to you as well, but I will charge money
> for it. To contact me, my e-mail address is hammad_siddiqui--at--yahoo.com.

LOLOLOLOLOL
ROFL

There are freely available scripts in several places. I hope nobody finances
this leech.

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"


#15  07-02-2008, 01:38 PM
Mike Brind [MVP]
Re: How the injection worked...


"hammad siddiqui" <hammad_siddiqui--at--yahoo.com> wrote in message
news:%23serZOC3IHA.1420--at--TK2MSFTNGP06.phx.gbl...
>
> I have the solution to this problem...
>
> I work at a news channel. Recently we launched our news website and it was
> DAILY ATTACKED by this script. As a result, we used to restore the previous
> database backup to avoid this problem. But after research, I have
> written a script for every table affected. Now the website is
> working smoothly.
>
> I can provide this solution to you as well, but I will charge money for
> it. To contact me, my e-mail address is rip_off_merchant--at--yahoo.com.


If I launched a web site that was attacked like this, I would expect to be
fired or sued - not charge people money for fixing my mistakes.

--
Mike Brind
Microsoft MVP - ASP/ASP.NET


#16  07-05-2008, 03:51 AM
subrata roy
Re: SQL Injection


It is one type of virus. Use a trigger and check the inserted data. Use this
code:

    CREATE TRIGGER [Check_Code]
    ON [EPI_TenderDetails]
    AFTER INSERT, UPDATE
    AS
    BEGIN
        -- SET NOCOUNT ON added to prevent extra result sets from
        -- interfering with SELECT statements.
        SET NOCOUNT ON;

        -- Test every affected row: a multi-row INSERT or UPDATE puts several
        -- rows in the inserted pseudo-table, so assigning one TenderNo to a
        -- variable would check only one of them.
        IF EXISTS (SELECT 1 FROM inserted
                   WHERE TenderNo LIKE '%<script%' OR TenderNo LIKE '%script>%')
        BEGIN
            -- Undo the statement; the caller receives an error because the
            -- transaction ended inside the trigger.
            ROLLBACK TRANSACTION;
        END
    END

#17  07-05-2008, 11:19 AM
Dave Anderson
Re: SQL Injection

"subrata roy" wrote:
> ...if exists (select * from inserted)
> select @Bus=TenderNo from inserted
> if @bus like '%<script%' or @bus like '%script>%'
> rollback
> -- Insert statements for trigger here ...


This does not address the core problem. Reaching your trigger implies that
injection has occurred. There is no guarantee that the next attack will use
SCRIPT tags.

For that matter, this nonsense forbids potential legitimate cases for
inserting SCRIPT tags. Imagine if a SQL injection forum kept rejecting your
post because you described the thing it was "protecting itself" against.

Bah.



--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.
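Dave Anderson's objection is that the trigger inspects the payload after the injection has already succeeded, and that the next payload need not contain a SCRIPT tag at all. The added T-SQL example below (not code from the thread or from any poster) shows the control that works regardless of payload: keeping user input out of the statement text. It places a procedure that splices a search term into dynamic SQL beside one that passes the same term through sp_executesql as a typed parameter. The table dbo.Headlines, the two procedures and the rows inserted are constructed placeholders for this example.

```sql
-- Added example (not code from the thread): a content filter in a trigger
-- is the wrong layer; parameters stop injection whatever the payload is.
-- All names and rows are constructed for this example.
USE NewsDb;
GO
CREATE TABLE dbo.Headlines (
    HeadlineId int IDENTITY(1,1) PRIMARY KEY,
    Title      nvarchar(200) NOT NULL,
    Published  bit NOT NULL
);
INSERT INTO dbo.Headlines (Title, Published) VALUES (N'Budget approved', 1);
INSERT INTO dbo.Headlines (Title, Published) VALUES (N'Draft: election plan', 0);
GO

-- Unsafe: the search term becomes part of the statement text, so a term that
-- contains a quote character rewrites the query itself.
CREATE PROCEDURE dbo.SearchHeadlines_Unsafe @Term nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT HeadlineId, Title FROM dbo.Headlines '
             + N'WHERE Published = 1 AND Title LIKE ''%' + @Term + N'%''';
    EXEC (@sql);
END
GO

-- Safe: the statement text is a constant; the term travels as a typed
-- parameter and is only ever compared as data.
CREATE PROCEDURE dbo.SearchHeadlines @Term nvarchar(100)
AS
BEGIN
    EXEC sp_executesql
        N'SELECT HeadlineId, Title FROM dbo.Headlines
          WHERE Published = 1 AND Title LIKE ''%'' + @Term + ''%''',
        N'@Term nvarchar(100)',
        @Term = @Term;
END
GO

-- The same input to both procedures. It contains no <script tag, so the
-- trigger posted above would never react to it.
DECLARE @crafted nvarchar(100);
SET @crafted = N''' OR 1=1 --';

EXEC dbo.SearchHeadlines_Unsafe @Term = @crafted;
-- Returns both rows, including the unpublished draft: the WHERE clause became
--   WHERE Published = 1 AND Title LIKE '%' OR 1=1 --%'
-- and AND binds tighter than OR, so every row qualifies.

EXEC dbo.SearchHeadlines @Term = @crafted;
-- Returns 0 rows: it searched for titles that literally contain ' OR 1=1 --
-- and the Published = 1 condition was never disturbed.
GO
```

The same principle applies on the ASP side: an ADODB.Command with parameters keeps the page's input out of the SQL text in exactly the way sp_executesql does here. Note that LIKE wildcards (% and _) in the term still act as wildcards in the safe version; that is a search-behaviour question, not an injection one, and is handled by escaping them with ESCAPE if it matters.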
