Subject: SQL Injection Issue
Sue Boothby, 10/14/2008 10:08 AM

We had a SQL Injection attack on our website over the weekend. Several of our tables had HTML code in all the rows of some fields (looks like varchar fields) with a script tag reference to a file on an external site that would have loaded into the resulting HTML code if it had ever been incorporated into a page.

Fortunately, or not, one of those tables was the Users table and the site was disabled due to a string conversion error and we don't believe any pages were actually built with the malicious code.

Have you ever heard of this before? Do your modules protect against SQL injection attacks?

We're trying to prevent this from happening in the future and are asking all our module vendors this question.

Thanks.

Steve Topilnycky, 10/14/2008 11:14 AM

Sue,

I have been hit continuously with SQL Injection Attack attempts. When I first discovered it I contacted Scott and he was a tremendous help.

Here is some more detail on what that attack is trying to do:

http://ppshein.wordpress.com/tag/dos/

There is an article on SQL injection with DNN here:

http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryID/1930/Default.aspx

In my case I was not compromised; however, with each attack it was throwing exceptions. The continuous attacks caused a DoS situation.

I have since installed URLScan from Microsoft. Since I installed URLScan on Sept 20th, I have had 4,271 attempts as of this writing.

I decoded the encrypted URL and saw the complete code. They are attempting to insert some JS code from an external site, so when the page loads the code would fire. I attempted to manually download the code to see what they were trying to do, but it got flagged by my AntiVirus as a Trojan. That was enough for me. I did check my tables and it appears that they were unsuccessful in their attempts.

--
Regards,
Steve Topilnycky
Top Cat Computing | Marine Corps League - Westchester County Detachment | ArGoStuff | Young Marines of Westchester
Scott McCulloch, 10/15/2008 4:38 AM
SQL injection is primarily caused by older scripts that picked parameters out of a URL and directly inserted them in queries formed in code.

DNN encourages stored procedures and each parameter is controlled by type, vastly reducing the impact of a SQL injection attack.

I've done some work previously in exposing SQL injection, so I'm confident that the modules here do not suffer from it.

Scott McCulloch
Site Administrator
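As an added illustration of the two patterns Scott contrasts (not code from DotNetNuke or from anyone in this thread), the Python/sqlite3 example below runs an update first with the parameter pasted into the SQL text and then with typed, bound parameters. The table, column names and the sample input are constructed for the example; the input contains a single quote and an off-site script tag, the kind of content Sue found in her varchar columns.

```python
import sqlite3

# Constructed stand-in for a module table with varchar-like columns.
SCHEMA = """
CREATE TABLE Users (UserID INTEGER PRIMARY KEY, DisplayName TEXT, Bio TEXT);
INSERT INTO Users VALUES (1, 'alice', 'hello'), (2, 'bob', 'hi');
"""

# Constructed input: a quote (which breaks concatenated SQL) plus a script tag
# pointing at an external host (example.invalid is a placeholder).
HOSTILE_BIO = "O'Brien <script src=\"http://example.invalid/x.js\"></script>"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def update_bio_concatenated(conn, user_id, bio):
    """The pattern Scott describes: a URL parameter pasted straight into SQL.
    Any quote in `bio` alters the statement; here it raises a syntax error,
    which is the exception-per-request behaviour Steve saw turn into a DoS."""
    sql = "UPDATE Users SET Bio = '" + bio + "' WHERE UserID = " + str(user_id)
    conn.execute(sql)
    conn.commit()


def update_bio_parameterized(conn, user_id, bio):
    """The mitigated pattern: each parameter is type-checked and bound, so the
    driver sends `bio` as data and quotes or tags are stored literally."""
    user_id = int(user_id)  # non-integer IDs are rejected before any SQL runs
    conn.execute("UPDATE Users SET Bio = ? WHERE UserID = ?", (bio, user_id))
    conn.commit()


def get_bio(conn, user_id):
    row = conn.execute("SELECT Bio FROM Users WHERE UserID = ?", (int(user_id),)).fetchone()
    return row[0] if row else None


def demo():
    """Run both patterns on the hostile input and report what happened."""
    results, conn = {}, fresh_db()
    try:
        update_bio_concatenated(conn, 1, HOSTILE_BIO)
        results["concatenated"] = "statement ran"
    except sqlite3.OperationalError as exc:
        results["concatenated"] = "error: " + str(exc)
    update_bio_parameterized(conn, 1, HOSTILE_BIO)
    results["parameterized"] = get_bio(conn, 1)  # stored as plain text
    try:
        update_bio_parameterized(conn, "1 OR 1=1", "x")
        results["typed_id"] = "accepted"
    except ValueError:
        results["typed_id"] = "rejected"
    return results
```

The stored value in the parameterized case still needs HTML encoding when rendered; bound parameters stop the SQL from being altered, not the browser from executing a tag that was legitimately saved.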
Sue Boothby, 10/15/2008 11:46 AM
Thank you, Scott & Steve, for your replies.