Proventia Server IPS for Linux technology, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Desktop, Proventia Network IPS, BlackICE Server Protection, Proventia Server IPS for Microsoft Windows technology, BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network:
This signature heuristically detects an SQL injection attempt by weighing various DDL, DML, operators, functions, keywords and symbols of the SQL programming language.
Proventia Server IPS for Linux technology, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Desktop, Proventia Network IPS, BlackICE Server Protection, Proventia Server IPS for Microsoft Windows technology, BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network: This event may not necessarily indicate an attack.
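A minimal sketch of the weighted-token scoring described above, added here as an example and not the vendor's signature logic. The token patterns, weights, hit cap, threshold and sample values are all assumptions constructed for illustration. The last sample is benign text that still crosses the threshold, which is why the event may not indicate an attack.

```python
import re
from urllib.parse import unquote_plus

# Assumed weights per token class; the page names the classes, not the values.
WEIGHTS = {
    "ddl": (4, r"\b(?:create|alter|drop|truncate)\s+(?:table|database|index|view)\b"),
    "dml": (3, r"\b(?:select\b.+?\bfrom|insert\s+into|update\b.+?\bset|delete\s+from)\b"),
    "keyword": (2, r"\b(?:union|where|having|order\s+by|group\s+by|exec)\b"),
    "function": (2, r"\b(?:char|concat|cast|convert|substring|ascii)\s*\("),
    "operator": (2, r"\b(?:or|and)\b\s+\S+\s*(?:=|<|>|\blike\b)"),
    "symbol": (1, r"--|/\*|;|'"),
}
MAX_HITS = 2   # assumed cap so one repeated token cannot dominate the score
THRESHOLD = 5  # assumed alert threshold


def score(raw):
    """Return (total, per-class contribution) for one request parameter value."""
    # Decode URL encoding, collapse whitespace and lowercase before matching.
    text = re.sub(r"\s+", " ", unquote_plus(raw)).lower()
    hits = {}
    for name, (weight, pattern) in WEIGHTS.items():
        n = min(len(re.findall(pattern, text)), MAX_HITS)
        if n:
            hits[name] = n * weight
    return sum(hits.values()), hits


def is_suspicious(raw):
    return score(raw)[0] >= THRESHOLD


# Constructed sample parameter values (not taken from real traffic).
SAMPLES = [
    "blue+widgets",                             # ordinary search term
    "O%27Brien",                                # legitimate name with apostrophe
    "1+union+select+name,+pass+from+users--",   # injection-shaped value
    # Benign forum text about SQL: a false positive for this heuristic.
    "How do I select rows from a table where the name is O'Brien; order by date?",
]

if __name__ == "__main__":
    for value in SAMPLES:
        total, hits = score(value)
        flag = "ALERT" if total >= THRESHOLD else "ok"
        print(f"{flag:5} score={total:2} {hits} {value!r}")
```
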
High
Proventia Server IPS for Linux technology: 27.040, Proventia-G 1.1 and earlier: XPU 27.040, Proventia Network MFS: XPU 27.040, Proventia Desktop: 2050, Proventia Network IPS: XPU 27.040, BlackICE Server Protection: 3.6.cqk, Proventia Server IPS for Microsoft Windows technology: 1.0.914.2050, BlackICE PC Protection: 3.6cqk, RealSecure Server Sensor: XPU 27.040, RealSecure Network: XPU 27.040
Powie pForum: 1.14, Joseph Engo phpGroupWare: 0.9.12, MySQL MySQL, Microsoft Windows XP, XOOPS XOOPS: RC1.0, AdCycle AdCycle: 1.12 to 1.17, Les VanBrunt AdRotate Pro: 2.0, Compaq Tru64, Microsoft Windows Me, Microsoft Windows 2000, Microsoft Windows 98SE, Microsoft Windows 95, Data General DG/UX, Microsoft Windows NT: 4.0, Microsoft SQL Server, SCO SCO Unix, Microsoft Windows 98, IBM OS2, Sun Solaris, Linux Kernel, WindRiver BSDOS, HP HP-UX, SGI IRIX, IBM AIX, Microsoft Windows 2003 Server, Apple Mac OS X
Suspicious Activity
Multiple products that use data in SQL queries are vulnerable to SQL injection. Attackers can use SQL injection techniques to exploit Web sites and applications that implement SQL queries without first removing potentially harmful characters. Using SQL injection, attackers can create and modify tables, and possibly gain complete control over the database, host computer, and network of trusted computers.
Review every parameter of every script that interacts with a Web site or application. If testing the script yields any form of database error message in any part of the response (including hidden fields and headers), then the application is vulnerable to SQL injection.
These guidelines can help minimize the possibility of SQL injection and mitigate the risk:
SPI Dynamics White Paper
SQL Injection: Are Your Web Applications Vulnerable?
http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf
ISS X-Force
SQL Injection affects multiple database-backed applications
http://www.iss.net/security_center/static/8783.php