SQL Injection affects multiple database-backed applications (SQL_Injection)

About this signature or vulnerability

RealSecure Network, RealSecure Server Sensor, BlackICE PC Protection, BlackICE Server Protection, Proventia Network IDS, Proventia Network MFS, Proventia-G 1.1 and earlier, IBM Security Server Protection for Windows, Proventia Network IPS, Proventia Desktop, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware:

This signature heuristically detects an SQL injection attempt by weighing various DDL, DML, operators, functions, keywords and symbols of the SQL programming language.


False positives

RealSecure Network, RealSecure Server Sensor, BlackICE PC Protection, BlackICE Server Protection, Proventia Network IDS, Proventia Network MFS, Proventia-G 1.1 and earlier, IBM Security Server Protection for Windows, Proventia Network IPS, Proventia Desktop, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware: This event may not necessarily indicate an attack.
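
Added example, not the vendor's signature code: a small weighted-token scorer in the spirit of the heuristic described under "About this signature or vulnerability", showing why such a signature also produces the false positives noted above. The weights, token lists, threshold and sample inputs are all assumptions constructed for illustration; the page does not publish the real ones.

```python
import re
from urllib.parse import unquote_plus

# Assumed weight per token class (the real signature's weights are not on the page).
WEIGHTS = {"ddl": 3, "dml": 2, "keyword": 1, "function": 2, "operator": 1, "symbol": 2}

# Assumed, deliberately short token lists for each class the signature text names.
PATTERNS = {
    "ddl": re.compile(r"\b(create|alter|drop|truncate)\b", re.I),
    "dml": re.compile(r"\b(select|insert|update|delete)\b", re.I),
    "keyword": re.compile(r"\b(union|from|where|into|table|having)\b", re.I),
    "function": re.compile(r"\b(char|concat|cast|convert|substring|count)\s*\(", re.I),
    "operator": re.compile(r"\b(or|and|like)\b|[=<>]", re.I),
    "symbol": re.compile(r"'|--|/\*|;"),
}

THRESHOLD = 6  # assumed score at which an event is raised


def score(value):
    """Return (total, per-class hit counts) for one URL-encoded parameter value."""
    decoded = unquote_plus(value)  # sensors inspect the decoded form
    hits = {name: len(rx.findall(decoded)) for name, rx in PATTERNS.items()}
    total = sum(WEIGHTS[name] * count for name, count in hits.items())
    return total, hits


def classify(value):
    """True when the weighted score reaches the alert threshold."""
    return score(value)[0] >= THRESHOLD


# Constructed sample parameter values, not captured traffic.
SAMPLES = [
    "42",                                                          # plain id
    "O'Brien",                                                     # quote in a name
    "x%27+OR+1%3D1+--",                                            # textbook tautology
    "select rows from table where id = 5 and drop the old ones",   # benign prose
]

if __name__ == "__main__":
    for sample in SAMPLES:
        total, hits = score(sample)
        fired = {k: v for k, v in hits.items() if v}
        print(f"{total:3d} alert={classify(sample)!s:5} {fired} {sample!r}")
```

The last sample is ordinary text about databases, yet it outscores the injection string, which is why an event from this signature needs review in context before it is treated as an attack.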

Default risk level

High

Sensors that have this signature

RealSecure Network: XPU 27.040, RealSecure Server Sensor: XPU 27.040, BlackICE PC Protection: 3.6cqk, BlackICE Server Protection: 3.6.cqk, Proventia Network IDS: XPU 27.040, Proventia Network MFS: XPU 27.040, Proventia-G 1.1 and earlier: XPU 27.040, IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.2050, Proventia Network IPS: XPU 27.040, Proventia Desktop: 2050, Proventia Server IPS for Linux technology: 27.040, Virtual Server Protection for VMware: 1.0

Systems affected

Various vendors: Any application

Type

Suspicious Activity

Vulnerability description

Multiple products that use data in SQL queries are vulnerable to SQL injection. Attackers can use SQL injection techniques to exploit Web sites and applications that implement SQL queries without first removing potentially harmful characters. Using SQL injection, attackers can create and modify tables, and possibly gain complete control over the database, host computer, and network of trusted computers.

How to remove this vulnerability

Review every parameter of every script that interacts with a Web site or application. If testing the script yields any form of database error message in any part of the response (including hidden fields and headers), then the application is vulnerable to SQL injection.

These guidelines can help minimize the possibility of SQL injection and mitigate the risk:

References

SPI Dynamics White Paper
SQL Injection: Are Your Web Applications Vulnerable?
http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf

ISS X-Force
SQL Injection affects multiple database-backed applications
http://www.iss.net/security_center/static/8783.php