
03.07.06


SQL Injections Abound

By John Stith

Danish security firm Secunia reported on Monday several moderately critical SQL injection vulnerabilities in products including Gregarius, Total Ecommerce, the Akarrus Social Bookmarking Engine and others.

SQL injection vulnerabilities live in the application code that builds database queries, not in the database engine itself. They arise when a value taken from a request (a URL parameter, a form field, an HTTP header) is pasted into a SQL statement without being correctly escaped, validated or, better, passed as a bound parameter, so that part of the attacker's value is parsed as SQL rather than treated as data. The value need not be a quoted string literal: an unquoted numeric parameter is just as injectable.

Secunia also reported a SQL injection issue in WordPress: "Input passed to the 'User-Agent' HTTP header when commenting on an article isn't properly sanitized before being used in a SQL query."

The French Security Incident Response Team (FrSIRT) has also been reporting a number of SQL injection vulnerabilities, in programs such as Pixelpost, NMDeluxe, Php-Stats and several others.



In most cases the advisories list an additional vulnerability as well, but for the SQL injection findings the root cause is consistently the same: a lack of sanitation, that is, input that reaches a query without being validated or escaped. Unfortunately, Lysol can't be used on these problems.

For example, in the Total Ecommerce advisory, the "input passed to the 'id' parameter in index.asp isn't properly sanitized before being used in an SQL query." An attacker can exploit this to manipulate the query by injecting arbitrary SQL code. Note that when a parameter such as id is expected to be a number, the fix is to check that it is one (or bind it as a typed parameter), not merely to escape quote characters; a numeric value is normally not surrounded by quotes in the query, so there is nothing for quote-escaping to protect.
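The two patterns Secunia describes, the numeric id parameter above and the User-Agent header stored with a WordPress comment, as an added example that is not code from Total Ecommerce, WordPress or any other product in the advisories. Each appears in its concatenating form beside a fixed form, run against an in-memory SQLite database that stands in for MySQL or MS SQL; the schema, rows and request values are constructed for the demonstration. It also shows why quote-escaping alone closes the string-literal case but not the numeric one.

```python
"""Added example: SQL injection via concatenation, and the parameterized fix.

Not code from any product named in the advisories. The schema, sample
rows and attacker-supplied values are constructed; SQLite stands in for
MySQL / MS SQL so the script runs offline.
"""
import sqlite3

# Constructed sample data: the third row is meant to stay hidden from the site.
PRODUCTS = [
    (1, "Widget", 9.99, 1),               # id, name, price, visible
    (2, "Gadget", 19.99, 1),
    (3, "Unreleased prototype", 0.0, 0),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, "
                 "price REAL, visible INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", PRODUCTS)
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, post_id INTEGER, "
                 "user_agent TEXT)")
    return conn


def escape_quotes(value):
    """The kind of 'sanitation' that only protects quoted string literals."""
    return value.replace("'", "''")


# --- the 'id' parameter in index.asp, as the advisory describes it ---

def product_vulnerable(conn, product_id):
    """Concatenates the request parameter straight into the statement."""
    sql = "SELECT id, name FROM products WHERE visible = 1 AND id = " + product_id
    return conn.execute(sql).fetchall()


def product_safe(conn, product_id):
    """Allow-list the shape of the value, then bind it as a parameter."""
    if not product_id.isdigit():
        raise ValueError("product id must be a decimal integer")
    sql = "SELECT id, name FROM products WHERE visible = 1 AND id = ?"
    return conn.execute(sql, (int(product_id),)).fetchall()


# --- the User-Agent header stored with a comment, as in the WordPress report ---

def _stored_user_agent(conn, row_id):
    return conn.execute("SELECT user_agent FROM comments WHERE id = ?",
                        (row_id,)).fetchone()[0]


def store_comment_vulnerable(conn, post_id, user_agent):
    """Formats the header into a quoted literal; returns what actually got stored."""
    sql = ("INSERT INTO comments (post_id, user_agent) VALUES (%d, '%s')"
           % (post_id, user_agent))
    cur = conn.execute(sql)
    return _stored_user_agent(conn, cur.lastrowid)


def store_comment_safe(conn, post_id, user_agent):
    """Binds the header as a parameter, so it can only ever be data."""
    cur = conn.execute("INSERT INTO comments (post_id, user_agent) VALUES (?, ?)",
                       (post_id, user_agent))
    return _stored_user_agent(conn, cur.lastrowid)


if __name__ == "__main__":
    conn = make_db()
    # Numeric parameter: there are no quotes to escape, so escaping changes nothing
    # and the visible = 1 filter is bypassed (AND binds tighter than OR).
    payload = "0 OR id = 3"
    print(product_vulnerable(conn, payload))                  # [(3, 'Unreleased prototype')]
    print(product_vulnerable(conn, escape_quotes(payload)))   # same leak
    try:
        product_safe(conn, payload)
    except ValueError as err:
        print("rejected:", err)
    # String parameter: the attacker closes the literal and splices in a subquery
    # (|| is SQLite's string concatenation; MySQL would use CONCAT()).
    ua = "' || (SELECT name FROM products WHERE visible = 0) || '"
    print(store_comment_vulnerable(conn, 1, ua))              # Unreleased prototype
    print(store_comment_vulnerable(conn, 1, escape_quotes(ua)))  # header stored verbatim
    print(store_comment_safe(conn, 1, ua))                    # header stored verbatim
```

The numeric case is the one worth remembering: doubling up quote characters is a complete defense for a value that sits inside a quoted literal, and no defense at all for a value that does not. Binding every value as a parameter removes the distinction, which is why it is the fix to reach for first.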


Patches are available for many of these products, but this class of bug is something to watch for in almost any web application one might deploy. Make sure proper input validation and parameterized queries are in place and this shouldn't be a regular problem.

As more and more software is built on SQL databases, companies must become ever more vigilant in protecting their information. Applying patches and other updates promptly is critical.


About the Author:
John Stith is a staff writer for WebProNews covering technology and business.

About SQLproNews
SQLproNews is a collection of up-to-date tutorials and insightful articles designed to help SQL users of any skill level implement successful SQL systems and practices.





-- SQLProNews is an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
2006 iEntry, Inc. All Rights Reserved
