Although this attack targets websites powered by Microsoft SQL Server, databases such
as Oracle are also vulnerable to this attack.
The attacks "are a very sophisticated form of SQL injection," Qualys CTO Wolfgang
Kandek told TechNewsWorld. "Normally, SQL injection is targeted to one table. With
this attack, they used a generic mechanism of the underlying database to make it work
on a much broader set of applications."
The attacks have targeted sites running IIS and ASP that have an MS-SQL database.
However, they are not exploiting a particular flaw in these applications -- the exploit
could have been written to target any database -- Oracle or WebSphere, for example.
Rather, the code exploits what security researchers are bemoaning as an elementary
lapse in Web security on the part of developers installing the databases.
In addition to this attack, the article mentions another one, specific to SQL Server,
on the horizon:
"The underlying database servers are often misconfigured to have an extended stored
procedure xp_cmdshell enabled," Belani told TechNewsWorld. "This setting allows an
attacker to execute commands at the operating system level post compromise via SQL
injection. This level of access is hard to come by in other database servers like
Oracle."
Full story at http://www.technewsworld.com/edpick/62783.html?welcome=1209477802.
The root cause of these attacks is insecure web application design, which allows SQL
code to be inserted into a page request and executed in the following database query.
This is an old technique known as SQL Injection.
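As an added illustration (not code from the article or from this post), here is the flaw just described next to its fix: a page lookup that splices the request parameter straight into the SQL text, beside the same lookup with a bound parameter. It assumes Python's sqlite3 as a stand-in for the MS-SQL backend the article describes; the pattern is the same for an ADO query in classic ASP.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for a site's content table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO articles (title, body) VALUES (?, ?)",
        [("Welcome", "Hello world"), ("News", "Nothing to report")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, article_id):
    # The design flaw: the value from the page request is pasted into the
    # query text, so any SQL it carries is parsed and run as part of the query.
    sql = "SELECT title FROM articles WHERE id = " + article_id + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, article_id):
    # The fix: a parameterized query. The driver hands the value to the
    # database as data, never as SQL text, so a tampered id matches nothing.
    # Rejecting non-numeric ids up front is good practice too, but binding
    # alone already removes the injection.
    sql = "SELECT title FROM articles WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (article_id,))]


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1 OR 1=1"):  # a normal id and a tampered request value
        print(repr(value), "vulnerable:", lookup_vulnerable(db, value),
              "safe:", lookup_safe(db, value))
```

With the tampered value, the vulnerable lookup returns every row while the parameterized one returns none, which is the difference a code review should be looking for.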
If you're not familiar with SQL Injection, you need to be, since it's a very basic
flaw with serious ramifications. I highly recommend reading 19 Deadly Sins of
Software Security for a very good introduction to some very basic design issues.
