Developers at fault? SQL Injection attacks lead to widespread compromise of IIS servers

"There’s been a lot of noise and violent thrashing over the last couple
days regarding a flaw that was originally believed to be a flaw in
Microsoft’s IIS (Internet Information Server), but has since been
pointed out as simply a well thought out SQL Injection attack.

For those of you who aren’t familiar with SQL Injection
attacks, it’s a pretty well known web application attack vector that
exists in high volume on dynamic applications, say for instance, on
your banking site. SQL Injection allows an attacker to subvert the
logic of the currently running SQL query in order to interact with data
more interesting to the attacker, bypass authentication/authorization,
or run arbitrary commands on the operating system of the database
server."

Article Link: http://blogs.zdnet.com/security/?p=1059