Products

Solutions

Resources

Partners

Community

Blog

About

QA

Ideas Test

New Community Website

Ordinarily, you'd be at the right spot, but we've recently launched a brand new community website... For the community, by the community.

Yay... Take Me to the Community!

Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
In order to participate you must be a registered DNNizen

HomeHomeOur CommunityOur CommunityGeneral Discuss...General Discuss...DNN SQL Injection Vulnerability? I.E. How did this happen?DNN SQL Injection Vulnerability? I.E. How did this happen?
Previous
 
Next
New Post
5/22/2008 1:24 PM
 

Yup, you were correct, an entire column had the <script> tags appended to them. Thank you.

I use a DBO qualifier for my tables, CMS_HostSettings. 

If this was another applications .asp or .aspx that was comprimised, that is some pretty intense logic to look for tables eh?

 

 
New Post
5/22/2008 1:41 PM
 

Using a DB search stored procedure:
http://vyaskn.tripod.com/search_all_columns_in_all_tables.htm

I found many more records that were infected, some in DNN.

Thought it might help others who might have this same problem.

 

 
New Post
5/22/2008 5:40 PM
 

All,

sorry to hear about your issues, I thought I would post some of my thoughts here.

SQL Injection attacks rely on the ability of the hacker/program to inject arbitrary sql code onto existing sql statements (known as "dynamic sql"). Typically this happens when hackers find a way to concatenate new statements to existing statment often via querystring parameters e.g. "somepage.aspx?someid=1" get's changed to "somepage.aspx?someid=1;delete from users" . If the underlying code concatenates the someid text into a dynamic query then the additional query get's carried out.

DotNetNuke uses stored procedures instead of dynamic sql. This means that sql injection attacks are almost impossible (this is a development best practice). I believe we do use SQL injection in one core proc but it’s careful to not allow injection attacks so I don’t believe this is a core problem.

I took a check for the b.js payload indicated by one of the posters, and see that there are a large number of sites of all technologies that have that file(http://www.google.co.uk/search?hl=en&q=b.js&meta=). A short time ago there was a huge increase in sql injection attacks that are commonly believed to have been caused by automated attacks that leveraged search engines to find targets (http://blog.wired.com/monkeybites/2008/04/microsoft-datab.html has some good details on this and contains a link with some tips to clean up these entries). These were not dotnetnuke specific,  but rather looking for any site that might allow dynamic sql. A number of popular 3rd party use dynamic sql, so perhaps one of them has a parameter that was found and used by this attack. I would recommend that people with access to their IIS logs take a look in there as it's likely you'll see the requests that caused the issue(s), and that will help you pinpoint the attack points and whether they're modules or other applictions (if an unrelated application is running with a database user with a high privileges a single site could allow sql injection across all databases on a server)

Note: the code to iterate through lists of tables, columns and users via sql injection is actually quite straightforward and very well known (basically it uses tables such as syscolumns/systables/sysusers etc.), most sql injection attacks do not need to know the underlying database to exploit it. In fact it's usually one of the signatures of a generic attack that data is changed in multiple places as the tools used don't know what (if any) data stored in the database will be displayed on a webpage.

Thanks,
Cathal


Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US
 
New Post
5/22/2008 6:38 PM
 

For those running DNN in conjunction with other applications, I would strongly recommend running DNN in its own application pool under a unique (ie; not NETWORK SERVICE) account, and ensuring that that account is the only IIS-related account that has access to the DNN database.  Since DNN is relatively insulated from these sorts of attacks, the primary infection paths will be through cross-contamination and third-party modules.  While this is a bit more work, proper application pool / SQL server configuration can virtually eliminate the former method of infection.

As I recall, in my own installation, the DNN application pool only has execute permission on the stored procedures, and can't even directly access the tables themselves.

Brandon


Brandon Haynes
BrandonHaynes.org
 
New Post
5/22/2008 7:44 PM
 

Using a DB search stored procedure:
http://vyaskn.tripod.com/search_all_columns_in_all_tables.htm

I found many more records that were infected, some in DNN.

Thought it might help others who might have this same problem.

 

 
Previous
 
Next
HomeHomeOur CommunityOur CommunityGeneral Discuss...General Discuss...DNN SQL Injection Vulnerability? I.E. How did this happen?DNN SQL Injection Vulnerability? I.E. How did this happen?


These Forums are dedicated to discussion of DNN Platform and Evoq Solutions.

For the benefit of the community and to protect the integrity of the ecosystem, please observe the following posting guidelines:

  1. No Advertising. This includes promotion of commercial and non-commercial products or services which are not directly related to DNN.
  2. No vendor trolling / poaching. If someone posts about a vendor issue, allow the vendor or other customers to respond. Any post that looks like trolling / poaching will be removed.
  3. Discussion or promotion of DNN Platform product releases under a different brand name are strictly prohibited.
  4. No Flaming or Trolling.
  5. No Profanity, Racism, or Prejudice.
  6. Site Moderators have the final word on approving / removing a thread or post or comment.
  7. English language posting only, please.
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out