Executive Summary
Summary | |
---|---|
Title | Rise in SQL Injection Attacks Exploiting Unverified User Data Input |
Information | | | |
---|---|---|---|
Name | KB954462 | First vendor Publication | 2008-06-24 |
Vendor | Microsoft | Last vendor Modification | 2008-06-25 |
Severity (Vendor) | N/A | Revision | 1.0 |
Security-Database Scoring CVSS v3
CVSS vector: N/A | | | |
---|---|---|---|
Overall CVSS Score | NA | | |
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability SubScore | NA | | |
Security-Database Scoring CVSS v2
CVSS vector: | | | |
---|---|---|---|
CVSS Base Score | Not Defined | Attack Range | Not Defined |
CVSS Impact Score | Not Defined | Attack Complexity | Not Defined |
CVSS Exploit Score | Not Defined | Authentication | Not Defined |
Detail
Microsoft is aware of a recent escalation in a class of attacks targeting Web sites that use Microsoft ASP and ASP.NET technologies but do not follow best practices for secure Web application development. These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database. When a SQL injection attack succeeds, an attacker can compromise data stored in these databases and possibly execute remote code. Clients browsing to a compromised server could be forwarded unknowingly to malicious sites that may install malware on the client machine.
Mitigating Factors: This vulnerability is not exploitable in Web applications that follow generally accepted best practices for secure Web application development by verifying user data input.
General Information
Overview
Purpose of Advisory: To assist administrators with identifying and correcting vulnerable ASP and ASP.NET Web application code which does not follow best practices for secure Web application development.
Advisory Status: Microsoft Security Advisory and associated tools were released.
Recommendation: Review the suggested actions and configure as appropriate. It is also suggested that server administrators evaluate the effectiveness of the discussed tools and utilize them as needed.
This advisory discusses the following software:
Frequently Asked Questions
What is the scope of the advisory?
Is this a security vulnerability that requires Microsoft to issue a security update?
What causes this threat?
What might an attacker use this function to do?
Suggested Actions
Microsoft has identified several tools to assist administrators. These tools cover detection, defense, and identifying possible coding which may be exploited by an attacker.
Original Source
URL: http://www.microsoft.com/technet/security/advisory/954462.mspx