Block SQL Injection
cliff at develix.com
Thu Apr 21 05:36:28 MSD 2011
On Wed, 2011-04-20 at 17:43 -0700, Payam Chychi wrote:
> Cliff Wells wrote:
> > On Thu, 2011-04-21 at 04:22 +0700, Joe wrote:
> >> Put a daily backup on your databases. :)
> > That doesn't really solve the issue. Once someone has compromised the
> > database, they can usually leverage that to gain wider system access.
> > Cliff
> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org
> > http://nginx.org/mailman/listinfo/nginx
> How does exploiting your db = wider system breach? Sorry, but that makes
> no sense.
Easy. What data does your database store? Quite probably usernames and
passwords. A fundamental truth is that people often use the same
passwords for multiple services. If you can obtain the password for a
company's CMS or Webmail application, chances are you now have their
password for multiple services.
For a recent and well-publicized example of this type of intrusion,
members of Anonymous hacked HBGary's database via a SQL injection attack
on their CMS, which eventually led to compromised email accounts. They
then leveraged this to obtain more sensitive information via social
engineering (using a stolen email address to get SSH passwords).
> And I've been doing system/network security & networking for
> over 10 years.
Well, I've been doing it for 23 years, so give yourself a little more