Block SQL Injection

Cliff Wells cliff at develix.com
Thu Apr 21 05:36:28 MSD 2011


On Wed, 2011-04-20 at 17:43 -0700, Payam Chychi wrote:
> Cliff Wells wrote:
> > On Thu, 2011-04-21 at 04:22 +0700, Joe wrote:
> >
> >> Put a daily backup on your databases. :)
> >
> >
> > That doesn't really solve the issue. Once someone has compromised the
> > database, they can usually leverage that to gain wider system access.
> >
> > Cliff
> >
> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org
> > http://nginx.org/mailman/listinfo/nginx
> >
> How does exploiting your DB = wider system breach? Sorry, but that makes
> no sense

Easy. What data does your database store? Quite probably usernames and
passwords. A fundamental truth is that people often use the same
passwords for multiple services. If you can obtain the password for a
company's CMS or Webmail application, chances are you now have their
password for multiple services.

For a recent and well-publicized example of this type of intrusion,
members of Anonymous hacked HBGary's database via a SQL-injection attack
on their CMS, which eventually led to compromised email accounts. They
then leveraged this to obtain more sensitive information via social
engineering (using a stolen email address to get SSH passwords).

http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars

> And I've been doing system/network security & networking for
> over 10 years.

Well, I've been doing it for 23 years, so give yourself a little more
time.

Regards,
Cliff
