Block SQL Injection
Cliff Wells
cliff at develix.com
Thu Apr 21 05:36:28 MSD 2011
On Wed, 2011-04-20 at 17:43 -0700, Payam Chychi wrote:
> Cliff Wells wrote:
> > On Thu, 2011-04-21 at 04:22 +0700, Joe wrote:
> >
> >> Put a daily backup on your databases. :)
> >>
> >
> > That doesn't really solve the issue. Once someone has compromised the
> > database, they can usually leverage that to gain wider system access.
> >
> > Cliff
> >
> >
> >
> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org
> > http://nginx.org/mailman/listinfo/nginx
> >
> >
> how does exploiting your db = wider system breach? sorry but that makes
> no sense
Easy. What data does your database store? Quite probably usernames and
passwords. A fundamental truth is that people often use the same
passwords for multiple services. If you can obtain the password for a
company's CMS or Webmail application, chances are you now have their
password for multiple services.
For a recent and well-publicized example of this type of intrusion,
Members of Anonymous hacked HBGary's database via a SQL-injection attack
on their CMS, which eventually led to compromised email accounts. They
then leveraged this to obtain more sensitive information via social
engineering (using a stolen email address to get ssh passwords).
http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars
> and ive been doing system/network security & networking for
> over 10 years.
Well, I've been doing it for 23 years, so give yourself a little more
time.
Regards,
Cliff
More information about the nginx
mailing list