Block SQL Injection

Payam Chychi pchychi at gmail.com
Thu Apr 21 07:07:57 MSD 2011


I was easy... So you would use some admins stupidity to backup 23
years of experience? That makes no sense to me but hey its ok, its the
internet after all

Hope you find an answer to your problem

On 4/20/11, Cliff Wells <cliff at develix.com> wrote:
> On Wed, 2011-04-20 at 17:43 -0700, Payam Chychi wrote:
>> Cliff Wells wrote:
>> > On Thu, 2011-04-21 at 04:22 +0700, Joe wrote:
>> >
>> >> Put a daily backup on your databases. :)
>> >>
>> >
>> > That doesn't really solve the issue. Once someone has compromised the
>> > database, they can usually leverage that to gain wider system access.
>> >
>> > Cliff
>> >
>> >
>> >
>> > _______________________________________________
>> > nginx mailing list
>> > nginx at nginx.org
>> > http://nginx.org/mailman/listinfo/nginx
>> >
>> >
>> how does exploiting your db = wider system breach? sorry but that makes
>> no sense
>
> Easy. What data does your database store? Quite probably usernames and
> passwords. A fundamental truth is that people often use the same
> passwords for multiple services. If you can obtain the password for a
> company's CMS or Webmail application, chances are you now have their
> password for multiple services.
>
> For a recent and well-publicized example of this type of intrusion,
> Members of Anonymous hacked HBGary's database via a SQL-injection attack
> on their CMS, which eventually led to compromised email accounts.  They
> then leveraged this to obtain more sensitive information via social
> engineering (using a stolen email address to get ssh passwords).
>
> http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars
>
>>  and ive been doing system/network security & networking for
>> over 10 years.
>
> Well, I've been doing it for 23 years, so give yourself a little more
> time.
>
> Regards,
> Cliff
>
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://nginx.org/mailman/listinfo/nginx
>

-- 
Sent from my mobile device

Payam Tarverdyan Chychi
Network Security Specialist / Network Engineer



More information about the nginx mailing list