Microsoft IIS blamed for mass SQL injection attacks

So in the past week slashdot has made two post over this including many other sites.  Apparently there is a bot running the net attempting sql injection on a specific brand of sites.  Nothing to write home about correct?  This one is nothing particularly special in that if your asp page is open to sql injection and you run MSSQL server you are open to the bot.  The bot floods the database with a specific javascript include which runs malicious code when it is pulled from the database.

What is particularly annoying with all of this is that bad coding practices are the root cause for all of this.  You have sites like slashdot blatantly spinning the issue around on Microsoft.  Sorry, I have criticisms of MS just like everybody else, but this is flat our preventable by sanitizing your queries.  Instead of writing a sensationalist post spouting big 6 digit numbers and throwing around the word vulnerability, how about trying to understand the problem.  When I first saw this article being a webmaster I naturally wanted to find out why the REAL issue was instead of wading through a page of spin. 

If you want the REAL story on what this is all about read this well written explanation of the problem.

Tagged: , , ,