As somebody starts telling about vulnerability by SQL injection, be aware that it is the culprit in this case. It was only that you cannot reach a Jet database directly over the Internet.

Well, you may not be able to reach the database directly; this is in my situation also the case with SQL Server. In my company (and for a fact all the companies I worked for and with) the SQL servers are also not directly connected to the internet (WAN) but located on a LAN through a separate NIC on the web server.

But does this make them safe from SQL injection?! Sure not! SQL injection is mostly done through the URI or through user input fields which are available in the presentation layer, and it doesn't matter which database it is: ACCESS, MSSQL, MYSQL, ORACLE, DB2 etc. etc. etc. The only 2 things you need are a developer who doesn't understand the concept and a "wannabe" hacker who does understand it.

This is the reason why I followed a course at http://www.madison-gurkha.com/en/index.php where I found out with my development laptop that Microsoft already implemented a lot of countermeasures in the framework, and you almost have to write explicit code to allow SQL injection. 2 of the biggest mistakes are:
allowing string concatenation to the DB backend directly from the GUI,
making detailed DB exceptions visible to the presentation layer.

And believe me, with the knowledge you get at such a course you can bring a lot of websites or programs down. I believe that 80% of developers are not aware of the risk they take with certain implementations. At one company I was, at an audit (where we checked code that was written by other working companies and/or by outsourced projects), able to delete production tables or get valuable information from the GUI such as customer info, passwords, or which database and/or how the table structure was, by deliberately crashing the app with malicious data entry.

So, hint:
Use a safe data access mode, cause there is nothing as worse as that your employer hires those guys of Madison or similar to them to investigate what has gone wrong and their conclusion is that the developer of the product made some common mistakes regarding SQL injection. I wonder what will happen if this is in a company where the core business and so value is within the data. I know for sure that I would be sent home as I work at such a company, where the audit sure would take place if we were missing data or it had gone corrupted.

Personally I always write at least a three-tiered app; my presentation layer will never expose anything about my database. The user only has to know that his data could not get stored or that there is an unexpected exception at the database level, but he doesn't have to know that "an unexpected data error occurred at SQL.Client Insert into DBO.Users .......................... ". This seemingly harmless error tells me already that I now only have to focus on MS SQL vulnerabilities and that there exists a table named Users.

Well, I hope I made my point clear.
Michel Posseth
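The two mistakes the post names (string concatenation into the SQL text, and raw database exception text reaching the presentation layer) next to their fixes, as an added example that is not part of the original post or the author's code. It uses Python's sqlite3 module with a constructed in-memory Users table so it runs offline; the binding and error-handling pattern is the same as SqlParameter plus a generic error message in ADO.NET, which is the environment the post describes. The function names and the sample rows are assumptions made for the example.

```python
"""Added example (not the author's code): the two SQL-injection mistakes from the
post, shown beside their fixes, on a constructed sqlite3 database."""
import logging
import sqlite3

log = logging.getLogger("data-layer")

# Message the presentation layer is allowed to see: nothing about the schema.
GENERIC_ERROR = "Your data could not be stored. Please try again later."


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a Users table with three rows (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, "
        "name TEXT UNIQUE NOT NULL, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO Users (name, secret) VALUES (?, ?)",
        [("alice", "s1"), ("bob", "s2"), ("carol", "s3")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Mistake 1: the user-supplied value becomes part of the SQL statement.
    A value containing a quote changes the query, not just the data."""
    sql = "SELECT id, name FROM Users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Fix: the statement text is fixed; the value is bound as a parameter,
    so whatever the user types is compared literally against the column."""
    return conn.execute(
        "SELECT id, name FROM Users WHERE name = ?", (name,)
    ).fetchall()


def store_user_leaky(conn: sqlite3.Connection, name: str) -> str:
    """Mistake 2: the database's own error text is handed to the user.
    For a duplicate name sqlite3 reports 'UNIQUE constraint failed:
    Users.name', which reveals the table and column names."""
    try:
        conn.execute("INSERT INTO Users (name) VALUES (?)", (name,))
        conn.commit()
        return "ok"
    except sqlite3.Error as exc:
        return "Unexpected data error: " + str(exc)


def store_user_safe(conn: sqlite3.Connection, name: str) -> str:
    """Fix: keep the detail in the server-side log; return a generic message."""
    try:
        conn.execute("INSERT INTO Users (name) VALUES (?)", (name,))
        conn.commit()
        return "ok"
    except sqlite3.Error as exc:
        log.error("insert into Users failed: %s", exc)  # stays on the server
        return GENERIC_ERROR


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # classic tautology input, used here only to show the difference
    print("unsafe:", find_user_unsafe(db, probe))   # every row comes back
    print("safe:  ", find_user_safe(db, probe))     # no row has that literal name
    print("leaky: ", store_user_leaky(db, "alice"))  # mentions Users.name
    print("safe:  ", store_user_safe(db, "alice"))   # generic message only
```

The unsafe lookup returns all three rows for the tautology input because the concatenated text becomes `WHERE name = '' OR '1'='1'`; the bound version returns nothing because no user is literally named that. The leaky insert message contains the table and column name, which is exactly the kind of hint the post says lets an attacker narrow down the database and its structure, while the safe version logs that detail and shows the user only the generic text.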