According to research presented at the Black Hat security conference in Amsterdam, SQL injection attacks open the door to much more serious exploits. New techniques prey on design flaws in three of the most popular databases: MySQL, PostgreSQL, and Microsoft SQL Server.

SQL injections are the result of applications that fail to vet user-supplied input entered into website fields. Hackers can abuse this failure to access private information (in the database and in the operating system that runs the website) by entering valid commands. With one of the new techniques, it is possible to exploit buffer overflow flaws in the database and take complete control of servers running SQL Server (those without the patch from February). A separate technique allows exploiting a SQL injection vulnerability to finagle a command shell from servers running MySQL and PostgreSQL. The designer of a popular security tool called SQLMap plans to offer an update that will help to detect the new type of attacks.

WhiteHat Security, a firm that specializes in web application security, estimates at least 16 of the top 1,000 websites suffer from the bug. The percentage of threatened websites is about 33 percent, and fixing the epidemic could cost from $3 billion to $8.5 billion.

To fully protect against the new attack, administrators will need to take a hard look at the way their databases are configured. But because many of the researcher's attacks rely on database design flaws that allow local privileges to be ported remotely, even that best practice isn't enough to prevent some of the attacks.

The original news can be found at The Register website.