> Now this is real bad for shared hosting customers.
> 'Cause even if we protect our sites, that SQL simply
> queries all tables in the SQL server. So, if you
> found your data compromised, the leak may have been
> caused by other sites that are using the same SQL
> machine, duh!
On SQL Server the sysobjects and syscolumns tables are per-database, so any script that queries those will only see the tables and such for the database it's running inside of. This particular attack will stay within the database being queried and not go outside, so if your site is hit with this attack it's a sure sign that there is a problem in your code somewhere that let it in.

Given that, I have seen SQL injection attacks that will go try to query the 'master' database on SQL Server, look at the sysdatabases table, and then go crawl through every database it can get access to (and if it can get to master, it's a good bet it can get to everything else). Those are the really nasty ones.

If the hosting company is at all competent, they will have a unique username and password for each client database (or each client shared among your databases) which can't access other client databases. Not only does it help contain SQL injection attacks, it keeps other hosting clients out of your databases (and you out of theirs).

-Justin Scott

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310466
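The containment Justin describes (one login per client database, with no rights in any other client's database) can be set up and then verified from the server side. The T-SQL below is an added example, not something posted in the CF-Talk thread; the database names `ClientA_DB` / `ClientB_DB`, the login name `client_a_app` and the password are placeholders, and it assumes both databases already exist and that it is run by a sysadmin on the shared instance. `ALTER ROLE ... ADD MEMBER` needs SQL Server 2012 or later (older instances use `sp_addrolemember`), and `GO` is the sqlcmd/SSMS batch separator rather than T-SQL. Note also that `sysobjects`, `syscolumns` and `sysdatabases` have been compatibility views since SQL Server 2005; the catalog views `sys.objects`, `sys.columns` and `sys.databases` are the current equivalents, with the same per-database scoping for the first two.

```sql
-- Added example (not from the CF-Talk thread). All names and the password
-- are placeholders; assumes ClientA_DB and ClientB_DB already exist.
USE master;
GO

-- One SQL login per hosting client. Use a generated secret, not a shared
-- hosting-wide password; CHECK_POLICY enforces the OS password policy.
CREATE LOGIN client_a_app
    WITH PASSWORD = '<generated-strong-password>',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = ClientA_DB;
GO

-- Map the login to a database user ONLY inside that client's database and
-- grant just the two fixed roles a typical web application needs.
USE ClientA_DB;
GO
CREATE USER client_a_app FOR LOGIN client_a_app;
ALTER ROLE db_datareader ADD MEMBER client_a_app;
ALTER ROLE db_datawriter ADD MEMBER client_a_app;
GO

-- No CREATE USER is issued in ClientB_DB (or any other client database), so
-- the login has no principal there to act as. If the shared instance has
-- enabled the guest user in client databases, revoke it: REVOKE CONNECT FROM guest;

-- Verification: impersonate the client login and check what it can reach.
-- HAS_DBACCESS() returns 1 only for databases the current security context
-- can open; the expected result is own_db = 1 and other_client_db = 0.
USE master;
GO
EXECUTE AS LOGIN = 'client_a_app';
SELECT HAS_DBACCESS('ClientA_DB') AS own_db,
       HAS_DBACCESS('ClientB_DB') AS other_client_db;
REVERT;
GO

-- Same check across every user database on the instance: any row other than
-- the client's own database with can_open = 1 is a misconfiguration to fix.
EXECUTE AS LOGIN = 'client_a_app';
SELECT name, HAS_DBACCESS(name) AS can_open
FROM sys.databases
WHERE database_id > 4          -- skip master, tempdb, model, msdb
ORDER BY name;
REVERT;
GO
```

The `EXECUTE AS LOGIN` / `REVERT` pair is a cheap way for the hosting operator to audit the whole instance: run the last query once per client login and it shows exactly how far an injection through that client's site could crawl. With this layout, the `master`-then-`sysdatabases` walk Justin mentions still lists the other databases by name (the `VIEW ANY DATABASE` permission is granted to `public` by default), but every attempt to open them fails, which is the containment the thread is asking for.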

