Might not be with SQLi, but I have heard of some XSS vulnerabilities.
Z

Edward Ziots
CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505
ezi...@lifespan.org

From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Wednesday, June 16, 2010 5:44 AM
To: NT System Admin Issues
Subject: RE: Time to verify your IIS setup

I'm not aware that SharePoint is vulnerable to SQL Injection attacks at all. If you've ever debugged SharePoint, you'll see that most of it uses OLEDB under the covers with parameterised queries.

Cheers
Ken

From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Wednesday, 16 June 2010 7:10 AM
To: NT System Admin Issues
Subject: RE: Time to verify your IIS setup

SQLi and Blind SQLi are fun... You just need to go to some OWASP meetings; it will start to make a lot of sense, that and scare the living crap out of you, on how poorly web applications are written and how much they are relied on to access very sensitive information in the organization. Plus a poorly written web app actually increases your attack surface within the organization due to the multitude of people that can hack at the web interface that couldn't do that as easily through traditional thick client solutions. (Not saying the thick client is better.)

Now think of how secure or basically insecure your Sharepoint sites are and possible SQLi/XSS vulnerabilities lying in those beasts, and it seems to be the new craze in collaboration, but what about the information stored in the website itself? Who can access it? Should it even be in Sharepoint? Can you encrypt it at rest? Lots of interesting scenarios and fun questions abound... Now that will make ya head hurt sometimes...

EZ

Edward Ziots
CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505
ezi...@lifespan.org

From: David [mailto:blazer...@gmail.com]
Sent: Tuesday, June 15, 2010 6:50 PM
To: NT System Admin Issues
Subject: Re: Time to verify your IIS setup

That just makes my head hurt.
On Tue, Jun 15, 2010 at 3:18 PM, Kurt Buff <kurt.b...@gmail.com> wrote:

Here's an update on the issue:
http://blog.armorize.com/2010/06/recent-evolution-of-mass-sql-injection.html

On Tue, Jun 15, 2010 at 14:45, Andrew S. Baker <asbz...@gmail.com> wrote:
> More important to me is, "How many discrete managers of IIS
> systems/environments does this represent?"
> I mean, on one level, if a single ISP hosting 500 discrete sites for clients
> is a victim, that's not exactly the same thing as those 500 clients failing
> to manage this risk.
> On the other hand (and from a more practical standpoint), they're still
> victims just the same...
> -ASB: http://XeeSM.com/AndrewBaker
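Ken's point earlier in the thread, that parameterised queries are what keep SharePoint out of the SQL injection class, is easy to show in miniature. The following is an added example, not code from any poster or from SharePoint; it uses a constructed in-memory SQLite table standing in for a site's content store, and the page-lookup functions are hypothetical.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data: one unpublished draft that a visitor must never see.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO pages (title, published) VALUES (?, ?)",
        [("Welcome", 1), ("Draft roadmap", 0), ("Contact", 1)],
    )
    return conn


def find_published_concat(conn: sqlite3.Connection, title: str) -> list:
    # Defective pattern from the mass-injection wave: the request value is pasted
    # into the SQL text, so a quote in the input changes the query's structure.
    sql = f"SELECT title FROM pages WHERE published = 1 AND title = '{title}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_published_param(conn: sqlite3.Connection, title: str) -> list:
    # Parameterised form: the value travels separately from the statement text,
    # so whatever it contains is compared as a literal and never parsed as SQL.
    sql = "SELECT title FROM pages WHERE published = 1 AND title = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (title,))]


def demo() -> dict:
    # Constructed probe input: a stray quote followed by an always-true clause.
    # Because AND binds tighter than OR, the concatenated query becomes
    # (published = 1 AND title = 'x') OR '1'='1', which leaks the draft.
    conn = build_db()
    probe = "x' OR '1'='1"
    return {
        "concat": find_published_concat(conn, probe),  # leaks all rows, draft included
        "param": find_published_param(conn, probe),    # no page has that literal title
    }


if __name__ == "__main__":
    print(demo())
```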