OVERVIEW
Internet security is an increasingly important requirement of any application that
resides on the Internet. Internet Software Sciences reviews potential security issues
and responds to them accordingly.
Back in 2003, a Web+Center user identified a potential security vulnerability in the
Web+Center software that we carefully reviewed. As a result, we added an extensive set of
routines to thwart this kind of attack and even immediately notify Web+Center
administrators of such occurrences.
The particular form of attack is loosely referred to as SQL injection, and most
database-driven web applications are vulnerable to it unless active measures are
taken to protect against it.
Wikipedia defines SQL Injection as:
SQL injection is a code injection technique that exploits a security vulnerability
occurring in the database layer of an application. The vulnerability is present
when user input is either incorrectly filtered for string literal escape characters
embedded in SQL statements or user input is not strongly typed and thereby
unexpectedly executed. It is in fact an instance of a more general class of
vulnerabilities that can occur whenever one programming or scripting language is
embedded inside another.
EXAMPLE
For example, let's say you have a simple HTML web-based form that asks for your first name like:
If a user enters a form field value of "John", the application may pass that value
straight to the database by building and executing a SQL query of the form:
SELECT * From Users where FirstName='John'
Some database systems permit multiple SQL commands within a single SQL statement by separating them with semi-colons
or double dashes. If a user enters a form field value of "John;DROP TABLE Users",
with the added semi-colon
and the "DROP TABLE Users", a form entry of:
could create a database query of:
SELECT * From Users where FirstName='John';DROP TABLE Users
This will result in both SQL commands being executed - the second one of which
destroys a whole table within the database.
Web+Center SQL-Injection checking and alert routines
Several SQL-injection prevention and notification routines were developed to
prevent form-based SQL-injection abuses and to immediately notify administrators of
potential threats. These routines provide Web+Center administrators with useful
diagnostic information, including customer, tech or IP tracing details, to help track
and analyze potential security events and the hacker behind them. They can also
help to identify attacks or user mistakes.
A special module called Valid_Data_Check.inc, located in the language directory, contains
the routines that do extensive data validation for SQL injection.
This routine is called in many of the Web+Center form interfaces to prevent
SQL-injection abuses. You can add further data verification routines to this module
if needed.
If a potential SQL-injection violation is found, processing of that form immediately
aborts any further access to the database and emails a special alert notification
with the subject line:
Web+Center Caution - Possible security Violation attempt
to the first administrator-level technician registered in the database with a valid email address.
Our Web+Center support site servers, which also use Web+Center for our external customer
support, have seen a number of unsuccessful SQL-injection attempts against our database.
Below is a real email that was recently sent automatically to our company security
advisory member by our SQL-injection checking code.
This attack was logged from the IP address 213.6.192.103, which was eventually mapped
back to a DSL provider in Palestine. The initial WHOIS inquiry using the
Network Solutions WHOIS application returned the fact that this address was registered
at the RIPE NCC (Network Control Center) in the Netherlands. A subsequent query to the
RIPE whois facility (http://www.db.ripe.net/whois) identified the actual Internet
provider of the perpetrator.
If you get emails with the subject line Web+Center Caution - Possible security Violation
attempt, the email was auto-generated by Web+Center because a user possibly attempted
SQL injection, or because of an accidental entry of a semi-colon or other special SQL
control character in one of the form fields that Web+Center is programmed to scan.
You can verify that your SQL-injection checking code is in place by attempting to log
into the Tech+Center or Customer+Center with a valid CSS-XXXX or customer Login ID
and then entering a password that contains a semi-colon (;). You should be presented with a
web page that says Invalid Data and requires you to go back and re-enter your information.
Your administrator should get an alert email from the Web+Center system.
SAMPLE Security Advisory Message sent from Web+Center
From: "Customer Support/Help Desk"
To: "UserX"
Sent: Sunday, January 11, 2009 3:44 PM
Subject: Web+Center Caution - Possible security violation attempt
Caution - this email is an advisory alert that The Web+Center has detected
an apparent attempt to compromise system security. A user has entered data into
a Form field that might be innocent, but has suspicious characteristics.
Relevant details of this action are as follows:
Suspected Perpetrator = Unknown User Not Yet Logged In
Date = 1/11/2009
Time = 3:44:18 PM
Field Name = Case Number
Field Value = 549') and 1=convert(int,(select top 1 table_name from information_schema.tables))--sp_password
Error Code = 4
--------------------------------
Cookie Id =
Form Fields =
Local Address = 168.143.174.18
Path_Info = /ISSSupportCustomerV5/ViewCase.asp
Query_String =
Casenum=549%27)%20and%201=convert(int,(select%20top%201%20table_name%20from%20information_schema.tables))--sp_password
Remote_Address = 213.6.192.103
Remote_Host = 213.6.192.103
Script_Name = /ISSSupportCustomerV5/ViewCase.asp
Server_Name = helpdesk.inet-sciences.com
URL = /ISSSupportCustomerV5/ViewCase.asp
--------------------------------
The meaning of the error code is as follows:
Error Code = 1 - The string contains a semi-colon.
Error Code = 2 - The string contains two or more apostrophes.
Error Code = 4 - The string contains two adjacent hyphens.
Error Code = 99 - The string resulted in a compromised read of the
database.
These error-codes are additive. Any other error-code value is the sum of
two or more of the above codes.
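The additive error-code scheme above can be reproduced with a small field check. This is an added illustration in Python, not the Valid_Data_Check.inc code shipped with Web+Center; it applies the three static rules (codes 1, 2 and 4) to URL-decoded parameter values, using the Query_String from the sample advisory as input, and reports the same code 4 the email shows.

```python
from urllib.parse import parse_qsl

# Additive error codes as listed in the Web+Center advisory e-mail.
ERR_SEMICOLON = 1       # the string contains a semi-colon
ERR_APOSTROPHES = 2     # the string contains two or more apostrophes
ERR_DOUBLE_HYPHEN = 4   # the string contains two adjacent hyphens
# Code 99 (a compromised read of the database) is only known after a
# query has executed, so a static field check like this cannot produce it.

REASONS = {
    ERR_SEMICOLON: "semi-colon",
    ERR_APOSTROPHES: "two or more apostrophes",
    ERR_DOUBLE_HYPHEN: "two adjacent hyphens",
}

def suspicious_code(value: str) -> int:
    """Return the additive error code for one field value (0 means clean)."""
    code = 0
    if ";" in value:
        code += ERR_SEMICOLON
    if value.count("'") >= 2:
        code += ERR_APOSTROPHES
    if "--" in value:
        code += ERR_DOUBLE_HYPHEN
    return code

def describe(code: int) -> list[str]:
    """Split an additive code back into the individual reasons it encodes."""
    return [text for bit, text in REASONS.items() if code & bit]

def check_query_string(query_string: str) -> list[tuple[str, str, int]]:
    """Decode a raw URL query string and check every parameter value.

    The check must run on the decoded value: in the sample e-mail the
    apostrophe arrives as %27. Returns (name, decoded value, code) for
    each failing field; a caller would abort further database access
    and send the alert if the list is non-empty.
    """
    hits = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        code = suspicious_code(value)
        if code:
            hits.append((name, value, code))
    return hits

# Query_String taken from the sample advisory e-mail on this page.
SAMPLE_QUERY_STRING = (
    "Casenum=549%27)%20and%201=convert(int,(select%20top%201%20table_name"
    "%20from%20information_schema.tables))--sp_password"
)
```

A name such as O'Brien passes (one apostrophe), which is why the page notes that an alert may also be an accidental entry rather than an attack. Character checks like these are a detection layer; parameterized queries remain the primary defence against SQL injection.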
Conclusions:
Internet Software Sciences has carefully developed its code to create a
stable and secure suite of web-based applications while offering
flexible and customizable code options.
The most important preventative step you can take as a Web+Center
configurator to recover from potential hackers is to BACKUP your Web+Center
application directory (typically installed in c:\Program Files\Internet Software Sciences\Web+Center 6.0\)
and any other folders that contain Web+Center files
on a frequent basis, and then (even more important)
back up your database (either the Access MDB file or your SQL Server database) on a daily
basis.
Then, on an occasional basis, make sure that the backups you saved are in fact usable. Many
people save backup copies regularly, only to find they are unusable (for any number of reasons) when the time
comes.
From that application folder and the database backup,
you can completely recover the environment necessary for you to
resume operations in case of a loss, either through machine failure or malicious attack.