Back to qualys.com
5 posts

Thwarting SQL Injection: Defense in Depth

SQL as a language is vulnerable to injection attacks because it allows mixing of instructions and data, which attackers can conveniently exploit to achieve their nefarious objectives.

The root cause behind successful SQL injection attacks is the execution of user-supplied data as SQL instructions. This classic cartoon illustrates the perils of trusting user inputs, and how they can lead to a successful SQLi attack:

From the webcomic xkcd:

Did you really name your son Robert'); DROP TABLE Students;--

Continue reading …

Drupal SQL Critical Vulnerability and How Qualys Can Help

On October 15, 2014, Drupal, a free, open source software used to create and manage websites, announced the existence of a vulnerability in its Drupal 7 database API abstraction layer. The vulnerability allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.

Continue reading …

Patch Tuesday August 2014 – Update

Update: Microsoft has modified the bulletin MS14-045 for Windows and excluded the patch for the font handling vulnerability CVE-2014-1819. The patch can cause the system to lockup (BSOD) and present problems with fonts that are not installed in the default location. Microsoft recommends uninstalling KB2982791 at this time. For more information take a look at the KB article itself. We are interested to know how widespread these problems are. Were you affected? Do you install important level patches immediately or do you wait for a cool-off period? These questions are important especially when you consider the availability of 1-day exploits, where attackers reverse engineer patches to find new attack vectors:

1-day

This example is taken from the capability description of commercial exploit tool (Gamma’s FinFly) but it illustrates the capabilities that a good attack team has.

Original: It is August Patch Tuesday, the week after Black Hat and DEF CON and we are getting nine bulletins from Microsoft with a total of 41 vulnerabilities addressed plus a new version of Adobe Flash. In addition Microsoft is introducing some new capabilities for automatic ActiveX blocking and announced the phase out of old browsers. All in all, a pretty busy Patch Tuesday with 2 patches that address 0-day vulnerabilities that are seeing attacks in the wild – Internet Explorer and Adobe Flash.

Continue reading …

August 2014 Patch Tuesday Preview

While the Black Hat security conference is ongoing in Las Vegas (stay tuned to this blog for a rundown of our favorite presentations), Microsoft has published their Advance Notice for the month of August. That document gives us an idea of the size of next week’s Patch Tuesday: we will get nine bulletins affecting a wide variety of Microsoft software including Internet Explorer, Windows, Office, SQL Server and Sharepoint. Two of the bulletins are rated “critical,” as they allow for Remote Code Execution (RCE) and a third one for Microsoft Office OneNote also provides RCE capabilities.

Continue reading …

Postgres Announces Upcoming Security Patch

Last week, the PostgreSQL Project advised its users of an upcoming security patch for a critical security vulnerability in their database server software. All currently supported versions are affected and the patch will be released on Thursday, April 4th. To our knowledge this is the first time that an Open Source project has pre announced a vulnerability and upcoming patch. We expect the release to fix a Remote Code Execution vulnerability in this popular database engine and recommend all PostgreSQL users to upgrade to a secure version as soon as possible, especially if your database server is connected directly to the Internet. The Shodan search engine currently lists over 30,000 systems that have an accessible PostgreSQL server on the Internet.

Underscoring the severity of the vulnerability is an announcement by Heroku, a popular cloud application platform, that has started forcibly upgrading all of customers’ PostgreSQL installations with the patch.

We will update this post as soon as more information becomes available.