RE: iframe attack
2008/05/20 15:26:18
This problem has nothing to do with Microsoft; it has to do with poor coding practices in many applications used these days in ASP, PHP, and ASP.NET where the programmer didn't bother to do a 'validation' on the form-submitted data before inserting it into an SQL query. Thus an attacker can craft, say, a POST to a form application like default.aspx used by Hosting Controller, and instead of using a username for the form field 'Username' they would craft their own SQL commands that, for example, either SELECT, UPDATE, or DELETE data from any of the tables within that database. Thus they could craft an SQL query that goes through each table, each field on that table, and modifies it to say whatever they want. Now if HC checks the username submitted data to make sure it doesn't contain any of these SQL commands within it before using it for an SQL query, then we are fine. If HC directly uses the submitted data in an SQL query without doing any prevalidation, then it's only a matter of time before our SQL databases get destroyed by these script kiddies.
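The difference the post describes, shown as an added example that is not code from the post or from Hosting Controller: the same username lookup built by string concatenation, and again with a bound parameter plus an allow-list check on the field. Python with sqlite3 stands in for the ASP/PHP/ASP.NET form handler; the table, column and function names are assumptions and the data is constructed.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; the schema is an assumption for illustration.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, plan TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "basic"), ("bob", "reseller")])
    return db

def lookup_concatenated(db, username):
    # The practice the post warns about: the form value becomes part of
    # the SQL text, so quotes inside it change the statement itself.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, username):
    # The form value is bound as data; the SQL text never changes.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in db.execute(sql, (username,))]

# Validation as an allow-list of the expected shape, rather than a search
# for SQL keywords inside the value.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed form value, not a real username
    print("concatenated :", lookup_concatenated(db, crafted))
    print("parameterized:", lookup_parameterized(db, crafted))
    print("passes check :", is_valid_username(crafted))
```

With the bound parameter the crafted value is compared as a literal string and matches no row, so the query stays safe even if the validation step is skipped or incomplete.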