- Posted to Security by eftennis on 05-13-2008, 8:22 AM
I had the same problem with denying select permission to my sys tables. I ended up going to my hosting provider and their SQL admin gave me this script. This worked and allowed me to deny my ASP login account from selecting the sys objects table.
use [my_admin_sql_login]
GO
DENY SELECT ON [sys].[sysobjects] TO ...
- Posted to Security by eftennis on 05-08-2008, 12:49 AM
Your idea of denying select access to the sys objects seems to make the most sense of any ideas I have read about SQL injectors. That would appear to be a foolproof way of at least stopping the current attackers.
Has this worked for you?
I tried to go in and do this, but my SQL login account does not appear to have ...
- Posted to Security by eftennis on 04-20-2008, 12:51 PM
Thanks. That is the first proof I have seen as to how this works.
We added a logging function to our SQL calls to try to trap for this type of information.
We have been adding a common script to the top of all of our pages to look for "offending" data in the URL parms or the form variables. Seems like a ...
- Posted to Security by eftennis on 04-18-2008, 3:17 PM
We were hit as well last week by a similar one. aspder
Now, last night we were hit by the nihaorr1 attack. Last night's was a little more sophisticated. It inserted script logic into various fields in the database. We ran SQL queries to clean it out since no data was removed.
It appears ...