The number of SQL Injection attacks across the Internet continue to rise. I’m seeing regular posting on the SANS RSS feed related to SQL Injection and XSS these days and clients are finding that applications they thought were not vulnerable turn out to be vulnerable because of patches and custom mods they’ve had made to them.  For most site owners this meant going back to the developers and getting updates and this is generally costly and time consuming. Fortunately, Microsoft has stepped up to the plate and brought us a little relief in the form of URLScan 3.0 beta/go-live release.

Here’s a few links to get you to good stuff and hopefully save the day:

Microsoft Security Bulletin: http://www.microsoft.com/technet/security/advisory/954462.mspx

Link to download HP’s custom SQL injection scanner and how to use it. They created this for Microsoft to help you identify possible vulnerabilities in your site.

A source code analysis application that can help identify vulnerable code in your application.

UrlScan 3.0 Beta. I’m generally opposed to installing beta software on a production webserver but I think if you’re getting hammered, it’s probably better to just bite the bullet and do it.  As you probably know UrlScan was for the most part built into IIS 6 but it doesn’t have querystring filtering, this build does and it works with IIS5.1 and later including our beloved IIS 7.0. Kudos to the IIS Team!

Word of caution

Word of caution, I’ve installed this for a few people and a couple times it wouldn’t load after the initial install (Beta software). My fix for this was to install the ISAPI filter directly on the website in question. I used Filemon to watch for when it triggered and referenced the log files to tweak out false positives from there. Each site is unique so you’ll need to tweak your settings accordingly.

Another useful tool

LogParser is another great tool for reviewing your server logs and searching for information such as hack attempts. Steve Schofield has a nice write up about using LogParser and URLScan.

A few FAQ’s on this subject:

Q: Is it Microsoft’s fault and if not then who’s fault is it?
A: It’s yours and your developer’s fault. As hackers evolve so much our techniques to combat them.  Coding methods and ways to access SQL server have changed over the years as a result of this and if you haven’t had your site updated, then it’s your fault.

Q: I just moved my website to a new server and I’m getting hacked now and I wasn’t before. It’s the new server right?
A: No. This is a new type of worm if you will that affecting websites the fact that you changed hosts, websites or applications probably doesn’t have anything to do with it at all. This really started to become a huge problem around late April of this year and we’ve watched it grow into a bigger problem since then.

Q: Is URLScan the answer to my prayers?
A: Consider it a stopgap you’ll be able to employ until you’ve had your web applications updated. You really need to get your application secured.

Q: I haven’t been attacked, how do I know if I’m vulnerable?
A: Use the two tools above and also you might want to hire a service to do website security scans. If you’re hosted with Applied Innovations you can you get free quarterly security scans from scanalert.com.

Q: What kinds of applications are vulnerable? Is it just shopping carts?
A: Every application that accesses a database server of any kind is potentially vulnerable.

Q: My website is written in XXXX language and it’s supposed to be very secure, am I vulnerable?
A: Potentially, YES! Any web application that uses a database can be vulnerable.

With the new addition to the family I’ve got a renewed interest in taking photographs (and video) and ofcourse sharing them. Yeah, I’m one of those Dads.  So today I wanted to crop a image for William’s website (yeah, not even 5 days old and he’s already got his own website at http://williamcoburn.net ). The image I wanted to crop and enhance was of the wallpaper border in his room of Pooh Bear.  The only tools I had available on my desktop were picasa and snag-it.

So the first thing I started to do was download a trial of photoshop elements or paint shop pro (I miss the days JASC provided it). Then it struck me that Adobe recently made an online version of photoshop available called adobe photoshop express. I created a free account, uploaded the image was able to enhance, rotate and crop it within 5 minutes and the finished product is visible on William’s site.

So here’s a few online photo editors available for free (I love freebies):

Adobe Photoshop Express - Adobe’s actually late to the game but they have the name and reputation to bring them to #1 pretty quickly if not already.

FotoFlexer -  This is actually my favorite of the ones I played with tonight. It has a lot of features the others don’t seem to have and little gadgets I love like inserting your own face in a picture, creating little inspirational posters, etc.

Splashup - It seemed pretty basic to me and I really didn’t get that involved with it.

Picnik - I enjoyed using this one and found it really intuitive.

I also found a couple ASP.NET projects that seemed to offer basic features and could make a nice little runner up. Who knows maybe you’ll see photoeditor.jesscoburn.com before long

Here’s William Henry Coburn, 8lbs 2oz, 19.5 inches (I’ll leave out the silly joke this time). Unfortunately my attempt to blog post from my cell phone via email failed miserably. But here’s a couple pictures from the first 24 hours.

First Williams Nursery (because I spent a god awful amount of time painting that darn thing)

Williams Very First Baby Picture (being held up by his mommy’s OB Dr. Newman)

Daddy Snips the cord (not nearly as easy as it looks on TV but 10X more gross as you can see from the blood squirts)

Here’s the grandparents and Auntie Louise getting their first look at him (they still have those smiles on).

Strike A Pose …

Finally, Daddy doing for the first time what daddy is going to do the most for the next few years… changing the nappy…and dodging the stream of pee (he almost got me)

I was attending The Parallels Summit this week and while up there the wife sent me a MMS picture on my phone.  The doctor had a 3D sonograph made so I give you the first 3D picture of our baby due sometime in June of 2008:

The folks over at Early Impact (makers of ProductCart) have released a tool to help remove JavaScript code from a SQL database that may have been hacked as part of the SQL Injection attacks taking place today on the Internet.  Here’s the details from their newsletter and a link to the SQL query you can execute.  Please be warned, I haven’t tested this so make sure you have a backup before executing it (just in case):

If your database is hacked

If your store is hacked (JavaScript code added to fields such as product names and descriptions), follow these steps

• Turn off the store
• Clean up the database by either:
  • Restoring a back-up copy
  • Running a query symmetrical to the offending query (download the SQL query here). Load the query in MS SQL query analyzer and run it multiple times until it says that “0 rows were affected”. Ask your Web master to do this for you, or open a support ticket with Early Impact. Note that this method might not be 100% effective.
• Make sure that you have installed the updated files above (and any other files that might be released related to this Security Alert).
• Re-open the store