The Community Forums


SQL Injection

Discussion in 'Security' started by nitaish, Oct 3, 2008.

  1. nitaish

    Hello All,

    I want to know how I can protect the websites hosted on a cPanel server against SQL injection. There are a few websites which are being infected through SQL injection, some of them being pure HTML pages.
     
  2. brianoz

    Three things you can do to keep yourself safe:

    (1) Install mod_security and get a set of rules that block SQL injections;

    (2) Switch to using suPHP if you don't already, as it will stop them learning other SQL passwords from your server;

    (3) Install the configserver.com firewall CSF, which will block anyone trying repeated SQL injections (i.e. anyone raising repeated mod_security alerts). This will block anyone repeatedly trying to hack you, which minimizes your exposure.
     
  3. Alan Meyer

    My experience with SQL injection blockers is that they are a mixed blessing. SQL uses keywords that appear all the time in ordinary English like "select", "insert", and so on, and the blocker installed where I worked wasn't tuned perfectly to recognize true SQL. Sometimes it blocked legitimate input. Also, everything could be working fine but we'd get an update from the blocker vendor and it would break something. So you might want to try SQL blockers, but they may or may not work well for you.

    Another option is to have a meeting with the users and go over the issues. If they design their web forms with security in mind, they can prevent any SQL injection by never allowing anything that comes in from a web page to be executed against a database. This is not hard to do, it just requires that you stop thinking like a decent human being and think instead like a hacker - how could I put something in this form that will cause a problem. [I know, it's sad.]

    If their current web processing allows SQL injection (which it obviously does), this will require some work on the programmer's part to fix. But it will also sensitize them to what the issues are and help them to design their future web forms more securely.

    If, on the other hand, the users have gotten their web pages from somewhere else and don't have the expertise to fix the problem, then I guess there's no option but to use an injection blocker.

    Good luck.

    Alan
     
  4. brianoz

    All Alan has said is great advice. The only thing I'd add is that, if you use a reasonable set of rules, you will get many of the injection attacks. If you use an overly strong set of rules, you'll also block legitimate application use.

    With the set of mod_security rules we use, the protection isn't absolute but we've had only one false positive in the last year or so.

    There's simply no substitute for fixing the application!
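Editor's added example (not code from this thread, from cPanel, or from mod_security): a small Python script using sqlite3 that puts Alan's point about fixing the application next to the false-positive problem both Alan and brianoz describe for keyword-based blockers. The users table, the login functions, the keyword list in `naive_blocker` and the `' OR 1=1 --` payload are all constructed for this example; the keyword list stands in for a poorly tuned rule set and is not any vendor's actual rule.

```python
"""Added example: string-built vs parameterised SQL, plus a naive keyword blocker.

Everything here is constructed for illustration: an in-memory SQLite database,
a two-row users table, and a keyword 'blocker' that imitates an untuned WAF rule.
"""
import re
import sqlite3


def make_db():
    """Constructed sample data: two accounts, one of them privileged."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", 0), ("root", "s3cr3t", 1)],
    )
    return con


def login_vulnerable(con, username, password):
    """The 'before' case: user input is spliced into the SQL text, so a quote
    in the input ends the string literal and the rest is parsed as SQL."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in con.execute(sql)]


def login_safe(con, username, password):
    """The fix Alan describes: nothing from the web page becomes SQL. The query
    text is fixed and the input is bound as data via placeholders."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (username, password))]


# Hypothetical untuned rule: block any input containing a common SQL keyword.
# Real rule sets are more careful, but this reproduces the failure Alan saw.
SQL_KEYWORDS = re.compile(r"\b(select|insert|update|delete|union|drop)\b", re.IGNORECASE)


def naive_blocker(value):
    """Return True if the keyword rule would reject this input."""
    return bool(SQL_KEYWORDS.search(value))


def demo():
    """Run the three cases side by side and return them for inspection."""
    payload = "' OR 1=1 --"  # constructed attack string; '--' comments out the rest
    english = "Please select an insert for the catalog"  # legitimate form text

    results = {
        # String-built query: the payload logs in as every user, including root.
        "vulnerable_with_payload": login_vulnerable(make_db(), payload, "x"),
        # Parameterised query: the same payload is just a username that does not exist.
        "safe_with_payload": login_safe(make_db(), payload, "x"),
        # Parameterised query still works for a genuine login.
        "safe_genuine_login": login_safe(make_db(), "alice", "correct horse"),
        # Keyword blocker: rejects ordinary English (false positive) ...
        "blocker_flags_english": naive_blocker(english),
        # ... and lets the real payload through, since it uses no listed keyword.
        "blocker_flags_payload": naive_blocker(payload),
    }
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-26s %r" % (name, value))
```

The vulnerable function returns both usernames for the payload because the spliced text becomes `WHERE username = '' OR 1=1 --' AND password = 'x'`, where `--` discards the password check. The parameterised version compares the literal string `' OR 1=1 --` against the username column and finds nothing. The keyword rule gets both cases wrong at once, which is the mixed blessing Alan describes: the application fix removes the problem without needing to guess what an attacker will type.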
     