Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
The New SQL Injection Attack
December 11th, 2009
A new, extremely sophisticated SQL injection attack that may have already infected up to 300,000 Web pages has been detected. Perpetrators are using SQL injection to push a malicious iframe that is named script src=hxxp://318x.com into Web servers. (An iframe is an HTML structure that enables another HTML document to be put into an HTML page.)
What does it mean? Does it mean many web servers were vulnerable to SQL injection at the same time? How? Or is it a worm using SQL injection?
Is it about a security hole in MS SQL Server? Does anyone know more technical details?
There are so many websites that are vulnerable to SQLi. It was a regular SQL injection attack, but the one who did this used those methods in SQL that require the FILE permission (SELECT ... INTO FILE, LOAD DATA INFILE, LOAD_FILE()), which most hosts turn on by default, and was able to inject HTML into files.
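One way to hunt for this class of activity on the database side, as an added example that is not code from the original thread: a small Python scanner over MySQL general query log lines (the sample log and its connection ids are constructed) that flags the FILE-privilege constructs named above, stripping string literals first so those keywords inside quoted data do not trigger false positives.

```python
import re

# Constructed sample of a MySQL general query log; not taken from the post.
SAMPLE_LOG = """\
091211 10:00:01\t   12 Connect\twebapp@localhost on shop
091211 10:00:01\t   12 Query\tSELECT id, name FROM products WHERE id = 42
091211 10:00:02\t   12 Query\tSELECT 'CONSTRUCTED_PAYLOAD' INTO OUTFILE '/var/www/html/x.php'
091211 10:00:03\t   13 Query\tSELECT LOAD_FILE('/etc/passwd')
091211 10:00:04\t   13 Query\tLOAD DATA INFILE '/tmp/x.txt' INTO TABLE t
091211 10:00:05\t   14 Query\tSELECT body FROM posts WHERE body = 'load_file( is a function name'
091211 10:00:06\t   14 Quit\t
"""

# Constructs that need the MySQL FILE privilege, as listed in the reply above.
FILE_PRIV_PATTERNS = {
    "INTO OUTFILE/DUMPFILE": re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.I),
    "LOAD DATA INFILE": re.compile(r"\bLOAD\s+DATA\b.*?\bINFILE\b", re.I),
    "LOAD_FILE()": re.compile(r"\bLOAD_FILE\s*\(", re.I),
}

# Single- or double-quoted SQL string literals, allowing backslash escapes.
_STRING_LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")


def strip_literals(sql):
    """Blank out string literals so keywords inside data are not matched."""
    return _STRING_LITERAL.sub("''", sql)


def parse_general_log(text):
    """Yield (connection_id, command, argument) for each general-log line."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 3:
            continue
        head = parts[1].strip().split(None, 1)
        if len(head) != 2 or not head[0].isdigit():
            continue
        yield int(head[0]), head[1], parts[2]


def find_file_priv_statements(text):
    """Return [(connection_id, label, query)] for every Query using a FILE-priv construct."""
    findings = []
    for conn_id, command, query in parse_general_log(text):
        if command != "Query":
            continue
        cleaned = strip_literals(query)
        for label, pattern in FILE_PRIV_PATTERNS.items():
            if pattern.search(cleaned):
                findings.append((conn_id, label, query))
    return findings
```

A hit from an application account is a strong signal, since a web application normally has no reason to hold FILE at all; the same scan applies to any captured query stream, not only the general log.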