31 July 2008

Shock! Horror! Not!

This looks bad:

Open source software names such as Joomla!, Drupal, WordPress and Linux are now alongside large proprietary software firms including IBM, Microsoft, Apple, Sun, Cisco, and Oracle in the IBM Internet Security Systems ‘Midyear Trend Statistics’ report.

But wait, there's more:

It is the first time that community-developed open source software such as the Drupal and Joomla! content-management software packages for the web also showed up on the list. Tom Cross, X-Force researcher at IBM ISS, said Drupal and Joomla! are open source packages that "have both been vulnerable to SQL injection attacks".

Er, this would be Microsoft SQL Server injection attacks, running on Windows, yes? And that's an open source vulnerability? I think not....

5 comments:

Tom Cross said...

First, nearly all database products support SQL, not just Microsoft's SQL server. This includes Open Source databases like MySQL and PostgreSQL. SQL injection is an attack that could be performed against any database and web application that supports SQL.

In this case, both Drupal and Joomla have had SQL injection vulnerabilities in the past few months. Those vulnerabilities are bugs in the Drupal and Joomla code, which both projects have done a good job patching quickly. The fact that they show up on this list means that people are paying attention to their security flaws and attempting to fix them, which is as much a sign of their success as an indication of failure.
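To illustrate the point made in the comment above (that SQL injection is a bug in how an application builds its query, not a property of any one database vendor), here is an added example that is not part of the original post, the IBM ISS report, or the Drupal or Joomla code bases. It uses Python's built-in sqlite3 module against an in-memory SQLite database (an open source engine, chosen so the example runs offline with no server); the `users` table, its two rows and the `login_*` function names are constructed for this illustration only. The same string-concatenation mistake behaves the same way on MySQL, PostgreSQL or SQL Server.

```python
import sqlite3


def make_db():
    """Build a constructed sample database: two users in an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Vulnerable pattern: user input is pasted straight into the SQL text.

    The database engine cannot tell where the developer's query ends and the
    attacker's input begins, so quotes and comment markers in the input are
    parsed as SQL. Returns the list of user names the query matched.
    """
    sql = (
        "SELECT name FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_safe(conn, name, password):
    """Hardened pattern: bound parameters.

    The SQL text is fixed; the values travel separately and are never parsed
    as SQL, so quotes or comment markers in the input are just characters.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password)).fetchall()]


if __name__ == "__main__":
    db = make_db()
    # Comment out the password check: "alice' --" turns the rest of the
    # WHERE clause into an SQL comment.
    print(login_vulnerable(db, "alice' --", "wrong"))          # ['alice']
    # Classic tautology in the password field: matches every row.
    print(login_vulnerable(db, "nobody", "' OR '1'='1"))       # ['alice', 'bob']
    # Same payloads against the parameterised query: no match.
    print(login_safe(db, "alice' --", "wrong"))                # []
    print(login_safe(db, "nobody", "' OR '1'='1"))             # []
    print(login_safe(db, "alice", "s3cret"))                   # ['alice']
```

The two payloads are the ones most injection scanners try first, and neither depends on anything specific to SQLite: `--` line comments and `'1'='1'` are standard SQL. The fix is likewise portable; every mainstream driver, including the MySQL and PostgreSQL drivers Drupal and Joomla sit on, supports bound parameters.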

glyn moody said...

Thanks for the correction. I did wonder whether this might be the case when I read the report, but it wasn't clear.

Maybe we need another way of describing this, since I tend to associate SQL injection attacks with Microsoft, probably because of things like this:

http://www.pcworld.com/businesscenter/article/146048/mass_sql_injection_attack_targets_chinese_web_sites.html

glyn moody said...

Whoops, that URL is truncated.

Maybe this will work....

Roy Schestowitz said...

Yeah, 500,000 Windows sites were defaced some months ago though. SQL Server -- all injections.

glyn moody said...

Indeed: I immediately associate SQL injections with SQL Server.