RE: Looking for SQL security details

From: Guillaume Lavoix (glavoix_at_altadis.com)
Date: 02/09/04

    To: ssgill@gilltechnologies.com
    Date: Mon, 9 Feb 2004 17:06:54 +0100

    Hi

    I advise you to go to the famous and great page:

    http://www.sans.org/top20/#w2

    It's specifically about MS SQL, but you'll get some general SQL information too.

    For the rest:

    http://www.SQLsecurity.com/forum/applicationslistgridall.aspx

    With, of course, the main page where you get all that you need:

    http://www.SQLsecurity.com/

    Sincerely,
    Guillaume

    -----Original Message-----
    From: Sarbjit Singh Gill [mailto:ssgill@gilltechnologies.com]
    Sent: Sunday, 08 February 2004 16:25
    To: focus-ms@securityfocus.com
    Subject: Looking for SQL security details

    Greetings

    I am preparing for a "10 Steps To Help Secure SQL Server 2000" presentation.
    I would have to carry out demos of vulnerabilities, hacks and break-ins. All I
    have are Microsoft Security Guides. They aren't efficient enough for
    full-blown demos.

    Please advise me on how I should begin.

    Regards
    Gill


