On Sun, Apr 19, 2009 at 5:57 PM, Gary Browne <[email protected]> wrote:
> Hi all,
>
> We've been getting errors on these suspicious-looking URLs. I don't know
> much about SQL injection but could this be what's being attempted here?

Sure looks like it to me! I'm not quite sure what they're trying to accomplish there, except that varchar(8000) looks awfully big -- trying for an overflow?

> If so, what is the likelihood of success and what can we do to safeguard
> against such attacks (if it is, indeed, an attack).

Well, I'm not a dev or a security expert, so take my opinion with a heaping teaspoon of salt, but I believe that all DSpace database requests go through a layer that (among other things) sanitizes inputs. This ought to make SQL injection pretty difficult, though I'm not prepared to say "impossible."

The browse system in DSpace is pretty obtuse as well; if it doesn't get precisely the input it expects, it blows up, as you've seen. (I have an amusing bug story related to the obtuseness of the browse system around version 1.4.1 or thereabouts, but I'll spare you! The bug has been fixed since then.)

Another minimal safeguard may be that DSpace doesn't run on MySQL, which is what most injection attempts target. Minor differences in syntax may or may not afford additional protection. (I've never had to use DECLARE, but a cursory glance through documentation indicates that PostgreSQL syntax for it isn't the same as MySQL, so I don't think the above attack would ever work on a PostgreSQL application.)

Dorothea

--
Dorothea Salo [email protected]
Digital Repository Librarian AIM: mindsatuw
University of Wisconsin
Rm 218, Memorial Library (608) 262-5493

_______________________________________________
DSpace-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-tech
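The two points in the reply above, that a query layer which keeps request input separate from SQL text is the real safeguard, and that a URL carrying `DECLARE ... varchar(8000)` is worth flagging in the access logs, are illustrated below in an added example. This is not code from the thread or from DSpace: it uses an in-memory SQLite table with constructed rows in place of DSpace's PostgreSQL schema, and the `item`/`title`/`withdrawn` column names, the `/browse` request paths and the `looks_like_sql_injection` heuristic are all assumptions made for the illustration.

```python
import re
import sqlite3
from urllib.parse import unquote_plus


def make_db():
    """Constructed sample data standing in for a repository's item table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE item (item_id INTEGER PRIMARY KEY, title TEXT, withdrawn INTEGER)"
    )
    conn.executemany(
        "INSERT INTO item(title, withdrawn) VALUES (?, ?)",
        [("Public report", 0), ("Withdrawn thesis", 1)],
    )
    return conn


def browse_concat(conn, title):
    """Vulnerable form: the request value is pasted into the SQL text, so a quote
    in the value changes the statement itself (here, it defeats the withdrawn filter)."""
    sql = f"SELECT title FROM item WHERE withdrawn = 0 AND title = '{title}'"
    return [row[0] for row in conn.execute(sql)]


def browse_param(conn, title):
    """Hardened form: a bound parameter keeps the value as data, whatever characters
    it contains. This is the kind of layer the reply describes."""
    sql = "SELECT title FROM item WHERE withdrawn = 0 AND title = ?"
    return [row[0] for row in conn.execute(sql, (title,))]


# Heuristic for log review (an assumption, not a DSpace feature): a request path
# whose decoded query carries a DECLARE together with a varchar(N) declaration,
# the shape mentioned in the thread, is not something a browse page ever needs.
INJECTION_HINTS = re.compile(r"\bDECLARE\b.*\bvarchar\s*\(\s*\d+\s*\)", re.IGNORECASE | re.DOTALL)


def looks_like_sql_injection(request_path: str) -> bool:
    """Return True when a logged request path looks like a DECLARE/varchar injection attempt."""
    decoded = unquote_plus(request_path)
    decoded = unquote_plus(decoded)  # decode once more in case the payload was encoded twice
    return bool(INJECTION_HINTS.search(decoded))


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"  # constructed test value, not taken from the reported URLs
    print("concatenated:", browse_concat(conn, payload))   # leaks the withdrawn item
    print("parameterised:", browse_param(conn, payload))   # returns nothing, as it should
    for path in (
        "/browse?type=title&value=%3BDECLARE%20%40s%20varchar%288000%29",  # constructed
        "/browse?type=title&value=Public%20report",                         # constructed
    ):
        print(path, "->", "suspicious" if looks_like_sql_injection(path) else "ok")
```

The concatenated query returns the withdrawn row because the value rewrites the `WHERE` clause, while the parameterised query treats the same string as a title that simply does not exist. The log heuristic is deliberately narrow; it is a triage aid for spotting the pattern in the thread, not a substitute for parameterised queries.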

