SQL Injection - Preventive Measures

THIS ARTICLE APPLIES TO:

Knowledgebase all versions

ISSUE DESCRIPTION:

Measures to prevent SQL Injection

ROOT CAUSE:

SOLUTION OR WORK AROUND:

This document provides a few recommendations to prevent SQL injection from occurring.

 

We recommend three steps to prevent SQL injection:

- Install and configure the UrlScan Security Tool.

- Revoke the grant for the kbadmin user on sysobjects and syscolumns.

- Modify the article.asp* file.

 

Install and configure UrlScan Security Tool:

 

The Microsoft article below provides detailed information on how to use the UrlScan Security Tool.

 

http://technet.microsoft.com/en-us/security/cc242650.aspx

 

Please download and install the tool. After installing, the values in the UrlScan.ini file need to be modified. The UrlScan.ini file is located in the C:\Windows\system32\inetsrv\urlscan folder.

 

Open UrlScan.ini in Notepad.

 

1. In the file, under "RequestLimits", look for "MaxQueryString". The default value of "MaxQueryString" is 2048. It needs to be modified to 1024.

2. If your KB version is 7.0.x, then remove ".asp" under "DenyExtensions".

3. Now, reset IIS.
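The two settings touched by the steps above, shown as an illustrative UrlScan.ini fragment. This fragment is an added example rather than the file shipped with the tool; it shows only the [RequestLimits] and [DenyExtensions] sections, and every other setting in the real file is left as installed.

```ini
; Illustrative UrlScan.ini fragment (added example, not the file shipped with UrlScan).
; Only the two sections the steps above change are shown.

[RequestLimits]
; Shipped default is 2048. Lowering it to 1024 makes UrlScan reject oversized
; query strings before they reach article.asp.
MaxQueryString=1024

[DenyExtensions]
; Each line here is an extension UrlScan refuses to serve.
; For Knowledgebase 7.0.x the ".asp" entry must NOT be present, otherwise
; article.asp itself is blocked. The line below is shown commented out,
; which is equivalent to removing it.
; .asp
; ... remaining entries left exactly as installed ...
```

After saving the file, reset IIS (step 3) so the new limits take effect; requests with a query string longer than 1024 bytes are then rejected by UrlScan and never reach the ASP page.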

 

Revoke the grant for the kbadmin user on SysObjects and SysColumns.

 

Revoking the select permissions of the kbadmin user on SysObjects and SysColumns, and also denying Public execute permission on SP_Help, prevents an intruder from obtaining information on the DB schema for Moxie Software KnowledgeBase. The steps to deny and grant the permissions are provided below:

 

To revoke the permissions:

USE ECRMKB
DENY SELECT ON SysColumns TO KBAdmin
GO

USE ECRMKB
DENY SELECT ON SysObjects TO KBAdmin
GO

USE MASTER
DENY EXECUTE ON SP_Help TO Public
GO

 

Important: Whenever you upgrade the product to a new version or when you apply a hotfix, you will need to grant permissions before starting the upgrade process.

 

To grant the permissions:

USE ECRMKB
GRANT SELECT ON SysColumns TO KBAdmin
GO

USE ECRMKB
GRANT SELECT ON SysObjects TO KBAdmin
GO

USE MASTER
GRANT EXECUTE ON SP_Help TO Public
GO

 

Modify the article.asp/article.aspx file.

 

Modify the article.asp* page located in [KBData]\articlesPublished\ClientID\KBID, where

 

[KBData] = the folder where the Knowledgebase content resides on the file system,

ClientID = 12 for on-premise deployments, and

KBID = the ID of each Knowledgebase created for that ClientID (e.g. [KBData]\articlespublished\12\1, [KBData]\articlespublished\12\2, etc.).

 

Open the article.asp* file and include the following lines at the beginning of its content. Save and close the file. You may have to do this for each article.asp* file located in the KBID folders.


<%
' Stop processing if "aid" is supplied but is not numeric, so a crafted
' value never reaches the SQL that looks the article up.
' Request.QueryString("aid") is an empty string when the parameter is absent.
If Len(Request.QueryString("aid")) > 0 Then
    If Not IsNumeric(Request.QueryString("aid")) Then Response.End
End If
%>

 

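The gate above only stops non-numeric values; the value still has to be used safely once it passes. The following classic ASP page is an added example written for this article and is not Moxie's article.asp: it tightens the check to a plain run of digits (VBScript's IsNumeric also accepts forms such as "1e3", "&H1F" and "1,000"), converts the value to a Long, and then passes it to SQL Server only as a typed ADO parameter rather than by string concatenation. The connection string stored in Application("KBConnectionString") and the Articles table with its ArticleID and Title columns are assumptions for illustration.

```vbscript
<%
Option Explicit
' Added example, not the product's article.asp. Assumed names: the
' Application("KBConnectionString") entry and the Articles(ArticleID, Title) table.

' Return "aid" as a Long, or end the request with 400 if it is missing or
' not a plain run of decimal digits.
Function GetArticleId()
    Dim raw, re
    raw = Request.QueryString("aid")
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"          ' digits only; no sign, exponent, hex or separators
    If Len(raw) = 0 Or Not re.Test(raw) Then
        Response.Status = "400 Bad Request"
        Response.End
    End If
    GetArticleId = CLng(raw)
End Function

Dim articleId, conn, cmd, rs
articleId = GetArticleId()

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("KBConnectionString")

' The pattern this replaces builds SQL text from the raw query string and is
' exactly what the validation above and the permissions in this article defend:
'   conn.Execute "SELECT Title FROM Articles WHERE ArticleID = " & Request.QueryString("aid")

' Parameterized lookup: the value travels as an integer parameter, never as SQL text.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT Title FROM Articles WHERE ArticleID = ?"
cmd.CommandType = 1                                  ' adCmdText
cmd.Parameters.Append cmd.CreateParameter("aid", 3, 1, , articleId) ' adInteger, adParamInput

Set rs = cmd.Execute
If Not rs.EOF Then
    ' Encode on output so article content cannot inject markup either.
    Response.Write Server.HTMLEncode(rs("Title"))
End If
rs.Close
conn.Close
%>
```

Option Explicit must be the first statement in the page, which is why the whole example sits in a single script block. Even with the parameter in place, the DENY statements earlier in this article still matter: they limit what the kbadmin login can learn about the schema if any other page in the site still concatenates input into SQL.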

AFFECTED SYSTEMS & USERS:

ADDITIONAL INFORMATION:

ESCALATION PROCEDURE:

If you have additional questions, please contact our Support team at 877-373-7848 (option 2) or via email at cimsupport@moxiesoft.com.