Hi All,
My SQL server got hacked 2 times. Using SSL is not an option in my
company now. I got 2 days to encrypt the SQL connection. How do I encrypt the
connection string?
Connection string is as follows.
strcon="Driver=SQL Server;Server=test;UID=uid;PWD=pwd;Database=test;DSN=\\test\C$\test.dsn"

I am willing to change anything in the SQL server too. But I don't have
access to Webserver. I know some application is reading the password from the
ASP page
and logging into the system.

Please help. It is very urgent and I am kind of panicking now.

SMV

Re: Encrypt the SQL connection string in ASP Page using VB Script by Bob

Bob
Fri Mar 07 11:00:08 CST 2008

SMV wrote:
> Hi All,
> My SQL server got hacked 2 times. Using SSL is not an option in my
> company now. I got 2 days to encrypt the SQL connection. How do I
> encrypt the connection string?
> Connection string is as follows.
> strcon="Driver=SQL Server;Server=test;UID=uid;PWD=pwd;Database=test;DSN=\\test\C$\test.dsn"
>
> I am willing to change anything in the SQL server too. But I don't have
> access to Webserver. I know some application is reading the password
> from the ASP page
> and logging into the system.
>
> Please help. It is very urgent and I am kind of panicking now.
>
I've never done it so all I can offer is this:
http://www.google.com/search?sourceid=navclient&aq=t&ie=UTF-8&rls=GGLD,GGLD:2003-36,GGLD:en&q=vbscript+encryption

That said, I find it doubtful that an "application" without physical
access to the machine could read information from an asp page, unless
you've incorrectly configured your web server to serve .asp pages rather
than sending them to asp.dll to be processed.

Are you sure you haven't been the victim of a SQL Injection exploit? If
you have, you can encrypt your connection string all you want and you
will still be vulnerable. Here are some links:
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/advanced_sql_injection.pdf
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf

You should consider continuing this conversation if necessary over at
.inetserver.asp.general

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.



Re: Encrypt the SQL connection string in ASP Page using VB Script by SMV

SMV
Fri Mar 07 12:49:00 CST 2008

Thanks for the information about Encryption.
Looks like it is a SQL injection.
What are the steps I need to do to prevent the SQL injection? Thanks.


Re: Encrypt the SQL connection string in ASP Page using VB Script by Bob

Bob
Fri Mar 07 12:58:32 CST 2008

Prevention is covered in the links I provided.
Essentially, it's a multi-step approach:
1. Do not trust user inputs. Validate all user inputs in server-side
code.
2. Do not use dynamic sql (concatenation) to incorporate user inputs
into your sql statements - use parameters instead.

SMV wrote:
> Thanks for the information about Encryption.
> Looks like it is a SQL injection.
> What are the steps I need to do to prevent the SQL injection? Thanks.

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
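
The two steps from the reply above (server-side validation, then parameters instead of concatenation), as an added classic ASP/VBScript example that is not part of the original thread. The `Orders` table, its columns and the `id`/`name` request fields are hypothetical; `strcon` reuses the placeholder values from the question.

```vbscript
<%
Option Explicit
' ADO constants (values from adovbs.inc), declared so the page is self-contained.
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarChar = 200

' Step 1: server-side validation. True only for a 1-9 digit numeric id.
Function IsValidId(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    IsValidId = re.Test(s)
End Function

Dim strcon, rawId, rawName, conn, cmd, rs
strcon = "Driver={SQL Server};Server=test;UID=uid;PWD=pwd;Database=test" ' placeholder values
rawId = Request.QueryString("id") & ""          ' hypothetical request field
rawName = Left(Request.Form("name") & "", 50)   ' hypothetical request field

If Not IsValidId(rawId) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open strcon

' Pattern to remove (dynamic SQL built by concatenation):
'   conn.Execute("SELECT ... WHERE CustomerName = '" & rawName & "'")

' Step 2: the statement text is fixed; user input travels only as typed parameters.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT OrderId, Total FROM Orders WHERE CustomerId = ? AND CustomerName = ?"
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , CLng(rawId))
cmd.Parameters.Append cmd.CreateParameter("@name", adVarChar, adParamInput, 50, rawName)
Set rs = cmd.Execute

Do Until rs.EOF
    ' Encode on output so stored values are not rendered as markup.
    Response.Write Server.HTMLEncode(rs("OrderId") & ": " & rs("Total")) & "<br>"
    rs.MoveNext
Loop
rs.Close : conn.Close
%>
```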