SQL Injection ready-to-publish

SophosLabs have been tracking the recent spate of SQL Injections (1, 2 ..) and this weekend noticed a worrying trend. While investigating an occurrence of Mal/Badsrc-C on a news site I noticed that most of the affected pages contained content from a news syndication service.


After some more digging on Google I found other news sites with content from the same news syndication group also affected by an SQL Injection.


What is happening here? Is the news agency (Agence France Presse) supplying news containing SQL injections?

It doesn’t look like Agence France Presse (AFP) is supplying news affected by Mal/Badrsc-C. If they were we would be seeing a higher volume of news sites infected. Looking on the AFP website at what they do provide.


A ‘ready-to-publish Microsoft “.Net”‘ suggests that to syndicate this feed you must be using an MS ASP/SQL backend. Poor coding in this environment can leave a site susceptible to an SQL injection. What I believe to have happened is that the news sites have setup a machine to syndicate news from the AFP and forgotten about it. Thus, leaving themselves open to an SQL injection.

SophosLabs published a blog last month on Avoiding SQL injection attacks and anybody syndicating content should read it.