Malware? - Bodyartforms

Malware?

Last post 10-29-2009 1:26 PM by bodyartforms. 22 replies.
  • 10-28-2009 7:31 PM In reply to

    Re: Malware?

    My computer keeps telling me that something is wrong with the site.
    nosce te ipsum
  • 10-28-2009 8:21 PM In reply to

    Re: Malware?

     Scripts got inserted into our database AGAIN.

     To be honest, I don't know how much more of this I can take... this will be the 3rd time in a week and no matter how much I do.. it doesn't seem to solve the issue.

    Back to work... Website will be down until further notice.

    Bodyartforms CEO & internet junkie
  • 10-29-2009 1:01 AM In reply to

    • Rodger
    • Top 150 Contributor
    • Joined on 05-20-2009
    • Canberra, Aus
    • Posts 560

    Re: Malware?

     Mum's business website had a few attacks like this recently too, people adding little scripts to the ends of pages... We ended up changing ISPs because the one we were with didn't even bother changing the password for us to try stop them... They didn't even seem that concerned that their servers had been compromised!

    If you can get your ISP to change your account password maybe try something like a password from this site... That's as secure as a password can be, so unless they somehow don't need to guess the password, it will stop em I hope...

    2g lobes, 2g conches, 6g septum, 8g labret, 12g left tragus, 14g right tragus, 14g right eyebrow, 10g 'halfadravya'

    One day: 1/2" lobes, 0g conches, 12g right tragus... maybe more

    IAM: rodger
    "Rodger has great eyelashes." - rat
    jesskaface: i fart a *lot*
    "A plug is an item of jewelry made to fit stretched ears and comes in a variety of gauges." - Jessamine
    Itty Bitty Plug Committee - token large gauger :P
    Wishlist!
  • 10-29-2009 2:28 AM In reply to

    Re: Malware?

    I'm pulling a late night tonight recoding many of the pages to be MUCH more secure so these scripts can't be inserted into our database. I do have a feeling that this won't happen after I do this. Plus we have access to our own database and I'm having a few new securities added there as well.

    It'll take a couple of days to work it all out, but I'm slowly plowing through it. I have 55 pages to recode at this point :( And probably half of them are very complex ... taking up to 1 hour each.

    I'm really sorry for the trouble... please bear with us. I feel very confident after the site is back online that we won't see this happen again.

    Bodyartforms CEO & internet junkie
  • 10-29-2009 3:26 AM In reply to

    Re: Malware?

     Good luck getting everything straightened out. My bank account will be waiting for you!  Going to nab something off my wishlist as soon as the site is back up.  GODSPEED 2 YA

    1/2 lobes
    4g punched helixes (helices?)
  • 10-29-2009 4:27 AM In reply to

    Re: Malware?

    laaaaaaame. on one hand, I'm glad to know they're only inserting, instead of removing information. on the other hand it makes me even more annoyed since it's not like whoever is doing this is getting anything out of it, other than pissing off a bunch of people and giving some people headaches. ::sigh::

    anyways. there's a pair of hangies in my wishlist that are calling my name, so I'll be keeping an eye out for when the site gets back up again. good luck, and I hope everyone who has had to pull long hours this week at BAF has a relaxing and fun halloween weekend. : )

    ---------------------------
    8g lobes (6g goal size)
    8g right conch
    right nostril
    bunny tattoos! : D
  • 10-29-2009 12:15 PM In reply to

    Re: Malware?

    Hey... It seems the big security holes have been abused.

    If you need some help finding and fixing them, I would help you out (btw I was also emailing you about those security issues).

    Mostly the site wasn't protected for simple XSS attacks.. Seems like SQL Injection was possible as well.. So you haven't validated and sanitised the user's input and the GETs and POSTs.

    If you need some help, let me know (xxxfanta@googlemail.com).

    Hope the site will be fine soon.. Need some jewelry for Christmas ^^


    Greetz,
    FaNtA

  • 10-29-2009 1:26 PM In reply to

    Re: Malware?

    xxxfanta:

    Hey... It seems the big security holes have been abused.

    If you need some help finding and fixing them, I would help you out (btw I was also emailing you about those security issues).

    Mostly the site wasn't protected for simple XSS attacks.. Seems like SQL Injection was possible as well.. So you haven't validated and sanitised the user's input and the GETs and POSTs.

    If you need some help, let me know (xxxfanta@googlemail.com).

    Hope the site will be fine soon.. Need some jewelry for Christmas ^^


    Greetz,
    FaNtA

     

    Can you PM me? Even though much of the information was sanitized the problem was InLine SQL. I'm in the process of converting all pages to use Stored Procedures :/ FUN FUN 

    This should solve the issue... but if you have anything else to add.. lemme know ;)

    Bodyartforms CEO & internet junkie
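
An added example (not from the thread or from the site's code) of the difference the last post describes between inline SQL and keeping user data out of the statement text, plus the output encoding relevant to the XSS point raised earlier. It uses Python's sqlite3 with parameterized queries standing in for parameterized stored procedures; the tables, function names and crafted input are constructed for illustration.

```python
import html
import sqlite3

# Constructed input: a review body that closes the string literal and
# appends a second statement (placeholder host, not from the thread).
CRAFTED = ("ok'); UPDATE products SET title = title || "
           "'<script src=\"//example.invalid/x.js\"></script>'; --")

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, title TEXT);"
        "CREATE TABLE reviews (product_id INTEGER, body TEXT);"
        "INSERT INTO products VALUES (1, 'Steel plug');"
    )
    return db

def add_review_inline(db, product_id, body):
    # Inline SQL: the value becomes part of the statement text.
    # executescript() runs every statement in the string, like a batch.
    db.executescript(
        "INSERT INTO reviews VALUES (%d, '%s');" % (product_id, body))

def add_review_param(db, product_id, body):
    # Parameterized: the driver passes the value separately from the SQL,
    # so quotes and semicolons in it are stored as plain data.
    db.execute("INSERT INTO reviews VALUES (?, ?)", (product_id, body))
    db.commit()

def title(db):
    return db.execute("SELECT title FROM products WHERE id = 1").fetchone()[0]

def render_review(body):
    # Encode on output so stored markup is displayed, not executed.
    return "<p>%s</p>" % html.escape(body)

def demo():
    inline_db, param_db = make_db(), make_db()
    add_review_inline(inline_db, 1, CRAFTED)
    add_review_param(param_db, 1, CRAFTED)
    stored = param_db.execute("SELECT body FROM reviews").fetchone()[0]
    return title(inline_db), title(param_db), stored

if __name__ == "__main__":
    for value in demo():
        print(value)
```

A stored procedure gives the same protection only when it receives the values as parameters and does not build SQL strings from them internally.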