LizaMoon mass SQL injection continues to spread

A new large-scale SQL injection exploit has been making the rounds for the past few days, and we are starting to see it show up on a small number of customer sites.

If a site visitor has complained that they received a security warning when visiting your site, you may have been affected by the LizaMoon SQL injection. This websense article goes into the details of the exploit.

Has your site been compromised?

The LizaMoon SQL injection inserts the following line into the code on a page (or pages) of your site:


Note that the domain name may be different, but the URL will always point to the ur.php file. You can search your site files and database for ur.php to see if you are affected by this exploit.

You can also check Google’s Safe Browsing advisory to see if any problems have been detected with your site:

http://google.com/safebrowsing/diagnostic?site=YourHostedDomainName.com

It is not yet known which application or applications are being targeted by the current exploit, so if you use any third party applications you may want to confirm with the application’s authors that they are not vulnerable to SQL injection.

What the hell is SQL injection anyway?

In a nutshell, SQL injection is a method used to run queries on a site’s database through an insecure web application. Any web application that accepts user input is susceptible to SQL injection if that user input is not “sanitized,” or filtered to remove certain characters. If you do not sanitize or check user input, SQL commands can be run by entering malicious data into a user input field and sending it to the database.

It’s important to stress that SQL injection does not exploit a vulnerability in the SQL server itself, but rather in a web application.

Sanitizing user input will protect you from any SQL injection, so it’s definitely worth double checking your own code, and pestering the authors of third party code to let them know that security is important to you.

2 thoughts on “LizaMoon mass SQL injection continues to spread

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.