WHID 2008-53: "SQL by Design" leaks Thousands of SSNs at an Oklahoma Gov site
Alex Papadimoulis hits again with a report on information leakage from Oklahoma's Department of Corrections web site. The detailed report is very interesting and highlights one of the worst types of SQL injection out there: remote SQL by design.
Remote SQL by design, whether counted as a distinct form of SQL injection or just a close sibling of it, is a vulnerability in which the web application accepts SQL statements from the client in the normal course of operation. The SQL statement might be carried in a hidden form field, or generated on the fly by a client-side script. In any case, it is extremely difficult to prevent a user from altering the SQL statement in such applications, which makes them highly vulnerable.
To see for yourself how common this vulnerability is, just Google for SELECT, FROM and WHERE in the URL. Amazing.
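The following is an added example, not code from the Oklahoma site or from the original report. It shows the "SQL by design" pattern described above (the client supplies the whole statement in a request field) next to the usual fix (the server keeps a catalogue of named, parameterised queries and the client only names one and supplies bound values), and a small check for the SELECT/FROM/WHERE-in-the-URL signature mentioned in the last paragraph, which a reviewer or WAF rule can run over request logs. The table, column and parameter names (`offenders`, `sql`, `q`, `id`, `name`) and the URLs are constructed for the example; the rows are constructed sample data, not real records.

```python
"""Added example: "SQL by design" versus a server-side query catalogue.

Not code from the Oklahoma site or from the original report.  Uses an
in-memory SQLite table with constructed sample rows.
"""
import re
import sqlite3
from urllib.parse import parse_qs, unquote_plus, urlsplit


def make_db():
    """Constructed sample table standing in for the application's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE offenders (id INTEGER, name TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO offenders VALUES (?, ?, ?)",
        [(1, "A. Example", "000-00-0001"),   # constructed, not real SSNs
         (2, "B. Example", "000-00-0002")],
    )
    return conn


def params_of(url):
    """Parse the query string of a request URL into {name: [values]}."""
    return parse_qs(urlsplit(url).query)


# --- Vulnerable pattern: the client supplies the whole statement -----------
def vulnerable_search(conn, params):
    """Executes whatever SQL arrives in the 'sql' field.  The field was meant
    to be filled by the page's own hidden field or client script, but nothing
    stops a user from replacing it with a statement of their own choosing."""
    sql = params["sql"][0]
    return conn.execute(sql).fetchall()


# --- Hardened pattern: server-side catalogue of named, parameterised queries --
QUERIES = {
    # query name -> (fixed SQL text, names of the request fields bound to '?')
    "by_id": ("SELECT id, name FROM offenders WHERE id = ?", ("id",)),
    "by_name": ("SELECT id, name FROM offenders WHERE name LIKE ?", ("name",)),
}


def hardened_search(conn, params):
    """The client chooses a query by name and supplies only bound values.
    Column list and WHERE clause are fixed on the server, so a request cannot
    widen the result set to columns (such as ssn) the page never exposes."""
    qname = params.get("q", [""])[0]
    if qname not in QUERIES:
        raise ValueError("unknown query name: %r" % qname)
    sql, arg_names = QUERIES[qname]
    args = tuple(params[a][0] for a in arg_names)  # KeyError if a value is missing
    return conn.execute(sql, args).fetchall()


# --- Detection: flag requests that carry a SQL statement in the URL --------
SQL_IN_URL = re.compile(r"\bSELECT\b.*\bFROM\b", re.IGNORECASE)


def url_carries_sql(url):
    """True when the decoded query string looks like a SQL statement, i.e. the
    SELECT ... FROM ... (WHERE ...) shape the post says turns up in URLs."""
    return bool(SQL_IN_URL.search(unquote_plus(urlsplit(url).query)))


if __name__ == "__main__":
    db = make_db()
    intended = "http://example.invalid/search?sql=SELECT+id,name+FROM+offenders+WHERE+id=1"
    tampered = "http://example.invalid/search?sql=SELECT+ssn+FROM+offenders"
    print("by design, intended :", vulnerable_search(db, params_of(intended)))
    print("by design, tampered :", vulnerable_search(db, params_of(tampered)))
    print("hardened            :",
          hardened_search(db, params_of("http://example.invalid/search?q=by_id&id=1")))
    for u in (intended, tampered, "http://example.invalid/search?q=by_id&id=1"):
        print("SQL in URL?", url_carries_sql(u), u)
```

The point of the hardened version is not input filtering: the request never contains SQL at all, only a query name and values that are bound with `?` placeholders, so there is nothing for a user to alter. The `url_carries_sql` check is the defensive counterpart of the Google search in the last paragraph; running it over an access log is a quick way to find out whether your own applications ship SQL to the browser.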