"There’s been a lot of noise and violent thrashing over the last couple days regarding a flaw that was originally believed to be a flaw in Microsoft’s IIS (Internet Information Server), but has since been pointed out as simply a well thought out SQL Injection attack.

For those of you who aren’t familiar with SQL Injection attacks, it’s a pretty well known web application attack vector that exists in high volume on dynamic applications, say for instance, on your banking site. SQL Injection allows an attacker to subvert the logic of the currently running SQL query in order to interact with data more interesting to the attacker, bypass authentication/authorization, or run arbitrary commands on the operating system of the database server. "

Article Link: http://blogs.zdnet.com/security/?p=1059