aleksl - 11:38 pm on Jun 11, 2010 (gmt 0)

Vamm, there's no "list of affected software". It is a SQL injection, and your software either has an issue, or not. The problem is every form and every dynamic parameter that is used on a page can be a vulnerability. And even if you had software that was tested, and added modifications, you may have introduced a vulnerability yourself.

If you are affected:

The quick-and-dirty way to protect yourself is deny all permissions on Sys* database tables (and other sys* objects) to SQL server user that is used by your web application.

You may have to modify some queries, such as start doing "Select count(*)" again instead of hitting sys tables to get record counts. Small price to pay for security.