Subject: Re: BID 994, MS00-010 (Site Server Commerce Edition non-validated SQL inputs)
From: Bertrand Schmitt (bertrand.schmitt ARKADIA.COM)
Date: Sat Feb 26 2000 - 10:03:27 CST
- Next message: Darren Reed: "Re: A DDOS defeating technique based on routing"
- Previous message: Jeff Stevens: "TrendMicro OfficeScan tmlisten.exe DoS"
- Next in thread: Jefferson Ogata: "Re: BID 994,MS00-010 (Site Server Commerce Edition non-validated SQL inputs)"
- Next in thread: Smith, Eric V.: "Re: BID 994, MS00-010 (Site Server Commerce Edition non-validated SQL inputs)"
- Maybe reply: Bertrand Schmitt: "Re: BID 994, MS00-010 (Site Server Commerce Edition non-validated SQL inputs)"
- Reply: Jefferson Ogata: "Re: BID 994,MS00-010 (Site Server Commerce Edition non-validated SQL inputs)"
If you use stored procedure calls in your ASP pages this can't
happen!! Manually creating SQL statements within ASP is poor design:
not as efficient and secure as storing them in your database server
(as stored procedures) and making a call to them, not to mention
coding properly: do you reuse these pieces of code?!
Within product.asp dept_id is picked up and used to construct a SQL
statement.
"select a,b,c,d,e,f,g from table where dept_id = " & Request("Dept_ID")
Further down the page a, b, c, d, e, f and g are response.writed to the
page.
Think about what happens if the URL above is modified to
http://hostname/product.asp?dept_id=100000 union select
credit_card_number,null,null,null,null,null, null from Credit_Card_table
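The following is an added example, not code from the thread or from Site Server; it reproduces the two approaches discussed above in Python with an in-memory SQLite database so the difference can be observed. The schema, table contents and card numbers are constructed dummy values. `product_concat` mirrors the ASP page's concatenation of `Request("Dept_ID")` into the statement text, so the union payload quoted above pulls rows out of `Credit_Card_table`; `product_param` passes `dept_id` as a bound parameter (the mechanism a stored-procedure call gives you when it is invoked with parameters rather than by building SQL text), so the same input is rejected before it ever reaches the database.

```python
import sqlite3

# Constructed sample schema mirroring the thread: a product table keyed by
# dept_id with the seven columns the page selects, plus a separate table of
# (dummy) card numbers that the union payload targets.
SCHEMA = """
CREATE TABLE product (
    dept_id INTEGER, a TEXT, b TEXT, c TEXT, d TEXT, e TEXT, f TEXT, g TEXT
);
CREATE TABLE Credit_Card_table (credit_card_number TEXT);
INSERT INTO product VALUES (1, 'widget', 'blue', 'small', '9.99', 'x', 'y', 'z');
INSERT INTO Credit_Card_table VALUES ('4111-EXAMPLE-0001'), ('4111-EXAMPLE-0002');
"""

# The payload exactly as quoted in the thread (one line, whitespace joined).
PAYLOAD = ("100000 union select credit_card_number,null,null,null,null,null,null "
           "from Credit_Card_table")


def open_db() -> sqlite3.Connection:
    """Create and populate an in-memory database with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def product_concat(conn: sqlite3.Connection, dept_id: str) -> list:
    """Vulnerable pattern: the request value is spliced into the SQL text,
    so whatever the client sends becomes part of the statement."""
    sql = "select a,b,c,d,e,f,g from product where dept_id = " + dept_id
    return conn.execute(sql).fetchall()


def product_param(conn: sqlite3.Connection, dept_id: str) -> list:
    """Hardened pattern: validate the type, then bind the value as a parameter.
    The statement text is fixed; the value is never parsed as SQL."""
    if not dept_id.isdigit():
        # Input that is not a plain integer is rejected before any query runs.
        raise ValueError("dept_id must be an integer")
    sql = "select a,b,c,d,e,f,g from product where dept_id = ?"
    return conn.execute(sql, (int(dept_id),)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("concat, normal input :", product_concat(db, "1"))
    print("concat, union payload:", product_concat(db, PAYLOAD))
    print("param, normal input  :", product_param(db, "1"))
    try:
        product_param(db, PAYLOAD)
    except ValueError as exc:
        print("param, union payload : rejected ->", exc)
```

Binding alone already defeats the payload (a bound string is compared as a value and matches no `dept_id`); the `isdigit` check is defence in depth that also gives the page a clean error instead of an empty result set.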