 
From: Kenneth Hoskins (Kenneth.HoskinsWCOM.COM)
Date: Fri Jul 13 2001 - 10:35:46 CDT


    I know this one has probably been covered but I am sending it anyway
    because I have inherited several web sites where I have had to patch this
    hole.

    If in the global.asa or in your ADO connection string you use sa or an
    account with special rights, and you don't filter out the semi-colon, someone
    can do something very damaging to your machine. Even if they are a normal
    user they could probably do something damaging by just guessing. See the
    example below.

    I know that on CERT they recommend only accepting alpha-numeric characters,
    but they also recommend excluding only special characters, of which ; is not
    one. This one is easily reproducible, even though it will only affect
    some people.

    Create this as a form and then put in the User ID field

    999;exec sp_addlogin 'BadUser'

    example Code:

    <%
    ' Variables used below; the original declared lngUserID/lngPassword but
    ' never used them, so the declarations are aligned with the names in use.
    dim strUserID, strSQL, strEmail, strPassword, strSubject, strBody, mailsent
    dim adoConn
    dim adors

    ' Reconstructed guard (assumption): the form posts a hidden field
    ' forgot=1, which is what the trailing "end if" in the original closed.
    if request("forgot") = "1" then
        strUserID = request("txtUserID")
        set adoConn = server.CreateObject("ADODB.Connection")
        set adors = server.CreateObject("ADODB.Recordset")
        adoConn.Open Application("conDOTS_ConnectionString")

        ' Injection point: the raw form value is concatenated into the SQL,
        ' so a value such as  12;exec sp_addlogin 'BadUser'  runs as a second
        ' statement in the same batch (this is the vulnerable code the post
        ' describes and is left as-is on purpose).
        strSQL = "Select * from tblUsers where User_Id = " & strUserID
        adors.Open strSQL, adoConn
        if not adors.EOF then
                strEmail = adors("user_email")
                strPassword = adors("password")
        end if
        adors.Close

        strSubject = "Password Request"
        strBody = "Your Password is:" & strPassword
        ' fun_SendMail is the site's own helper (not shown in the post).
        mailsent = fun_SendMail(strEmail, strEmail, strSubject, strBody)
    end if
    Session.Abandon
    %>
    <html>
    <body>

    <form ACTION="forgotpass.asp" METHOD="POST">
    Please enter your user id:&nbsp;&nbsp;
    <input type="text" name="txtUserID"><br>
    <br>
    <input type="submit" value="Submit">
    <input type="hidden" name="forgot" value="1">
    </form>
    </body>
    </html>

    If someone were to come to this form then they could put in the User ID
    field

    12;exec sp_addlogin 'BadUser'

    and it would execute both commands. Of course, even without administrative
    rights (though it is more difficult and would take guesswork), they can still
    do something potentially damaging, and you should filter out the ; period.

    I apologize if I am wasting your time and this has been covered. I have
    searched and not found anything specific for this problem. My reason for
    sending this is that I have inherited a few sites and they all had local SQL
    Server machines and used sa to sign in. I know this is bad design and I
    don't think it is common knowledge how devastating not filtering out special
    characters is.
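The following is an added example, not code from the post above: it reproduces the forgot-password lookup against a constructed in-memory SQLite database and puts the post's string-concatenation pattern beside a hardened version. The hardened version does what the post recommends (rejects the input if it is not purely numeric, which also drops the semicolon) and additionally binds the value as a query parameter, so the database never parses form input as SQL. Everything here is constructed for the demonstration: the tables, the sample row, the `run_batch` helper (SQLite's `execute` refuses stacked statements, so batch semantics are simulated by splitting on `;`), and `tblLogins`, which stands in for the server logins that `sp_addlogin` would create.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the SQL Server tables behind forgotpass.asp.
    tblUsers is the table the post queries; tblLogins stands in for the logins
    that sp_addlogin would create (sp_addlogin does not exist in SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE tblUsers (User_Id INTEGER PRIMARY KEY, user_email TEXT, password TEXT);
        CREATE TABLE tblLogins (name TEXT);
        INSERT INTO tblUsers VALUES (12, 'user12@example.invalid', 'secret');
        """
    )
    return conn


def run_batch(conn, sql):
    """Simulate SQL Server batch semantics on SQLite: every ';'-separated
    statement in the string is executed, in order. The split is naive (not
    quote-aware) but sufficient for the demo inputs; it exists only so the
    vulnerable path behaves the way the post describes."""
    results = []
    for stmt in sql.split(";"):
        if stmt.strip():
            results.append(conn.execute(stmt).fetchall())
    conn.commit()
    return results


def lookup_email_vulnerable(conn, raw_user_id):
    """Mirrors the post's ASP: the form field is concatenated into the SQL text."""
    sql = "SELECT user_email FROM tblUsers WHERE User_Id = " + raw_user_id
    first = run_batch(conn, sql)[0]          # rows from the first (intended) statement
    return first[0][0] if first else None


# Hypothetical input policy for this demo: a user id is 1 to 9 decimal digits.
USER_ID_RE = re.compile(r"[0-9]{1,9}")


def lookup_email_hardened(conn, raw_user_id):
    """Validate the field as the integer it is meant to be, then bind it as a
    parameter. Validation alone would already drop ';' as the post advises;
    parameter binding makes the query safe even if validation is later relaxed."""
    if not USER_ID_RE.fullmatch(raw_user_id):
        raise ValueError("user id must be numeric")
    row = conn.execute(
        "SELECT user_email FROM tblUsers WHERE User_Id = ?", (int(raw_user_id),)
    ).fetchone()
    return row[0] if row else None


def login_count(conn):
    """Number of logins created as a side effect of the lookup (0 is the goal)."""
    return conn.execute("SELECT COUNT(*) FROM tblLogins").fetchone()[0]


# The post's payload shape, with sp_addlogin replaced by an INSERT into the
# constructed tblLogins table.
PAYLOAD = "12;INSERT INTO tblLogins VALUES ('BadUser')"


def demo():
    """Run both lookups against the payload and report what each one did."""
    vuln = make_db()
    email_v = lookup_email_vulnerable(vuln, PAYLOAD)   # lookup works AND the 2nd statement runs
    hard = make_db()
    try:
        lookup_email_hardened(hard, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_email": email_v,
        "vulnerable_logins_created": login_count(vuln),
        "hardened_rejected": rejected,
        "hardened_logins_created": login_count(hard),
        "hardened_normal_lookup": lookup_email_hardened(hard, "12"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the payload the vulnerable path both returns the real user's address and leaves a new row in `tblLogins`; the hardened path rejects the input before any SQL runs and still serves the legitimate lookup for `12`. Note that the parameterized query is the control that removes the injection; the digit check is defence in depth, not a substitute for it. Mailing the stored password back in clear text, as the original page does, is a separate weakness that neither version addresses.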
