RE: ODBC Injection
From: DAN MORRILL (dan_20407@msn.com)
Date: Wed Nov 30 2005 - 07:16:54 CST
Don't use Access, Access has no security model. Use Oracle or MS SQL or a
database that you can segment everything off to procedures, don't allow
nested triggers, build the e-commerce site so that it calls nothing but
stored procedures, and sanitizes the data at the web page, and at the
stored procedure.
Just my 2 cents.
r/d
Sometimes MSN E-mail will indicate that the message failed to be delivered.
Please resend when you get those, it does not mean that the mail box is bad,
merely that MSN mail is overworked at the time.
>From: "John Cobb" <johnc@nobytes.com>
>To: <webappsec@securityfocus.com>
>Subject: ODBC Injection
>Date: Wed, 30 Nov 2005 11:38:53 -0000
>
>Hello All,
>
>I'm testing an e-commerce app on IIS6 with an M$ Access Database and I have
>found some injection:
>
>http://test.com/test.asp?sIdProduct=1
>
>I get the following error when I insert alpha characters rather than
>numbers.
>I cannot manipulate this much, does anybody have any suggestions?
>
>Eg:
>
>http://test.com/test.asp?sIdProduct=test
>
>
>Database operations error:
>
>ODBC driver does not support the requested properties.
>
>SELECT * FROM Products WHERE idProduct = test
>
>ADODB.Recordset error '800a0e78'
>
>Operation is not allowed when the object is closed.
>
>/test.asp, line 135
>
>Thanks
>
>John Cobb
>www.nobytes.com
>
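The pattern behind John's error, next to the hardened form Dan describes (validate at the web tier, then bind the value as a query parameter), as an added example that is not from the thread. sqlite3 stands in for the Access/ODBC back end, and the Products rows are constructed here.

```python
"""Added example, not from the original thread: the concatenated query that
produces the error in John's post, beside a validated, parameterised lookup.
sqlite3 is a stand-in for the Access/ODBC database; data is constructed."""
import sqlite3


def make_db():
    # Constructed sample data standing in for the shop's Products table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (idProduct INTEGER, name TEXT)")
    conn.executemany("INSERT INTO Products VALUES (?, ?)",
                     [(1, "widget"), (2, "gadget")])
    return conn


def lookup_vulnerable(conn, s_id_product):
    """Mirrors the query shown on the page: the raw sIdProduct value is
    concatenated into the SQL text, so any non-numeric input changes the
    statement itself. For 'test' sqlite raises OperationalError (no such
    column), the analogue of the ADODB error John sees."""
    sql = "SELECT * FROM Products WHERE idProduct = " + s_id_product
    return conn.execute(sql).fetchall()


def parse_product_id(raw):
    """Web-tier check: accept only a positive decimal integer. str.isdigit()
    rejects signs, whitespace and letters, so the value can never alter the
    shape of the SQL statement."""
    if not raw.isdigit():
        raise ValueError("sIdProduct must be a positive integer")
    return int(raw)


def lookup_safe(conn, raw):
    """Hardened form: the validated integer is bound as a query parameter, so
    the driver never interprets it as SQL text (same idea as a stored
    procedure taking a typed argument)."""
    id_product = parse_product_id(raw)
    return conn.execute(
        "SELECT * FROM Products WHERE idProduct = ?", (id_product,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "1"))
    try:
        lookup_safe(db, "test")
    except ValueError as exc:
        print("rejected at the web tier:", exc)
```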