Bugtraq mailing list archives

BID 994, MS00-010 (Site Server Commerce Edition non-validated SQL inputs)


From: bgreenbaum () SECURITYFOCUS COM (Ben Greenbaum)
Date: Fri, 25 Feb 2000 09:11:17 -0800


Forwarded to the list from a contributor who wishes to remain anonymous:

-----Begin Forwarded Message-----
The link from one page to another is

http://hostname/product.asp?dept_id=100

Within product.asp dept_id is picked up and used to construct a SQL
statement.

"select a,b,c,d,e,f,g from table where dept_id = " & Request("Dept_ID")

Further down the page a, b, c, d, e, f and g are response.writed to the
page.

Think about what happens if the URL above is modified to

http://hostname/product.asp?dept_id=100000 union select
credit_card_number,null,null,null,null,null, null from Credit_Card_table

If a bogus dept_id is used the second unioned statement returns a result
set in its place and gets displayed on the page!!

I know this is possible on a number of large commercial sites.

The interesting fact is that this is just within a dodgy piece of code
produced by site server.  The same technique is viable for any database
accessing asp that uses parameters from either get or post.

No special tools are needed, this can be done by direct typing in the
location bar.

The implications like being able to loop through the sysobjects table to
get a complete table structure of a database, etc. are frightening.
-----End Forwarded Message-----

This is a known issue with several web applications that use an SQL
database. More information on this particular case, including patch
locations, is available at:
http://www.securityfocus.com/bid/994

Thank you,
Ben Greenbaum
Director of Site Content
Security Focus
http://www.securityfocus.com
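The concatenated query from the forwarded message, beside a parameterised form, as an added example that is not part of the original post or of Site Server: Python with an in-memory SQLite database stands in for the ASP page and SQL Server, and the table names, the seven columns a..g and the sample rows are constructed here.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the site's database: one product table with the
    # seven columns the page names, plus the card table the payload targets.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (dept_id INTEGER, a TEXT, b TEXT, c TEXT,
                               d TEXT, e TEXT, f TEXT, g TEXT);
        INSERT INTO products VALUES (100, 'widget', 'blue', '9.99', 'x', 'x', 'x', 'x');
        CREATE TABLE Credit_Card_table (credit_card_number TEXT);
        INSERT INTO Credit_Card_table VALUES ('4111-SAMPLE-0000');
    """)
    return db


def product_rows_vulnerable(db, dept_id):
    # Mirrors the ASP on the page: the raw request value becomes SQL text.
    sql = "select a,b,c,d,e,f,g from products where dept_id = " + dept_id
    return db.execute(sql).fetchall()


def product_rows_safe(db, dept_id):
    # Hardened form: reject anything that is not the integer the page expects,
    # then bind the value as a parameter so it can never be parsed as SQL.
    if not dept_id.isdigit():
        raise ValueError("dept_id must be an integer")
    sql = "select a,b,c,d,e,f,g from products where dept_id = ?"
    return db.execute(sql, (int(dept_id),)).fetchall()


def safe_lookup_rejects(db, dept_id):
    # True when the hardened lookup refuses the value instead of querying.
    try:
        product_rows_safe(db, dept_id)
        return False
    except ValueError:
        return True


# The request value from the page: a bogus dept_id with a UNION of equal width.
PAYLOAD = ("100000 union select credit_card_number,null,null,null,null,null, null "
           "from Credit_Card_table")

if __name__ == "__main__":
    db = make_db()
    print(product_rows_vulnerable(db, "100"))      # the intended product row
    print(product_rows_vulnerable(db, PAYLOAD))    # the unioned card row instead
    print(safe_lookup_rejects(db, PAYLOAD))        # True: never reaches the DB
```

With the vulnerable function the second statement's row is what the page would "response.write"; with the bound parameter the same value is refused before any query runs.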

