Bugtraq mailing list archives

Re: BID 994, MS00-010 (Site Server Commerce Edition non-validated SQL inputs)

From: bertrand.schmitt () ARKADIA COM (Bertrand Schmitt)
Date: Sat, 26 Feb 2000 17:03:27 +0100


If you use Stored Procedure calls in your ASP pages this can't
happen!! Manually creating SQL statements within ASP is poor design :
not as efficient and secured as storing them in your database server
(as stored procedures) and making a call to them without speaking
of coding properly : you do you reuse these pieces of code?!

Within product.asp dept_id is picked up and used to construct a SQL
statement.

"select a,b,c,d,e,f,g from table where dept_id = " & Request("Dept_ID")

Further down the page a, b, c, d, e, f and g are response.writed to the
page.

Think about what happens if the URL above is modified to

http://hostname/product.asp?dept_id=100000 union select
credit_card_number,null,null,null,null,null, null from Credit_Card_table

Current thread:

Re: BID 994, MS00-010 (Site Server Commerce Edition non-validated SQL inputs) Bertrand Schmitt (Feb 26)
- Re: BID 994,MS00-010 (Site Server Commerce Edition non-validated SQL inputs) Jefferson Ogata (Feb 28)
- <Possible follow-ups>
- Re: BID 994, MS00-010 (Site Server Commerce Edition non-validated SQL inputs) Smith, Eric V. (Feb 28)
  - nmh security update Ruud de Rooij (Feb 28)
  - EZshopper version 3.0 - Last followup Servio Medina (Feb 28)
  - ht://Dig remote information exposure Geoff Hutchison (Feb 28)
  - All the recent SQL vulnerabilities Duncan Simpson (Feb 28)
  - HP Omniback remote DoS Jon (Feb 28)
  - Re: BID 994, MS00-010 (Site Server Commerce Edition non-validated SQL inputs) Nick Southwell (Feb 29)