Bugtraq mailing list archives
Re: BID 994, MS00-010 (Site Server Commerce Edition non-validated SQL inputs)
From: bertrand.schmitt () ARKADIA COM (Bertrand Schmitt)
Date: Sat, 26 Feb 2000 17:03:27 +0100
If you use Stored Procedure calls in your ASP pages this can't happen!! Manually creating SQL statements within ASP is poor design : not as efficient and secured as storing them in your database server (as stored procedures) and making a call to them without speaking of coding properly : you do you reuse these pieces of code?! Within product.asp dept_id is picked up and used to construct a SQL statement. "select a,b,c,d,e,f,g from table where dept_id = " & Request("Dept_ID") Further down the page a, b, c, d, e, f and g are response.writed to the page. Think about what happens if the URL above is modified to http://hostname/product.asp?dept_id=100000 union select credit_card_number,null,null,null,null,null, null from Credit_Card_table
Current thread:
- Re: BID 994, MS00-010 (Site Server Commerce Edition non-validated SQL inputs) Bertrand Schmitt (Feb 26)
- Re: BID 994,MS00-010 (Site Server Commerce Edition non-validated SQL inputs) Jefferson Ogata (Feb 28)
- <Possible follow-ups>
- Re: BID 994, MS00-010 (Site Server Commerce Edition non-validated SQL inputs) Smith, Eric V. (Feb 28)
- nmh security update Ruud de Rooij (Feb 28)
- EZshopper version 3.0 - Last followup Servio Medina (Feb 28)
- ht://Dig remote information exposure Geoff Hutchison (Feb 28)
- All the recent SQL vulnerabilities Duncan Simpson (Feb 28)
- HP Omniback remote DoS Jon (Feb 28)
- Re: BID 994, MS00-010 (Site Server Commerce Edition non-validated SQL inputs) Nick Southwell (Feb 29)