Penetration Testing mailing list archives
Re: ASP code testing
From: "Bojo" <bojo_alex () yahoo com>
Date: Mon, 19 Nov 2001 00:38:08 +0200
I am ASP programmer. I don't think that some buffer overflow can occur in your case because scripting engine checks bounds of data types. In your case somewhere is line of code like: v = Request.QueryString("id") i = CInt(v) First - in this case your ids are limited to 32767 - check your data that if this is possible. Solution is to replace this with: i = CLng(v) (hope all is clear here) But I have seen this and you must check for code like this: v = Request.QueryString("id") Query = "Select * from table where table_id = " & v ExecQuery(Query) .... That is - there is no cast to integer and as parameter can be passed anything and it is concatenated directly to Query. You can execute something like http://www.asite.com/show/showsomething.asp?ID=32767;Update+Salary+Set+value +=+value*2+Where+name='Dan' the semicolumn (;) is terminator for batch querys in sql server and ADO 2.5 and later will execute this correctly ;) ----- Original Message ----- From: "Dan Richardson" <dan.richardson () paradise net nz> To: <pen-test () securityfocus com> Sent: Sunday, November 18, 2001 1:00 AM Subject: ASP code testing Regards Bojidiar Alexandrov
I'm currently testing some ASP code on an e-commerce site. My question is could this be used to execute a buffer overflow exploit? The following URL: http://www.asite.com/show/showsomething.asp?ID=5 Will retrieve a legitmate item from the database. By playing with the number a bit- http://www.asite.com/show/showsomething.asp?ID=32767 Will generate ADODB.Field error '80020009' Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record. But if I bump that number up to 32768 (unsigned integer limit)- Microsoft VBScript runtime error '800a0006' Overflow: 'cint' /show/showsomething.asp, line x Thanks Dan --------------------------------------------------------------------------
--
This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please
see:
https://alerts.securityfocus.com/
---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- ASP code testing Dan Richardson (Nov 18)
- Re: ASP code testing Bojo (Nov 19)
- Re: ASP code testing Kevin Spett (Nov 19)
- RE: ASP code testing Omar Koudsi (Nov 19)
- <Possible follow-ups>
- Re: ASP code testing rudi carell (Nov 19)