WebApp Sec mailing list archives
RE: ODBC Injection
From: "DAN MORRILL" <dan_20407 () msn com>
Date: Wed, 30 Nov 2005 13:16:54 +0000
Don't use Access, Access has no security model. Use Oracle or MS SQL or a database that you can segment everything off to procedures, don't allow nested triggers, build the e-commerce site so that it calls nothing but stored procedures, and sanitize the data at the web page, and at the stored procedure.
Just my 2 cents.
r/d

Sometimes MSN E-mail will indicate that the message failed to be delivered. Please resend when you get those, it does not mean that the mail box is bad, merely that MSN mail is over worked at the time.
From: "John Cobb" <johnc () nobytes com>
To: <webappsec () securityfocus com>
Subject: ODBC Injection
Date: Wed, 30 Nov 2005 11:38:53 -0000

Hello All,

I'm testing an ecommerce app on IIS6 with an M$ Access Database and I have found some injection:

http://test.com/test.asp?sIdProduct=1

I get the following error when I insert alpha characters rather than numbers. I cannot manipulate this much, does anybody have any suggestions?

Eg: http://test.com/test.asp?sIdProduct=test

Database operations error: ODBC driver does not support the requested properties.
SELECT * FROM Products WHERE idProduct = test
ADODB.Recordset error '800a0e78'
Operation is not allowed when the object is closed.
/test.asp, line 135

Thanks
John Cobb
www.nobytes.com
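The error text John posted echoes the server-side statement as `SELECT * FROM Products WHERE idProduct = test`, i.e. the query-string value is concatenated straight into the SQL, so whatever follows the `=` is parsed as SQL. Dan's advice, validate at the page and push the database work behind a parameterized call, looks like the following in classic ASP. This is an added example written for this archive page, not code posted by John Cobb or Dan Morrill; the page name, the `Products` column names and the `Application("ConnString")` connection string are assumptions.

```vbscript
<%
' Added example (not code posted by John Cobb or Dan Morrill).
' Assumptions (hypothetical): the page reads sIdProduct from the query
' string, Products has idProduct/name/price columns, and the connection
' string is kept in Application("ConnString").
Option Explicit

' --- The pattern implied by the posted error text ---
' The statement echoed in the error,
'     SELECT * FROM Products WHERE idProduct = test
' is what you get from
'     sql = "SELECT * FROM Products WHERE idProduct = " & Request("sIdProduct")
'     Set rs = conn.Execute(sql)
' Anything after the "=" is parsed as SQL, so ?sIdProduct=1%20OR%201=1
' would return every row of Products.

' --- Hardened version: validate at the page, then bind a typed parameter ---
Const adCmdText = 1, adInteger = 3, adParamInput = 1

Dim re, rawId, productId
rawId = Trim(Request.QueryString("sIdProduct"))

' 1. Validate at the web page: accept only a short run of decimal digits.
'    IsNumeric alone is not enough; it also accepts "1e5", "&H10" and "1.5".
Set re = New RegExp
re.Pattern = "^[0-9]{1,9}$"
If Not re.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid product id"
    Response.End
End If
productId = CLng(rawId)

' 2. Never concatenate the value into the statement. The "?" placeholder is
'    bound through ADO, which works against Jet/Access as well as SQL Server.
Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT idProduct, name, price FROM Products WHERE idProduct = ?"
cmd.Parameters.Append cmd.CreateParameter("idProduct", adInteger, adParamInput, 4, productId)

Set rs = cmd.Execute
If rs.EOF Then
    Response.Status = "404 Not Found"
    Response.Write "No such product"
Else
    ' Encode on output as well; a product name is data, not markup.
    Response.Write Server.HTMLEncode(rs("name")) & " " & rs("price")
End If

rs.Close
conn.Close
Set rs = Nothing : Set cmd = Nothing : Set conn = Nothing
%>
```

To follow Dan's "nothing but stored procedures" model on SQL Server, the same page changes only in the command setup: `cmd.CommandType = 4` (adStoredProc), `cmd.CommandText = "usp_GetProduct"`, and the identical `CreateParameter` call; the validation at the page and the typed binding stay exactly as above.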
Current thread:
- ODBC Injection John Cobb (Nov 30)
- Re: ODBC Injection John Bond (Nov 30)
- RE: ODBC Injection DAN MORRILL (Nov 30)
- RE: ODBC Injection Brett Moore (Nov 30)
- Re: ODBC Injection Maxime Ducharme (Nov 30)
- <Possible follow-ups>
- RE: ODBC Injection Lepore, Brian (Nov 30)
- RE: ODBC Injection LAROUCHE Francois (Dec 01)
- RE: ODBC Injection Auri Rahimzadeh (Dec 01)