WebApp Sec mailing list archives

RE: ODBC Injection


From: "DAN MORRILL" <dan_20407 () msn com>
Date: Wed, 30 Nov 2005 13:16:54 +0000

Don't use Access; Access has no security model. Use Oracle or MS SQL or a database that you can segment everything off to procedures, don't allow nested triggers, build the e-commerce site so that it calls nothing but stored procedures, and sanitizes the data at the web page, and at the stored procedure.

Just my 2 cents.
r/d









From: "John Cobb" <johnc () nobytes com>
To: <webappsec () securityfocus com>
Subject: ODBC Injection
Date: Wed, 30 Nov 2005 11:38:53 -0000

Hello All,

I'm testing an ecommerce app on IIS6 with an M$ Access Database and I have
found some injection:

http://test.com/test.asp?sIdProduct=1

I get the following error when I insert alpha characters rather than
numbers.
I cannot manipulate this much, does anybody have any suggestions?

Eg:

http://test.com/test.asp?sIdProduct=test


Database operations error:

ODBC driver does not support the requested properties.

SELECT * FROM Products WHERE idProduct = test

ADODB.Recordset error '800a0e78'

Operation is not allowed when the object is closed.

/test.asp, line 135

Thanks

John Cobb
www.nobytes.com
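The two messages above describe the same bug from both sides: John's ASP page pastes the `sIdProduct` query-string value straight into `SELECT * FROM Products WHERE idProduct = ...` and echoes the driver error (and the SQL text) to the browser, and Dan's reply prescribes validating at the web page and then calling the database only through a fixed, parameterised interface. The example below is an added illustration, not code from either poster; it uses Python with an in-memory SQLite table as a stand-in for the IIS/ASP/Access stack (the table name and columns are constructed), and parameter binding stands in for the stored-procedure call Dan recommends, since SQLite has no stored procedures.

```python
import re
import sqlite3
from typing import List, Optional, Tuple

# Constructed stand-in for the "Products" table referenced in the thread.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (idProduct INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO Products VALUES (?, ?, ?)",
        [(1, "Widget", 9.99), (2, "Gadget", 19.99), (3, "Gizmo", 4.50)],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, s_id_product: str) -> Tuple[List[tuple], Optional[str]]:
    """Mirrors the ASP page: the raw query-string value is concatenated into SQL.
    Returns (rows, error). Any non-numeric input becomes part of the statement,
    and the error handed back contains the SQL text, which is what leaked to the browser."""
    sql = f"SELECT * FROM Products WHERE idProduct = {s_id_product}"
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        # Equivalent of the ODBC/ADODB error page: driver message plus the statement.
        return [], f"{exc} :: {sql}"

def parse_product_id(raw: Optional[str]) -> Optional[int]:
    """Web-layer check Dan describes: accept only a short, positive decimal integer."""
    if raw is None or not re.fullmatch(r"[0-9]{1,9}", raw):
        return None
    return int(raw)

def lookup_hardened(conn: sqlite3.Connection, s_id_product: str) -> Tuple[List[tuple], Optional[str]]:
    """Validate first, then bind the value as a parameter so it can never be parsed as SQL.
    On bad input the caller gets a generic message with no SQL or driver text in it."""
    pid = parse_product_id(s_id_product)
    if pid is None:
        return [], "invalid product id"
    rows = conn.execute("SELECT * FROM Products WHERE idProduct = ?", (pid,)).fetchall()
    return rows, None

if __name__ == "__main__":
    db = make_db()
    # Input from the original post: sIdProduct=test
    print("vulnerable:", lookup_vulnerable(db, "test"))
    print("hardened:  ", lookup_hardened(db, "test"))
    print("hardened:  ", lookup_hardened(db, "1"))
```

Running it with the non-numeric value from John's post shows the difference a defender cares about: the vulnerable path reaches the database with attacker-controlled text in the statement and returns an error that discloses the query, while the hardened path rejects the value before any SQL is built and, for a valid id, binds it as a parameter rather than splicing it into the string.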






