
Bugtraq mailing list archives

BID 994, MS00-010 (Site Server Commerce Edition non-validated SQL inputs)
From: bgreenbaum () SECURITYFOCUS COM (Ben Greenbaum)
Date: Fri, 25 Feb 2000 09:11:17 -0800

Forwarded to the list from a contributor who wishes to remain anonymous:

-----Begin Forwarded Message-----
The link from one page to another is


Within product.asp dept_id is picked up and used to construct a SQL

"select a,b,c,d,e,f,g from table where dept_id = " & Request("Dept_ID")

Further down the page a, b, c, d, e, f and g are response.writed to the

Think about what happens if the URL above is modified to

http://hostname/product.asp?dept_id=100000 union select
credit_card_number,null,null,null,null,null, null from Credit_Card_table

If a bogus dept_id is used the second unioned statement returns a result
set in its place and gets displayed on the page!!

I know this is possible on a number of large commercial sites.

The interesting fact is that this is just within a dodgy piece of code
produced by Site Server.  The same technique is viable for any database
accessing ASP that uses parameters from either GET or POST.

No special tools are needed, this can be done by direct typing in the
location bar.

The implications, like being able to loop through the sysobjects table to
get a complete table structure of a database, etc., are frightening.
-----End Forwarded Message-----

This is a known issue with several web applications that use an SQL
database. More information on this particular case, including patch
locations, is available at:

Thank you,
Ben Greenbaum
Director of Site Content
Security Focus