Home page logo

bugtraq logo Bugtraq mailing list archives

Re: BID 994, MS00-010 (Site Server Commerce Edition non-validated SQL inputs)
From: bertrand.schmitt () ARKADIA COM (Bertrand Schmitt)
Date: Sat, 26 Feb 2000 17:03:27 +0100

If you use Stored Procedure calls in your ASP pages this can't
happen!! Manually creating SQL statements within ASP is poor design :
not as efficient and secured as storing them in your database server
(as stored procedures) and making a call to them without speaking
of coding properly : you do you reuse these pieces of code?!

Within product.asp dept_id is picked up and used to construct a SQL

"select a,b,c,d,e,f,g from table where dept_id = " & Request("Dept_ID")

Further down the page a, b, c, d, e, f and g are response.writed to the

Think about what happens if the URL above is modified to

http://hostname/product.asp?dept_id=100000 union select
credit_card_number,null,null,null,null,null, null from Credit_Card_table

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]