Home page logo

bugtraq logo Bugtraq mailing list archives

Re: BID 994,MS00-010 (Site Server Commerce Edition non-validated SQL inputs)
From: jogata () NODC NOAA GOV (Jefferson Ogata)
Date: Mon, 28 Feb 2000 15:23:56 -0500

Bertrand Schmitt wrote:

If you use Stored Procedure calls in your ASP pages this can't
happen!! Manually creating SQL statements within ASP is poor design :
not as efficient and secured as storing them in your database server
(as stored procedures) and making a call to them without speaking
of coding properly : you do you reuse these pieces of code?!

Actually, it can be argued that using stored procedures is in general bad
design, as it buries your business rules down in the database layer. At the
same time, reliance on stored procedures usually locks you into a single
database vendor, thereby making the system unportable.

A better design is middleware written in a proper, portable language that can
enforce your business rules and validate all input thoroughly, and narrows the
access to the database to a well-defined, well-protected interface. Programmers
can then make major mistakes in the interface code without risking database
compromise. In addition, using middleware gives you the opportunity of using a
language such as Perl that is well adapted to input validation and string
manipulation, and all the advantages of *real* code reuse.

I find the idea of transmitting unvalidated input directly to the database and
leaving validation to the unportable stored procedure code to be distinctly
unsettling, and of no benefit to security.

Within product.asp dept_id is picked up and used to construct a SQL

"select a,b,c,d,e,f,g from table where dept_id = " & Request("Dept_ID")

Further down the page a, b, c, d, e, f and g are response.writed to the

Think about what happens if the URL above is modified to

http://hostname/product.asp?dept_id=100000 union select
credit_card_number,null,null,null,null,null, null from Credit_Card_table

Jefferson Ogata <jogata () nodc noaa gov> National Oceanographic Data Center
You can't step into the same river twice. -- Herakleitos

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]