[Full-Disclosure] sql injection question

From: Richard Stevens (richard_at_tccnet.co.uk)
Date: 10/15/03

  • Next message: Menashe Eliezer: "[Full-Disclosure] Finjan Software Discovers a New Critical Vulnerability In Microsoft Hotmail"
    To: <full-disclosure@lists.netsys.com>
    Date: Wed, 15 Oct 2003 16:57:52 +0100
    
    

    Quick question for the list, if I may,

    We have a third party application that we are piloting for use as a web store front end.

    I have no idea about programming SQL at all, but have read of some of the SQL injection techniques on this list.

    In the search box on the app, by inserting ' followed by a space, the following message is generated:

    --------------------------------------------------------------------------------

    Technical Information (for support personnel)

    Error Type:
    Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
    [Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near ' insert into @promtable select a.ItemCode, a.SysNumber, a.TechDescription, a.InvoiceDescription, a.Classification, a.ProductGrou'.
    /eshop/search.asp, line 265

    Browser Type:
    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

    Page:
    GET /eshop/search.asp?SessionId=PR10006210200315411635Q3TLJ310ELW679PQ7Y&QuickSearch=%27+

    Time:
    Wednesday, October 15, 2003, 4:45:30 PM

    Also, the password for SA is stored in clear text in the site in a text config file. This would not strike me as being sensible.

    These are both ringing alarm bells!

    From this info, would you assume it would be easy for someone skilled in SQL injection to get unauthorised access to the database? ... or is it not that simple?

    The input seems to be filtered correctly on the logon.asp, as entering these characters has no apparent effect.

    TIA

    Richard

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
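
Added example (not part of the original post and not the application's code): a minimal Python/SQLite sketch of why a lone `'` in a search box produces a syntax error when input is concatenated into the SQL text, shown next to the parameterized form. The table, rows and function names are constructed; only the column names ItemCode and TechDescription are borrowed from the error message, and SQLite stands in for SQL Server.

```python
import sqlite3


def make_db():
    """Constructed sample catalogue (not data from the application)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (ItemCode TEXT, TechDescription TEXT)")
    db.executemany(
        "INSERT INTO items VALUES (?, ?)",
        [("A100", "O'Neill cable 2m"), ("B200", "USB hub 4 port")],
    )
    return db


def search_concat(db, term):
    """Assumed pattern behind the error: input pasted into the SQL text.

    A quote in `term` closes the string literal early, so the rest of
    the statement no longer parses.
    """
    sql = ("SELECT ItemCode FROM items "
           "WHERE TechDescription LIKE '%" + term + "%'")
    return [row[0] for row in db.execute(sql)]


def search_param(db, term):
    """Hardened form: the term is a bound parameter, never part of the SQL."""
    sql = ("SELECT ItemCode FROM items "
           "WHERE TechDescription LIKE '%' || ? || '%'")
    return [row[0] for row in db.execute(sql, (term,))]


def probe(search, db, term):
    """Run a search and classify the outcome instead of surfacing raw errors."""
    try:
        return ("ok", search(db, term))
    except sqlite3.Error as exc:
        return ("sql_error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for term in ("hub", "' ", "O'Neill"):
        print(repr(term), probe(search_concat, db, term)[0],
              probe(search_param, db, term))
```

Binding parameters addresses the query construction only; the SA credential in the config file is a separate exposure, since whatever an altered query can do is bounded by the privileges of the login the application connects with.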

