RE : [Full-Disclosure] sql injection question

From: Frederic Charpentier (fcharpentier_at_xmcopartners.com)
Date: 10/15/03

    To: "'Richard Stevens'" <richard@tccnet.co.uk>, <full-disclosure@lists.netsys.com>
    Date: Wed, 15 Oct 2003 18:46:47 +0200
    
    

    It is probably a sql injection problem.

    The script featuring the "search box" function must control every char
    the user can enter ! ( ' ` ; --). You must allow
    only alphabetic chars.

    There are certainly built-in functions which perform that on your
    framework.

     

     Frederic Charpentier, XMCO.

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On behalf of Richard
    Stevens
    Sent: Wednesday 15 October 2003 17:58
    To: full-disclosure@lists.netsys.com
    Cc: David Rees
    Subject: [Full-Disclosure] sql injection question

    Quick question for the list, if I may,

    We have a third party application that we are piloting for using as web
    store front end.

    I have no idea on programming sql at all, but have read of some of the
    sql injection techniques on this list.

    In the search box on the app, by inserting ' followed by a space, the
    following message is generated:

    --------------------------------------------------------------------------------

    Technical Information (for support personnel)

    Error Type:
    Microsoft OLE DB Provider for ODBC Drivers (0x80040E14) [Microsoft][ODBC
    SQL Server Driver][SQL Server]Line 1: Incorrect syntax near ' insert
    into @promtable select a.ItemCode, a.SysNumber, a.TechDescription,
    a.InvoiceDescription, a.Classification, a.ProductGrou'.
    /eshop/search.asp, line 265

    Browser Type:
    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

    Page:
    GET
    /eshop/search.asp?SessionId=PR10006210200315411635Q3TLJ310ELW679PQ7Y&QuickSearch=%27+

    Time:
    Wednesday, October 15, 2003, 4:45:30 PM

    Also, the password for SA is stored in clear text in the site in a text
    config file. This would not strike me as being sensible.

    These are both ringing alarm bells !

    From this info, would you assume it would be easy for someone skilled in
    sql injection to get unauthorised access to the database? Or is it not
    that simple?

    The input seems to be filtered correctly on the logon.asp, as entering
    these characters has no apparent effect.

    TIA

    Richard

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
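An added example, not code from the thread or from the e-shop's ASP pages: Python with sqlite3 stands in for the SQL Server back end, and the items table and search terms are constructed. It contrasts the string-concatenated query that the "Incorrect syntax near ' insert into @promtable" error suggests with the whitelist-plus-bound-parameter version Frederic recommends.

```python
import re
import sqlite3

# Constructed stand-in for the catalogue behind /eshop/search.asp (assumption).
ROWS = [
    ("A100", 1, "Widget, blue", "Blue widget"),
    ("A200", 2, "Gadget", "Gadget (boxed)"),
]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE items(ItemCode, SysNumber, TechDescription, InvoiceDescription)")
    con.executemany("INSERT INTO items VALUES (?, ?, ?, ?)", ROWS)
    return con

def search_concatenated(con, term):
    """The pattern the error message points at: the QuickSearch value is pasted
    into the SQL text, so a quote in it changes the statement's structure
    instead of being treated as data (here it yields a syntax error)."""
    sql = "SELECT ItemCode FROM items WHERE TechDescription LIKE '%" + term + "%'"
    return [row[0] for row in con.execute(sql)]

def is_valid_term(term):
    """Whitelist in the spirit of the reply: letters, digits and spaces only,
    bounded in length. Everything else (' ` ; -- etc.) is rejected."""
    return re.fullmatch(r"[A-Za-z0-9 ]{1,64}", term) is not None

def search_safe(con, term):
    """Validate first, then bind the term as a parameter so the driver never
    lets it alter the statement; the whitelist is defence in depth, the
    parameter binding is what actually stops injection."""
    if not is_valid_term(term):
        raise ValueError("search term rejected by whitelist")
    sql = "SELECT ItemCode FROM items WHERE TechDescription LIKE ?"
    return [row[0] for row in con.execute(sql, ("%" + term + "%",))]

def demo(term):
    """Run both versions on one term; returns (unsafe_result, safe_result),
    each a list of item codes or a short text describing the failure."""
    con = make_db()
    try:
        unsafe = search_concatenated(con, term)
    except sqlite3.OperationalError as e:
        unsafe = "syntax error: " + str(e)
    try:
        safe = search_safe(con, term)
    except ValueError as e:
        safe = "rejected: " + str(e)
    return unsafe, safe
```

Running `demo("' ")` (the quote-plus-space from the original post) shows the concatenated query failing with a syntax error, exactly the symptom reported, while the hardened path rejects the term before any SQL is built.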

