Re: ASP code testing
From: Bojo (bojo_alex@yahoo.com)Date: 11/18/01
- Previous message: Dan Richardson: "ASP code testing"
- In reply to: Dan Richardson: "ASP code testing"
- Next in thread: Kevin Spett: "Re: ASP code testing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <001601c17082$0fc5b880$0100a8c0@Bojo> From: "Bojo" <bojo_alex@yahoo.com> To: <pen-test@securityfocus.com> Subject: Re: ASP code testing Date: Mon, 19 Nov 2001 00:38:08 +0200
I am ASP programmer. I don't think that some buffer overflow can occur in
your case because scripting engine checks bounds of data types.
In your case somewhere is line of code like:
v = Request.QueryString("id")
i = CInt(v)
First - in this case your ids are limited to 32767 - check your data that if
this is possible.
Solution is to replace this with: i = CLng(v) (hope all is clear here)
But I have seen this and you must check for code like this:
v = Request.QueryString("id")
Query = "Select * from table where table_id = " & v
ExecQuery(Query)
....
That is - there is no cast to integer and as parameter can be passed
anything and it is concatenated directly to Query.
You can execute something like
http://www.asite.com/show/showsomething.asp?ID=32767;Update+Salary+Set+value
+=+value*2+Where+name='Dan'
the semicolumn (;) is terminator for batch querys in sql server and ADO 2.5
and later will execute this correctly ;)
----- Original Message -----
From: "Dan Richardson" <dan.richardson@paradise.net.nz>
To: <pen-test@securityfocus.com>
Sent: Sunday, November 18, 2001 1:00 AM
Subject: ASP code testing
Regards
Bojidiar Alexandrov
> I'm currently testing some ASP code on an e-commerce site. My question
> is could this be used to execute a buffer overflow exploit?
>
> The following URL:
>
> http://www.asite.com/show/showsomething.asp?ID=5
>
> Will retrieve a legitmate item from the database. By playing with the
> number a bit-
>
> http://www.asite.com/show/showsomething.asp?ID=32767
>
> Will generate
>
> ADODB.Field error '80020009'
>
> Either BOF or EOF is True, or the current record has been deleted.
> Requested operation requires a current record.
>
> But if I bump that number up to 32768 (unsigned integer limit)-
>
> Microsoft VBScript runtime error '800a0006'
>
> Overflow: 'cint'
>
> /show/showsomething.asp, line x
>
>
> Thanks
>
> Dan
>
>
>
> --------------------------------------------------------------------------
-- > This list is provided by the SecurityFocus Security Intelligence Alert (SIA) > Service. For more information on SecurityFocus' SIA service which > automatically alerts you to the latest security vulnerabilities please see: > https://alerts.securityfocus.com/ >---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
- Previous message: Dan Richardson: "ASP code testing"
- In reply to: Dan Richardson: "ASP code testing"
- Next in thread: Kevin Spett: "Re: ASP code testing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
