Re: Pen-tester's analysis of .NET security?
From: Frank Knobbe (frank_at_knobbe.us)
Date: 03/25/04
- Previous message: Kelly Winters: "RE: Oracle DB Audity"
- In reply to: Frank Knobbe: "Re: Pen-tester's analysis of .NET security?"
- Next in thread: Jeff Bryner: "Re: Pen-tester's analysis of .NET security?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Lachniet, Mark" <mlachniet@sequoianet.com>
Date: Wed, 24 Mar 2004 17:24:12 -0600
Sorry, gotta correct myself.
> Can't help with white papers, but while doing reviews of sites "powered
> by ASP.NET" I noticed that these mostly use ADODB connections which *MAY*
> escape quotes.
The web app I'm looking at currently was not vulnerable to quotes. But I
just came across additional quote escaping before the command string
hits the ADODB.Command object. Perhaps ADODB is still vulnerable.
In either case, never trust the OS. :)
-Frank
- application/pgp-signature attachment: This is a digitally signed message part