[10639] in bugtraq
Re: Advisory: NT ODBC Remote Compromise
daemon@ATHENA.MIT.EDU (Vittal Aithal)
Wed May 26 13:50:43 1999
Message-Id: <D0CD3D370F64D211A25900104BAD8D595AAB8C@RMAIL>
Date: Wed, 26 May 1999 09:01:26 +0100
Reply-To: Vittal Aithal <vittal.aithal@REVOLUTIONLTD.COM>
From: Vittal Aithal <vittal.aithal@REVOLUTIONLTD.COM>
To: BUGTRAQ@NETSPACE.ORG

Just to clarify my earlier posting;

The code I posted was server-side ASP JavaScript. As a number of people
have/will point out, running it at the client isn't going to help.

I suspect the same methodology could be applied for other environments
(ColdFusion / Perl DBI::DBD / PHP / etc).

cheers
vittal
--
Vittal Aithal
Revolution Ltd <tel: 0181 267 1000> <fax: 0181 267 1066>
<vittal.aithal@revolutionltd.com> <http://www.revolutionltd.com/>
<vittal.aithal@bigfoot.com> <http://www.bigfoot.com/~vittal.aithal/>
> -----Original Message-----
> From: Bigby Findrake [mailto:bigby@HOME.SHIVA.EU.ORG]
> Sent: 25 May 1999 22:43
> To: BUGTRAQ@NETSPACE.ORG
> Subject: Re: Advisory: NT ODBC Remote Compromise
>
>
> On Tue, 25 May 1999, Vittal Aithal wrote:
>
> > Here's some javascript stuff that'll clean up quotes and things before
> > having them sent off in a sql query... only tested with access, so YMMV.
>
> Do keep in mind that while this will stop people from using the
> aforementioned exploits *only when using your forms*. It is still
> possible to download your web pages, remove the javascript hooks, and then
> submit their information, or call the CGI (if method GET is accepted) by
> hand and get around such security measures.
>
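
The point both posters make, that the cleanup has to run on the server for every request, is illustrated below. This is an added example, not the code from the earlier posting; the function names, the `users` table and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: server-side input handling in the spirit of the thread.
// All names here (sqlQuote, parseId, buildUserQuery, users) are hypothetical.

// Prepare a value for a single-quoted SQL string literal by doubling
// embedded single quotes (the standard SQL convention, also used by Access).
function sqlQuote(value) {
  if (typeof value !== "string") throw new TypeError("expected a string");
  if (value.length > 64) throw new RangeError("value too long");
  if (/[\x00-\x1f]/.test(value)) throw new RangeError("control character in value");
  return "'" + value.replace(/'/g, "''") + "'";
}

// Numeric fields are never quoted, so accept plain decimal digits only.
function parseId(value) {
  if (typeof value !== "string" || !/^[0-9]{1,9}$/.test(value)) {
    throw new RangeError("id must be a decimal integer");
  }
  return parseInt(value, 10);
}

// Runs on the server for every request, whether it came from the site's
// own form or was assembled by hand, so removing the page's client-side
// script changes nothing about what reaches the database.
function buildUserQuery(params) {
  const id = parseId(params.id);
  const name = sqlQuote(params.name);
  return "SELECT * FROM users WHERE id = " + id + " AND name = " + name;
}

// Constructed sample requests (not from the original posts).
function demo() {
  const samples = [
    { id: "7", name: "O'Brien" }, // legitimate value containing a quote
    { id: "12abc", name: "x" },   // malformed numeric field, must be rejected
  ];
  return samples.map((p) => {
    try {
      return buildUserQuery(p);
    } catch (e) {
      return "rejected: " + e.message;
    }
  });
}

console.log(demo().join("\n"));
```

Where the database driver supports bound parameters, passing values that way replaces `sqlQuote` entirely; the type and length checks still belong on the server.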