[11182] in bugtraq


Yet Another ODBC Bugged ASP Sample Page

daemon@ATHENA.MIT.EDU (Wanderley J. Abreu Junior)
Thu Jul 29 17:10:30 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id:  <002901bed994$7765cca0$0cd66520@storm>
Date:         Thu, 29 Jul 1999 04:32:05 -0300
Reply-To: "Wanderley J. Abreu Junior" <storm@UNIKEY.COM.BR>
From: "Wanderley J. Abreu Junior" <storm@UNIKEY.COM.BR>
X-To:         Microsoft Product Security Response Team <secure@microsoft.com>
To: BUGTRAQ@SECURITYFOCUS.COM

Dear Team,

            Exploiting ODBC Features that come with your sample programs is
not a mystery for any of us. So let me add one more ASP Sample with similar
troubles:

             http://server/ASPSamp/AdvWorks/equipment/catalog_type.asp
              or yet
             http://server/AdvWorks/equipment/catalog_type.asp

            It lets you execute shell commands like the other scripts. It is
an Active Server Page so it runs the query as a local user and doesn't need
any type of Remote Data Service to access the DSN. It just requires the
default DSN (advworks) set.

            The Exploit command line can be for instance :


http://server/AdvWorks/equipment/catalog_type.asp?ProductType=|shell("cmd+/c+dir+c:\")|

            Sorry if this SERIOUS security failure was already reported.

Regards,

             Wanderley Junior
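
Added example (not part of the original post): a log check for the request pattern reported above, a pipe-delimited expression calling shell() in the query string of the AdvWorks sample pages. The W3C field layout, the sample log lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log (assumed W3C extended format, documentation IP ranges).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "1999-07-29 07:32:05 192.0.2.10 GET /AdvWorks/equipment/catalog_type.asp ProductType=Tents 200",
    r'1999-07-29 07:33:11 192.0.2.77 GET /AdvWorks/equipment/catalog_type.asp ProductType=|shell("cmd+/c+dir+c:\")| 200',
    "1999-07-29 07:33:40 192.0.2.77 GET /ASPSamp/AdvWorks/equipment/catalog_type.asp ProductType=%7CShell(%22cmd+/c+dir%22)%7C 200",
    "1999-07-29 07:34:02 192.0.2.10 GET /default.asp - 200",
]

# A '|' that opens an expression, followed by a call to shell(), in any letter case.
PIPE_SHELL = re.compile(r"\|\s*shell\s*\(", re.IGNORECASE)
# Both install paths named in the post.
SAMPLE_PATH = re.compile(r"^/(aspsamp/)?advworks/", re.IGNORECASE)

def decode(query, rounds=3):
    """Undo URL encoding repeatedly so %7C and %257C both end up as '|'."""
    for _ in range(rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query

def scan(lines):
    """Return one record per request whose decoded query contains |shell(."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if line.startswith("#") or not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        query = decode(rec.get("cs-uri-query", ""))
        if PIPE_SHELL.search(query):
            stem = rec.get("cs-uri-stem", "")
            hits.append({"ip": rec.get("c-ip"), "path": stem, "query": query,
                         "sample_page": bool(SAMPLE_PATH.match(stem))})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit with sample_page set means the request reached one of the sample paths named in the post, which is a reason to check whether the sample site and its advworks DSN are still installed on that server.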
