[14030] in bugtraq


BID 994,

daemon@ATHENA.MIT.EDU (Ben Greenbaum)
Fri Feb 25 19:22:04 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.GSO.4.10.10002250905420.19235-100000@www.securityfocus.com>
Date:         Fri, 25 Feb 2000 09:11:17 -0800
Reply-To: Ben Greenbaum <bgreenbaum@SECURITYFOCUS.COM>
From: Ben Greenbaum <bgreenbaum@SECURITYFOCUS.COM>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Forwarded to the list from a contributor who wishes to remain anonymous:

-----Begin Forwarded Message-----
The link from one page to another is

http://hostname/product.asp?dept_id=100

Within product.asp dept_id is picked up and used to construct a SQL
statement.

"select a,b,c,d,e,f,g from table where dept_id = " & Request("Dept_ID")

Further down the page a, b, c, d, e, f and g are response.writed to the
page.

Think about what happens if the URL above is modified to

http://hostname/product.asp?dept_id=100000 union select
credit_card_number,null,null,null,null,null, null from Credit_Card_table

If a bogus dept_id is used, the second unioned statement returns a result
set in its place and gets displayed on the page!!

I know this is possible on a number of large commercial sites.

The interesting fact is that this is just within a dodgy piece of code
produced by Site Server.  The same technique is viable for any database
accessing asp that uses parameters from either get or post.

No special tools are needed, this can be done by direct typing in the
location bar.

The implications, like being able to loop through the sysobjects table to
get a complete table structure of a database, etc., are frightening.
-----End Forwarded Message-----

This is a known issue with several web applications that use an SQL
database. More information on this particular case, including patch
locations, is available at:
http://www.securityfocus.com/bid/994

Thank you,
Ben Greenbaum
Director of Site Content
Security Focus
http://www.securityfocus.com
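The concatenation the forwarded message describes, next to the validated, parameterized form that closes it, as an added illustration that is not part of the original post. It models the ASP page in Python with an in-memory sqlite3 database; the table names, columns and rows are constructed for the example.

```python
import sqlite3


def build_db():
    # Constructed schema mirroring the advisory: a product table keyed by dept_id
    # and a separate card table that product.asp was never meant to expose.
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("create table products (dept_id integer, a text, b text, c text,"
                " d text, e text, f text, g text)")
    cur.execute("insert into products values (100, 'widget', 'blue', 'small',"
                " '9.99', 'x', 'y', 'z')")
    cur.execute("create table Credit_Card_table (credit_card_number text)")
    cur.execute("insert into Credit_Card_table values ('4111-SAMPLE-0000')")
    conn.commit()
    return conn


def vulnerable_lookup(conn, dept_id_param):
    # Same construction as the ASP line in the advisory:
    # "select a,b,c,d,e,f,g from table where dept_id = " & Request("Dept_ID")
    # The request value becomes part of the SQL text, so a UNION in it is executed.
    sql = "select a,b,c,d,e,f,g from products where dept_id = " + dept_id_param
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, dept_id_param):
    # Two independent defenses: dept_id must parse as an integer, and the value
    # is bound as a query parameter so the database never treats it as SQL.
    try:
        dept_id = int(dept_id_param)
    except ValueError:
        raise ValueError("dept_id must be an integer")
    sql = "select a,b,c,d,e,f,g from products where dept_id = ?"
    return conn.execute(sql, (dept_id,)).fetchall()


# The query-string value from the advisory, with the line wrap removed.
PAYLOAD = ("100000 union select credit_card_number,null,null,null,null,null,null"
           " from Credit_Card_table")
```

With the concatenated query the payload returns a card row in place of the product; the hardened version rejects it before any SQL runs, and a legitimate `dept_id=100` still returns the product row.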
