[14043] in bugtraq
Re: BID 994,
daemon@ATHENA.MIT.EDU (Bertrand Schmitt)
Sun Feb 27 23:02:18 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <BEDFBD9FD17CD3118F7400105ACCDC86D9EC@lanfeust.corp.arkadia.com>
Date: Sat, 26 Feb 2000 17:03:27 +0100
Reply-To: Bertrand Schmitt <bertrand.schmitt@ARKADIA.COM>
From: Bertrand Schmitt <bertrand.schmitt@ARKADIA.COM>
X-To: Ben Greenbaum <bgreenbaum@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <BEDFBD9FD17CD3118F7400105ACCDC86085DDC@lanfeust.corp.arkadia.com>
If you use stored procedure calls in your ASP pages this can't
happen!! Manually creating SQL statements within ASP is poor design:
not as efficient and secure as storing them in your database server
(as stored procedures) and making a call to them, not to mention
coding properly: how do you reuse these pieces of code?!
Within product.asp dept_id is picked up and used to construct a SQL
statement.
"select a,b,c,d,e,f,g from table where dept_id = " & Request("Dept_ID")
Further down the page a, b, c, d, e, f and g are written to the
page with Response.Write.
Think about what happens if the URL above is modified to
http://hostname/product.asp?dept_id=100000 union select
credit_card_number,null,null,null,null,null, null from Credit_Card_table
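The following is an added example, not part of the original post or of the product.asp page it discusses. It reproduces the attack above against an in-memory SQLite database (the table names `product` and `Credit_Card_table`, the column names and the sample rows are all constructed for the demo) and puts the concatenated query beside a version that binds `dept_id` as a parameter. The fix is the binding, not where the SQL text lives: a parameterised call to a stored procedure gets the same protection, a stored procedure invoked through a concatenated EXEC string does not.

```python
import sqlite3

# Constructed sample payload: the query string from the post, as it would
# arrive in Request("Dept_ID").
PAYLOAD = ("100000 union select credit_card_number,null,null,null,null,null,"
           " null from Credit_Card_table")


def setup_db():
    """Build a throwaway database standing in for the site's SQL Server."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product (a TEXT, b TEXT, c TEXT, d TEXT,
                              e TEXT, f TEXT, g TEXT, dept_id INTEGER);
        INSERT INTO product VALUES ('widget', '1', '2', '3', '4', '5', '6', 7);
        CREATE TABLE Credit_Card_table (credit_card_number TEXT);
        INSERT INTO Credit_Card_table VALUES ('4111111111111111'),
                                            ('5500000000000004');
    """)
    return conn


def product_page_vulnerable(conn, dept_id):
    """Mirrors product.asp: the request value is pasted into the SQL text,
    so 'union select ...' becomes part of the statement."""
    sql = "select a,b,c,d,e,f,g from product where dept_id = " + dept_id
    return conn.execute(sql).fetchall()


def product_page_fixed(conn, dept_id):
    """Same query with dept_id bound as a parameter. The driver hands the
    whole request value to the engine as one literal, so it is compared
    against dept_id rather than parsed as SQL."""
    sql = "select a,b,c,d,e,f,g from product where dept_id = ?"
    return conn.execute(sql, (dept_id,)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, honest request:", product_page_vulnerable(db, "7"))
    print("vulnerable, injected      :", product_page_vulnerable(db, PAYLOAD))
    print("fixed, honest request     :", product_page_fixed(db, "7"))
    print("fixed, injected           :", product_page_fixed(db, PAYLOAD))
```

Run it and the vulnerable path returns every card number in column `a`, which product.asp would then write straight into the HTML; the bound version returns the widget row for a legitimate id and nothing at all for the payload.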