Forwarded to the list from a contributor who wishes to remain anonymous:

-----Begin Forwarded Message-----

The link from one page to another is

    http://hostname/product.asp?dept_id=100

Within product.asp dept_id is picked up and used to construct a SQL statement.

    "select a,b,c,d,e,f,g from table where dept_id = " & Request("Dept_ID")

Further down the page a, b, c, d, e, f and g are response.writed to the page.

Think about what happens if the URL above is modified to

    http://hostname/product.asp?dept_id=100000 union select credit_card_number,null,null,null,null,null,null from Credit_Card_table

If a bogus dept_id is used the second unioned statement returns a result set in its place and gets displayed on the page!!

I know this is possible on a number of large commercial sites. The interesting fact is that this is just within a dodgy piece of code produced by Site Server. The same technique is viable for any database-accessing ASP that uses parameters from either GET or POST. No special tools are needed, this can be done by direct typing in the location bar.

The implications, like being able to loop through the sysobjects table to get a complete table structure of a database, etc., are frightening.

-----End Forwarded Message-----

This is a known issue with several web applications that use an SQL database. More information on this particular case, including patch locations, is available at:

    http://www.securityfocus.com/bid/994

Thank you,

Ben Greenbaum
Director of Site Content
Security Focus
http://www.securityfocus.com
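The following is an added illustration, not code from the post or from Site Server. It reproduces the concatenation pattern quoted above against an in-memory SQLite database standing in for the site's SQL Server, with a constructed product table and a constructed Credit_Card_table holding a dummy value, and shows the same lookup written with input validation and a bound parameter so the union clause is never parsed as SQL. It also includes a small query-string check of the kind a web log review might use to spot the request shape described in the post. The table and column names other than those in the post, and the function names, are assumptions for the example.

```python
"""Vulnerable string-built query beside its parameterised replacement (added example)."""
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# The query string value quoted in the post, as it would arrive via Request("Dept_ID").
INJECTED_DEPT_ID = ("100000 union select credit_card_number,null,null,null,null,null,"
                    "null from Credit_Card_table")


def build_db():
    """Constructed schema: a product table plus the card table the page must never expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product (a, b, c, d, e, f, g, dept_id INTEGER);
        CREATE TABLE Credit_Card_table (credit_card_number TEXT);
        INSERT INTO product VALUES ('widget', 'b1', 'c1', 'd1', 'e1', 'f1', 'g1', 100);
        -- constructed dummy value, not a real card number
        INSERT INTO Credit_Card_table VALUES ('0000-0000-0000-0000');
    """)
    return conn


def vulnerable_lookup(conn, dept_id):
    """Same construction as the ASP line: the request value is pasted into the SQL text."""
    sql = "select a,b,c,d,e,f,g from product where dept_id = " + dept_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn, dept_id):
    """Check the value is the integer the page expects, then bind it instead of pasting it."""
    if not re.fullmatch(r"\d{1,9}", dept_id):
        return []  # a department id is a small integer; anything else is rejected outright
    # The driver sends the value separately from the statement, so it can only ever be data.
    return conn.execute(
        "select a,b,c,d,e,f,g from product where dept_id = ?", (int(dept_id),)
    ).fetchall()


# Keywords that never belong in a numeric id parameter; sysobjects is the table the post names.
SQL_PROBE = re.compile(r"\b(union\s+(all\s+)?select|sysobjects)\b", re.IGNORECASE)


def flag_request(url):
    """Return the names of query parameters whose decoded value carries SQL keywords."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    return sorted(name for name, values in params.items()
                  if any(SQL_PROBE.search(v) for v in values))


def run_demo():
    """Run both lookups with a normal id and with the injected value from the post."""
    conn = build_db()
    return {
        "vulnerable_normal": vulnerable_lookup(conn, "100"),
        "vulnerable_injected": vulnerable_lookup(conn, INJECTED_DEPT_ID),
        "safe_normal": safe_lookup(conn, "100"),
        "safe_injected": safe_lookup(conn, INJECTED_DEPT_ID),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(name, rows)
    print(flag_request("http://hostname/product.asp?dept_id=" + INJECTED_DEPT_ID))
```

The vulnerable path returns the card row in place of the product row because the union runs as part of the statement, exactly as the post describes; the parameterised path returns nothing for the same input, and would return nothing even without the integer check, because the bound value is compared as data rather than compiled as SQL. The integer check is kept as a second layer so that malformed ids are rejected before the database is touched.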
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:37:19 PDT