Dunno about the buffer overflow question (I've been toying with similar
ideas), but it's generally a bad idea for the client to be able to get
backend error messages of any kind. Have you checked to see if you can get
an ODBC error message? Try adding a single quote or an SQL keyword such as
' OR' to the argument and see if you can pull off an SQL Injection attack.
Kevin.
----- Original Message -----
From: "Dan Richardson" <dan.richardsonat_private>
To: <pen-testat_private>
Sent: Saturday, November 17, 2001 3:00 PM
Subject: ASP code testing
> I'm currently testing some ASP code on an e-commerce site. My question
> is could this be used to execute a buffer overflow exploit?
>
> The following URL:
>
> http://www.asite.com/show/showsomething.asp?ID=5
>
> Will retrieve a legitmate item from the database. By playing with the
> number a bit-
>
> http://www.asite.com/show/showsomething.asp?ID=32767
>
> Will generate
>
> ADODB.Field error '80020009'
>
> Either BOF or EOF is True, or the current record has been deleted.
> Requested operation requires a current record.
>
> But if I bump that number up to 32768 (unsigned integer limit)-
>
> Microsoft VBScript runtime error '800a0006'
>
> Overflow: 'cint'
>
> /show/showsomething.asp, line x
>
>
> Thanks
>
> Dan
>
>
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please
see:
> https://alerts.securityfocus.com/
>
>
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Mon Nov 19 2001 - 14:09:50 PST