Hi,

I've got a meeting Monday with one of our clients regarding general security of their website. Most of their IIS config needs sorting out from what I saw last visit, but their ASP code I'm sure is potentially vulnerable. I've tested their logon (www.blah.com/logon.asp) script with the following. While I'll have access to the code Monday, I'd like to be able to go in with something revealing right off (usually makes people sit up and pay attention).

Username: ' OR ''='
Password: <blank>

Yields an 'account is locked out message' rather than a password failure message regardless of what is put in the password field.

If I use single quotes

Username: sdf'
Password: <blank> or asdf'

I get:

XYZQBusiness::boMember.CheckValidUser error '80040001'
Invalid advise flags
/_some_dir/verifpwd.asp, line xx

The site allows for users to register as 'guests' for the logon process, the username format follows:

Username: blahat_private
Password: somepassword

Being from a networking background and not much of a SQL guru, would it be possible to enumerate further data from the database and potentially gain an account listing? Passwords of legitimate users? It is possible that they are accessing the DB with an 'sa' logon, could this code be exploited to start attacking the box?

Thanks in advance,
Dan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Fri Nov 30 2001 - 14:19:10 PST
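
Added example, not part of the original post and not the client's code: a Python/sqlite3 model of a logon lookup built by string concatenation, next to the parameterized form, run against the two usernames quoted in the post. The table layout, the function names and the assumption that the lockout flag is read by a username-only query before the password is compared are all hypothetical.

```python
import hmac
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT, password TEXT, locked INTEGER)")
    db.executemany("INSERT INTO members VALUES (?, ?, ?)",
                   [("lockeduser", "pw1", 1), ("guest1", "guestpw", 0)])
    return db

def decide(row, password):
    # The lockout flag is checked before the password (assumed order).
    if row is None:
        return "invalid username or password"
    locked, stored = row
    if locked:
        return "account is locked out"
    # Plaintext comparison only keeps the sample short.
    same = hmac.compare_digest(password.encode(), stored.encode())
    return "ok" if same else "invalid username or password"

def login_concat(db, username, password):
    # Assumed "before" shape: the username is pasted into the SQL text,
    # so a quote in the input changes the structure of the statement.
    sql = "SELECT locked, password FROM members WHERE username = '" + username + "'"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return "error: " + type(exc).__name__
    return decide(row, password)

def login_param(db, username, password):
    # Hardened form: the username travels as a bound parameter and is
    # only ever compared as data, never parsed as SQL.
    sql = "SELECT locked, password FROM members WHERE username = ?"
    row = db.execute(sql, (username,)).fetchone()
    return decide(row, password)

if __name__ == "__main__":
    db = make_db()
    for user in ("' OR ''='", "sdf'", "guest1"):
        print(repr(user), "| concat:", login_concat(db, user, ""),
              "| param:", login_param(db, user, ""))
```

In this model the concatenated lookup returns the first stored row for the first username, whatever the password field holds, and fails outright on the unbalanced quote; the parameterized lookup treats both as ordinary unknown usernames.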