lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <117C14E37DABD242A0EE9ABB759F29D50DE2E0@webmail.tccnet.co.uk>
From: richard at tccnet.co.uk (Richard Stevens)
Subject: sql injection question

Thanks to all that replied for the confirmation. I will notify the vendor in the morning.
 
Many Thanks,
 
Richard
 
 
 

	-----Original Message----- 
	From: Manuel [ekerazha] [mailto:ekerazha@...oo.it] 
	Sent: Wed 15/10/2003 17:48 
	To: full-disclosure@...ts.netsys.com 
	Cc: 
	Subject: R: [Full-Disclosure] sql injection question
	
	

	Yeah... you are vulnerable to sql-injection.
	You have to replace the single quotes with two quotes in the postdata
	received from the search form.
	
	ASP Ex: Replace(Request.Querystring("SOMETHING"), "'", "' '")
	
	Byeee ;-)
	
	P.S.
	Excuse me for my english :S
	
	-----Messaggio originale-----
	Da: full-disclosure-admin@...ts.netsys.com
	[mailto:full-disclosure-admin@...ts.netsys.com] Per conto di Richard Stevens
	Inviato: mercoled? 15 ottobre 2003 17.58
	A: full-disclosure@...ts.netsys.com
	Cc: David Rees
	Oggetto: [Full-Disclosure] sql injection question
	
	Quick question for the list, if I may,
	
	We have a third party application that we are piloting for using as web
	store front end.
	
	I have no idea on programming sql at all, but have read of some of the sql
	injection techniques on this list.
	
	In the search box on the app, by inserting  ' followed by a space, the
	following message is generated:
	
	----------------------------------------------------------------------------
	----
	
	Technical Information (for support personnel)
	
	Error Type:
	Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
	[Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near
	' insert into @promtable select a.ItemCode, a.SysNumber, a.TechDescription,
	a.InvoiceDescription, a.Classification, a.ProductGrou'.
	/eshop/search.asp, line 265
	
	
	Browser Type:
	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
	
	Page:
	GET
	/eshop/search.asp?SessionId=PR10006210200315411635Q3TLJ310ELW679PQ7Y&QuickSe
	arch=%27+
	
	Time:
	Wednesday, October 15, 2003, 4:45:30 PM
	
	
	
	
	Also, the password for SA is stored in clear text in the site in a text
	config file. This would not strike me as being sensible.
	
	These are both ringing alarm bells !
	
	From this info, would you assume it would be easy for someone skilled in sql
	injection to get unauthorised access to the database?.. or is it not that
	simple?
	
	The input seems to be filtered correctly on the logon.asp, as entering these
	characters has no apparent effect.
	
	TIA
	
	Richard
	
	_______________________________________________
	Full-Disclosure - We believe in it.
	Charter: http://lists.netsys.com/full-disclosure-charter.html
	
	_______________________________________________
	Full-Disclosure - We believe in it.
	Charter: http://lists.netsys.com/full-disclosure-charter.html
	


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ