RE: ODBC Injection

Don't use access, access has no security model. Use Oracle or MS SQL or a 
database that you can segment everything off to proceedures, don't allow 
nested triggers, build the e-commerce site so that it calls nothing but 
stored proceedures, and sanitizes the data at the web page, and at the 
stored proceedure.

Just my 2 cents.
r/d



Sometimes MSN E-mail will indicate that the mesasge failed to be delivered. 
Please resend when you get those, it does not mean that the mail box is bad, 
merely that MSN mail is over worked at the time.






> From: "John Cobb" <johnc@nobytes.com>
> To: <webappsec@securityfocus.com>
> Subject: ODBC Injection
> Date: Wed, 30 Nov 2005 11:38:53 -0000
> MIME-Version: 1.0
> Received: from outgoing.securityfocus.com ([205.206.231.27]) by 
> bay0-mc2-f4.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Wed, 30 
> Nov 2005 03:46:14 -0800
> Received: from outgoing.securityfocus.com by outgoing.securityfocus.com     
>      via smtpd (for mx2.hotmail.com [65.54.244.40]) with ESMTP; Wed, 30 
> Nov 2005 03:23:07 -0800
> Received: from lists.securityfocus.com (lists.securityfocus.com 
> [205.206.231.19])by outgoing3.securityfocus.com (Postfix) with QMQPid 
> 040782378A8; Wed, 30 Nov 2005 04:08:04 -0700 (MST)
> Received: (qmail 15179 invoked from network); 30 Nov 2005 11:44:52 -0000
> X-Message-Info: JGTYoYF78jHFMP6CbfCFMasEfsVrXhk4T6J8Qu2hYZQ=
> Mailing-List: contact webappsec-help@securityfocus.com; run by ezmlm
> Precedence: bulk
> List-Id: <webappsec.list-id.securityfocus.com>
> List-Post: <mailto:webappsec@securityfocus.com>
> List-Help: <mailto:webappsec-help@securityfocus.com>
> List-Unsubscribe: <mailto:webappsec-unsubscribe@securityfocus.com>
> List-Subscribe: <mailto:webappsec-subscribe@securityfocus.com>
> Delivered-To: mailing list webappsec@securityfocus.com
> Delivered-To: moderator for webappsec@securityfocus.com
> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
> Thread-Index: AcX1oqPz4JWPUGGmTk+Q1tfkSg65bg==
> X-Virus-Scanned: ClamAV version 0.87, clamav-milter version 0.87 on 
> firebird.worldhq.net
> X-Virus-Status: Clean
> Return-Path: webappsec-return-7204-dan_20407=msn.com@securityfocus.com
> X-OriginalArrivalTime: 30 Nov 2005 11:46:15.0137 (UTC) 
> FILETIME=[AB3E0510:01C5F5A3]
>
> Hello All,
>
> I'm testing an ecommerce app on IIS6 with an M$ Access Database and I have
> found some injection:
>
> http://test.com/test.asp?sIdProduct=1
>
> I get the following error when I insert alpha characters rather than
> numbers.
> I cannot manipulate this much, does anybody have any suggestions?
>
> Eg:
>
> http://test.com/test.asp?sIdProduct=test
>
>
> Database operations error:
>
> ODBC driver does not support the requested properties.
>
> SELECT * FROM Products WHERE idProduct = test
>
> ADODB.Recordset error '800a0e78'
>
> Operation is not allowed when the object is closed.
>
> /test.asp, line 135
>
> Thanks
>
> John Cobb
> www.nobytes.com

_________________________________________________________________
Don?t just search. Find. Check out the new MSN Search! 
http://search.msn.click-url.com/go/onm00200636ave/direct/01/