Penetration Testing mailing list archives

SQL Code


From: "Dan Richardson" <dan.richardson () paradise net nz>
Date: Sat, 1 Dec 2001 08:42:03 +1300

Hi,

I've got a meeting Monday with one of our clients regarding general
security of their website. Most of their IIS config needs sorting out
from what I saw last visit, but their ASP code I'm sure is potentially
vulnerable.

I've tested their logon (www.blah.com/logon.asp) script with the
following. While I'll have access to the code Monday, I'd like to be
able to go in with something revealing right off (usually makes people
sit up and pay attention).

Username: ' OR ''='
Password: <blank>

Yields an 'account is locked out' message rather than a password failure
message regardless of what is put in the password field.

If I use single quotes 

Username: sdf'
Password: <blank> or asdf'

I get:

XYZQBusiness::boMember.CheckValidUser error '80040001'

Invalid advise flags

/_some_dir/verifpwd.asp, line xx

The site allows for users to register as 'guests' for the logon process,
the username format follows:

Username: blah () blah com
Password: somepassword

Being from a networking background and not much of a SQL guru, would it
be possible to enumerate further data from the database and potentially
gain an account listing? Passwords of legitimate users? It is possible
that they are accessing the DB with an 'sa' logon; could this code be
exploited to start attacking the box?

Thanks in advance,

Dan
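
Added example, not part of the original post and not the client's code: a small model of why the two inputs described above behave differently when a logon query is built by string concatenation, next to the parameterized form that treats both as ordinary data. Assumptions: the `members` table, its rows and the function names are hypothetical, and SQLite stands in for the site's ASP and database layer, which the post does not show.

```python
import sqlite3

def make_db():
    # Constructed sample data; the real schema is not shown in the post.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT, password TEXT, locked INTEGER)")
    db.executemany("INSERT INTO members VALUES (?, ?, ?)", [
        ("old.user@example.com", "x", 1),             # locked account, first row
        ("guest@example.com", "somepassword", 0),
    ])
    return db

def _decide(row, password):
    # Plaintext comparison keeps the sample short; real code stores a password hash.
    if row is None:
        return "logon failed"
    stored, locked = row
    if locked:
        return "account is locked out"
    return "ok" if password == stored else "logon failed"

def logon_concat(db, username, password):
    # Hypothetical "before": the username is pasted into the SQL text.
    sql = "SELECT password, locked FROM members WHERE username = '" + username + "'"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return "server error"   # an unbalanced quote breaks the statement
    return _decide(row, password)

def logon_param(db, username, password):
    # Hardened form: the username is bound as data and never parsed as SQL.
    sql = "SELECT password, locked FROM members WHERE username = ?"
    return _decide(db.execute(sql, (username,)).fetchone(), password)

if __name__ == "__main__":
    db = make_db()
    for user in ("' OR ''='", "sdf'", "guest@example.com"):
        print(repr(user), logon_concat(db, user, ""), "|", logon_param(db, user, ""))
```

In this model the concatenated query matches every row for the first input, so the outcome depends on whichever row comes back first, and the stray quote in the second input surfaces as a server-side error; the parameterized query returns a plain logon failure for both.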




