Penetration Testing mailing list archives

ASP code testing

From: "Dan Richardson" <dan.richardson () paradise net nz>
Date: Sun, 18 Nov 2001 12:00:06 +1300

I'm currently testing some ASP code on an e-commerce site. My question
is could this be used to execute a buffer overflow exploit?

The following URL:

http://www.asite.com/show/showsomething.asp?ID=5

Will retrieve a legitmate item from the database. By playing with the
number a bit-

http://www.asite.com/show/showsomething.asp?ID=32767

Will generate 

ADODB.Field error '80020009' 

Either BOF or EOF is True, or the current record has been deleted.
Requested operation requires a current record.

But if I bump that number up to 32768 (unsigned integer limit)-

Microsoft VBScript runtime error '800a0006' 

Overflow: 'cint' 

/show/showsomething.asp, line x


Thanks

Dan



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Current thread:

ASP code testing Dan Richardson (Nov 18)
- Re: ASP code testing Bojo (Nov 19)
- Re: ASP code testing Kevin Spett (Nov 19)
- RE: ASP code testing Omar Koudsi (Nov 19)
- <Possible follow-ups>
- Re: ASP code testing rudi carell (Nov 19)