SQL Security Forums
Subject: HackerSafe Vulnerability - MS SQL Database Error Disclosure Vulnerability

longbow (guest)

03/18/2008 9:19 AM
I am attempting to get a HackerSafe certification on our site. We are failing "MS SQL Database Error Disclosure Vulnerability" and need to prevent certain characters in a page in our shopping cart. These characters are ' " ( ) ; - and |. I am not all that familiar with coding this sort of thing. The page is an ASP page. Can anyone suggest how this is done? Point out a good reference? Below is what they want us to do.
--------------------
Implement content parsing on data input fields including URL parameters.
Remove the following characters from any user or dynamic database input: (examples in VBScript)
' (escape the single quote) input = replace( input, "'", "''" )
" (double quote) input = replace( input, """", "" )
) (close parenthesis) input = replace( input, ")", "" )
( (open parenthesis) input = replace( input, "(", "" )
; (semi-colon) input = replace( input, ";", "" )
- (dash) input = replace( input, "-", "" )
| (pipe) input = replace( input, "|", "" )
---------------------------
Here is the code from the page that needs to be modified
-------------------------
<%@ LANGUAGE="VBScript.Encode" %>
<!--#include file="GetOrder.asp"-->
<!--#include file="codepage.asp"-->
<!--#include file="ADOVBS.inc"-->
<!--#include file="IASUtil.asp"-->
<%

ReRun = FGETVar("ReRun","N0","s")

If ReRun = "N0" Then
'Coming through first time
'Set Reorder flag to 1
Session("Reorder") = 1

If Request.Cookies("SalesCart3").HasKeys Then
If Request.Cookies("SalesCart3")("rememberme") = "ON" then
Email = Request.Cookies("SalesCart3")("email")
Password = Request.Cookies("SalesCart3")("password")
Rememberme = Request.Cookies("SalesCart3")("rememberme")
End If
End If

RetrieveDate = Cstr(Date-31)

Else
'coming through as a reorder retrieve stuff from submission and resave cookie
RetrieveDate = FGETVar("RetrieveDate","N/A","s")
Password = FGETVar("Password","N/A","s")
Email = FGETVar("Email","N/A","s")
Rememberme = FGETVar("Rememberme","OFF","s")

If Rememberme = "ON" Then
Response.Cookies("SalesCart3").Expires = Date()+366
Response.Cookies("SalesCart3")("email") = Email
Response.Cookies("SalesCart3")("password") = Password
Response.Cookies("SalesCart3")("rememberme") = Rememberme
Else
Response.Cookies("SalesCart3").Expires = Date()-1
Response.Cookies("SalesCart3")("email") = "NA"
Response.Cookies("SalesCart3")("password") = "NA"
Response.Cookies("SalesCart3")("rememberme") = "OFF"
End If
End IF


'READ STUFF to Database
Dim objSimpleAdo, rstRS, SQLStmt

If Len(Password) = 0 and Len(Email) = 0 Then
Email = "N/A"
Password = "N/A"
End If

If Session ("ChkPayment") = 0 Then
EmailField = "email"
EmailDisplay = "Bill to"
Else
EmailField = "shipemail"
EmailDisplay = "Ship to"
End If

SQLStmt = "SELECT DISTINCTROW customer.*, payment.*, order.* FROM (customer INNER JOIN payment ON customer.Orderid = payment.Orderid) INNER JOIN [order] ON customer.Orderid = order.Orderid "
SQLStmt = SQLStmt & "WHERE Password='" & Password
SQLStmt = SQLStmt & "' and " & EmailField & "='" & Email & "' and Order.OrderDate >= " & RetrieveDate & "; "


Set SimpleAdo = New CSimpleAdo
SimpleAdo.setConnectionString = Session("ConnectionString")
Set RS = SimpleAdo.getRecordSet(SQLStmt)
'Do stuff with the record set

%>

<div align="center">
<center>
<table border="0" width="100%">
<tr>
<td width="100%">
<!--Copyright (C) 1995-2003 ComCity Corporation. All Rights Reserved. SalesCart Family of Products. -->
<p align="center"><strong><font size="2" color="#CE0000">
<map name="FPMap0">
<area alt="Home" coords="4, 4, 62, 59" shape="rect" href="http://www.mydomain.com/default.asp"></map>
<img border="0" src="../images/logo/headder3.gif" usemap="#FPMap0"></font></strong><br>
<strong><font size="2" color="#CE0000"><br>
 </font></strong></p>
<div align="center">
<table border="0" width="690" id="table1" cellspacing="0" cellpadding="0">
<tr>
<td width="50"> </td>
<td width="230">
<img src="chkout_view.gif" alt="" width="526" height="40"></td>
<td width="230" align="center"><script src=https://seal.verisign.com/getseal?host_name=www.mydomain.com&size=S&use_flash=YES&use_transparent=NO></script></td>
</tr>
<tr>
<td width="690" colspan="3">
<p align="center">
 </td>
</tr>
</table>
</div>
<form method="POST" action="reorder2.asp" onsubmit="return FrontPage_Form1_Validator(this)" language="JavaScript" name="FrontPage_Form1">
<div align="center">
<table border="1" width="500" cellspacing="0" cellpadding="2" bordercolordark="#000000" bordercolorlight="#000000" style="border-collapse: collapse">
<tr>
<td width="100%" bgcolor="#000080" colspan="2">
<p align="center">
<font face="Verdana" color="#FFB13E"> <b>Retrieving Past Orders</b></font></td>
</tr>
<tr>
<td width="50%" bgcolor="#000080">
<font face="Verdana" size="2" color="#FFFFFF">Your (<%=EmailDisplay%>) <b>Email
Address:</b></font></td>
<td width="50%" bgcolor="#000080">
 <!--webbot bot="Validation" s-data-type="String" b-allow-letters="TRUE" b-allow-digits="TRUE" b-value-required="TRUE" i-minimum-length="4" --><input type="text" name="Email" size="30" value="<%=Email%>" style="font-family: Arial; color: #000000; font-size: 10pt"></td>
</tr>
<tr>
<td width="50%" bgcolor="#000080">
<font face="Verdana" size="2" color="#FFFFFF">Your  <b>Password:</b></font></td>
<td width="50%" bgcolor="#000080">
<input type="text" name="Password" size="30" value="<%=Password%>" style="color: #000000; font-family: Arial"></td>
</tr>
<tr>
<td width="100%" bgcolor="#000080" colspan="2">
<font face="Verdana" size="2" color="#FFFFFF">I Want to <b>Retrieve
ALL Previous Orders after:</b></font><font color="#FFFFFF" face="Arial" size="2">
<input type="text" name="RetrieveDate" size="8" value="<%= Cstr(Date-31)%>" style="color: #000000; font-family: Arial"><br>
   </font></td>
</tr>
<tr>
<td width="100%" bgcolor="#000080" colspan="2">
<p align="center"><b><font color="#FFFFFF" face="Arial" size="2"><input type="checkbox" name="Rememberme" value="ON" <%
If Rememberme = "ON" Then
response.write ("checked")
End if
%>
>  </font><font color="#FFFFFF" face="Verdana" size="2">Remember My
Settings</font></b><br>
</td>
</tr>
<tr>
<td width="100%" bgcolor="#FFFFFF" colspan="2">
<p align="center">
 <input border="0" src="retrieve.gif" name="I1" type="image"></td>
</tr>
</table>
</div>
<input type="hidden" name="Rerun" value="Yes">
</form>
<p align="center"><font face="Verdana" size="4"><b>Orders</b></font></p>
<%
If CheckRS(RS) = "False" Then
Response.Write ("<p align='center'><b>No Previous Orders Found!</b></p>")
End If
Do While CheckRS(RS)
If CurrentRecord = 0 then
%>
<div align="center">
<table border="1" cellpadding="2" width="690" bgcolor="#000080" bordercolorlight="#000000" bordercolordark="#000000" style="border-collapse: collapse">
<tr>
<td width="12%" valign="middle" align="center">
<font face="Verdana" size="2" color="#FFFFFF"><b>Order#</b></font></td>
<td width="12%" valign="middle" align="center">
<font face="Verdana" size="2" color="#FFFFFF"><b>Order
Date</b></font></td>
<td width="12%" valign="middle" align="center">
<font face="Verdana" size="2" color="#FFFFFF"><b>Grand
Total</b></font></td>
<td width="12%" valign="middle" align="center"> </td>
<td width="13%" valign="middle" align="center"> </td>
</tr>
<%End If%>
<tr>
<td width="12%" valign="middle" align="center" bgcolor="#DDDDDD">
<font face="Arial" size="2"><%= RS("OrderID") %></font></td>
<td width="12%" valign="middle" align="center" bgcolor="#DDDDDD">
<font face="Arial" size="2"><%= RS("OrderDate") %></font></td>
<td width="12%" valign="middle" align="center" bgcolor="#DDDDDD">
<font face="Arial" size="2"><%= MyCurrency(RS("GrandTotal")) %></font></td>
<td width="12%" valign="middle" align="center">
<form method="POST" action="reorder3.asp">
<p><input type="submit" value="Review Items" name="Items"></p>
<input type="hidden" name="PreviousOrder" value="<%= RS("OrderID") %>"><input type="hidden" name="Email" value="<%= Email%>"><input type="hidden" name="Password" value="<%= Password%>">
</form>
</td>
<td width="12%" valign="middle" align="center">
<form method="POST" action="reorder4.asp">
<p><input type="submit" value="Place Entire Order in Cart" name="Items"></p>
<input type="hidden" name="PreviousOrder" value="<%= RS("OrderID") %>"><input type="hidden" name="Email" value="<%= Email%>"><input type="hidden" name="Password" value="<%= Password%>">
</form>
</td>
<%
RS.MoveNext
CurrentRecord = CurrentRecord + 1
Loop
Set SimpleAdo = Nothing
Set RS = Nothing
CurrentRecord = 0
Session("Reorder") = 1
%>
</tr>
</table>
</div>

<p align="center"></p>
<table border="0" cellpadding="2" cellspacing="3" width="100%">
<tr>
<td width="33%" bordercolor="#800000"></td>
<td width="260" bgcolor="#000080" bordercolor="#000080" style="border: 2px solid #000000; padding-left: 4px; padding-right: 4px; padding-top: 1px; padding-bottom: 1px" height="28">
<p align="center"><strong>
<font face="Verdana" color="#FFFFFF" size="2">Present
Order
ID:  </font><font color="#00FF00" face="Tahoma" size="4"> <%= Order%></font><font color="#FFFFFF" size="2"> </font>
</strong></td>
<td width="33%" bordercolor="#800000"></td>
</tr>
</table>
</td>
</tr>
</table>
</center>
</div>

<div align="center">
<table width="690" border="0" style="border-collapse: collapse" bordercolor="#111111" id="table2">
<tr>
<td align="middle" width="258"> </td>
<td align="middle" width="306"> </td>
<td align="middle" width="216"> </td>
</tr>
<tr>
<td align="middle" width="258"><font size="2"><font face="Verdana"><b>
Phone:</b> 603-497-2281 <br>
<b>Fax:</b> 603-497-3783<br>
</font>
<b>
<a style="font-family: Verdana; font-size: 10pt; color: #0000FF; font-weight: bold" href="mailto:info@mydomain.com">Email Us<font face="Verdana"> </font>
</a></b>
</font></td>
<td align="middle" width="306"><font size="2" face="Verdana"><b>Address:</b> <br>
P.O. Box xx<br>
xxxxx, NH 030xx</font></td>
<td align="middle" width="216"><strong><font face="Verdana" size="2">All
Prices are US dollars</font></strong></td>
</tr>
<tr>
<td align="middle" width="792" colSpan="3" bgcolor="#D4D4D4">
<font face="Verdana" size="2">Copyright © 2006  
mydomain, Inc.    All Rights Reserved. </font></td>
</tr>
</table>
</div>

---------------------
many thanks in advance
Chip Andrews
Posts:113

03/19/2008 8:11 PM
You're not going to like this but what you need to do is get yourself a developer who understands how to perform safe data access. There is no "quick fix" to your problem unfortunately. In a nutshell, you need to find someone to change all of the ad hoc SQL code in this page (and the rest of the application) into parameterized queries that clearly define what is query and what is data.

You can look at the SQL Injection FAQ on this site or http://msdn2.microsoft.com/en-us/library/ms161953.aspx

Chip
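As an added illustration of what Chip describes, and not code from either post or from the SalesCart product, here is how the ad hoc SELECT in the posted reorder page could be rewritten as a parameterized ADODB.Command. It assumes the ADOVBS.inc constants the original page already includes (adCmdText, adVarChar, adDate, adParamInput), a connection string in Session("ConnectionString"), and that the CSimpleAdo helper is replaced by a plain ADODB.Connection; the function name OpenReorderRecordset, the parameter sizes, and the use of adDate for the date (the DISTINCTROW keyword suggests an Access/Jet backend; a SQL Server backend would more naturally use adDBTimeStamp) are assumptions to be matched against the real schema. Because the user values never become part of the SQL text, the quote, semicolon and pipe characters in the HackerSafe list no longer need to be stripped or doubled.

```vbscript
<%
' Added example: parameterized replacement for the lookup in reorder2.asp.
' Assumes ADOVBS.inc (adCmdText, adVarChar, adDate, adParamInput) is
' included, as it is on the original page.

Function OpenReorderRecordset(Email, Password, RetrieveDate, EmailField)
    Dim conn, cmd, sql, dateValue

    ' EmailField is picked by the page from two fixed literals, never from
    ' the request; refuse anything else so it cannot become injectable later.
    If EmailField <> "email" And EmailField <> "shipemail" Then
        Err.Raise vbObjectError + 1, "reorder2.asp", "Unexpected email column"
    End If

    ' Validate the date server-side and hand it to ADO as a typed value;
    ' the original spliced it unquoted into the SQL text.
    If IsDate(RetrieveDate) Then
        dateValue = CDate(RetrieveDate)
    Else
        dateValue = Date - 31
    End If

    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Session("ConnectionString")

    ' Only the already-whitelisted column name is part of the statement text;
    ' every user-supplied value travels as a "?" parameter.
    sql = "SELECT DISTINCTROW customer.*, payment.*, [order].* " & _
          "FROM (customer INNER JOIN payment ON customer.Orderid = payment.Orderid) " & _
          "INNER JOIN [order] ON customer.Orderid = [order].Orderid " & _
          "WHERE Password = ? AND " & EmailField & " = ? " & _
          "AND [order].OrderDate >= ?"

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = sql
    ' The size of 50 is an assumed column width; match it to the real schema.
    cmd.Parameters.Append cmd.CreateParameter("pwd", adVarChar, adParamInput, 50, Password)
    cmd.Parameters.Append cmd.CreateParameter("email", adVarChar, adParamInput, 50, Email)
    cmd.Parameters.Append cmd.CreateParameter("since", adDate, adParamInput, , dateValue)

    ' A password or e-mail containing ' ; or | is now just data: the provider
    ' sends it separately from the statement, so no character stripping is needed.
    Set OpenReorderRecordset = cmd.Execute
End Function

' Usage, in place of the original SimpleAdo.getRecordSet(SQLStmt):
' Set RS = OpenReorderRecordset(Email, Password, RetrieveDate, EmailField)
%>
```

The whitelist check on EmailField is there because the one piece of the statement that is still built by concatenation is a column name, and parameters cannot stand in for identifiers; keeping that choice to the two literals the page already uses, and raising an error for anything else, means a later change that reads it from the form cannot quietly reopen the hole. The same pattern (typed parameters for values, a fixed whitelist for any identifier) applies to the other reorder pages the posted forms submit to.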
