#1
Access IIF security leak
I've just been experimenting with a few IIF queries in ASP Access and I have had some strange results.
Code:
sql = "SELECT id, name, IIF(section1_enabled = true, section1, ' ') AS sect1 FROM pages WHERE name = '" & page & "'"
It's a simple function that checks if the true/false section1_enabled is true. If it is, it returns section1; otherwise it returns an HTML space. At first I thought the result from the query was just being truncated, but it seems that some of the text at the end of the string is from a different database. I did some googling with a string of text and found a site on the same webserver, so it seems that my query has queried someone else's database. I found this quote:
http://exchangeadvisor.com/doc/12013
but I can't seem to find much else on this security issue. Anyone have any info about this? Didn't know if this was an ASP, Access or Server issue.
__________________
CyberTechHelp
#2
Moved to the security forum.
I don't ever use IIF, but I can't imagine that the function would somehow magically use a different DB. Perhaps there is some caching issue somewhere?
__________________
====== Doug G ====== I didn't attend the funeral, but I sent a nice letter saying I approved of it. --Mark Twain
#3
Thanks, I will ask the webhost about its caching settings.
#4
I may have found a reason for the truncation:
http://www.everythingaccess.com/tut...-of-Memo-fields
It doesn't explain the output of irrelevant text that doesn't exist in the database.
#5
If the host has one database for all the hosted users, it can explain things... but it's really hard to believe any host will be so dumb. Can you replicate the situation, or does it happen only sometimes? Can you post an example or link?
#6
http://computer-helpforum.com/asp/temp/IIFtest.asp
It may not happen every time. You may have to refresh the page several times. You may also have to wait a minute or so between refreshes.
You can see that the database field "section1" is populated with dummy HTML/text. The "sect1" recordset var is truncated at "consectetuer adipiscing e". A lot of the time it will just be truncated (which I now believe to be because the memo field is converted to a text field during the IIF), but sometimes irrelevant text will be added to the end of the string. This added text could be HTML code, part of a querystring or just text.
Here is a screenshot I have just taken:
http://computer-helpforum.com/asp/temp/IIFTest_1.jpg
And here is another:
http://computer-helpforum.com/asp/temp/IIFTest_2.jpg
You will see from the source code that HTML td code has been added and this has broken the rest of the HTML.
PS. None of this added text is in any of my pages/scripts/databases on my webspace.
Here is the script (stripped down basic example for testing):
Code:
<%@LANGUAGE="VBSCRIPT" CODEPAGE="1252"%>
<%
set conn=Server.CreateObject("ADODB.Connection")
conn.Provider="Microsoft.Jet.OLEDB.4.0"
conn.Open Server.MapPath("IIFtest.mdb")
page = "home"
sql = "SELECT id, name, section1, " &_
"IIF(section1_enabled,section1,'Empty') as sect1 " &_
"FROM pages WHERE name = '" & page & "'"
'set rs=Server.CreateObject("ADODB.recordset")
'rs.Open sql, conn
set rs = conn.execute(sql)
If Not rs.EOF Then
id = rs("id")
page = rs("name")
section1 = rs("section1")
section1_HTML = Server.HTMLEncode(rs("section1"))
sect1 = rs("sect1")
sect1_HTML = Server.HTMLEncode(rs("sect1"))
End If
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Untitled Document</title>
<style type="text/css">
<!--
.code {
font-family: "Courier New", Courier, mono;
font-size: 12px;
color: #000000;
background-color: #CCCCCC;
padding: 5px;
border: thin dashed #000000;
margin: 10px;
}
-->
</style>
</head>
<body>
<p>section1</p>
<div class="code"><%= section1 %></div>
<p>section1 HTMLEncode</p>
<div class="code"><%= section1_HTML %></div>
<p>sect1</p>
<div class="code"><%= sect1 %></div>
<p>sect1 HTMLEncode</p>
<div class="code"><%= sect1_HTML %></div>
</body>
</html>
<%
rs.close
conn.close
%>
#7
Man, that's the most weird and bizarre thing I've seen!
Attached is my own screenshot proving it's not a local problem of your host. It's truncating the text after 255 characters:
Code:
<h1>Header1</h1> <p>Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Praesent vestibulum molestie lacus. Aenean nonummy hendrerit mauris. Phasellus porta. Fusce suscipit varius mi.Lorem ipsum dolor sit amet, consectetuer adipiscing e
In my case, it added some date and time (3/10/2006 15:50:22).
Further debugging proved it's not even related to the "section1" field - check this code for example:
Code:
<%@LANGUAGE="VBSCRIPT" CODEPAGE="1252"%>
<%
set conn=Server.CreateObject("ADODB.Connection")
conn.Provider="Microsoft.Jet.OLEDB.4.0"
conn.Open Server.MapPath("IIFtest.mdb")
page = "home"
sql = "SELECT id, name, section1, " &_
"IIF(section1_enabled, '" & MultiString(50, "aa bb cc") & "', 'Empty') as sect1 " &_
"FROM pages WHERE name = '" & page & "'"
'set rs=Server.CreateObject("ADODB.recordset")
'rs.Open sql, conn
set rs = conn.execute(sql)
If Not rs.EOF Then
id = rs("id")
page = rs("name")
section1 = rs("section1")
section1_HTML = Server.HTMLEncode(rs("section1"))
sect1 = rs("sect1")
sect1_HTML = Server.HTMLEncode(rs("sect1"))
End If
Function MultiString(n, s)
Dim result, x
result = ""
For x=1 To n
result = result&s
Next
MultiString = result
End Function
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Untitled Document</title>
<style type="text/css">
<!--
.code {
font-family: "Courier New", Courier, mono;
font-size: 12px;
color: #000000;
background-color: #CCCCCC;
padding: 5px;
border: thin dashed #000000;
margin: 10px;
}
-->
</style>
</head>
<body>
<p>section1</p>
<div class="code"><%= section1 %></div>
<p>section1 HTMLEncode</p>
<div class="code"><%= section1_HTML %></div>
<p>sect1</p>
<div class="code"><%= sect1 %></div>
<p>sect1 HTMLEncode</p>
<div class="code"><%= sect1_HTML %></div>
</body>
</html>
<%
rs.close
conn.close
%>
If you give IIF a return value with more than 255 characters it would truncate it and add some weird stuff. This leads me to believe that IIF takes this information from the computer memory, hijacking memory not its own (buffer overflow). If it's true it's a really, really bad thing!
Last edited by Shadow Wizard : November 30th, 2006 at 08:07 AM.
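As an added example (not code from the thread or its author), here is how the test page could read the Memo column directly and do the conditional in VBScript, so the displayed value never passes through Jet's 255-character Text coercion of expression results, while keeping the IIF column only to flag the truncation and foreign-tail behaviour described above. Table and column names come from the thread; the constants, the parameter name and ResultLooksClipped are this example's own, and the 255-character cap is stated as the assumed cause of the clipping.

```vbscript
<%@LANGUAGE="VBSCRIPT" CODEPAGE="1252"%>
<%
Option Explicit
' Added example, not code from the thread. Jet coerces an IIF() result to a
' Text value capped at 255 characters; the Memo column is therefore read
' directly and the conditional done in VBScript, while the IIF column is kept
' only to check it against the source. Table "pages" and its columns come from
' the thread; the constants and the helper function are this example's own.
Const JET_TEXT_LIMIT = 255
Const adVarChar = 200, adParamInput = 1

Dim conn, cmd, rs, page, enabled, section1, sect1, iifValue, flagged
Set conn = Server.CreateObject("ADODB.Connection")
conn.Provider = "Microsoft.Jet.OLEDB.4.0"
conn.Open Server.MapPath("IIFtest.mdb")
' Parameterised query: the page name no longer goes into the SQL string.
page = "home"
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT section1, section1_enabled, " & _
                  "IIF(section1_enabled, section1, 'Empty') AS sect1 " & _
                  "FROM pages WHERE name = ?"
cmd.Parameters.Append cmd.CreateParameter("pname", adVarChar, adParamInput, 255, page)
Set rs = cmd.Execute

enabled = False : section1 = "" : sect1 = "Empty" : flagged = False
If Not rs.EOF Then
    section1 = rs("section1") & ""            ' Memo read whole, no expression coercion
    enabled = CBool(rs("section1_enabled"))
    If enabled Then sect1 = section1          ' conditional done here, not in Jet
    iifValue = rs("sect1") & ""
    If enabled Then flagged = ResultLooksClipped(section1, iifValue)
End If
rs.Close
conn.Close
' True when the expression result stopped exactly at the Text limit while the
' source is longer, or when it is not a prefix of the source at all (the
' "foreign tail" the thread describes). Either is worth logging.
Function ResultLooksClipped(source, result)
    ResultLooksClipped = (Len(result) = JET_TEXT_LIMIT And Len(source) > JET_TEXT_LIMIT) _
                         Or (Left(source, Len(result)) <> result)
End Function
%>
<html><body>
<p>sect1 (HTML-encoded before output)</p>
<div class="code"><%= Server.HTMLEncode(sect1) %></div>
<% If flagged Then %><p>Warning: the IIF column was clipped or carried text not in section1.</p><% End If %>
</body></html>
```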
#8
That could be it! Doug mentioned caching, but I never thought that it could be using the server's memory/buffer.
Ha, wait till I update my support ticket and tell the hosts. Cheers Shadow.
#9
Yep, that must be the server memory; as Doug said, such text can't just magically appear...
#10
For me it returned:
I got this script error several times:
Code:
Microsoft VBScript runtime error '800a01fb'
An exception occurred: 'sect1'
/asp/temp/IIFtest.asp, line 22
I find it a bit odd that I was getting duplicated results, although there doesn't seem to be a pattern.
__________________
Click the image if at any point you don't like my decision. Scripting problems? Windows questions? Ask the Windows Guru!
#11