Site Wizard Input Validation Vulnerability
On some of the sample sites and on custom-built sites created by the Site Builder Wizard, a Request.QueryString value is concatenated directly into a SQL statement. Because this value is not validated, an attacker can append additional SQL text to it. The appended commands are then executed as part of the query and could be used to create, modify, delete, or read data in the database.
Issue
Two sample web sites provided as part of Site Server 3.0, Commerce Edition do not follow security best practices; the code generated by one of the wizards is affected by the same problem. The code requests an identification number as one of the inputs, but does not validate it before using it in a database query. As a result, a malicious user could, instead of entering an appropriate input, provide SQL commands. If this were done, the SQL commands would be executed as part of the query, and could be used to create, modify, delete or read data in the database.
The vulnerability only affects sites that have either deployed the code at issue here, or have used the code as a model for developing custom code. Customers who have deployed the code should apply the patch to ensure that security best practices are followed. Customers who have used the code as a guide in developing their own should refer to the Knowledge Base article referenced below for specific code changes.
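The following is an added example, not code from Microsoft or from the Site Builder Wizard. The wizard-generated pages are classic ASP talking to SQL Server through ADO; this stands the same pattern up in Python with an in-memory SQLite database (a constructed, hypothetical schema with a product table and a sensitive admin table) so it can be run offline. The vulnerable function mirrors the idiom the advisory describes, roughly `"SELECT ... WHERE id = " & Request.QueryString("id")`; the hardened function adds the two fixes the advisory's guidance amounts to: validate that the identification number is actually a number, and bind it as a query parameter rather than pasting it into the SQL text.

```python
import re
import sqlite3
from typing import List

# Constructed sample data standing in for a Commerce Edition site database.
# The tables are hypothetical, not the product's real schema.
PRODUCTS = [(1, "Widget", 9.99), (2, "Gadget", 19.99)]
ADMINS = [("admin", "s3cret")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a product table and a sensitive admin table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.execute("CREATE TABLE admins (login TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    conn.executemany("INSERT INTO admins VALUES (?, ?)", ADMINS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str) -> List[str]:
    """The wizard pattern: the query-string value is pasted straight into the SQL text.

    Equivalent to the classic ASP idiom
        sql = "SELECT name FROM products WHERE id = " & Request.QueryString("id")
    Nothing checks that raw_id is a number, so anything following the number
    becomes part of the statement. Python's sqlite3 binding refuses stacked
    statements ("...; DROP TABLE ..."), so this demo shows only the read-side
    variants; SQL Server accepts multi-statement batches, which is what makes
    the create/modify/delete cases in the advisory possible.
    """
    sql = "SELECT name FROM products WHERE id = " + raw_id
    return sorted(row[0] for row in conn.execute(sql))


def is_valid_id(raw_id: str) -> bool:
    """Allow-list check for an identification number: ASCII digits only, bounded length."""
    return re.fullmatch(r"[0-9]{1,9}", raw_id) is not None


def lookup_hardened(conn: sqlite3.Connection, raw_id: str) -> List[str]:
    """Validate first, then bind the value as a parameter so it never enters the SQL text."""
    if not is_valid_id(raw_id):
        raise ValueError("id must be a number")
    cur = conn.execute("SELECT name FROM products WHERE id = ?", (int(raw_id),))
    return sorted(row[0] for row in cur)


def demo() -> dict:
    """Run both versions against a legitimate id and two constructed injection payloads."""
    conn = make_db()
    tautology = "1 OR 1=1"                                       # returns every product
    union = "1 UNION SELECT login || ':' || pwd FROM admins"     # reads the admin table
    return {
        "normal": lookup_vulnerable(conn, "1"),
        "tautology": lookup_vulnerable(conn, tautology),
        "union": lookup_vulnerable(conn, union),
        "hardened_normal": lookup_hardened(conn, "1"),
        "hardened_rejects": [p for p in (tautology, union) if not is_valid_id(p)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The validation step alone would have stopped both payloads here, but parameter binding is the check that survives the next developer loosening the regex: with a bound parameter the database receives the id as a value, not as text to parse, so there is nothing to append to.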
Affected Products
- Microsoft Site Server 3.0, Commerce Edition
Download
Patch: http://www.microsoft.com/downloads/Release.asp?ReleaseID=18767
Further Details
Source: Microsoft Corporation
Reference: Microsoft Corporation
Updated: February 18, 2000