Die geistigen Wirrungen des Sebastian Bauer
Articles tagged sql injection
Thursday, 1 March 2007
Knorr.de SQL Injection and XSS Vulnerabilities
Author: Sebastian Bauer
Web: http://blog.gjl-network.net
Date: 01/12/07
Vuln. website: http://www.knorr.de
Vulnerability: SQL Injection (Login authentication bypass), XSS
Significance: Very Critical
---------------------------------------------------------
Detailed description:
The site knorr.de runs on a Microsoft SQL Server database with IIS as the web server. The application is written in ASP (Active Server Pages).
The site's login field is vulnerable: user input is not escaped, so it is exposed to SQL injection attacks.
The SQL string used to authenticate the user can be broken out of with a single quote. Because the database server is MS SQL, it is easy to build a valid SQL query and discard the remainder of the original query by appending ;-- which terminates the current statement and turns everything after it into a comment.
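The authentication bypass described above, as an added illustration that is not part of the original advisory and uses no code from knorr.de: a Python stand-in for the ASP login, with an in-memory SQLite table standing in for MS SQL Server (both treat `--` as a comment running to the end of the line), showing the concatenated query beside a parameterized one that closes the hole. The table contents and the `admin` account are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed sample user table; SQLite stands in for MS SQL Server.
    Passwords are stored in clear text only to keep the example short."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO users (username, password) VALUES ('admin', 'correct-horse')")
    con.commit()
    return con


def login_vulnerable(con, username, password):
    """Builds the query by string concatenation, the pattern the advisory
    describes: a quote in the input closes the string literal and ;-- makes
    the database ignore the password check that follows."""
    sql = ("SELECT id FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return con.execute(sql).fetchone() is not None


def login_safe(con, username, password):
    """Parameterized query: the values are bound as data and are never
    parsed as SQL, so quotes and comment markers carry no meaning."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone() is not None


# Constructed input of the kind the advisory describes: closes the string,
# ends the statement, and comments out the rest of the original query.
INJECTED_USER = "admin';--"
```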
Written by Sebastian Bauer in Security at 23:33 | Comments (0) | Trackbacks (0)
Tags for this article: authentication, bypass, injection, knorr, knorr.de, login, security, sql, sql injection
© Copyright 2008, Die Milchtüte design by Sebastian Bauer, based on a port for s9y by nerdwg.org