[thelist] Website Hacked?

Todd Richards todd at promisingsites.com
Wed May 28 21:53:13 CDT 2008


On Wednesday, May 28, 2008 7:38 PM, Chris Anderson wrote:
> That would obviously depend on language/platform being used. What are you
> using again (in case I can help)?

Classic ASP, so it looks like some of your examples were valid for me!  :)


> Actually, it would have been okay - if you used the cleansed integer.
> (i.e. the value of the string *after* it had been converted to an integer)
> For example, if you used Val(id) in ASP to see if that converts without
> error, it will convert "300;INJECTED SQL" as 300.
> If you then use id in the SQL it will append "300;INJECTED SQL".  If
> however you did the following:
>	cleanId = Val(id)
>	Query = "select this from that where id =" & cleanId 
> It would have been fine, because cleanId will only hold an integer 
> (If using a type-safe language, converting the id to an integer variable
> then using that would be even safer)


OK, that does make more sense to me.  I was "checking" the ID, but then
using the same ID and not the "clean" version of it.  Doh!


> It depends on language/platform on *how* but the safest way is to aim to
> handle all errors by showing the user a standard error page with NO
> information on it (except general stuff like "An error occurred, and the
> admin has been notified"). This page should be the same whatever the
> error (you might even wish to use a basic HTML file). The details of the
> error can be stored in logs (event logs, text files, etc) and/or emailed
> to someone (you, admin, etc)

ASP and IIS6.  I do use a custom 404 page that emails me the errors, which
is how I saw the attack happen.  But I need to look a little closer at how
it is handling the errors to make sure that nothing is being given up in the
attempts.

Thanks again!

Todd 
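An added example, not code from the thread: the check-then-use-the-original-string bug Todd describes beside Chris's cleansed-integer fix, written in Python with sqlite3 standing in for Classic ASP (the `val()` helper here is assumed to mimic the Val() behaviour Chris describes: read the leading digits, ignore the rest).

```python
import re
import sqlite3
from typing import Optional

# Assumed emulation of Val(): "300;INJECTED SQL" -> 300, "abc" -> None.
# The important property is that trailing junk is silently ignored.
def val(s: str) -> Optional[int]:
    m = re.match(r"\s*([-+]?\d+)", s)
    return int(m.group(1)) if m else None


def build_query_vulnerable(raw_id: str) -> Optional[str]:
    """Todd's original pattern: 'check' the id, then concatenate the RAW string."""
    if val(raw_id) is None:
        return None
    # The check passed, but everything after the digits still reaches the SQL.
    return "select this from that where id = " + raw_id


def build_query_cleansed(raw_id: str) -> Optional[str]:
    """Chris's fix: only the cleansed integer is ever placed in the query."""
    clean_id = val(raw_id)
    if clean_id is None:
        return None
    return "select this from that where id = " + str(clean_id)


def lookup_parameterised(conn: sqlite3.Connection, raw_id: str) -> Optional[str]:
    """Stronger still: bind the typed value, so no user text is part of the SQL."""
    clean_id = val(raw_id)
    if clean_id is None:
        return None
    row = conn.execute("select this from that where id = ?", (clean_id,)).fetchone()
    return row[0] if row else None


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table matching the column/table names in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table that (id integer primary key, this text)")
    conn.executemany("insert into that values (?, ?)",
                     [(300, "row-300"), (301, "row-301")])
    return conn


if __name__ == "__main__":
    tainted = "300;INJECTED SQL"
    print("vulnerable:", build_query_vulnerable(tainted))
    print("cleansed:  ", build_query_cleansed(tainted))
    print("bound:     ", lookup_parameterised(demo_db(), tainted))
```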



