asp.net hole

Discussion in 'Members' Lounge' started by pissedoffsol, Oct 7, 2004.

  1. pissedoffsol

    pissedoffsol RETIRED

    Messages:
    49,693
    Likes Received:
    54
    Joined:
    Sep 28, 2002
    Location:
    Retirement Home
    The security hole involves a bug in ASP.NET's handling of URLs, known as "canonicalization." If a visitor to an ASP.NET site substitutes '\' or '%5C' for the '/' character in the URL, they may be able to bypass password login screens. The technique may also work if a space is substituted for the slash. Security researchers say the bug operates differently in Mozilla browsers and Internet Explorer.
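
Added example, not part of the original post and not ASP.NET's own code: a simplified Python model of the canonicalization problem described above, with a prefix check on the raw URL beside a check that decodes and canonicalizes the path before deciding. The `/secure` directory, the function names and the sample paths are assumptions made for illustration.

```python
from urllib.parse import unquote

PROTECTED = "/secure"  # hypothetical protected directory (assumption)

def naive_requires_login(raw_path):
    # Weak check: compares the raw URL text, so only a literal '/' counts
    # as a separator. '\', '%5C' or a space slip past the prefix match.
    return raw_path.lower().startswith(PROTECTED + "/")

def fully_decode(raw_path, max_rounds=5):
    # Percent-decode until the value stops changing, so a doubly encoded
    # separator such as %255C cannot survive one decoding pass.
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    raise ValueError("too many encoding layers")

def authorize(raw_path):
    # Returns "reject", "login" (authentication required) or "public".
    try:
        path = fully_decode(raw_path)
    except ValueError:
        return "reject"
    # Policy choice: refuse ambiguous separators instead of repairing them.
    if not path.startswith("/") or any(c in path for c in "\\ \t%"):
        return "reject"
    segments = [s for s in path.split("/") if s not in ("", ".")]
    if ".." in segments:
        return "reject"
    canonical = ("/" + "/".join(segments)).lower()
    if canonical == PROTECTED or canonical.startswith(PROTECTED + "/"):
        return "login"
    return "public"

if __name__ == "__main__":
    # Constructed sample paths covering the substitutions named in the post.
    for p in ["/secure/admin.aspx", "/secure\\admin.aspx",
              "/secure%5Cadmin.aspx", "/secure%255Cadmin.aspx",
              "/secure admin.aspx", "/Secure//admin.aspx", "/default.aspx"]:
        print(f"{p!r:28} naive={naive_requires_login(p)!s:5} hardened={authorize(p)}")
```

The authorization decision has to be made on the same canonical form the file handler will resolve; any request that is still ambiguous after decoding is refused outright.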
     
  2. pissedoffsol

    pissedoffsol RETIRED

    Messages:
    49,693
    Likes Received:
    54
    Joined:
    Sep 28, 2002
    Location:
    Retirement Home
    hrm, sorry for the quad post- i kept getting an error about the subscription tracker.

    anyone else see that?
     
  3. BodyDroppedNikes

    BodyDroppedNikes ...PENDEJO.... VIP

    Messages:
    10,593
    Likes Received:
    103
    Joined:
    Sep 28, 2002
    Location:
    caught in a mosh...
    nope but i sure as hell don't know what you just said either....LOL
     
  4. 90 accord

    90 accord Chicks dig the box Moderator VIP

    Messages:
    5,008
    Likes Received:
    21
    Joined:
    Sep 29, 2002
    Location:
    Mesa, AZ


    :withstupid:
     
  5. B16

    B16 Super Moderator VIP

    Messages:
    11,539
    Likes Received:
    534
    Joined:
    Sep 30, 2002
    Location:
    yay area, CA
    JSP > ASP
    that is all
     
  6. pissedoffsol

    pissedoffsol RETIRED

    Messages:
    49,693
    Likes Received:
    54
    Joined:
    Sep 28, 2002
    Location:
    Retirement Home
    php > all the rest.

    free + awesome language + tons of services = php

    you can't beat it.
     
  7. B16

    B16 Super Moderator VIP

    Messages:
    11,539
    Likes Received:
    534
    Joined:
    Sep 30, 2002
    Location:
    yay area, CA
    wow, sounds just like java!! ;)
     
  8. phunky.buddha

    phunky.buddha Admin with a big stick Admin VIP

    Messages:
    28,465
    Likes Received:
    228
    Joined:
    Sep 30, 2002
    Location:
    Dallas / Fort Worth, TX
    Yeah... Mozilla has issues interpreting the links in my web page code- it turns the "/" into "%5C" or something and fails to go to the next page.
     
  9. Airjockie

    Airjockie Watanabe Whore!!!

    Messages:
    11,238
    Likes Received:
    166
    Joined:
    Jan 21, 2003
    Location:
    Meriden, CT, USA
    :wacko: :wtf: :gives: :shrug: :shrug2: :hmm: :bonk: :poke: :poop: :lolhammer: :question: :imfucktard: :alcoholic: :beta: :dunno: :toilet: :fosho:
     
  10. corvetteguy

    corvetteguy Senior Member

    Messages:
    888
    Likes Received:
    0
    Joined:
    Sep 29, 2002
    Location:
    Bristol ,CT
    Bri what was that string again

    ' or 1=1 __ :lol:
     
  11. B16

    B16 Super Moderator VIP

    Messages:
    11,539
    Likes Received:
    534
    Joined:
    Sep 30, 2002
    Location:
    yay area, CA
    i think that's the security hole php had. haha, php sucks. :)
     
  12. pissedoffsol

    pissedoffsol RETIRED

    Messages:
    49,693
    Likes Received:
    54
    Joined:
    Sep 28, 2002
    Location:
    Retirement Home
    no, that was ASP 3.

    php uses // or # for comments, not '

    and it was ' OR 1=1 --
     
  13. mdlax1

    mdlax1 Senior Member

    Messages:
    936
    Likes Received:
    1
    Joined:
    Jan 2, 2003
    Location:
    On the Proverbial picked fence of Insanity....
    you can only imagine me and B's situation.. coding in ASP and ASP.net then coding all our freelance in PHP

    it's night and day.. B you ever fuck with CF? i took an advanced SQL class at EEI, chick was using CF to run their SQL queries cause they were too damn cheap to buy SQL server.

    shit is so easy.. does all the compiling work on its own
     
  14. B16

    B16 Super Moderator VIP

    Messages:
    11,539
    Likes Received:
    534
    Joined:
    Sep 30, 2002
    Location:
    yay area, CA
    no, it wasn't in the commenting. and it was php.

    how it works is, say you have a username and password field. you put in the username, and for password you put ' OR 1=1.
    what this does, is the single ' ends the text for the password, then puts in another where clause, OR 1=1, making it always true, which would return that row. :)
     
  15. pissedoffsol

    pissedoffsol RETIRED

    Messages:
    49,693
    Likes Received:
    54
    Joined:
    Sep 28, 2002
    Location:
    Retirement Home


    i hate cfm. i hate tag-based shit. i hate asp.net.
    i code in normal asp all day, but its really not so much asp as it is sql coding and making sp's and views and such...

    home, its all php.


    and the office is SLOOWLY heading my php word, and we are slowly starting to move some things to php.
     
  16. Cashizslick

    Cashizslick !i!i!i!i!i!i!i!i!i!i!i!

    Messages:
    5,751
    Likes Received:
    37
    Joined:
    Aug 15, 2003


    :confused:
     
  17. pissedoffsol

    pissedoffsol RETIRED

    Messages:
    49,693
    Likes Received:
    54
    Joined:
    Sep 28, 2002
    Location:
    Retirement Home


    yes, yes it was. and it was def asp.
    vette guy used to work with me, and we did it at night hacking into asp sites. he can back me up on this.

    ' is NOT a comment in php.

    the reason it worked was, when you entered that string as the password with any username, it would compile like this...

    select * from users where username = 'anynamehere' AND password = '' OR 1=1 --

    which, as you can see, the password will ALWAYS be true- so, all you needed was the name of the administrator and you could log yourself in as the admin.

    the -- is a sql comment, which will stop the rest of the line from compiling in the stored procedure.

    B16, try again :)
     
  18. B16

    B16 Super Moderator VIP

    Messages:
    11,539
    Likes Received:
    534
    Joined:
    Sep 30, 2002
    Location:
    yay area, CA
    i still don't see where commenting has anything to do with it? as far as the ' goes.
    but, it was php that did this, maybe asp did as well, but i know for a fact older php let you do this as well.

    pissedoffsol, try again :)
     
  19. pissedoffsol

    pissedoffsol RETIRED

    Messages:
    49,693
    Likes Received:
    54
    Joined:
    Sep 28, 2002
    Location:
    Retirement Home
    show me where php did this.

    -- is the comment at the end of the statement which is why it only worked in stored procedures.

    a query in the actual asp page would render an error, not a comment.

    asp = '
    sql server = --

    for comments.
     
  20. B16

    B16 Super Moderator VIP

    Messages:
    11,539
    Likes Received:
    534
    Joined:
    Sep 30, 2002
    Location:
    yay area, CA