Re: Pen-tester's analysis of .NET security?

From: Frank Knobbe (frank@knobbe.us)
Date: Wed Mar 24 2004 - 18:24:12 EST


Sorry, gotta correct myself.

> Can't help with white papers, but while doing reviews of sites "powered
> by ASP.NET" I noticed that these mostly use ADODB connections which *MAY*
> escape quotes.

The web app I'm looking at currently was not vulnerable to quotes. But I
just came across additional quote escaping before the command string
hits the ADODB.Command object. Perhaps ADODB is still vulnerable.

In either case, never trust the OS. :)

-Frank




