Security assessment on stored proc vulnerability

From: Calvin Wood (calvin_wood2004@hotmail.com)
Date: Fri May 14 2004 - 23:13:43 EDT


I have just started on a security audit for a client, and through the course
of my work, I have discovered one vulnerability associated with the client's
web user authentication page.

The page authenticates the user over HTTPS by transmitting the username and
password, via a form, to a back-end MS SQL 2000 database. The authentication is
then carried out by a stored proc, which returns a recordset object to the
front-end ASP page if the username/password combination is valid. The ASP
page essentially does this:

' UserName and Password come straight from the form and are concatenated
' into the command text, so a quote in either value changes the statement.
SQLStr = "exec IdentifyUser '" & UserName & "','" & Password & "'"
conn.Open connstr
Set cmd.ActiveConnection = conn
cmd.CommandText = SQLStr
Set rs = cmd.Execute

If rs.EOF Then
    ' invalid username/password combination
Else
    ' valid username/password
End If
...

Now I noticed that the SQLStr is built from the form variable, and it is
vulnerable to SQL injection. This is a definite vulnerability. However, in
my report, I need to specify whether the risk is low/moderate/high. This is
the area I need help on.

The database user associated with the ASP page has full access rights to all
the tables; however, it cannot drop/create objects (i.e., stored procs,
tables, triggers, what have you). While it's possible to inject another SQL
statement, I believe it would be hard to inject a valid statement. You would
need to guess the table name/column name, and you wouldn't know whether you
guessed correctly, due to SQL Server's deferred name resolution.

I am currently tempted to classify it as a low security risk. However, I
just want to find out if anyone else would disagree.

Thanks in advance

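The concatenation in the post has a direct fix on the ASP side that does not depend on how hard a second statement is to guess: call the stored procedure through an ADODB.Command with typed, bound parameters, so the form values are never part of the command text. The following is an added example, not code from the original post or from the client's application. It assumes IdentifyUser takes two varchar parameters (@UserName and @Password; the length of 50 is a guess), that connstr is the existing connection string, and that the procedure still returns a non-empty recordset only for a valid pair.

```vbscript
' ADO constants (the values are fixed in the ADO type library; declared here
' so the page does not need adovbs.inc or a METADATA TYPELIB reference).
Const adCmdStoredProc = 4
Const adVarChar = 200
Const adParamInput = 1

' Returns True when IdentifyUser returns at least one row for the pair.
' Assumed parameter names/lengths: @UserName and @Password, varchar(50).
Function IsValidLogin(connStr, userName, password)
    Dim conn, cmd, rs
    Set conn = CreateObject("ADODB.Connection")
    conn.Open connStr

    Set cmd = CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "IdentifyUser"     ' fixed text: only the proc name
    cmd.CommandType = adCmdStoredProc    ' provider issues an RPC call, not a T-SQL batch

    ' Each value is bound as a typed, length-limited input parameter. A quote
    ' or semicolon in the input is just data; it cannot end the string literal
    ' or start a second statement, because no string literal is ever built.
    cmd.Parameters.Append cmd.CreateParameter("@UserName", adVarChar, adParamInput, 50, userName)
    cmd.Parameters.Append cmd.CreateParameter("@Password", adVarChar, adParamInput, 50, password)

    Set rs = cmd.Execute
    IsValidLogin = Not rs.EOF

    rs.Close
    conn.Close
End Function

' Usage from the login page (Request.Form values are passed as-is; binding,
' not escaping, is what keeps them inert):
' If IsValidLogin(connstr, Request.Form("UserName"), Request.Form("Password")) Then
'     ' valid username/password
' Else
'     ' invalid username/password combination
' End If
```

With the values bound, the command text is constant, so the rating no longer has to rest on the database user's permissions or on how hard it is to guess object names; the same pattern applies to every other stored proc the application calls with form input.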



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:54 EDT