 CJWSoft Support Info : ASPBanner Unlimited Version 8.0
Subject Info: sql injection
grmorgan
New User
Joined: May/29/2009
Info: 1
Added: May/29/2009 at 12:20pm

I've been running ASPBanner 8.1 Unlimited without trouble for several years now.

Today, I saw this in place of one of my banners:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC Microsoft Access Driver] Syntax error in query expression '(Banner_ID = 146;create table t) AND Banner_Day = #2009-05-29#'.

In trying to find where that "create table t" would have come from, I saw that the tempstats folder had a file named:

2009-05-29_146;create table t_jiaozhu(jiaozhu varchar(200))_clicks.tmp

so it looks like someone has figured out how to hit the banner system with a request that actually tries to store its own crud into the database.

Has anyone seen this before, and can you recommend a barrier to it?

cwilliams
Admin Group
CJWSoft Web Software Developer
Joined: April/06/2004
Info: 1769
Added: May/29/2009 at 5:04pm

was corrected quite a while back.. I sent an email to everyone but as we all know emails don't always get to people..

I am pm-ing you the 8.3 download which has sql injection prevention methods in it..

just backup/use your existing database and also all the files in the data/config folder...

but copy in the new files over what is there...

__________________

Best Regards, Christopher Williams www.CJWSoft.com
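An added example for readers, not part of the thread and not ASPBanner's code or the 8.3 fix: it rejects any banner id that is not a plain number before a query or temp file name is built, binds the id as a query parameter, and audits tempstats file names for the kind of entry quoted in the first post. The file-name layout, the `stats` table and its columns, the function names and the use of sqlite3 in place of the Access database are all assumptions.

```python
import re
import sqlite3

# Assumed layout, inferred from the single file name quoted in the post:
# <YYYY-MM-DD>_<banner id>_<counter>.tmp
TEMPSTAT_RE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9]{1,9}_[a-z]+\.tmp")
BANNER_ID_RE = re.compile(r"[0-9]{1,9}")


def parse_banner_id(raw):
    """Return the id as an int, or None unless it is a plain decimal number."""
    if isinstance(raw, str) and BANNER_ID_RE.fullmatch(raw):
        return int(raw)
    return None


def audit_tempstats(names):
    """Return the file names that do not fit the strict expected layout."""
    return [n for n in names if TEMPSTAT_RE.fullmatch(n) is None]


def record_click(conn, raw_id, day):
    """Validate the id, then bind it as a parameter instead of concatenating."""
    banner_id = parse_banner_id(raw_id)
    if banner_id is None:
        return False  # reject before any SQL or file name is built
    cur = conn.execute(
        "UPDATE stats SET clicks = clicks + 1 "
        "WHERE banner_id = ? AND banner_day = ?",
        (banner_id, day),
    )
    return cur.rowcount == 1


def demo():
    """Run both checks against constructed data; sqlite3 stands in for Access."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stats (banner_id INTEGER, banner_day TEXT, clicks INTEGER)")
    conn.execute("INSERT INTO stats VALUES (146, '2009-05-29', 0)")
    accepted = record_click(conn, "146", "2009-05-29")
    rejected = record_click(conn, "146;create table t", "2009-05-29")
    clicks = conn.execute("SELECT clicks FROM stats").fetchone()[0]
    flagged = audit_tempstats([
        "2009-05-29_146_clicks.tmp",  # constructed normal name
        "2009-05-29_146;create table t_jiaozhu(jiaozhu varchar(200))_clicks.tmp",
    ])
    return accepted, rejected, clicks, flagged


if __name__ == "__main__":
    print(demo())
```

Any name returned by `audit_tempstats` is worth tracing back to the request that created it in the web server log.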
tparrow
New User
Joined: August/26/2008
Location: United States
Info: 2
Added: November/12/2009 at 8:55am

We're having the same problem.  Can you email me the fix too?  tparrow@boatus.com 

__________________
Terri Parrow Botsford
cwilliams
Admin Group
CJWSoft Web Software Developer
Joined: April/06/2004
Info: 1769
Added: November/12/2009 at 12:14pm

pm'd to u

__________________

Best Regards, Christopher Williams www.CJWSoft.com