Microsoft Source Code Analyzer for SQL Injection not warning

  • Question

  • The following code does not cause any warnings when run through MSCA for SQL Injection.

    Code Snippet

    <%
    '-- OPEN CONNECTION TO DATABASE
     if lcase(left(request.ServerVariables("SERVER_NAME"),4)) = "www." then
      strconn = "PROVIDER=SQLOLEDB;DATA SOURCE=dbserver1;DATABASE=dbname;USER ID=dbuser;PASSWORD=dbpwd;"
      Set conn = Server.CreateObject("ADODB.Connection")
     else
      strconn = "PROVIDER=SQLOLEDB;DATA SOURCE=dbserver2;DATABASE=dbname;USER ID=dbuser;PASSWORD=dbpwd;"
      Set conn = Server.CreateObject("ADODB.Connection")
     end if

     'strconn = "PROVIDER=SQLOLEDB;DATA SOURCE=dbserver;DATABASE=dbname;USER ID=dbuser;PASSWORD=dbpwd;"
     'Set conn = Server.CreateObject("ADODB.Connection")

     conn.open strconn

     strUsername = lcase(request("username"))
     strPassword = request("password")

     query = "SELECT passwrd FROM users WHERE email_name = '" & strUsername & "'"
     Set rs = conn.Execute(query)
    %>

    If the two commented lines are uncommented, it still does not raise any warnings, but if you remove the IF..ELSE..END IF statement, it generates the correct warning.

    Thursday, July 3, 2008 11:51 PM

Answers

  • Hi Shawn,

    Thank you for reporting this, we will fix it in the next version of the tool.

    Thanks,

    Bala.

    Tuesday, July 8, 2008 2:41 AM

All replies

  • Hi Shawn,

    We have released an updated version of the tool that should find this issue. Please look at http://blogs.msdn.com/sqlsecurity/archive/2008/07/12/microsoft-source-code-analyzer-for-sql-injection-july-2008-ctp.aspx for more details on this version.

    Thanks,

    Bala Neerumalla

    Saturday, July 12, 2008 12:48 AM
  • Thank you.  It fixed that missed warning, but I found another with the July CTP.

    Code Snippet

    <%
     strConnString = "PROVIDER=SQLOLEDB;DATA SOURCE=dbserver;DATABASE=dbname;USER ID=dbuser;PASSWORD=dbpass;"

      Set conn = Server.CreateObject("ADODB.Connection")
      conn.open strConnString

      sql = "SET XACT_ABORT ON" & vbCrLf 'Line 5
      sql = sql & "BEGIN TRANSACTION" & vbCrLf 'Line 6

      varRegID = request("RegID")

      sql = sql & "UPDATE regSchools SET "
      sql = sql & "Completed = 'Y' "
      sql = sql & "WHERE Registration_ID = " & varRegID & vbCrLf

      sql = sql & "COMMIT TRANSACTION" & vbCrLf 'Line 11
      sql = sql & "SET XACT_ABORT OFF" & vbCrLf 'Line 12

      conn.execute sql
    %>


    If lines 5, 6, 11 and 12 are commented out, it outputs the correct error message.

    Monday, July 14, 2008 11:45 PM
  • And another one not being caught, but it's a little more obscure.

    Code Snippet

    <%
     strConnString = "PROVIDER=SQLOLEDB;DATA SOURCE=dbserver;DATABASE=dbname;USER ID=dbuser;PASSWORD=dbpass;"
      Set conn = Server.CreateObject("ADODB.Connection")
      conn.open strConnString

     'Key/Data pairs should be in the form of <input name="field-1"> where prefix is column name and suffix is record ID
     'Dangerous request item could be modified to something like <input name="field-1;drop table">
      For Each Key in Request.Form
        intDash = instr(key, "-")
        if intDash = 0 then
          strField = key
        else
          strField = left(key, intDash - 1)
          strFieldID = mid(key, intDash + 1)
        end if

        sql = "UPDATE regGroups SET Etype = " & replace(request(key),"'","''") & " WHERE Group_ID = " & strFieldID & vbCrLf
      Next

      conn.execute sql
    %>

    Tuesday, July 15, 2008 12:08 AM
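Added example (not part of the thread, and not code from the analyzer's authors): the three posted snippets rewritten so that request data reaches SQL Server only as typed ADODB.Command parameters and is never spliced into the statement text. The connection string, tables and column names are the ones posted above; the `ExecParam` and `IsPositiveInt` helpers, the `allowedColumns` list and the assumption that `Etype` is an integer column (the original writes its value unquoted) are mine. Whether or not the analyzer flags a concatenation, each of the three posted queries is injectable as written, so the false negatives reported here change what the tool reports, not what an attacker can do. The third snippet is the interesting one: the column name comes from the form field name, which cannot be a parameter, so it is checked against a fixed list instead.

```vbscript
<%
Option Explicit
' Added example, not code from the original thread.  ADO constants are the
' standard values from adovbs.inc, written out so no include file is needed.
Const adCmdText    = 1
Const adParamInput = 1
Const adInteger    = 3
Const adVarChar    = 200

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "PROVIDER=SQLOLEDB;DATA SOURCE=dbserver;DATABASE=dbname;USER ID=dbuser;PASSWORD=dbpass;"

' Run one statement with every "?" bound to the matching entry of params,
' an array of Array(adoType, size, value) triples.  Request data only ever
' reaches SQL Server through these parameters, never through sqlText.
Function ExecParam(sqlText, params)
    Dim cmd, i
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = sqlText
    For i = 0 To UBound(params)
        cmd.Parameters.Append cmd.CreateParameter("p" & i, params(i)(0), adParamInput, params(i)(1), params(i)(2))
    Next
    Set ExecParam = cmd.Execute
End Function

' Strict check for a record ID: decimal digits only.  IsNumeric would also
' accept "1e3", "&H1F" and surrounding spaces, none of which belong in a key.
Function IsPositiveInt(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    IsPositiveInt = re.Test(s)
End Function

' Snippet 1: the user name is bound as a varchar parameter; quotes, comment
' markers or a trailing OR 1=1 in the input are just characters in the value.
Dim rs
Set rs = ExecParam("SELECT passwrd FROM users WHERE email_name = ?", _
                   Array(Array(adVarChar, 255, LCase(Request("username")))))

' Snippet 2: the SET XACT_ABORT / transaction wrapper is constant text and
' stays in the batch; only RegID is data, and it is rejected before it gets
' anywhere near the query unless it is a plain integer.
Dim regId
regId = Request("RegID")
If IsPositiveInt(regId) Then
    ExecParam "SET XACT_ABORT ON; BEGIN TRANSACTION; " & _
              "UPDATE regSchools SET Completed = 'Y' WHERE Registration_ID = ?; " & _
              "COMMIT TRANSACTION; SET XACT_ABORT OFF", _
              Array(Array(adInteger, 0, CLng(regId)))
Else
    Response.Status = "400 Bad Request"
End If

' Snippet 3: the column name arrives in the form field NAME ("field-1"), so it
' cannot be a parameter; it is matched against a fixed list instead, and the
' record ID after the dash must be a plain integer.  Anything else is skipped,
' so a key like "Etype-1;drop table regGroups" never reaches the statement.
' (Assumed: Etype is an integer column, as the unquoted value in the original
' suggests; the list of updatable columns is also an assumption.)
Dim allowedColumns, key, dashPos, colName, recordId, newValue
allowedColumns = "|Etype|"
For Each key In Request.Form
    dashPos = InStr(key, "-")
    If dashPos > 1 Then
        colName  = Left(key, dashPos - 1)
        recordId = Mid(key, dashPos + 1)
        newValue = Request.Form(key)
        If InStr(allowedColumns, "|" & colName & "|") > 0 _
           And IsPositiveInt(recordId) And IsPositiveInt(newValue) Then
            ExecParam "UPDATE regGroups SET " & colName & " = ? WHERE Group_ID = ?", _
                      Array(Array(adInteger, 0, CLng(newValue)), _
                            Array(adInteger, 0, CLng(recordId)))
        End If
    End If
Next

conn.Close
%>
```

With the statements written this way there is no tainted string concatenation left for a static analyzer to miss or to find: the only request-derived text that ever becomes part of a SQL statement is `colName`, and it has passed an exact-match check against a list the page controls. Binding the IDs as `adInteger` also means a non-numeric `RegID` or record ID fails in the page, not as a runtime error inside the transaction.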