From: Wanderley J. Abreu Junior [storm@UNIKEY.COM.BR]
Sent: Thursday, July 29, 1999 3:32 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Yet Another ODBC Bugged ASP Sample Page

Dear Team,

Exploiting ODBC features that come with your sample programs is not a mystery for any of us. So let me add one more ASP sample with similar troubles:

http://server/ASPSamp/AdvWorks/equipment/catalog_type.asp

or yet

http://server/AdvWorks/equipment/catalog_type.asp

It lets you execute shell commands like the other scripts. It is an Active Server Page, so it runs the query as a local user and doesn't need any type of Remote Data Service to access the DSN. It just requires the default DSN (advworks) set.

The exploit command line can be, for instance:

http://server/AdvWorks/equipment/catalog_type.asp?ProductType=|shell("cmd+/c +dir+c:\")|

Sorry if this SERIOUS security failure was already reported.

Regards,

Wanderley Junior
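
Added example, not part of the original message: a log check a server owner could run to find requests that put the `|shell(` expression from the message into a query string, including percent-encoded and double-encoded forms. The W3C extended log layout, the sample lines and the function names are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote_plus

# Sample page named in the message; both URL forms end with this suffix.
SAMPLE_SUFFIX = "/advworks/equipment/catalog_type.asp"
# Pipe followed by shell( as in the posted request, tolerant of case and spaces.
PIPE_SHELL = re.compile(r"\|\s*shell\s*\(", re.IGNORECASE)

# Constructed W3C extended log lines (documentation IPs, invented traffic).
SAMPLE_LOG = r"""#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-07-29 03:40:01 192.0.2.10 GET /AdvWorks/equipment/catalog_type.asp ProductType=Tents 200
1999-07-29 03:41:12 192.0.2.44 GET /AdvWorks/equipment/catalog_type.asp ProductType=|shell("cmd+/c+dir+c:\")| 200
1999-07-29 03:41:30 192.0.2.44 GET /ASPSamp/AdvWorks/equipment/catalog_type.asp ProductType=%7CSHELL%28%22cmd+/c+dir%22%29%7C 200
1999-07-29 03:41:55 192.0.2.44 GET /AdvWorks/equipment/catalog_type.asp ProductType=%257Cshell%2528%2522cmd%2522%2529%257C 500
1999-07-29 03:42:00 192.0.2.10 GET /default.asp - 200
"""

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded pipes are still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(log_text):
    """Return one record per request whose decoded query contains |shell(."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        query = decode_fully(row.get("cs-uri-query", ""))
        if PIPE_SHELL.search(query):
            hits.append({
                "client": row.get("c-ip"),
                "path": row.get("cs-uri-stem"),
                "query": query,
                "status": row.get("sc-status"),
                "sample_page": row.get("cs-uri-stem", "").lower().endswith(SAMPLE_SUFFIX),
            })
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Any hit with `sample_page` set means the AdvWorks sample is still installed and reachable on that server.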