Colin Bowern (Guest)
Posted: Thu Oct 28, 2004 1:40 am
Post subject: Commerce Server and SQL Injection Attacks
Probably best never to assume, so I thought I'd ask: does Commerce Server's interface to SQL check for SQL injection attacks?
Thanks,
Colin
Nihit Kaul [MSFT] (Guest)
Posted: Tue Nov 02, 2004 8:04 am
Post subject: RE: Commerce Server and SQL Injection Attacks
Hi Colin,
Do you have any particular APIs that you wanted to know about? Not sure
what you mean by the interface to SQL?
Thanks,
Nihit Kaul[MSFT]
Commerce Server
http://blogs.msdn.com/nihitk
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
--------------------
From: "Colin Bowern" <colinbowern@nospam.indimensions.com>
Subject: Commerce Server and SQL Injection Attacks
Date: Wed, 27 Oct 2004 16:40:24 -0400
Message-ID: <#HaovUGvEHA.3872@TK2MSFTNGP11.phx.gbl>
Newsgroups: microsoft.public.commerceserver.general
Colin Bowern (Guest)
Posted: Wed Nov 03, 2004 1:24 am
Post subject: Re: Commerce Server and SQL Injection Attacks
About the product in general. There are interfaces to SQL for the Profiles, Catalog, Data Warehouse, etc. If I update a profile or add an item to a catalog or query an item from any one of these subsystems, will they be susceptible to SQL injection attacks? I'm assuming after the last few security bulletins around SQL that the CS2002 product group would have to have undergone a security review. Just want to make sure that this is the case so I don't have to worry about it (or if there is no certainty maybe I will).
Cheers!
Colin
"Nihit Kaul [MSFT]" <nihitk@online.microsoft.com> wrote in message
news:3uzTEBIwEHA.3956@cpmsftngxa10.phx.gbl...
Nihit Kaul [MSFT] (Guest)
Posted: Wed Nov 03, 2004 2:21 am
Post subject: Re: Commerce Server and SQL Injection Attacks
Hi Colin,
From a general product-wide perspective - Yes - we have undergone thorough security reviews for the full product, and CS 2002 has also been tested for SQL injection in various APIs etc. However, there is always the possibility of bugs in some particular APIs - so if you are concerned about a particular API or behavior or stored proc etc., you can ping this alias for the specifics on that API itself.
Thanks,
Nihit Kaul[MSFT]
Commerce Server
http://blogs.msdn.com/nihitk
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
--------------------
From: "Colin Bowern" <colinbowern@nospam.indimensions.com>
References: <#HaovUGvEHA.3872@TK2MSFTNGP11.phx.gbl>
<3uzTEBIwEHA.3956@cpmsftngxa10.phx.gbl>
Subject: Re: Commerce Server and SQL Injection Attacks
Date: Tue, 2 Nov 2004 14:24:31 -0500
Message-ID: <OO5vTGRwEHA.3872@TK2MSFTNGP11.phx.gbl>
Newsgroups: microsoft.public.commerceserver.general
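An added example, not from this thread and not Commerce Server code, of the check Colin is asking about: whether a lookup API lets a caller's string reach the database as statement text. It is written in Python against an in-memory SQLite table as a stand-in for the catalog tables on SQL Server; the Product schema, the sample rows and the CANARY payload are all constructed for the illustration. It puts a concatenated query beside its parameterized form and gives a black-box probe that can be pointed at any lookup function.

```python
import sqlite3

# Constructed sample catalog: a stand-in for a Commerce Server product table.
# The real CS 2002 catalog schema differs; only the injection behaviour matters here.
SAMPLE_PRODUCTS = [
    ("SKU-100", "Red Widget", 9.99),
    ("SKU-200", "Blue Widget", 12.50),
    ("SKU-300", "Internal Test Bundle", 0.0),
    ("SKU-400", "Bob's Widget", 5.00),   # legitimate apostrophe in the data
]

# Tautology payload: closes the quoted literal, then makes the WHERE clause always true.
CANARY = "nonexistent' OR '1'='1"


def make_catalog():
    """Build the in-memory table (SQLite here; SQL Server in a real deployment)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Product (sku TEXT PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO Product VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


def find_by_name_concat(conn, name):
    """Vulnerable form: the caller's string becomes part of the SQL statement text."""
    sql = "SELECT sku FROM Product WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_param(conn, name):
    """Hardened form: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT sku FROM Product WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def injectable(lookup, conn):
    """Black-box check usable against any lookup(conn, value) -> list of rows.

    Queries a value that cannot match, then the same value with the tautology
    appended. If the second call returns more rows, the value reached the
    database as statement text. A lookup that raises a database error on the
    payload is also reported as injectable: the input reached the SQL parser.
    """
    baseline = lookup(conn, "nonexistent")
    try:
        probed = lookup(conn, CANARY)
    except sqlite3.Error:
        return True
    return len(probed) > len(baseline)


if __name__ == "__main__":
    catalog = make_catalog()
    print("concat injectable:", injectable(find_by_name_concat, catalog))  # True
    print("param injectable: ", injectable(find_by_name_param, catalog))   # False
```

The same probe works against a real API without knowing its SQL: call it with a value that cannot match, call it again with that value followed by a quote-closing tautology, and compare result sizes. A widened result set means the value was spliced into the statement; a parameterized query or a stored-procedure parameter passes the payload through as a literal and returns nothing. The apostrophe in "Bob's Widget" shows the other side of the same defect: the concatenated form turns ordinary data into a syntax error, while the parameterized form finds the row.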