Site Server User Input Unvalidated

Site Server Commerce has a problem with the Volcano Coffee sample site as well as the same Custom-site created by the Site Builder Wizard.

According to Microsoft"s bulletin on the matter, the samples could allow inappropriate access to a database on the Web site. Quoting from the bulletin, "The code \[used in the sample sites\] requests an identification number as one of the inputs, but does not validate it before using it in a database query. As a result, a malicious user could, instead of entering an appropriate input, provide SQL commands.  If this were done, the SQL commands would be executed as part of the query, and could be used to create, modify, delete or read data in the database."

This is exactly the same issue that has allowed numerous e-commerce sites to become compromised regardless of their server platform. Even non-Microsoft platforms are vulnerable to unchecked user script input.

Warning: if you have used code from the sample site to develop your own Web-based applications then be absolutely certain to examine your code from instances where user input is not properly validated.

VENDOR RESPONSE

CREDITS
Discovered by Nick Southwell