Site Server User Input Unvalidated

Reported February 18, 2000 by Nick Southwell
Microsoft Site Server Commerce 3.0


Site Server Commerce has a problem with the Volcano Coffee sample site, and with the equivalent custom site created by the Site Builder Wizard, which uses the same code.

According to Microsoft's bulletin on the matter, the samples could allow inappropriate access to a database on the Web site. Quoting from the bulletin, "The code [used in the sample sites] requests an identification number as one of the inputs, but does not validate it before using it in a database query. As a result, a malicious user could, instead of entering an appropriate input, provide SQL commands. If this were done, the SQL commands would be executed as part of the query, and could be used to create, modify, delete or read data in the database."

This is exactly the same issue that has allowed numerous e-commerce sites to be compromised regardless of their server platform. Non-Microsoft platforms are just as vulnerable when user input reaches a database query unchecked.
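The defect the bulletin describes, shown as an added example (not the Site Server sample code, which is ASP): one lookup pastes the identification number straight into the query text, the other validates it as a number and binds it as a query parameter. The product table and its rows are constructed here for the demonstration.

```python
import re
import sqlite3


def build_sample_db():
    # Constructed in-memory catalogue standing in for the sample site's product table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (pid INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "House Blend", 899), (2, "Dark Roast", 949), (3, "Decaf", 899)])
    return conn


def lookup_unvalidated(conn, raw_pid):
    # The pattern the bulletin warns about: whatever the client sent for the
    # identification number becomes part of the SQL text, so it can carry
    # SQL rather than a number.
    sql = "SELECT name, price_cents FROM products WHERE pid = %s" % raw_pid
    return conn.execute(sql).fetchall()


def is_valid_product_id(raw):
    # Allowlist check: an identification number is a short run of digits, nothing else.
    return isinstance(raw, str) and re.fullmatch(r"[0-9]{1,9}", raw) is not None


def lookup_hardened(conn, raw_pid):
    if not is_valid_product_id(raw_pid):
        raise ValueError("product id must be numeric")
    pid = int(raw_pid)
    # Parameterised query: pid is bound as a value, never spliced into the query text.
    return conn.execute("SELECT name, price_cents FROM products WHERE pid = ?", (pid,)).fetchall()
```

The unvalidated lookup returns the whole table for the constructed input `"1 OR 1=1"`; the hardened lookup rejects that input before any query runs.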

Warning: if you have used code from the sample site to develop your own Web-based applications, be absolutely certain to examine your code for instances where user input is not properly validated before it reaches a database query.


Microsoft has issued a patch for Site Server as well as a FAQ regarding this matter. No Support Online article was available at the time of this writing.

Discovered by Nick Southwell

