Subject FW: Another buffer overflow on IIS
Author Claudio Valderrama C.
I thought you would find this letter interesting. As I understand, this
person worked in the past for an INET security company and moved to MS last
year, again as a security expert. So, if you still think that Access is an
option for an average loaded site, think twice, please.


-----Original Message-----
From: Windows NTBugtraq Mailing List
[mailto:NTBUGTRAQ@...]On Behalf Of David LeBlanc
Sent: Monday, December 25, 2000 17:58
Subject: Re: Another buffer overflow on IIS

At 06:57 PM 12/19/2000 -0300, Jair Pedro wrote:
>A specific SQL instruction works fine under MS-Office, but in an ASP page,
>it causes the CPU usage to grow up until it reaches 100%, and the only
>alternative is to turn off the machine.

Perhaps there are some language difficulties here. What you describe is a
denial of service attack, not a buffer overflow. The two situations have
drastically different implications. An .asp page with some programming
error could possibly cause the same thing to happen.

I wouldn't encourage people to use Access on a web server for anything
other than a very small application with few users. All access to the
database becomes single-threaded.

Also, if you are in the position of allowing untrusted users to add content
to a web site, they most certainly should not be allowed access to
databases without at least some webmaster review, and it is best not to
allow them to add content with scripts at all. Even if the problem you note
were not present, there are a large number of ways to cause problems given
the same preconditions.

David LeBlanc