I think there is a small security threat in the ASP stats code.
When reading through the code i didnt see any checking/cleaning of the pid data,
this could be exploited by an attacker to gain access to your data base
and if u were using the same data base as the rest of your web site
then the attacker could have allot of sensitive information.
I gather MSSQL is exactly the same as MySql when it comes to injection exploits, if so the user could simply change the pid query and inject SQL in a pids var.
Code: Select all
?pid=101704187&pid=101704187&pid=SELECT * FROM `pid2142` WHERE 1
thats just an example it wont work but its not hard to modify that so it would.
correct me if I'm wrong but I'm sure i didn't see any cleaning anywhere in the script.