(ot) URL Hack Attempt Leaves Me Scratching My Head To Ben Forta

Author:
Al Musella, DPM
07/25/2008 12:08 PM

Ben,

Seeing as how this type of SQL injection attack is succeeding so much (even my favorite fishing website has been down for days due to it (it is a .cfm site))... how about changing cfquery so that by default, only ONE SQL statement can be sent. Let us override that with a parameter in cfquery or a cfprocessingdirective type of thing in our Application.cfm. I doubt many people use multiple SQL statements in one cfquery, and those that do are probably advanced enough to know to add the parameter for allowing it. You can call this enhancement request cf_trainingWheels.

How many people out there group together (intentionally) multiple SQL statements in one cfquery? (Like "select email from users where id=1; drop table users")

Al

Author:
Robert Harrison
07/25/2008 12:18 PM

> how about changing cfquery so that by default...

NO NO NO NO NO NO NO NO!!!!!!!! I've used nested SQL all the time, and I've got over 100 web sites up. Validate and use REREPLACE and CFQUERYPARAM and you're fine. Don't ever make a function change that kills existing code written correctly.

Robert B. Harrison
Director of Interactive services
Austin & Williams
125 Kennedy Drive, Suite 100
Hauppauge NY 11788
T : 631.231.6600 Ext. 119
F : 631.434.7022
www.austin-williams.com
Great advertising can't be either/or... It must be &.

Author:
Matt Quackenbush
07/25/2008 12:45 PM

+Infinity. (I'd add some sort of really intelligent comment, but, well, Robert already covered that part.)

Author:
Robert Harrison
07/25/2008 01:04 PM

Sorry for the outburst, but that scared me. I could just see me telling all my clients, well, that used to work. Sorry about that. :-)

Robert B. Harrison
Director of Interactive services
Austin & Williams
125 Kennedy Drive, Suite 100
Hauppauge NY 11788
T : 631.231.6600 Ext. 119
F : 631.434.7022
www.austin-williams.com
Great advertising can't be either/or... It must be &.

Author:
Al Musella, DPM
07/25/2008 02:49 PM

OK.. You are right.. drop my request.. but I would request 3 other enhancements to Dreamweaver to make these changes easier:

1. Put the SQL queryparam on the main CF toolbar.
2. When you right click the file name in the Files area you can select PUT. I would like to add that functionality to the tab with the filename on the top toolbar. So you can right click the tab and select put, instead of having to search in the list for the file name.
3. When I open a page that has an object tag on it, I get a warning that I screwed up and would I like Dreamweaver to fix it. How about adding to that a check for cfqueryparams when you save a page with cfqueries in it and warn when there are none?

I think I got it under control.. at least on my most popular sites. Luckily the others are way down in the Google rankings..

Author:
Dave Francis
07/25/2008 12:19 PM

I find it useful on occasion with INSERT then SELECT @IDENTITY

Author:
John Rossi
07/25/2008 12:28 PM

I also use this to get the new key on inserted records, and have used cfqueryparam for years to protect against this sort of attack, and for performance reasons. Functionality shouldn't be sacrificed just to protect careless developers from themselves.

John

Author:
Jochem van Dieten
07/25/2008 12:32 PM

Al Musella, DPM wrote:
> Seeing as how this type of sql injection attack is succeeding so
> much (even my favorite fishing website has been down for days due to
> it (it is a .cfm site))...
> how about changing cfquery so that by default, only ONE sql
> statement can be sent.

That is a *very* bad idea since it would require CF to understand SQL. And not just SQL as the standard defines it, but every dialect implemented by every database. There is no way that CF would be able to reliably do that.

If you want an example of how bad this would be just try and see what happens if you take one of your current datasources, go to advanced properties and unselect every operation except SELECT. Then run the following statements:

<cfquery ...>
-- x
DROP TABLE x
</cfquery>

<cfquery ...>
SELECT 'test some string ; DROP c' FROM x
</cfquery>

<cfquery ...>
SET nocount on
DROP TABLE x
SET nocount off
</cfquery>

ColdFusion is a CFML engine. Everything that isn't CFML should be treated as opaque. (And the current 'feature' to limit SQL operations should be ripped out.)

Jochem
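To make the argument above concrete, here is an added Python example (not code from the post, from ColdFusion, or from any tool named in this thread). It counts statements the way a CF-side "only one statement" guard would have to, first with a bare semicolon count and then with a scanner that does respect string literals and comments; the three queries are the ones from the post, the MySQL query is constructed.

```python
"""Added example: why a CF-side "only one SQL statement" guard cannot be made reliable."""


def naive_count(sql: str) -> int:
    """The simplest possible guard: every ';' ends a statement."""
    return sql.count(";") + 1


def count_statements(sql: str) -> int:
    """Count statements while skipping string literals ('' is an escaped quote, per the
    SQL standard), -- line comments and /* */ block comments. A ';' only counts when
    some non-blank text preceded it, so a trailing ';' is not a second statement."""
    count, pending, i, n = 0, False, 0, len(sql)
    while i < n:
        c = sql[i]
        if c == "'":
            i += 1
            while i < n:
                if sql[i] == "'":
                    if sql.startswith("''", i):
                        i += 2
                        continue
                    break
                i += 1
            i += 1  # step past the closing quote
            pending = True
        elif sql.startswith("--", i):
            nl = sql.find("\n", i)
            i = n if nl < 0 else nl + 1
        elif sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            i = n if end < 0 else end + 2
        elif c == ";":
            count += int(pending)
            pending = False
            i += 1
        else:
            pending = pending or not c.isspace()
            i += 1
    return count + int(pending)


# The three queries from Jochem's post, each the body of one cfquery.
COMMENT_THEN_DROP = "-- x\nDROP TABLE x"
SEMICOLON_IN_STRING = "SELECT 'test some string ; DROP c' FROM x"
TSQL_NO_SEMICOLONS = "SET nocount on\nDROP TABLE x\nSET nocount off"
# Constructed: legal MySQL, where a backslash escapes the quote (a non-standard dialect rule).
MYSQL_BACKSLASH = "SELECT 'it\\'s; fine'"


def verdicts():
    """(naive, careful, actual) statement counts for each query. The careful scanner fixes
    the false positive on SEMICOLON_IN_STRING, but still reports 1 for the T-SQL batch
    (three statements, no semicolons) and 2 for the MySQL literal (one statement):
    statement boundaries are dialect rules, which is Jochem's point."""
    return {
        "comment_then_drop": (naive_count(COMMENT_THEN_DROP), count_statements(COMMENT_THEN_DROP), 1),
        "semicolon_in_string": (naive_count(SEMICOLON_IN_STRING), count_statements(SEMICOLON_IN_STRING), 1),
        "tsql_no_semicolons": (naive_count(TSQL_NO_SEMICOLONS), count_statements(TSQL_NO_SEMICOLONS), 3),
        "mysql_backslash": (naive_count(MYSQL_BACKSLASH), count_statements(MYSQL_BACKSLASH), 1),
    }


if __name__ == "__main__":
    for name, (naive, careful, actual) in verdicts().items():
        print(f"{name:20} naive={naive} careful={careful} actual={actual}")
```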

Author:
Josh Nathanson
07/25/2008 12:32 PM

That is more a function of the db. I know that by default, MySQL does not allow multiple SQL statements. You have to change a setting to allow this. I suppose this could be added to CF as well, but it would have to allow multiples by default, so that it would be backwards compatible. So you'd still have to remember to switch it off.

-- Josh

Author:
Greg Morphis
07/25/2008 12:41 PM

If you spent more time securing your variables then it wouldn't be much of a problem. E.g. if you create a database field lname char(50), in CF check the length before passing that variable to your CFQUERY. There's isnumeric() to check for numbers; there are ways to help protect yourself from this without going to the extreme that you suggest.

Author:
Claude Schneegans
07/25/2008 01:22 PM

>> That is more a function of the db.

Exact, and I don't see how CF could prevent multiple execution. It should compile the SQL code for that, and it does not. Unless ODBC/JDBC drivers have a function to disable it.

--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.

Author:
Claude Schneegans
07/25/2008 01:18 PM

>> how about changing cfquery so that by default, only ONE sql
>> statement can be sent. Let us override that with a parameter in
>> cfquery or a cfprocessingdirective type of thing in our application.cfm..

Pretty good idea.

>> I doubt many people use multiple sql statements in one cfquery,

Also note that certain databases, like Access, won't allow multiple statements anyway.
... I know, I know, some ayatollah will say "NEVER use *Access*"...

--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.

Author:
Mark Kruger
07/25/2008 01:22 PM

I have to hand it to Claude - he definitely has confidence :)

Author:
Claude Schneegans
07/25/2008 01:49 PM

>> I have to hand it to Claude - he definitely has confidence

Well, unless ODBC and JDBC have some function to enable/disable multi statements, it would certainly be much trouble to implement this in CF. I've checked rapidly in the ODBC docs, and I don't see any reference to multi statement. Anyway, if the option was available, it shouldn't be the default, for sure.

--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.

Author:
Radek Valachovic
07/25/2008 02:14 PM

RiaForge.org doesn't work, tried to get the cfqueryparam scanner: http://qpscanner.riaforge.org/ Does anybody know what happened?

Radek

Author:
Brad Wood
07/25/2008 02:19 PM

Hmm, it appears to be down-- and Ray is on vacation. I can post it on my blog temporarily if I need to.

Today is Operation cf_SQLprotect!
http://www.codersrevolution.com/index.cfm/2008/7/24/Announcing-the-first-ever-International-Operation-cfSQLprotect

~Brad

Author:
Radek Valachovic
07/25/2008 02:24 PM

I have it installed already, but other guys in forums are asking for a scanner so I suggested that one, and when I came to RiaForge it didn't work so I was wondering why. Thanks anyway, but I think on your new page you should post it there too, to download from your server or blog with credits to RiaForge.

Radek

Author:
Radek Valachovic
07/25/2008 02:28 PM

What do you think about this solution for sites with 5000 files: http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9259 and scroll to, or just press CTRL+F and find on the page: Luis Melo Says: July 24th, 2008 at 9:51 am <http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html#comment-9228>; What do you think about it?

Author:
Mary Jo Sminkey
07/25/2008 03:44 PM

> What do you think about this solution for sites with 5000 files:

This looks similar to the solution I am providing to my customers (I have a lot that run old releases that are not as well protected as my current one and have little desire to either update their software *or* the code). I used the RegEx that Gabriel posted (sorry, don't know your last name as I read this list online, let me know and I'll add that to the credits!) and made a URL/Form scanner that will abort the page if it finds anything illegal. This looks quite a bit more sophisticated, so it depends on how much you are getting hit, and how aggressive you want to get. My simple tool is here, feel free to download and modify as you wish.

http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=17

--- Mary Jo

Author:
Mary Jo Sminkey
07/25/2008 04:24 PM

> Ok gonna check that out thanks.

I just uploaded a new version that includes the cookie scope, and commonly used CGI vars as well. While this has been a headache to deal with, at least it might convince more of my customers to get around to updating their sites. ;-) It often doesn't matter how often you tell them that updating is important to keep their sites secure from attacks, they just don't want to spend the money to do it...until they actually get hit.

--- Mary Jo

Author:
Radek Valachovic
07/25/2008 04:44 PM

Tell me about it. I told one of my customers (e-commerce store) to back up the DB often (if you do some edits to the DB, make a backup!!!) and told him to buy a hard drive or a RAID 1 or RAID 5 solution to back up the DB and website; he said no no no, expensive. 6 days ago he got hit because whoever made this site never used cfqueryparams, and I showed him what happened. He freaked out and told me to buy those hard drives :) They react after the hit - always !!!! Cause they wanna save money. Thanks for the update of the .cfm, gonna look at it.

Radek

Author:
Gabriel
07/27/2008 08:08 PM

To anyone who happened to use the regex I posted earlier I have an updated method to be used in place, effective immediately.

// Short list of db objects to protect
DBObj.short = 'database|function|procedure|role|table|trigger|user|view';

// Sql Threat Indicators. The value is lcase()d before scanning, so every
// literal below is lowercase. Each alternative ends in '|' except the last,
// so the /* */ comment pattern is matched on its own.
blackList = '@@|' &
    '(?:alter.*?(#DBObj.short#))|' &
    'cast.*?\(|' &
    'char.*?\([\w]{2}\)|' &
    '(?:create.*?(#DBObj.short#))|' &
    '(?:declare.*?@|cursor)|' &
    'delete.*?from.*?_|' &
    '(?:drop.*?(#DBObj.short#))|' &
    'exec.*?\(|' &
    'insert.*?values.*?\(+?|' &
    'schema[^\w]+?|' &
    'sysobjects|' &
    'truncate.*?table|' &
    'update.*?set+?|' &
    '[sx]p_[\w_]+?|' &
    '\''.*?-{2}|-{2}.*?\''|' &
    '/\*.*?\*/';

// Build the java pattern matcher (compile once; reset() the same matcher for every scan)
rePattern = createObject('java', 'java.util.regex.Pattern');
rePattern = rePattern.compile(blackList);
reMatcher = rePattern.matcher('');

Then use reMatcher.reset(lcase(var_to_scan)).find() to scan the var.

This will fix a problem in which a long string containing too many back references for non-word chars can cause a stack overflow. As much as I love CF, I find the native regex implementation sadly lacking. My apologies to anyone already using it, I guess this is what I get being drawn into posting code I hadn't had a chance to fully test. If anyone has problems with, or enhancements to the above, please let me know.

Also, thank you to Mary Jo for adding me to the credits. My surname is Read FYI in case you still desire to include me.

Regards,
Gabriel Read
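As an added illustration (not Gabriel's, Mary Jo's or Mark's code), here is the blocklist from the post above transcribed into Python's re module and wrapped in a scope scanner of the kind Mary Jo describes; the sample request is constructed, and the harmless form value shows why a pattern blocklist is a stopgap beside cfqueryparam, not a replacement for it.

```python
"""Added example: Gabriel's threat-indicator blocklist as a request-scope scanner."""
import re
from typing import Dict, List, Optional, Tuple

# Gabriel's object list and indicators, transcribed into Python re syntax. The pattern is
# compiled once at import time (the "persistent scope" Mary Jo mentions) rather than per
# request. Every literal is lowercase because the scanned value is lowercased first, and
# the '|' before the /* */ alternative keeps it a separate indicator.
DB_OBJECTS = "database|function|procedure|role|table|trigger|user|view"
BLACKLIST = re.compile(
    "@@|"
    f"(?:alter.*?(?:{DB_OBJECTS}))|"
    r"cast.*?\(|"
    r"char.*?\([\w]{2}\)|"
    f"(?:create.*?(?:{DB_OBJECTS}))|"
    r"(?:declare.*?@|cursor)|"
    r"delete.*?from.*?_|"
    f"(?:drop.*?(?:{DB_OBJECTS}))|"
    r"exec.*?\(|"
    r"insert.*?values.*?\(+?|"
    r"schema[^\w]+?|"
    r"sysobjects|"
    r"truncate.*?table|"
    r"update.*?set+?|"
    r"[sx]p_[\w_]+?|"
    r"'.*?-{2}|-{2}.*?'|"
    r"/\*.*?\*/"
)


def scan_value(value: str) -> Optional[str]:
    """Return the first matched fragment, or None if the value looks clean.
    Mirrors reMatcher.reset(lcase(var_to_scan)).find() from the post."""
    m = BLACKLIST.search(value.lower())
    return m.group(0) if m else None


def scan_request(scopes: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Scan every key in every request scope (url, form, cookie, cgi ...) and return
    (scope, key, fragment) for each hit, so the caller can abort the request and log
    exactly which value tripped which indicator."""
    hits = []
    for scope, values in scopes.items():
        for key, value in values.items():
            fragment = scan_value(value)
            if fragment is not None:
                hits.append((scope, key, fragment))
    return hits


# Constructed sample request, not captured traffic. url.id carries the stacked query from
# Al's opening post; form.comment is ordinary English that the pattern flags anyway.
SAMPLE_REQUEST = {
    "url": {"id": "1; drop table users", "page": "2"},
    "form": {"comment": "Please update the dataset before Friday"},
    "cookie": {"cfid": "12345"},
}

if __name__ == "__main__":
    for scope, key, fragment in scan_request(SAMPLE_REQUEST):
        print(f"{scope}.{key} blocked on {fragment!r}")
```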

Author:
Mary Jo Sminkey
07/27/2008 09:28 PM

> This will fix a problem in which a long string containing too many back
> references for non-word chars can cause a stack overflow. As much as I love
> CF, I find the native regex implementation sadly lacking.

Thanks for the update... I'm not sure if any of my customers are using a host that disables use of CreateObject with java classes, but that would be a possible concern with this change. But I have only run into that once before, so shouldn't be a major issue. I'm thinking for my own application, I'll just load the pattern matcher into a persistent scope so there won't be too much performance hit running it on every page request.

> My apologies to anyone already using it, I guess this is what I get being
> drawn into posting code I hadn't had a chance to fully test. If anyone has
> problems with, or enhancements to the above, please let me know.

I don't know how many of my customers tried the first one I put up, but haven't gotten anything but positive feedback so far, and I haven't put out any new release with it included yet, so thanks for posting the enhancement, I'll give it a good test and let you know if I run into problems. I'll give it a test on Railo as well and make sure it doesn't run into any bumps on it either.

> Also, thank you to Mary Jo for adding me to the credits. My surname is Read
> FYI in case you still desire to include me.

Well, I always try to give credit where it is due, and already had put you on there, just glad to add your surname as well.

--- Mary Jo

Author:
Mark Kruger
07/28/2008 08:50 AM

Gabriel,

Nice job on this. Looks like it works rather splendidly.

-Mark
Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

Author:
Che Vilnonis
07/28/2008 09:49 AM

Gabriel... would you post the page in complete working order with your code modifications? Thanks!

Author:
Mark Kruger
07/28/2008 09:55 AM

Che,

I tested a working example of his code... I posted on my blog if you want the skinny.
http://www.coldfusionmuse.com

-Mark

Author:
Che Vilnonis
07/28/2008 10:04 AM

Thanks Mark. So, the function checkSQLInject(str) and the function checkforattack() are no longer needed from Mary's original blocker.cfm file?

Author:
Mark Kruger
07/28/2008 10:20 AM

Che, That depends... Mary Jo's function does all the scope checking for you ... So you might want to use the reMatcher.reset().find() in Mary Jo's function in place of the call to checkSQLInject() inside of the checkforattack() function. That would make use of Gabriel's code, but keep all the looping/checking inside of Mary Jo's function. You get the best of both worlds that way :)  The code on my blog is a working example, but it's not "drop in" ready - you would still need to check the form and cookie scope for example... So either way you will need to do some tweaking to get it to work for your situation. -Mark

Thanks Mark. So, the function checkSQLInject(str) and the function checkforattack() are no longer needed from Mary's original blocker.cfm file?

Che, I tested a working example of his code... I posted on my blog if you want the skinny. http://www.coldfusionmuse.com -Mark

Gabriel... would you post the page in complete working order with your code modifications? Thanks!

To anyone who happened to use the regex I posted earlier I have an updated method to be used in place, effective immediately.

    // Short list of db objects to protect
    DBObj.short = 'database|function|procedure|role|table|trigger|user|view';

    // Sql Threat Indicators. The value is lowercased before matching, so every
    // indicator is lowercase; each alternative ends with "|" so the last one
    // (the /* ... */ comment check) is not glued onto the one before it.
    blackList = '@@|' &
        '(?:alter.*?(#DBObj.short#))|' &
        'cast.*?\(|' &
        'char.*?\([\w]{2}\)|' &
        '(?:create.*?(#DBObj.short#))|' &
        '(?:declare.*?@|cursor)|' &
        'delete.*?from.*?_|' &
        '(?:drop.*?(#DBObj.short#))|' &
        'exec.*?\(|' &
        'insert.*?values.*?\(+?|' &
        'schema[^\w]+?|' &
        'sysobjects|' &
        'truncate.*?table|' &
        'update.*?set+?|' &
        '[sx]p_[\w_]+?|' &
        '\''.*?-{2}|-{2}.*?\''|' &
        '/\*.*?\*/';

    // Build the java pattern matcher once; reuse the matcher for every value
    rePattern = createObject('java', 'java.util.regex.Pattern');
    rePattern = rePattern.compile(blackList);
    reMatcher = rePattern.matcher('');

Then use reMatcher.reset(lcase(var_to_scan)).find() to scan the var. This will fix a problem in which a long string containing too many back references for non-word chars can cause a stack overflow. As much as I love CF, I find the native regex implementation sadly lacking. My apologies to anyone already using it, I guess this is what I get being drawn into posting code I hadn't had a chance to fully test. If anyone has problems with, or enhancements to the above, please let me know. Also, thank you to Mary Jo for adding me to the credits. My surname is Read FYI in case you still desire to include me. Regards, Gabriel Read

> What do you think about this solution for sites with 5000 files:

This looks similar to the solution I am providing to my customers (I have a lot that run old releases that are not as well protected as my current one and have little desire to either update their software *or* the code). I used the RegEx that Gabriel posted (sorry, don't know your last name as I read this list online, let me know and I'll add that to the credits!) and made a URL/Form scanner that will abort the page if it finds anything illegal. This looks quite a bit more sophisticated, so it depends on how much you are getting hit, and how aggressive you want to get. My simple tool is here, feel free to download and modify as you wish. http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=17 --- Mary Jo
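The scanner below is an added example, not code from this thread, from Gabriel's post or from Mary Jo's download. It shows the pattern Mark describes: compile Gabriel's blacklist once, cache the java.util.regex.Pattern, and do the looping over the request scopes yourself, covering COOKIE and the header-derived CGI variables as well as URL and FORM. The names application.sqlPattern and scanRequestForSQL, the list of CGI keys, the 8000-character cap and the log file name are assumptions made for this example; the blacklist is Gabriel's with the missing "|" before the comment check supplied and sysobjects lowercased to match the lowercased input. It assumes an Application.cfm that has already set an application name.

```cfml
<!--- Added example (not the thread's or Mary Jo's code). Place in
      Application.cfm after <cfapplication name="...">. --->
<cfscript>
    if (not structKeyExists(application, "sqlPattern")) {
        dbObj = "database|function|procedure|role|table|trigger|user|view";
        // Gabriel's indicators; values are lowercased before matching
        blackList = "@@|"
            & "(?:alter.*?(#dbObj#))|"
            & "cast.*?\(|"
            & "char.*?\([\w]{2}\)|"
            & "(?:create.*?(#dbObj#))|"
            & "(?:declare.*?@|cursor)|"
            & "delete.*?from.*?_|"
            & "(?:drop.*?(#dbObj#))|"
            & "exec.*?\(|"
            & "insert.*?values.*?\(+?|"
            & "schema[^\w]+?|"
            & "sysobjects|"
            & "truncate.*?table|"
            & "update.*?set+?|"
            & "[sx]p_[\w_]+?|"
            & "\'.*?-{2}|-{2}.*?\'|"
            & "/\*.*?\*/";
        rePattern = createObject("java", "java.util.regex.Pattern");
        // Compiled once per application, not once per request
        application.sqlPattern = rePattern.compile(blackList);
    }

    // Returns "" when nothing matched, otherwise the "scope.key" that hit.
    function scanRequestForSQL() {
        var matcher = application.sqlPattern.matcher("");
        // CGI keys an attacker controls (assumed list; query_string overlaps url)
        var cgiKeys = "HTTP_USER_AGENT,HTTP_REFERER,PATH_INFO,QUERY_STRING";
        var scopes = structNew();
        var current = structNew();
        var scopeName = "";
        var key = "";
        var value = "";
        var i = 0;
        scopes.url = url;
        scopes.form = form;
        scopes.cookie = cookie;
        // The CGI scope reports every standard key; copy only the ones we want
        scopes.cgi = structNew();
        for (i = 1; i lte listLen(cgiKeys); i = i + 1) {
            scopes.cgi[listGetAt(cgiKeys, i)] = cgi[listGetAt(cgiKeys, i)];
        }
        for (scopeName in scopes) {
            current = scopes[scopeName];
            for (key in current) {
                value = current[key];
                // Skip non-string values (file-upload structs, etc.)
                if (not isSimpleValue(value)) continue;
                // Many lazy quantifiers on a huge value is what blew the stack;
                // refuse oversized values instead of running the regex on them.
                if (len(value) gt 8000) return scopeName & "." & key & " (too long)";
                if (matcher.reset(lcase(value)).find()) return scopeName & "." & key;
            }
        }
        return "";
    }
</cfscript>

<cfset sqlHit = scanRequestForSQL()>
<cfif len(sqlHit)>
    <!--- Log which variable tripped the scan, then refuse the request --->
    <cflog file="sqlscan" type="warning"
           text="Blocked request: #sqlHit# from #cgi.remote_addr#">
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>
```

Two caveats before relying on it. The blacklist is deliberately loose (update.*?set+? also matches a comment field containing "please update your settings"), so run it against a day of legitimate traffic and read the sqlscan log before turning on the abort. And, as Brad notes later in the thread, a scanner like this is a stopgap for code you cannot fix yet; it does not replace cfqueryparam in the queries themselves.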

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Mary Jo Sminkey
07/28/2008 11:11 AM

> The code on my blog is a working example, but it's not "drop in" ready - you
> would still need to check the form and cookie scope for example... So either
> way you will need to do some tweaking to get it to work for your situation.

I'm going to post an updated version of my tool later today, just want to run a few tests on it first. As I noted on your blog though Mark, the original RegEx was Gabriel's work as well. I just used it to create the scanner tool. My ability to write regular expressions is rudimentary at best. ;-) --- Mary Jo

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Mary Jo Sminkey
07/28/2008 12:19 PM

Version 2 of the scanner I did is now available here: http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=18 This has *not* been heavily tested as of yet, so use at your own risk! --- Mary Jo

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Mary Jo Sminkey
07/28/2008 02:21 PM

>This has *not* been heavily tested as of yet, so use at your own risk! There was a little mistake in the scanner I posted earlier that could cause it to hang, if anyone downloaded it before, please grab the updated copy. In just some basic iteration checking, the new version does appear to be significantly more efficient, with an average of 1.5 ms to process a large form submission, versus about 10 ms with the old method. So thanks Gabriel, nice improvement! --- Mary Jo

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Ben Forta
07/25/2008 02:37 PM

RIAForge is back up ...

I have it installed already, but other guys in forums are asking for a scanner, so I suggested that one, and when I came to riaforge it didn't work, so I was wondering why. Thanks anyway, but I think on your new page you should post it there too, to download from your server or blog with credits to RiaForge. Radek

> Hmm, it appears to be down-- and Ray is on vacation.  I can post it on my
> blog temporarily if I need to.
>
> Today is Operation cf_SQLprotect!
>
> http://www.codersrevolution.com/index.cfm/2008/7/24/Announcing-the-first-ever-International-Operation-cfSQLprotect
----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Brad Wood
07/25/2008 02:40 PM

Thanks Ben. I just got done posting it on my blog just in case.  Both scanners can be found here: http://www.codersrevolution.com/index.cfm/2008/7/25/Today-is-Operation-cfSQLprotect ~Brad

> RIAForge is back up ...

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Brad Wood
07/25/2008 02:15 PM

I don't believe DBMSs like MSSQL have a single-statement option.  As has already been pointed out, MySQL does, and it is the default. The setting is at the per-connection level.  If you are using MySQL and know that most of the time you will only have one statement, then create two datasources -- one that allows it and one that does not.  Use as needed.  The inherent problem with any of this is that it still requires the programmer to:

1) use the correct datasource and not be lazy
2) properly secure the queries that allow multiple statements and not be lazy

Worst of all, not all SQL injection attacks require a second statement!!! Many attacks use a union to pull additional data out in a select, and that is _totally_ allowed in MySQL in single-statement mode. Basically, we as programmers don't get out of this one.  We have to be relied upon to consistently do SOMETHING, whether it is use the correct datasource etc. So here's the thing: if you are going to go through the trouble to do ANYTHING, just make sure that we always use cfqueryparam -- that is the only option that will always work without many gotchas.  I think that is energy better spent. ~Brad
----- Excess quoted text cut - see Original Post for more -----
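As an added illustration of Brad's point (example code, not from this thread): the first query below pastes a URL value straight into the SQL text, so whatever a scanner or a single-statement datasource fails to stop becomes part of the statement. The second binds the same value with cfqueryparam, which is what closes the hole regardless of database or driver. The datasource name siteDSN, the users table and the column names are assumptions.

```cfml
<!--- Added example, not code from the thread. "siteDSN" and "users" are assumed. --->

<!--- BEFORE: the value is part of the SQL string. Anything that slips past a
      scanner (a union inside one statement, for instance) runs as SQL, and a
      single-statement datasource does nothing about it. --->
<cfquery name="getUser" datasource="siteDSN">
    SELECT email FROM users WHERE id = #url.id#
</cfquery>

<!--- AFTER: cfqueryparam sends the value to the driver as a typed bind
      parameter, separate from the SQL text. It can never be parsed as SQL,
      and a non-integer id is rejected before the query is sent. --->
<cfquery name="getUser" datasource="siteDSN">
    SELECT email FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- The same applies to string and list inputs: maxlength bounds the value,
      list="true" expands a comma list into one bound parameter per item. --->
<cfquery name="findUsers" datasource="siteDSN">
    SELECT email FROM users
    WHERE lastname = <cfqueryparam value="#form.lastname#"
                                   cfsqltype="cf_sql_varchar" maxlength="50">
      AND id IN (<cfqueryparam value="#url.ids#"
                               cfsqltype="cf_sql_integer" list="true">)
</cfquery>
```

The practical check for a code base of thousands of files is mechanical: search every cfquery body for a # character that is not inside a cfqueryparam tag; each hit is a query of the first kind above and needs converting, whichever datasource it uses.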

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Dave Watts
07/25/2008 12:54 PM

> Seeing as how this type of sql injection attack is succeeding so much (even
> my favorite fishing website has been down for days due to it (it is a .cfm
> site))... how about changing cfquery so that by default, only ONE sql
> statement can be sent.  Let us override that with a parameter in cfquery or
> a cfprocessing directive type of thing in our application.cfm..

The problem with this, as Jochem points out, is that it would require CF to parse SQL. This is a losing battle, as each database will do different things when given an SQL batch. What if databases automatically escape Unicode character sequences? Then CF would have to do the same.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Radek Valachovic
07/25/2008 01:18 PM

Is there any way to stop the botnet from spamming websites? Does the hacker have to stop it? Or, if it is automated, is there any way to stop it right now? Radek
----- Excess quoted text cut - see Original Post for more -----

Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Dave Watts
07/25/2008 02:40 PM

> What do you think about this solution for sites with 5000 files

It may be satisfactory for a temporary fix, to give you enough time to fix your 5000 files. It is almost certainly unsuitable as a permanent solution. This part is fairly vague: "Checks all FORM and URL input for SQL injection code" What does that mean, exactly? Also, this doesn't protect against injection strings in the Cookie or CGI scopes.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Radek Valachovic