House of Fusion
Home of the ColdFusion Community

Search cf-talk

December 02, 2008

<<   <   Today   >   >>
Su Mo Tu We Th Fr Sa
   1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30 31       

ColdFusion News

Adobe® ColdFusion® 8 Faster than ever
Upgrade Today

Adobe® ColdFusion® 8 The most dramatic release to date
Free Trial

Adobe® ColdFusion® 8 - There’s never been
A better time to be a ColdFusion Developer
Free Trial

Search over 2,500 ColdFusion resources here  >>>      
Home /  Groups /  ColdFusion Talk (CF-Talk)

SQL injection attack on House of Fusion

  << Previous Post |  RSS |  Sort Oldest First |  Sort Latest First |  Subscribe to this Group Next >> 
Sorry for the problems with the House of Fusion site. We've been under
Michael Dinowitz
08/08/08 10:22 A
Yeah, I've gotten a couple today.. but fortunately when Ray built
Scott Stewart
08/08/08 10:36 A
Covering the bases with cfqueryparam is one thing, being mobbed is another.
Michael Dinowitz
08/08/08 10:43 A
and your absolutely right, I've gotten two and query params covered it,
Scott Stewart
08/08/08 10:49 A
> I'm almost flattered that someone thought my site was important enough
Tom Chiverton
08/08/08 11:33 A
Ouch....
Scott Stewart
08/08/08 11:44 A
Which explains why House of Fusion is being so heavily hit. We're literally
Michael Dinowitz
08/08/08 11:44 A
Yep, I turned e-mail notifications off too, leave it on and you can
Ben Forta
08/08/08 11:54 A
Preach it Brother Ben!
Greg Morphis
08/08/08 11:59 A
Geez Ben, tell how you really feel...
Alan Rother
08/08/08 11:59 A
Ben,
Mark Kruger
08/08/08 12:01 P
Tell us how you really feel Ben. :)
Brad Wood
08/08/08 12:02 P
Yep, was curious about that too. I modified Justin's script to not send
Ben Forta
08/08/08 12:09 P
I think alot of us are doing that now.
Alan Rother
08/08/08 12:12 P
Well.......
Andrew Scott
08/11/08 04:40 A
Dang, the brutes thought of everything. I even tried a test to see if the
Brad Wood
08/08/08 12:24 P
very few bots accept cookies. I've never actually seen one that does,
Wil Genovese
08/08/08 12:30 P
>>very few bots accept cookies. I've never actually seen one that does,
Claude Schneegans
08/08/08 12:51 P
>>.... If you use CF to write the bot, for instance ;-)
Gerald Guido
08/08/08 06:15 P
Well, at its most basic level, the process of "accepting a cookie" is really
Brad Wood
08/08/08 01:14 P
Hmmm...
Andrew Scott
08/11/08 04:41 A
Actually, if you read by blog analysis of the zombies:
Brad Wood
08/11/08 11:27 A
> I'm fairly convinced this bot used the Internet Explorer on the victims
Tom Chiverton
08/11/08 11:42 A
> Dang, the brutes thought of everything. I even tried a test to see if the
Brad Wood
08/08/08 12:40 P
Brad,
Mark Kruger
08/08/08 01:03 P
That makes a bit of sense. One difference would probably be if the
Brad Wood
08/08/08 01:09 P
blocking the IPs would probably stop the attacks, but analyzing them is
Andy Matthews
08/08/08 04:08 P
Yeah, I'm well aware of the near impossibility of ever tracking IP address
Brad Wood
08/08/08 04:25 P
> Yeah, I'm well aware of the near impossibility of ever tracking IP address
Eric P
08/08/08 05:06 P
>>Then 20-30 minutes later he would show up again with a different IP.
Claude Schneegans
08/08/08 05:17 P
> >>Then 20-30 minutes later he would show up again with a different IP.
Eric P
08/08/08 05:26 P
> The problem becomes even more difficult to enforce
Brad Wood
08/08/08 07:05 P
<< Also, I'd like to explore the possibility of reporting compromised people to their ISPs. >>
Terry Ford
08/08/08 05:09 P
Well I guess I'm glad I am not the only one dealing with this. I implemented
Matt Robertson
08/08/08 05:49 P
Here are my top 50: Note that the top 1 is in the same subnet as your
Al Musella, DPM
08/09/08 12:39 P
Now look at how many of those are from Asia Pacific Network Info Centre
Bobby Hartsfield
08/09/08 01:02 P
Bobby, what have you been using to look up the origin of the IPs en masse?
Brad Wood
08/09/08 01:35 P
I wrote something a long time ago to automate grabbing specified info from
Bobby Hartsfield
08/09/08 04:44 P
I guess i'm missing something, Bobby. Why does a big share of the
Mike Kear
08/09/08 04:53 P
Because the majority of the IPs I've seen from this one belong to them... as
Bobby Hartsfield
08/09/08 05:37 P
I'd tell you to watch what you suggest on a public forum, but heck-- we
Brad Wood
08/09/08 11:50 P
Suggesting and getting caught doing are 2 different things. IF
Bobby Hartsfield
08/10/08 08:39 A
> Suggesting and getting caught doing are 2 different things. IF
denstar
08/11/08 05:30 P
I'm using WhosOn, an IIS server monitor. It does an auto look up on the
Jenny Gavin-Wear
08/21/08 01:06 A
So far I have done a small non-representative sample of IP's and found
Wil Genovese
08/08/08 05:11 P
> on. So go ahead and just block THE WORLD.
Brad Wood
08/08/08 07:01 P
blocking the IPs would probably stop the attacks, but analyzing them is
Andy Matthews
08/08/08 04:18 P
Ben Forta wrote:
Ian Skinner
08/08/08 12:30 P
Darn, I blew my cover! ;-)
Ben Forta
08/08/08 12:37 P
Ben Forta said ....>
Mike Kear
08/08/08 01:17 P
Mike,
Mark Kruger
08/08/08 02:00 P
Hysterical!!
Andy Matthews
08/08/08 02:22 P
We've also noticed these SQL injection attempts rear their head the
Eric P
08/08/08 02:45 P
They might be doing a screen scrape looking for an error message to see if
Brad Wood
08/08/08 02:56 P
Our site has now seen just over 200,000 attack attempts over the past 48 hours,
Terry Ford
08/08/08 03:50 P
I'm using ionic isapi with the following
Michael Dinowitz
08/08/08 03:58 P
> Here's the rewrite I'm using (linux apache) to keep traffic off the app server.
Matt Williams
08/08/08 07:04 P
Scratch that. declare is case sensitive. Seems to work now.
Matt Williams
08/08/08 07:09 P
Has anyone written a broad-spectrum script (i.e. scrubs URL variables, form
Pete Ruckelshaus
08/08/08 10:54 P
Pete,
Mark Kruger
08/09/08 12:32 A
>1) It protects only against known threats. In order to be excluded we have
Mary Jo Sminkey
08/09/08 11:04 A
> >1) It protects only against known threats. In order to be excluded we
David Lakein
08/12/08 07:15 P
> I also had a concern about thread safety; it's caching the java.util.
Mary Jo Sminkey
08/20/08 02:41 P
I am currently using the SQLprev.cfm from Jochem to stop the onslaught of superfluous bandwidth suckage from my server, but was wondering what the difference would be with this one. I am not looking to start a "my SQL Injection blocker is better than yours", yet trying to educate myself on just what is going on and what is best to do.
David Moore, Jr.
08/20/08 04:33 P
> I am currently using the SQLprev.cfm from Jochem to stop the onslaught
Mary Jo Sminkey
08/20/08 04:51 P
> I am currently using the SQLprev.cfm from Jochem to stop the onslaught of superfluous bandwidth suckage from my server, but was wondering what the difference would be with this one. I am not looking to start a "my SQL Injection blocker is better than yours", yet trying to educate myself on just what is going on and what is best to do.
Justin Scott
08/20/08 05:05 P
When you say "Update Your Code", are you saying using <cfqueryparam>? But even so, the SQL injection still will use up countless resources instead of cutting it off early. So, go back and fix 1,000's of lines of code I have developed over the last 'upteen' years or stop it before it starts? Is this something new to CF8 or just a necessary evil because of SQL Injection Attacks.
David Moore, Jr.
08/20/08 05:19 P
> When you say "Update Your Code", are you saying using <cfqueryparam>?
Mary Jo Sminkey
08/20/08 05:37 P
David Moore, Jr. wrote:
Ian Skinner
08/20/08 05:39 P
> Not trying to pick a fight, becuase I am sure you have forgotten more code
Josh Nathanson
08/20/08 05:39 P
And this is where I am. I have been using CF since 4.5. Very Scary. Glad I have found this list. I am sure to learn a lot. I will try to read and not bother.
David Moore, Jr.
08/20/08 05:43 P
> When you say "Update Your Code", are you saying using <cfqueryparam>? But even so, the SQL injection still will use up countless resources instead of cutting it off early. So, go back and fix 1,000's of lines of code I have developed over the last 'upteen' years or stop it before it starts? Is this something new to CF8 or just a necessary evil because of SQL Injection Attacks.
Justin Scott
08/20/08 05:45 P
Justin,
David Moore, Jr.
08/20/08 05:59 P
> I certainly don't feel picked on. I feel blessed to have a place where I can learn from people who do know so much. And you are right. I (we) only seem to learn under fire. I am a one man business owner in a small town with limited resources and time. 10 hour days, work weekends, what is family time except coaching baseball-soccer-basketball, and I have forgotten what sleep even is. So, what do we do?
Justin Scott
08/20/08 06:21 P
Consider me connected. At the same time, I will try not to just suck the life out of the list and provide substance where I can. I was a morning radio announcer for 20 years before becoming a web programmer, so if you can't remember the name of that song or artist - just ask. :)
David Moore, Jr.
08/20/08 06:31 P
Don't feel bad, David. I am a freelance CF programmer. I spend most
Mike Kear
08/20/08 06:47 P
> P.S. Speaking of Smack Down's. Mary Jo's got a great right cross :) Go
Mary Jo Sminkey
08/20/08 11:34 P
>Actually I am a pacifist at heart and always try to not lose my temper (serves me well with customers, particularly the endlessly annoying ones!)
David Moore, Jr.
08/20/08 11:59 P
As someone who was hit by the attack on the first day. I will say I've
Kelly
08/20/08 05:51 P
>is <cfqueryparam> something a lot of programmers really use?
Eric Cobb
08/20/08 06:03 P
Eric,
Mark Kruger
08/20/08 06:07 P
Well, it is my goal :) not there yet...> Subject: Re: SQL injection attack on House of Fusion> From: cftalk@ecartech.com> To: cf-talk@houseoffusion.com> Date: Wed, 20 Aug 2008 16:59:26 -0500> > >is <cfqueryparam> something a lot of programmers really use?> > > Only the good ones. ;)> > > Thanks,> > Eric> > David Moore, Jr. wrote:> > When you say "Update Your Code", are you saying using <cfqueryparam>? But even so, the SQL injection still will use up countless resources instead of cutting it off early. So, go back and fix 1,000's of lines of code I have developed over the last 'upteen' years or stop it before it starts? Is this something new to CF8 or just a necessary evil because of SQL Injection Attacks. > > > > Not trying to pick a fight, becuase I am sure you have forgotten more code than I will ever know (seriously) and I am probably just being lazy (seriously), but is <cfqueryparam> something a lot of programmers really use? I have never seen <cfqueryparam> used on any tags I have purchased or exchanged and I am afraid all I know is what I have learned from books and forums. This is the first I have ever heard of using <cfqueryparam>.> > > > ~David G. Moore, Jr.> Subject: Re: SQL injection attack on House of Fusion> From: jscott@gravityfree.com> To: cf-talk@houseoffusion.com> Date: Wed, 20 Aug 2008 17:01:42 -0400> > > I am currently using the SQLprev.cfm from Jochem to stop the onslaught of superfluous bandwidth suckage from my server, but was wondering what the difference would be with this one. I am not looking to start a "my SQL Injection blocker is better than yours", yet trying to educate myself on just what is going on and what is best to do. > > My original SQLprev script (http://www.gravityfree.com/_sqlprev.cfm.txt) > just checks for basic SQL keywords with a semicolon in URL variables. > It's a quick and dirty way to give you some protection from bots > short-term while your code base is updated to use best practices and > secure coding methods. Mary Jo's is more thorough in that it checks > additional variable scopes, and can help protect better against > hand-drafted attacks, but may have a higher p> otential for false > positives (though it's improved recently from what I can tell).> > SQLPrev has a version compatible with CF5 for those who need it where > the other script relies on CFMX functions to run. I'm not saying one is > better than the other, they both get the job done. Just use whatever > works best for you, and update your code so that you don't need either > of them <g>.> > > -Justin Scott> > > > > > > > > >
David Moore, Jr.
08/20/08 06:09 P
A while ago I read a totally rivetting book called "The Art Of
Mike Kear
08/20/08 06:36 P
Funny,
Sandra Clark
08/21/08 02:13 P
So, I have found like the "Mother Load" of good programmers who really care about Cold Fusion and take the time to do it right? Becuase every peice of code I have ever gotten from Adobe Exchange or Purchase from other sites has never had <cfqueryparam>. And I know Ben is going to shoot me, because looking back at some of his Advanced books now I see where he says I should be using it.
David Moore, Jr.
08/20/08 06:19 P
> So, I have found like the "Mother Load" of good programmers who really care about Cold Fusion and take the time to do it right?
Justin Scott
08/20/08 06:30 P
> Eric is pretty good at the Smack Down too, Eric The Great takes David
Mary Jo Sminkey
08/20/08 11:37 P
Mary Jo,
David Moore, Jr.
08/20/08 11:48 P
David Moore, Jr. wrote:
Jochem van Dieten
08/21/08 12:55 A
OK. I thought it was from you. I was sent an email with the link to SQLprev.cfm in an email and they referenced I use your suggestion in the email as well. I stuck the two together.> David Moore, Jr. wrote:> > I am currently using the SQLprev.cfm from Jochem
David Moore, Jr.
08/21/08 12:59 A
I've upgraded to the latest version of Mary Jo's tool to filter attempts at SQL injection. It works well, but I found three interesting false positives today.
Matthew Smith
08/22/08 08:23 P
> Can anyone suggest a modification to the code
Mary Jo Sminkey
08/22/08 09:16 P
> My site has community profiles for cities and towns. The URL for these
Mary Jo Sminkey
08/22/08 09:17 P
Mary Jo,
Matthew Smith
08/23/08 12:18 P
> I've done some additional testing and have found that the prior
Mary Jo Sminkey
08/23/08 03:24 P
I think it goes:
denstar
08/08/08 11:22 P
Seeing code solutions to this is cool. but imho its best left to your router/firewall to handle. I'd contact the provider to have them put some better controls in place. These are scenarios that almost delve into why cisco has the zero day features on their gear..
Dana Kowalski
08/11/08 12:27 P
Security in layers.
Wil Genovese
08/11/08 12:48 P
I've tried this on a windows apache server, but it doesn't seem to be
Raymond Camden
08/08/08 11:51 P
A simple look at the docs would state why, but it doesn't appear to
denstar
08/09/08 12:09 A
You can keep it in a different .conf file, and use the Include
denstar
08/09/08 12:11 A
Hmm. I'm having no luck with this. I'm trying it on a blogcfc site, so
Raymond Camden
08/09/08 12:16 A
Strange. And it looks like it /should/ work in the server conf too.
denstar
08/09/08 12:37 A
non-wrapped (and it was grabbed off the web somewhere):
denstar
08/09/08 12:51 A
Theoretically, it would be possible to write a code-review type tool
denstar
08/09/08 12:59 A
No go. It's not life or death - Im still using cfqueryparam, but I'd
Raymond Camden
08/09/08 09:09 A
Ok, I've noticed that when I go to
Raymond Camden
08/09/08 09:16 A
Ray,
Wil Genovese
08/09/08 10:02 A
Still no go for me. I appreciate the help from all.
Raymond Camden
08/09/08 10:19 A
Hi Ray,
Terry Ford
08/09/08 12:56 A
> Hmm. I'm having no luck with this. I'm trying it on a blogcfc site, so
Matt Williams
08/09/08 07:36 A
Depending on your default directory settings in httpd.conf, you may
Jon Clausen
08/09/08 08:55 A
Terry Ford wrote:
Jochem van Dieten
08/09/08 06:28 A
Nimda did not use SQL injection as any sort of primary vector.
Terry Ford
08/09/08 11:27 A
Terry Ford wrote:
Jochem van Dieten
08/09/08 11:56 A
Hysterical!!
Andy Matthews
08/08/08 02:28 P
> even if it is from parasitic bottom-feeding bots created by
Rick Faircloth
08/08/08 01:40 P
I've heard that in Saudi Arabia, a thief has the offending member removed at
Dave Long
08/08/08 02:13 P
>I've heard that in Saudi Arabia, a thief has the offending member removed at
Larry Lyons
08/10/08 09:02 P
You assume much.
William Seiter
08/10/08 11:19 P
You haven't been around teenage boys much recently. That and the XBox are the ONLY things they would miss.
Dave Morris
08/10/08 11:32 P
In the last 7 hours since i set up a counter on it, i've had 2792 on
Mike Kear
08/08/08 10:47 A
Sorry for the "top posting", where are we now in terms of best practice for cf8 protection again sql injection attack? Going through 136+ posts seems a bit too much, many thanks. Some one who has closely monitored this thread probably could help.
Don L
08/15/08 03:55 P
> Sorry for the "top posting", where are we now in terms of best practice for cf8 protection again sql injection attack? Going through 136+ posts seems a bit too much, many thanks. Some one who has closely monitored this thread probably could help.
Justin Scott
08/15/08 04:09 P
But I know all this, I thought the sql injection attack went beyond it, thanks anyway, Justin.
Don L
08/15/08 04:18 P
On Fri, Aug 15, 2008 at 1:12 PM, D
Charlie Griefer
08/15/08 04:30 P
> But I know all this, I thought the sql injection attack went beyond it, thanks anyway, Justin.
Justin Scott
08/15/08 04:34 P
As an FYI: for those that did use Apache configs to stop this attack, if you
Wil Genovese
08/15/08 04:52 P
I am still getting around 50 to 75 attacks a day on about 20 of my websites. I applied the solution from JOCHEM that aborts the attach in the application.cfm file and then sends me an email.
David Moore
08/20/08 02:07 P
>>Not as far as technique, but it was much larger in scale than most of us
Claude Schneegans
08/15/08 06:37 P
They completely stopped on the 11th, but they are back to day spelling it
Brad Wood
08/15/08 06:56 P
And changed
Al Musella, DPM
08/15/08 10:11 P
What I'm curious about, is that there seems to be noone you can report this to?
Mark Mandel
08/16/08 01:02 A
> What I'm curious about, is that there seems to be noone you can report this to?
denstar
08/16/08 04:13 A
Mark Mandel wrote:
Jochem van Dieten
08/16/08 05:41 A
LOL...
Andrew Scott
08/16/08 06:45 A
Andrew Scott wrote:
Jochem van Dieten
08/16/08 08:19 A
Hmmm,
Andrew Scott
08/16/08 09:45 A
Andrew Scott wrote:
Jochem van Dieten
08/16/08 10:38 A
Hmm,
Andrew Scott
08/16/08 11:13 A
Andrew Scott wrote:
Jochem van Dieten
08/16/08 11:33 A
Have you ever done any GORM work?
Andrew Scott
08/16/08 11:40 A
--
Andrew Scott
08/16/08 11:17 A
You'll be happy to know that CF9 is rumoured to include Hibernate with
James Holmes
08/16/08 11:39 A
Man your about 6 months late with that news....
Andrew Scott
08/16/08 11:41 A
>I can't vouch for php, .Net but at least in the Java world ORM reduces that
Dominic Watson
08/16/08 12:33 P
So for six months you've known the feature is coming yet you're still
James Holmes
08/16/08 10:19 P
No I am not arguing about it, I am saying that there is no reason that
Andrew Scott
08/16/08 10:55 P
There are always trade-offs.
denstar
08/16/08 11:49 P
Well at the end of the day, I am currently using hibernate in ColdFusion
Andrew Scott
08/17/08 12:08 A
> Well at the end of the day, I am currently using hibernate in ColdFusion
denstar
08/17/08 12:38 A
LoL...
Andrew Scott
08/17/08 05:23 A
>But hey I am not complaining...
Dave Francis
08/17/08 11:32 A
> Andrew Scott wrote:
denstar
08/16/08 11:17 A
Actually,
Andrew Scott
08/16/08 11:28 A
> I haven't mentioned this before because I do believe that filtering
Brad Wood
08/16/08 12:14 P
>> I haven't mentioned this before because I do believe that filtering
David Moore
08/16/08 12:46 P
I'm doing the request filtering in apache so that it never even
denstar
08/16/08 07:24 P
denstar wrote:
Jochem van Dieten
08/17/08 04:12 A
> denstar wrote:
denstar
08/17/08 05:52 A
denstar wrote:
Jochem van Dieten
08/17/08 12:48 P
Hello folks:
Qing Xia
08/19/08 10:58 A
> denstar wrote:
denstar
08/25/08 03:22 P
> Filtering means "allow unless it matches". A security
Justin D. Scott
08/17/08 11:45 A
>>they are back.
Claude Schneegans
08/16/08 10:54 A
> They completely stopped on the 11th, but they are back to day spelling it
mac jordan
08/16/08 04:52 A
I am new to the post, but I have been programming in CF for over 10 years and know some of you from the CF Forums.
David Moore
08/16/08 12:20 P
> I am new to the post, but I have been programming in CF for over 10 years and know some of you from the CF Forums.
Dominic Watson
08/16/08 12:38 P
David,
Mark Kruger
08/16/08 12:41 P
Man... at this point, after reading about all of these problems with
Rick Faircloth
08/16/08 01:43 P
Rick,
Andrew Scott
08/16/08 10:42 P
Andrew,
Rick Faircloth
08/17/08 08:20 A
Yeah, well my personal blog is on a shared hosting. But it uses Ray's
Andrew Scott
08/17/08 10:14 A
Another not so common approach, is spamstop.
Andrew Scott
08/16/08 10:39 P
>>Going through 136+ posts seems a bit too much, many thanks.
Claude Schneegans
08/15/08 06:35 P
>Sorry for the problems with the House of Fusion site. We've been under
David Moore
08/16/08 12:14 P
Just got nailed myself - dammit - 15 years of knowledge.
Peter Tilbrook
08/26/08 06:52 A
Open the website log with word and do a search for DECLARE
Al Musella, DPM
08/26/08 11:01 A
> Just got nailed myself - dammit - 15 years of knowledge.
denstar
08/26/08 03:29 P
> I've love to get my hands on an infected machine, but that
Dave Watts
08/08/08 01:12 P
> > ... by despicable scum-sucking feeble-excuse-for-a-
Dave Watts
08/08/08 02:11 P
I propose a baseball bat. It works well with both genders.
Michael Dinowitz
08/10/08 11:36 P
Wait, sorry. This is a cf-community thread, not a cf-talk one. It will be
Michael Dinowitz
08/10/08 11:37 P
> Anyway, I propose the dot-com millionaires who left us stuck
Dave Watts
08/11/08 12:14 A
Ah. You're from the "blame the victim" school.
Dave Morris
08/11/08 08:49 A
Ummm but is it not your website that YOU left vulnerable? If you
Greg Morphis
08/11/08 10:07 A
> I'm sure they exist even for CF 4.0
Justin Scott
08/11/08 10:11 A
And that girl who was raped should not have been wearing a skirt.
Dave Morris
08/11/08 10:19 A
I see it as different than pointing fingers.. You ALLOWED it to happen
Greg Morphis
08/11/08 10:23 A
This would probably be more productively viewed as as
Rick Faircloth
08/11/08 10:48 A
Rick,
Mark Kruger
08/11/08 11:28 A
Actually is was Dave Morris who originally used rape to compare the 2.
Greg Morphis
08/11/08 11:34 A
I started not to use the rape analogy and certainly didn't want to
Rick Faircloth
08/11/08 12:00 P
This is totally off topic in this list, but I'll make this comment and
Jenny Gavin-Wear
08/21/08 01:23 A
Rick,
Robert Rawlins
08/11/08 11:30 A
Criticizing someone for negligence is not blaming the victim. If the person who coded the site is so incompetent as not to include a cfqueryparam for any user input that has direct impact on the database, then they deserve to get blamed. What's so difficult about <cfqueryparam cfsqltype="CF_SQL_INTEGER" value="#form.foo#" />
Larry Lyons
08/11/08 11:06 A
Dave Morris wrote:
Jochem van Dieten
08/11/08 12:15 P
...
denstar
08/11/08 08:46 P
> Ah. You're from the "blame the victim" school.
Dave Watts
08/11/08 12:32 P
> Viewing this as a rape case, if a girl was hanging out on a
Dave Watts
08/11/08 12:37 P
> The second is that this is why..... ColdFusion should have
Dave Watts
08/11/08 12:43 P
Interestingly, hibernate is one of the rumoured additions to CF9:
James Holmes
08/11/08 09:46 P
Dave,
Andrew Scott
08/11/08 11:04 P
...
denstar
08/12/08 04:57 A
> You of all people have been around long enough to know, that
Dave Watts
08/12/08 12:31 P
> What is the ASP equivalent of CFQUERYPARAM?
Dave Watts
08/19/08 11:53 A
Neat! Thanks Dave.
Qing Xia
08/19/08 12:37 P
Qing, when you use cfquery with cfqueryparam, a prepared statement is
Brad Wood
08/19/08 01:13 P
> Does this thing just raise it's ugly head every now and then
Dave Watts
08/20/08 05:58 P
Right on Dave... That's a point I've been making as well.
Mark Kruger
08/20/08 06:07 P
The only way I found the SQL Injection Attack was my server kept crawling to a dead hault. I looked in SeeFusion (some softwear I purchased that lets me see what is going on live with the websites) and I noticed that the sites Total Time just kept going up and never resolving, basically every website coming to a hault and bringing my server to a scretching hault. I would reboot CF to get it to unlock. After a scan of Cold Fusion logfiles application.cfm file, I saw this weird URL string and thus my search landed me here.
David Moore, Jr.
08/20/08 06:08 P
> When you say "Update Your Code", are you saying using
Dave Watts
08/20/08 06:36 P
...
denstar
08/25/08 03:39 P
> Have code reviewed and wasn't my CFML (at this stage) so
Dave Watts
08/26/08 09:46 A
> It doesn't work with stored procedures (which shouldn't
Dave Watts
08/26/08 04:00 P
>> It doesn't work with stored procedures (which shouldn't
denstar
08/26/08 07:30 P
That is, unless you concatenate SQL in your stored procedure.
Brad Wood
08/26/08 07:41 P
> That is, unless you concatenate SQL in your stored procedure.
denstar
08/26/08 11:50 P
Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Michael Dinowitz
08/08/2008 10:22 AM

Sorry for the problems with the House of Fusion site. We've been under massive attack by sql injection bots and I've just been able to get a handle on it. A fast solution to the problem is this: <cfif findnocase("';DECLARE", cgi.query_string)><cfabort></cfif> It works unless you have a few hundred attacks at a time. In that case, place a cfmail before the abort and send youself the cgi.remote_addr. Then block it on the webserver level. It works very well. I've blocked a dozen IPs and now the site is back to flying. -- Michael Dinowitz (http://www.linkedin.com/in/mdinowitz) President: House of Fusion (http://www.houseoffusion.com) Publisher: Fusion Authority (http://www.fusionauthority.com) Adobe Community Expert / Advanced Certified ColdFusion Professional

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Scott Stewart
08/08/2008 10:36 AM

Yeah, I've gotten a couple today.. but fortunately when Ray built BlogCFC. he covered his bases. Scott Stewart ColdFusion Developer Office of Research Information Systems Research & Economic Development University of North Carolina at Chapel Hill Phone:(919)843-2408 Fax: (919)962-3600 Email: sastew01@email.unc.edu Michael Dinowitz wrote: ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Michael Dinowitz
08/08/2008 10:43 AM

Covering the bases with cfqueryparam is one thing, being mobbed is another. Sometimes you have to stop these things before any other code is run. I've put that abort script at the top of all my application.cfcs jst to brute force stop the horde. On Fri, Aug 8, 2008 at 10:31 AM, Scott Stewart <sastew01@email.unc.edu>wrote: ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Scott Stewart
08/08/2008 10:49 AM

and your absolutely right, I've gotten two and query params covered it, but it sounds like you're getting hit two pronged. "If the injection doesn't do something, the brute force attack will" I'm almost flattered that someone thought my site was important enough to attack... Scott Stewart ColdFusion Developer Office of Research Information Systems Research & Economic Development University of North Carolina at Chapel Hill Phone:(919)843-2408 Fax: (919)962-3600 Email: sastew01@email.unc.edu Michael Dinowitz wrote: ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Tom Chiverton
08/08/2008 11:33 AM

> I'm almost flattered that someone thought my site was important enough > to attack... They didn't. The attack is probably driving itself based on a Google search ( [inurl:.cfm] ?) . -- Tom Chiverton **************************************************** This email is sent for and on behalf of Halliwells LLP. Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at Halliwells LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB.  A list of members is available for inspection at the registered office. Any reference to a partner in relation to Halliwells LLP means a member of Halliwells LLP.  Regulated by The Solicitors Regulation Authority. CONFIDENTIALITY This email is intended only for the use of the addressee named above and may be confidential or legally privileged.  If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents.   If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 2500. For more information about Halliwells LLP visit www.halliwells.com.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Scott Stewart
08/08/2008 11:44 AM

Ouch.... Thanks Tom... :) -- Scott Stewart ColdFusion Developer Office of Research Information Systems Research & Economic Development University of North Carolina at Chapel Hill Phone:(919)843-2408 Fax: (919)962-3600 Email: sastew01@email.unc.edu Tom Chiverton wrote: ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Michael Dinowitz
08/08/2008 11:44 AM

Which explains why House of Fusion is being so heavily hit. We're literally everywhere on Google. Fusion Authority on the other hand has all of its urls masked to .htm so the only one being attacked there is an old .cfm archive. I'm working on a webserver level fix for this which will bypass the need to block based on IPs. I just need a few moments. The attacks are hitting VERY hard. I got 4000 alert emails in the space of 5 minutes before I turned them off again. On Fri, Aug 8, 2008 at 11:27 AM, Tom Chiverton <tom.chiverton@halliwells.com ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Ben Forta
08/08/2008 11:54 AM

Yep, I turned e-mail notifications off too, leave it on and you can inadvertently turn blocking SQL injection attacks into a self-imposed DoS attack. Fun stuff. On the plus side, it's nice to see CF finally getting the recognition it deserves, even if it is from parasitic bottom-feeding bots created by despicable scum-sucking feeble-excuse-for-a-carbon-based-life-form repugnant socially-inept basement-dwelling death-penalty-deserving hacker-wannabes. --- Ben Which explains why House of Fusion is being so heavily hit. We're literally everywhere on Google. Fusion Authority on the other hand has all of its urls masked to .htm so the only one being attacked there is an old .cfm archive. I'm working on a webserver level fix for this which will bypass the need to block based on IPs. I just need a few moments. The attacks are hitting VERY hard. I got 4000 alert emails in the space of 5 minutes before I turned them off again. On Fri, Aug 8, 2008 at 11:27 AM, Tom Chiverton <tom.chiverton@halliwells.com ----- Excess quoted