Hi Les,

How about removing single quotes in application.cfm for the short term and 
submitting information from Adobe on the value of cfqueryparam for preventing 
sql injection in the hopes that helps for the future?

David


>>> CFQUERYPARAM creates a prepared statement
>
>Just because some of you might find this fun and slightly related to the 
>above...
>
>
>I'm working on a Congressional site at the moment, and Coldfusion is 
>*very* poorly supported to start with. The "official house supported" 
>version is CF5, so I'm having to rewrite most of my carefully crafted 
>snippets and reusable code chunks.
>
>Anyway, once you're logged onto the house network and posted your files, 
>they have to go through a "security scan" before they can go live. The 
>scan doesn't take cfqueryparam into consideration at all, so my first 
>scan of a dynamic page generated about 5 pages worth of "failed" reports 
>that looked like:
>
>ScanDo included the ' (apostrophe) character in the parameter value. The 
>server's reply indicates that the parameter is vulnerable to 
>manipulation using SQL symbols.
>1)High Severity
>URL: mypage-detail.cfm?id=97'
>Solution: Make sure parameter values sent by remote users do not include 
>SQL commands or symbols. Validate and sanitize every user variable 
>passed to the database. Check that the input has the expected data type. 
>Never pass unchecked user-input to database-queries.
>
>Basically, the scan program tries about every SQL Injection trick known 
>to man, and if you fail one of them, you don't go live. All my carefully 
>written queries using cfqueryparam meant nothing. Pfffftttt!
>
>So, for every single variable passed to a query, about the only way to 
>pass the security scan was to do this:
>
><cfif IsDefined("fname") and (findoneof("!<[^>]+%>!=",fname,1) NEQ 0)>
><cfabort>
></cfif>
>
>
>Sheesh.....
>
>But, this presents a HUGE problem. The client has requested an admin 
>section to update content on certain pages. So, a simple <p> tag which 
>needs to get passed will trigger the cfabort above. ACK!
>
>I'm glad I'm getting paid well for this....
>
>More later once I've got it all figured out on how to give the client 
>what they want but pass all the required BS needed to get stuff 
>approved, including the "Secret Squirrel Security Code Generator" that 
>we've now got that displays a security code to log into the house 
>private network that changes every 60 seconds. This is fun stuff...
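The point the thread turns on, that CFQUERYPARAM binds the value as a prepared-statement parameter so an apostrophe in `id=97'` never reaches the SQL parser, can be shown outside ColdFusion. The following is an added example, not code from either poster: Python's sqlite3 stands in for <cfquery>, `lookup_concatenated` plays the role of pasting `#url.id#` into the SQL text, and `lookup_parameterized` plays the role of <cfqueryparam>. The `pages` table, its rows, and the `scanner_probe` classifier are all constructed for the demonstration and only mimic what the scanner report above describes: it sends the apostrophe and looks at whether the server's reply is an error.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database (assumption, not the poster's schema):
    a tiny 'pages' table standing in for the site's detail pages."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?)",
        [(97, "Committee schedule"), (98, "Member bio")],
    )
    conn.commit()
    return conn


def lookup_concatenated(conn: sqlite3.Connection, raw_id: str):
    """Equivalent of <cfquery> with #url.id# pasted straight into the SQL.
    The user's text becomes part of the statement, so an apostrophe
    changes the statement's structure and the parser rejects it."""
    sql = "SELECT title FROM pages WHERE id = '" + raw_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, raw_id: str):
    """Equivalent of <cfqueryparam value="#url.id#">: the SQL text is fixed
    and compiled once; the value travels separately as a bound parameter,
    so "97'" is just a value that matches nothing."""
    sql = "SELECT title FROM pages WHERE id = ?"
    return conn.execute(sql, (raw_id,)).fetchall()


def as_integer(raw_id: str) -> int:
    """The 'check that the input has the expected data type' step from the
    scan report, i.e. what cfsqltype="cf_sql_integer" enforces: anything
    that is not a plain integer is rejected before a query is built."""
    if not raw_id.isdigit():
        raise ValueError("id must be an integer, got %r" % raw_id)
    return int(raw_id)


def scanner_probe(lookup, conn: sqlite3.Connection, probe: str) -> str:
    """Mimic the scanner's apostrophe check (constructed, not ScanDo's
    actual logic): send the probe and classify the server's reply."""
    try:
        lookup(conn, probe)
    except sqlite3.Error:
        return "sql-error"  # the reply the scanner flags as High Severity
    return "ok"


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", scanner_probe(lookup_concatenated, db, "97'"))
    print("parameterized:", scanner_probe(lookup_parameterized, db, "97'"))
    print("typed:", lookup_parameterized(db, as_integer("97")))
```

Run as-is and the concatenated lookup reports `sql-error` for the probe while the parameterized one reports `ok` and simply returns no rows, which is the behaviour the scan described above cannot distinguish from a genuine injection point because it only looks at the apostrophe, not at how the value reached the database. Adding the `as_integer` type check on top of binding gives the scanner a reply it accepts without stripping quotes from content that legitimately contains them.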

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:230695
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations & Support: http://www.houseoffusion.com/tiny.cfm/54