No problem, bear in mind that isn't going over the other server security or
data transfer items. That list is focused in on those automated scripting
attacks. There's a ton of other things to consider. The most obvious are
sandboxing, firewalls and SSL. But for the programming side of things, this
gets the ball rolling.


John Mason
[EMAIL PROTECTED]
770.337.8363
 
www.FusionLink.com - ColdFusion and Flex hosting
Now offering ColdFusion 8 Enterprise hosting
FREE Subversion hosting


-----Original Message-----
From: Andy Matthews [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 06, 2007 1:45 PM
To: CF-Talk
Subject: RE: SQL injection hack?

Thanks John...this is a great checklist. 

-----Original Message-----
From: John Mason [mailto:[EMAIL PROTECTED]
Sent: Monday, August 06, 2007 12:25 PM
To: CF-Talk
Subject: RE: SQL injection hack?

You'll also see these automated scripts hitting other services like ftp,
email, etc. You need to make certain that all services are properly
protected and monitored.

Cfqueryparam and stored procedures are good first steps, but bear in mind a
lot of information could still be disclosed even with these in place.

Here's my top 10 list of things to look at...

-Use cfqueryparam and stored procs

-Limit the other services on a site. If the site isn't using ASP, then turn
it off. Reduce the http verbs for CF to just GET,HEAD,POST

-Turn off RDS services

-If your site has a login page, limit the login to 3-5 attempts and block
after that. Send an alert that someone may be running a brute force attack
on your login.

-Have a restricted login for your datasource calls. In most cases, the web
site doesn't need full dbo permissions to a datasource. You can also limit
the sql commands in the cfadmin under the datasource listing.

-If using cfc's, take a closer look at the access and roles attributes. Most
cfc's I see have "public access" and that's it. There's far more you can do.

-Check for cross-site scripting attacks and use the various ways to prevent
them. No, checking the cross-site toggle in the cfadmin or application is not
going to do the trick.

- Always have error catches in place and turn debugging off. Half the reason
for the attack is to see the debugging information.

- Turn off outside access to your CF Admin. Why give an automated script the
chance to break into that?

-And finally monitor your logs (including the other services like ftp) and
site errors, that will help alert you to an attack.

If you did all these things, you're still not done. Security is an ongoing
process. New threats come up all the time. The point is to stay on top of
this and continuously improve the security of our web app but also keep the
usability that allows it to work.

John Mason
[EMAIL PROTECTED]
770.337.8363
 
www.FusionLink.com - ColdFusion and Flex hosting
Now offering ColdFusion 8 Enterprise hosting
FREE Subversion hosting
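
An added example (not code from the list or from anyone on it) of the first
item on John's checklist, using the payload from the error e-mail quoted further
down the thread. It puts the concatenated query that payload targets next to a
cfqueryparam-style typed, bound parameter. It uses SQLite, which has no SQL
Server convert(int, ...), so the live attack run uses an equivalent UNION payload
against the same lookup; the thread's exact payload is run through the type check
only. The products table, its columns and the rows are constructed; only
ProdID, tbl_adminusers and admin_password come from the thread.

```python
"""Added example: concatenated <cfquery> versus a cf_sql_integer-style bound
parameter. Not code from the CF-Talk thread. Table contents are constructed;
the products table and its columns are assumptions, tbl_adminusers,
admin_password and ProdID are the names that appear in the thread."""
import re
import sqlite3

# Payload exactly as it appeared in the error e-mail quoted in the thread (URL-decoded).
THREAD_PAYLOAD = ("1 and 1=convert(int,(select top 1 char(97)+admin_password "
                  "from tbl_adminusers))")

# Same goal (read admin_password through the product lookup), written so SQLite runs it.
UNION_PAYLOAD = "0 UNION SELECT admin_password, 0 FROM tbl_adminusers"


class InvalidCfSqlType(ValueError):
    """Raised when a value does not fit the declared cfsqltype, as cfqueryparam does."""


def make_db():
    """In-memory stand-in for the site's datasource; all rows are constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (ProdID INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE tbl_adminusers (admin_user TEXT, admin_password TEXT);
        INSERT INTO products VALUES (1, 'Blue dress', 39.0), (2, 'Red hat', 12.5);
        INSERT INTO tbl_adminusers VALUES ('admin', 's3cret!');
    """)
    return conn


def vulnerable_lookup(conn, prod_id):
    """Mirrors <cfquery>SELECT ... WHERE ProdID = #url.ProdID#</cfquery>:
    whatever the client sent becomes part of the SQL text."""
    sql = f"SELECT name, price FROM products WHERE ProdID = {prod_id}"
    return conn.execute(sql).fetchall()


def cf_sql_integer(value):
    """Validate like <cfqueryparam cfsqltype="cf_sql_integer">: anything that is
    not a plain integer literal is rejected before the database ever sees it."""
    text = str(value).strip()
    if not re.fullmatch(r"-?\d+", text):
        raise InvalidCfSqlType(f"Invalid data {value} for CFSQLTYPE CF_SQL_INTEGER")
    return int(text)


def accepts(value):
    """True if the value would pass the cf_sql_integer check."""
    try:
        cf_sql_integer(value)
        return True
    except InvalidCfSqlType:
        return False


def safe_lookup(conn, prod_id):
    """Typed check plus a bound parameter: the value travels as data, never as SQL."""
    pid = cf_sql_integer(prod_id)
    return conn.execute(
        "SELECT name, price FROM products WHERE ProdID = ?", (pid,)
    ).fetchall()


def demo():
    """Return (rows leaked by the vulnerable query, outcome of the safe query)
    for the UNION payload."""
    conn = make_db()
    leaked = vulnerable_lookup(conn, UNION_PAYLOAD)
    try:
        safe_lookup(conn, UNION_PAYLOAD)
        outcome = "no error"
    except InvalidCfSqlType as exc:
        outcome = str(exc)
    return leaked, outcome


if __name__ == "__main__":
    leaked, outcome = demo()
    print("vulnerable query returned:", leaked)
    print("safe query:", outcome)
```

The rejection message is the same shape as the one in Rick's error e-mail,
which is what that e-mail actually shows: cfqueryparam refused the value. The
thing left to decide is where that message goes; an alert to the admin is fine,
an error page echoing it to the client is not.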


-----Original Message-----
From: Paul Vernon [mailto:[EMAIL PROTECTED]
Sent: Monday, August 06, 2007 12:01 PM
To: CF-Talk
Subject: RE: SQL injection hack?

We've been seeing the exact same thing, basic SQL injection attacks all
originating from China... It looks automated as they've spidered several
sites we host using the exact same technique and SQL phrase. It has been
going on continuously for about a week now. Thankfully the sites are
pro-actively monitored from an error management POV so we've been aware of
the attacks from the get go.

I agree. Using CFCs, having a common code base, employing type checking on
functions and using CFQUERYPARAM all make life a little bit easier in coping
with these things...

In CF 8 it's worth noting that the type checking can be turned off for
performance gains. I guess this is a trade off... What you gain in
performance, you lose in data validation. It's a shame this feature is a
global setting and not one that could be specified on a function by function
basis as I'd like to keep type checking on for my DB objects and turn it off
where I feel it's not necessary.

Paul
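
An added example (not code from the list or from anyone on it) for the log
monitoring John and Paul both describe: scanning web-server access logs for the
injection phrase seen in the thread and grouping hits by source address, so the
"same technique, same SQL phrase, several hosted sites" pattern stands out. The
log lines are constructed in a vhost-prefixed combined format; apart from
www.woreitonce.com, /Details.cfm and 81.10.46.130, which appear in the thread,
the hosts, paths and addresses are assumptions.

```python
"""Added example: detect the thread's SQL injection phrase in access logs and
group it by source. Not code from the CF-Talk thread. SAMPLE_LOG is constructed;
only www.woreitonce.com, /Details.cfm and 81.10.46.130 come from the thread."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log (vhost, then Apache combined format). Lines 1 and 3
# carry the thread's payload from one address against two different hosted sites.
SAMPLE_LOG = """\
www.woreitonce.com 81.10.46.130 - - [06/Aug/2007:10:25:01 -0400] "GET /Details.cfm?ProdID=1%20and%201=convert(int,(select%20top%201%20char(97)%2badmin_password%20from%20tbl_adminusers)) HTTP/1.1" 500 1245
www.woreitonce.com 192.0.2.10 - - [06/Aug/2007:10:25:07 -0400] "GET /Details.cfm?ProdID=2 HTTP/1.1" 200 8031
shop.example.net 81.10.46.130 - - [06/Aug/2007:10:26:13 -0400] "GET /product.cfm?id=7%20and%201=convert(int,(select%20top%201%20char(97)%2badmin_password%20from%20tbl_adminusers)) HTTP/1.1" 500 1301
shop.example.net 198.51.100.7 - - [06/Aug/2007:10:27:44 -0400] "GET /search.cfm?q=red+hat HTTP/1.1" 200 5022
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Indicators for the injection family in the thread and its common relatives.
# Checked in order; the first match is reported for a line.
SQLI_PATTERNS = {
    "mssql-convert-error": re.compile(r"convert\s*\(\s*int\s*,", re.I),  # as in the thread
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "tautology": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+\b", re.I),
    "stacked-query": re.compile(r";\s*(exec|declare|drop|insert|update)\b", re.I),
}


def parse_line(line):
    """Split one log line into its fields, or return None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def decode_target(target):
    """Percent-decode until stable (catches double encoding), then treat '+' and
    runs of whitespace as a single space. A SQL string-concat '+' is lost too,
    which does not matter for the patterns above."""
    decoded = target
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return re.sub(r"[\s+]+", " ", decoded)


def find_injections(log_text):
    """Return one hit per suspicious request: ip, host, path, pattern name, status."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        decoded = decode_target(rec["target"])
        for name, pattern in SQLI_PATTERNS.items():
            if pattern.search(decoded):
                hits.append({
                    "ip": rec["ip"],
                    "host": rec["host"],
                    "path": rec["target"].split("?", 1)[0],
                    "pattern": name,
                    "status": rec["status"],
                })
                break
    return hits


def summarize(hits):
    """Group hits by source address: which hosts it touched, which patterns, how many."""
    by_ip = defaultdict(lambda: {"hosts": set(), "patterns": set(), "count": 0})
    for h in hits:
        entry = by_ip[h["ip"]]
        entry["hosts"].add(h["host"])
        entry["patterns"].add(h["pattern"])
        entry["count"] += 1
    return {
        ip: {"hosts": sorted(e["hosts"]), "patterns": sorted(e["patterns"]), "count": e["count"]}
        for ip, e in by_ip.items()
    }


def should_alert(summary, min_hosts=2):
    """Addresses that ran the same kind of probe against at least min_hosts sites."""
    return sorted(ip for ip, e in summary.items() if len(e["hosts"]) >= min_hosts)


if __name__ == "__main__":
    summary = summarize(find_injections(SAMPLE_LOG))
    for ip in should_alert(summary):
        print(ip, summary[ip])
```

Run against the real logs, the interesting output is not any single hit but the
address that shows up on several hosted sites with the same phrase, which is
exactly what Paul reports seeing; that is the one worth blocking at the firewall
and reporting, and a 500 on the matching requests tells you which sites still
leak an error page.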

> -----Original Message-----
> From: jonese [mailto:[EMAIL PROTECTED]
> Sent: 06 August 2007 16:25
> To: CF-Talk
> Subject: Re: SQL injection hack?
> 
> Just an FYI to everyone else, I've been at my current post for 3 years 
> and we've had pro-active error monitoring (versus reactive "hey my 
> site doesn't work") now for close to 2 years.
> 
> Just in the recent weeks we started seeing basic SQL injection hacks 
> on sites we host. We never saw anything like this till recently, so be 
> on your toes.
> 
> Like others have mentioned, using CFQueryParam and Stored Procedures 
> can help. Also putting the stuff into CFC's and forcing incoming vars 
> to be typed helps as well. (with everything except strings, of course).
> 
> If you are looking for preventive stuff on top of those already 
> mentioned you can look into the CF Firewalls which are starting to 
> spring up. As well as there are those who have made some really cool 
> stuff to help watch for this. I think Shawn Gorrell has some code (he 
> mentioned it at a recent ACFUG meeting) you might reach out to him, 
> http://www.illumineti.com/blog/, if he doesn't notice this thread.
> 
> jonese
> 
> 
> 
> On 8/6/07, Rey Bango <[EMAIL PROTECTED]> wrote:
> > Looks that way.
> >
> > Rey
> >
> > Rick King wrote:
> > > Hey all,
> > >
> > > I just received this email that is generated when there is an
> > > error on a site I built (www.woreitonce.com)
> > >
> > >  -------------------E-MAIL--------------------------------
> > > Invalid data 1 and 1=convert(int,(select top 1
> > > char(97)+admin_password from tbl_adminusers)) for CFSQLTYPE
> > > CF_SQL_INTEGER.  <br>The error occurred on line 30.
> > >  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
> > > Gecko/20070725 Firefox/2.0.0.6
> > >  81.10.46.130
> > >
> > >  /Details.cfm
> > >
> > > ProdID=1%20and%201=convert(int,(select%20top%201%20char(97)%2badmin_password%20from%20tbl_adminusers))
> > >
> > > ---------------------E-MAIL------------------------
> > >
> > > Is this a SQL injection attack? Anything I can do?
> > >
> > > Thanks
> > > Rick

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285520