> The hacker's hope is that you will be outputting one of those 
> varchar fields into a webpage without escaping HTML 
> characters.  The extra text being inserted into the database 
> fields will include a malicious JavaScript file from another 
> server into the webpage.  I haven't looked at the JS to see 
> what it does, but it probably tries to load some Trojan via 
> an ActiveX applet or something.
> 
> To clean your database, I would recommend reverse-engineering 
> the attack to loop over your database columns and remove the 
> text they placed in there.  In the meantime, shut your site
> down so you don't infect your customers.

For what it's worth, the specific URL that was injected in the sample I saw
(http://1.verynx.cn/w.js) doesn't seem to work anymore. The server name
doesn't resolve.

Second, if you can restore a previous copy of the database, that might be
easier.

Also, I'd recommend that you identify the problem scripts that contain the
vulnerability before you restore the database. Otherwise, you might have to
repeat the process.

Finally, you might consider implementing filtering at the web server to
block long (and presumably problematic) URLs before they're even sent to CF.
If you're using IIS, you can do that with the latest version of URLScan. If
you're using Apache, I think mod_security will let you do this.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
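An added example of the two defensive steps discussed above (the column-by-column cleanup loop and HTML-escaping on output); it is not code from the thread. It uses an in-memory SQLite database with constructed sample rows standing in for the poster's database, and targets the injected script tag pointing at the URL quoted in the message.

```python
import html
import re
import sqlite3

# Injected script source quoted in the thread (the server no longer resolves).
INJECTED_SRC = "http://1.verynx.cn/w.js"
# Matches <script src=...></script> with or without quotes, case-insensitively.
INJECTED_RE = re.compile(
    r'<script\s+src=["\']?' + re.escape(INJECTED_SRC) + r'["\']?\s*>\s*</script>',
    re.IGNORECASE,
)


def build_sample_db():
    """Constructed sample data: a products table whose varchar/text columns were hit."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, "
                 "name VARCHAR(100), descr TEXT, price REAL)")
    tag = f"<script src={INJECTED_SRC}></script>"
    conn.executemany("INSERT INTO products (name, descr, price) VALUES (?, ?, ?)",
                     [("Widget" + tag, "A fine widget" + tag, 9.99),
                      ("Gadget", "Untouched row", 19.99)])
    conn.commit()
    return conn


def text_columns(conn, table):
    """Names of columns declared with a text type (VARCHAR, TEXT, CHAR, CLOB)."""
    cols = conn.execute(f'PRAGMA table_info("{table}")').fetchall()
    return [c[1] for c in cols
            if any(k in (c[2] or "").upper() for k in ("CHAR", "TEXT", "CLOB"))]


def clean_database(conn):
    """Loop over every text column of every table and strip the injected tag.
    Returns the number of cells that were modified (table/column names come
    from the catalog, so quoting them as identifiers is safe here)."""
    modified = 0
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for col in text_columns(conn, table):
            rows = conn.execute(f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE ?',
                                ("%" + INJECTED_SRC + "%",)).fetchall()
            for rowid, value in rows:
                cleaned = INJECTED_RE.sub("", value)
                if cleaned != value:
                    conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?',
                                 (cleaned, rowid))
                    modified += 1
    conn.commit()
    return modified


def render_cell(value):
    """Output-side fix: HTML-escape so any leftover tag is displayed, not executed."""
    return html.escape(value, quote=True)
```

Run `clean_database` a second time to confirm it reports zero changes before bringing the site back up.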
