however, one of the owners got banned when > he included the word "Declare" in a product description:)
Wow-- that sucks. This is a classic reason why that sort of blocking method is in my opinoin only useful for a temproary stop gap. It treats the symtom more than the problem and is prone to false alarms. > for this attack, I am thinking wouldn't it be > wise to remove permission to use the sysobjects > and syscolumns from the user I access the MS SQL > server with from CF? (In other words, I am > assuming that cf does not need access to these tables - does it?) > I would absolutely recommend removing permissions to those system tables. I would also recommend blocking operations such as drop, grant, revoke, and alter. If you have part of your application that needs that kind of functionality, it is better to create a separate datasource with escalated privileges and use it sparingly. ~Brad ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309549 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
