This latest spate of SQL attacks has at least alerted CF coders (and non-CF
coders, hopefully) to the importance of SQL injection and input sanitisation.
However, I am noticing that almost all of the drop-in 'patches' seem to be
straight list/array searches with almost no use of regular expressions,
meaning that these 'solutions' can barely even be considered suitable
stop-gaps until more appropriate measures can be taken (cfqueryparam, SQL
permissions, etcetera), as they really can only stop the most basic attempts
and are likely to produce an inordinate number of false positives (someone
earlier noted that an admin was blacklisted for using 'declare' in a
perfectly acceptable context).

It seems to me that such a knee-jerk reaction, putting half-thought-out
measures in place, almost does more harm than good in that it leaves people
with a false sense of security. Take the following code as a case in point:

function IsSQLInject(input) {

        // Blacklist of substrings. It is searched with findNoCase(), so
        // "cast" matches "Casting" and "grant" matches "Grant".
        var listSQLInject =
"cast,exec,execute,sp_executeSQL,revoke,grant,select,insert,update,delete,drop,--,'";
        var arraySQLInject = ListToArray(listSQLInject);
        var i = 1;   // var declarations must come first in a CF function

        // Plain substring search: a keyword split by a comment (dr/**/op)
        // or otherwise encoded is not matched.
        for(i=1; i lte arrayLen(arraySQLInject); i=i+1) {
                if(findNoCase(arraySQLInject[i], input)) return true;
        }

        return false;
}

Running this function over any user input scope will flag every input that
contains one of the listed strings, e.g. 'Casting sugar', 'selectable
criteria', 'Name: Grant Thompson', and so on and so forth...

But at least you're secure, right?

Dr/*foo*/op table orders;

The simplest obfuscation of the command, using basic tools, and the function
is rendered useless.

Conclusion? You're stopping legitimate use and still leaving a wide-open
door to any hacker willing to put in 30 seconds' effort. How long until
someone rewrites the current attack pattern and uses the above method to
bypass all of the shiny new keyword scanners? Dec/*can't see me*/lare @s =
....

That's all without even touching upon encoding.

I'm not claiming to have the ideal patch; I'm not even claiming to have been
the first to notice these things (posts on many CF blogs detail these issues
in a far more articulate manner), but I think that advocating simple keyword
scanners on this list is irresponsible; bad advice can be worse than no
advice at all. All 'senior' CF programmers either do, or should, know
better.


Please note that I mean no offence to anyone on this list (or anywhere else
for that matter).

Regards,
Gabriel
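
The behaviour the post describes, as an added example that is not part of the original message or any CF code: a Python port of the posted IsSQLInject() scanner (same keyword list, same case-insensitive substring match as findNoCase) run beside a parameterised query, which is what cfqueryparam does in ColdFusion. The inputs and the users table are constructed for the demonstration, and SQLite is used in place of the SQL Server the post implies. For the comment-obfuscated "Dr/*foo*/op" the example asserts only what the scanner sees; it does not execute that statement. The "1 OR 1=1" payload is executed, since in a numeric context it needs no quote and no listed keyword at all.

```python
import sqlite3

# Added example, not code from the post: the posted IsSQLInject() scanner
# ported to Python, beside a bound-parameter query (cfqueryparam's equivalent).

# The keyword list from the post, joined back onto one line.
SQL_INJECT_LIST = ("cast,exec,execute,sp_executeSQL,revoke,grant,select,insert,"
                   "update,delete,drop,--,'")
SQL_INJECT_KEYWORDS = SQL_INJECT_LIST.split(",")


def is_sql_inject(value: str) -> bool:
    """Port of IsSQLInject(): case-insensitive substring match, like findNoCase()."""
    lowered = value.lower()
    return any(keyword.lower() in lowered for keyword in SQL_INJECT_KEYWORDS)


# Constructed inputs (not from any real application).
FALSE_POSITIVES = ["Casting sugar", "selectable criteria", "Name: Grant Thompson"]
COMMENT_OBFUSCATED = "Dr/*foo*/op table orders;"   # the scanner never sees "drop"
NUMERIC_PAYLOAD = "1 OR 1=1"                         # contains no listed keyword


def scan(values):
    """Map each input to the scanner's verdict (True = blocked)."""
    return {value: is_sql_inject(value) for value in values}


def setup_db() -> sqlite3.Connection:
    """In-memory table with constructed rows; the admin is a 'Grant' the scanner blocks."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("Grant Thompson", "admin"), ("Ada Lovelace", "user"), ("Bob Jones", "user")],
    )
    return conn


def find_by_id_concat(conn, user_id: str):
    """Vulnerable: the request value is spliced into the SQL text (unparameterised cfquery)."""
    sql = "SELECT name FROM users WHERE id = " + user_id + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_by_id_param(conn, user_id: str):
    """Hardened: the value is bound, so the driver never parses it as SQL."""
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def find_by_name_param(conn, name: str):
    """Bound parameter: a name containing 'grant' or an apostrophe is just data."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    print(scan(FALSE_POSITIVES))                        # every benign value blocked
    print(scan([COMMENT_OBFUSCATED, NUMERIC_PAYLOAD]))  # both attack strings pass
    db = setup_db()
    print(find_by_id_concat(db, NUMERIC_PAYLOAD))   # every row: the payload became SQL
    print(find_by_id_param(db, NUMERIC_PAYLOAD))    # no rows: the payload stayed a value
    print(find_by_name_param(db, "Grant Thompson"))  # the admin the scanner blacklists
```

The scanner and the bound query are independent of each other: with the value bound, "1 OR 1=1" matches no id and "Grant Thompson" matches his row, whatever the blacklist says, which is the sense in which the keyword scan adds false positives without adding protection.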


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309560