What if the hacker puts a space between EXEC and the (? 

-----Original Message-----
From: Radek Valachovic [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 23, 2008 7:30 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

What about if I put:

<cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains "EXEC(" OR
cgi.QUERY_STRING contains "EXEC("><cfabort></cfif>

in all my cf files on my web site, and if the hacker tries to run any of these
files, for example:

index.cfm?+code, mail.cfm?+code etc. Basically it attacks everything that is
indexed on Google, but if you put it in all of the files, it should abort the
connection every time one of the files is executed, and then no query will be
executed... it should work... what do you think?

Radek

On Wed, Jul 23, 2008 at 7:51 PM, Brad Wood <[EMAIL PROTECTED]> wrote:

> If you are still being affected by the attack, then you still have one 
> or more vulnerable queries somewhere with access to that database.
>
> Did you use a code scanner like QueryParam Scanner from RiaForge to 
> search the ENTIRE code base for missing cfqueryparams?
>
> Also, find out the user your ColdFusion data sources use to access the 
> database.  Revoke select permissions on sysobjects and syscolumns from 
> that user.
> This will cause an error to occur when the attack hits a vulnerable query.
> (Run a test to confirm this.) Do you have a site-wide error handler 
> that E-mails you when errors occur?  This will tip you off to where 
> the hackers are gaining entry.
>
> ~Brad
>
> ----- Original Message -----
> From: "Bo Reahard" <[EMAIL PROTECTED]>
>
> How does it defeat the cfquery param tags that are now in all my queries?

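An added example, not code from any of the posters: the two concrete defenses Brad describes in the quoted message, written out in CFML. The first part shows an unparameterized cfquery beside the same query using cfqueryparam, which is why the "EXEC(" versus "EXEC (" filter question does not arise once every query is parameterized. The second part is an Application.cfc onError handler that mails the failing template and query string, so the vulnerable entry point shows up in the error report when the revoked sysobjects/syscolumns permissions make an injected payload fail. The datasource name, table and column names, application name and e-mail addresses are all assumptions.

```cfml
<!--- ===== Part 1: a product lookup page (e.g. product.cfm) ===== --->

<!--- Vulnerable form: the URL value is concatenated straight into the SQL
      text, so whatever is appended to ?id= is parsed by the database as
      part of the statement. No substring blacklist on cgi.QUERY_STRING
      reliably closes this; the fix is to stop building SQL from strings. --->
<cfquery name="getProductUnsafe" datasource="#application.dsn#">
    SELECT id, name, price
    FROM products
    WHERE id = #url.id#
</cfquery>

<!--- Hardened form: cfqueryparam sends the SQL text and the value to the
      driver separately, and cf_sql_integer rejects anything that is not a
      whole number before the statement ever reaches the database. --->
<cfquery name="getProduct" datasource="#application.dsn#">
    SELECT id, name, price
    FROM products
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- ===== Part 2: Application.cfc with a site-wide error handler ===== --->

<cfcomponent output="false">
    <!--- hypothetical application name and datasource --->
    <cfset this.name = "exampleApp">
    <cfset this.applicationTimeout = createTimeSpan(1, 0, 0, 0)>

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <cfset application.dsn = "exampleDsn">
        <cfreturn true>
    </cffunction>

    <!--- Runs for every unhandled exception in the application, including
          the database error raised when an injected query is denied access
          to sysobjects/syscolumns. The request details identify the
          template and parameter that let the payload through. --->
    <cffunction name="onError" returntype="void" output="false">
        <cfargument name="exception" required="true">
        <cfargument name="eventName" type="string" required="true">

        <cfmail to="admin@example.com"
                from="cf-errors@example.com"
                subject="CF error on #cgi.SERVER_NAME##cgi.SCRIPT_NAME#"
                type="text">
            Event:        #arguments.eventName#
            Message:      #arguments.exception.message#
            Detail:       #arguments.exception.detail#
            Template:     #cgi.SCRIPT_NAME#
            Query string: #cgi.QUERY_STRING#
            Client IP:    #cgi.REMOTE_ADDR#
            User agent:   #cgi.HTTP_USER_AGENT#
        </cfmail>

        <!--- Show the visitor a generic message; never echo the exception
              detail (it reveals table names and the failing SQL). --->
        <cfoutput><p>An error occurred. The site administrator has been notified.</p></cfoutput>
    </cffunction>
</cfcomponent>
```

The e-mail deliberately includes the raw query string rather than a filtered version: the point of the handler is to see exactly what reached the vulnerable template, then fix that query with cfqueryparam rather than extend a blacklist.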

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309577
