To anyone who happened to use the regex I posted earlier I have an updated
method to be used in place, effective immediately.
// Short list of db objects to protect
DBObj.short = 'database|function|procedure|role|table|trigger|user|view';
// Sql Threat Indicators
blackList = '@@|' &
'(?:alter.*?(#DBObj.short#))|' &
'cast.*?\(|' &
'char.*?\([\w]{2}\)|' &
'(?:create.*?(#DBObj.short#))|' &
'(?:declare.*?@|cursor)|' &
'delete.*?from.*?_|' &
'(?:drop.*?(#DBObj.short#))|' &
'exec.*?\(|' &
'insert.*?values.*?\(+?|' &
'schema[^\w]+?|' &
'sysObjects|' &
'truncate.*?table|' &
'update.*?set+?|' &
'[sx]p_[\w_]+?|' &
'\''.*?-{2}|-{2}.*?\''' &
'/\*.*?\*/';
// Build the java pattern matcher
rePattern = createObject('java', 'java.util.regex.Pattern');
rePattern = rePattern.compile(blackList);
reMatcher = rePattern.matcher('');
Then use reMatcher.reset(lcase(var_to_scan)).find() to scan the var.
This will fix a problem in which a long string containing too many back
references for non-word chars can cause a stack overflow. As much as I love
CF, I find the native regex implementation sadly lacking.
My apologies to anyone already using it, I guess this is what I get being
drawn into posting code I hadn't had a chance to fully test. If anyone has
problems with, or enhancements to the above, please let me know.
Also, thank you to Mary Jo for adding me to the credits. My surname is Read
FYI in case you still desire to include me.
Regards,
Gabriel Read
-----Original Message-----
From: Mary Jo Sminkey [mailto:[EMAIL PROTECTED]
Sent: Saturday, 26 July 2008 5:40 AM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
>What do you think about this solution for sites with 5000 files:
This looks similar to the solution I am providing to my customers (I have a
lot that run old releases that are not as well protected as my current one
and have little desire to either update their software *or* the code). I
used the RedEx that Gabriel posted (sorry, don't know your last name as I
read this list online, let me know and I'll add that to the credits!) and
made a URL/Form scanner that will abort the page if it finds anything
illegal. This looks quite a bit more sophisticated, so it depends on how
much you are getting hit, and how aggressive you want to get.
My simple tool is here, feel free to download and modify as you wish.
http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=17
--- Mary Jo
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to
date
Get the Free Trial
http://ad.doubleclick.net/clk;203748912;27390454;j
Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309775
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
