Gabriel,

One that might need adding is execute. "execute something"

I notice you are trapping " sp_" nice catch.

Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: Gabriel [mailto:[EMAIL PROTECTED]
Sent: Sunday, July 27, 2008 7:05 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scratching My Head... To Ben Forta

To anyone who happened to use the regex I posted earlier, I have an updated method to be used in place, effective immediately.

    // Short list of db objects to protect
    DBObj.short = 'database|function|procedure|role|table|trigger|user|view';

    // Sql Threat Indicators (one alternative per line; the scanned value is
    // lowercased first, so every literal here must be lowercase too)
    blackList = '@@|' &
        '(?:alter.*?(#DBObj.short#))|' &
        'cast.*?\(|' &
        'char.*?\([\w]{2}\)|' &
        '(?:create.*?(#DBObj.short#))|' &
        '(?:declare.*?@|cursor)|' &
        'delete.*?from.*?_|' &
        '(?:drop.*?(#DBObj.short#))|' &
        'exec.*?\(|' &
        'insert.*?values.*?\(+?|' &
        'schema[^\w]+?|' &
        'sysobjects|' &
        'truncate.*?table|' &
        'update.*?set+?|' &
        '[sx]p_[\w_]+?|' &
        '\''.*?-{2}|-{2}.*?\''|' &   // trailing | so the /* */ pattern is its own alternative
        '/\*.*?\*/';

    // Build the java pattern matcher
    rePattern = createObject('java', 'java.util.regex.Pattern');
    rePattern = rePattern.compile(blackList);
    reMatcher = rePattern.matcher('');

Then use reMatcher.reset(lcase(var_to_scan)).find() to scan the var.

This will fix a problem in which a long string containing too many back references for non-word chars can cause a stack overflow. As much as I love CF, I find the native regex implementation sadly lacking.

My apologies to anyone already using it; I guess this is what I get for being drawn into posting code I hadn't had a chance to fully test. If anyone has problems with, or enhancements to, the above, please let me know.

Also, thank you to Mary Jo for adding me to the credits. My surname is Read, FYI, in case you still desire to include me.

Regards,
Gabriel Read

-----Original Message-----
From: Mary Jo Sminkey [mailto:[EMAIL PROTECTED]
Sent: Saturday, 26 July 2008 5:40 AM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scratching My Head... To Ben Forta

>What do you think about this solution for sites with 5000 files:

This looks similar to the solution I am providing to my customers (I have a lot that run old releases that are not as well protected as my current one and have little desire to either update their software *or* the code). I used the RegEx that Gabriel posted (sorry, don't know your last name as I read this list online, let me know and I'll add that to the credits!) and made a URL/Form scanner that will abort the page if it finds anything illegal. This looks quite a bit more sophisticated, so it depends on how much you are getting hit, and how aggressive you want to get. My simple tool is here, feel free to download and modify as you wish.

http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=17

---
Mary Jo

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309785
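Gabriel's blacklist ported to Python as an added example (not code from the thread) so the scanner can be run against a sample request and its two posted defects and its false-positive behaviour can be seen: the alternatives are the ones posted, while SAMPLE_PARAMS, is_suspicious and scan_params are constructed here.

```python
import re

DB_OBJECTS = "database|function|procedure|role|table|trigger|user|view"

# The alternatives as posted, with two corrections: 'sysobjects' in lowercase
# (the scanner runs on lcase()d input, so a capital O could never match) and
# the '/* */' comment pattern joined with '|' instead of being concatenated
# onto the '--' pattern.
ALTERNATIVES = [
    r"@@",
    rf"(?:alter.*?({DB_OBJECTS}))",
    r"cast.*?\(",
    r"char.*?\([\w]{2}\)",
    rf"(?:create.*?({DB_OBJECTS}))",
    r"(?:declare.*?@|cursor)",
    r"delete.*?from.*?_",
    rf"(?:drop.*?({DB_OBJECTS}))",
    r"exec.*?\(",
    r"insert.*?values.*?\(+?",
    r"schema[^\w]+?",
    r"sysobjects",
    r"truncate.*?table",
    r"update.*?set+?",
    r"[sx]p_[\w_]+?",
    r"'.*?-{2}|-{2}.*?'",
    r"/\*.*?\*/",
]
BLACKLIST = re.compile("|".join(ALTERNATIVES))
# The same list with the posted concatenation slip, kept only for comparison:
# its last alternative is  -{2}.*?'/\*.*?\*/  so a bare comment never matches.
BLACKLIST_AS_POSTED = re.compile(
    "|".join(ALTERNATIVES[:-2]) + "|" + ALTERNATIVES[-2] + ALTERNATIVES[-1]
)

def is_suspicious(value, pattern=BLACKLIST):
    """Equivalent of reMatcher.reset(lcase(var)).find(): lowercase, then search."""
    return pattern.search(value.lower()) is not None

def scan_params(params, pattern=BLACKLIST):
    """Names of the URL/form parameters that trip the blacklist (hypothetical helper)."""
    return [name for name, value in params.items() if is_suspicious(value, pattern)]

# Constructed sample request, not from the thread. 'msg' is benign English that
# still trips 'update.*?set', the kind of false positive a keyword blacklist gives.
SAMPLE_PARAMS = {
    "id": "1;DECLARE @s VARCHAR(4000)",
    "comment": "/* probe */",
    "name": "Mark Kruger",
    "msg": "Please update your settings",
}
```

Because the blacklist matches on substrings of ordinary words, a site that aborts the page on any hit should expect to log and review the blocked requests rather than treat every hit as an attack.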