Thanks Mark. So, the function checkSQLInject(str) and the function checkforattack() are no longer needed from Mary's original blocker.cfm file?
-----Original Message-----
From: Mark Kruger [mailto:[EMAIL PROTECTED]
Sent: Monday, July 28, 2008 9:52 AM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scratching My Head... To Ben Forta

Che, I tested a working example of his code... I posted on my blog if you want the skinny.

http://www.coldfusionmuse.com

-Mark

-----Original Message-----
From: Che Vilnonis [mailto:[EMAIL PROTECTED]
Sent: Monday, July 28, 2008 8:46 AM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scratching My Head... To Ben Forta

Gabriel... would you post the page in complete working order with your code modifications? Thanks!

-----Original Message-----
From: Gabriel [mailto:[EMAIL PROTECTED]
Sent: Sunday, July 27, 2008 8:05 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scratching My Head... To Ben Forta

To anyone who happened to use the regex I posted earlier, I have an updated method to be used in its place, effective immediately.

    // Short list of db objects to protect
    DBObj.short = 'database|function|procedure|role|table|trigger|user|view';

    // Sql Threat Indicators. The scanned value is passed through lcase()
    // before matching, so every literal below is lowercase (sysobjects).
    // Each alternative is separated by '|'; the last two are a quote paired
    // with a '--' line comment (either order) and a /* */ block comment.
    blackList = '@@|' &
                '(?:alter.*?(#DBObj.short#))|' &
                'cast.*?\(|' &
                'char.*?\([\w]{2}\)|' &
                '(?:create.*?(#DBObj.short#))|' &
                '(?:declare.*?@|cursor)|' &
                'delete.*?from.*?_|' &
                '(?:drop.*?(#DBObj.short#))|' &
                'exec.*?\(|' &
                'insert.*?values.*?\(+?|' &
                'schema[^\w]+?|' &
                'sysobjects|' &
                'truncate.*?table|' &
                'update.*?set+?|' &
                '[sx]p_[\w_]+?|' &
                '\''.*?-{2}|-{2}.*?\''|' &
                '/\*.*?\*/';

    // Build the java pattern matcher once; reuse it with reset()
    rePattern = createObject('java', 'java.util.regex.Pattern');
    rePattern = rePattern.compile(blackList);
    reMatcher = rePattern.matcher('');

Then use reMatcher.reset(lcase(var_to_scan)).find() to scan the var.

This will fix a problem in which a long string containing too many back references for non-word chars can cause a stack overflow. As much as I love CF, I find the native regex implementation sadly lacking.

My apologies to anyone already using it; I guess this is what I get for being drawn into posting code I hadn't had a chance to fully test. If anyone has problems with, or enhancements to, the above, please let me know.

Also, thank you to Mary Jo for adding me to the credits. My surname is Read, FYI, in case you still desire to include me.

Regards,
Gabriel Read

-----Original Message-----
From: Mary Jo Sminkey [mailto:[EMAIL PROTECTED]
Sent: Saturday, 26 July 2008 5:40 AM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scratching My Head... To Ben Forta

>What do you think about this solution for sites with 5000 files:

This looks similar to the solution I am providing to my customers (I have a lot that run old releases that are not as well protected as my current one and have little desire to either update their software *or* the code). I used the RegEx that Gabriel posted (sorry, don't know your last name as I read this list online, let me know and I'll add that to the credits!) and made a URL/Form scanner that will abort the page if it finds anything illegal. This looks quite a bit more sophisticated, so it depends on how much you are getting hit, and how aggressive you want to get. My simple tool is here, feel free to download and modify as you wish.

http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=17

--- Mary Jo

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309791
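Gabriel's blacklist mirrored in Python's standard re module so the URL/Form scanning the thread describes can be run offline over sample request values. This is an added example, not code from the thread or from Mary Jo's scanner; the parameter names and values are constructed, and the last one deliberately shows an ordinary sentence tripping the update...set indicator.

```python
import re

# Mirrors Gabriel's DBObj.short list of database objects to protect.
DB_OBJECTS = "database|function|procedure|role|table|trigger|user|view"

# The same threat indicators as the CF-Talk post, written for Python's re.
# Input is lowercased before matching (as lcase() does in the original),
# so every literal is lowercase; each alternative is separated by '|'.
BLACKLIST = (
    r"@@|"
    rf"(?:alter.*?({DB_OBJECTS}))|"
    r"cast.*?\(|"
    r"char.*?\([\w]{2}\)|"
    rf"(?:create.*?({DB_OBJECTS}))|"
    r"(?:declare.*?@|cursor)|"
    r"delete.*?from.*?_|"
    rf"(?:drop.*?({DB_OBJECTS}))|"
    r"exec.*?\(|"
    r"insert.*?values.*?\(+?|"
    r"schema[^\w]+?|"
    r"sysobjects|"
    r"truncate.*?table|"
    r"update.*?set+?|"
    r"[sx]p_[\w_]+?|"
    r"'.*?-{2}|-{2}.*?'|"
    r"/\*.*?\*/"
)
THREAT = re.compile(BLACKLIST)


def looks_like_sqli(value: str) -> bool:
    """True when any indicator occurs in the lowercased value
    (the equivalent of reMatcher.reset(lcase(var)).find())."""
    return THREAT.search(value.lower()) is not None


def flagged_params(params: dict) -> list:
    """Names of URL/Form parameters whose values trip an indicator;
    a scanner like the one in the thread aborts the page if non-empty."""
    return [name for name, value in params.items() if looks_like_sqli(value)]


# Constructed request values (not from the thread) to exercise the scanner.
SAMPLE_REQUEST = {
    "productID": "42",                      # clean
    "q": "hello world",                     # clean
    "id": "1;declare @s",                   # declare ... @
    "note": "/* anything */",               # block comment
    "name": "o'neil -- trailing comment",   # quote ... --
    "msg": "please update my settings",     # false positive: update...set
}

if __name__ == "__main__":
    print(flagged_params(SAMPLE_REQUEST))  # ['id', 'note', 'name', 'msg']
```

The "msg" value shows the cost of a blacklist of this kind: legitimate text containing two ordinary words gets the request aborted, so the pattern is a stopgap to buy time for fixing the queries themselves rather than a substitute for it.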