Wondering if SQL in form fields is also a risk. At any rate, Justin D. Scott of 
GravityFree ([EMAIL PROTECTED]) released a handy script which you can grab here:

http://www.actcfug.com/files/_SQLPrev.zip

The original script had a minor misspelling bug and I made the keywords 
alphabetical in order to make tweaking it easier if you need not use all the 
provided keywords (eg: DROP).

My host Mike Kear ([EMAIL PROTECTED]) provided this documentation:

THE EXPLOIT:

The attempt is to use URL variables to gain access to the MASTER database (they 
can't!) or identify VARCHAR, NVARCHAR or CHAR fields in your tables, then add 
their own content to them. The attackers use automated bots to make multiple 
attempts on multiple pages. If the attack is successful, at best it changes 
all the text fields in a database; at worst, it destroys your database.

THE DEFENCE

There are a number of ways to defend against an attack like this, and we’re 
doing all of them.

[A] Deny read or write permissions to the MASTER database and the system 
tables to the SQLServer Login that ColdFusion uses to access the datasource. 
This has always been the case.

[B] Restrict the SQLServer Login that ColdFusion uses to read/write access to 
only the database that it needs for that datasource. This has always been the 
case, but we're double checking. This means that if the hackers gain 
access, the damage will be contained to one database only, and a weak defence 
on one site won't compromise everyone else.

[C] Prevent the attack reaching the database in the first place. This is 
where you come in.

Attached is a script (_SQLPrev.cfm) written by Justin Scott of GravityFree 
([EMAIL PROTECTED]). It scans the URL being called, looking for some 
specific strings that can be used in this kind of attack. If it finds such a 
word, it aborts the page call, sends the user to the home page of the site, 
and sends you an email.
 
I STRONGLY SUGGEST you incorporate this script at the top of your 
application.cfm (or, if you are using application.cfc, at the start of your 
onRequestStart() method). If the page call is not an attack, the page will 
be slowed by a millisecond or two. If it IS an attack, it will very likely 
capture it and prevent it.

Just to help you focus your attention on this and how real the threat is: 
while I have been typing this email, 11 sites I am currently watching have 
received 638 attack attempts, detected and deflected by this script.

HOW TO DEPLOY THE SCRIPT:

[A] Alter the cfqueryparam variables at the top of the script to email 
addresses, passwords, etc. that are appropriate to you.

[B] Put the script somewhere on your site.

[C] In your site's application.cfm, include the script (or in application.cfc, 
include the script in the onRequestStart() method).

[D] To test the script, going to http://domain.com/index.cfm?id=4;DECLARE() 
should trigger the script and you'll get an email advising you of a hack 
attempt.

Thanks to both Mike Kear and Justin Scott for making it a bit easier to discern 
if our sites are being attacked. Obviously good coding is preferred and, touch 
wood, I am immune so far, but I will do a full code review to make that gospel!
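As an added example (not Justin Scott's _SQLPrev.cfm, whose contents are not reproduced here), this is how a keyword check of the kind Mike describes can sit in an Application.cfc onRequestStart() method, placed next to the cfqueryparam form of a query that keeps such input from ever running as SQL. It goes a little beyond the post in two ways: it also scans the FORM scope, since form fields are exactly the same risk as URL variables when their values are concatenated into SQL, and it URL-decodes the query string before matching so an encoded ";" does not hide the keyword. The component name, datasource "siteDSN", table "articles", the alert address and the keyword list are all assumptions.

```cfml
<!--- Application.cfc: added example, not the _SQLPrev.cfm script from the post.
      Placeholders to change: alertTo, homePage, the datasource name "siteDSN". --->
<cfcomponent output="false">
    <cfset this.name = "exampleSite">

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- Keywords kept alphabetical, as in the post, so unused ones are easy to drop.
              Match whole words only, so a URL like ?mode=update is not mistaken for an attack. --->
        <cfset var keywords = "CAST|DECLARE|DELETE|DROP|EXEC|INSERT|UPDATE|VARCHAR">
        <cfset var pattern  = "(^|\W)(" & keywords & ")(\W|$)">
        <cfset var alertTo  = "security@example.invalid">   <!--- placeholder --->
        <cfset var homePage = "/">                           <!--- placeholder --->
        <!--- Decode first: "4%3BDECLARE()" must look like "4;DECLARE()" to the check --->
        <cfset var haystack = URLDecode(CGI.QUERY_STRING)>
        <cfset var key = "">

        <!--- Form fields carry the same risk as URL variables, so scan them as well --->
        <cfloop collection="#FORM#" item="key">
            <cfset haystack = haystack & "&" & key & "=" & FORM[key]>
        </cfloop>

        <cfif REFindNoCase(pattern, haystack)>
            <cfmail to="#alertTo#" from="#alertTo#" subject="SQL injection attempt blocked">
                Page: #arguments.targetPage#
                Client: #CGI.REMOTE_ADDR#
                Query string: #CGI.QUERY_STRING#
            </cfmail>
            <!--- Abort the page call and send the visitor to the home page, as the post describes --->
            <cflocation url="#homePage#" addtoken="false">
        </cfif>

        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- index.cfm: why the keyword filter should be the second line of defence, not the only one.
      Unsafe form (do not use): the raw value is spliced into the SQL text, so
      ?id=4;DECLARE... reaches SQL Server as a second statement. --->
<cfquery name="article" datasource="siteDSN">
    SELECT title FROM articles WHERE id = #URL.id#
</cfquery>

<!--- Safe form: the value is bound as an integer parameter and is never part of the SQL text;
      a non-numeric id such as "4;DECLARE()" is rejected before the query is sent. --->
<cfquery name="article" datasource="siteDSN">
    SELECT title FROM articles
    WHERE id = <cfqueryparam value="#URL.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

The word-boundary pattern is a deliberate trade-off: it misses nothing in the ";DECLARE()" style probe the post uses for testing, while reducing the false positives a bare substring match on words like "update" or "insert" would produce on ordinary URLs. It is still a blunt instrument; the cfqueryparam form is what actually closes the hole, and the filter then serves mainly as the early-warning email the post values.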

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310490