Just to make sure the finger points in the right place - the minor mis-spelling that Peter talks about was in a change that I made to Justin's file so it would work ok on our system. We require mail server, username and password in any cfmail tag, so i added them and made a dyslexic typing error.
But anyway the script works a treat when you dont have my misspelling in it, and in the last 2 hours it's identified more than 1400 hack attempts. And yes, Peter, you always need to use CFQUERYPARAM in any queries, if they're processing any user input. There has been some blogging on this subject in the last few weeks, with a couple of really good tools released that will identify queries in your apps that are exposing risk in this regard. Cheers Mike Kear Windsor, NSW, Australia Adobe Certified Advanced ColdFusion Developer AFP Webworks http://afpwebworks.com ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month On Fri, Aug 8, 2008 at 7:48 PM, Peter Tilbrook <[EMAIL PROTECTED]> wrote: > Wondering if SQL in form fields is also a risk. At any rate Justin D. Scott > of GravityFree ([EMAIL PROTECTED]) released a handy script which you can grab > here: > > http://www.actcfug.com/files/_SQLPrev.zip > > The original script had a minor mis-spelling bug and I made the keywords > alphabetical in order to make tweaking it easier if you need not use all the > provided keywords (eg: DROP). > > My host Mike Kear ([EMAIL PROTECTED]) provided this documentation: > > THE EXPLOIT: > > The attempt is to use url variables to gain access to the MASTER database > (they cant!) or identify VARCHAR, NVARCHAR or CHAR fields in your tables, > then add their own content to Them. The attackers use automated bots to > make multiple attempts on multiple pages. If the attack is successful, at > best it changes all the text fields in a database, at worst, it destroys > your database. > > THE DEFENCE > > There are a number of ways to defend against an attack like this, and we're > doing all of them. > > [A] Deny read or write permissions to the MASTER database and the system > tables to the SQLServer Login that ColdFusion uses to access the datasource. > This has always been the case > > [B] Restrict the SQLServer Login that ColdFusion uses to read/write access to > only the database that it needs for that datasource. This has always been > the case, but we're double checking. This means that if the hackers gain > access, the damage will be contained to one database only, and a weak defence > on one site won't compromise everyone else. > > [C] prevent the attack reaching the database in the first place. This is > where you come in. > > Attached is a script (_SQLPrev.cfm ) written by Justin Scott of GravityFree > ([EMAIL PROTECTED]). It seeks to scan the URL being called, looking for > some specific strings that can be used in this kind of attack. If it finds > such a word, it aborts the page call and sends the user to the home page of > the site, and sends you an email. > > I STRONGLY SUGGEST you incorporate this script at the top of your > application.cfm (or if you are using application.cfc, at the start fo your > onRequestStart() method) . IF the page call is not an attack, the page will > be slowed by a millisecond or two. If it IS an attack, it will very likely > capture it and prevent it. > > Just to help you focus your attention on this and how real the threat is, > while I have been typing this email, 11 sites am currently watching have > received 638 attack attempts, detected and deflected by this script. > > HOW TO DEPLOY THE SCRIPT: > > [A] alter the cfqueryparam variables at the top of the script to email > addresses, passwords, etc that are appropriate to you. > > [B] put the script somewhere on your site > > [C] in your application.cfm site include the script ( or in application.cfc > include the script in the onRequestStart() method) > > [D] to test the script, go to http://domain.com/index.cfm?id=4;DECLARE() > should trigger the script and you'll get an email advising you of a hack > attempt. > > Thanks to both Mike Kear and Justin Scott for making it a bit easier to > discern if our sites are being attacked. Obviously good coding is preferred > and touch wood I am immune so far but will do a full code review to make that > gospel! > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310492 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
