Well.......

This has got to be the strongest case for unit testing then...

If a component is unit tested, then the first thing is that you will know
that this could happen and fix it straight away.

The second is that this is why..... ColdFusion should have adopted an
approach that used an ORM instead.... With an ORM it reduces the risk,
provided the ORM takes these attacks seriously.

I have never seen these attacks with Hibernate, within GORM and Domain
Driven Design approaches.

I so hope that ColdFusion 9 has 2 things on its release.

1) The engine itself is open sourced. And the extra functionality and
support for middle tier API integration is adopted.

2) GORM style approach as in DDD (Domain Driven Design) is taken more
seriously.

With these 2 additions then SQL injection will be a thing of the past.





-- 
Senior ColdFusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273
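
The unit-test argument in the message above, as an added example that is not part of the thread: a Python/sqlite3 stand-in for a ColdFusion query, with the same lookup written by string splicing and with a bound parameter, and the checks a unit test would run against each. The table, rows, function names and probe string are all constructed for the example.

```python
import sqlite3

# Constructed sample table standing in for a site's database (not from the thread).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT NOT NULL);
        INSERT INTO news (title) VALUES ('CF-Talk digest'), ('Release notes');
    """)
    return conn

def find_news_unsafe(conn, title):
    # Splices the caller's string into the SQL text: the defect behind the attack
    # discussed in the thread. Anything in `title` is executed as SQL.
    sql = "SELECT id, title FROM news WHERE title = '%s'" % title
    return conn.execute(sql).fetchall()

def find_news_safe(conn, title):
    # Bound parameter: the driver keeps `title` as data, never as SQL text.
    sql = "SELECT id, title FROM news WHERE title = ?"
    return conn.execute(sql, (title,)).fetchall()

# Constructed probe: a tautology that matches no real title. A correct lookup
# must return zero rows for it; returning rows means the input was parsed as SQL.
TAUTOLOGY_PROBE = "' OR '1'='1"

def audit_lookup(query_fn):
    """Unit-test style checks a data-access component should pass.
    Returns a dict of named findings; an all-True dict is a pass."""
    conn = make_db()
    findings = {}
    # 1. A tautology probe must not widen the result set.
    findings["probe_returns_no_rows"] = query_fn(conn, TAUTOLOGY_PROBE) == []
    # 2. An ordinary apostrophe in data must neither break nor alter the query.
    conn.execute("INSERT INTO news (title) VALUES (?)", ("O'Reilly book review",))
    try:
        rows = query_fn(conn, "O'Reilly book review")
        findings["apostrophe_handled"] = len(rows) == 1
    except sqlite3.Error:
        # The spliced version raises a syntax error on the stray quote.
        findings["apostrophe_handled"] = False
    return findings

if __name__ == "__main__":
    for fn in (find_news_unsafe, find_news_safe):
        print(fn.__name__, audit_lookup(fn))
```

Run as a test suite, the unsafe variant fails both checks and the parameterised one passes both, which is the point made above: the defect is visible before any bot finds it.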




-----Original Message-----
From: Ben Forta [mailto:[EMAIL PROTECTED] 
Sent: Saturday, 9 August 2008 2:05 AM
To: CF-Talk
Subject: RE: SQL injection attack on House of Fusion

Yep, was curious about that too. I modified Justin's script to not send
e-mails, but to write a simple log entry - more an act of curiosity than
anything else - I just log the date, time, and client IP address.

--- Ben




-----Original Message-----
From: Brad Wood [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 08, 2008 12:03 PM
To: CF-Talk
Subject: Re: SQL injection attack on House of Fusion

Tell us how you really feel Ben.  :)

I had to temporarily stop apache on my site long enough to get a stop gap in
place.  My database is safe, but I was getting around 90 requests a second
and ColdFusion and MySQL were eating up all the server's CPU trying to keep
up.  SSH was even unresponsive.

I think I'm going to dump all these attempts in a database to analyze.  I'm
curious where the majority of the IPs are coming from.  There has to be a
way to squeak in the ear of ISPs loud enough to have them shut down infected
users until they are cleaned.

~Brad

----- Original Message ----- 
From: "Ben Forta" <[EMAIL PROTECTED]>
To: "CF-Talk" <cf-talk@houseoffusion.com>
Sent: Friday, August 08, 2008 10:50 AM
Subject: RE: SQL injection attack on House of Fusion


> Yep, I turned e-mail notifications off too, leave it on and you can
> inadvertently turn blocking SQL injection attacks into a self-imposed DoS
> attack. Fun stuff.
>
> On the plus side, it's nice to see CF finally getting the recognition it
> deserves, even if it is from parasitic bottom-feeding bots created by
> despicable scum-sucking feeble-excuse-for-a-carbon-based-life-form repugnant
> socially-inept basement-dwelling death-penalty-deserving hacker-wannabes.
>
> --- Ben


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310667