Ummm, but is it not your website that YOU left vulnerable? If you
didn't have access to cfqueryparam then you should have used an
alternate approach. I'm sure they exist even for CF 4.0; a little
extra time at the beginning validating variables would have saved so much
grief now, right? And from what I'm hearing from popular sites, it's
not so much the cfqueryparam, because they are still getting hit
thousands of times every minute, like HoF. So there are other steps, not
just within CF. I think MD was working on something to stop the
intruders at the server, before it even hits CF.
I'm not saying it's entirely YOUR fault, but you allowed it to happen,
the same thing Dave Watts is saying.


On Mon, Aug 11, 2008 at 7:45 AM, Dave Morris <[EMAIL PROTECTED]> wrote:
> Ah.  You're from the "blame the victim" school.
>
> Unfortunately, when I wrote the first 1,000 ColdFusion templates using Ben
> Forta's CF 4.0 book, there was no CFQueryParam.  So going back and rewriting
> all those programs (now well into several thousand) has been a bitch.  And
> all it took was one missed spot.
>
> So I shouldn't be mad at the poor little hackers, because they were doing us
> all a favor by pointing out our faults.  That is your school of thought,
> right?
>
> Dave Morris
>
>
>> -----Original Message-----
>> From: Dave Watts [mailto:[EMAIL PROTECTED]
>> Sent: Sunday, August 10, 2008 11:15 PM
>> To: CF-Talk
>> Subject: RE: SQL injection attack on House of Fusion
>>
>> > Anyway, I propose the dot-com millionaires who left us stuck
>> > with the current mess in the spam and virus arena be
>> > personally required to fund an international Goon Squad with
>> > kneecap breaking instructions to go after these vandals.
>>
>> And who exactly would that be?
>>
>> > If someone did this crap to your house, you'd have the police
>> > and/or FBI out there in a heartbeat tracking down the
>> > criminals.  This is criminal mischief on a global scale.
>>
>> If you left your front door open, so that anyone could just walk in, you'd
>> have no one but yourself to blame. If you're looking for an analogy, that's
>> the one that fits. The reason this particular attack has been so successful
>> is the arguably criminal negligence of so many web developers, coupled with
>> the typical improper usage of administrator rights on untrained users'
>> desktops.
>>
>> People have been harping on these two issues for years - I know I have. As a
>> web developer, one of these issues is within your direct control. If you've
>> failed to do anything about unparameterized queries until something bad
>> happens to you, you've failed to meet the minimal due diligence for being a
>> web application developer.
>>
>> > And if Interpol won't do anything about it, and if the powers
>> > that be refuse to attach any form of responsibility or
>> > traceability to the ownership of an IP address, then we may
>> > just have to implement vigilante measures and go after the
>> > crooks ourselves.
>>
>> Well, uh, good luck with that. Let me know how it goes with you against the
>> Russian mafia. This stuff is no longer just maladjusted kids in their
>> parents' basement - there's money to be had here, and there are people going
>> after that money. I suggest your efforts are better directed at ensuring the
>> adequacy of your own sites' protection instead.
>>
>> Dave Watts, CTO, Fig Leaf Software
>> http://www.figleaf.com/
>>
>> Fig Leaf Software provides the highest caliber vendor-authorized
>> instruction at our training centers in Washington DC, Atlanta,
>> Chicago, Baltimore, Northern Virginia, or on-site at your location.
>> Visit http://training.figleaf.com/ for more information!
>>
>>
>
> 
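The three approaches the posters argue over, as an added CFML illustration that is not code from the thread or from House of Fusion: the unparameterized query Dave Watts describes, the cfqueryparam version, and the "validate first" fallback for a CF 4.0-era template. The datasource name, table and column names are assumptions.

```cfml
<!--- Added example (not from the thread). Assumes a datasource "myDSN" and a
      table "articles" with an integer key "articleID". --->

<!--- Vulnerable form: whatever arrives in URL.id is spliced into the SQL text,
      so the database cannot tell the data from the statement. --->
<cfquery name="getArticle" datasource="myDSN">
    SELECT title, body
    FROM articles
    WHERE articleID = #URL.id#
</cfquery>

<!--- Parameterized form (CF 4.5 and later): the value is bound as a typed
      parameter and is never parsed as SQL; cfqueryparam also rejects a
      non-integer value before the query reaches the database. --->
<cfquery name="getArticle" datasource="myDSN">
    SELECT title, body
    FROM articles
    WHERE articleID = <cfqueryparam value="#URL.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Fallback where cfqueryparam is not available: allow-list the input with
      a pattern so that only a plain integer can ever reach the SQL string.
      REFind, Val and cfabort all exist in CF 4.0. --->
<cfif NOT IsDefined("URL.id") OR NOT REFind("^[0-9]{1,10}$", URL.id)>
    <cfabort showerror="Invalid article id">
</cfif>
<cfset articleID = Val(URL.id)>
<cfquery name="getArticle" datasource="myDSN">
    SELECT title, body
    FROM articles
    WHERE articleID = #articleID#
</cfquery>
```

The pattern check works because an integer column has a small, easily allow-listed input shape; free-text columns are far harder to validate by hand, which is why the thread treats cfqueryparam as the baseline rather than one option among several.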

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310711