Don't forget to check things like "order by" variables.

http://www.coldfusionmuse.com/index.cfm/2008/7/21/SQL-injection-using-order-by

Also, with regard to application.cfm: make sure every page is running that
file. For example, do you have "includes" that might not be intended to be
run as URLs? Or do you have subdirectories that run cfm files that have
their OWN application.cfm or application.cfc file?

-mark

Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com
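The "order by" point above deserves a concrete illustration, because it is the case where the usual fix (bind every value as a parameter, `cfqueryparam` in ColdFusion) does not apply: a bound parameter is a value, and a column name is an identifier, so `ORDER BY ?` either errors or sorts by a constant string. The only safe option is to map the request onto a fixed allowlist and interpolate the allowlisted name. The following is an added, constructed example that is not from the thread; it uses Python and an in-memory SQLite table so it runs stand-alone, but the allowlist pattern transfers unchanged to a `cfquery` whose `ORDER BY` is built from `url.sort`. The table, rows and column names are made up for the example.

```python
"""Allowlisting an untrusted ORDER BY column (constructed example).

Parameter binding protects values, not identifiers. Binding the column
name produces a syntactically valid but useless query, so developers are
tempted to interpolate the raw request value instead, which is exactly the
ORDER BY injection the thread warns about. Mapping the request onto an
allowlist keeps the interpolation but removes the attacker's control.
"""
import sqlite3

# Constructed sample data: (id, username, age).
ROWS = [(1, "carol", 30), (2, "alice", 25), (3, "bob", 35)]

# Allowlist: request key -> real column name. Only the dict *values* ever
# reach the SQL text; the request string itself never does.
SORT_COLUMNS = {"name": "username", "age": "age", "id": "id"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def connect():
    """Open an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, age INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def order_by_clause(sort, direction="asc"):
    """Build a safe ORDER BY from untrusted sort/direction strings.

    Unknown input falls back to the default ordering rather than raising,
    so a probe such as sort="id; DROP TABLE users--" simply sorts by id.
    """
    column = SORT_COLUMNS.get(str(sort).lower(), "id")
    dirn = SORT_DIRECTIONS.get(str(direction).lower(), "ASC")
    return f"ORDER BY {column} {dirn}"


def list_users(conn, sort, direction="asc", min_age=0):
    """The value (min_age) is bound; the identifier comes from the allowlist."""
    sql = ("SELECT id, username, age FROM users WHERE age >= ? "
           + order_by_clause(sort, direction))
    return conn.execute(sql, (min_age,)).fetchall()


def list_users_bound_order(conn, sort):
    """What binding the column name gets you: SQLite treats the parameter as
    a constant expression, every row compares equal, and the requested sort
    is silently ignored. Injection-safe, but not the query the caller meant."""
    return conn.execute(
        "SELECT id, username, age FROM users ORDER BY ?", (sort,)).fetchall()


if __name__ == "__main__":
    c = connect()
    print(list_users(c, "name"))                      # alice, bob, carol
    print(list_users(c, "age", "desc"))               # 35, 30, 25
    print(list_users(c, "id; DROP TABLE users--"))    # falls back to id ASC
    print(list_users_bound_order(c, "username"))      # not sorted by username
```

Note that the fallback is deliberate: rejecting unknown sort keys with an error is also fine, but whichever you choose, log the rejected value, since a sort parameter that is not on the allowlist is a useful detection signal for probing.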

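The second point above, that every page must actually run the Application file, is easy to check mechanically. ColdFusion looks for `Application.cfc`, then `Application.cfm`, in the requested file's directory and then in each parent directory up to the web root, and runs only the nearest one; so a subdirectory with its own copy silently replaces the root's request filtering, and a `.cfm` outside the governed tree runs with none. The script below is an added, constructed example (not from the thread or any real site) that walks a web root and reports both cases. The sample directory layout it builds in a temp folder is made up; the `audit` function is the part to point at a real web root.

```python
"""Audit which .cfm files are governed by which Application.cfc/.cfm.

Constructed example. Findings:
  * extra_app_files: Application files below the web root, each of which
    replaces (does not chain to) the one above it for its subtree
  * unprotected: .cfm files with no Application file anywhere between them
    and the web root, e.g. includes parked in a stray directory
"""
import os
import tempfile
from pathlib import Path

APP_NAMES = ("application.cfc", "application.cfm")  # .cfc wins if both exist


def app_file_in(directory: Path):
    """Return the Application file in this one directory, or None."""
    found = {p.name.lower(): p for p in directory.iterdir()
             if p.is_file() and p.name.lower() in APP_NAMES}
    for name in APP_NAMES:           # preserve ColdFusion's cfc-before-cfm preference
        if name in found:
            return found[name]
    return None


def governing_app_file(directory: Path, webroot: Path):
    """Walk from `directory` up to `webroot`; return the nearest Application file."""
    d = directory
    while True:
        hit = app_file_in(d)
        if hit is not None or d == webroot:
            return hit
        d = d.parent


def audit(webroot):
    webroot = Path(webroot).resolve()
    root_app = app_file_in(webroot)
    report = {"root_app": root_app.name if root_app else None,
              "extra_app_files": [], "unprotected": []}
    for dirpath, _dirs, files in os.walk(webroot):
        d = Path(dirpath)
        here = app_file_in(d)
        if here is not None and d != webroot:
            report["extra_app_files"].append(str(here.relative_to(webroot)))
        # Templates that could be requested directly (the Application files
        # themselves are not counted as pages).
        pages = [f for f in files
                 if f.lower().endswith(".cfm") and f.lower() not in APP_NAMES]
        if pages and governing_app_file(d, webroot) is None:
            report["unprotected"].extend(
                str((d / f).relative_to(webroot)) for f in pages)
    report["extra_app_files"].sort()
    report["unprotected"].sort()
    return report


def build_sample_tree(base):
    """Constructed sample web root: the root itself has no Application file,
    'app/' has one, 'app/admin/' overrides it, and 'old/' has none at all."""
    base = Path(base)
    files = {
        "app/Application.cfm": "<cfset request.secured = true>",
        "app/index.cfm": "<cfoutput>#request.secured#</cfoutput>",
        "app/includes/header.cfm": "<!--- shared header, meant to be cfincluded --->",
        "app/admin/Application.cfc": "<cfcomponent></cfcomponent>",
        "app/admin/index.cfm": "<cfoutput>admin</cfoutput>",
        "old/report.cfm": "<cfquery name=\"q\" datasource=\"dsn\">SELECT 1</cfquery>",
    }
    for rel, body in files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return base


def run_sample():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_tree(tmp))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Anything listed under `unprotected` either needs an Application file above it or should be moved out of the web root entirely (includes do not need to be URL-reachable); anything under `extra_app_files` needs a look at whether that file re-implements, or simply drops, the request checks from the root.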
-----Original Message-----
From: Tom Chiverton [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 10, 2008 3:44 AM
To: cf-talk
Subject: Re: attack site / sql injections HELP!

On Thursday 09 Oct 2008, Tim Do wrote:
> I'm no security expert, but from what I understood all the inline 
> queries and input variables not being sanitized caused the SQL 
> injections.  That has been cleaned up.  What else can it be?

http://www.owasp.org/index.php/Top_10_2007 etc.

--
Tom Chiverton
Helping to confidentially supply architectures


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:313709