I would ensure that every single update / insert on your site is using
cfqueryparams for security's sake; however, it sounds to me like your issue is
not SQL injection, but more XSS attacks. An XSS attack is where data is
inserted into a page, usually via a database input field somewhere, which
then executes JavaScript or another piece of code in a site, which can
cause users' sessions to be hijacked, or the user could simply be redirected,
which is what it sounds like this XSSer is doing.

Dorioo is right on about the fix for this. I would either sanitize all data
that a customer has access to input with htmlEditFormat(), or sanitize
the output with htmlEditFormat().

i.e.:

INSERT INTO users (userName)
VALUES ('#form.username#')

Should be:

INSERT INTO users (userName)
VALUES ('#htmlEditFormat(form.username)#')

Another option would be to enable "Global Script Protection" in the settings
area of your ColdFusion Administrator. Doing this will cause you to never
have the ability to pass JavaScript tags and object tags via CGI, FORM and
URL variables though, so I would be careful about this global option.

Good luck!
Paul Alkema
AlkemaDesigns.com
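As an added example (not code from this thread or from either poster), here is the second of the two approaches above applied to the FEEDBACK table from Anthony's query: store the input as typed, using cfqueryparam so it cannot alter the SQL, and run every user-supplied column through htmlEditFormat() when it is written into the page. The form field names (form.feedback, form.left_by, form.county) and the maxlength values are assumptions.

```cfml
<!--- Added example, not code from the thread. Assumes form fields
      "feedback", "left_by" and "county" and the FEEDBACK / County tables
      named in Anthony's query. --->

<!--- 1. Storing input: cfqueryparam keeps the value out of the SQL text,
      so this INSERT cannot be turned into a different statement. The text
      is stored exactly as typed, so a <script> tag is still in the table. --->
<cfif structKeyExists(form, "feedback")>
    <cfquery datasource="DS1">
        INSERT INTO FEEDBACK (FEEDBACK, LEFT_BY, COUNTY)
        VALUES (
            <cfqueryparam value="#form.feedback#" cfsqltype="cf_sql_varchar" maxlength="2000">,
            <cfqueryparam value="#form.left_by#" cfsqltype="cf_sql_varchar" maxlength="100">,
            <cfqueryparam value="#form.county#" cfsqltype="cf_sql_integer">
        )
    </cfquery>
</cfif>

<!--- 2. Displaying it: this SELECT has no user input at all, so it is not
      injectable. The danger is the FEEDBACK and LEFT_BY columns being
      echoed raw. htmlEditFormat() turns < > & " into entities, so the
      browser shows the stored text instead of executing it. --->
<cfquery name="RS1" datasource="DS1">
    SELECT FEEDBACK.ID, FEEDBACK.FEEDBACK, FEEDBACK.LEFT_BY, County.County
    FROM FEEDBACK INNER JOIN County ON (FEEDBACK.COUNTY = County.ID)
</cfquery>

<cfoutput query="RS1">
    <p>
        #htmlEditFormat(RS1.FEEDBACK)#
        <br>left by #htmlEditFormat(RS1.LEFT_BY)# (#htmlEditFormat(RS1.County)#)
    </p>
</cfoutput>
```

Encoding on output rather than on insert keeps the stored data usable elsewhere (e-mail, CSV export, a JSON feed) where HTML entities would be wrong, and it also covers rows that were already in the table before the fix went in; the cost is that every place that prints the column has to remember to call htmlEditFormat().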

-----Original Message-----
From: Mike Chabot [mailto:mcha...@gmail.com] 
Sent: Monday, March 22, 2010 9:25 AM
To: cf-talk
Subject: Re: Coldfusion SQL Hack


The query you wrote is not hackable via SQL injection. No changes need
to be made to it.

-Mike Chabot

On Mon, Mar 22, 2010 at 7:04 AM, Anthony Doherty
<a.dohe...@advancesystems.co.uk> wrote:
>
> I have a site page that is only using the query below and the site keeps
> getting hit by SQL hacks.  I have looked through every SQL query and all the
> queries are using <cfqueryparam value="#URL.???#"
> cfsqltype="cf_sql_numeric"> so they can't be hacked.
>
> Can someone explain how I can amend this query so it's not hackable?
>
> <cfquery name="RS1" datasource="DS1">
> SELECT     FEEDBACK.ID, FEEDBACK.FEEDBACK, FEEDBACK.LEFT_BY,
>            County.County, County.ID
> FROM       FEEDBACK INNER JOIN
>            County ON (FEEDBACK.COUNTY = County.ID)
> </cfquery>
>
> Thanks
>
> 



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331941
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
