Would it be a good solution to add something like this into my
application.cfm file?

<cfloop index="IDelement" list="numID1,numID2,numID3,numID4,numID5">
  <cfif isDefined("url.#IDelement#")>
    <cftry>
      <!--- cfparam throws if the parameter exists but is not numeric --->
      <cfparam name="url.#IDelement#" type="numeric">
      <cfcatch>
        <!--- Replace the parameter with a good one (left commented out, since the request is aborted below):
              <cfset "url.#IDelement#" = val(Evaluate("url.#IDelement#"))> --->
        <cfoutput>
          <!--- Now let's retaliate --->
          <script>
            alert("#cgi.remote_addr# has been submitted to your ISP's abuse reporting system");
            document.location = "http://www.abuse.com";
          </script>
        </cfoutput>
        <cfabort>
      </cfcatch>
    </cftry>
  </cfif>
</cfloop>

Where numID1-numID5 would be all of my SQL's numeric columns.

BTW: has anyone used Allaire's CF_INPUTFILTER successfully to prevent things
like that?


Thanks,

Michael
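An added example, not code from the thread: a stricter version of the Application.cfm check that rejects and logs a bad value instead of repairing it with val(), followed by the query-side half, which binds the value as an integer with cfqueryparam. The datasource, table and column names are assumed.

```cfml
<!--- Application.cfm (added example): reject, rather than repair, bad numeric URL parameters --->
<cfset numericParams = "numID1,numID2,numID3,numID4,numID5">

<cfloop index="paramName" list="#numericParams#">
  <cfif structKeyExists(url, paramName)>
    <!--- Accept a plain integer only. val() is too lenient for this job:
          val("5 DROP TABLE t") returns 5, so "repairing" the value with val()
          would quietly accept the request instead of flagging it. --->
    <cfif NOT reFind("^-?[0-9]+$", url[paramName])>
      <cflog file="urlcheck" type="warning"
             text="Rejected #paramName# from #cgi.remote_addr#: #url[paramName]#">
      <cfheader statuscode="400" statustext="Bad Request">
      <cfabort>
    </cfif>
  </cfif>
</cfloop>

<!--- In the requesting page (assumes it is called with numID1): bind the value
      as an integer, so the database driver never sees it as SQL text.
      "myDSN", "orders", "orderID" and "customerID" are assumed names. --->
<cfquery name="getOrder" datasource="myDSN">
  SELECT orderID, customerID
  FROM orders
  WHERE orderID = <cfqueryparam value="#url.numID1#" cfsqltype="cf_sql_integer">
</cfquery>
```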
----- Original Message -----
From: "Dave Watts" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Friday, July 06, 2001 1:53 AM
Subject: RE: URL Hacks


> > > If anyone has any interest it is at:
> > > http://www.vawter.com/urlhack.cfm
> >
> > Quick question, the dropping of tables seems very destructive, and of
> > little point other than trashing a site.
> >
> > Is it possible to construct more "useful" queries to run piggy back,
> > i.e. the SQL to display all the tables in a database, the fields in a
> > table, or the data in a field(s)? I'm not asking for examples, just if
> > it's theoretically possible.
> >
> > Having the data deleted is easy to recover from (if not careless),
> > having someone view your data, or database construction would seem to
> > be a lot worse.
>
> Sure, it's possible to construct more useful strings, although usefulness
> here is going to be in the eye of the beholder. For example, if you knew a
> site was running against SQL Server, you might be able to execute the
> xp_cmdshell stored procedure, which would get you a command prompt on the
> database server, essentially. If you could do this, you could conceivably
> have that command shell retrieve a file from an FTP server and run that
> file. That might be useful, if your goal is to compromise a remote database
> server.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
>
>

Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/