One small issue I have just discovered with blocker.cfm: if you apply it to a 
site that is running webservices that rely on the application.cfm file that you 
apply blocker.cfm to, then they will fail because there isn't a 'form' defined 
for the webservice call. I wrapped the code up in a simple <cfif 
isDefined("form")> ... </cfif> and it was all good again.

Cheers,

Brett
B)


Kym Kovan wrote:
> Claude Raiola wrote:
>> We have just had an SQL injection attack.
>>
>> Given we have several hundred cold fusion pages and the sql database has 
>> several hundred tables, has anyone found a reliable solution whereby 
>> script can be placed in the application.cfm page that will prevent code 
>> being appended to queries, as a viable alternative to having to edit 
>> every query across the 100's of pages to use the appropriate <cfqueryparam 
>> .............
> 
> You *have* to use <cfqueryparam, no choice. But it takes time to patch 
> up legacy sites, etc., so drop the function found here
> 
> http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=18
> 
> into your application.cfm and that will take some of the stress away.
> 
> There has been much chatter on various Lists about this and Mary Joe is 
> keeping the latest version of the function ready for her own clients and 
> the rest of us, most appreciated.
> 
> Another assist, if you have the access, is to remove permissions for the 
> System tables in the database, sys_objects and the like, so the script 
> cannot read them to do its nasty work.
> 
> 
> We surfed to our favourite surf watching site yesterday and got a 
> warning from Chrome (dodgy site warning). The site had been infected :-( 
> Do a Google on:
> 
> chkadw.com
> 
> and see how many hits there are and most of them are right there in the 
> Title of the, obviously CMS-driven, website!
> 

-- 
Brett Payne-Rhodes
Eaglehawk Computing
t: +61 (0)8 9371-0471
m: +61 (0)414 371 047
e: [EMAIL PROTECTED]
w: http://www.yoursite.net.au
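As an added illustration (not Brett's guard, not the cfwebstore blocker function, and not code from anyone in this thread), here is how the two points above fit together in an Application.cfm: the request filter only runs when the form scope actually exists, so SOAP web-service invocations that have no form scope pass straight through, while the real protection stays with <cfqueryparam> in each query. The regex pattern, the log file name, the datasource name, the table and the column names are all constructed for the example.

```cfml
<!--- Added example, not the original blocker.cfm: a request filter that
      tolerates web-service calls, followed by a parameterised query. --->

<!--- Web-service (SOAP) requests have no form scope, so guard the whole
      filter exactly as described above; url and cgi are checked separately. --->
<cfif isDefined("form") AND NOT structIsEmpty(form)>

    <!--- Constructed heuristic only: catches a few obvious "append extra SQL"
          shapes. It is a stop-gap, not a substitute for cfqueryparam. --->
    <cfset blockPattern = "(;\s*(drop|update|delete|exec|declare)\s|cast\s*\(|--\s*$)">

    <cfloop collection="#form#" item="fieldName">
        <cfif isSimpleValue(form[fieldName])
              AND reFindNoCase(blockPattern, form[fieldName])>
            <!--- Log enough to investigate, then refuse the request. --->
            <cflog file="sqli_blocker" type="warning"
                   text="Blocked form field '#fieldName#' from #cgi.remote_addr# on #cgi.script_name#">
            <cfheader statuscode="403" statustext="Forbidden">
            <cfabort>
        </cfif>
    </cfloop>
</cfif>

<!--- The fix that actually closes the hole: every user-supplied value is bound
      with cfqueryparam, so appended text cannot become SQL. Datasource,
      table and columns are placeholders for this example. --->
<cfparam name="url.id" default="0">
<cfquery name="getPage" datasource="#application.dsn#">
    SELECT title, body
    FROM   pages
    WHERE  pageID = <cfqueryparam value="#val(url.id)#" cfsqltype="cf_sql_integer">
</cfquery>
```

The same filter could be repeated over the url scope, which always exists; the point of the isDefined("form") wrapper is only that code touching a scope which may be absent for a given request type must check for it first, or the whole Application.cfm, and therefore every web-service method behind it, errors out.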


You received this message because you are subscribed to the Google Groups 
"cfaussie" group.
For more options, visit this group at 
http://groups.google.com/group/cfaussie?hl=en