Last night I watched as someone made a pretty determined attempt to
attack one of my web sites. Thankfully I'd heeded good advice and
used <cfqueryparam on all the queries in that site and nothing they
tried worked. They were submitting URLs with parameters like:
/index.cfm?pid=111825&pgm=../../../../../../../../../../proc/self/environ&guestprogID=2
and many, many variations. Like most of us, I get lots of hack
attempts, but this was more persistent than any I'd seen before.

The site is still running happily now, after about 8 hours of this. I
don't know why they persisted for that long with no result - I would
have thought there were other targets they could go for if they're
getting no result here. I'm pleased I bothered to do all those things
at the time. When I was building the site (which is only a small
hobby site), I remember saying to myself several times "this is
overkill, there's no need for all this paranoia". But I'm glad now
that I did all that.

The techniques I've used that worked for me in this case were a
combination of factors:

[A] ALL queries - every single one of them - have <cfqueryparam,
including the cfsqltype attribute, around any parameters sent to the
database.
[B] No feedback is given to the user about the nature of the error,
only an error-handling page with the generic statement that 'there is
an error - perhaps we're updating the database - check back soon', so
they have no clue why their attempt failed.
[C] An email is sent to me with the exception struct, CGI vars, etc. so
I can be aware of what they're doing - that way I can make sure I am
covering all the vulnerabilities.
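In CFML terms, the three measures above look like this (an added example, not Mike's own code; the datasource, table, column and email addresses are assumed): a query with the raw URL value spliced into the SQL beside its cfqueryparam form, and an Application.cfc onError that shows the visitor only the generic page while emailing the exception struct and CGI scope to the site owner.

```cfml
<!--- Unparameterised: url.pid becomes part of the SQL text, so whatever the
      visitor sends is executed as SQL. --->
<cfquery name="getPage" datasource="mysite">
    SELECT title, body FROM pages WHERE pid = #url.pid#
</cfquery>

<!--- Parameterised: the value is bound as a typed parameter and never becomes
      SQL text. cf_sql_integer also rejects non-numeric input (such as a
      "../../" string) before the database is reached; the request then fails
      into onError below instead of returning anything useful. --->
<cfquery name="getPage" datasource="mysite">
    SELECT title, body FROM pages
    WHERE pid = <cfqueryparam value="#url.pid#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Application.cfc: runs for any uncaught exception on the site. --->
<cfcomponent>
    <cfset this.name = "mysite">

    <cffunction name="onError" returntype="void" output="true">
        <cfargument name="exception" required="true">
        <cfargument name="eventName" type="string" required="true">

        <!--- [C] capture the full picture for the owner: what failed and
              what the request looked like (addresses are assumed) --->
        <cfsavecontent variable="report">
            <cfdump var="#arguments.exception#" label="Exception">
            <cfdump var="#cgi#" label="CGI scope">
            <cfif isDefined("url")><cfdump var="#url#" label="URL scope"></cfif>
        </cfsavecontent>
        <cfmail to="owner@example.com"
                from="site@example.com"
                subject="Site error on #cgi.script_name# from #cgi.remote_addr#"
                type="html">#report#</cfmail>

        <!--- [B] the visitor learns nothing about the cause --->
        <cfoutput>
            <p>There is an error - perhaps we're updating the database -
               check back soon.</p>
        </cfoutput>
    </cffunction>
</cfcomponent>
```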

I have a banning system on forms on this site, so that forms
submitted with values that match certain parameters cause the IP
address of that user to be banned from the site. I think perhaps
I'll need to expand that to include URL variables now.

I just wanted to pass on that the warnings everyone hears about using
<cfqueryparam are valid, and we should never let a chink appear in our
defences by listening to that voice in the back of our heads,
especially when we're under time pressure: "this is overkill, there's no
need for all this paranoia".

Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion 9 Enterprise, PHP, ASP, ASP.NET hosting from AUD$15/month

