And they try JS injection too. Learnt a few tricks for MK over the years myself, so rather than data loss it is, if anything, annoying content to delete.

Will be in a position shortly to share what I do (apart from CFQUERYPARAM) so stay tuned.

Peter Tilbrook
Managing Director, ColdGen Internet Solutions
Professional Adobe ColdFusion 9 Application Development
President, ACT and Region ColdFusion Users Group
PO Box 2247 Queanbeyan, NSW, 2620 AUSTRALIA
Tel: +61-2-6284-2727
Mob: +61-2-0457-449-016
Email Address: pe...@coldgen.com
WWW: http://www.coldgen.com/
ABN: 80 826 226 128

On 3 May 2011 07:34, Taco Fleur <taco.fl...@clickfind.com.au> wrote:
> They're all automated attacks, that's why they keep doing it, they're zombie bots.
>
> On Mon, May 2, 2011 at 11:35 AM, Mike Kear <afpwebwo...@gmail.com> wrote:
>>
>> Last night I watched as someone made a pretty determined attempt to attack one of my web sites. Thankfully I'd heeded good advice and used <cfqueryparam on all the queries in that site and nothing they tried worked. They were submitting urls with parameters like:
>>
>> /index.cfm?pid=111825&pgm=../../../../../../../../../../proc/self/environ&guestprogID=2
>>
>> and many many variations. Like most of us, I get lots of hack attempts but this was more persistent than any I'd seen before.
>>
>> The site is still running happily now, after about 8 hours of this. I don't know why they persisted for that long with no result - I would have thought there were other targets they could go for if they're getting no result here. I'm pleased I bothered to do all those things at the time. When I was building the site (which is only a small hobby site), I remember saying to myself several times "this is overkill, there's no need for all this paranoia". But I'm glad now that I did all that.
>>
>> The techniques I've used that worked for me in this case were a combination of factors:
>>
>> [A] ALL queries - every single one of them - have <cfqueryparam including the cfsqltype parameter around any parameters sent to the database.
>> [B] no feedback is given to the user about the nature of the error, only an error-handling page with the generic statement that 'there is an error - perhaps we're updating the database - check back soon' so they have no clue why their attempt failed.
>> [C] an email is sent to me with the exception struct, cgi vars, etc so I can be aware of what they're doing - that way I can make sure I am covering all the vulnerabilities.
>>
>> I have a banning system on forms on this site, so that forms submitted with values that match certain parameters cause the IP address of that user to be banned from the site. I think perhaps I'll need to expand that to include URL variables now.
>>
>> I just wanted to pass on that the warnings everyone hears about using <cfqueryparam are valid, and we should never let a chink appear in our defences by listening to that voice in the back of your head, especially when you're under time pressure: "this is overkill, there's no need for all this paranoia".
>>
>> Cheers
>> Mike Kear
>> Windsor, NSW, Australia
>> Adobe Certified Advanced ColdFusion Developer
>> AFP Webworks
>> http://afpwebworks.com
>> ColdFusion 9 Enterprise, PHP, ASP, ASP.NET hosting from AUD$15/month
>>
>> --
>> You received this message because you are subscribed to the Google Groups "cfaussie" group.
>> To post to this group, send email to cfaussie@googlegroups.com.
>> To unsubscribe from this group, send email to cfaussie+unsubscr...@googlegroups.com.
>> For more options, visit this group at http://groups.google.com/group/cfaussie?hl=en.
>>
>
> --
> Kind regards,
> Taco Fleur
> clickfind™ - The new Australian Online Marketing Platform (OMP)
> http://www.onlinemarketingplatform.com.au
> http://www.clickfind.com.au
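The three measures Mike lists ([A] typed cfqueryparam on every value, [B] a generic error page, [C] the exception and CGI scope emailed to the owner), written out in CFML as an added example; this is not code from the thread or from Mike's site, and the file names, datasource "hobbyDSN", table "pages", the allowlisted templates and the email addresses are all assumptions.

```cfml
<!--- Application.cfc (assumed): onError gives the visitor nothing but the generic page
      while the full exception and request context go to the site owner by email ([B] and [C]) --->
<cfcomponent output="false">
    <cfset this.name = "hobbysite">
    <cfset this.datasource = "hobbyDSN">

    <cffunction name="onError" returntype="void" output="true">
        <cfargument name="exception" required="true">
        <cfargument name="eventName" type="string" required="true">
        <!--- [C] exception struct plus cgi and url scopes, so the attempt can be reviewed later --->
        <cfmail to="owner@example.com" from="site@example.com"
                subject="Site error: #arguments.exception.message#" type="html">
            <cfdump var="#arguments.exception#" label="exception">
            <cfdump var="#cgi#" label="cgi">
            <cfdump var="#url#" label="url">
        </cfmail>
        <!--- [B] no detail about what failed reaches the requester --->
        <cfoutput><p>There is an error - perhaps we're updating the database - check back soon.</p></cfoutput>
    </cffunction>
</cfcomponent>

<!--- index.cfm (assumed): each URL parameter is typed or allowlisted before it reaches SQL or the file system --->
<cfparam name="url.pid" default="0">
<cfparam name="url.pgm" default="home">

<!--- [A] cf_sql_integer binds the value as a parameter; anything that is not an integer
      (the ../../proc/self/environ string from the thread, or quote-and-comment text) throws
      before any SQL is sent, and onError above handles the exception --->
<cfquery name="getPage" datasource="hobbyDSN">
    SELECT page_id, title, body
    FROM pages
    WHERE page_id = <cfqueryparam value="#url.pid#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- pgm is never used as a path: the request value only selects a key in a fixed map,
      so the traversal attempt from the thread cannot name a file at all --->
<cfset programs = { home = "home.cfm", guest = "guestbook.cfm", events = "events.cfm" }>
<cfif structKeyExists(programs, url.pgm)>
    <cfinclude template="#programs[url.pgm]#">
<cfelse>
    <!--- unknown program: raise, so the same generic page is shown and the owner is emailed --->
    <cfthrow type="BadRequest" message="Unknown program requested">
</cfif>
```

Extending the existing form-based banning to URL variables, as Mike mentions, would fit naturally inside onError, where the offending cgi.remote_addr and url scope are already in hand.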