Re: Hack Attempt on our database last night

2013-07-23 Thread Jen Larkin

That's because it's not a hacker; it's a script. It's either running in a
loop or on a schedule. There's not much point in trying to block the IP
address, since they could just change the IP address. It's probably onion
routed or otherwise obfuscated through a proxy of some sort; they can just
change proxy. Remember that any blocked IP address could be dynamically
assigned, so you can end up blocking legit users that way.

I've seen scripted attacks go on for months with the IP addresses changed
frequently. If you want to block attempts, you would have to use a tool
that would detect the pattern and add IP addresses automatically, or you
could reject the IP block that it's coming from if the country is blockable
per your business requirements. Depending on your business model that may
or may not be appropriate but it ultimately may not work since there are
proxies and zombies in the US that could be used for this.

I've blocked IP blocks before but they can change IP blocks too. If you
need to buy time to close some holes, you can block the IP block that
contains the IP. It will take a little while for the block to get worked
around. I've seen one day turn around circumventing that. Blocking a single
IP is faster to get around, but they'll get around it.

The code needs to be fixed. Anything else is cat and mouse.

One thing that I noticed in my last attack was that there was a
simultaneous attack on production and on dev, with attempts to log into
both via Remote Desktop. You may want to also check your system logs to
make sure that they aren't trying to brute force onto the servers as well.
If they are, you'll need to implement something at the firewall. (Yes, I
know that should have been firewalled to begin with. Don't get me started.)


On Mon, Jul 22, 2013 at 11:28 AM, Dave Hatz daveh...@hatzventures.org wrote:


 Russ,
 The query never processed.  The hacker was relentless though.  For about 5
 straight hours he kept trying.

 Which brings up another security question.  How do other sites handle
 something like this automatically?  I mean, if I see an attack from an IP
 address, is it even worth blocking at the firewall?

 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356280
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
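Jen's suggestion of a tool that detects the pattern and adds addresses automatically, together with her caveat about dynamically assigned addresses, can be sketched as a sliding-window blocker with expiring blocks. This is an added example, not code from the thread or from any product named in it. It assumes Apache-style access logs, treats a burst of HTTP 500 responses from one address as "the pattern" (the failed probes discussed in this thread produced server errors), and runs over constructed log lines using documentation-range addresses. Because the block lapses on its own, a legitimate user who later inherits the address is not locked out for good.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of access-log lines (Apache combined style). The addresses
# 203.0.113.7 and 198.51.100.4 are documentation ranges, not real hosts.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Jul/2013:01:15:00 -0400] "GET /product.cfm?id=99.9 HTTP/1.1" 500 512',
    '203.0.113.7 - - [22/Jul/2013:01:15:04 -0400] "GET /product.cfm?id=99.9 HTTP/1.1" 500 512',
    '203.0.113.7 - - [22/Jul/2013:01:15:08 -0400] "GET /product.cfm?id=99.9 HTTP/1.1" 500 512',
    '198.51.100.4 - - [22/Jul/2013:01:15:10 -0400] "GET /product.cfm?id=42 HTTP/1.1" 200 8042',
    '198.51.100.4 - - [22/Jul/2013:01:15:11 -0400] "GET /missing.cfm HTTP/1.1" 500 512',
    '203.0.113.7 - - [22/Jul/2013:01:15:12 -0400] "GET /product.cfm?id=99.9 HTTP/1.1" 500 512',
    '203.0.113.7 - - [22/Jul/2013:01:15:16 -0400] "GET /product.cfm?id=99.9 HTTP/1.1" 500 512',
    '203.0.113.7 - - [22/Jul/2013:01:15:20 -0400] "GET /product.cfm?id=99.9 HTTP/1.1" 500 512',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, epoch_seconds, status, request) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m["ip"], ts, int(m["status"]), m["req"]


class SlidingWindowBlocker:
    """Block an address once it produces `threshold` suspicious events within
    `window` seconds; lift the block after `block_for` seconds so a dynamically
    assigned address is not punished forever."""

    def __init__(self, threshold=5, window=60.0, block_for=600.0):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self._events = defaultdict(deque)  # ip -> timestamps of suspicious events
        self._blocked_until = {}           # ip -> epoch seconds when the block lapses

    def is_blocked(self, ip, now):
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[ip]    # block expired; forget it
            return False
        return True

    def record(self, ip, ts):
        """Record one suspicious event; return True if it triggers a block."""
        q = self._events[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop events outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self._blocked_until[ip] = ts + self.block_for
            q.clear()
            return True
        return False


def detect_from_log(lines, threshold=5, window=60.0, block_for=600.0):
    """Replay log lines through the blocker. Returns the blocker and a list of
    (ip, ts, decision) where decision is 'dropped', 'blocked' or 'allowed'."""
    blocker = SlidingWindowBlocker(threshold, window, block_for)
    decisions = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status, _req = parsed
        if blocker.is_blocked(ip, ts):
            decisions.append((ip, ts, "dropped"))
            continue
        # The "pattern" here is a server error; any other indicator can be substituted.
        if status >= 500 and blocker.record(ip, ts):
            decisions.append((ip, ts, "blocked"))
        else:
            decisions.append((ip, ts, "allowed"))
    return blocker, decisions


if __name__ == "__main__":
    blocker, decisions = detect_from_log(SAMPLE_LOG)
    for ip, ts, decision in decisions:
        print(f"{ip:14s} {ts:.0f} {decision}")
```

With the defaults, the scripted address is blocked on its fifth error inside the minute and its sixth request is dropped, while the single error from the other address never reaches the threshold. In production the decisions would feed a firewall or web-server deny list rather than a print loop, and the window, threshold and block duration would be tuned to the site's normal error rate.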


Re: Hack Attempt on our database last night

2013-07-23 Thread Lonny Eckert

Sent from my Verizon Wireless 4G LTE DROID


Jen Larkin jlar...@gmail.com wrote:


That's because it's not a hacker; it's a script. It's either running in a
loop or on a schedule. There's not much point in trying to block the IP
address, since they could just change the IP address. It's probably onion
routed or otherwise obfuscated through a proxy of some sort; they can just
change proxy. Remember that any blocked IP address could be dynamically
assigned, so you can end up blocking legit users that way.

I've seen scripted attacks go on for months with the IP addresses changed
frequently. If you want to block attempts, you would have to use a tool
that would detect the pattern and add IP addresses automatically, or you
could reject the IP block that it's coming from if the country is blockable
per your business requirements. Depending on your business model that may
or may not be appropriate but it ultimately may not work since there are
proxies and zombies in the US that could be used for this.

I've blocked IP blocks before but they can change IP blocks too. If you
need to buy time to close some holes, you can block the IP block that
contains the IP. It will take a little while for the block to get worked
around. I've seen one day turn around circumventing that. Blocking a single
IP is faster to get around, but they'll get around it.

The code needs to be fixed. Anything else is cat and mouse.

One thing that I noticed in my last attack was that there was a
simultaneous attack on production and on dev, with attempts to log into
both via Remote Desktop. You may want to also check your system logs to
make sure that they aren't trying to brute force onto the servers as well.
If they are, you'll need to implement something at the firewall. (Yes, I
know that should have been firewalled to begin with. Don't get me started.)


On Mon, Jul 22, 2013 at 11:28 AM, Dave Hatz daveh...@hatzventures.org wrote:


 Russ,
 The query never processed.  The hacker was relentless though.  For about 5
 straight hours he kept trying.

 Which brings up another security question.  How do other sites handle
 something like this automatically?  I mean, if I see an attack from an IP
 address, is it even worth blocking at the firewall?





Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356281


Re: Hack Attempt on our database last night

2013-07-23 Thread Les Mizzell

On 7/23/2013 12:51 AM, Justin Scott wrote:
 Which brings up another security question.  How do other sites
 handle something like this automatically?  I mean, if I see an
 attack from an IP address, is it even worth blocking at the firewall?

I had an interesting attack yesterday ...

A bot hit a payment form on a site. It entered *legit* information in all
the blanks, so it passed both client and server side validation.
What it did - in a very short period of time - submitted over 750 
separate credit card numbers, all for small but odd amounts, usually 
under $2.00.
Best guess - it had a list of stolen numbers and was looking for good 
ones it could use elsewhere.

Only way I could find to stop this was to measure the amount of time 
between submissions - around 4 seconds each - and add a script to the 
form that would not allow it to be submitted if it took less than a 
certain amount of time to fill it out. Fastest I could do it, even
with browser prefill, was around 30 seconds, so I set the timer at 20. 
Attack immediately stopped.

Client originally requested this form be in an anybody can access 
section of the site, which I protested. Got an idea I can get them to 
change their mind when I contact them about it later today.

Bots and methods used are getting more and more interesting all the 
time. The increasing cleverness of some of this stuff keeps me on my toes.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356282
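The minimum-fill-time check Les describes, enforced on the server so a bot cannot simply skip a client-side script: the form carries a hidden token recording when it was rendered, signed with a server secret, and the handler rejects any submission that arrives sooner than the threshold (20 seconds, as in the post). This is an added example, not Les's ColdFusion code; the secret, the 3600-second maximum token age and the hidden field name `form_token` are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import time

MIN_FILL_SECONDS = 20          # the threshold the post settled on
MAX_TOKEN_AGE_SECONDS = 3600   # assumption: a form left open longer than this must be reloaded


def issue_form_token(secret: bytes, now: float) -> str:
    """Embed the render time in a hidden field, signed so the client cannot back-date it."""
    issued = str(int(now)).encode()
    sig = hmac.new(secret, issued, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(issued + b"." + sig).decode()


def check_form_token(secret: bytes, token: str, now: float,
                     min_fill: float = MIN_FILL_SECONDS,
                     max_age: float = MAX_TOKEN_AGE_SECONDS):
    """Return (accepted, reason). Rejects tampered, too-fast and stale submissions."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        issued, sig = raw.split(b".", 1)
        issued_at = int(issued)
    except (ValueError, binascii.Error):
        return False, "malformed token"
    expected = hmac.new(secret, issued, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return False, "bad signature"
    elapsed = now - issued_at
    if elapsed < 0:
        return False, "token issued in the future"
    if elapsed < min_fill:
        return False, f"submitted after {elapsed:.0f}s; minimum is {min_fill:.0f}s"
    if elapsed > max_age:
        return False, "token expired; reload the form"
    return True, "ok"


def handle_submission(secret: bytes, form_fields: dict, now: float) -> dict:
    """Server-side gate: run the timing check before validation or payment logic."""
    ok, reason = check_form_token(secret, form_fields.get("form_token", ""), now)
    if not ok:
        return {"accepted": False, "reason": reason}
    # Normal field validation and processing would follow here.
    return {"accepted": True, "reason": reason}


if __name__ == "__main__":
    secret = b"constructed-demo-secret-rotate-me"
    t0 = time.time()
    token = issue_form_token(secret, t0)
    # A bot resubmitting every 4 seconds, as in the post, is rejected.
    print(handle_submission(secret, {"form_token": token}, t0 + 4))
    # A person taking half a minute is accepted.
    print(handle_submission(secret, {"form_token": token}, t0 + 35))
    # A client that edits the hidden field to claim an earlier render time fails the signature.
    forged = base64.urlsafe_b64encode(b"0." + b"\x00" * 32).decode()
    print(handle_submission(secret, {"form_token": forged}, t0 + 35))
```

The signature is what makes the timer meaningful: without it a script could post any render time it liked. The check is cheap, needs no session state, and pairs naturally with the other measures mentioned later in the thread; it does not replace them, since a patient bot can simply wait out the threshold.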


Re: Hack Attempt on our database last night

2013-07-23 Thread Russ Michaels

cfformprotect will help you with stuff like this


On Tue, Jul 23, 2013 at 12:35 PM, Les Mizzell lesm...@bellsouth.net wrote:


 On 7/23/2013 12:51 AM, Justin Scott wrote:
  Which brings up another security question.  How do other sites
  handle something like this automatically?  I mean, if I see an
  attack from an IP address, is it even worth blocking at the firewall?

 I had an interesting attack yesterday ...

 A bot hit a payment form on a site. It entered *legit* information in all
 the blanks, so it passed both client and server side validation.
 What it did - in a very short period of time - submitted over 750
 separate credit card numbers, all for small but odd amounts, usually
 under $2.00.
 Best guess - it had a list of stolen numbers and was looking for good
 ones it could use elsewhere.

 Only way I could find to stop this was to measure the amount of time
 between submissions - around 4 seconds each - and add a script to the
 form that would not allow it to be submitted if it took less than a
 certain amount of time to fill it out. Fastest I could do it, even
 with browser prefill, was around 30 seconds, so I set the timer at 20.
 Attack immediately stopped.

 Client originally requested this form be in an anybody can access
 section of the site, which I protested. Got an idea I can get them to
 change their mind when I contact them about it later today.

 Bots and methods used are getting more and more interesting all the
 time. The increasing cleverness of some of this stuff keeps me on my toes.



 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356283


Re: Hack Attempt on our database last night

2013-07-23 Thread Justin Scott

 cfformprotect will help you with stuff like this

I'll second that... it's become a standard for me to implement on
public-facing forms to prevent automated submissions.


-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356284


RE: Hack Attempt on our database last night

2013-07-23 Thread Mark A Kruger

I'll vote for that as well. Because it has several levels of detection it's
very reliable.

-mark


-Original Message-
From: Justin Scott [mailto:leviat...@darktech.org] 
Sent: Tuesday, July 23, 2013 8:15 AM
To: cf-talk
Subject: Re: Hack Attempt on our database last night


 cfformprotect will help you with stuff like this

I'll second that... it's become a standard for me to implement on
public-facing forms to prevent automated submissions.


-Justin



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356285


Re: Hack Attempt on our database last night

2013-07-23 Thread Pete Freitag

On Mon, Jul 22, 2013 at 4:29 PM, Mark A Kruger mkru...@cfwebtools.com wrote:


 Pete,

 So is that the purpose of the !3000 then? Got it!


That's correct Mark, you got it.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10
minutes


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356286


Re: Hack Attempt on our database last night

2013-07-22 Thread Russ Michaels

You can run cast function on the hex string to see the actual sql it
generates, which I thought was required anyway so not sure that query would
even execute otherwise.

Russ Michaels
www.michaels.me.uk
cfmldeveloper.com
cflive.net
cfsearch.com
On 22 Jul 2013 04:45, Justin Scott leviat...@darktech.org wrote:


 There was some discussion about a very similar injection on Stack
 Overflow which may be useful:


 http://stackoverflow.com/questions/4600954/site-has-been-hacked-via-sql-injection


 -Justin



 On Sun, Jul 21, 2013 at 1:33 PM, Dave  Hatz daveh...@hatzventures.org
 wrote:
 
  We had someone trying to hack our system last night and I would like to
 know what he was trying to get.  Seems one of our new Junior programmers
 didn't use CFQUERYPARAM and allowed this param into the query string.
  Needless to say, I will be having a nice long chat with him when he gets
 into the office tomorrow.
 
  How do I decode what this is?  Is there a tool or site that will convert
 this for me?
 
  99.9 /*!3union all select
 0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536*/--
 
 

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356265


Re: Hack Attempt on our database last night

2013-07-22 Thread Scott Stroz

Check out the 4th comment here -
http://stackoverflow.com/questions/4600954/site-has-been-hacked-via-sql-injection

Seems to be similar attack.


On Sun, Jul 21, 2013 at 1:33 PM, Dave Hatz daveh...@hatzventures.org wrote:


 We had someone trying to hack our system last night and I would like to
 know what he was trying to get.  Seems one of our new Junior programmers
 didn't use CFQUERYPARAM and allowed this param into the query string.
  Needless to say, I will be having a nice long chat with him when he gets
 into the office tomorrow.

 How do I decode what this is?  Is there a tool or site that will convert
 this for me?

 99.9 /*!3union all select
 0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536*/--

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356267


Re: Hack Attempt on our database last night

2013-07-22 Thread Justin Scott

In this particular case it's not generating SQL but just filling in
space to match the number of columns with the original query.
Basically once it executes without an error it allows the attacker to
see how many columns the original query is selecting.  It's part of an
automated attack tool.

-Justin

On Mon, Jul 22, 2013 at 5:08 AM, Russ Michaels r...@michaels.me.uk wrote:

 You can run cast function on the hex string to see the actual sql it
 generates, which I thought was required anyway so not sure that query would
 even execute otherwise.

 Russ Michaels
 www.michaels.me.uk
 cfmldeveloper.com
 cflive.net
 cfsearch.com
 On 22 Jul 2013 04:45, Justin Scott leviat...@darktech.org wrote:


 There was some discussion about a very similar injection on Stack
 Overflow which may be useful:


 http://stackoverflow.com/questions/4600954/site-has-been-hacked-via-sql-injection


 -Justin



 On Sun, Jul 21, 2013 at 1:33 PM, Dave  Hatz daveh...@hatzventures.org
 wrote:
 
  We had someone trying to hack our system last night and I would like to
 know what he was trying to get.  Seems one of our new Junior programmers
 didn't use CFQUERYPARAM and allowed this param into the query string.
  Needless to say, I will be having a nice long chat with him when he gets
 into the office tomorrow.
 
  How do I decode what this is?  Is there a tool or site that will convert
 this for me?
 
  99.9 /*!3union all select
 0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536*/--
 
 



 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356266


RE: Hack Attempt on our database last night

2013-07-22 Thread Mark A Kruger

According to the stack overflow comments 0x313032 ...etc is the calling
card of Havij, an automated injection tool.  The commenter said somewhat
of a necro - which I have no idea what that means... he's either
disparaging a race of intergalactic conquerors or misspelling macro.

-Original Message-
From: Byron Mann [mailto:byronos...@gmail.com] 
Sent: Monday, July 22, 2013 11:49 AM
To: cf-talk
Subject: RE: Hack Attempt on our database last night


That makes sense to me, looks more like an attempt to see if an injection
would work.

Byron Mann
Lead Engineer & Architect
HostMySite.com
On Jul 22, 2013 12:46 PM, Mark A Kruger mkru...@cfwebtools.com wrote:


 Justin (et al)

 When I unpack this I get

 99.99 /*!3000 union all select   0x313032...   etc */ --

 Doesn't the /* */ force the whole string into a comment? Hard to see how
 that would succeed.

 -Mark



 -Original Message-
 From: Justin Scott [mailto:leviat...@darktech.org]
 Sent: Monday, July 22, 2013 11:19 AM
 To: cf-talk
 Subject: Re: Hack Attempt on our database last night


 In this particular case it's not generating SQL but just filling in
 space to match the number of columns with the original query.
 Basically once it executes without an error it allows the attacker to
 see how many columns the original query is selecting.  It's part of an
 automated attack tool.

 -Justin

 On Mon, Jul 22, 2013 at 5:08 AM, Russ Michaels r...@michaels.me.uk
 wrote:
 
  You can run cast function on the hex string to see the actual sql it
  generates, which I thought was required anyway so not sure that query
 would
  even execute otherwise.
 
  Russ Michaels
  www.michaels.me.uk
  cfmldeveloper.com
  cflive.net
  cfsearch.com
  On 22 Jul 2013 04:45, Justin Scott leviat...@darktech.org wrote:
 
 
  There was some discussion about a very similar injection on Stack
  Overflow which may be useful:
 
 
 


 http://stackoverflow.com/questions/4600954/site-has-been-hacked-via-sql-injection
 
 
  -Justin
 
 
 
  On Sun, Jul 21, 2013 at 1:33 PM, Dave  Hatz daveh...@hatzventures.org
  wrote:
  
   We had someone trying to hack our system last night and I would like
 to
  know what he was trying to get.  Seems one of our new Junior
programmers
  didn't use CFQUERYPARAM and allowed this param into the query string.
   Needless to say, I will be having a nice long chat with him when he
 gets
  into the office tomorrow.
  
   How do I decode what this is?  Is there a tool or site that will
 convert
  this for me?
  
   99.9 /*!3union all select
 0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536*/--
  
  
 
 
 
 



 



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356270


RE: Hack Attempt on our database last night

2013-07-22 Thread Byron Mann

That makes sense to me, looks more like an attempt to see if an injection
would work.

Byron Mann
Lead Engineer & Architect
HostMySite.com
On Jul 22, 2013 12:46 PM, Mark A Kruger mkru...@cfwebtools.com wrote:


 Justin (et al)

 When I unpack this I get

 99.99 /*!3000 union all select   0x313032...   etc */ --

 Doesn't the /* */ force the whole string into a comment? Hard to see how
 that would succeed.

 -Mark



 -Original Message-
 From: Justin Scott [mailto:leviat...@darktech.org]
 Sent: Monday, July 22, 2013 11:19 AM
 To: cf-talk
 Subject: Re: Hack Attempt on our database last night


 In this particular case it's not generating SQL but just filling in
 space to match the number of columns with the original query.
 Basically once it executes without an error it allows the attacker to
 see how many columns the original query is selecting.  It's part of an
 automated attack tool.

 -Justin

 On Mon, Jul 22, 2013 at 5:08 AM, Russ Michaels r...@michaels.me.uk
 wrote:
 
  You can run cast function on the hex string to see the actual sql it
  generates, which I thought was required anyway so not sure that query
 would
  even execute otherwise.
 
  Russ Michaels
  www.michaels.me.uk
  cfmldeveloper.com
  cflive.net
  cfsearch.com
  On 22 Jul 2013 04:45, Justin Scott leviat...@darktech.org wrote:
 
 
  There was some discussion about a very similar injection on Stack
  Overflow which may be useful:
 
 
 

 http://stackoverflow.com/questions/4600954/site-has-been-hacked-via-sql-injection
 
 
  -Justin
 
 
 
  On Sun, Jul 21, 2013 at 1:33 PM, Dave  Hatz daveh...@hatzventures.org
  wrote:
  
   We had someone trying to hack our system last night and I would like
 to
  know what he was trying to get.  Seems one of our new Junior programmers
  didn't use CFQUERYPARAM and allowed this param into the query string.
   Needless to say, I will be having a nice long chat with him when he
 gets
  into the office tomorrow.
  
   How do I decode what this is?  Is there a tool or site that will
 convert
  this for me?
  
   99.9 /*!3union all select
 0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536*/--
  
  
 
 
 
 



 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356269


RE: Hack Attempt on our database last night

2013-07-22 Thread Mark A Kruger

Justin (et al)

When I unpack this I get

99.99 /*!3000 union all select   0x313032...   etc */ --

Doesn't the /* */ force the whole string into a comment? Hard to see how
that would succeed.

-Mark



-Original Message-
From: Justin Scott [mailto:leviat...@darktech.org] 
Sent: Monday, July 22, 2013 11:19 AM
To: cf-talk
Subject: Re: Hack Attempt on our database last night


In this particular case it's not generating SQL but just filling in
space to match the number of columns with the original query.
Basically once it executes without an error it allows the attacker to
see how many columns the original query is selecting.  It's part of an
automated attack tool.

-Justin

On Mon, Jul 22, 2013 at 5:08 AM, Russ Michaels r...@michaels.me.uk wrote:

 You can run cast function on the hex string to see the actual sql it
 generates, which I thought was required anyway so not sure that query
would
 even execute otherwise.

 Russ Michaels
 www.michaels.me.uk
 cfmldeveloper.com
 cflive.net
 cfsearch.com
 On 22 Jul 2013 04:45, Justin Scott leviat...@darktech.org wrote:


 There was some discussion about a very similar injection on Stack
 Overflow which may be useful:



 http://stackoverflow.com/questions/4600954/site-has-been-hacked-via-sql-injection


 -Justin



 On Sun, Jul 21, 2013 at 1:33 PM, Dave  Hatz daveh...@hatzventures.org
 wrote:
 
  We had someone trying to hack our system last night and I would like to
 know what he was trying to get.  Seems one of our new Junior programmers
 didn't use CFQUERYPARAM and allowed this param into the query string.
  Needless to say, I will be having a nice long chat with him when he gets
 into the office tomorrow.
 
  How do I decode what this is?  Is there a tool or site that will
convert
 this for me?
 
  99.9 /*!3union all select
 0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536*/--
 
 



 



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356268


Re: Hack Attempt on our database last night

2013-07-22 Thread Dave Hatz

Russ,
The query never processed.  The hacker was relentless though.  For about 5 
straight hours he kept trying.

Which brings up another security question.  How do other sites handle
something like this automatically?  I mean, if I see an attack from an IP 
address, is it even worth blocking at the firewall? 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356271


Re: Hack Attempt on our database last night

2013-07-22 Thread Dave Hatz

Justin,
That is the same attack we had.  He never made it through to our database to 
execute the query.  I scanned the DB logs and it failed on him every time.

Thanks for the link, it was helpful.

Dave 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356272


Re: Hack Attempt on our database last night

2013-07-22 Thread Russ Michaels

With application firewalls, mostly.
There are plenty of options out there from hardware to software to web
server plugins.
For a CF-specific WAF try FuseGuard.


On Mon, Jul 22, 2013 at 7:28 PM, Dave Hatz daveh...@hatzventures.org wrote:


 Russ,
 The query never processed.  The hacker was relentless though.  For about 5
 straight hours he kept trying.

 Which brings up another security question.  How do other sites handle
 something like this automatically?  I mean, if I see an attack from an IP
 address, is it even worth blocking at the firewall?

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356273


Re: Hack Attempt on our database last night

2013-07-22 Thread Pete Freitag

On Mon, Jul 22, 2013 at 12:45 PM, Mark A Kruger mkru...@cfwebtools.com wrote:

 Doesn't the /* */ force the whole string into a comment? Hard to see how
 that would succeed.


It is a MySQL version-specific comment, so if the MySQL version is greater than
version 3.0 (in this case) it would execute; all other DB engines would treat it
as a comment.


--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10
minutes


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356274
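Justin's point that the payload only pads the select list until the column count matches, and Pete's point that `/*!...*/` is a MySQL version-specific comment which every other engine treats as an ordinary comment, can both be checked mechanically when triaging a parameter pulled from the logs. The following is an added example, not code from the thread or from Havij: it decodes the `0x...` literals (the view Russ's CAST suggestion would give), counts the columns in the UNION select list, and reports the version digits behind `/*!`. The probe string is reconstructed from the parameter quoted in the thread (26 identical literals); the second sample input is constructed to show a five-digit version marker.

```python
import re

HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)")
# MySQL version-specific comment: the body runs only when the server version is
# at least the number after "/*!"; every other engine sees a plain comment.
VERSIONED_COMMENT = re.compile(r"/\*!(\d*)")
# No leading \b: in the thread's sample the keyword is glued to the digits ("/*!3union").
UNION_SELECT = re.compile(r"union\s+(?:all\s+)?select\b", re.IGNORECASE)

# Reconstructed from the parameter quoted in the thread: 26 identical hex literals.
HAVIJ_STYLE_PROBE = (
    "99.9 /*!3union all select "
    + ",".join(["0x31303235343830303536"] * 26)
    + "*/--"
)


def decode_hex_literal(literal: str) -> str:
    """Decode a 0x... literal as MySQL would when it is used as a string."""
    digits = literal[2:] if literal[:2].lower() == "0x" else literal
    if len(digits) % 2:          # odd-length literal: MySQL pads a leading nibble
        digits = "0" + digits
    return bytes.fromhex(digits).decode("latin-1")


def analyse_parameter(value: str) -> dict:
    """Summarise the injection indicators in one request parameter."""
    report = {
        "versioned_comment": False,
        "min_mysql_version": None,    # digits after /*! exactly as written, or "any"
        "union_select": False,
        "column_count": 0,
        "decoded_literals": [],
    }
    m = VERSIONED_COMMENT.search(value)
    if m:
        report["versioned_comment"] = True
        report["min_mysql_version"] = m.group(1) or "any"
    u = UNION_SELECT.search(value)
    if u:
        report["union_select"] = True
        select_list = value[u.end():]
        end = select_list.find("*/")           # select list ends where the comment closes
        if end != -1:
            select_list = select_list[:end]
        # Plain comma split: enough for literal-only probes like this one; a
        # select list with function calls would need a paren-aware splitter.
        columns = [c.strip() for c in select_list.split(",") if c.strip()]
        report["column_count"] = len(columns)
    report["decoded_literals"] = sorted(
        {decode_hex_literal(h) for h in HEX_LITERAL.findall(value)}
    )
    return report


def is_suspicious(report: dict) -> bool:
    """A versioned comment or a UNION SELECT in a numeric parameter is never legitimate input."""
    return report["versioned_comment"] or report["union_select"]


if __name__ == "__main__":
    for sample in (HAVIJ_STYLE_PROBE, "1 /*!50000 union select 0x41,0x42*/ -- ", "99.9"):
        print(sample[:60], "->", analyse_parameter(sample))
```

Run against the thread's probe, the report shows a 26-column UNION whose literals all decode to the same digit string, which supports Justin's reading that they are padding used to discover the column count rather than SQL in their own right. The version digits are reported exactly as written, so the discrepancy between the raw parameter (`/*!3`) and Mark's unpacked version (`/*!3000`) would be visible to whoever is doing the triage.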


RE: Hack Attempt on our database last night

2013-07-22 Thread Mark A Kruger

Ah that is devilishly clever.

-Original Message-
From: Pete Freitag [mailto:p...@foundeo.com] 
Sent: Monday, July 22, 2013 2:23 PM
To: cf-talk
Subject: Re: Hack Attempt on our database last night


On Mon, Jul 22, 2013 at 12:45 PM, Mark A Kruger
mkru...@cfwebtools.com wrote:

 Doesn't the /* */ force the whole string into a comment? Hard to see how
 that would succeed.


It is a MySQL version-specific comment, so if the MySQL version is greater than
version 3.0 (in this case) it would execute; all other DB engines would treat it
as a comment.


--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10
minutes




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356275


RE: Hack Attempt on our database last night

2013-07-22 Thread Mark A Kruger

Pete,

So is that the purpose of the !3000 then? Got it!

-Original Message-
From: Pete Freitag [mailto:p...@foundeo.com] 
Sent: Monday, July 22, 2013 2:23 PM
To: cf-talk
Subject: Re: Hack Attempt on our database last night


On Mon, Jul 22, 2013 at 12:45 PM, Mark A Kruger
mkru...@cfwebtools.com wrote:

 Doesn't the /* */ force the whole string into a comment? Hard to see how
 that would succeed.


It is a MySQL version-specific comment, so in this case if the MySQL version
is greater than 3.0 it would execute; all other DB engines would treat it as
a comment.


--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10
minutes




Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356276


Re: Hack Attempt on our database last night

2013-07-22 Thread Justin Scott

 Which brings up another security question.  How do other sites
 handle something like this automatically?  I mean, if I see an
 attack from an IP address, is it even worth blocking at the firewall?

What I do is a combination of input sanitizing and using cfqueryparam
to the point where it's actually not possible (in theory) to put the
application in an unknown or error state and invalid input is always
handled in a predictable way (e.g. redirect to the home page, etc.).
One of my goals when building an application is to make it so that in
theory it shouldn't be possible for the end user to generate a
ColdFusion error.  When my error handlers get a hit it becomes a Big
Deal(tm) and usually leads to a code change to make it so that the
error can't happen again.

Due to the volume of automated probes and attack tools constantly
sweeping the web I generally don't bother trying to block individual
addresses and such manually.  Our firewall/IDS farther upstream looks
for known attack patterns and blocks those for us automatically, but
if I see someone probing in the logs I usually don't pay it much
attention.  If someone is able to trigger a CF error then it does
become a top priority to investigate how they were able to do so and
patch the code so that the condition can be handled gracefully.


-Justin

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356279


Hack Attempt on our database last night

2013-07-21 Thread Dave Hatz

We had someone trying to hack our system last night and I would like to know 
what he was trying to get.  Seems one of our new Junior programmers didn't use 
CFQUERYPARAM and allowed this param into the query string.  Needless to say, I 
will be having a nice long chat with him when he gets into the office tomorrow. 
 

How do I decode what this is?  Is there a tool or site that will convert this 
for me?

99.9 /*!3union all select 
0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536*/--
 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356261
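Dave asks how to decode the string, and Pete's reply explains the /*! ... */ MySQL conditional comment. The following is an added Python example, not code from the thread: it pulls the conditional comment apart, reports the version digits that follow /*!, counts the SELECT list (which tells you how many columns the probe guessed the original query returns), and decodes the 0x... literals back to text. SAMPLE is a shortened, constructed copy of the posted payload (the same literal, four columns instead of the full list); the function names are mine.

```python
import re

# Constructed, shortened copy of the payload from the post: the same
# 0x... literal, but only four columns so the example stays readable.
SAMPLE = ("99.9 /*!3union all select "
          "0x31303235343830303536,0x31303235343830303536,"
          "0x31303235343830303536,0x31303235343830303536*/--")

# /*!NNNNN sql */ : MySQL runs "sql" when its version is at least NNNNN;
# every other engine sees an ordinary block comment (Pete's point).
COND_COMMENT = re.compile(r"/\*!(\d*)(.*?)\*/", re.DOTALL)
HEX_LITERAL = re.compile(r"\b0x([0-9A-Fa-f]+)\b")


def decode_hex_literal(hexdigits: str) -> str:
    """Turn a MySQL 0x... string literal back into text."""
    if len(hexdigits) % 2:          # tolerate an odd-length literal
        hexdigits = "0" + hexdigits
    return bytes.fromhex(hexdigits).decode("ascii", errors="replace")


def analyse(payload: str) -> dict:
    """Describe what a MySQL conditional-comment injection string contains."""
    m = COND_COMMENT.search(payload)
    if m is None:
        return {"conditional_comment": False, "min_version": None,
                "hidden_sql": None, "columns": 0, "decoded": []}
    min_version, hidden_sql = m.group(1), m.group(2).strip()
    # Everything after SELECT is the column list the probe is guessing at.
    select_list = re.split(r"\bselect\b", hidden_sql, maxsplit=1,
                           flags=re.IGNORECASE)[-1]
    columns = [c.strip() for c in select_list.split(",") if c.strip()]
    decoded = [decode_hex_literal(h) for h in HEX_LITERAL.findall(select_list)]
    return {"conditional_comment": True,
            "min_version": min_version,      # "3" in the posted string
            "hidden_sql": hidden_sql,
            "columns": len(columns),
            "decoded": decoded}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the full posted string the count of columns is simply the length of the literal list, and every literal decodes to the same ten-digit marker, which is what an automated UNION column-count probe looks like in a log: the value is there to be recognised in the response, not to extract anything yet.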


Re: Hack Attempt on our database last night

2013-07-21 Thread Justin Scott

There was some discussion about a very similar injection on Stack
Overflow which may be useful:

http://stackoverflow.com/questions/4600954/site-has-been-hacked-via-sql-injection


-Justin



On Sun, Jul 21, 2013 at 1:33 PM, Dave Hatz daveh...@hatzventures.org wrote:

 We had someone trying to hack our system last night and I would like to know 
 what he was trying to get.  Seems one of our new Junior programmers didn't 
 use CFQUERYPARAM and allowed this param into the query string.  Needless to 
 say, I will be having a nice long chat with him when he gets into the office 
 tomorrow.

 How do I decode what this is?  Is there a tool or site that will convert this 
 for me?

 99.9 /*!3union all select 
 0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536*/--

 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356264


Hack Attempt?

2013-06-25 Thread John M Bliss

Hi. My server just stopped handling reqs for a second and I got alerted.
When I checked to see what was running, I saw a long-ish running req for:

index.cfm?
-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don+-d+disable_functions%3D%22%2
2+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2f%2finput+-n

I killed that req and blacklisted the IP. Any idea:

- what that req is supposed to do?
- how to be sure to block it?

-- 
John Bliss - http://about.me/jbliss


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356053


Hack Attempt?

2013-06-25 Thread John Bliss

Hi. My server just stopped handling reqs for a second and I got alerted. When I 
checked to see what was running, I saw a long-ish running req for:

index.cfm?
-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don+-d+disable_functions%3D%22%2
2+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2f%2finput+-n

I killed that req and blacklisted the IP. Any idea:

- what that req is supposed to do?
- how to be sure to block it? 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356058


Re: Hack Attempt?

2013-06-25 Thread Cameron Childress

On Tue, Jun 25, 2013 at 12:56 PM, John Bliss wrote:

 - what that req is supposed to do?
 - how to be sure to block it?


First result via Google for that string:

Plesk 0-day Remote Vulnerability in the Wild
http://blog.sucuri.net/2013/06/plesk-0-day-remote-vulnerability-in-the-wild.html

-Cameron

...


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356060


Re: Hack Attempt?

2013-06-25 Thread John M Bliss

I don't have PHP installed so I guess I'm not vulnerable, right?

Any idea how to have CF (or IIS) auto-kill requests like this?


On Tue, Jun 25, 2013 at 1:09 PM, Cameron Childress camer...@gmail.com wrote:


 On Tue, Jun 25, 2013 at 12:56 PM, John Bliss wrote:

  - what that req is supposed to do?
  - how to be sure to block it?
 

 First result via Google for that string:

 Plesk 0-day Remote Vulnerability in the Wild

 http://blog.sucuri.net/2013/06/plesk-0-day-remote-vulnerability-in-the-wild.html

 -Cameron

 ...


 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356061


Re: Hack Attempt?

2013-06-25 Thread Mallory Woods

Thanks for the heads up. I know some people that use plesk


On Tue, Jun 25, 2013 at 1:16 PM, John M Bliss bliss.j...@gmail.com wrote:


 I don't have PHP installed so I guess I'm not vulnerable, right?

 Any idea how to have CF (or IIS) auto-kill requests like this?


 On Tue, Jun 25, 2013 at 1:09 PM, Cameron Childress camer...@gmail.com
 wrote:

 
  On Tue, Jun 25, 2013 at 12:56 PM, John Bliss wrote:
 
   - what that req is supposed to do?
   - how to be sure to block it?
  
 
  First result via Google for that string:
 
  Plesk 0-day Remote Vulnerability in the Wild
 
 
 http://blog.sucuri.net/2013/06/plesk-0-day-remote-vulnerability-in-the-wild.html
 
  -Cameron
 
  ...
 
 
 

 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356062


Re: Hack Attempt?

2013-06-25 Thread Byron Mann

IIS 7 has a rewrite module with which you could null-route this type of
request based on a regex.

Byron Mann
Lead Engineer & Architect
HostMySite.com


On Tue, Jun 25, 2013 at 1:16 PM, John M Bliss bliss.j...@gmail.com wrote:


 I don't have PHP installed so I guess I'm not vulnerable, right?

 Any idea how to have CF (or IIS) auto-kill requests like this?


 On Tue, Jun 25, 2013 at 1:09 PM, Cameron Childress camer...@gmail.com
 wrote:

 
  On Tue, Jun 25, 2013 at 12:56 PM, John Bliss wrote:
 
   - what that req is supposed to do?
   - how to be sure to block it?
  
 
  First result via Google for that string:
 
  Plesk 0-day Remote Vulnerability in the Wild
 
 
 http://blog.sucuri.net/2013/06/plesk-0-day-remote-vulnerability-in-the-wild.html
 
  -Cameron
 
  ...
 
 
 

 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356073


Re: Hack Attempt?

2013-06-25 Thread John M Bliss

Using IIS 6. Any other ideas?


On Tue, Jun 25, 2013 at 3:26 PM, Byron Mann byronos...@gmail.com wrote:


 IIS 7 has a rewrite module with which you could null-route this type of
 request based on a regex.

 Byron Mann
 Lead Engineer & Architect
 HostMySite.com


 On Tue, Jun 25, 2013 at 1:16 PM, John M Bliss bliss.j...@gmail.com
 wrote:

 
  I don't have PHP installed so I guess I'm not vulnerable, right?
 
  Any idea how to have CF (or IIS) auto-kill requests like this?
 
 
  On Tue, Jun 25, 2013 at 1:09 PM, Cameron Childress camer...@gmail.com
  wrote:
 
  
   On Tue, Jun 25, 2013 at 12:56 PM, John Bliss wrote:
  
- what that req is supposed to do?
- how to be sure to block it?
   
  
   First result via Google for that string:
  
   Plesk 0-day Remote Vulnerability in the Wild
  
  
 
 http://blog.sucuri.net/2013/06/plesk-0-day-remote-vulnerability-in-the-wild.html
  
   -Cameron
  
   ...
  
  
  
 
 

 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356075


Re: Hack Attempt?

2013-06-25 Thread Jordan Michaels

Fuseguard will auto-kill requests like that. Will send a forbidden 
response back.

Warm Regards,
Jordan Michaels

On 06/25/2013 10:16 AM, John M Bliss wrote:

 I don't have PHP installed so I guess I'm not vulnerable, right?

 Any idea how to have CF (or IIS) auto-kill requests like this?


 On Tue, Jun 25, 2013 at 1:09 PM, Cameron Childress camer...@gmail.com wrote:


 On Tue, Jun 25, 2013 at 12:56 PM, John Bliss wrote:

 - what that req is supposed to do?
 - how to be sure to block it?


 First result via Google for that string:

 Plesk 0-day Remote Vulnerability in the Wild

 http://blog.sucuri.net/2013/06/plesk-0-day-remote-vulnerability-in-the-wild.html

 -Cameron

 ...




 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356077


Re: Hack Attempt?

2013-06-25 Thread John M Bliss

Thanks. Any free solutions?


On Tue, Jun 25, 2013 at 3:44 PM, Jordan Michaels jor...@viviotech.net wrote:


 Fuseguard will auto-kill requests like that. Will send a forbidden
 response back.

 Warm Regards,
 Jordan Michaels

 On 06/25/2013 10:16 AM, John M Bliss wrote:
 
  I don't have PHP installed so I guess I'm not vulnerable, right?
 
  Any idea how to have CF (or IIS) auto-kill requests like this?
 
 
  On Tue, Jun 25, 2013 at 1:09 PM, Cameron Childress camer...@gmail.com
 wrote:
 
 
  On Tue, Jun 25, 2013 at 12:56 PM, John Bliss wrote:
 
  - what that req is supposed to do?
  - how to be sure to block it?
 
 
  First result via Google for that string:
 
  Plesk 0-day Remote Vulnerability in the Wild
 
 
 http://blog.sucuri.net/2013/06/plesk-0-day-remote-vulnerability-in-the-wild.html
 
  -Cameron
 
  ...
 
 
 
 
 

 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356078


Re: Hack Attempt?

2013-06-25 Thread Jordan Michaels

http://www.modsecurity.org/index.html

Higher learning curve than FuseGuard, but will do the job.

Warm Regards,
Jordan Michaels

On 06/25/2013 12:49 PM, John M Bliss wrote:

 Thanks. Any free solutions?


 On Tue, Jun 25, 2013 at 3:44 PM, Jordan Michaels jor...@viviotech.net wrote:


 Fuseguard will auto-kill requests like that. Will send a forbidden
 response back.

 Warm Regards,
 Jordan Michaels

 On 06/25/2013 10:16 AM, John M Bliss wrote:

 I don't have PHP installed so I guess I'm not vulnerable, right?

 Any idea how to have CF (or IIS) auto-kill requests like this?


 On Tue, Jun 25, 2013 at 1:09 PM, Cameron Childress camer...@gmail.com
 wrote:


 On Tue, Jun 25, 2013 at 12:56 PM, John Bliss wrote:

 - what that req is supposed to do?
 - how to be sure to block it?


 First result via Google for that string:

 Plesk 0-day Remote Vulnerability in the Wild


 http://blog.sucuri.net/2013/06/plesk-0-day-remote-vulnerability-in-the-wild.html

 -Cameron

 ...








 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356079


Re: Hack Attempt?

2013-06-25 Thread John M Bliss

Thanks. It looks like that relies on edits to:

\IIS webroot\web.config

With IIS 6 and ACF (no .NET), I do not even have that file present. Do you
know: do I just add it as a blank text file and then start throwing
ModSecurity stuff into it?


On Tue, Jun 25, 2013 at 4:00 PM, Jordan Michaels jor...@viviotech.net wrote:


 http://www.modsecurity.org/index.html

 Higher learning curve than FuseGuard, but will do the job.

 Warm Regards,
 Jordan Michaels

 On 06/25/2013 12:49 PM, John M Bliss wrote:
 
  Thanks. Any free solutions?
 
 
  On Tue, Jun 25, 2013 at 3:44 PM, Jordan Michaels jor...@viviotech.net
 wrote:
 
 
  Fuseguard will auto-kill requests like that. Will send a forbidden
  response back.
 
  Warm Regards,
  Jordan Michaels
 
  On 06/25/2013 10:16 AM, John M Bliss wrote:
 
  I don't have PHP installed so I guess I'm not vulnerable, right?
 
  Any idea how to have CF (or IIS) auto-kill requests like this?
 
 
  On Tue, Jun 25, 2013 at 1:09 PM, Cameron Childress camer...@gmail.com
  wrote:
 
 
  On Tue, Jun 25, 2013 at 12:56 PM, John Bliss wrote:
 
  - what that req is supposed to do?
  - how to be sure to block it?
 
 
  First result via Google for that string:
 
  Plesk 0-day Remote Vulnerability in the Wild
 
 
 
 http://blog.sucuri.net/2013/06/plesk-0-day-remote-vulnerability-in-the-wild.html
 
  -Cameron
 
  ...
 
 
 
 
 
 
 
 
 

 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356080


Re: Hack Attempt?

2013-06-25 Thread Dave Watts

 Thanks. It looks like that relies on edits to:

 \IIS webroot\web.config

 With IIS 6 and ACF (no .NET), I do not even have that file present. Do you
 know: do I just add it as a blank text file and then start throwing
 ModSecurity stuff into it?

The web.config file is XML, not plaintext. And I believe you have to
have .NET installed at least, even if you're not using it. But once
you've installed .NET, you can create your own web.config files.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356081


Re: Hack Attempt?

2013-06-25 Thread Russ Michaels

http://www.modsecurity.org/projects/modsecurity/iis/



On Tue, Jun 25, 2013 at 8:49 PM, John M Bliss bliss.j...@gmail.com wrote:


 Thanks. Any free solutions?


 On Tue, Jun 25, 2013 at 3:44 PM, Jordan Michaels jor...@viviotech.net
 wrote:

 
  Fuseguard will auto-kill requests like that. Will send a forbidden
  response back.
 
  Warm Regards,
  Jordan Michaels
 
  On 06/25/2013 10:16 AM, John M Bliss wrote:
  
   I don't have PHP installed so I guess I'm not vulnerable, right?
  
   Any idea how to have CF (or IIS) auto-kill requests like this?
  
  
   On Tue, Jun 25, 2013 at 1:09 PM, Cameron Childress camer...@gmail.com
  wrote:
  
  
   On Tue, Jun 25, 2013 at 12:56 PM, John Bliss wrote:
  
   - what that req is supposed to do?
   - how to be sure to block it?
  
  
   First result via Google for that string:
  
   Plesk 0-day Remote Vulnerability in the Wild
  
  
 
 http://blog.sucuri.net/2013/06/plesk-0-day-remote-vulnerability-in-the-wild.html
  
   -Cameron
  
   ...
  
  
  
  
  
 
 

 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356082


Re: Hack Attempt?

2013-06-25 Thread John M Bliss

OK. I confirmed that .NET is installed from:

http://www.microsoft.com/en-us/download/details.aspx?id=17851

...added this web.config file:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>

  </system.web>
  <system.webServer>
    <ModSecurity enabled="true"
                 configFile="C:\inetpub\wwwroot\owasp_crs\modsecurity_iis.conf" />
  </system.webServer>
</configuration>

...and then tried original hack attempt. Ended up looking at normal page,
not a denied message. Any ideas as to what to try next?


On Tue, Jun 25, 2013 at 4:39 PM, Dave Watts dwa...@figleaf.com wrote:


  Thanks. It looks like that relies on edits to:
 
  \IIS webroot\web.config
 
  With IIS 6 and ACF (no .NET), I do not even have that file present. Do
 you
  know: do I just add it as a blank text file and then start throwing
  ModSecurity stuff into it?

 The web.config file is XML, not plaintext. And I believe you have to
 have .NET installed at least, even if you're not using it. But once
 you've installed .NET, you can create your own web.config files.

 Dave Watts, CTO, Fig Leaf Software
 http://www.figleaf.com/
 http://training.figleaf.com/

 Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
 GSA Schedule, and provides the highest caliber vendor-authorized
 instruction at our training centers, online, or onsite.

 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356083


Re: Hack Attempt?

2013-06-25 Thread Dave Watts

 ...and then tried original hack attempt. Ended up looking at normal page,
 not a denied message. Any ideas as to what to try next?

I'm pretty sure you have to configure modsecurity to reject the URL
pattern via SecFilter rules.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356085


Re: Hack Attempt?

2013-06-25 Thread Byron Mann

http://www.isapirewrite.com/

Maybe another alternative for IIS6. I think modsecurity is for IIS7 from
what I saw in the documentation.

Byron Mann
Lead Engineer & Architect
HostMySite.com


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356087
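John asks what the request does and how to be sure of blocking it; Byron suggests a rewrite rule keyed on a regex and Dave Watts a ModSecurity rule on the URL pattern. The block below is an added Python example, not code from the thread or from either of those tools: it URL-decodes the query string (repeatedly, so a double-encoded copy is seen too), extracts the "-d name=value" php.ini directives the posted request carries, flags a request that sets auto_prepend_file or two or more of the listed directives together, and runs that over a few constructed IIS-style log lines. POSTED_QUERY is the query string from John's message with the mail wrapping removed; the log lines, addresses and function names are mine.

```python
import re
from urllib.parse import unquote_plus

# The query string from the posted request, mail line-wrap removed.
POSTED_QUERY = ("-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don"
                "+-d+disable_functions%3D%22%22+-d+open_basedir%3Dnone"
                "+-d+auto_prepend_file%3Dphp%3A%2f%2finput+-n")

# php.ini directives that request tries to set; the list comes from the
# request itself, nothing more.
PROBE_DIRECTIVES = ("allow_url_include", "safe_mode", "suhosin.simulation",
                    "disable_functions", "open_basedir", "auto_prepend_file")
DIRECTIVE = re.compile(r"(?:^|\s)-d\s*([A-Za-z_.]+)\s*=\s*(\S*)")

# Constructed IIS-style log lines: date time c-ip cs-method cs-uri-stem
# cs-uri-query sc-status ("-" would mean an empty query string).
SAMPLE_LOG = "\n".join([
    "2013-06-25 12:55:58 198.51.100.4 GET /index.cfm page=home 200",
    f"2013-06-25 12:56:01 203.0.113.7 GET /index.cfm {POSTED_QUERY} 200",
    "2013-06-25 12:56:09 198.51.100.4 GET /search.cfm q=-d+wing 200",
    "2013-06-25 12:57:30 203.0.113.8 GET /index.cfm "
    "%2Dd+allow%5Furl%5Finclude%3DOn+-d+auto%5Fprepend%5Ffile%3Dphp%3A%2F%2Finput 200",
])


def decode_query(query: str) -> str:
    """URL-decode until the text stops changing, so %2Dd or %253D is seen."""
    previous = None
    while query != previous:
        previous, query = query, unquote_plus(query)
    return query


def classify_request(uri: str) -> dict:
    """Return the php.ini directives smuggled in the query string plus a
    verdict: flagged when auto_prepend_file is set (the most distinctive
    directive in the probe) or when two or more listed directives appear."""
    path, _, query = uri.partition("?")
    found = {name.lower(): value
             for name, value in DIRECTIVE.findall(decode_query(query))}
    known = [d for d in PROBE_DIRECTIVES if d in found]
    probe = "auto_prepend_file" in found or len(known) >= 2
    return {"path": path, "php_directives": found, "probe": probe}


def scan_log(text: str) -> list:
    """(client ip, uri, directive names) for every flagged log line."""
    flagged = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client_ip, stem, query = fields[2], fields[4], fields[5]
        uri = stem if query == "-" else f"{stem}?{query}"
        verdict = classify_request(uri)
        if verdict["probe"]:
            flagged.append((client_ip, uri, sorted(verdict["php_directives"])))
    return flagged


if __name__ == "__main__":
    for client_ip, uri, names in scan_log(SAMPLE_LOG):
        print(client_ip, names)
```

The decoded form of the query, not the raw bytes, is what a rewrite or ModSecurity rule should match on: matching the literal "%3D" misses the plain "=" variant and vice versa. A server without PHP, as in John's case, is not exploitable by this request, but the same scanner is a reasonable signal that a host is being probed, which is all the detection above claims.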


Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-04 Thread Jochem van Dieten

On Mon, May 2, 2011 at 11:48 AM, Mike Kear wrote:
 Thankfully I'd heeded good advice and
 used cfqueryparam on all the queries in that site and nothing they
 tried worked.  They were submitting URLs with parameters like:
 /index.cfm?pid=111825&pgm=../../../../../../../../../../proc/self/environ&guestprogID=2
  and many many variations.

That is not an attempt at SQL injection at all. That is an attempt to
test for a Linux vulnerability: http://lwn.net/Articles/191954/

Considering how long ago that vulnerability was fixed this was most
likely a generic scan, not something tailored to ColdFusion or your
sites.

Jochem

-- 
Jochem van Dieten
http://jochem.vandieten.net/

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344209


RE: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-03 Thread Bobby Hartsfield

Same here. I'm not aware of a way (in CF) to achieve caching of execution
plans without fully qualified, parameterized SQL. CFQUERYPARAM gets you the
latter when done right.

.:.:.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com
http://cf4em.com



-Original Message-
From: Mark A. Kruger [mailto:mkru...@cfwebtools.com] 
Sent: Monday, May 02, 2011 4:28 PM
To: cf-talk
Subject: RE: Bless cfqueryparam - helped defend against a persistent hack
attempt


I almost always see a significant gain in query performance - at least on
all versions of MSSQL - as much as 20-30 percent in some cases.

Mark A. Kruger, MCSE, CFG
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com


-Original Message-
From: Dave Watts [mailto:dwa...@figleaf.com] 
Sent: Monday, May 02, 2011 1:54 PM
To: cf-talk
Subject: Re: Bless cfqueryparam - helped defend against a persistent hack
attempt


  cfqueryparam creates bound sql parameters, which improve query
performance.

 This is purely theoretical, in practice, the gain in performance is
negligible.
 I prefer to have a query take 11 ms and see the values submitted in case
of error, than having the same query take 10 ms, but no information in
errors.

In your practice, perhaps. In the practice of others, not so much.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite





Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344206


Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-03 Thread Raymond Camden

You forgot a round in there too. ;)


On Mon, May 2, 2011 at 9:10 PM, Justin Scott leviat...@darktech.org wrote:
 of course).  If I have a numeric ID, I'm going to
 min(abs(val(trim(url.id))), 200) that variable before it ever
 makes it to the query (forces a positive in-range integer or zero; the
 two billion value can be modified if you're using larger numbers in
 your situation; an error can occur if the integer value is out of
 range so I force it in range as well).


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344208


Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Mike Kear

Last night I watched as someone made a pretty determined attempt to
attack one of my web sites.  Thankfully I'd heeded good advice and
used cfqueryparam on all the queries in that site and nothing they
tried worked.  They were submitting URLs with parameters like:
/index.cfm?pid=111825&pgm=../../../../../../../../../../proc/self/environ&guestprogID=2
and many many variations.  Like most of us, I get lots of hack
attempts but this was more persistent than any I'd seen before.

The site is still running happily now, after about 8 hours of this.  I
don't know why they persisted for that long with no result - I would
have thought there were other targets they could go for if they're
getting no result here.  I'm pleased I bothered to do all those things
at the time.  When I was building the site (which is only a small
hobby site), I remember saying to myself several times "this is
overkill, there's no need for all this paranoia".  But I'm glad now
that I did all that.

The techniques I've used that worked for me in this case were a
combination of factors:

[A] ALL queries - every single one of them - have cfqueryparam
including the cfsqltype attribute around any parameters sent to the
database.

[B] no feedback is given to the user about the nature of the error,
only an error-handling page with the generic statement that 'there is
an error - perhaps we're updating the database - check back soon'   so
they have no clue why their attempt failed.

[C] an email is sent to me with the exception struct, cgi vars, etc so
I can be aware of what they're doing - that way i can make sure I am
covering all the vulnerabilities.

I have a banning system on forms on this site,  so that forms
submitted with values that match certain parameters cause the ip
address of that user to be banned from the site.   I think perhaps
I'll need to expand that to include URL variables now.

I just wanted to pass on that the warnings everyone hears about using
cfqueryparam are valid, and we should never let a chink appear in our
defences by listening to that voice in the back of your head,
especially when you're under time pressure: "this is overkill, there's no
need for all this paranoia".

-- 
Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion 9 Enterprise, PHP, ASP, ASP.NET hosting from AUD$15/month

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344116
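Mike's [A], [B] and [C], Justin Scott's two posts (the 2013 one on sanitizing plus cfqueryparam so that invalid input is always handled predictably, and the 2011 min(abs(val(trim(url.id))), ...) line with the round Raymond says he forgot) all describe the same defence from different angles. The block below is an added Python/sqlite3 illustration, not code from the thread or from ColdFusion: the concatenated query beside its parameterized form ([A], with cfsqltype-style integer checking), Justin's coerce-to-integer approach beside outright rejection, and a request handler that shows the visitor only the generic page ([B]) while recording the exception, the submitted values and the CGI scope for the operator ([C]). The table, the shortened payload copy and the function names are constructed; the two-billion bound is the one Justin's post mentions.

```python
import math
import re
import sqlite3

# Shortened, constructed copy of the payload from the "Hack Attempt on our
# database" thread: two columns instead of the full list.
POSTED_PAYLOAD = ("99.9 /*!3union all select "
                  "0x31303235343830303536,0x31303235343830303536*/--")


def make_db() -> sqlite3.Connection:
    """Constructed sample data, nothing from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "widget"), (2, "gadget"), (3, "unreleased")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, raw_id: str) -> list:
    """The missing-cfqueryparam version: the URL value is pasted into SQL."""
    sql = f"SELECT name FROM products WHERE id = {raw_id}"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, raw_id: str) -> list:
    """[A] cfqueryparam cfsqltype="cf_sql_integer" in Python terms: anything
    that is not an integer is rejected, the rest is bound as a parameter so
    the database never parses it as SQL."""
    if not re.fullmatch(r"-?\d+", raw_id.strip()):
        raise ValueError(f"id is not an integer: {raw_id!r}")
    rows = conn.execute("SELECT name FROM products WHERE id = ?", (int(raw_id),))
    return [row[0] for row in rows]


# Justin's alternative: coerce instead of reject, so the query always gets
# a non-negative, in-range integer.  CF's val() yields the number at the
# start of the string, or 0 when there is none.
LEADING_NUMBER = re.compile(r"[+-]?(?:\d+\.?\d*|\.\d+)")


def cf_val(text: str) -> float:
    m = LEADING_NUMBER.match(text)
    return float(m.group(0)) if m else 0.0


def normalize_id(raw: str, upper: int = 2_000_000_000) -> int:
    """round(min(abs(val(trim(raw))), upper)), rounding half up as CF does."""
    value = min(abs(cf_val(raw.strip())), upper)
    return int(math.floor(value + 0.5))


GENERIC_MESSAGE = ("There is an error - perhaps we're updating the database - "
                   "check back soon")
INTERNAL_LOG = []   # stands in for the e-mail Mike sends himself ([C])


def handle_request(conn: sqlite3.Connection, url: dict, cgi: dict) -> dict:
    """[B] the visitor only ever sees the generic page; [C] the exception,
    the submitted values and the CGI scope are recorded for the operator."""
    try:
        return {"status": 200, "body": lookup_safe(conn, url.get("id", ""))}
    except ValueError as exc:
        INTERNAL_LOG.append({"exception": str(exc),
                             "url": dict(url), "cgi": dict(cgi)})
        return {"status": 200, "body": GENERIC_MESSAGE}
```

Two things worth noticing when running it: sqlite, like every non-MySQL engine, treats the /*! ... */ block as an ordinary comment, so even the unsafe lookup turns the posted payload into a plain "id = 99.9" (which is why that probe is MySQL-specific), while a trivial "1 OR 1=1" leaks the whole table; and the rejecting and coercing variants differ only in what the attacker sees (an error page versus a normal page for id 42), so the internal record in [C] is what tells you an attack happened either way.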


Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Claude Schnéegans

Right.
However about CFQUERYPARAM, keep in mind that:
- this will prevent SQL injection, not all forms of attacks;
- CFQUERYPARAM makes all values look like parameter 1... in the error 
messages, instead of the real values, not really handy when debugging;
- CFQUERYPARAM makes all queries more difficult to write AND to read for 
programmers;
- disabling multiple statement execution in the database will prevent SQL 
injection as well;
- ending a query on an error because of CFQUERYPARAM will prevent the 
injection, but will not give you any hint that it was really an attack.

Personally I prefer checking crucial form and url parameters and eventually ban 
the intruder before submitting the query.


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344119


Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Dorioo


 - CFQUERYPARAM makes all values look like "parameter 1"... in the error
 messages, instead of the real values, not really handy when debugging;
 - CFQUERYPARAM makes all queries more difficult to write AND to read for
 programmers;


Are you implying that cfqueryparam _shouldn't_ be used for these reasons??

- Gabriel

On Mon, May 2, 2011 at 8:49 AM,  wrote:


 Right.
 However about CFQUERYPARAM, keep in mind that:
 - this will prevent SQL injection, not all forms of attack;
 - CFQUERYPARAM makes all values look like "parameter 1"... in the error
 messages, instead of the real values, not really handy when debugging;
 - CFQUERYPARAM makes all queries more difficult to write AND to read for
 programmers;
 - disabling multiple statement execution in the database will prevent
 SQL injection as well;
 - ending a query on an error because of CFQUERYPARAM will prevent the
 injection, but will not give you any hint that it was really an attack.

 Personally I prefer checking crucial form and url parameters and eventually
 ban the intruder before submitting the query.


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344120


Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Claude Schnéegans

 Are you implying that cfqueryparam _shouldn't_ be used for these reasons??

No, I'm just saying that there are better and more efficient ways of fighting 
attacks.
I use cfqueryparam on some occasions, but not everywhere blindly.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344121


Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Steve 'Cutter' Blades

- CFQUERYPARAM makes all queries more difficult to write AND to read for 
programmers;

I couldn't disagree more with this statement. Aside from the protection 
benefits, the use of cfqueryparam creates bound sql parameters, which improve 
query performance. I don't disagree with your suggestion to check form and url 
parameters. In fact I encourage it heavily, and hope that folks will remember 
the 'type' attribute of the cfparam tag. That said, use of cfqueryparam is a 
must, IMO, and the more you use it the more it becomes second nature. Yes, your 
error messages may need some help, but a combination of usage and proper error 
handling (too often ignored) can go a long way towards saving your bacon.

Steve 'Cutter' Blades
Adobe Community Professional
Adobe Certified Expert
Advanced Macromedia ColdFusion MX 7 Developer

http://blog.cutterscrossing.com


Co-Author Learning Ext JS 3.2 Packt Publishing 2010
https://www.packtpub.com/learning-ext-js-3-2-for-building-dynamic-desktop-style-user-interfaces/book

The best way to predict the future is to help create it


On 5/2/2011 7:49 AM, Claude Schnéegans wrote:
 Right.
 However about CFQUERYPARAM, keep in mind that:
 - this will prevent SQL injection, not all forms of attack;
 - CFQUERYPARAM makes all values look like "parameter 1"... in the error 
 messages, instead of the real values, not really handy when debugging;
 - CFQUERYPARAM makes all queries more difficult to write AND to read for 
 programmers;
 - disabling multiple statement execution in the database will prevent 
 SQL injection as well;
 - ending a query on an error because of CFQUERYPARAM will prevent the 
 injection, but will not give you any hint that it was really an attack.

 Personally I prefer checking crucial form and url parameters and eventually 
 ban the intruder before submitting the query.


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344122


Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Gerald Guido

- CFQUERYPARAM makes all values look like "parameter 1"... in the error
messages, instead of the real values, not really handy when debugging;

There are parsers that will show the actual queries with values. My favorite
is the one that Ben Nadel wrote. It is a little JS bookmark widget.

- CFQUERYPARAM makes all queries more difficult to write AND to read for
programmers;

Opinion. Depends on the person. I have no problem with using them. Besides,
the bulk of the SQL code for most of my CRUDs is machine generated.

G!

On Mon, May 2, 2011 at 8:49 AM,  wrote:


 Right.
 However about CFQUERYPARAM, keep in mind that:
 - this will prevent SQL injection, not all forms of attack;
 - CFQUERYPARAM makes all values look like "parameter 1"... in the error
 messages, instead of the real values, not really handy when debugging;
 - CFQUERYPARAM makes all queries more difficult to write AND to read for
 programmers;
 - disabling multiple statement execution in the database will prevent
 SQL injection as well;
 - ending a query on an error because of CFQUERYPARAM will prevent the
 injection, but will not give you any hint that it was really an attack.

 Personally I prefer checking crucial form and url parameters and eventually
 ban the intruder before submitting the query.


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344123


Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Gerald Guido

In case anyone is interested. This is the JS bookmark widget that parses
Queryparam debugging info. Very handy.

http://www.bennadel.com/blog/459-Merging-ColdFusion-SQL-Debugging-And-Query-Params-With-Javascript.htm

HTH
G!

On Mon, May 2, 2011 at 9:14 AM, Gerald Guido gerald.gu...@gmail.com wrote:

 - CFQUERYPARAM makes all values look like "parameter 1"... in the error
 messages, instead of the real values, not really handy when debugging;

 There are parsers that will show the actual queries with values. My
 favorite is the one that Ben Nadel wrote. It is a little JS bookmark widget.


 - CFQUERYPARAM makes all queries more difficult to write AND to read for
 programmers;

 Opinion. Depends on the person. I have no problem with using them. Besides,
 the bulk of the SQL code for most of my CRUDs is machine generated.

 G!

 On Mon, May 2, 2011 at 8:49 AM,  wrote:


 Right.
 However about CFQUERYPARAM, keep in mind that:
 - this will prevent SQL injection, not all forms of attack;
 - CFQUERYPARAM makes all values look like "parameter 1"... in the error
 messages, instead of the real values, not really handy when debugging;
 - CFQUERYPARAM makes all queries more difficult to write AND to read for
 programmers;
 - disabling multiple statement execution in the database will prevent
 SQL injection as well;
 - ending a query on an error because of CFQUERYPARAM will prevent the
 injection, but will not give you any hint that it was really an attack.

 Personally I prefer checking crucial form and url parameters and
 eventually ban the intruder before submitting the query.


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344124


Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Dorioo

Ok. I'll respect your opinion.

But for anyone new to CF that may read this, I don't believe there is a
debate about using cfqueryparam. My impression is that the settled majority
best practice is to use it blindly, use it everywhere rather than not use
it, or use it sparingly, or not use it because of code aesthetic reasons.

- Gabriel

On Mon, May 2, 2011 at 9:04 AM,  wrote:


  Are you implying that cfqueryparam _shouldn't_ be used for these
 reasons??

 No, I'm just saying that there are better and more efficient ways of
 fighting attacks.
 I use cfqueryparam on some occasions, but not everywhere blindly.

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344125


Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Mike Kear

Just for the record, I use other techniques to protect my sites too,
but in this case I was outlining what saved me in this case.
Clearly there are a bazillion ways nasty people can do damage or
exploit weaknesses in sites.

In this case, I was grateful that I hadn't given in to the temptation
to take the shortcut.   The fields that the hacker was trying to
inject into are integer fields.   If I hadn't had the cfqueryparam set
up for all variables to the query,  AND the cf-sqltype=integer
parameter as well,  the injection might have got through the other
defences I have set up.

But the cfqueryparam stopped the text injection getting into the
query, and the fact that I use error handling to trap errors, and give
no feedback as to why the url failed, meant it was difficult for the
hacker to figure out what he had to do to get around my defences. As
it is, I got to watch over a period of 8 hours several hundred
attempts to exploit my database and do damage, without having to lift
a finger.


I use a code writer to write most of my queries - at least the CRUD
ones anyway, so it's no difficulty to ensure all the queries have
cfqueryparam, but at the time I wrote this site, I didn't have the code
writer ready yet. I'm just glad I took the time back then to do the
job properly and not cut corners.

All I'm saying about this is: whenever you think it's not likely
someone will try to hack your site, and anyway you're up against a
deadline and cfqueryparam is a long-winded way to type out the simple
parameter you want to use, THINK AGAIN!! It is DEFINITELY worth
putting up all the defences you can, provided there isn't an undue
price to pay in terms of performance. In fact, using cfqueryparam
improves performance of queries - that site of mine is a
database-driven site for a radio show, and it just lopes along during
the show when load is higher.

If anyone is curious about what site it is, I'll be happy to tell you
and let you have a look for yourself,  but I'm reluctant to post the
url here since I've discussed so much about the security of the site.
Just send me an email off line and I'll tell you.

Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion 9 Enterprise, PHP, ASP, ASP.NET hosting from AUD$15/month

On Mon, May 2, 2011 at 11:49 PM, Dorioo dor...@gmail.com wrote:

 Ok. I'll respect your opinion.

 But for anyone new to CF that may read this, I don't believe there is a
 debate about using cfqueryparam. My impression is that the settled majority
 best practice is to use it blindly, use it everywhere rather than not use
 it, or use it sparingly, or not use it because of code aesthetic reasons.

 - Gabriel

 On Mon, May 2, 2011 at 9:04 AM,  wrote:


  Are you implying that cfqueryparam _shouldn't_ be used for these
 reasons??

 No, I'm just saying that there are better and more efficient ways of
 fighting attacks.
 I use cfqueryparam on some occasions, but not everywhere blindly.



 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344126


Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Mike Kear

As an interesting aside, the same ip address started trying to probe
my mail server a few minutes ago, and my version of cfformprotect
picked it up and added the ip address to the banned ips. Now that
same ip address is banned from using any forms on any site I
administer.

Again, they get no feedback that they've been banned. Just seems
like they've successfully submitted a form, but in fact their
submission just gets dumped in the bitbucket and nothing gets done.
It doesn't even get to the database. The reason for not letting them
know they're banned is they can submit forms till the cows come home
and nothing will happen. It means they will be less likely to try to
find other holes in the defences to exploit.


Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion 9 Enterprise, PHP, ASP, ASP.NET hosting from AUD$15/month

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344127


Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Gerald Guido

Mike, out of curiosity, what seems to be motivating these attacks? Malware
injections? Hacker cred? Revenge or grudge? Or just to vandalize and do
damage? It seems like a LOT of effort. I am also surprised that they are
using the same IP for so long and not changing proxies.

Thanx
G!


On Mon, May 2, 2011 at 10:42 AM, Mike Kear afpwebwo...@gmail.com wrote:


 As an interesting aside, the same ip address started trying to probe
 my mail server a few minutes ago, and my version of cfformprotect
 picked it up and added the ip address to the banned ips. Now that
 same ip address is banned from using any forms on any site I
 administer.

 Again, they get no feedback that they've been banned. Just seems
 like they've successfully submitted a form, but in fact their
 submission just gets dumped in the bitbucket and nothing gets done.
 It doesn't even get to the database. The reason for not letting them
 know they're banned is they can submit forms till the cows come home
 and nothing will happen. It means they will be less likely to try to
 find other holes in the defences to exploit.


 Cheers
 Mike Kear
 Windsor, NSW, Australia
 Adobe Certified Advanced ColdFusion Developer
 AFP Webworks
 http://afpwebworks.com
 ColdFusion 9 Enterprise, PHP, ASP, ASP.NET hosting from AUD$15/month

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344129


Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Mike Kear

I don't know what the motivation is. All I've seen is repeated
attempts to inject stuff into the database - never getting anywhere.
So that means all the attempts so far are simply attempts to get at
passwords or schema.   I'm supposing once they get a look at the
database they'll be able to figure out what's there that they want.
If they're after credit card or user info I have bad news for them ...
 it's not a commercial site.  There AREN'T any customer details
because there are no customers LOL

I get attempts on the email server every day. At least a hundred
attempts a day over all the sites I manage. I don't see them now
because I have automated the defences. Once an ip address is banned,
they can submit hundreds of forms a minute and I won't see any of them
because the first line of the form processing is to check if the
user's ip address is banned, and only proceed further if it's not.

I'm guessing the reason for these probes is to find mail servers that
are open to exploitation, so they can send spams through them.

Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion 9 Enterprise, PHP, ASP, ASP.NET hosting from AUD$15/month


On Tue, May 3, 2011 at 1:09 AM, Gerald Guido gerald.gu...@gmail.com wrote:

 Mike, out of curiosity, what seems to be motivating these attacks? Malware
 injections? Hacker cred? Revenge or grudge? Or just to vandalize and do
 damage? It seems like a LOT of effort. I am also surprised that they are
 using the same IP for so long and not changing proxies.

 Thanx
 G!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344130


Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Dave Watts

 However about CFQUERYPARAM, keep in mind that:
 - this will prevent SQL injection, not all forms of attack;
 - CFQUERYPARAM makes all values look like "parameter 1"... in the error 
 messages, instead of the real values, not really handy when debugging;
 - CFQUERYPARAM makes all queries more difficult to write AND to read for 
 programmers;
 - disabling multiple statement execution in the database will prevent 
 SQL injection as well;
 - ending a query on an error because of CFQUERYPARAM will prevent the 
 injection, but will not give you any hint that it was really an attack.

 Personally I prefer checking crucial form and url parameters and eventually 
 ban the intruder before submitting the query.

This is silly contrarianism. Yes, CFQUERYPARAM only prevents SQL
injection attacks. That's not a criticism. I've been using it for
years, and I haven't found it significantly more difficult to read
errors or debug query problems. Also, it is not the case that all SQL
injection attacks require the ability to execute multiple statements.
SQL injection attacks can be written within a single statement,
although the attacker does lose some flexibility within that
constraint. Hell, the Wikipedia page on SQL injection attacks lists as
its first attack (an information disclosure attack) a single
statement. Finally, how you trap errors is entirely up to you.

CFQUERYPARAM is definitely more likely to be successful at preventing
SQL injection attacks than your checking crucial form and URL
parameters. CFQUERYPARAM, by defining a separation between data and
executable code, prevents them entirely. It prevents known SQL
injection attacks, and is guaranteed to prevent as-yet-undiscovered
SQL injection attacks in the future. You have no guarantee that you
can prevent attacks entirely by attempting to filter them out
individually.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.
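Mike Kear's account above (cfqueryparam on every variable plus cf_sql_integer, with error handling that tells the visitor nothing) and Dave Watts' reply (a bound parameter separates data from executable code, and an injection does not need multiple statements) make the same point from two sides. The following is an added example, not code from any poster on this thread; it uses Python's sqlite3 module instead of CFML so that it runs stand-alone, and the episodes table, the row contents and the function names are constructed for the demonstration:

```python
import logging
import sqlite3

log = logging.getLogger("episodes")


def make_db():
    """Constructed sample data: a small radio-show episode table.
    This schema is an assumption for the example, not the poster's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE episodes (id INTEGER PRIMARY KEY, title TEXT, notes TEXT)")
    conn.executemany("INSERT INTO episodes VALUES (?, ?, ?)", [
        (1, "Episode one", "private note 1"),
        (2, "Episode two", "private note 2"),
    ])
    return conn


def lookup_concatenated(conn, raw_id):
    """'Before': the shortcut the thread warns against. The URL value is
    pasted into the statement text, so it is parsed as SQL, not as data.
    sqlite3.execute() only accepts one statement at a time, which is the
    'disable multiple statements' defence; it does not help here."""
    sql = "SELECT id, title FROM episodes WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_bound(conn, raw_id):
    """'After': the equivalent of cfqueryparam with cfsqltype=cf_sql_integer.
    The value is coerced to an integer first (anything else raises ValueError)
    and then handed to the driver as a bound parameter, so whatever it contains
    it can only ever be compared against the id column."""
    id_value = int(raw_id)
    sql = "SELECT id, title FROM episodes WHERE id = ?"
    return conn.execute(sql, (id_value,)).fetchall()


def handle_request(conn, raw_id):
    """The error handling Mike describes: the rejected input and the
    parameterised SQL go to the operator's log (what CF exposes through
    the cfcatch / result structs), while the visitor only ever sees a
    generic message with no hint of why the request failed."""
    try:
        return {"ok": True, "rows": lookup_bound(conn, raw_id)}
    except (ValueError, sqlite3.Error) as exc:
        log.warning("rejected lookup id=%r sql=%r error=%s",
                    raw_id, "SELECT id, title FROM episodes WHERE id = ?", exc)
        return {"ok": False,
                "message": "There was an error - perhaps we're updating "
                           "the database - check back soon"}


if __name__ == "__main__":
    db = make_db()
    probe = "1 OR 1=1"   # constructed: a tautology inside a single statement
    print("concatenated:", lookup_concatenated(db, probe))   # every row
    print("bound:       ", handle_request(db, probe))        # generic error only
```

Run it and the concatenated version returns every row for the tautology while the bound version never reaches the database: the integer coercion fails, the operator gets a log line with the offending value, and the visitor gets the bland message. That is the asymmetry Mike relied on for eight hours.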

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344131


Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Dave Watts

 The site is still running happily now, after about 8 hours of this.  I
 don't know why they persisted for that long with no result - I would
 have thought there were other targets they could go for if they're
 getting no result here.

Chances are, it was an automated attack - the attacker might not have
even known that your site was being attacked. Time is on the attacker's
side here.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344132


Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Claude Schnéegans

 cfqueryparam creates bound sql parameters, which improve query performance.

This is purely theoretical; in practice, the gain in performance is negligible.
I prefer to have a query take 11 ms and see the values submitted in case of 
error, than having the same query take 10 ms, but no information in errors.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344134


Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Matt Quackenbush

And we prefer to hack Schneegans apps.  :D

On Mon, May 2, 2011 at 1:10 PM,  wrote:


  cfqueryparam creates bound sql parameters, which improve query
 performance.

 This is purely theoretical; in practice, the gain in performance is
 negligible.
 I prefer to have a query take 11 ms and see the values submitted in case of
 error, than having the same query take 10 ms, but no information in errors.

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344135


Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Judah McAuley

On Mon, May 2, 2011 at 11:10 AM,   wrote:

  cfqueryparam creates bound sql parameters, which improve query performance.

 This is purely theoretical; in practice, the gain in performance is 
 negligible.
 I prefer to have a query take 11 ms and see the values submitted in case of 
 error, than having the same query take 10 ms, but no information in errors.

The gains are not purely theoretical but like most things, it depends
on your situation. If you are using very simple queries, the benefit
very well may be negligible. If you are using more complex queries
that require more time to compute the query plan and are under load
the benefits are much more obvious.

If you are optimizing for errors, you are doing it wrong. It isn't
that difficult to do proper error handling and debugging with cfquery,
you just have to plan for it. I wrote up a quick blog article on the
subject last year.
http://judah.posterous.com/debugging-with-prepared-statements-with-cfque

If you provide a result attribute on your cfquery you'll get a struct
returned that includes not only the results but also the parameterized
query that was run, the parameters that were passed in and whether or
not the query was cached.

Hope that helps,
Juda

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344137


Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Dave Watts

  cfqueryparam creates bound sql parameters, which improve query performance.

 This is purely theoretical; in practice, the gain in performance is 
 negligible.
 I prefer to have a query take 11 ms and see the values submitted in case of 
 error, than having the same query take 10 ms, but no information in errors.

In your practice, perhaps. In the practice of others, not so much.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344140


RE: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Mark A. Kruger

I almost always see a significant gain in query performance - at least on
all versions of MSSQL - as much as 20-30 percent in some cases.

Mark A. Kruger, MCSE, CFG
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com


-Original Message-
From: Dave Watts [mailto:dwa...@figleaf.com] 
Sent: Monday, May 02, 2011 1:54 PM
To: cf-talk
Subject: Re: Bless cfqueryparam - helped defend against a persistent hack
attempt


  cfqueryparam creates bound sql parameters, which improve query
performance.

 This is purely theoretical; in practice, the gain in performance is
negligible.
 I prefer to have a query take 11 ms and see the values submitted in case
of error, than having the same query take 10 ms, but no information in
errors.

In your practice, perhaps. In the practice of others, not so much.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344142


Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Eric Cobb

I generally see a pretty significant gain on Oracle as well.

Thanks,

Eric Cobb
http://www.cfgears.com
Help me make a difference this summer - http://bit.ly/i8dJvQ



On 5/2/2011 3:27 PM, Mark A. Kruger wrote:
 I almost always see a significant gain in query performance - at least on
 all versions of MSSQL - as much as 20-30 percent in some cases.

 Mark A. Kruger, MCSE, CFG
 (402) 408-3733 ext 105
 www.cfwebtools.com
 www.coldfusionmuse.com
 www.necfug.com


 -Original Message-
 From: Dave Watts [mailto:dwa...@figleaf.com]
 Sent: Monday, May 02, 2011 1:54 PM
 To: cf-talk
 Subject: Re: Bless cfqueryparam - helped defend against a persistent hack
 attempt


 cfqueryparam creates bound sql parameters, which improve query
 performance.
 This is purely theoretical; in practice, the gain in performance is
 negligible.
 I prefer to have a query take 11 ms and see the values submitted in case
 of error, than having the same query take 10 ms, but no information in
 errors.

 In your practice, perhaps. In the practice of others, not so much.

 Dave Watts, CTO, Fig Leaf Software
 http://www.figleaf.com/
 http://training.figleaf.com/

 Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
 GSA Schedule, and provides the highest caliber vendor-authorized
 instruction at our training centers, online, or onsite



 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344143


Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread James Holmes

Sure, your MS Access DB doesn't cache execution plans, but real databases do.

On Tuesday, 3 May 2011,   wrote:

  cfqueryparam creates bound sql parameters, which improve query performance.

 This is purely theoretical; in practice, the gain in performance is 
 negligible.
 I prefer to have a query take 11 ms and see the values submitted in case of 
 error, than having the same query take 10 ms, but no information in errors.

-- 
--
WSS4CF - WS-Security framework for CF
http://wss4cf.riaforge.org

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344150


Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread David

On Mon, May 2, 2011 at 2:10 PM,  wrote:


  cfqueryparam creates bound sql parameters, which improve query
 performance.

 This is purely theoretical; in practice, the gain in performance is
 negligible.
 I prefer to have a query take 11 ms and see the values submitted in case of
 error, than having the same query take 10 ms, but no information in errors.


"no information in errors" -- Untrue. The error/catch object has one key,
SQL, with the sql statement containing the (param 1) etc. placeholders,
and another key, where, with all the parameters, types, and values.


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344151


Re: Bless cfqueryparam - helped defend against a persistent hack attempt

2011-05-02 Thread Justin Scott

 Yes, your error messages may need some help, but a combination
 of cfqueryparam usage and proper error handling (too often ignored) can go a long
 way towards saving your bacon.

Perhaps I'm going a little overboard, but my personal philosophy is
that it shouldn't be possible for an end-user to generate a ColdFusion
error message.  Proper error handling is an absolute must so you get
notified of errors that do occur, but I will generally massage the
incoming data before passing it into a query (which uses cfqueryparam,
of course).  If I have a numeric ID, I'm going to
min(abs(val(trim(url.id))), 200) that variable before it ever
makes it to the query (forces a positive in-range integer or zero; the
two billion value can be modified if you're using larger numbers in
your situation; an error can occur if the integer value is out of
range so I force it in range as well).

There is something to be said for getting notified when an attack is
in progress, but I'd lean on the side of logging unusual requests and
sending a notice when the app sees greater than X unusual requests
within a certain time period so I can check it out.  It's very rare
that the error notification on my sites ever need to kick in, and it
becomes an event when they do rather than thousands of error emails
getting generated from an automated attack.

Kudos to the original poster for making sure they used some protection
though.  Attackers don't care what your deadline looked like when the
app was written and their automated scanning tools don't care how big
your site is, so you have to assume they're going to probe long and
hard regardless of the size of the site.


-Justin
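An added example (not Justin's code, and written in Python rather than CFML) of the two practices he describes: coercing an incoming numeric id with the equivalent of min(abs(val(trim(url.id))), cap), and logging unusual requests so that a single notice goes out when more than X of them arrive inside a time window instead of one error email per hit. The two-billion cap, the threshold and window values, the constructed request ids and all function names are assumptions.

```python
import re
from collections import deque
from typing import Deque, List, Optional, Tuple

# Assumed cap: the "two billion" upper bound Justin mentions for a numeric id.
MAX_ID = 2_000_000_000

# ColdFusion val() returns the leading numeric portion of a string, or 0.
_LEADING_NUMBER = re.compile(r"^[+-]?\d+(?:\.\d+)?")


def cf_val(text: str) -> float:
    """Approximation of ColdFusion's val(): the leading number, else 0."""
    m = _LEADING_NUMBER.match(text)
    return float(m.group(0)) if m else 0.0


def coerce_id(raw: str, cap: int = MAX_ID) -> int:
    """Python equivalent of min(abs(val(trim(url.id))), cap): the result is
    always a non-negative integer no larger than cap, so binding it as an
    integer parameter can never raise an out-of-range error."""
    return int(min(abs(cf_val(raw.strip())), cap))


class UnusualRequestMonitor:
    """Logs every unusual request and sends at most one notice per window
    once more than `threshold` of them arrive within `window_seconds`."""

    def __init__(self, threshold: int, window_seconds: float) -> None:
        self.threshold = threshold
        self.window = window_seconds
        self.events: Deque[float] = deque()        # timestamps inside the window
        self.log: List[Tuple[float, str]] = []     # everything, for later review
        self.notices = 0
        self.last_notice_at: Optional[float] = None

    def record(self, detail: str, now: float) -> bool:
        """Record one unusual request; return True if a notice was sent."""
        self.log.append((now, detail))
        self.events.append(now)
        while self.events and now - self.events[0] > self.window:
            self.events.popleft()               # drop events outside the window
        over = len(self.events) > self.threshold
        quiet = self.last_notice_at is None or now - self.last_notice_at > self.window
        if over and quiet:
            self.notices += 1
            self.last_notice_at = now
            return True
        return False


def handle_request(raw_id: str, monitor: UnusualRequestMonitor, now: float):
    """Coerce the id and treat any value that did not survive coercion
    unchanged as unusual (this also flags harmless input such as '007')."""
    ident = coerce_id(raw_id)
    unusual = raw_id.strip() != str(ident)
    notified = monitor.record(f"id={raw_id!r} coerced to {ident}", now) if unusual else False
    return ident, unusual, notified


def simulate_burst(count: int = 25, threshold: int = 10, window: float = 60.0):
    """Constructed burst: `count` junk ids one second apart. Returns
    (notices sent, log entries): one notice, but every request logged."""
    monitor = UnusualRequestMonitor(threshold, window)
    for t in range(count):
        handle_request(f"abc{t}", monitor, now=float(t))
    return monitor.notices, len(monitor.log)


if __name__ == "__main__":
    print(coerce_id(" -42abc "), simulate_burst())
```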

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344152


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-28 Thread Mark Kruger
Gabriel, 

Nice job on this.  Looks like it works rather splendidly.

-Mark



Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-Original Message-
From: Gabriel [mailto:[EMAIL PROTECTED] 
Sent: Sunday, July 27, 2008 7:05 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta

To anyone who happened to use the regex I posted earlier I have an updated
method to be used in place, effective immediately.

// Short list of db objects to protect
DBObj.short = 'database|function|procedure|role|table|trigger|user|view';

// Sql Threat Indicators
blackList = '@@|' &
'(?:alter.*?(#DBObj.short#))|' &
'cast.*?\(|' &
'char.*?\([\w]{2}\)|' &
'(?:create.*?(#DBObj.short#))|' &
'(?:declare.*?@|cursor)|' &
'delete.*?from.*?_|' &
'(?:drop.*?(#DBObj.short#))|' &
'exec.*?\(|' &
'insert.*?values.*?\(+?|' &
'schema[^\w]+?|' &
'sysobjects|' & // lower-case: the input is lcase()d before scanning
'truncate.*?table|' &
'update.*?set+?|' &
'[sx]p_[\w_]+?|' &
'\''.*?-{2}|-{2}.*?\''|' & // trailing | keeps the comment check a separate alternative
'/\*.*?\*/';

// Build the java pattern matcher
rePattern = createObject('java', 'java.util.regex.Pattern');
rePattern = rePattern.compile(blackList);
reMatcher = rePattern.matcher('');

Then use reMatcher.reset(lcase(var_to_scan)).find() to scan the var.

This will fix a problem in which a long string containing too many back
references for non-word chars can cause a stack overflow. As much as I love
CF, I find the native regex implementation sadly lacking.

My apologies to anyone already using it, I guess this is what I get being
drawn into posting code I hadn't had a chance to fully test. If anyone has
problems with, or enhancements to the above, please let me know.

Also, thank you to Mary Jo for adding me to the credits. My surname is Read
FYI in case you still desire to include me.

Regards,
Gabriel Read
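An added example, not Gabriel's or Mary Jo's code: a Python port of the blackList above (Python's re treats these alternatives the same way java.util.regex does), run over constructed url/form/cookie scopes the way Mary Jo's scanner walks them. The sample request and the function names are assumptions; it shows one true positive and one false positive, which is the trade-off of any pattern blacklist.

```python
import re
from typing import Dict, List, Optional, Tuple

# Same short list of db objects as Gabriel's DBObj.short
DB_OBJ_SHORT = "database|function|procedure|role|table|trigger|user|view"

# Gabriel's blackList alternatives, one per entry (the CFML builds the same
# string with & concatenation). Two adjustments are flagged inline.
BLACKLIST = "|".join([
    r"@@",
    rf"(?:alter.*?({DB_OBJ_SHORT}))",
    r"cast.*?\(",
    r"char.*?\([\w]{2}\)",
    rf"(?:create.*?({DB_OBJ_SHORT}))",
    r"(?:declare.*?@|cursor)",
    r"delete.*?from.*?_",
    rf"(?:drop.*?({DB_OBJ_SHORT}))",
    r"exec.*?\(",
    r"insert.*?values.*?\(+?",
    r"schema[^\w]+?",
    r"sysobjects",          # lower-cased: the input is lcase()d before the scan,
                            # so a mixed-case 'sysObjects' literal could never match
    r"truncate.*?table",
    r"update.*?set+?",
    r"[sx]p_[\w_]+?",
    r"'.*?-{2}|-{2}.*?'",
    r"/\*.*?\*/",           # its own alternative; the post's string concatenation
                            # glued it onto the previous one
])

PATTERN = re.compile(BLACKLIST)


def find_threat(value: str) -> Optional[str]:
    """Equivalent of reMatcher.reset(lcase(value)).find(): return the first
    matching fragment, or None when the value is clean."""
    m = PATTERN.search(value.lower())
    return m.group(0) if m else None


def scan_scopes(scopes: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Walk every key of every scope (url, form, cookie) and return
    (scope, key, matched fragment) for each hit, so the caller can log
    or abort the request."""
    hits: List[Tuple[str, str, str]] = []
    for scope_name, params in scopes.items():
        for key, value in params.items():
            fragment = find_threat(value)
            if fragment is not None:
                hits.append((scope_name, key, fragment))
    return hits


# Constructed request, not captured traffic: one true positive, one false positive.
SAMPLE_REQUEST = {
    "url": {"id": "42", "page": "checkout"},
    "form": {
        "q": "x' or 1=1 --",                     # quote followed by a comment marker
        "comment": "please update my settings",  # legitimate text that trips update.*?set+?
    },
    "cookie": {"theme": "dark"},
}

if __name__ == "__main__":
    for hit in scan_scopes(SAMPLE_REQUEST):
        print(hit)
```

The false positive on "update my settings" is why this belongs in logging and rate-based alerting rather than as the only line of defence in front of queries that already use cfqueryparam.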



~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;203748912;27390454;j

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309784
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head

2008-07-28 Thread Mark Kruger
Gabriel,

One that might need adding is execute. 

execute something   

I notice you are trapping  sp_ nice catch.

Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-Original Message-
From: Mary Jo Sminkey [mailto:[EMAIL PROTECTED]
Sent: Saturday, 26 July 2008 5:40 AM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta

What do you think about this solution for sites with 5000 files:

This looks similar to the solution I am providing to my customers (I have a
lot that run old releases that are not as well protected as my current one
and have little desire to either update their software *or* the code). I
used the RegEx that Gabriel posted (sorry, don't know your last name as I
read this list online, let me know and I'll add that to the credits!) and
made a URL/Form scanner that will abort the page if it finds anything
illegal. This looks quite a bit more sophisticated, so it depends on how
much you are getting hit, and how aggressive you want to get.

My simple tool is here, feel free to download and modify as you wish. 

http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=17

--- Mary Jo



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309785


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-28 Thread Che Vilnonis
Gabriel... would you post the page in complete working order with your code
modifications? Thanks!




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309789


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-28 Thread Mark Kruger
Che,

I tested a working example of his code... I posted on my blog if you want
the skinny.

http://www.coldfusionmuse.com

-Mark 






Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309790


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-28 Thread Che Vilnonis
Thanks Mark. So, the function checkSQLInject(str) and the function
checkforattack() are no longer needed from Mary's original blocker.cfm file?









Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309791


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-28 Thread Mark Kruger
Che,

That depends... Mary Jo's function does all the scope checking for you ...
So you might want to use the reMatcher.reset().find() in Mary Jo's function
in place of the call to checkSQLInject() inside of the checkforattack()
function. That would make use of Gabriel's code, but keep all the
looping/checking inside of Mary Jo's function. You get the best of both
worlds that way :)  The code on my blog is a working example, but it's not
drop-in ready - you would still need to check the form and cookie scope
for example... So either way you will need to do some tweaking to get it to
work for your situation.

-Mark 










Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309794


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-28 Thread Mary Jo Sminkey
The code on my blog is a working example, but it's not
drop-in ready - you would still need to check the form and cookie scope
for example... So either way you will need to do some tweaking to get it to
work for your situation.

I'm going to post an updated version of my tool later today, just want to run a 
few tests on it first. As I noted on your blog though Mark, the original RegEx 
was Gabriel's work as well. I just used it to create the scanner tool. My 
ability to write regular expressions is rudimentary at best. ;-) 

--- Mary Jo



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309799


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-28 Thread Mary Jo Sminkey
Version 2 of the scanner I did is now available here:

http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=18

This has *not* been heavily tested as of yet, so use at your own risk! 


--- Mary Jo



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309802


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-28 Thread Mary Jo Sminkey
This has *not* been heavily tested as of yet, so use at your own risk! 

There was a little mistake in the scanner I posted earlier that could cause it 
to hang, if anyone downloaded it before, please grab the updated copy.

In just some basic iteration checking, the new version does appear to be 
significantly more efficient, with an average of 1.5 ms to process a large form 
submission, versus about 10 ms with the old method. So thanks Gabriel, nice 
improvement! 

--- Mary Jo



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309806


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head

2008-07-28 Thread Robert Harrison
 Version 2 of the scanner I did is now available here:
http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=18

Am I missing something here. I thought CFQUERYPARAM solved this problem. Is
this redundant or is there some problem with CFQUERYPARAM I'm missing?



Robert B. Harrison
Director of Interactive services
Austin & Williams
125 Kennedy Drive, Suite 100 Hauppauge NY 11788
T : 631.231.6600 Ext. 119 
F : 631.434.7022
www.austin-williams.com

Great advertising can't be either/or... It must be .




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309821


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head

2008-07-28 Thread Cutter (CFRelated)
MaryJo produces a product that she supports on older platforms, hence 
the need to bypass cfqueryparam.

Steve Cutter Blades
Adobe Certified Professional
Advanced Macromedia ColdFusion MX 7 Developer
_
http://blog.cutterscrossing.com

Robert Harrison wrote:
 Version 2 of the scanner I did is now available here:
 http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=18
 
 Am I missing something here. I thought CFQUERYPARAM solved this problem. Is
 this redundant or is there some problem with CFQUERYPARAM I'm missing?
 
 
 
 Robert B. Harrison
 Director of Interactive services
 Austin  Williams
 125 Kennedy Drive, Suite 100 Hauppauge NY 11788
 T : 631.231.6600 Ext. 119 
 F : 631.434.7022
 www.austin-williams.com
 
 Great advertising can't be either/or... It must be .
 
 
 
 
 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309825


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head

2008-07-28 Thread Brad Wood
Goodness sakes-- cfqueryparam has been around since ColdFusion 4.5.1.  How 
far back does she need to support?  :)

~Brad

- Original Message - 
From: Cutter (CFRelated) [EMAIL PROTECTED]
To: CF-Talk <cf-talk@houseoffusion.com>
Sent: Monday, July 28, 2008 2:56 PM
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head


 MaryJo produces a product that she supports on older platforms, hence
 the need to bypass cfqueryparam.
 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309827


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head

2008-07-28 Thread Kris Jones
I have a client who reluctantly upgraded to CF5 from CF4.0 last year
(yes, that would be 2007) because a sysadmin _accidentally_ upgraded,
and they couldn't find the original 4.0 disks. While they'd like to
upgrade to CF7 or CF8, the cost of migrating the many, many apps they
have is cost prohibitive for them. So, there ya go. There are plenty
of companies out there still running 4.0, and I'd guess, even earlier
versions.

 Goodness sakes-- cfqueryparam has been around since ColdFusion 4.5.1.  How
 far back does she need to support?  :)

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309828


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head

2008-07-28 Thread Mary Jo Sminkey
MaryJo produces a product that she supports on older platforms, hence 
the need to bypass cfqueryparam.

Actually, that's not really the issue so much as customers that are running 
older versions of my software that don't have all the text inputs covered with 
cfqueryparams. While this is certainly no substitution for them upgrading to my 
newer versions that are better protected against this new attack (and other 
stuff like XSS) it helps with customer relations to provide them with something 
to at least block it until such time as they get around to upgrading. I haven't 
supported anything below CF5 for quite some time! 

I may still include it in newer versions as well, for a couple reasons. One is 
simply that I prefer stopping hackers before they even can get to code that 
accesses the database, for whatever reason. It may not be 100% foolproof, but 
it's a worthwhile thing to do, IMO. The other reason is that my software is 
*very* commonly modified by those that purchase it. Hopefully anyone doing the 
code changes would know to use cfqueryparam but I've seen some pretty awful 
coding in my years of doing this, so I prefer not to assume and have some code 
in there that may help protect the site, because regardless of how a hacker 
gets in, it will still be me that gets the blame. ;-) 

--- Mary Jo



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309830


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-27 Thread Gabriel
To anyone who happened to use the regex I posted earlier I have an updated
method to be used in place, effective immediately.

<cfscript>
// Short list of db objects to protect
DBObj.short = 'database|function|procedure|role|table|trigger|user|view';

// Sql Threat Indicators
// (the & concatenation operators were lost in the archive copy and are restored here;
//  'sysObjects' is lower-cased because the input is lcase()'d before matching, so the
//  mixed-case spelling could never fire; and the '|' before the /* */ indicator was
//  missing, which fused that indicator into the previous branch)
blackList = '@@|' &
    '(?:alter.*?(#DBObj.short#))|' &
    'cast.*?\(|' &
    'char.*?\([\w]{2}\)|' &
    '(?:create.*?(#DBObj.short#))|' &
    '(?:declare.*?@|cursor)|' &
    'delete.*?from.*?_|' &
    '(?:drop.*?(#DBObj.short#))|' &
    'exec.*?\(|' &
    'insert.*?values.*?\(+?|' &
    'schema[^\w]+?|' &
    'sysobjects|' &
    'truncate.*?table|' &
    'update.*?set+?|' &
    '[sx]p_[\w_]+?|' &
    '\''.*?-{2}|-{2}.*?\''|' &
    '/\*.*?\*/';

// Build the java pattern matcher once and reuse it; matching runs on lcase()'d input
rePattern = createObject('java', 'java.util.regex.Pattern');
rePattern = rePattern.compile(blackList);
reMatcher = rePattern.matcher('');
</cfscript>

Then use reMatcher.reset(lcase(var_to_scan)).find() to scan the var.

This will fix a problem in which a long string containing too many back
references for non-word chars can cause a stack overflow. As much as I love
CF, I find the native regex implementation sadly lacking.

My apologies to anyone already using it, I guess this is what I get for being
drawn into posting code I hadn't had a chance to fully test. If anyone has
problems with, or enhancements to, the above, please let me know.

Also, thank you to Mary Jo for adding me to the credits. My surname is Read
FYI in case you still desire to include me.

Regards,
Gabriel Read

-Original Message-
From: Mary Jo Sminkey [mailto:[EMAIL PROTECTED] 
Sent: Saturday, 26 July 2008 5:40 AM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta

What do you think about this solution for sites with 5000 files:

This looks similar to the solution I am providing to my customers (I have a
lot that run old releases that are not as well protected as my current one
and have little desire to either update their software *or* the code). I
used the regex that Gabriel posted (sorry, don't know your last name as I
read this list online, let me know and I'll add that to the credits!) and
made a URL/Form scanner that will abort the page if it finds anything
illegal. This looks quite a bit more sophisticated, so it depends on how
much you are getting hit, and how aggressive you want to get.

My simple tool is here, feel free to download and modify as you wish. 

http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=17

--- Mary Jo
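The indicator list Gabriel posted above, ported to Python so it can be run against sample input. This is an added example, not code from the thread or from Mary Jo's scanner; it assumes Java and Python regex semantics agree for these patterns (they do for this subset), and the inputs below are constructed for the example. The results worth noticing are the two payloads it misses (a tautology and a UNION, neither of which needs a second statement, a comment or a stored procedure) and the two ordinary strings it blocks.

```python
import re

# Port of the object list and indicator list from the post (added example).
DB_OBJECTS = "database|function|procedure|role|table|trigger|user|view"

INDICATORS = [
    "@@",
    "(?:alter.*?(?:" + DB_OBJECTS + "))",
    r"cast.*?\(",
    r"char.*?\([\w]{2}\)",
    "(?:create.*?(?:" + DB_OBJECTS + "))",
    "(?:declare.*?@|cursor)",
    "delete.*?from.*?_",
    "(?:drop.*?(?:" + DB_OBJECTS + "))",
    r"exec.*?\(",
    r"insert.*?values.*?\(+?",
    r"schema[^\w]+?",
    "sysobjects",              # lower-cased, since the scan runs on lcase()'d input
    "truncate.*?table",
    "update.*?set+?",
    r"[sx]p_[\w_]+?",
    "'.*?-{2}|-{2}.*?'",       # a quote followed by a -- comment, or the reverse
    r"/\*.*?\*/",
]
BLACKLIST = re.compile("|".join(INDICATORS))


def is_suspicious(value: str) -> bool:
    """Equivalent of reMatcher.reset(lcase(var)).find(): True if any indicator matches."""
    return BLACKLIST.search(value.lower()) is not None


def matched_indicator(value: str):
    """Return the first indicator that fires (useful when tuning the list), or None."""
    lowered = value.lower()
    for pattern in INDICATORS:
        if re.search(pattern, lowered):
            return pattern
    return None


# Constructed inputs: the first four are injection payloads (the first has the
# DECLARE/CAST/EXEC shape the thread is about), the last two are ordinary text
# a real user might submit through a form.
SAMPLES = {
    "worm":      "1;declare @s varchar(4000);set @s=cast(0x44524f50 as varchar(4000));exec(@s);--",
    "drop":      "x'; drop table users;--",
    "tautology": "' or '1'='1",
    "union":     "1 union select name, password from users",
    "settings":  "Please update your settings before Friday",
    "job_title": "Senior Executive (EMEA)",
}


def scan_samples():
    """Run every sample through the blacklist; returns {name: flagged?}."""
    return {name: is_suspicious(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, flagged in scan_samples().items():
        print(f"{name:10} flagged={flagged!s:5} by {matched_indicator(SAMPLES[name])}")
```

Two of the four payloads pass and two harmless strings are blocked, which is the trade-off any keyword blacklist makes; it buys time for customers who cannot upgrade, while cfqueryparam on every input remains the actual fix.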

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309775


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-27 Thread Mary Jo Sminkey
This will fix a problem in which a long string containing too many back
references for non-word chars can cause a stack overflow. As much as I love
CF, I find the native regex implementation sadly lacking.

Thanks for the update... I'm not sure if any of my customers are using a host 
that disables use of CreateObject with java classes, but that would be a 
possible concern with this change. But I have only run into that once before, 
so shouldn't be a major issue. I'm thinking for my own application, I'll just 
load the pattern matcher into a persistent scope so there won't be too much 
performance hit running it on every page request. 


My apologies to anyone already using it, I guess this is what I get for being
drawn into posting code I hadn't had a chance to fully test. If anyone has
problems with, or enhancements to, the above, please let me know.

I don't know how many of my customers tried the first one I put up, but haven't 
gotten anything but positive feedback so far, and I haven't put out any new 
release with it included yet, so thanks for posting the enhancement, I'll give 
it a good test and let you know if I run into problems. I'll give it a test on 
Railo as well and make sure it doesn't run into any bumps on it either. 


Also, thank you to Mary Jo for adding me to the credits. My surname is Read
FYI in case you still desire to include me.

Well, I always try to give credit where it is due, and already had put you on 
there, just glad to add your surname as well.

--- Mary Jo



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309778


Was) URL Hack Attempt - now DNS attack..

2008-07-26 Thread Al Musella, DPM

And on top of that there is a story since Monday about DNS that is much
scarier and much closer to home to most readers.


  I am surprised we are not hearing about this on the list.. just in 
case you haven't been getting the MS alerts or other news sources 
telling you about it: there is a new attack on DNS servers.. it was 
supposed to start in August, to give people time to patch, but it was 
released early.. 
http://arstechnica.com/news.ars/post/20080726-new-dns-exploit-now-in-the-wild-and-having-a-blast.html

   Basically, unpatched servers are open to cache poisoning, which 
means that if you ask your DNS server for Roslyn Bank, the DNS server 
may give you the hacker's IP address, and you go to the hacker's site 
thinking you are on the real bank..
  If you run a DNS server, it has to be patched right now.

Al 



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309756


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Al Musella, DPM
Ben,
Seeing as how this type of SQL injection attack is succeeding so 
much (even my favorite fishing website has been down for days due to 
it (it is a .cfm site))...
  how about changing cfquery so that by default, only ONE SQL 
statement can be sent.  Let us override that with a parameter in 
cfquery or a cfprocessingdirective type of thing in our application.cfm..

I doubt many people use multiple SQL statements in one cfquery, and 
those that do are probably advanced enough to know to add the 
parameter for allowing it..

You can call this enhancement request cf_trainingWheels


How many people out there group together (intentionally) multiple SQL 
statements in one cfquery?  (Like select email from users where 
id=1; drop table users)

Al

  



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309696


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Robert Harrison
 how about changing cfquery so that by default... 

NO NO NO NO NO NO NO NO

I've used nested SQL all the time, and I've got over 100 web sites up. 
Validate and use REREPLACE and CFQUERYPARAM and you're fine.
Don't ever make a function change that kills existing code written
correctly.


Robert B. Harrison
Director of Interactive services
Austin & Williams
125 Kennedy Drive, Suite 100 Hauppauge NY 11788
T : 631.231.6600 Ext. 119 
F : 631.434.7022
www.austin-williams.com

Great advertising can't be either/or... It must be .




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309697


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Dave Francis
I find it useful on occasion with INSERT then SELECT @IDENTITY

-Original Message-
From: Al Musella, DPM [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 25, 2008 12:05 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To
Ben Forta

Ben,
Seeing as how this type of sql injection attack is succeeding so
much (even my favorite fishing website has been down for days due to it
(it is a .cfm site))...
  how about changing cfquery so that by default, only ONE SQL statement
can be sent.  Let us override that with a parameter in cfquery or a
cfprocessingdirective type of thing in our application.cfm..

I doubt many people use multiple sql statements in one cfquery, and
those that do are probably advanced enough to know to add the parameter
for allowing it..

You can call this enhancement request cf_trainingWheels


How many people out there group together (intentionally) multiple sql
statements in one cfquery?  (Like select email from users where id=1;
drop table users)

Al

  





Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309698


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread John Rossi
I also use this to get the new key on inserted records, and have used
cfqueryparam for years to protect against this sort of attack, and for
performance reasons.

Functionality shouldn't be sacrificed just to protect careless developers
from themselves.

John

-Original Message-
From: Dave Francis [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 25, 2008 12:16 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta

I find it useful on occasion with INSERT then SELECT @IDENTITY

-Original Message-
From: Al Musella, DPM [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 12:05 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta

Ben,
Seeing as how this type of sql injection attack is succeeding so much
(even my favorite fishing website has been down for days due to it (it is a
.cfm site))...
  how about changing cfquery so that by default, only ONE SQL statement can
be sent.  Let us override that with a parameter in cfquery or a
cfprocessingdirective type of thing in our application.cfm..

I doubt many people use multiple sql statements in one cfquery, and those
that do are probably advanced enough to know to add the parameter for
allowing it..

You can call this enhancement request cf_trainingWheels


How many people out there group together (intentionally) multiple sql
statements in one cfquery?  (Like select email from users where id=1; drop
table users)

Al

  







Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309699


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Jochem van Dieten
Al Musella, DPM wrote:
 Seeing as how this type of sql injection attack is succeeding so 
 much (even my favorite fishing website has been down for days due to 
 it (it is a .cfm site))...
   how about changing cfquery so that by default, only ONE SQL 
 statement can be sent.

That is a *very* bad idea since it would require CF to understand SQL. 
And not just SQL as the standard defines it, but every dialect 
implemented by every database. There is no way that CF would be able to 
reliably do that.


If you want an example of how bad this would be just try and see what 
happens if you take one of your current datasources, go to advanced 
properties and unselect every operation except SELECT. Then run the 
following statements:
<cfquery ...>
-- x
DROP TABLE x
</cfquery>
<cfquery ...>
SELECT 'test some string ; DROP c' FROM x
</cfquery>
<cfquery ...>
SET nocount on
DROP TABLE x
SET nocount off
</cfquery>

ColdFusion is a CFML engine. Everything that isn't CFML should be 
treated as opaque. (And the current 'feature' to limit SQL operations 
should be ripped out.)

Jochem

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309700


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Josh Nathanson
That is more a function of the db.  I know that by default, MySQL does not 
allow multiple sql statements.  You have to change a setting to allow this.

I suppose this could be added to CF as well, but it would have to allow 
multiples by default, so that it would be backwards compatible.  So you'd 
still have to remember to switch it off.

-- Josh


- Original Message - 
From: Al Musella, DPM [EMAIL PROTECTED]
To: CF-Talk cf-talk@houseoffusion.com
Sent: Friday, July 25, 2008 9:04 AM
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben 
Forta


 Ben,
Seeing as how this type of sql injection attack is succeeding so
 much (even my favorite fishing website has been down for days due to
 it (it is a .cfm site))...
  how about changing cfquery so that by default, only ONE SQL
 statement can be sent.  Let us override that with a parameter in
 cfquery or a cfprocessingdirective type of thing in our application.cfm..

 I doubt many people use multiple sql statements in one cfquery, and
 those that do are probably advanced enough to know to add the
 parameter for allowing it..

 You can call this enhancement request cf_trainingWheels


 How many people out there group together (intentionally) multiple sql
 statements in one cfquery?  (Like select email from users where
 id=1; drop table users)

 Al





 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309701


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Greg Morphis
If you spent more time securing your variables then it wouldn't be much
of a problem..
E.g. if you create a database field lname char(50), in CF check the
length before passing that variable to your CFQUERY..
There's isNumeric() to check for numbers; there are ways to help protect
yourself from this without going to the extreme that you suggest

 - Original Message -
 From: Al Musella, DPM [EMAIL PROTECTED]
 To: CF-Talk cf-talk@houseoffusion.com
 Sent: Friday, July 25, 2008 9:04 AM
 Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
 Forta


 Ben,
Seeing as how this type of sql injection attack is succeeding so
 much (even my favorite fishing website has been down for days due to
 it (it is a .cfm site))...
  how about changing cfquery so that by default, only ONE SQL
 statement can be sent.  Let us override that with a parameter in
 cfquery or a cfprocessingdirective type of thing in our application.cfm..

 I doubt many people use multiple sql statements in one cfquery, and
 those that do are probably advanced enough to know to add the
 parameter for allowing it..

 You can call this enhancement request cf_trainingWheels


 How many people out there group together (intentionally) multiple sql
 statements in one cfquery?  (Like select email from users where
 id=1; drop table users)

 Al







 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309702


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Matt Quackenbush
+Infinity.

(I'd add some sort of really intelligent comment, but, well, Robert already
covered that part.)


On Fri, Jul 25, 2008 at 11:14 AM, Robert Harrison wrote:

  how about changing cfquery so that by default...

 NO NO NO NO NO NO NO NO

 I've used nested SQL all the time, and I've got over 100 web sites up.
 Validate and use REREPLACE and CFQUERYPARAM and you're fine.
 Don't ever make a function change that kills existing code written
 correctly.



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309703


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Dave Watts
 Seeing as how this type of sql injection attack is 
 succeeding so much (even my favorite fishing website has been 
 down for days due to it (it is a .cfm site))...
   how about changing cfquery so that by default, only ONE SQL 
 statement can be sent.  Let us override that with a parameter 
 in cfquery or a cfprocessingdirective type of thing in our 
 application.cfm..

The problem with this, as Jochem points out, is that it would require CF to
parse SQL. This is a losing battle, as each database will do different
things when given an SQL batch. What if databases automatically escape
Unicode character sequences? Then CF would have to do the same.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309704


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Robert Harrison
Sorry for the outburst, but that scared me. I could just see me telling all
my clients, well, that used to work. Sorry about that. :-)



Robert B. Harrison
Director of Interactive services
Austin & Williams
125 Kennedy Drive, Suite 100 Hauppauge NY 11788
T : 631.231.6600 Ext. 119 
F : 631.434.7022
www.austin-williams.com

Great advertising can't be either/or... It must be .

-Original Message-
From: Matt Quackenbush [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 25, 2008 12:42 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta

+Infinity.

(I'd add some sort of really intelligent comment, but, well, Robert already
covered that part.)


On Fri, Jul 25, 2008 at 11:14 AM, Robert Harrison wrote:

  how about changing cfquery so that by default...

 NO NO NO NO NO NO NO NO

 I've used nested SQL all the time, and I've got over 100 web sites up.
 Validate and use REREPLACE and CFQUERYPARAM and you're fine.
 Don't ever make a function change that kills existing code written
 correctly.





Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309705


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Claude Schneegans
   how about changing cfquery so that by default, only ONE SQL
 statement can be sent.  Let us override that with a parameter in
 cfquery or a cfprocessingdirective type of thing in our 
application.cfm..

Pretty good idea.

 I doubt many people use multiple sql statements in one cfquery,

Also note that certain databases, like Access, won't allow multiple 
statements anyway.
 I know, I know, some ayatollah will say
NEVER use *Access*...

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309707


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
Is there any way to stop the botnet from spamming websites? Does the hacker
have to stop it? Or, if it is automated, is there any way right now?

Radek

On Fri, Jul 25, 2008 at 12:56 PM, Dave Watts [EMAIL PROTECTED] wrote:

  Seeing as how this type of sql injection attack is
  succeeding so much (even my favorite fishing website has been
  down for days due to it (it is a .cfm site))...
how about changing cfquery so that by default, only ONE SQL
  statement can be sent.  Let us override that with a parameter
  in cfquery or a cfprocessingdirective type of thing in our
  application.cfm..

 The problem with this, as Jochem points out, is that it would require CF to
 parse SQL. This is a losing battle, as each database will do different
 things when given an SQL batch. What if databases automatically escape
 Unicode character sequences? Then CF would have to do the same.

 Dave Watts, CTO, Fig Leaf Software
 http://www.figleaf.com/

 Fig Leaf Software provides the highest caliber vendor-authorized
 instruction at our training centers in Washington DC, Atlanta,
 Chicago, Baltimore, Northern Virginia, or on-site at your location.
 Visit http://training.figleaf.com/ for more information!

 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309708


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Mark Kruger
I have to hand it to Claude - he definitely has confidence :)


-Original Message-
From: Claude Schneegans [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 25, 2008 12:15 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta

   how about changing cfquery so that by default, only ONE SQL  statement
can be sent.  Let us override that with a parameter in  cfquery or a
cfprocessingdirective type of thing in our application.cfm..

Pretty good idea.

 I doubt many people use multiple sql statements in one cfquery,

Also note that certain databases, like Access, won't allow multiple statements
anyway.
. I know, I know, some ayatollah will say NEVER use *Access*...

--
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED]) Thanks.




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309709


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Claude Schneegans
 That is more a function of the db.

Exact, and I don't see how CF could prevent from multiple execution.
It should compile the SQL code for that, and it does not.
Unless ODBC/JDBC drivers have a function to disable it.

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309710


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Claude Schneegans
 I have to hand it to Claude - he definitely has confidence

Well, unless ODBC and JDBC have some function to enable/disable multi-statements, 
it would certainly be much trouble to implement this in CF.
I've checked rapidly in the ODBC docs, and I don't see any reference to 
multi-statements.

Anyway, if the option was available, it shouldn't be the default, for sure.

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309711


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
RiaForge.org doesn't work, tried to get the cfqueryparam scanner:

http://qpscanner.riaforge.org/

Anybody know what happened?

Radek

On Fri, Jul 25, 2008 at 1:46 PM, Claude Schneegans 
[EMAIL PROTECTED] wrote:

  I have to hand it to Claude - he definitely has confidence

 Well, unless ODBC and JDBC have some function to enable/disable multi-statements,
 it would certainly be much trouble to implement this in CF.
 I've checked rapidly in the ODBC docs, and I don't see any reference to
 multi-statements.

 Anyway, if the option was available, it shouldn't be the default, for sure.

 --
 ___
 REUSE CODE! Use custom tags;
 See http://www.contentbox.com/claude/customtags/tagstore.cfm
 (Please send any spam to this address: [EMAIL PROTECTED])
 Thanks.


 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309712


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Brad Wood
I don't believe DBMSs like MSSQL have a single-statement option.  As has 
already been pointed out, MySQL does, and it is the default.

The setting is on a per-connection level.  If you are using MySQL and know 
that most of the time you will only have one statement, then create two 
datasources-- one that allows it and one that does not.  Use as needed.  The 
inherent problem with any of this is it still requires the programmer to:
1) use the correct datasource and not be lazy
2) properly secure the queries that allow the multiple statements and not be 
lazy

Worst of all, not all SQL injection attacks require a second statement!!!

Many attacks use a union to pull additional data out in a select, and that is 
_totally_ allowed in MySQL in single-statement mode.

Basically, we as the programmers don't get out of this one.  We have to 
be relied upon to consistently do SOMETHING, whether it is use the correct 
datasource, etc.

So here's the thing: if you are going to go through the trouble to do ANYTHING, 
just make sure that we always use cfqueryparam-- that is the only option 
that will always work without many gotchas.  I think that is energy better 
spent.

~Brad

- Original Message - 
From: Claude Schneegans [EMAIL PROTECTED]
To: CF-Talk cf-talk@houseoffusion.com
Sent: Friday, July 25, 2008 12:46 PM
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben 
Forta


 I have to hand it to Claude - he definitely has confidence

 Well, unless ODBC and JDBC have some function to enable/disable multi-statements,
 it would certainly be much trouble to implement this in CF.
 I've checked rapidly in the ODBC docs, and I don't see any reference to
 multi-statements.

 Anyway, if the option was available, it shouldn't be the default, for 
 sure.
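Brad's point above, that a one-statement-per-query rule does not stop UNION-based injection, shown as an added example that is not code from the thread. It uses Python's sqlite3 module in the role of the datasource, because its execute() already refuses a second statement in the same call (the behaviour Al asked for in cfquery, and MySQL's connection default); the table and rows are constructed for the example, and the bound-parameter query plays the part of cfqueryparam.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the application's datasource."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'alice@example.com', 'hash-a');
        INSERT INTO users VALUES (2, 'bob@example.com', 'hash-b');
    """)
    return conn


def email_by_id_concat(conn, user_id):
    """Vulnerable: the value is spliced into the SQL text, the way
    'WHERE id = #url.id#' is in a cfquery without cfqueryparam."""
    return conn.execute("SELECT email FROM users WHERE id = " + str(user_id)).fetchall()


def email_by_id_param(conn, user_id):
    """Safe: a bound parameter, sent to the engine as data rather than SQL text,
    which is what <cfqueryparam cfsqltype="cf_sql_integer"> does in CFML."""
    return conn.execute("SELECT email FROM users WHERE id = ?", (user_id,)).fetchall()


def demo():
    """Run the three cases and return their outcomes keyed by name."""
    conn = make_db()
    out = {}

    # 1. Stacked statement. sqlite3 rejects the whole call at prepare time
    #    (older Pythons raise sqlite3.Warning, newer ones ProgrammingError),
    #    so nothing runs: this is the single-statement rule from the thread.
    try:
        email_by_id_concat(conn, "1; DROP TABLE users")
        out["stacked"] = "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        out["stacked"] = "rejected"

    # 2. UNION-based injection is a single statement, so the rule does nothing:
    #    the concatenated query now hands back the password hashes.
    rows = email_by_id_concat(conn, "0 UNION SELECT password_hash FROM users")
    out["union_leak"] = sorted(r[0] for r in rows)

    # 3. The same payload as a bound parameter is just a value that matches no id.
    out["union_param"] = email_by_id_param(conn, "0 UNION SELECT password_hash FROM users")

    # 4. Normal use of the parameterized query.
    out["normal"] = email_by_id_param(conn, 1)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12} {value}")
```

The stacked DROP is refused, yet the UNION payload leaks every hash through the same concatenated query; only the parameterized version treats the payload as data. The result does not depend on the engine: MySQL's single-statement default behaves the same way for case 2.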



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309713


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Brad Wood
Hmm, it appears to be down-- and Ray is on vacation.  I can post it on my 
blog temporarily if I need to.

Today is Operation cf_SQLprotect!
http://www.codersrevolution.com/index.cfm/2008/7/24/Announcing-the-first-ever-International-Operation-cfSQLprotect

~Brad

- Original Message - 
From: Radek Valachovic [EMAIL PROTECTED]
To: CF-Talk cf-talk@houseoffusion.com
Sent: Friday, July 25, 2008 1:11 PM
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben 
Forta


 RiaForge.org doesn't work, tried to get the cfqueryparam scanner:

 http://qpscanner.riaforge.org/

 Anybody know what happened?

 Radek


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309714


Re: (ot) URL Hack Attempt Leaves Me Scratching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
I have it installed already, but other guys in forums were asking for a scanner, so
I suggested that one, and when I came to RiaForge it didn't work, so I was
wondering why. Thanks anyway, but I think on your new page you should post it
there too, to download from your server or blog, with credit to RiaForge.

Radek


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309715


