RE: Owned by Rootdamages by FasT

2008-01-24 Thread Dave Watts
> Hmm, that's interesting.  That's what we're using, and I've 
> never been able to get a sql injection attack to work on it.  
> 
> Can someone provide a simple example of how cfquery is 
> vulnerable, so that we all know what kinds of things to watch out for?

I'm not aware of any vulnerabilities with CF's escaping of single quotes and
SQL Server 2000.

That said, that doesn't mean there aren't any. All that has to happen is for
CF to interpret a character sequence as something other than a string
delimiter, and for SQL Server to interpret the same character sequence as a
string delimiter. I would probably check out Unicode character sequences for
this, if I were a penetration tester.

The point of using CFQUERYPARAM to secure database access is to prevent
anything like this from happening. By building a prepared statement, you
prevent the execution of anything in your values as code; the database will
only treat it as data, no matter what it contains.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
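As an added example (mine, not code from the thread), the difference Dave describes between escaping and a prepared statement, run against the pattern from the original post: an integer from the url scope concatenated into a WHERE clause. Python with sqlite3 stands in for SQL Server 2000, cf_style_escape() is a model of the single-quote escaping the thread says CF applies, and the 'items' table is constructed sample data.

```python
"""Why escaping single quotes does not protect a numeric WHERE clause.

Added example, not code from the thread. sqlite3 stands in for SQL Server
2000; cf_style_escape() models the single-quote doubling the thread says
ColdFusion applies to values inside cfquery. The 'items' table is
constructed sample data.
"""
import sqlite3


def cf_style_escape(value: str) -> str:
    """Model of CF's automatic escaping: double every single quote."""
    return value.replace("'", "''")


def setup_db() -> sqlite3.Connection:
    """Constructed sample table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(1, "alpha"), (2, "beta"), (3, "gamma")])
    return conn


def lookup_by_name_concatenated(conn, name: str) -> list:
    """String context: the value sits between quotes, so doubling the
    quotes keeps it inside the literal. This is why an injection attempt
    against a quoted string value goes nowhere."""
    sql = (f"SELECT id, name FROM items WHERE name = '{cf_style_escape(name)}'"
           " ORDER BY id")
    return conn.execute(sql).fetchall()


def lookup_by_id_concatenated(conn, url_id: str) -> list:
    """Numeric context, the pattern from the original post: url.id is
    compared as a number, so no quotes surround it and the escaping has
    nothing to act on. Whatever the string holds becomes SQL text."""
    sql = (f"SELECT id, name FROM items WHERE id = {cf_style_escape(url_id)}"
           " ORDER BY id")
    return conn.execute(sql).fetchall()


def lookup_by_id_parameterised(conn, url_id: str) -> list:
    """cfqueryparam cf_sql_integer equivalent: validate the type, then
    bind the value to a placeholder so the driver sends it as data."""
    try:
        item_id = int(url_id)
    except ValueError:
        raise ValueError(f"url.id must be an integer, got {url_id!r}") from None
    sql = "SELECT id, name FROM items WHERE id = ? ORDER BY id"
    return conn.execute(sql, (item_id,)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    # Escaping holds in string context: the whole input stays one literal.
    print(lookup_by_name_concatenated(db, "alpha' OR '1'='1"))   # []
    # Escaping is irrelevant in numeric context: every row comes back.
    print(lookup_by_id_concatenated(db, "2 OR 1=1"))             # 3 rows
    # The parameterised version rejects the same input outright.
    try:
        lookup_by_id_parameterised(db, "2 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```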

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297383
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4


Re: Owned by Rootdamages by FasT

2008-01-24 Thread Tom Chiverton
On Wednesday 23 Jan 2008, Jerry Guido wrote:
> These guys (Rootdamages) are all over the place.

Heh, I did the same thing ;-)

-- 
Tom Chiverton
Helping to seamlessly restore vertical solutions
on: http://thefalken.livejournal.com



This email is sent for and on behalf of Halliwells LLP.

Halliwells LLP is a limited liability partnership registered in England and 
Wales under registered number OC307980 whose registered office address is at 
Halliwells LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB.  A list 
of members is available for inspection at the registered office. Any reference 
to a partner in relation to Halliwells LLP means a member of Halliwells LLP.  
Regulated by The Solicitors Regulation Authority.

CONFIDENTIALITY

This email is intended only for the use of the addressee named above and may be 
confidential or legally privileged.  If you are not the addressee you must not 
read it and must not use any information contained in nor copy it nor inform 
any person other than Halliwells LLP or the addressee of its existence or 
contents.  If you have received this email in error please delete it and notify 
Halliwells LLP IT Department on 0870 365 2500.

For more information about Halliwells LLP visit www.halliwells.com.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297280


RE: Owned by Rootdamages by FasT

2008-01-23 Thread Jerry Guido
>>What kind of DB were you using?  

> SQL Server 2000

Just as a note, by default MySQL does not allow you to run multiple
queries separated with a ";". At least within cfquery tags. This is
great for security reasons but makes running large SQL scripts a bit of
a pain. It still won't stop someone from tacking on an "OR 1=1" at the
end of a query string.


Jerry Guido
Programmer
MGT of America, Inc.
[EMAIL PROTECTED] 

The information contained in this electronic communication is intended
only for the use of the addressee, and may be a confidential
communication.  If you are not the intended recipient, you are hereby
notified that you have received this transmittal in error; any review,
dissemination, distribution or copying of this transmittal is strictly
prohibited.


-Original Message-
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 23, 2008 1:28 PM
To: CF-Talk
Subject: Re: Owned by Rootdamages by FasT

SQL Server 2000

>What kind of DB were you using?  I still haven't seen a good example of a
>sql query injection in CF since CF auto escapes single quotes.
>
>Russ
>
>> 



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297227


Re: Owned by Rootdamages by FasT

2008-01-23 Thread Dominic Watson
>
> I don't get where you're getting the variables on line ...
> 
> Are you cfsetting URL variable and I've never seen the
> variables.itm ... what's this?


The url variable is always available. It is a structure.  variables.itm is
any old variable that you name in the 'item' property in cfloop. It looks a
little odd because it is being explicitly put in the 'variables' scope (look
it up). You would do this to avoid variable naming confusion and
duplication.

Dominic

-- 
Blog it up: http://fusion.dominicwatson.co.uk


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297181


RE: Owned by Rootdamages by FasT

2008-01-23 Thread Peterson, Chris
You don't have to do things like that if you just use cfqueryparam ;) The
only thing you lose on pre-cf8 is caching of the queries, so worst case is
you may have to re-factor some slow SQL statements.

Chris Peterson

-Original Message-
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 23, 2008 12:30 PM
To: CF-Talk
Subject: Re: Owned by Rootdamages by FasT

Is there a way to address all URL scopes or do I have to be specific and
list all URL scopes used on the site?

I'm thinking ...







>Or at the very least write some generic code in Application.cfm/Application.cfc
>that inspects the form, url and cookie scopes and strips out anything
>suspicious like SQL statements. That would only be a half measure though.
>The queries need to be changed to use cfqueryparam.
>
>On Jan 23, 2008 11:38 AM, Tom Chiverton <[EMAIL PROTECTED]>
>wrote:
>
>> 



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297198


RE: Owned by Rootdamages by FasT

2008-01-23 Thread Jerry Guido
These guys (Rootdamages) are all over the place.  

http://www.google.com/search?q=RootDamages&sourceid=navclient-ff&ie=UTF-8&rlz=1B3GGGL_enUS209US209

Jerry Guido
Programmer
MGT of America, Inc.
[EMAIL PROTECTED] 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

Sent: Wednesday, January 23, 2008 11:26 AM
To: CF-Talk
Subject: Owned by Rootdamages by FasT

One of the sites I'm working on had a SQL break-in on an old application.
The url scope passed an integer and the where statement in the cfquery wasn't
protected by cfqueryparam.  I've added cferror to this application as well so
a hacker can't see the standard cf error message.  Is there anything else I can
do to tighten this issue down?  Just want to make sure.

Thanks

D



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297166


RE: Owned by Rootdamages by FasT

2008-01-23 Thread Russ
What kind of DB were you using?  I still haven't seen a good example of a
sql query injection in CF since CF auto escapes single quotes.  

Russ

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 23, 2008 11:26 AM
> To: CF-Talk
> Subject: Owned by Rootdamages by FasT
> 
> One of the sites I'm working on had a SQL break-in on an old application.
> The url scope passed an integer and the where statement in the cfquery wasn't
> protected by cfqueryparam.  I've added cferror to this application as well so
> a hacker can't see the standard cf error message.  Is there anything else I can
> do to tighten this issue down?  Just want to make sure.
> 
> Thanks
> 
> D
> 
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297165


RE: Owned by Rootdamages by FasT

2008-01-23 Thread Russ
Hmm, that's interesting.  That's what we're using, and I've never been able
to get a sql injection attack to work on it.  

Can someone provide a simple example of how cfquery is vulnerable, so that
we all know what kinds of things to watch out for?

Russ

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 23, 2008 1:28 PM
> To: CF-Talk
> Subject: Re: Owned by Rootdamages by FasT
> 
> SQL Server 2000
> 
> >What kind of DB were you using?  I still haven't seen a good example of a
> >sql query injection in CF since CF auto escapes single quotes.
> >
> >Russ
> >
> >>
> 
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297199


Re: Owned by Rootdamages by FasT

2008-01-23 Thread Sonny Savage
If your form uses the "get" method, the variables will be in the 'url'
scope.  If the form uses the "post" method, your variables will be in the
'form' scope.

On Jan 23, 2008 12:30 PM, [EMAIL PROTECTED]
[EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

> Is there a way to address all URL scopes or do I have to be specific and
> list all URL scopes used on the site?
>
> I'm thinking ...
>
> 
>
> 
> 
>
>
> >Or at the very least write some generic code in Application.cfm/Application.cfc
> >that inspects the form, url and cookie scopes and strips out anything
> >suspicious like SQL statements. That would only be a half measure though.
> >The queries need to be changed to use cfqueryparam.
> >
> >On Jan 23, 2008 11:38 AM, Tom Chiverton <[EMAIL PROTECTED]>
> >wrote:
> >
> >>
>
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297192


Re: Owned by Rootdamages by FasT

2008-01-23 Thread Dominic Watson
>
> Is there a way to address all URL scopes or do I have to be specific and
> list all URL scopes used on the site?


Yep, the url 'scope' is a structure so you can loop over its keys:


 


Not sure about that SQL checking code. Perhaps there's some regex out there
already...

Dominic

-- 
Blog it up: http://fusion.dominicwatson.co.uk


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297172


Re: Owned by Rootdamages by FasT

2008-01-23 Thread Dominic Watson
>
> 
>


Correction:



Dominic




On 23/01/2008, Dominic Watson <[EMAIL PROTECTED]> wrote:
>
> > Is there a way to address all URL scopes or do I have to be specific and
> > list all URL scopes used on the site?
>
>
> Yep, the url 'scope' is a structure so you can loop over its keys:
>
> 
>  
> 
>
> Not sure about that SQL checking code. Perhaps there's some regex out
> there already...
>
> Dominic
>
> --
> Blog it up: http://fusion.dominicwatson.co.uk
>



-- 
Blog it up: http://fusion.dominicwatson.co.uk


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297173


Re: Owned by Rootdamages by FasT

2008-01-23 Thread [EMAIL PROTECTED] [EMAIL PROTECTED]
I don't get where you're getting the variables on line ...

Are you cfsetting URL variable and I've never seen the 
variables.itm ... what's this?

>You just loop over a collection:
>
>
>
>   
>   Please don't do that... tisk tisk!
>
>   
>
>
>
>On 1/23/08, [EMAIL PROTECTED] [EMAIL PROTECTED]
><[EMAIL PROTECTED]> wrote:
>> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297169


Re: Owned by Rootdamages by FasT

2008-01-23 Thread [EMAIL PROTECTED] [EMAIL PROTECTED]
SQL Server 2000

>What kind of DB were you using?  I still haven't seen a good example of a
>sql query injection in CF since CF auto escapes single quotes.  
>
>Russ
>
>> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297170


Re: Owned by Rootdamages by FasT

2008-01-23 Thread J.J. Merrick
You just loop over a collection:



   
   Please don't do that... tisk tisk!

   



On 1/23/08, [EMAIL PROTECTED] [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:
> Is there a way to address all URL scopes or do I have to be specific and list 
> all URL scopes used on the site?
>
> I'm thinking ...
>
> 
> 
> 
> 
>
>
> >Or at the very least write some generic code in 
> >Application.cfm/Application.cfc
> >that inspects the form, url and cookie scopes and strips out anything
> >suspicious like SQL statements. That would only be a half measure though.
> >The queries need to be changed to use cfqueryparam.
> >
> >On Jan 23, 2008 11:38 AM, Tom Chiverton <[EMAIL PROTECTED]>
> >wrote:
> >
> >>
>
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297153


Re: Owned by Rootdamages by FasT

2008-01-23 Thread [EMAIL PROTECTED] [EMAIL PROTECTED]
Is there a way to address all URL scopes or do I have to be specific and list 
all URL scopes used on the site?

I'm thinking ...







>Or at the very least write some generic code in Application.cfm/Application.cfc
>that inspects the form, url and cookie scopes and strips out anything
>suspicious like SQL statements. That would only be a half measure though.
>The queries need to be changed to use cfqueryparam.
>
>On Jan 23, 2008 11:38 AM, Tom Chiverton <[EMAIL PROTECTED]>
>wrote:
>
>> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297148


Re: Owned by Rootdamages by FasT

2008-01-23 Thread Brian Kotek
Or at the very least write some generic code in Application.cfm/Application.cfc
that inspects the form, url and cookie scopes and strips out anything
suspicious like SQL statements. That would only be a half measure though.
The queries need to be changed to use cfqueryparam.

On Jan 23, 2008 11:38 AM, Tom Chiverton <[EMAIL PROTECTED]>
wrote:

> On Wednesday 23 Jan 2008, [EMAIL PROTECTED] wrote:
> > anything else I can do to tighten this issue down?  Just want to make sure.
>
> Have you reviewed every other cfquery in the app?
>
> --
> Tom Chiverton
> Helping to heterogeneously envisioneer leading-edge architectures
> on: http://thefalken.livejournal.com
>

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297137


Re: Owned by Rootdamages by FasT

2008-01-23 Thread Tom Chiverton
On Wednesday 23 Jan 2008, [EMAIL PROTECTED] wrote:
> anything else I can do to tighten this issue down?  Just want to make sure.

Have you reviewed every other cfquery in the app?

-- 
Tom Chiverton
Helping to heterogeneously envisioneer leading-edge architectures
on: http://thefalken.livejournal.com




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297132


Owned by Rootdamages by FasT

2008-01-23 Thread coldfusion . developer
One of the sites I'm working on had a SQL break-in on an old application.
The url scope passed an integer and the where statement in the cfquery wasn't
protected by cfqueryparam.  I've added cferror to this application as well so
a hacker can't see the standard cf error message.  Is there anything else I can
do to tighten this issue down?  Just want to make sure.

Thanks

D

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297128