RE: Coldfusion SQL Hack
Anthony Doherty wrote on 2010-03-22:

> I have a site page that is only using the query below and the site keeps getting hit by SQL hacks. I have looked through every SQL query and all the queries are using <cfqueryparam value="#URL.???#" cfsqltype="cf_sql_numeric"> so they can't be hacked.

What makes you think that is susceptible to SQL injection attacks? To me it looks safe; maybe you missed pasting something (there were no variables in your query).

/H.

--
Hugo Ahlenius
E-Mail: hugo.ahlenius(at)nordpil.com
Phone: +46 75 7575284
Nordpil
Fax: +46 8 6747020
http://nordpil.com
Mobile: +46 733 467111
Skype: callto:hugo.ahlenius
vCard: http://nordpil.com/hugoahlenius.vcf

~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331929
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Coldfusion SQL Hack
> I have a site page that is only using the query below and the site keeps getting hit by SQL hacks. I have looked through every SQL query and all the queries are using <cfqueryparam value="#URL.???#" cfsqltype="cf_sql_numeric"> so they can't be hacked. Can someone explain how I can amend this query so it's not hackable??
>
> <cfquery name="RS1" datasource="DS1">
>     SELECT FEEDBACK.ID, FEEDBACK.FEEDBACK, FEEDBACK.LEFT_BY, County.County, County.ID
>     FROM FEEDBACK INNER JOIN County ON (FEEDBACK.COUNTY = County.ID)
> </cfquery>
>
> Thanks

Where are you using cfqueryparam above? With County.ID? What are they doing to hack your site? Can you give an example?

You can use IsValid before your query as well:

<cfif isValid("integer", form.value)>
    Your Query Here
</cfif>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331930
Re: Coldfusion SQL Hack
I'm making certain assumptions, but are you ensuring your feedback is clean when it's saved? If it's not, that'd explain how they're getting nastiness into the DB which is then called in that query. If not, explain a little more of the attack, as that query would not be susceptible to SQL injection from the URL.

- Gabriel

On Mon, Mar 22, 2010 at 7:04 AM, Anthony Doherty a.dohe...@advancesystems.co.uk wrote:

> I have a site page that is only using the query below and the site keeps getting hit by SQL hacks. I have looked through every SQL query and all the queries are using <cfqueryparam value="#URL.???#" cfsqltype="cf_sql_numeric"> so they can't be hacked. Can someone explain how I can amend this query so it's not hackable??
>
> <cfquery name="RS1" datasource="DS1">
>     SELECT FEEDBACK.ID, FEEDBACK.FEEDBACK, FEEDBACK.LEFT_BY, County.County, County.ID
>     FROM FEEDBACK INNER JOIN County ON (FEEDBACK.COUNTY = County.ID)
> </cfquery>
>
> Thanks

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331931
Re: Coldfusion SQL Hack
The Feedback section is entered with an administration section and this is locked down with a username and password. The feedback section is only a text field and the person using the site, let's say, is not clued in!

Throughout the site I have a number of pages that are database driven, and the customer feedback page is the only one that is being affected, as all the other queries are using CFQUERYPARAM for variables.

They are amending the FEEDBACK field and entering a piece of JavaScript that redirects the user to a site that contains spyware and malware.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331932
Re: Coldfusion SQL Hack
That's not SQL injection, it's HTML injection. (Or XSS, as the fashionable term is.)

You need to use HtmlEditFormat (or a similar function) to ensure all content output to HTML pages gets appropriately escaped. (If you need to allow certain HTML, escape it all, and then unescape only the safe whitelist.)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331933
Re: Coldfusion SQL Hack
The query you provided is only retrieving the offending code but would likely not be the source. I'd look at other sources.

1. Check if the JavaScript is saved in the database along with the feedback. If it is, then start looking at all the places where the feedback is entered.

2. Are you storing the IP address of who left the feedback with the embedded JavaScript? If you are, you can then check if it's coming from your not-clued-in user's computer.

- Gabriel

On Mon, Mar 22, 2010 at 7:46 AM, Anthony Doherty a.dohe...@advancesystems.co.uk wrote:

> The Feedback section is entered with an administration section and this is locked down with a username and password. The feedback section is only a text field and the person using the site, let's say, is not clued in!
>
> Throughout the site I have a number of pages that are database driven, and the customer feedback page is the only one that is being affected, as all the other queries are using CFQUERYPARAM for variables.
>
> They are amending the FEEDBACK field and entering a piece of JavaScript that redirects the user to a site that contains spyware and malware.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331934
Re: Coldfusion SQL Hack
How can I use this function 'HtmlEditFormat' on my FEEDBACK field?

Also, before I removed the code there was some JavaScript being stored in the FEEDBACK field as well. I don't think they are entering the HACK from the administration section, but could this type of HACK be made from a contact form? The contact form just asks for a NAME, EMAIL and COMMENTS field, and the COMMENTS section is just a simple text box.

Thanks

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331937
Re: Coldfusion SQL Hack
1. You'd use HtmlEditFormat on any page that displayed the feedback. So on the public page if you show it back to the user, and on the admin page. Generally, anywhere you're using #feedback# you'd want to do #htmlEditFormat(feedback)#.

2. Yes, if you have a public form that is a simple text box then that is very much likely the way they're doing it. They're simply submitting the JavaScript code directly along with the fake feedback. It's up to you to sanitize input data. At a minimum, you'd be looking to remove any JavaScript from the input, as that's what's being exploited here.

- Gabriel

On Mon, Mar 22, 2010 at 8:24 AM, Anthony Doherty a.dohe...@advancesystems.co.uk wrote:

> How can I use this function 'HtmlEditFormat' on my FEEDBACK field?
>
> Also, before I removed the code there was some JavaScript being stored in the FEEDBACK field as well. I don't think they are entering the HACK from the administration section, but could this type of HACK be made from a contact form? The contact form just asks for a NAME, EMAIL and COMMENTS field, and the COMMENTS section is just a simple text box.
>
> Thanks

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331938
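The two answers above (escape everything you print with HtmlEditFormat; keep cfqueryparam on every variable that reaches SQL) written out as a complete pair of templates. This is an example added here, not code from the thread or from any of the posters. The datasource DS1, the FEEDBACK and County tables and the NAME/EMAIL/COMMENTS form fields are from the thread; the file names, the form.county and url.county parameters and the LEFT_IP and CREATED columns are assumptions.

```cfml
<!--- contact_save.cfm (file name assumed): handles the public contact form.
      The visitor's text is stored exactly as typed. No HTML encoding happens
      here, so the same row can later be rendered as HTML, plain-text e-mail
      or JSON with the encoding chosen at output time. --->
<cfparam name="form.name"     default="">
<cfparam name="form.email"    default="">
<cfparam name="form.comments" default="">
<cfparam name="form.county"   default="0">  <!--- assumed: a <select> of County.ID values --->

<!--- Validate the shape of the input; cfqueryparam below takes care of SQL. --->
<cfif NOT isValid("email", form.email)
      OR NOT len(trim(form.comments))
      OR NOT isValid("integer", form.county)>
    <cfthrow type="Application" message="Invalid contact form submission.">
</cfif>

<cfquery datasource="DS1">
    INSERT INTO FEEDBACK (FEEDBACK, LEFT_BY, COUNTY, LEFT_IP, CREATED)
    VALUES (
        <cfqueryparam value="#form.comments#"   cfsqltype="cf_sql_varchar" maxlength="4000">,
        <cfqueryparam value="#form.name#"       cfsqltype="cf_sql_varchar" maxlength="100">,
        <cfqueryparam value="#form.county#"     cfsqltype="cf_sql_integer">,
        <cfqueryparam value="#cgi.remote_addr#" cfsqltype="cf_sql_varchar" maxlength="45">,
        <cfqueryparam value="#now()#"           cfsqltype="cf_sql_timestamp">
    )
</cfquery>


<!--- feedback.cfm (file name assumed): the display page from the thread, with
      the county filter parameterised and every column HTML-encoded on output. --->
<cfparam name="url.county" default="0">
<cfif NOT isValid("integer", url.county)>
    <cfthrow type="Application" message="Invalid county id.">
</cfif>

<cfquery name="RS1" datasource="DS1">
    SELECT FEEDBACK.ID, FEEDBACK.FEEDBACK, FEEDBACK.LEFT_BY,
           County.County, County.ID AS COUNTY_ID
    FROM   FEEDBACK
           INNER JOIN County ON (FEEDBACK.COUNTY = County.ID)
    WHERE  County.ID = <cfqueryparam value="#url.county#" cfsqltype="cf_sql_integer">
    ORDER BY FEEDBACK.ID DESC
</cfquery>

<!--- htmlEditFormat() turns <, >, & and " into entities, so a stored <script>
      block is displayed as text instead of being run by the browser. It does
      not encode the single quote, so keep attribute values double-quoted. --->
<cfoutput query="RS1">
    <div class="feedback" id="feedback-#RS1.ID#">
        <p>#htmlEditFormat(RS1.FEEDBACK)#</p>
        <p><em>#htmlEditFormat(RS1.LEFT_BY)#</em>, #htmlEditFormat(RS1.County)#</p>
    </div>
</cfoutput>
```

Encoding at output rather than on the way in keeps the stored text raw, so the same value can go into an e-mail or a JSON response with the encoding that context needs, and it also covers rows that were already in the table before the fix. The County.ID alias avoids two columns named ID in the same result set. On ColdFusion 10 and later, encodeForHTML() is the stricter replacement for htmlEditFormat().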
Re: Coldfusion SQL Hack
The query you wrote is not hackable via SQL injection. No changes need to be made to it.

-Mike Chabot

On Mon, Mar 22, 2010 at 7:04 AM, Anthony Doherty a.dohe...@advancesystems.co.uk wrote:

> I have a site page that is only using the query below and the site keeps getting hit by SQL hacks. I have looked through every SQL query and all the queries are using <cfqueryparam value="#URL.???#" cfsqltype="cf_sql_numeric"> so they can't be hacked. Can someone explain how I can amend this query so it's not hackable??
>
> <cfquery name="RS1" datasource="DS1">
>     SELECT FEEDBACK.ID, FEEDBACK.FEEDBACK, FEEDBACK.LEFT_BY, County.County, County.ID
>     FROM FEEDBACK INNER JOIN County ON (FEEDBACK.COUNTY = County.ID)
> </cfquery>
>
> Thanks

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331939
RE: ColdFusion SQL Hack
I would ensure that every single update / insert on your site is using cfqueryparams for security's sake; however, it sounds to me like your issue is not SQL injection, but more XSS attacks.

An XSS attack is where data is inserted into a page, usually via a database input field somewhere, which then executes JavaScript or another piece of code in a site, which can cause users' sessions to be hijacked, or the user could be simply redirected, which is what it sounds like this XSSer is doing.

Dorioo is right on about the fix for this. I would either sanitize all data that a customer has access to input with htmleditformat(), or sanitize the output with htmleditformat(). I.e.:

INSERT INTO users (userId, userName) VALUES ('#form.username#')

Should be:

INSERT INTO users (userId, userName) VALUES ('#htmlEditFormat(form.username)#')

Another option would be to enable Global Script Protection in the settings area of your ColdFusion administrator. Doing this will cause you to never have the ability to pass JavaScript tags and object tags via CGI, FORM and URL variables though, so I would be careful about this global option.

Good luck!

Paul Alkema
AlkemaDesigns.com

-----Original Message-----
From: Mike Chabot [mailto:mcha...@gmail.com]
Sent: Monday, March 22, 2010 9:25 AM
To: cf-talk
Subject: Re: Coldfusion SQL Hack

> The query you wrote is not hackable via SQL injection. No changes need to be made to it.
>
> -Mike Chabot
>
> On Mon, Mar 22, 2010 at 7:04 AM, Anthony Doherty a.dohe...@advancesystems.co.uk wrote:
>
> > I have a site page that is only using the query below and the site keeps getting hit by SQL hacks. I have looked through every SQL query and all the queries are using <cfqueryparam value="#URL.???#" cfsqltype="cf_sql_numeric"> so they can't be hacked. Can someone explain how I can amend this query so it's not hackable??
> >
> > <cfquery name="RS1" datasource="DS1">
> >     SELECT FEEDBACK.ID, FEEDBACK.FEEDBACK, FEEDBACK.LEFT_BY, County.County, County.ID
> >     FROM FEEDBACK INNER JOIN County ON (FEEDBACK.COUNTY = County.ID)
> > </cfquery>
> >
> > Thanks

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331941
RE: ColdFusion SQL Hack
Script protection can also be enabled on an application basis. If you are confident that your admin tools are not easily hacked, you can have a public application with scriptprotect disabled and an admin section with it enabled... this is fairly common when using a CMS.

<cfapplication name="blah" scriptprotect="all">

Or in an Application.cfc:

This.scriptprotect = "all";

-Mark

Mark A. Kruger, MCSE, CFG
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: Paul Alkema [mailto:paulalkemadesi...@gmail.com]
Sent: Monday, March 22, 2010 8:56 AM
To: cf-talk
Subject: RE: ColdFusion SQL Hack

> I would ensure that every single update / insert on your site is using cfqueryparams for security's sake; however, it sounds to me like your issue is not SQL injection, but more XSS attacks.
>
> An XSS attack is where data is inserted into a page, usually via a database input field somewhere, which then executes JavaScript or another piece of code in a site, which can cause users' sessions to be hijacked, or the user could be simply redirected, which is what it sounds like this XSSer is doing.
>
> Dorioo is right on about the fix for this. I would either sanitize all data that a customer has access to input with htmleditformat(), or sanitize the output with htmleditformat(). I.e.:
>
> INSERT INTO users (userId, userName) VALUES ('#form.username#')
>
> Should be:
>
> INSERT INTO users (userId, userName) VALUES ('#htmlEditFormat(form.username)#')
>
> Another option would be to enable Global Script Protection in the settings area of your ColdFusion administrator. Doing this will cause you to never have the ability to pass JavaScript tags and object tags via CGI, FORM and URL variables though, so I would be careful about this global option.
>
> Good luck!
>
> Paul Alkema
> AlkemaDesigns.com
>
> -----Original Message-----
> From: Mike Chabot [mailto:mcha...@gmail.com]
> Sent: Monday, March 22, 2010 9:25 AM
> To: cf-talk
> Subject: Re: Coldfusion SQL Hack
>
> > The query you wrote is not hackable via SQL injection. No changes need to be made to it.
> >
> > -Mike Chabot
> >
> > On Mon, Mar 22, 2010 at 7:04 AM, Anthony Doherty a.dohe...@advancesystems.co.uk wrote:
> >
> > > I have a site page that is only using the query below and the site keeps getting hit by SQL hacks. I have looked through every SQL query and all the queries are using <cfqueryparam value="#URL.???#" cfsqltype="cf_sql_numeric"> so they can't be hacked. Can someone explain how I can amend this query so it's not hackable??
> > >
> > > <cfquery name="RS1" datasource="DS1">
> > >     SELECT FEEDBACK.ID, FEEDBACK.FEEDBACK, FEEDBACK.LEFT_BY, County.County, County.ID
> > >     FROM FEEDBACK INNER JOIN County ON (FEEDBACK.COUNTY = County.ID)
> > > </cfquery>
> > >
> > > Thanks

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331943
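Mark's point that scriptProtect is set per application, written out as two Application.cfc files. This is an example added here, not Mark's code; the application names and the directory layout are assumptions. ColdFusion picks the nearest Application.cfc walking up from the requested template, so an admin sub-directory with its own Application.cfc and its own this.name is a separate application with its own setting. Which side gets the filter is a design choice; here the public site, whose contact form is the untrusted input in this thread, has it on, and the staff tool has it off because editors there may need to enter legitimate markup.

```cfml
<!--- /Application.cfc : the public site (example added here; names assumed). --->
component {
    this.name               = "publicSite";
    this.applicationTimeout = createTimeSpan(1, 0, 0, 0);

    // Rewrites script, object, embed, applet and meta tags found in the named
    // scopes to <InvalidTag ...> before any template sees the value.
    // "all" covers cgi, cookie, form and url; a list such as "form,url" narrows it.
    // This is a blunt filter on a handful of tag names, not an encoder: the
    // htmlEditFormat() call at output time is still required.
    this.scriptProtect = "all";
}


<!--- /admin/Application.cfc : the staff-only tool, a separate application
      because it has its own Application.cfc and name. Protection is off here,
      so the admin pages must encode on output themselves, and every request
      is gated on the login session. --->
component {
    this.name               = "adminSite";
    this.applicationTimeout = createTimeSpan(0, 2, 0, 0);
    this.sessionManagement  = true;
    this.sessionTimeout     = createTimeSpan(0, 0, 30, 0);
    this.scriptProtect      = "none";

    // Fail closed: anything under /admin without a logged-in user goes to the
    // login page. "adminUser" is an assumed session key set by login.cfm.
    public boolean function onRequestStart(required string targetPage) {
        if (NOT structKeyExists(session, "adminUser")
            AND NOT findNoCase("login.cfm", arguments.targetPage)) {
            location(url="/admin/login.cfm", addToken=false);
        }
        return true;
    }
}
```

A request to /admin/anything.cfm is served under adminSite, everything else under publicSite, so the two settings never interfere; if the admin application should inherit the public one's settings, it would extend the root component instead of redefining it, and then scriptProtect is simply overridden there.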
Re: ColdFusion SQL Hack
I have added the #htmlEditFormat# TAG and will monitor the site over the coming weeks and see what happens.

Thanks to everyone who helped!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331951
Re: ColdFusion SQL Hack
> I have added the #htmlEditFormat# TAG and will monitor the site over the coming weeks and see what happens. Thanks to everyone who helped!

> The Feedback section is entered with an administration section and this is locked down with a username and password.

If you say the person doing this has already signed into your admin app, try recording their IP address when they add the XSS code. Then fire them.

If you have access to the web logs and the time they've added this malicious code (timestamp), you could look back at the ones they've already entered.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331970
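The triage step suggested above and in Gabriel's second point (find the rows that carry markup, see who left them and when, then match that against the web logs) as a staff-only audit template. This is an example added here, not code from the thread; the FEEDBACK table and DS1 are from the thread, while the file name and the LEFT_IP and CREATED columns (an address and timestamp recorded at insert time) are assumptions.

```cfml
<!--- audit_feedback.cfm (file name assumed): lists stored feedback rows that
      contain markup, with the recorded address and time of each, so the
      matching POSTs can be found in the web server log. --->

<!--- Substrings that have no business in plain-text feedback. Lower-case,
      because the comparison below lower-cases the column for portability. --->
<cfset patterns = ["%<script%", "%<iframe%", "%javascript:%", "%onerror=%", "%onload=%"]>

<cfquery name="suspect" datasource="DS1">
    SELECT ID, LEFT_BY, LEFT_IP, CREATED, FEEDBACK
    FROM   FEEDBACK
    WHERE  1 = 0
    <cfloop array="#patterns#" index="p">
        OR LOWER(FEEDBACK) LIKE <cfqueryparam value="#p#" cfsqltype="cf_sql_varchar">
    </cfloop>
    ORDER BY CREATED DESC
</cfquery>

<!--- The audit page must not become the next victim: encode every column,
      including the stored payload itself, before printing it. --->
<cfoutput>
<p>#suspect.recordCount# suspicious row(s)</p>
<table>
<tr><th>ID</th><th>Left by</th><th>IP</th><th>When</th><th>Stored text</th></tr>
<cfloop query="suspect">
  <tr>
    <td>#suspect.ID#</td>
    <td>#htmlEditFormat(suspect.LEFT_BY)#</td>
    <td>#htmlEditFormat(suspect.LEFT_IP)#</td>
    <td>#dateFormat(suspect.CREATED, "yyyy-mm-dd")# #timeFormat(suspect.CREATED, "HH:mm:ss")#</td>
    <td><code>#htmlEditFormat(suspect.FEEDBACK)#</code></td>
  </tr>
</cfloop>
</table>
</cfoutput>
```

Each CREATED/LEFT_IP pair gives a time window and client address to look for in the access log; a POST to the public contact form at that moment shows the entry came from the form rather than from the admin tool. The pattern list is a quick first pass, not a full HTML detector: anything the list misses still renders harmlessly as long as every page prints the column through htmlEditFormat().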
Re: ColdFusion SQL Hack
I would also add this: http://www.cflib.org/udf/FormStripHTML

Strip out the HTML before it goes into the database.

This query below is only hackable if the County.ID is a text field and people can enter it from a website. (Like if you ask for an abbreviation as the county ID.)

<cfquery name="RS1" datasource="DS1">
    SELECT FEEDBACK.ID, FEEDBACK.FEEDBACK, FEEDBACK.LEFT_BY, County.County, County.ID
    FROM FEEDBACK INNER JOIN County ON (FEEDBACK.COUNTY = County.ID)
</cfquery>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331992