Re: Compromising Security
no. the issue is how you use the info.

A piece of text (eg Search text) like

'; drop table myTable; select name as thatData from sysObjects where '' = '

shouldn't be a problem, if executed like so:

select thatData from myTable where thatValue= '#form.thatvalue#';

but if you do it like this:

#preservesinglequotes(sql)#

well, I'd be betting that table is dropped and you've got the entire Name field elements in Sysobjects table returned. no, I'm not going to test that code. :-)

A major worry is when people don't check their integers. I've seen it a lot of times in code, people assume that the variable, if it exists, is an integer and let code like this run:

select * from myTable where ID = #url.id#

nasty... so, test each form element used in the query for validity. eg.

if (not (isdefined('url.id') and isNumeric(url.id)))
    url.id = 1; // or whatever default value
// other checks

and if you do use queries like so:

#preservesinglequotes(sql)#

please, during your checking replace all single quotes in your strings with 2 single quotes, and if you're using an Access database you've gotta check for something else.. what is it? an exclamation mark? oh I can't remember.

- Original Message -
From: "sebastian palmigiani" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Wednesday, May 23, 2001 1:41 PM
Subject: Re: Compromising Security

Is this the most efficient way to check for SQL in form input?

Sebastian

-- if they knew the name of the table and mess up the DB
> > > Bryan Love ACP
> Internet Application Developer
> [EMAIL PROTECTED]

~~ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Compromising Security
Uh.. Raymond's email is better. I wrote this before I received his; as I've had work to do I only now found Raymond's email. I've emailed anyway, as while some things overlap, there is a bit more specific information on the topic of server side validation.

Examine how you treat the URL/FORM parameters used in queries.

When using integers (eg. referencing a primary key of integer type) make sure they really are numeric (use isNumeric(blah) instead, as 0a to 23a and 0p to 23p are regarded as numeric by cfparam).

When using other data types, make sure they are validated *on receiving* in some way (eg. just before you do the cfquery).

If you ever use PreserveSingleQuotes, make sure any string passed by URL/FORM you're using has had its single quotes manipulated (eg. replace(url.title, "'", "''", "all")).

Don't receive column/table names via the URL/FORM variables, unless you have something to check them against. eg. You have a list of available tables hard-coded and you check that url.table is in that list.

Ideally, you want only values (eg. 'henry', 31, 1323) passed in URL/FORM variables. Less work, as you don't have to check validity as much. ;-)

Of course, to generalise all this: "Check all variables that are to be used exist and are valid for their use before running your Query"

now ask, should that person, though the query is safe, have been allowed to do that query? ;-)

- Original Message -
From: "Pooh Bear" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Wednesday, May 23, 2001 12:16 PM
Subject: RE: Compromising Security

but my DB isn't located in some folder, it's a SQL server DB, not an access file.

>From: "Peter Tilbrook" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: CF-Talk <[EMAIL PROTECTED]>
>Subject: RE: Compromising Security
>Date: Wed, 23 May 2001 11:56:50 +1000
>
>The first thing you should do is store your databases in a folder that is not accessible from the Internet (out of your web root). For example:
>
>Your websites could be in c:\inetpub\wwwroot\mywebsite\
>
>But you should store the databases somewhere else, eg:
>
>c:\datasources\
>
>Secure this directory and update CF Administrator to look here for datasources instead. Don't think your databases have to be physically within your web site for CF to access them.
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Pooh Bear
>Sent: Wednesday, 23 May, 2001 2:28 AM
>To: CF-Talk
>Subject: Compromising Security
>
>hey, I was wondering what are the least amount of information someone needs to compromise my database or code? I am.err..."hacking?" my site/database through the URL. So far, I've got 2 tablenames, the datasource, and some field names. I don't want to have to do a lot of coding to prevent this from being seen by someone else, but I will if I have to, but first I want to know if anyone could do anything with this much information.
>
>Thanx! :)
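As an added example (not code from the thread), the checks described in this reply and in the preservesinglequotes discussion in the first reply, written in Python against an in-memory SQLite table: a strict integer check, quote doubling, a hard-coded table allowlist, and the injection string quoted in the thread used as the search text. It also shows the bound-parameter form, which the thread does not mention; the allowlist, sample rows and function names are constructed for this example.

```python
import re
import sqlite3

# Hard-coded list of tables a URL/FORM "table" parameter may name (constructed).
ALLOWED_TABLES = {"myTable"}

# The injection string quoted in the thread, reused here as the search text.
INJECTED_SEARCH = ("'; drop table myTable; select name as thatData "
                   "from sysObjects where '' = '")

def safe_int(value, default=1):
    """Strict check for url.id: plain digits only, otherwise the default."""
    if isinstance(value, str) and re.fullmatch(r"\s*-?\d+\s*", value):
        return int(value)
    return default

def escape_single_quotes(text):
    """The replace(url.title, "'", "''", "all") step: double every quote."""
    return text.replace("'", "''")

def safe_table(name):
    """Accept a table name only if it is on the hard-coded allowlist."""
    if name not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {name!r}")
    return name

def run_search(table, search_text, record_id, use_params=True):
    """Run the lookup against a throwaway in-memory SQLite table and return
    (rows found, whether myTable still exists afterwards)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE myTable (id INTEGER PRIMARY KEY, thatValue TEXT);"
        "INSERT INTO myTable VALUES (1, 'henry'), (2, 'alice');"
    )
    tbl = safe_table(table)    # table name is checked against the list
    rid = safe_int(record_id)  # integer is verified, never assumed
    if use_params:
        # Bound parameter: the driver never interprets the value as SQL.
        sql = f"SELECT thatValue FROM {tbl} WHERE thatValue = ? AND id >= ?"
        rows = con.execute(sql, (search_text, rid)).fetchall()
    else:
        # Inline string as in the thread: safe only because quotes are doubled.
        sql = (f"SELECT thatValue FROM {tbl} WHERE thatValue = "
               f"'{escape_single_quotes(search_text)}' AND id >= {rid}")
        rows = con.execute(sql).fetchall()
    survived = con.execute(
        "SELECT count(*) FROM sqlite_master WHERE name = 'myTable'"
    ).fetchone()[0] == 1
    con.close()
    return rows, survived
```

Either form returns no rows for the injected search text and leaves myTable in place; the allowlist rejects a request naming sysObjects before any SQL is built.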
Re: Compromising Security
Is this the most efficient way to check for SQL in form input?

Sebastian

-- if they knew the name of the table and mess up the DB
> > > Bryan Love ACP
> Internet Application Developer
> [EMAIL PROTECTED]
>
> -Original Message-
> From: Pooh Bear [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 22, 2001 9:28 AM
> To: CF-Talk
> Subject: Compromising Security
RE: Compromising Security
Code smart.

Don't allow input from a form field to ever go directly into a query: Treat all data received from a user as tainted. Don't rely on JS or HTML, there's nothing to stop someone doing a direct post to your script.

Get rid of detailed error messages, use error templates and try/catch to make them "user friendly" (and disable in admin).

Give CF only the permissions it needs, don't run as a dbms su when select/insert/update permissions are all that's needed for the main site.

Use stored procedures, not only do you get the benefit of added speed and lower connection overhead (though portability can be affected) you can more readily control exactly what is being accessed.

There are tons of other suggestions, such as always staying on top of security updates (unlike 60%+ of sysadmins out there who don't patch known issues even years after they've been discovered and documented).

It doesn't take much extra coding, and it quickly becomes second nature. Your applications will be more stable, secure, and happier for it.

-Original Message-
From: Peter Tilbrook [mailto:[EMAIL PROTECTED]]
Sent: May 22, 2001 18:57
To: CF-Talk
Subject: RE: Compromising Security

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Pooh Bear
Sent: Wednesday, 23 May, 2001 2:28 AM
To: CF-Talk
Subject: Compromising Security
RE: Compromising Security
but my DB isn't located in some folder, it's a SQL server DB, not an access file.

>From: "Peter Tilbrook" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: CF-Talk <[EMAIL PROTECTED]>
>Subject: RE: Compromising Security
>Date: Wed, 23 May 2001 11:56:50 +1000
RE: Compromising Security
The first thing you should do is store your databases in a folder that is not accessible from the Internet (out of your web root). For example:

Your websites could be in c:\inetpub\wwwroot\mywebsite\

But you should store the databases somewhere else, eg:

c:\datasources\

Secure this directory and update CF Administrator to look here for datasources instead. Don't think your databases have to be physically within your web site for CF to access them.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Pooh Bear
Sent: Wednesday, 23 May, 2001 2:28 AM
To: CF-Talk
Subject: Compromising Security
RE: Compromising Security
someone could conceivably type "; drop table [tablename];" into a form field if they knew the name of the table and mess up the DB

Bryan Love ACP
Internet Application Developer
[EMAIL PROTECTED]

-Original Message-
From: Pooh Bear [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 22, 2001 9:28 AM
To: CF-Talk
Subject: Compromising Security
Re: [Compromising Security]
best thing to do is require only authorized hosts to connect to your DB.

"Pooh Bear" <[EMAIL PROTECTED]> wrote:
Re: Compromising Security
what i meant was, if someone knew my datasource, and a couple of table names and fields, will they be able to cause any damage?

>From: "Dave f" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: CF-Talk <[EMAIL PROTECTED]>
>Subject: Re: Compromising Security
>Date: Tue, 22 May 2001 14:00:42 -0400
>
>What do you mean by compromise?
>If you have a connection to the Internet, you are potentially at risk. The only thing that you can do is to make it harder to be compromised (encryption, firewall). Some OSes are inherently more secure than others, but none of them can withstand an attack by a knowledgeable individual or group
>
>- Original Message -
>From: "Pooh Bear" <[EMAIL PROTECTED]>
>To: "CF-Talk" <[EMAIL PROTECTED]>
>Sent: Tuesday, May 22, 2001 12:28 PM
>Subject: Compromising Security
RE: Compromising Security
A big one: If the users can get this information, they may be able to send CFTAGS in your form fields and cause trouble. Be sure to validate all form entries to abort any cftags being sent into form fields.

Signed,
Bill King
HostWorks INC
http://www.hostworks.com

-Original Message-
From: Pooh Bear [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 22, 2001 10:28 AM
To: CF-Talk
Subject: Compromising Security
Re: Compromising Security
if someone can run a query from a url, all they have to do is get to the sysobjects table (a known table in ss7) then, if done properly, your code will display every table name in the database. they could then insert orders (yes even as strings though that is a bit harder), or query the credit card information.. there is a whole lot that can be done.

make sure that you keep people from running queries in the url. use validation at all times.

-chris

ps if you want help securing your site, email me privately and I'll give you some insights.

On Tue, 22 May 2001, Pooh Bear wrote:
Re: Compromising Security
What do you mean by compromise?

If you have a connection to the Internet, you are potentially at risk. The only thing that you can do is to make it harder to be compromised (encryption, firewall). Some OSes are inherently more secure than others, but none of them can withstand an attack by a knowledgeable individual or group

- Original Message -
From: "Pooh Bear" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Tuesday, May 22, 2001 12:28 PM
Subject: Compromising Security