Re: sql injection attempt
Yes indeed. We had some attempts at injection attacks via a fake user-agent variable in the CGI scope, as we were logging visiting user agents in a database table. Luckily they were not able to execute any code thanks to tight SQL permissions, but the code they were trying to execute was written to the table. I'd not even thought of that method till we saw it. But something to have an eye on.

Regards, Ian.

On 23/01/2013 19:09, Pete Freitag wrote:
> On Wed, Jan 23, 2013 at 12:57 PM, Rob Voyle robvo...@voyle.com wrote:
> > Hi Greg, As I continue to update my security processes, I'm curious: was this injection attempt at the URL or at a form input?
>
> Keep in mind that vulnerabilities can come from any input that the attacker can manipulate, e.g. form, URL, CGI, cookie variables are all game.
>
> --
> Pete Freitag - Adobe Community Professional
> http://foundeo.com/ - ColdFusion Consulting Products
> http://hackmycf.com - Is your ColdFusion Server Secure?
> http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354042
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: sql injection attempt
Hi Greg,

As I continue to update my security processes, I'm curious: was this injection attempt at the URL or at a form input?

Thanks,
Rob

On 22 Jan 2013 at 11:12, Greg Morphis wrote:
> I saw some request errors but what were they trying to do? This is what the onRequest error email showed:
>
>     declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313527 exec(@q)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354030
Re: sql injection attempt
It was attempted via the URL.

On Wed, Jan 23, 2013 at 11:57 AM, Rob Voyle robvo...@voyle.com wrote:
> Hi Greg, As I continue to update my security processes, I'm curious: was this injection attempt at the URL or at a form input?
>
> Thanks, Rob
>
> On 22 Jan 2013 at 11:12, Greg Morphis wrote:
> > I saw some request errors but what were they trying to do? This is what the onRequest error email showed:
> >
> >     declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313527 exec(@q)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354031
Re: sql injection attempt
On Wed, Jan 23, 2013 at 12:57 PM, Rob Voyle robvo...@voyle.com wrote:
> Hi Greg, As I continue to update my security processes, I'm curious: was this injection attempt at the URL or at a form input?

Keep in mind that vulnerabilities can come from any input that the attacker can manipulate, e.g. form, URL, CGI, cookie variables are all game.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354032
sql injection attempt
I saw some request errors but what were they trying to do? This is what the onRequest error email showed:

    declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313527 exec(@q)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353998
Re: sql injection attempt
That's hex for "WAITFOR DELAY '00:00:15'".

On Tue, Jan 22, 2013 at 11:12 AM, Greg Morphis gmorp...@gmail.com wrote:
> 0x57414954464F522044454C4159202730303A30303A313527

--
John Bliss - http://about.me/jbliss

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353999
Re: sql injection attempt
Ah, so they were just checking to see if they could get something to work before possibly trying anything real. Thanks!

On Tue, Jan 22, 2013 at 11:15 AM, John M Bliss bliss.j...@gmail.com wrote:
> That's hex for "WAITFOR DELAY '00:00:15'".
>
> On Tue, Jan 22, 2013 at 11:12 AM, Greg Morphis gmorp...@gmail.com wrote:
> > 0x57414954464F522044454C4159202730303A30303A313527
>
> --
> John Bliss - http://about.me/jbliss

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354000
Re: sql injection attempt
> Ah, so they were just checking to see if they could get something to work before possibly trying anything real.

That's a pretty standard approach. If they can get the response to delay, then they can mark that URL as a potential entry point to come back and explore more later.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354001
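The hex literal John decoded and the delay probe Justin describes, as an added example in Python (not code from anyone on the list). It decodes SQL Server `0x...` literals found in a captured query string, recognises a WAITFOR DELAY probe and its interval, and then applies the check a defender actually wants from the access log: a request carrying such a probe whose response time matches the requested delay went through to the database, one that came back in milliseconds did not. The sample query string is constructed from the fragment in Greg's error mail; the '+' encoding of spaces is an assumption about how it arrived.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample: the fragment Greg's onRequest error reported, re-assembled
# here as one URL-encoded query string ('+' for spaces, as CGI delivers it).
SAMPLE_QUERY_STRING = (
    "id=1;declare+@q+varchar(8000)+select+@q+="
    "0x57414954464F522044454C4159202730303A30303A313527+exec(@q)--"
)

HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{2,})")
WAITFOR = re.compile(r"WAITFOR\s+DELAY\s+'(\d\d):(\d\d):(\d\d)'", re.IGNORECASE)


def decode_hex_literals(text):
    """ASCII decoding of every SQL Server 0x... literal in text, in order.

    Odd-length runs cannot be a byte string and are skipped; bytes that are not
    ASCII are shown as Latin-1 so nothing is silently dropped.
    """
    out = []
    for match in HEX_LITERAL.finditer(text):
        digits = match.group(1)
        if len(digits) % 2:
            continue
        raw = bytes.fromhex(digits)
        try:
            out.append(raw.decode("ascii"))
        except UnicodeDecodeError:
            out.append(raw.decode("latin-1"))
    return out


def delay_seconds(decoded_sql):
    """Seconds a WAITFOR DELAY 'hh:mm:ss' would sleep, or None if there is none."""
    match = WAITFOR.search(decoded_sql)
    if not match:
        return None
    hours, minutes, seconds = (int(x) for x in match.groups())
    return hours * 3600 + minutes * 60 + seconds


def classify_hex_probe(query_string):
    """Decode the hex literals in a captured query string and say whether they
    form a time-based probe: a payload whose only observable effect is delay,
    which is how a scanner confirms injection without seeing any data."""
    decoded = decode_hex_literals(unquote_plus(query_string))
    delays = [d for d in map(delay_seconds, decoded) if d is not None]
    return {
        "decoded": decoded,
        "time_based_probe": bool(delays),
        "delay": max(delays) if delays else None,
    }


def probe_succeeded(response_seconds, requested_delay, slack=0.5):
    """True when the response took about as long as the payload asked for.

    A request carrying a delay probe that also shows the delay in the access
    log reached the database; one that returned in milliseconds was blocked
    or failed to parse.
    """
    return response_seconds >= requested_delay - slack


if __name__ == "__main__":
    info = classify_hex_probe(SAMPLE_QUERY_STRING)
    print(info)
    # Constructed access-log records: (request path, response time in seconds).
    for path, took in [("/index.cfm?" + SAMPLE_QUERY_STRING, 15.2),
                       ("/index.cfm?" + SAMPLE_QUERY_STRING, 0.03)]:
        hit = info["time_based_probe"] and probe_succeeded(took, info["delay"])
        print(f"{took:6.2f}s  reached_database={hit}  {path[:50]}...")
```

The latency check is the part worth keeping: a scanner that gets a 15 second response has confirmed the page as injectable, so the same request pattern with a normal response time is noise, while one with the delay is an incident.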
RE: Another weird SQL Injection attempt
Hmmm. One of my sites also had this exact attack (and some variations, tried about a dozen times) yesterday also.

Robert Harrison
Director of Interactive Services
Austin Williams
Advertising | Branding | Digital | Direct
125 Kennedy Drive, Suite 100 | Hauppauge, NY 11788
T 631.231.6600 X 119 F 631.434.7022
http://www.austin-williams.com
Blog: http://www.austin-williams.com/blog
Twitter: http://www.twitter.com/austin_wi

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352792
Another weird SQL Injection attempt
Never seen this before! Script in Application file, as usual, caught it before it got further... Here's what was tried:

    /index.cfm?action=dance.school%29%29%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version--40version--=MSOTlPn_View=0MSOTlPn_ShowSettings=False%27%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version%29--MSOGallery_SelectedLibrary=MSOGallery_FilterString=MSOTlPn_Button=none__REQUESTDIGEST=MSOAuthoringConsole_FormContext=MSOAC_EditDuringWorkflow=MSOSPWebPartManager_DisplayModeName=BrowseMSOWebPartPage_Shared=MSOLayout_LayoutChanges=MSOLayout_InDesignMode=MSOSPWebPartManager_OldDisplayModeName=BrowseMSOSPWebPartManager_StartWebPartEditingName=falseASB_TextDT_Props=ASB_DateTimeDT_Props=Write%23%3B%23CreatedASB_ResType_Query=__VIEWSTATE=PostList%24ctl06%24ctl26%24ctl01=nochangectl00%24ctl00%24bcr%24bcr%24ctl01%24ctl03%24ctl00%24PostList%24ctl07%24ctl26%24ctl01=nochangectl00%24ctl00%24bcr%24bcr%24ctl01%24ctl03%24ctl00%24PostList%24ctl08%24ctl26%24ctl01=nochangectl00%24ctl00%24bcr%24bcr%24ctl01%24ctl03%24ctl00%24PostList%24ctl09%24ctl26%24ctl01=nochangectl00%24ctl00%24bcr%24bcr%24ctl01%24ctl03%24ctl00%24PostList%24ctl10%24ctl26%24ctl01=nochangectl00%24ctl00%24bcr%24bcr%24ctl01%24ctl03%24ctl00%24PostList%24ctl11%24ctl26%24ctl01=nochangectl00%24ctl00%24bcr%24bcr%24ctl01%24ctl03%24ctl00%24PostList%24ctl12%24ctl26%24ctl01=nochangectl00%24ctl00%24bcr%24bcr%24ctl01%24ctl03%24ctl00%24PostList%24ctl13%24ctl26%24ctl01=nochangectl00%24ctl00%24bcr%24bcr%24ctl01%24ctl03%24ctl00%24PostList%24ctl14%24ctl26%24ctl01=nochangectl00%24ctl00%24bcr%24bcr%24ctl01%24ctl03%24ctl00%24PostList%24ctl15%24ctl26%24ctl01=nochangectl00%24ctl00%24bcr%24bcr%24ctl01%24ctl03%24ctl00%24PostList%24ctl16%24ctl26%24ctl01=nochange00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%240=ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%241=ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%242=ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%243=ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%244=ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%245=ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%246=ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%247=ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%248=ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%249=ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%2410=ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%2411=ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%2412=ctl00%24ContentP

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352784
Re: Another weird SQL Injection attempt
Just battled this today myself. Here's some more information on it:
https://isc.sans.edu/diary.html?storyid=12127

On 9/30/12 5:58 PM, Les Mizzell lesm...@bellsouth.net wrote:
> Never seen this before! Script in Application file, as usual, caught it before it got further... Here's what was tried:
> [the /index.cfm?action=dance.school... URL is quoted in full in the original post above]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352785
Re: Another weird SQL Injection attempt
Looks like the same attack tried my servers too - too bad for them it failed. Long Live CFQueryParam, amongst other little tools. Oh, and running a PostgreSQL database :-)

Wil Genovese
Sr. Web Application Developer / Systems Administrator
CF Webtools
www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com

On Sep 30, 2012, at 8:01 PM, Scott Slone wrote:
> Just battled this today myself. Here's some more information on it:
> https://isc.sans.edu/diary.html?storyid=12127
>
> On 9/30/12 5:58 PM, Les Mizzell lesm...@bellsouth.net wrote:
> > Never seen this before! Script in Application file, as usual, caught it before it got further... Here's what was tried:
> > [the /index.cfm?action=dance.school... URL is quoted in full in the original post above]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352786
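Why Wil's "Long Live CFQueryParam" is the right answer, shown as an added example in Python rather than CFML so it can be run anywhere (this is not code from the list; SQLite stands in for the SQL Server or PostgreSQL the posters use, and the news table, its rows and the hostile value are constructed). The first function builds SQL by concatenation, which is what a `<cfquery>` that interpolates `#url.NewsID#` does; the second sends the value as a typed bind parameter, which is what `<cfqueryparam cfsqltype="cf_sql_integer">` does.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny news table with published and draft rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE news (newsid INTEGER PRIMARY KEY, title TEXT, published INTEGER);
        INSERT INTO news VALUES (37, 'Public story', 1);
        INSERT INTO news VALUES (38, 'Unpublished draft', 0);
        INSERT INTO news VALUES (39, 'Another draft', 0);
        """
    )
    return conn


def fetch_vulnerable(conn, news_id):
    """String-built SQL: the request value becomes part of the SQL grammar, so
    anything after the number rewrites the WHERE clause."""
    sql = "SELECT newsid, title FROM news WHERE published = 1 AND newsid = " + news_id
    return conn.execute(sql).fetchall()


def fetch_parameterised(conn, news_id):
    """Typed bind parameter: the value is never parsed as SQL, and a value that
    is not an integer is rejected before the database sees it."""
    try:
        value = int(news_id)
    except ValueError:
        raise ValueError("NewsID must be an integer, got %r" % news_id) from None
    sql = "SELECT newsid, title FROM news WHERE published = 1 AND newsid = ?"
    return conn.execute(sql, (value,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    normal = "37"
    # Constructed tautology in the style of the "471+or+1=(...)" query string
    # quoted elsewhere in this archive: AND binds tighter than OR, so the
    # published = 1 restriction is bypassed and the drafts come back.
    hostile = "37 OR 1=1"
    print("vulnerable, normal    :", fetch_vulnerable(conn, normal))
    print("vulnerable, hostile   :", fetch_vulnerable(conn, hostile))
    print("parameterised, normal :", fetch_parameterised(conn, normal))
    try:
        fetch_parameterised(conn, hostile)
    except ValueError as err:
        print("parameterised, hostile: rejected ->", err)
```

The type check is not an optional extra: `cf_sql_integer` (or `int()` here) turns the whole class of string-shaped payloads in this thread into a request that fails before any SQL is built, which is why a site that parameterises every query can treat these scans as log noise.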
SQL Injection
One of my sites that has some anti-injection script reported this today - does anyone know what this clown was trying to do? Thank you!!

URL: /news_detail.cfm?NewsID=37+++Result:+no+post+sending+forms+are+found;

++ Kevin Parker ++

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351321
Re: SQL Injection
This is possibly from XRumer. It is link building/forum spamming software.

On Thu, May 24, 2012 at 5:30 AM, Kevin Parker tras...@internode.on.net wrote:
> One of my sites that has some anti-injection script reported this today - does anyone know what this clown was trying to do? Thank you!!
>
> URL: /news_detail.cfm?NewsID=37+++Result:+no+post+sending+forms+are+found;
>
> ++ Kevin Parker ++

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351323
RE: New SQL injection :(
I'm pretty sure Leigh was just making a joke. It isn't Secure Account either, though; it stands for System Administrator. The fact that it is the only (by default) user with the sysadmin server role should give it away.

-----Original Message-----
From: Alan Rother [mailto:alan.rot...@gmail.com]
Sent: Monday, April 19, 2010 7:33 PM
To: cf-talk
Subject: Re: New SQL injection :(

> I thought it was Secure Account??? =]
>
> On Mon, Apr 19, 2010 at 4:27 PM, Leigh cfsearch...@yahoo.com wrote:
> > > And for the love of all that is good in the world, don't ever let your web servers ever connect to your database with sa.
> >
> > sa, that is the SAfest account right? ;)

~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:333025
New SQL injection :(
I can't believe I got hit again. One of my old pages that is no longer linked into the website didn't have a cfqueryparam. I deleted it from my local machine but forgot to delete it from the server. I have a generic checker in my cfapplication, but it missed this one. Here is the sequence of events:

1. They tried this on thousands of pages and found 1 where it worked. (I am leaving off the domain name and page. This is just the query string.)

    ?item=471+or+1=(%73%65%6C%65%63%74+DATA_TYPE+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME=char(080)%2Bchar(97)%2Bchar(121)%2Bchar(80)%2Bchar(97)%2Bchar(108)+AND+COLUMN_NAME=char(080)%2Bchar(97)%2Bchar(105)%2Bchar(100)%2Bchar(100)%2Bchar(97)%2Bchar(116)%2Bchar(101))-

2. For every table in the database, they did this. It was automated because it happened in a few seconds.

    item=471+update+dvds+set+fname1=SUBSTRING(fname1,0,CHARINDEX(char(60)%2Bchar(116)%2Bchar(111)%2Bchar(116)%2Bchar(62),cast(fname1+as+varchar(8000)))-0)--

It came from one IP address: 94.102.52.27 in the Netherlands.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:333002
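Al's two query strings and the start of Les's `/**/or/**/1=@@version` URL from the other thread all hide the SQL they carry behind encoding: percent escapes, inline comments as token separators, and `char(n)+char(n)` chains instead of string literals. The following is an added example (not Al's checker or anyone's code from the list) that normalises a captured query string into what the database engine would have parsed, then tags it with a few coarse signatures. The payloads are copied from the two posts (Al's first one without its leading `?`); the signature names and regexes are my own.

```python
import re
from urllib.parse import unquote_plus

# Copied from the posts: Al's two query strings and the start of Les's URL.
AL_PAYLOAD_1 = ("item=471+or+1=(%73%65%6C%65%63%74+DATA_TYPE+FROM+INFORMATION_SCHEMA.COLUMNS"
                "+WHERE+TABLE_NAME=char(080)%2Bchar(97)%2Bchar(121)%2Bchar(80)%2Bchar(97)%2Bchar(108)"
                "+AND+COLUMN_NAME=char(080)%2Bchar(97)%2Bchar(105)%2Bchar(100)%2Bchar(100)%2Bchar(97)"
                "%2Bchar(116)%2Bchar(101))-")
AL_PAYLOAD_2 = ("item=471+update+dvds+set+fname1=SUBSTRING(fname1,0,CHARINDEX(char(60)%2Bchar(116)"
                "%2Bchar(111)%2Bchar(116)%2Bchar(62),cast(fname1+as+varchar(8000)))-0)--")
LES_PAYLOAD = "action=dance.school%29%29%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version--"

COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# \b keeps varchar(8000) and CHARINDEX( from being mistaken for char(...).
CHAR_CHAIN = re.compile(r"(?:\bchar\(\s*\d+\s*\)\s*\+\s*)*\bchar\(\s*\d+\s*\)", re.IGNORECASE)
CHAR_ONE = re.compile(r"char\(\s*(\d+)\s*\)", re.IGNORECASE)
SIGNATURES = {  # coarse, for triage; order is the order tags are reported
    "schema enumeration": re.compile(r"\bINFORMATION_SCHEMA\b", re.IGNORECASE),
    "version fingerprint": re.compile(r"@@version", re.IGNORECASE),
    "data modification": re.compile(r"\b(update|insert|delete|drop|alter)\b", re.IGNORECASE),
    "tautology": re.compile(r"\bor\b\s+\S+\s*=", re.IGNORECASE),
}


def fold_char_chain(match):
    """Turn char(80)+char(97)+... back into the quoted literal it spells."""
    text = "".join(chr(int(code)) for code in CHAR_ONE.findall(match.group(0)))
    return "'" + text.replace("'", "''") + "'"


def normalise(query_string):
    """Return the query string as the database engine would have seen it."""
    s = unquote_plus(query_string)        # %73%65... and '+' back to characters
    s = COMMENT.sub(" ", s)               # /**/ is a legal token separator in T-SQL
    s = CHAR_CHAIN.sub(fold_char_chain, s)
    return re.sub(r"\s+", " ", s).strip()


def classify(query_string):
    """Names of the signatures that match the normalised form."""
    s = normalise(query_string)
    return [name for name, rx in SIGNATURES.items() if rx.search(s)]


if __name__ == "__main__":
    for label, qs in [("Al #1", AL_PAYLOAD_1), ("Al #2", AL_PAYLOAD_2), ("Les", LES_PAYLOAD)]:
        print(f"{label}: {normalise(qs)}")
        print(f"       tags: {classify(qs)}")
```

Once normalised, Al's first string reads `... WHERE TABLE_NAME='PayPal' AND COLUMN_NAME='Paiddate'`, which is the schema lookup he describes in his follow-up; the second becomes `CHARINDEX('<tot>', cast(fname1 as varchar(8000)))`, and since CHARINDEX returns 0 when the marker is absent, `SUBSTRING(fname1, 0, 0)` empties the column, which matches his observation that the text was replaced rather than appended. Les's fragment normalises to `or 1=@@version`, a comparison that makes SQL Server raise a conversion error containing the version string, so it only pays off when database errors are echoed to the client. The operational lesson is the same for all three: match signatures against the decoded form, and keep database error text out of responses.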
Re: New SQL injection :(
Fuseguard: http://foundeo.com/security/

Just add a couple lines to your App.cfc or App.cfm and bam, you're secure. Worked awesome for a legacy CFML application that one of our customers was having major SQL injection problems with.

Warm regards,
Jordan Michaels
Vivio Technologies
http://www.viviotech.net/
Open BlueDragon Steering Committee
Railo Community Distributions

Al Musella, DPM wrote:
> I can't believe I got hit again. One of my old pages that is no longer linked into the website didn't have a cfqueryparam. I deleted it from my local machine but forgot to delete it from the server. I have a generic checker in my cfapplication, but it missed this one. Here is the sequence of events:
>
> 1. They tried this on thousands of pages and found 1 where it worked. (I am leaving off the domain name and page. This is just the query string.)
>
> 2. For every table in the database, they did this. It was automated because it happened in a few seconds.
>
> [the two query strings are quoted in full in Al's original post above]
>
> It came from one IP address: 94.102.52.27 in the Netherlands.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:333006
RE: New SQL injection :(
Al,

These sorts of attacks increase and decrease in waves, unfortunately. I spent a few hours fixing a customer server this week myself. Very similar codewise: http://www.coldfusionmuse.com/index.cfm/2010/4/16/SQLi-char-urchin

-Mark

Mark A. Kruger, MCSE, CFG
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: Al Musella, DPM [mailto:muse...@virtualtrials.com]
Sent: Monday, April 19, 2010 5:08 PM
To: cf-talk
Subject: New SQL injection :(

> I can't believe I got hit again. One of my old pages that is no longer linked into the website didn't have a cfqueryparam. I deleted it from my local machine but forgot to delete it from the server. I have a generic checker in my cfapplication, but it missed this one. Here is the sequence of events:
>
> 1. They tried this on thousands of pages and found 1 where it worked. (I am leaving off the domain name and page. This is just the query string.)
>
> 2. For every table in the database, they did this. It was automated because it happened in a few seconds.
>
> [the two query strings are quoted in full in Al's original post above]
>
> It came from one IP address: 94.102.52.27 in the Netherlands.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:333008
RE: New SQL injection :(
FWIW, I don't believe in silver bullets, but one can get a decent amount of mileage by taking the SQL account that CF connects to the database with and removing access to the system and information schema tables. Chances are your app doesn't use those tables, and a lot of SQLi attacks revolve around them.

And for the love of all that is good in the world, don't ever let your web servers ever connect to your database with sa. :)

~Brad

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:333010
RE: New SQL injection :(
> And for the love of all that is good in the world, don't ever let your web servers ever connect to your database with sa.

sa, that is the SAfest account right? ;)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:333011
Re: New SQL injection :(
I thought it was Secure Account??? =]

On Mon, Apr 19, 2010 at 4:27 PM, Leigh cfsearch...@yahoo.com wrote:
> > And for the love of all that is good in the world, don't ever let your web servers ever connect to your database with sa.
>
> sa, that is the SAfest account right? ;)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:333012
Re: New SQL injection :(
If you block this at the webserver, or better yet network, level, you won't incur any processing overhead, and less-than-secure code is at least a bit protected. Some Apache rewrite rules have been posted that will at least stop it at the webserver level, and I think someone posted the IIS plugin equivalent, too.

:den

--
In all the areas within which the spiritual life of humanity is at work, the historical epoch wherein fate has placed us is an epoch of stupendous happenings. Edmund Husserl

On Mon, Apr 19, 2010 at 4:07 PM, Al Musella, DPM wrote:
> I can't believe I got hit again. One of my old pages that is no longer linked into the website didn't have a cfqueryparam. I deleted it from my local machine but forgot to delete it from the server. I have a generic checker in my cfapplication, but it missed this one. Here is the sequence of events:
>
> 1. They tried this on thousands of pages and found 1 where it worked. (I am leaving off the domain name and page. This is just the query string.)
>
> 2. For every table in the database, they did this. It was automated because it happened in a few seconds.
>
> [the two query strings are quoted in full in Al's original post above]
>
> It came from one IP address: 94.102.52.27 in the Netherlands.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:333013
RE: New SQL injection :(
Hi Mark,

You missed the first part of my post: they actually look up all of the table names and field names! They don't do it by throwing random errors! And it replaced all of the text instead of appending. Appending is easier to fix. Luckily nothing of importance is stored in that database and I had daily backups. Had to go back a week to get the uninfected backup.

This was a really simple website I must have written in ColdFusion version 2 for a friend and haven't touched in many years. The same attack was tried on my main website but didn't work.

At 06:44 PM 4/19/2010, you wrote:
> Al,
>
> These sorts of attacks increase and decrease in waves, unfortunately. I spent a few hours fixing a customer server this week myself. Very similar codewise: http://www.coldfusionmuse.com/index.cfm/2010/4/16/SQLi-char-urchin
>
> -Mark
>
> Mark A. Kruger, MCSE, CFG
> (402) 408-3733 ext 105
> www.cfwebtools.com
> www.coldfusionmuse.com
> www.necfug.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:333020
Re: Recent SQL Injection attacks
> I do declare that keyword matching alone has issues :-)

Yeah, that can really bite you in the butt! We've been having pretty good results with the tool that is posted over at my site. It does a fairly decent job of catching most injection and XSS attacks and, with some recent updates that I made to it, has a low rate of false positives. While it doesn't include any IP blocking or monitoring functions, it would be pretty easy to add those if desired. You may need to tweak it a tad for your specific application, but it's pretty easy code to work with.

http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=18

--- Mary Jo

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329804
Re: Recent SQL Injection attacks
On Friday 15 Jan 2010, Chung Chow wrote:

> if ( isdefined("cgi.query_string") and ( findnocase("DECLARE", cgi.query_string) or

I do declare that keyword matching alone has issues :-)

--
Helping to challengingly envisioneer eighth-generation network integrated turn-key bandwidth as part of the IT team of the year, '09 and '08

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329750
RE: Recent SQL Injection attacks
What I do is similar.. IF I detect a sql injection, I also add the ip address of the user to my banned IP list. I ban them for a week.. this way if they manage to find a page that isn't protected, they can't do any damage.

I use a server variable to hold the list of banned IP addresses, so I can share the list among the few websites I host. Then whenever anyone requests a page, I check if their ip is on the banned list; if so, I just log it and display an error page saying the website is down for maintenance and will return soon.

At 06:02 PM 1/15/2010, Chung Chow wrote:

> On the SQL injection subject, here's something I add in all my projects. I usually use this snippet of code to intercept at the top level. It helps.
>
>     <cffunction name="isSQLInjection" access="public" hint="Checks to see if there is a possible SQL Injection attempt">
>         <cfscript>
>             if ( isdefined("cgi.query_string") and
>                  ( findnocase("DECLARE", cgi.query_string) or
>                    findnocase("CAST(", cgi.query_string) or
>                    findnocase("EXEC(", cgi.query_string) or
>                    findnocase("EXEC%", cgi.query_string) or
>                    len(cgi.query_string) gte 700 ) )
>                 return true;
>             else
>                 return false;
>         </cfscript>
>     </cffunction>
>
> -----Original Message-----
> From: Al Musella, DPM [mailto:muse...@virtualtrials.com]
> Sent: Friday, January 15, 2010 2:44 PM
> To: cf-talk
> Subject: RE: Recent SQL Injection attacks
>
> For coldfusion, I use Fusionreactor.. I look at the request history, and you see the templates that were recently called with the url parameters.. when an attack is in progress, you see a lot of them with big url parameters. Easy to see at a glance. Best part is then you can view the sql queries that ran and how many rows were affected! I can verify that they don't get through to the real database - just the query logging the attempt in my HACK database!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329728
RE: Recent SQL Injection attacks
For coldfusion, I use Fusionreactor.. I look at the request history, and you see the templates that were recently called with the url parameters.. when an attack is in progress, you see a lot of them with big url parameters. Easy to see at a glance. Best part is then you can view the sql queries that ran and how many rows were affected! I can verify that they don't get through to the real database - just the query logging the attempt in my HACK database!

I wouldn't run a cold fusion server without a tool like fusion reactor. I created my website with coldfusion 2.0, and a lot of the pages haven't been updated (except for sql injection proofing) since then, and I learned a lot since then.. fusion reactor gives me the list of slow running pages, and I try to improve at least one of them every day. I made the entire site much faster, and concentrated on the most frequently used pages. Before fusionreactor, I had no idea which pages were the slowest, and what was being looked at right now and by whom, and how the queries were doing - timewise and memory wise.

For the forms, my website deals with some mentally challenged people and really important stuff.. so I try to make it easy for them. I log all attempts to login. I get an alert if someone fails more than twice. I get a screen with the username they are trying, the passwords they tried, the real password, name, location (so I know the time zone), phone number - as well as a way to unlock it (it gets locked after 3 unsuccessful attempts). I can tell if it is a real person struggling or if it is someone trying to break in. If they are trying to break in, I add their ip address to our list of banned ip addresses. If it is a real person, and the local time is reasonable, I call them and help them get in. I am planning on adding chat capability soon.

I usually turn off ftp on my server, except when I need someone to upload a large file like an mri. I had it on recently and noticed the log file was way too big (it is usually 1-2k, and now it was like 100k).. so I looked through it and saw someone was alternating between trying administrator and webmaster as the user names, and many passwords. Never got in. I don't have an administrator or webmaster account allowed for ftp access :)

At 04:11 PM 1/13/2010, you wrote:

> How do you guys monitor these attacks? The webserver logs?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329710
RE: Recent SQL Injection attacks
On the SQL injection subject, here's something I add in all my projects. I usually use this snippet of code to intercept at the top level. It helps.

    <cffunction name="isSQLInjection" access="public" hint="Checks to see if there is a possible SQL Injection attempt">
        <cfscript>
            // Flag the request when the query string carries a common injection
            // keyword (raw, or URL-encoded in the EXEC% case) or is unusually long.
            if ( isdefined("cgi.query_string") and
                 ( findnocase("DECLARE", cgi.query_string) or
                   findnocase("CAST(", cgi.query_string) or
                   findnocase("EXEC(", cgi.query_string) or
                   findnocase("EXEC%", cgi.query_string) or
                   len(cgi.query_string) gte 700 ) )
                return true;
            else
                return false;
        </cfscript>
    </cffunction>

-----Original Message-----
From: Al Musella, DPM [mailto:muse...@virtualtrials.com]
Sent: Friday, January 15, 2010 2:44 PM
To: cf-talk
Subject: RE: Recent SQL Injection attacks

> For coldfusion, I use Fusionreactor.. I look at the request history, and you see the templates that were recently called with the url parameters.. when an attack is in progress, you see a lot of them with big url parameters. Easy to see at a glance. Best part is then you can view the sql queries that ran and how many rows were affected! I can verify that they don't get through to the real database - just the query logging the attempt in my HACK database!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329712
Re: Recent SQL Injection attacks
> The qpscanner is ok in general but I want something that will only get me numeric variables that are not in a cfqueryparam.

That is not enough to protect you! It is not hard to create injection attacks that bypass CF's auto-doubling of quotes.

qpscanner deliberately errs on the side of paranoia, because it only takes one small hole for an attacker to get in and cause havoc.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329661
Re: Recent SQL Injection attacks
I know it's not enough but the point was that there has to be a priority in what gets fixed. If there are 300+ query vars to fix, which do you do first? My solution is to fix the numeric vars first and then fix everything else after. In the end it all gets done but until I get to the end, the most dangerous vars have to be hit before the 'less' dangerous ones.

It would be preferred to take the app down, fix it, and put it back up but with this client that is not an option. That means I have to work fast and smart to get the job done on a live site. Ug. :(

--
Michael

On Thu, Jan 14, 2010 at 5:43 AM, Peter Boughton bought...@gmail.com wrote:

> > The qpscanner is ok in general but I want something that will only get me numeric variables that are not in a cfqueryparam.
>
> That is not enough to protect you! It is not hard to create injection attacks that bypass CF's auto-doubling of quotes.
>
> qpscanner deliberately errs on the side of paranoia, because it only takes one small hole for an attacker to get in and cause havoc.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329662
Re: Recent SQL Injection attacks
> I think there's at least one or two more too. I should really make a note of them somewhere...

Charlie Arehart's list. Pretty sure he's got all this listed in a security/similar category. Yep, here we go:
http://www.carehart.org/cf411/#testing

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329664
Re: Recent SQL Injection attacks
I have been getting a lot lately... and had an interesting one. One computer was hammering my server. They were trying a dictionary attack on one of my forms, in addition to trying sql injection on every dynamic page. Strangely, the IP address of the attacker, 204.238.82.17, was from the USA. It was a security company. I called them and asked what they were doing. They said a security audit! They said they had permission. Turns out they were hired to test a website that is one letter off from my domain name and they made a mistake. They stopped immediately. At least they told me I passed :)

My ftp server has also been getting dictionary attacks from Amsterdam 95.154.246.98.. luckily my ftp sites are set up to allow only certain ip addresses.

At 08:14 PM 1/12/2010, you wrote:

> Didn't know about that IP. Thanks
>
> They got in through some code that was written literally 10 years ago on one of the client's forgotten sites. I've fixed up the cfquery tags and added my anti-injection code to the whole dir.
>
> Thanks
> --

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329625
RE: Recent SQL Injection attacks
How do you guys monitor these attacks? The webserver logs?

> -----Original Message-----
> From: Al Musella, DPM [mailto:muse...@virtualtrials.com]
> Sent: Wednesday, January 13, 2010 12:34 PM
> To: cf-talk
> Subject: Re: Recent SQL Injection attacks
>
> I have been getting a lot lately... and had an interesting one. One computer was hammering my server. They were trying a dictionary attack on one of my forms, in addition to trying sql injection on every dynamic page. Strangely, the IP address of the attacker, 204.238.82.17, was from the USA. It was a security company. I called them and asked what they were doing. They said a security audit! They said they had permission. Turns out they were hired to test a website that is one letter off from my domain name and they made a mistake. They stopped immediately. At least they told me I passed :)
>
> My ftp server has also been getting dictionary attacks from Amsterdam 95.154.246.98.. luckily my ftp sites are set up to allow only certain ip addresses.
>
> At 08:14 PM 1/12/2010, you wrote:
>
> > Didn't know about that IP. Thanks
> >
> > They got in through some code that was written literally 10 years ago on one of the client's forgotten sites. I've fixed up the cfquery tags and added my anti-injection code to the whole dir.
> >
> > Thanks
> > --

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329633
Re: Recent SQL Injection attacks
I wrote an IIS log parser which can not only parse the IIS logs to a DB but when the url params are over a certain size or have certain key words, it'll flag it as a problem to look at later. Unfortunately, the attack was on a client's site and we knew about it when the page display was compromised. The logs were only good after the fact. This attack didn't use the standard declare statement but it did have a longer than normal request string. Cleaning it out wasn't much of a problem once it was identified.

I've added another bit of text to my injection scanner code but... I'm going through query after query on his site which will take me a while to recode. I'm going to have to dig up my auto-query-param code that I wrote for someone many years ago and get it up to date. More work and less rest. :(

--
Michael

On Wed, Jan 13, 2010 at 4:11 PM, Chad Gray cg...@careyweb.com wrote:

> How do you guys monitor these attacks? The webserver logs?
>
> > -----Original Message-----
> > From: Al Musella, DPM [mailto:muse...@virtualtrials.com]
> > Sent: Wednesday, January 13, 2010 12:34 PM
> > To: cf-talk
> > Subject: Re: Recent SQL Injection attacks
> >
> > I have been getting a lot lately... and had an interesting one. One computer was hammering my server. They were trying a dictionary attack on one of my forms, in addition to trying sql injection on every dynamic page. Strangely, the IP address of the attacker, 204.238.82.17, was from the USA. It was a security company. I called them and asked what they were doing. They said a security audit! They said they had permission. Turns out they were hired to test a website that is one letter off from my domain name and they made a mistake. They stopped immediately. At least they told me I passed :)
> >
> > My ftp server has also been getting dictionary attacks from Amsterdam 95.154.246.98.. luckily my ftp sites are set up to allow only certain ip addresses.
> >
> > At 08:14 PM 1/12/2010, you wrote:
> >
> > > Didn't know about that IP. Thanks
> > >
> > > They got in through some code that was written literally 10 years ago on one of the client's forgotten sites. I've fixed up the cfquery tags and added my anti-injection code to the whole dir.
> > >
> > > Thanks
> > > --

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329634
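Chung Chow's isSQLInjection() snippet earlier in this thread and the IIS log parser Michael describes here rest on the same two heuristics: suspicious keywords in the query string, and a query string that is unusually long. What follows is an added example, not code from the thread or from either poster, written in Python rather than CFML so it can be run against a log file offline. It parses W3C-format IIS log lines (the sample lines are constructed, with documentation-range IPs) and reports the requests those heuristics would flag. It generalises the thread's checks in two ways: it URL-decodes before matching, so a separate "EXEC%" test is unnecessary, and it matches on word boundaries so a parameter such as q=dropdown does not trip the DROP rule. The 700-character threshold comes from the thread's snippet; the long-hex-literal rule and the field layout are my assumptions.

```python
import re
from urllib.parse import unquote_plus

# Heuristics from the thread's isSQLInjection() snippet, generalised: match on
# word boundaries after URL-decoding rather than on raw substrings.
SUSPECT_SQL = re.compile(
    r"\b(?:DECLARE\b|CAST\s*\(|EXEC\s*\(|DROP\s+TABLE\b|DELETE\s+FROM\b)")
HEX_LITERAL = re.compile(r"0x[0-9A-Fa-f]{16,}")   # long hex literal (assumed extra rule)
MAX_QUERY_LEN = 700                                # threshold used in the thread


def is_suspicious_query(raw_query, max_len=MAX_QUERY_LEN):
    """Return the reasons a query string looks like an injection attempt ([] if none)."""
    decoded = unquote_plus(unquote_plus(raw_query))   # twice: double-encoded payloads
    reasons = []
    for m in SUSPECT_SQL.finditer(decoded.upper()):
        reasons.append("keyword:" + re.sub(r"\s+", " ", m.group(0)))
    if len(raw_query) >= max_len:
        reasons.append("length:%d" % len(raw_query))
    if HEX_LITERAL.search(decoded):
        reasons.append("hex-literal")
    return reasons


def parse_iis_log(lines):
    """Yield one dict per data line of a W3C (IIS) log, keyed by the #Fields: header."""
    fields = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue                      # other directives, or data before any header
        values = line.split()
        if len(values) != len(fields):
            continue                      # malformed line: skip rather than misalign columns
        yield {k: ("" if v == "-" else v) for k, v in zip(fields, values)}


def flag_requests(lines, max_len=MAX_QUERY_LEN):
    """Return (c-ip, cs-uri-stem, reasons) for each request that trips a heuristic."""
    flagged = []
    for rec in parse_iis_log(lines):
        reasons = is_suspicious_query(rec.get("cs-uri-query", ""), max_len)
        if reasons:
            flagged.append((rec["c-ip"], rec["cs-uri-stem"], reasons))
    return flagged


# Constructed sample log (not real traffic); the IPs are from the documentation range.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-01-13 12:34:56 192.0.2.10 GET /products.cfm id=42 200
2010-01-13 12:35:01 192.0.2.77 GET /products.cfm id=42;DECLARE+@x+int 500
2010-01-13 12:35:02 192.0.2.77 GET /news.cfm id=7%20exec%28 500
2010-01-13 12:35:03 192.0.2.77 GET /news.cfm id=1;select+0xDEADBEEFDEADBEEFDEADBEEF 200
2010-01-13 12:36:00 192.0.2.11 GET /search.cfm q=dropdown+delete+draft 200
""".splitlines()

if __name__ == "__main__":
    for ip, stem, reasons in flag_requests(SAMPLE_LOG):
        print(ip, stem, ", ".join(reasons))
```

Run against a real log directory the output is the list of (client IP, template, reasons) Michael says he stores for later review; the last sample line shows why the word-boundary form matters, since a search for "dropdown delete draft" is not flagged even though it contains DROP and DELETE as substrings.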
Re: Recent SQL Injection attacks
using cfformprotect i am doing an exercise whereby logging each offending IP address in a table. next to each IP i am recording the number of times they reoffend. i am then using a block script (found from this site i think?)...

    <!--- blacklist ip addresses --->
    <cfset fName = getDirectoryFromPath(getCurrentTemplatePath()) & "blacklist.txt" />

    <!--- (re)load the list into application scope on first use or when ?updateapp is passed --->
    <cfif isDefined("url.updateapp") or NOT isDefined("application.blacklist")>
        <cfset application.blacklist = "" />
        <cfif FileExists(fName)>
            <cftry>
                <cffile action="read" file="#fName#" variable="application.blacklist" charset="utf-8" />
                <cfcatch></cfcatch>
            </cftry>
        </cfif>
    </cfif>

    <!--- already listed: send them to the block page --->
    <cfif ListFind(application.blacklist, cgi.remote_addr, Chr(13) & Chr(10))>
        <cflocation addtoken="false" url="/blacklist.html" />
        <cfabort />
    </cfif>

    <!--- keyword check on the query string; a hit adds the address to the list file --->
    <cfif FindNoCase("DECLARE", cgi.query_string) OR FindNoCase("CAST", cgi.query_string) OR FindNoCase("EXEC", cgi.query_string) OR FindNoCase("DROP", cgi.query_string) OR FindNoCase("DELETE", cgi.query_string)>
        <cfif not ListFind(application.blacklist, cgi.remote_addr, Chr(13) & Chr(10))>
            <cfset application.blacklist = ListAppend(application.blacklist, cgi.remote_addr, Chr(13) & Chr(10)) />
            <cftry>
                <cffile action="write" file="#fName#" output="#application.blacklist#" charset="utf-8" />
                <cfcatch></cfcatch>
            </cftry>
            <cflocation addtoken="false" url="/blacklist.html" />
            <cfabort />
        </cfif>
    </cfif>

i am updating the text file with IP addresses with multiple offences. has been interesting and i do believe i have cut down the spam/injection attacks. however the table continues to grow and i think i am losing the battle. anyway thought this may grow some ideas...

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329635
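Two ban-list schemes appear in this thread: Al's server-scope list with a one-week ban, and the file-backed blacklist.txt above with a re-offence count kept beside each IP. The following is an added example, not code from either poster, that combines the two in Python: a ban list that counts offences per IP, expires a ban after a week, and round-trips through the same sort of CRLF-separated text file. The three-column line format (ip, count, expiry), the handle_request() decision values and the use of a fixed "now" for testing are my assumptions.

```python
import time

BAN_SECONDS = 7 * 24 * 3600          # one week, as in the thread


class BanList:
    """Ban list keyed by client IP: counts offences per IP and expires bans after ban_seconds.

    Persists to a plain text file like the thread's blacklist.txt, one IP per line,
    extended with the offence count and ban expiry (assumed format: "ip count expires").
    """

    def __init__(self, ban_seconds=BAN_SECONDS):
        self.ban_seconds = ban_seconds
        self.entries = {}                 # ip -> [offence_count, ban_expires_at]

    def record_offence(self, ip, now=None):
        """Register a detected attempt from ip and (re)start its ban. Returns the offence count."""
        now = time.time() if now is None else now
        entry = self.entries.setdefault(ip, [0, 0.0])
        entry[0] += 1
        entry[1] = now + self.ban_seconds
        return entry[0]

    def is_banned(self, ip, now=None):
        """True while the ban is in force; the offence count survives expiry."""
        now = time.time() if now is None else now
        entry = self.entries.get(ip)
        return entry is not None and now < entry[1]

    def offences(self, ip):
        entry = self.entries.get(ip)
        return entry[0] if entry else 0

    def to_text(self):
        """Serialise as 'ip count expires' lines, CRLF-separated like the thread's list file."""
        return "\r\n".join("%s %d %.0f" % (ip, c, e)
                           for ip, (c, e) in sorted(self.entries.items()))

    @classmethod
    def from_text(cls, text, ban_seconds=BAN_SECONDS):
        """Rebuild a list from to_text() output; blank or malformed lines are skipped."""
        banlist = cls(ban_seconds)
        for line in text.splitlines():
            parts = line.split()
            if len(parts) != 3:
                continue                  # never let a bad line take the site down
            banlist.entries[parts[0]] = [int(parts[1]), float(parts[2])]
        return banlist


def handle_request(banlist, ip, suspicious, now=None):
    """Per-request gate: 'maintenance' means log and show the 'down for maintenance' page."""
    if banlist.is_banned(ip, now):
        return "maintenance"              # banned: block even if this page is unprotected
    if suspicious:
        banlist.record_offence(ip, now)
        return "maintenance"              # first hit: ban and block this request too
    return "serve"
```

The `suspicious` flag is whatever injection check the application already runs (the thread's isSQLInjection() or the keyword test above); keeping the decision separate from the check lets the ban list be shared across sites exactly as Al describes with his server variable.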
Re: Recent SQL Injection attacks
Fast question. Has anyone seen an injection attack that used a field other than an integer? I've written a fast RegEx for use in Homesite (or any other regex using editor) that will find any query that has numeric 'looking' variables that are not in a cfqueryparam. While I have to change every variable not in a cfqueryparam, I'm trying to get the numerics first. Thanks -- Michael Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329638
RE: Recent SQL Injection attacks
Michael, Yes... Certain types of installations of MySQL are subject to character injection attacks. http://www.coldfusionmuse.com/index.cfm/2008/2/22/sql-injection-on-a-character-field Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com -Original Message- From: Michael Dinowitz [mailto:mdino...@houseoffusion.com] Sent: Wednesday, January 13, 2010 5:34 PM To: cf-talk Subject: Re: Recent SQL Injection attacks Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329639
Re: Recent SQL Injection attacks
There's a project for that. I can't remember what it is off-hand, but I'm 100% sure there's a cfqueryparam-er.cfc out there, which does this. Maybe this one? : http://qpscanner.riaforge.org/ I think there's at least one or two more too. I should really make a note of them somewhere... It would be a good addition to codecop, too. :denny -- Time and memory are true artists; they remould reality nearer to the heart's desire. John Dewey On Wed, Jan 13, 2010 at 4:34 PM, Michael Dinowitz wrote: Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329643
RE: Recent SQL Injection attacks
Maybe this one? : http://qpscanner.riaforge.org/ The other main one is http://www.webapper.com/blog/index.php/2008/7/22/ColdFusion-SQL-Injection I think a mash up or two might have cropped up in the past year too. ~Brad Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329645
Re: Recent SQL Injection attacks
The qpscanner is ok in general but I want something that will only get me numeric variables that are not in a cfqueryparam. The RegEx does that while putting the results in a single click position for me to edit immediately. My old cfqueryparam scanner allows for auto-insertion of cfqueryparam tags for variables, but the UI is nowhere near as good as qpscanner. I'll provide the rough regex I'm using as soon as I can so that anyone can use it, include it into an app, etc. -- Michael On Wed, Jan 13, 2010 at 7:11 PM, denstar valliants...@gmail.com wrote: Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329646
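The scanner Michael describes, as an added example in Python that is neither his regex nor qpscanner: it pulls every #variable# out of each <cfquery> body, ignores the ones that sit inside a <cfqueryparam> tag, and calls a value 'numeric' when the SQL around it has no single quotes (an unquoted value is the one an attacker turns into `1 OR 1=1`). The CFML sample is constructed for the demo; the regexes assume plain tag syntax and do not understand <cfif> blocks inside a query or ## escapes, which a scan of a real code base would need to handle.

```python
import re

# Constructed CFML sample (not from the thread): two queries, one value
# protected by cfqueryparam and three raw #interpolations#.
SAMPLE_CFML = """<cfquery name="q" datasource="dsn">
  SELECT * FROM users
  WHERE id = #url.id#
    AND name = '#form.name#'
    AND status = <cfqueryparam value="#form.status#" cfsqltype="cf_sql_varchar">
</cfquery>
<cfquery name="q2" datasource="dsn">
  DELETE FROM notes WHERE id IN (#form.ids#)
</cfquery>"""

CFQUERY_RE = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.I | re.S)
CFQUERYPARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.I | re.S)
INTERP_RE = re.compile(r"#([^#\n]+)#")


def find_unparamed(cfml):
    """Return (line, variable, kind) for every #var# inside a <cfquery>
    body that is not wrapped in a <cfqueryparam>. kind is 'string' when
    the interpolation sits between single quotes in the SQL text and
    'numeric' otherwise, since an unquoted value reaches the DB as a
    number (or as whatever SQL the attacker put there)."""
    findings = []
    for q in CFQUERY_RE.finditer(cfml):
        body, base = q.group(1), q.start(1)
        # Blank out cfqueryparam tags, keeping newlines so line numbers
        # stay correct, so the #value# inside them is not reported.
        masked = CFQUERYPARAM_RE.sub(
            lambda t: re.sub(r"[^\n]", " ", t.group(0)), body)
        for m in INTERP_RE.finditer(masked):
            before = masked[:m.start()].rstrip()
            after = masked[m.end():].lstrip()
            quoted = before.endswith("'") and after.startswith("'")
            line = cfml.count("\n", 0, base + m.start()) + 1
            findings.append((line, m.group(1), "string" if quoted else "numeric"))
    return findings


def numeric_only(cfml):
    """The subset Michael wants first: unquoted, numeric-looking values."""
    return [f for f in find_unparamed(cfml) if f[2] == "numeric"]


if __name__ == "__main__":
    for line, var, kind in find_unparamed(SAMPLE_CFML):
        print(f"line {line}: #{var}# ({kind})")
```

Run it over a directory by reading each .cfm/.cfc file and passing the text to find_unparamed; the line numbers are what an editor needs to jump straight to the query.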
Re: Recent SQL Injection attacks
Mark, Thanks. The client is on MS SQL so doing the numbers first looks like a good idea for him. Always good to prioritize work. -- Michael On Wed, Jan 13, 2010 at 6:39 PM, Mark Kruger mkru...@cfwebtools.com wrote: Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329647
Recent SQL Injection attacks
Has anyone seen any recent SQL injection attacks on their sites or in the wild? I just cleaned a bunch of JS and other code from a client's DB. Most of the scripts were running those fake anti-virus popups but some had other things like lung cancer scams. Anyone see anything? Thanks -- Michael Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329606
Re: Recent SQL Injection attacks
Yes. All from ip 91.212.226.161 Which we have blocked at our firewall. Annoying, but we saw these coming 2 summers ago, and took steps. On Tue, Jan 12, 2010 at 6:05 PM, Michael Dinowitz mdino...@houseoffusion.com wrote: Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329608
Re: Recent SQL Injection attacks
Didn't know about that IP. Thanks. They got in through some code that was written literally 10 years ago on one of the client's forgotten sites. I've fixed up the cfquery tags and added my anti-injection code to the whole dir. Thanks -- Michael On Tue, Jan 12, 2010 at 6:31 PM, Jerry Johnson jmi...@gmail.com wrote: Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329610
After the fact: SQL Injection Scanner
All: A client called today letting me know that their server had been breached and that some malicious code had been uploaded to the site. After doing some research into the particular files that were uploaded, it turns out that the attack is also usually accompanied by a SQL Injection attack. Their database is huge and, instead of manually going through the database looking for altered records, I thought to write some code that would scan the records and report any potential problems. Before doing that, does anyone know of any existing code that does that? Thanks in advance. -- Mosh Teitelbaum evoch, LLC Tel: (301) 942-5378 Fax: (301) 933-3651 WWW: http://www.evoch.com/ Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:327460
RE: After the fact: SQL Injection Scanner
If the injection was the one that went around a few months ago - check out this post http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-And-ASCII There is a reverse stored procedure that can undo the damage down in the comments. Be sure and read the post and comments (and related posts) - otherwise you will fight this over again until you get it right :) -Mark Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com -Original Message- From: Mosh Teitelbaum [mailto:mosh.teitelb...@evoch.com] Sent: Wednesday, October 21, 2009 2:10 PM To: cf-talk Subject: After the fact: SQL Injection Scanner Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:327461
RE: After the fact: SQL Injection Scanner
Mark's right. If you have the SQL injection code, you can essentially reverse engineer it and use it as a blueprint to fix the problems. andy -Original Message- From: Mosh Teitelbaum [mailto:mosh.teitelb...@evoch.com] Sent: Wednesday, October 21, 2009 2:10 PM To: cf-talk Subject: After the fact: SQL Injection Scanner Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:327465
RE: After the fact: SQL Injection Scanner
Mark: Thanks for the reply. I think the title of my email may have been misleading in that I'm not positive it was a SQL Injection attack. Because of some malicious code I've found on the file system, code that would allow an attacker to make sweeping changes to the database, I'm concerned that they may have appended additional code to varchar fields a la a SQL Injection attack. While the reverse code is great, I can't use it here because I haven't yet found any (nor do I know for sure that there is any) SQL Injection code to reverse. I'm hoping to find a scanner that can tell me if any of those fields appear suspicious. Something that would report on any varchar fields containing script, etc. Thanks. -- Mosh Teitelbaum evoch, LLC Tel: (301) 942-5378 Fax: (301) 933-3651 Email: mosh.teitelb...@evoch.com WWW: http://www.evoch.com/ -Original Message- From: Mark Kruger [mailto:mkru...@cfwebtools.com] Sent: Wednesday, October 21, 2009 3:30 PM To: cf-talk Subject: RE: After the fact: SQL Injection Scanner Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:327468
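One way to build the scanner Mosh is asking for, as an added Python example that is not evoch's code and not a tool from the thread: it walks the catalogue for every text-typed column, reads each value, and reports the rows that contain the markers these mass injections leave behind. The sample database is constructed in-memory SQLite so the block runs offline; the catalogue lookup is the one SQLite-specific part and the comment gives the MS SQL equivalent. The marker list is an assumption, to be extended with whatever the uploaded PHP files reference.

```python
import re
import sqlite3

# Markers typical of the injections that appended <script>/<iframe> tags to
# every text column. Assumed starting list; extend from the evidence found.
SUSPICIOUS = re.compile(
    r"<script\b|</title>|<iframe\b|javascript:|String\.fromCharCode", re.I)
TEXT_TYPES = re.compile(r"^(N?VARCHAR|N?CHAR|TEXT|NTEXT|CLOB)", re.I)


def qi(name):
    """Quote an identifier read from the catalogue."""
    return '"' + name.replace('"', '""') + '"'


def text_columns(conn):
    """Yield (table, column) for every text-typed column.
    SQLite catalogue here; on MS SQL the same list comes from
    INFORMATION_SCHEMA.COLUMNS WHERE DATA_TYPE IN
    ('char','varchar','nchar','nvarchar','text','ntext')."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' "
        "AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for _cid, col, ctype, *_rest in conn.execute(f"PRAGMA table_info({qi(table)})"):
            if ctype and TEXT_TYPES.match(ctype):
                yield table, col


def scan(conn):
    """Return (table, column, rowid, marker) for every text value that
    contains one of the SUSPICIOUS markers."""
    findings = []
    for table, col in text_columns(conn):
        sql = f"SELECT rowid, {qi(col)} FROM {qi(table)} WHERE {qi(col)} IS NOT NULL"
        for rowid, value in conn.execute(sql):
            m = SUSPICIOUS.search(str(value))
            if m:
                findings.append((table, col, rowid, m.group(0)))
    return findings


def build_sample_db():
    """Constructed in-memory DB (not the client's data) with two tainted
    rows; example.invalid is a reserved, non-resolving domain."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title VARCHAR(200), body TEXT, views INTEGER);
        CREATE TABLE comments (id INTEGER PRIMARY KEY, author VARCHAR(50), body TEXT);
        INSERT INTO pages VALUES (1, 'About us', 'Plain page content.', 10);
        INSERT INTO pages VALUES (2, 'Contact</title><script src=http://example.invalid/x.js></script>', 'Hours: 9-5', 3);
        INSERT INTO comments VALUES (7, 'alice', 'Nice post');
        INSERT INTO comments VALUES (8, 'bob', 'look <iframe src="http://example.invalid/"></iframe>');
    """)
    return conn


if __name__ == "__main__":
    for table, col, rowid, marker in scan(build_sample_db()):
        print(f"{table}.{col} rowid={rowid}: matched {marker!r}")
```

Report first and clean second: once the findings show the exact string the attacker appended, a single UPDATE ... SET col = REPLACE(col, '<that string>', '') per column undoes it, which is what the reverse procedure Mark points to does for the known variant.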
RE: After the fact: SQL Injection Scanner
Andy: Unfortunately, I don't have the SQL Injection code. From what I can gather, the attack resulted in a whole bunch of copies of some PHP code that essentially gives the user access to both the file system and the database. I'm still working on getting the log files from the web host (FTP is down for some reason) but with the PHP files, they could have changed the database without having to do so via the URL. -- Mosh Teitelbaum evoch, LLC Tel: (301) 942-5378 Fax: (301) 933-3651 Email: mosh.teitelb...@evoch.com WWW: http://www.evoch.com/ -Original Message- From: Andy Matthews [mailto:li...@commadelimited.com] Sent: Wednesday, October 21, 2009 3:49 PM To: cf-talk Subject: RE: After the fact: SQL Injection Scanner Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:327469
Re: After the fact: SQL Injection Scanner
You might consider restoring a copy of a recent backup, then comparing against known records that shouldn't have changed (for example comment records) On Wed, Oct 21, 2009 at 4:04 PM, Mosh Teitelbaum mosh.teitelb...@evoch.com wrote: Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:327470
RE: After the fact: SQL Injection Scanner
Charles: Thanks for the reply. Unfortunately, they don't know when the attack happened and their current hosting company has not been very attentive to backing up files or the database. It's also built on a CMS with page content changes made daily. Thanks. -- Mosh Teitelbaum evoch, LLC Tel: (301) 942-5378 Fax: (301) 933-3651 WWW: http://www.evoch.com/ -Original Message- From: Charles Sheehan-Miles [mailto:char...@sheehanmiles.net] Sent: Wednesday, October 21, 2009 4:31 PM To: cf-talk Subject: Re: After the fact: SQL Injection Scanner Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:327471
SQL Injection
We have one site on our server that was built about 10 years ago. Today some bot is hitting the site and appending their content to the content already in the system. I can't figure out how or where they are getting in. Anyone have any ideas how I can stop this. They are only putting in content and no script tags. I do have the Enable Global Script Protection enabled in the cf admin. ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321941 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: SQL Injection
Start here http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-And-ASCII -Mark Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com -Original Message- From: Chad McCue [mailto:c...@advmediaproductions.com] Sent: Friday, April 24, 2009 11:27 AM To: cf-talk Subject: SQL Injection Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321942
RE: SQL Injection
We have one site on our server that was built about 10 years ago. Today some bot is hitting the site and appending their content to the content already in the system. I can't figure out how or where they are getting in. Anyone have any ideas how I can stop this. If you're sure it's SQL injection, start by implementing my basic protector available at: http://www.gravityfree.com/_SQLPrev.cfm.txt Next, run this against your files to find queries where CFQUERYPARAM isn't being used: http://qpscanner.riaforge.org/ Finally, implement CFQUERYPARAM on your queries to protect them against these attacks. Rinse and repeat as necessary. -Justin Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321947
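Justin's third step shown in working code, as an added Python example that is neither his protector nor CFML: the same lookup written by string concatenation, once against an integer column and once against a varchar column, beside the bound-parameter form that cfqueryparam produces. The table is constructed for the demo. The string-field case falls to a single quote exactly as the numeric one falls to a bare OR, which is the point Mark made about character fields, and CF's Global Script Protection does nothing about either: it rewrites HTML tags in the input scopes and never sees the SQL.

```python
import sqlite3


def build_db():
    """Constructed sample table, not the site in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
        INSERT INTO articles VALUES (1, 'Public post', 1);
        INSERT INTO articles VALUES (2, 'Draft, not public', 0);
        INSERT INTO articles VALUES (3, 'Another public post', 1);
    """)
    return conn


def vulnerable_by_id(conn, article_id):
    """Equivalent of  WHERE id = #url.id#  with no cfqueryparam: the
    request value is pasted into the SQL text."""
    sql = ("SELECT id FROM articles WHERE published = 1 AND id = "
           + article_id + " ORDER BY id")
    return [r[0] for r in conn.execute(sql)]


def vulnerable_by_title(conn, title):
    """Equivalent of  WHERE title = '#url.title#'  (the character-field case):
    quoting the value does not help once the value itself contains a quote."""
    sql = ("SELECT id FROM articles WHERE published = 1 AND title = '"
           + title + "' ORDER BY id")
    return [r[0] for r in conn.execute(sql)]


def safe_by_id(conn, article_id):
    """Equivalent of <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">:
    the value is type-checked and bound as a parameter, never concatenated."""
    try:
        n = int(article_id)
    except (TypeError, ValueError):
        return []
    return [r[0] for r in conn.execute(
        "SELECT id FROM articles WHERE published = 1 AND id = ? ORDER BY id", (n,))]


def safe_by_title(conn, title):
    """Equivalent of cfqueryparam with cf_sql_varchar: the quote in the
    value is data, not SQL."""
    return [r[0] for r in conn.execute(
        "SELECT id FROM articles WHERE published = 1 AND title = ? ORDER BY id", (title,))]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable id   :", vulnerable_by_id(db, "1 OR 1=1"))
    print("vulnerable title:", vulnerable_by_title(db, "x' OR '1'='1"))
    print("safe id         :", safe_by_id(db, "1 OR 1=1"))
    print("safe title      :", safe_by_title(db, "x' OR '1'='1"))
```

Both vulnerable forms return the unpublished draft; both bound forms return nothing for the same input. sqlite3's execute() refuses more than one statement per call, so the stacked form these bots actually send (a semicolon followed by DECLARE ... EXEC) cannot be shown here; on MS SQL that runs, which is why the numeric fields Michael is fixing first are the ones the bots target.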
RE: SQL Injection
Didn't Homer Simpson say rinse and repeat Always repeat :) -Original Message- From: Justin Scott [mailto:jscott-li...@gravityfree.com] Sent: Friday, April 24, 2009 12:59 PM To: cf-talk Subject: RE: SQL Injection Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321948
RE: SQL Injection
Justin, That is a great piece of code, thank you for publishing it. I have a question about it. In the process of it, you create a structure, use it, then delete that structure. If I am using an Application.cfc, would there be any benefit of putting the structure into the application scope, then never deleting it? If I did this and referred to this struct in your code, would this save on overhead time, since I wouldn't need to recreate the structure every page load? Thanks, William -Original Message- From: Justin Scott [mailto:jscott-li...@gravityfree.com] Sent: Friday, April 24, 2009 10:59 AM To: cf-talk Subject: RE: SQL Injection Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321949
RE: SQL Injection
If I am using an Application.cfc, would there be any benefit of putting the structure into the application scope, then never deleting it? It certainly couldn't hurt. I chose to do it the way I did because I wanted it to be completely self-contained and drop-in friendly regardless of the settings on the site/server it was deployed to. Making the structure permanent also encourages it to be used as the primary means of protection for a long period of time. It's designed as quick front-line protection until the application itself has been updated and protected from within. Putting the structure into an application variable would help speed up subsequent page loads, but the performance gain would probably be negligible. -Justin Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321950
Re: New SQL Injection
On Monday 22 Sep 2008, Judah McAuley wrote: we sit down to discuss strategy and bringing resources on under me, I know that conversion conversation is coming. Print out http://www.webbschofield.com/index.cfm/2008/9/15/ColdFusion-Evangelism-Kit and leave it on your desk just in case. -- Tom Chiverton Helping to carefully customize eye-catching customized markets This email is sent for and on behalf of Halliwells LLP. Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at Halliwells LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB. A list of members is available for inspection at the registered office. Any reference to a partner in relation to Halliwells LLP means a member of Halliwells LLP. Regulated by The Solicitors Regulation Authority. CONFIDENTIALITY This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 2500. For more information about Halliwells LLP visit www.halliwells.com. Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:313010
Re: New SQL Injection
On Saturday 20 Sep 2008, Al Musella, DPM wrote: A new type of sql attack is hitting my server since about 2 am this morning. It's not new. It's just another minor variant. There should be no need for a big song and dance by now. -- Tom Chiverton Helping to evangelistically maximize fifth-generation sexy partnerships Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:312899
RE: New SQL Injection
> Tom Chiverton
> Helping to evangelistically maximize fifth-generation sexy partnerships

You know, that tagline makes you sound like a pimp.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:312901
Re: New SQL Injection
CF could use more pimps. I just got bought and am now a new division within an existing company, all of whom are .Net. Things are just settling in and it's fine for now, but as we sit down to discuss strategy and bringing resources on under me, I know that conversion conversation is coming.

Judah

On Mon, Sep 22, 2008 at 8:37 AM, Dave Watts [EMAIL PROTECTED] wrote:
> > Tom Chiverton
> > Helping to evangelistically maximize fifth-generation sexy partnerships
>
> You know, that tagline makes you sound like a pimp.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:312903
Re: New SQL Injection
On Sat, Sep 20, 2008 at 9:58 PM, Michael Dinowitz [EMAIL PROTECTED] wrote:
> If you're interested, I have a project that I just wrote for a client that will allow you to scan an entire directory tree for all files that have a cfquery with un-paramed variables and fix them.

Hi Michael, how much different is your scanner vs qpscanner that Peter Boughton put up on RiAForge? http://qpscanner.riaforge.org/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:312870
New SQL Injection
A new type of sql attack is hitting my server since about 2 am this morning. It got through the filter I use because it has different keywords. Luckily the cfparam triggered an error, as it was looking for integers and was finding this:

= +and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))--sp_password

So I added sp_password and schema to my list of bad keywords.

Al

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:312847
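The message above illustrates three layers at once: a keyword blocklist that a new variant slips past until another word is added, a type check (cfparam looking for an integer) that rejects the value regardless of which keywords it uses, and the query itself. The following is an added Python example, not code from the thread or from any ColdFusion product: it takes the probe string quoted above as constructed input and shows that the blocklist only catches it after the two words Al added, while positive integer validation plus a bound parameter never lets it reach the SQL parser as code. The blocklist contents and the SQLite table are assumptions made for the demonstration.

```python
"""Keyword blocklist vs. strict type check vs. bound parameter for an integer id.

Added example, not code from the thread. The probe string is the one quoted in
the message above; the blocklists, the validator and the tiny SQLite table are
constructed for illustration.
"""
import re
import sqlite3

# The value Al found arriving in a parameter that should have been an integer.
PROBE = "+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))--sp_password"

# A keyword blocklist of the kind described: every new variant needs a new entry.
# (Assumption: a typical list from before this variant appeared.)
OLD_BAD_WORDS = ("declare", "exec(", "cast(", "varchar", "xp_")
# ...and the same list after the two words Al added.
NEW_BAD_WORDS = OLD_BAD_WORDS + ("sp_password", "schema")


def blocked_by_keywords(value: str, bad_words=NEW_BAD_WORDS) -> bool:
    """True if any blocklisted keyword occurs in the raw value (case-insensitive)."""
    lowered = value.lower()
    return any(word in lowered for word in bad_words)


def as_int_param(value: str):
    """Positive validation, the equivalent of <cfparam type="integer">:
    accept only an optionally signed decimal integer, otherwise return None."""
    if re.fullmatch(r"[+-]?\d{1,18}", value.strip()):
        return int(value.strip())
    return None


def lookup_article(conn: sqlite3.Connection, raw_id: str):
    """Look an article up by id. The id is validated first and then passed as a
    bound parameter, so the database only ever sees it as a number, never as SQL."""
    article_id = as_int_param(raw_id)
    if article_id is None:
        raise ValueError("id must be an integer")
    row = conn.execute("SELECT title FROM articles WHERE id = ?", (article_id,)).fetchone()
    return row[0] if row else None


def demo_db() -> sqlite3.Connection:
    """In-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", [(1, "first"), (2, "second")])
    return conn


if __name__ == "__main__":
    print("old blocklist catches probe:", blocked_by_keywords(PROBE, OLD_BAD_WORDS))  # False
    print("new blocklist catches probe:", blocked_by_keywords(PROBE))                 # True
    print("integer check accepts probe:", as_int_param(PROBE) is not None)          # False
    print(lookup_article(demo_db(), "2"))                                            # second
```

The point of the ordering in `lookup_article` is that the type check rejects anything that is not a number before the blocklist would even have to guess at keywords, and the bound parameter means the database driver, not string concatenation, decides how the value is sent.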
Re: New SQL Injection
> A new type of sql attack is hitting my server since about 2 am this morning.

I am seeing a large increase in the number of attacks on several of my sites in the last 48 hours.. Here we go again...

Instead of just being on the defense, I wish there was some way to counter attack!!! H ... might think on this a bit!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:312852
Re: New SQL Injection
> I wish there was some way to counter attack!!! H

Well, based on the fact that attacks come from infected PCs which don't even know they were infected, it would be pretty useless to counter-attack the IP address from which the attack came.

BUT, all these attacks tend to inject spammy links to some sites. So maybe some retaliation on these sites would have some effect? And this is the same thing for spam.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:312853
Re: New SQL Injection
We got a reputation for being easy to hack, so they now concentrate on cfm files.. hopefully, with this last attack, at least everyone on this list should already be protected against the current set of attempts... and if they don't succeed, maybe they will move on to easier targets.

I know I got shot down last time for suggesting blasphemy (having cf query automatically fix the problem for us), but how about the next best thing... have a new option in the code analyzer in the cf administrator, to check for potential sql injection vulnerabilities. Maybe just license the scanner that is floating around, and integrate it in.. then add a new menu option in a prominent spot to check for sql injection vulnerabilities. If these attacks don't succeed, they will stop trying and move on.

OR maybe a project to find these problems out in the wild and notify the owners of the problem. Just like these guys use google to find cfm pages, a spider can be created to search google for all cfm files, then try a simple test of sql injection technique like adding ';select * from nonexistent to the url and check for an error message with nonexistent in it.

At 05:54 PM 9/20/2008, Les Mizzell wrote:
> > A new type of sql attack is hitting my server since about 2 am this morning.
>
> I am seeing a large increase in the number of attacks on several of my sites in the last 48 hours.. Here we go again...
>
> Instead of just being on the defense, I wish there was some way to counter attack!!! H ... might think on this a bit!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:312855
Re: New SQL Injection
If you're interested, I have a project that I just wrote for a client that will allow you to scan an entire directory tree for all files that have a cfquery with un-paramed variables and fix them. It doesn't work automatically (it could but I disabled that option) but instead gives you the queries on a screen with a select next to each un-paramed variable with a suggested option. It's not a polished app for commercial use but a tool for back end site optimization. So if you're up for a beta, let me know.

On Sat, Sep 20, 2008 at 9:45 AM, Al Musella, DPM [EMAIL PROTECTED] wrote:
> A new type of sql attack is hitting my server since about 2 am this morning. It got through the filter I use because it has different keywords. Luckily the cfparam triggered an error, as it was looking for integers and was finding this:
>
> = +and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))--sp_password
>
> So I added sp_password and schema to my list of bad keywords.
>
> Al

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:312859
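Both the qpscanner question earlier in the thread and Michael's description above come down to the same first step: walk the source tree and find every `#variable#` that is interpolated into a `<cfquery>` body without a surrounding `<cfqueryparam>`. The following is an added Python example of that scan, written for this page; it is not qpscanner, not Michael's tool, and not ColdFusion's own code analyzer. The CFML sample is constructed. Because it is a regex pass rather than a CFML parser, it reports candidates for review (a `#var#` inside a function call is still flagged) and does not attempt the automatic rewrite Michael mentions.

```python
"""Find #variable# references inside <cfquery> that are not wrapped in <cfqueryparam>.

Added example, not Michael's tool or qpscanner. The CFML sample is constructed;
the scanner is a regex pass, so it reports candidates for review rather than
proving a query safe (a #var# inside a function call still gets flagged).
"""
import os
import re

CFQUERY = re.compile(r"<cfquery\b([^>]*)>(.*?)</cfquery>", re.IGNORECASE | re.DOTALL)
CFQUERYPARAM = re.compile(r"<cfqueryparam\b[^>]*>", re.IGNORECASE)
HASH_REF = re.compile(r"#([^#\n]+)#")
NAME_ATTR = re.compile(r'\bname\s*=\s*"([^"]*)"', re.IGNORECASE)


def find_unparamed_refs(src: str):
    """Return [(query_name, line_number, expression)] for every #expr# that sits in
    the SQL body of a cfquery and outside any cfqueryparam tag."""
    findings = []
    for q in CFQUERY.finditer(src):
        attrs, body = q.group(1), q.group(2)
        m = NAME_ATTR.search(attrs)
        qname = m.group(1) if m else "<unnamed>"
        first_line = src.count("\n", 0, q.start(2)) + 1
        # Spans covered by cfqueryparam tags: a #var# inside one is already bound.
        param_spans = [(p.start(), p.end()) for p in CFQUERYPARAM.finditer(body)]
        # "##" is CFML's escaped literal hash; blank it out without shifting offsets.
        scan_body = body.replace("##", "  ")
        for ref in HASH_REF.finditer(scan_body):
            inside = any(s <= ref.start() < e for s, e in param_spans)
            if not inside:
                line = first_line + body.count("\n", 0, ref.start())
                findings.append((qname, line, ref.group(1).strip()))
    return findings


def scan_tree(root: str, exts=(".cfm", ".cfc")):
    """Walk a directory tree and map each CFML file path to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(exts):
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_unparamed_refs(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed sample: two queries, one wholly unparameterised, one half fixed.
SAMPLE_CFM = """\
<cfquery name="getUser" datasource="#application.dsn#">
    SELECT id, name FROM users
    WHERE id = #url.id#
      AND status = '#form.status#'
</cfquery>

<cfquery name="getOrder" datasource="#application.dsn#">
    SELECT * FROM orders
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    ORDER BY #variables.sortCol#
</cfquery>
"""

if __name__ == "__main__":
    for qname, line, expr in find_unparamed_refs(SAMPLE_CFM):
        print(f"line {line}: query '{qname}' uses #{expr}# without cfqueryparam")
```

Run `scan_tree("/path/to/webroot")` to get a per-file report for a real tree. Note that the `ORDER BY #variables.sortCol#` finding is the case Isaac and Judah discuss later in this thread: a cfqueryparam cannot be used for a column name, so that one needs a whitelist check rather than a parameter.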
Re: New SQL Injection
Thanks, but all of mine are fixed finally. You should talk to the CF people to get that integrated with either cold fusion or dreamweaver..

At 09:58 PM 9/20/2008, Michael Dinowitz wrote:
> If you're interested, I have a project that I just wrote for a client that will allow you to scan an entire directory tree for all files that have a cfquery with un-paramed variables and fix them. It doesn't work automatically (it could but I disabled that option) but instead gives you the queries on a screen with a select next to each un-paramed variable with a suggested option. It's not a polished app for commercial use but a tool for back end site optimization. So if you're up for a beta, let me know.
>
> On Sat, Sep 20, 2008 at 9:45 AM, Al Musella, DPM [EMAIL PROTECTED] wrote:

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:312861
REACTOR and SQL injection
Is it still possible to injection hack a site that is using the REACTOR framework?

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:312507
Re: REACTOR and SQL injection
> Is it still possible to injection hack a site that is using the REACTOR framework?

If you're using it the way it was designed to be used, probably not. There's a short list of things you should avoid with DataFaucet on the wiki and probably a very similar list would apply with Reactor. Here's the list for DataFaucet:

http://datafaucet.wikispaces.com/SQL+Injection

Hopefully you should be able to extrapolate from that if you're doing anything with Reactor that might make you vulnerable. :)

--
s. isaac dealey ^ new epoch
isn't it time for a change?
ph: 781.769.0723
http://onTap.riaforge.org/blog

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:312512
Re: REACTOR and SQL injection
That's a nice list Isaac, but I'm curious about two things.

1) what is the sort versus order by. I'm quite familiar with the order by clause but I've never heard of a sort clause. Perhaps you mean something else?

2) You say to not put ANY user-supplied variables into the content property of a dynamic filter (i.e. stmt.sqlFilter(column,form.x,in)). I can understand the reasoning behind that, but that is a very common task. There are lots of reasons to let the user order the data by various columns and that should be a standard feature of most any tabular data display. So how would you suggest that developers implement the feature? I personally would have a built in list of columns that could be sorted by and then double check on the server side to make sure that the chosen sort field is in the allowable list before adding the filter. Do you have other suggestions?

Cheers,
Judah

On Sat, Sep 13, 2008 at 11:29 AM, s. isaac dealey [EMAIL PROTECTED] wrote:
> > Is it still possible to injection hack a site that is using the REACTOR framework?
>
> If you're using it the way it was designed to be used, probably not. There's a short list of things you should avoid with DataFaucet on the wiki and probably a very similar list would apply with Reactor. Here's the list for DataFaucet:
>
> http://datafaucet.wikispaces.com/SQL+Injection
>
> Hopefully you should be able to extrapolate from that if you're doing anything with Reactor that might make you vulnerable. :)

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:312513
Re: REACTOR and SQL injection
> That's a nice list Isaac, but I'm curious about two things.

Thanks Judah. :) This should help me improve the wiki and the documentation.

> 1) what is the sort versus order by. I'm quite familiar with the order by clause but I've never heard of a sort clause. Perhaps you mean something else?

Right. As far as I know, there's not a sort clause in SQL. The sort feature is a DataFaucet feature that allows you to safely use user-supplied data in the order-by, actually in much the way you described in question 2. So when you're building a query with DataFaucet, you might have something like this:

qry = ds.getSelect(table=mytable,orderby=a,b,c).sort(url.sort)

Now what DataFaucet does with that is set a default sort order using the orderby property you supplied. It then will pre-pend the value of url.sort to that order, so if the user goes to index.cfm?sort=d,c/desc it will create the order by clause

order by d desc, c desc, a, b

(it also eliminates the dup-c because duplicated columns cause errors with some databases)

Before it prepends those columns it verifies that the columns specified exist in that table, so for example, if a malicious user were to enter the url index.cfm?sort=DECLARE... it would automatically remove the malicious sort string because it won't find it in the list of available columns in that table.

The OrderBy property however is not protected. So you can have things in the orderby property that aren't allowed in sort, like concatenated columns or a coalesce(). So orderby=coalesce(a,b) is allowed, but sort=coalesce(a,b) will be stripped to protect you. Hence the reason why you should never put user data in orderby, because sort has been provided as a tool to protect you from SQL-injection attempts while still giving you the freedom to do some of those more advanced things you might want to do with orderby.

There's a brief section on sorting in the docs for select statements here: http://www.datafaucet.com/sqlselect.cfm

> 2) You say to not put ANY user-supplied variables into the content property of a dynamic filter (i.e. stmt.sqlFilter(column,form.x,in)). I can understand the reasoning behind that, but that is a very common task.

Actually dynamic filters in DataFaucet are pretty uncommon. I can't even think of any in my code offhand. There are a number of different types of filters in DataFaucet - there's a standard filter and then there are numeric, date, etc. filters which really are just helpers or shortcuts for doing more sophisticated kinds of filtering although they ultimately all use the same standard filters underneath, just with different syntax sugars applied.

A dynamic filter in DataFaucet isn't your standard where col = 3 kind of filter. A dynamic filter is a filter that's been declared with the dynamic property so that you can for example compare it against another column name, so it's things like where col1 like '%' + col2 + '%'. They only exist to allow the flexibility to perform some advanced SQL tasks that honestly I can't recall needing with any of the apps I've built with DataFaucet. I think I added it originally because it was requested by Aaron Rouse. (Hi Aaron!) :)

The reason why you don't want to put user supplied data in the content property of those filters is because when the filter is declared as dynamic, the content value is just output directly into the query without any modification and without any query parameters... It can't use query parameters for that because that would turn the column reference col2 (in the above example) into a literal value of col2, so you'd get this

where col1 like '''%'' + col2 + ''%'''

which won't match the way you want if you're using a dynamic filter.

There's a page on dynamic filters in the documentation here: http://www.datafaucet.com/sqldynamicfilter.cfm

> There are lots of reasons to let the user order the data by various columns and that should be a standard feature of most any tabular data display. So how would you suggest that developers implement the feature? I personally would have a built in list of columns that could be sorted by and then double check on the server side to make sure that the chosen sort field is in the allowable list before adding the filter. Do you have other suggestions?

Yep, DataFaucet uses the list of columns that are actually in the table to determine what columns are allowed in the sort property. Anything not found in the table is dropped from the query. So it's basically what you're describing here, though it automates the list so you don't have to write it out manually.

--
s. isaac dealey ^ new epoch
isn't it time for a change?
ph: 781.769.0723
http://onTap.riaforge.org/blog

Archive: http://www.houseoffusion.com/groups/CF
Re: SQL injection attack on House of Fusion
Just got nailed myself - dammit - 15 years of knowledge. Have code reviewed and wasn't my CFML (at this stage) so maybe a new IIS vulnerability? My attack occurred recently - possibly in the last 24 hours or so. Have disabled the database and CFABORTed any code that interacts with the database until I can solve the disastrous problem (apparently the attack came from China). Sigh!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311556
RE: SQL injection attack on House of Fusion
> Have code reviewed and wasn't my CFML (at this stage) so maybe a new IIS vulnerability?

I seriously doubt this has anything to do with IIS, since IIS can't interact directly with your database.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311562
Re: SQL injection attack on House of Fusion
Open the website log with word and do a search for DECLARE; you will find a lot of entries.. Look for a filename that is in a different directory than what you expected.. I think I got hit from a template that was in an old, unused directory from many years ago. I recently went through the server and deleted all of my old unused directories.. Also look for any ASP pages that are being hit..

At 06:46 AM 8/26/2008, you wrote:
> Just got nailed myself - dammit - 15 years of knowledge. Have code reviewed and wasn't my CFML (at this stage) so maybe a new IIS vulnerability? My attack occurred recently - possibly in the last 24 hours or so. Have disabled the database and CFABORTed any code that interacts with the database until I can solve the disastrous problem (apparently the attack came from China). Sigh!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311574
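Al's three checks (search the log for DECLARE, look for requests landing in directories you did not expect, and watch for ASP pages being hit) are easy to automate over an IIS log instead of opening it in Word. The following is an added Python example written for this page, not code from the thread: it URL-decodes the query string of each W3C-format log line, looks for the keywords named in this thread, and flags unexpected paths and ASP hits. The log lines are constructed, the field order assumed is the one in the `#Fields:` header, and `EXPECTED_ROOTS` is a placeholder for the directories your own site actually serves.

```python
"""Scan IIS (W3C extended) log lines for the SQL-injection probes this thread describes.

Added example, not from the thread. The log lines are constructed and the field
order assumes the common layout listed in the #Fields: header; adjust FIELD_* if
your log has a different set of columns.
"""
from urllib.parse import unquote_plus

# Substrings named in this thread, checked against the URL-decoded query string.
INDICATORS = ("declare ", "convert(int", "information_schema", "sp_password")

# Assumption: directories the site is known to serve; anything else is worth a look.
EXPECTED_ROOTS = ("/news/", "/about/")

# Indices into a split W3C line for the assumed #Fields: layout.
FIELD_STEM, FIELD_QUERY, FIELD_CLIENT = 4, 5, 8

# Constructed sample: one normal hit, two probes, and a request for an ASP page.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2008-08-26 03:14:01 10.0.0.5 GET /news/article.cfm id=42 80 - 192.0.2.10 Mozilla/4.0 200
2008-08-26 03:14:07 10.0.0.5 GET /old_site/list.cfm cat=1%3BDECLARE+%40q+varchar(8000) 80 - 198.51.100.7 Mozilla/4.0 500
2008-08-26 03:15:22 10.0.0.5 GET /news/article.cfm id=5+and+1%3Dconvert(int%2C(select+top+1+table_name+from+information_schema.tables))--sp_password 80 - 198.51.100.7 Mozilla/4.0 500
2008-08-26 03:16:40 10.0.0.5 GET /legacy/search.asp q=test 80 - 198.51.100.7 Mozilla/4.0 404
"""


def scan_log(text: str):
    """Return one dict per suspicious request: injection keywords found, a path outside
    the expected directories, or a request for an ASP page (all three are things the
    message above says to look for)."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # W3C header/comment lines
        fields = line.split(" ")  # IIS encodes spaces inside fields as '+', so this is safe
        if len(fields) <= FIELD_CLIENT:
            continue
        stem, query, client = fields[FIELD_STEM], fields[FIELD_QUERY], fields[FIELD_CLIENT]
        decoded = unquote_plus(query).lower()
        hits = [word for word in INDICATORS if word in decoded]
        unexpected = not any(stem.startswith(root) for root in EXPECTED_ROOTS)
        asp = stem.lower().endswith(".asp")
        if hits or unexpected or asp:
            findings.append({"client": client, "stem": stem, "indicators": hits,
                             "unexpected_dir": unexpected, "asp": asp})
    return findings


def probing_clients(findings):
    """Sorted list of client addresses that sent at least one indicator keyword."""
    return sorted({f["client"] for f in findings if f["indicators"]})


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f)
    print("clients sending probes:", probing_clients(results))
```

Decoding before matching matters: in the raw log the keywords are split by `+` and `%xx` escapes, so a plain text search for `DECLARE` in Word finds some lines but misses a variant that arrives differently encoded. The "unexpected directory" flag is what surfaces the forgotten template Al describes, since the probe itself looks the same whichever page it lands on.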
Re: SQL injection attack on House of Fusion
On Tue, Aug 26, 2008 at 4:46 AM, Peter Tilbrook wrote:
> Just got nailed myself - dammit - 15 years of knowledge.

There are at least 2 tools available that will search through your code looking for unparamed variables, and I think Larry posted a simple regex that you could use from within Eclipse. Those will help.

I actually got a little nutty and wrote my own tool, that does a bit of database introspection, rewrites the query using the correct cfsqldatatypes, and then tests the query. Kinda cool, wasn't too hard, conceptually-- you have the DSN right there.

It doesn't work with stored procedures (which shouldn't matter, 'cause I think they are type-checked by the DB first anyways), although, I was thinking (about something Jochem said about the difficulty of introspecting stored procedures and whatnot, sorta) that since I think the DB will give you the source for the procedure or function, you could use /that/ to introspect them, and create ORM type deals. Right? You would have to code stuff for each DB (or at least the most popular at first), which is a little sucky, but I think unavoidable. There are certainly similarities between DBs tho, which would make it a tad easier. Probably just pie-in-the-sky type thinking, ignoring some fundamental problem, but it sounds kind of plausible.

Anyways, half-way through coding my thing, I was like, damn, this would have been a perfect use for ANTLR! There are even grammar files for SQL, which would make parsing that easier. Oh well. Maybe the next version. LOL. After I finish this one.

I'm still messing with the UI for it- uses dojo (of course) with a nice split screen, the top half has a tree control for browsing the files and folders with unparamed queries, and the bottom half actually shows you the source that would change, assuming the query passes the test. Still need to add de-select, so you can ignore directories, files, or individual queries, and then I'll probably post a link to it.

I started getting a little excited while coding it, thinking about the... what was it called? Ah, yes- coding standards/review. I remember Will had posted a tool, and I had been toying with creating a tool for managing the attributes (hint, access, etc..) of functions/CFCs myself... wouldn't it be nice to have a tool that would do everything (format code, check for unvared variables, maybe even allow for drag-and-drop moving of functions/refactoring? (Ok, that's kinda extreme, but it was an exciting thought.)). Maybe tie it into the SVN stuff, even? Heh.

I began thinking about getting all wiggy with it, because I wrote the code in a pretty sloppy manner (switching between camelCase and all lowercase, cutting/pasting functions and not changing the hint attribute, etc.), and was like, hell, I could tweak this tool to tweak itself. And then every time I switched between styles, I was, like, hey, I'm creating a test-case! LOL. Something like that.

It would be pretty easy, as it currently is, to have the tool replace queries like SELECT * FROM sometable with the actual column names, for instance, or even do things like refactor queries, changing column or table names... I grab the DSN metadata, and parse the SQL into table names and column names, so it's all there.

I need a bunch more bad query test cases, for various DB dialects, but I'm thinking I'll link up with the group I saw at some point (maybe it was just a blog post, now that I think about it), that's specifically targeting the prevention of injection attacks, and see if we can't get a nice set of cross-database testcases to use for tools like this.

So, in the end I hope to have a source-code maintenance type tool, as I think it sounds kind of cool. Over time, it looks like it would become a freaking web-based IDE. :-)p Heh... I started thinking about how I could pull off some cool DB/query stuff within CFEclipse again, while messing around with this stuff. But I digress... LOL.

:)e|\|

--
Haste is of the Devil.
St. Jerome

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311626
RE: SQL injection attack on House of Fusion
> It doesn't work with stored procedures (which shouldn't matter, 'cause I think they are type-checked by the DB first anyways)

Well, not necessarily. As Mark pointed out when this thread started - it feels like it was long, long ago - if you're calling a stored procedure from CFQUERY you have to check your variables there too. If you're using CFSTOREDPROC, that builds a prepared statement that calls the stored procedure for you, and you don't have to worry about it.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311630
RE: Something other than SQL injection attack on House of Fusion
Can someone PLEASE change the title of this thread???

-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 26, 2008 3:01 PM
To: CF-Talk
Subject: RE: SQL injection attack on House of Fusion

> > It doesn't work with stored procedures (which shouldn't matter, 'cause I think they are type-checked by the DB first anyways)
>
> Well, not necessarily. As Mark pointed out when this thread started - it feels like it was long, long ago - if you're calling a stored procedure from CFQUERY you have to check your variables there too. If you're using CFSTOREDPROC, that builds a prepared statement that calls the stored procedure for you, and you don't have to worry about it.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311632
Andy Matthews has too much free time - was... SQL injection attack on House of Fusion
Sorry Andy, I couldn't resist. =]

On Tue, Aug 26, 2008 at 1:46 PM, Andy Matthews [EMAIL PROTECTED] wrote:
> Can someone PLEASE change the title of this thread???

--
Alan Rother
Adobe Certified Advanced ColdFusion MX 7 Developer
Manager, Phoenix Cold Fusion User Group, AZCFUG.org

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311633
RE: Andy Matthews has too much free time - was... SQL injection attack on House of Fusion
:P

-Original Message-
From: Alan Rother [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 26, 2008 3:57 PM
To: CF-Talk
Subject: Andy Matthews has too much free time - was... SQL injection attack on House of Fusion

> Sorry Andy, I couldn't resist. =]
>
> On Tue, Aug 26, 2008 at 1:46 PM, Andy Matthews [EMAIL PROTECTED] wrote:
> > Can someone PLEASE change the title of this thread???
>
> --
> Alan Rother
> Adobe Certified Advanced ColdFusion MX 7 Developer
> Manager, Phoenix Cold Fusion User Group, AZCFUG.org

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311635
Re: SQL injection attack on House of Fusion
On Tue, Aug 26, 2008 at 2:01 PM, Dave Watts wrote:
> > It doesn't work with stored procedures (which shouldn't matter, 'cause I think they are type-checked by the DB first anyways)
>
> Well, not necessarily. As Mark pointed out when this thread started - it feels like it was long, long ago - if you're calling a stored procedure from CFQUERY you have to check your variables there too. If you're using CFSTOREDPROC, that builds a prepared statement that calls the stored procedure for you, and you don't have to worry about it.

Ah, thank you Dave! I was thinking of cfstoredproc, I reckon.

/tips hat
:Denny

--
Marriage is good for those who are afraid to sleep alone at night.
St. Jerome

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311642
Re: SQL injection attack on House of Fusion
That is, unless you concatenate SQL in your stored procedure.

http://www.codersrevolution.com/index.cfm/2008/7/22/When-will-cfqueryparam-NOT-protect-me

~Brad

- Original Message -
From: denstar [EMAIL PROTECTED]
To: CF-Talk cf-talk@houseoffusion.com
Sent: Tuesday, August 26, 2008 6:26 PM
Subject: Re: SQL injection attack on House of Fusion

> On Tue, Aug 26, 2008 at 2:01 PM, Dave Watts wrote:
> > > It doesn't work with stored procedures (which shouldn't matter, 'cause I think they are type-checked by the DB first anyways)
> >
> > Well, not necessarily. As Mark pointed out when this thread started - it feels like it was long, long ago - if you're calling a stored procedure from CFQUERY you have to check your variables there too. If you're using CFSTOREDPROC, that builds a prepared statement that calls the stored procedure for you, and you don't have to worry about it.
>
> Ah, thank you Dave! I was thinking of cfstoredproc, I reckon.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311643
The thread formally known as the SQL injection attack on House of Fusion
I hereby decree, in the name of all that doesn't suck, that from this day forth this thread will be hereby named "The thread formally known as the SQL injection attack on House of Fusion".

~G~

On Tue, Aug 26, 2008 at 4:46 PM, Andy Matthews [EMAIL PROTECTED] wrote:
> Can someone PLEASE change the title of this thread???
>
> -Original Message-
> From: Dave Watts [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 26, 2008 3:01 PM
> To: CF-Talk
> Subject: RE: SQL injection attack on House of Fusion
>
>>> It doesn't work with stored procedures (which shouldn't matter, 'cause I think they are type-checked by the DB first anyways)
>>
>> Well, not necessarily. As Mark pointed out when this thread started - it feels like it was long, long ago - if you're calling a stored procedure from CFQUERY you have to check your variables there too. If you're using CFSTOREDPROC, that builds a prepared statement that calls the stored procedure for you, and you don't have to worry about it.
>>
>> Dave Watts, CTO, Fig Leaf Software
>> http://www.figleaf.com/
>> Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311644
RE: Something other than SQL injection attack on House of Fusion
Why? So everyone can create more filters?

..:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com
http://cf4em.com

-Original Message-
From: Andy Matthews [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 26, 2008 4:47 PM
To: CF-Talk
Subject: RE: Something other than SQL injection attack on House of Fusion

> Can someone PLEASE change the title of this thread???
>
> -Original Message-
> From: Dave Watts [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 26, 2008 3:01 PM
> To: CF-Talk
> Subject: RE: SQL injection attack on House of Fusion
>
>>> It doesn't work with stored procedures (which shouldn't matter, 'cause I think they are type-checked by the DB first anyways)
>>
>> Well, not necessarily. As Mark pointed out when this thread started - it feels like it was long, long ago - if you're calling a stored procedure from CFQUERY you have to check your variables there too. If you're using CFSTOREDPROC, that builds a prepared statement that calls the stored procedure for you, and you don't have to worry about it.
>>
>> Dave Watts, CTO, Fig Leaf Software
>> http://www.figleaf.com/
>> Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311648
Re: SQL injection attack on House of Fusion
On Tue, Aug 26, 2008 at 5:42 PM, Brad Wood wrote:
> That is, unless you concatenate SQL in your stored procedure.
> http://www.codersrevolution.com/index.cfm/2008/7/22/When-will-cfqueryparam-NOT-protect-me

Perfect example, thanks!

Yeah, dunno what I was thinking... parsing that stuff would be not un-hard. =]

Ah, yes, not impossible... but screw that idea. I'll stick to cleaning up simple queries and whatnot. :op

--
The scars of others should teach us caution. St. Jerome

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311650
Re: Something other than SQL injection attack on House of Fusion
On Tue, Aug 26, 2008 at 7:18 PM, Bobby Hartsfield wrote:
> Why? So everyone can create more filters?

Filters?!?! If you've been filtering, you've been missing out! There's been action, adventure, intrigue! We've been working on it this whole time. Has a nice little narrative... a beginning, middle, and end... some friends become enemies, some enemies become friends... at the end, we are all richer from the experience.

--
They talk like angels but they live like men. St. Jerome

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311651
Re: SQL injection attack on House of Fusion
On Sun, Aug 17, 2008 at 10:43 AM, Jochem wrote:
> denstar wrote:
>> Or maybe you've got a simple solution, to how one would limit URL requests to only allowable values?
>
> I don't think simple solutions exist. The closest I have seen that still was simple yet appeared to be somewhat effective was a company that did something akin to hungarian notation. They had all their variables typed like user_uuid and article_int and they did type / bounds checking in the webserver, throwing security errors on every type mismatch or occurrence of a variable without the type declared.

That actually doesn't sound too painful. More cpu intensive compared to what I've got now (unless my keyword blacklist keeps growing), but pretty simple.

I get the idea of deny, allow, but when you can cut out like 95% of the crap with a super-fast "this is bad" type deal... hmm... my real-world mind says go for it, while my programmer perfect world mind knows it's not the most secure angle. Stupid trade-offs! Wish we could pick all three, as the saying goes. Heh.

I'm actually liking the idea of only passing ID numbers in the url request, which would make for a simple rule. Hmm... What else would you really need to pass besides a single token, the thread of the web? Am I thinking screwy, or what?

Doesn't do squat for form or anywhere else, I reckon-- but what's the percentage of form submissions vs. url requests? Eh. Guess, like all things, it sorta depends on what you're doing, and trying to do, etc..

Thanks Jochem, I always enjoy your correspondence.

:Denny
--
Catch, then, O catch the transient hour; Improve each moment as it flies! St. Jerome

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311513
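The typed-name check Jochem describes above (user_uuid, article_int, a security error on any mismatch or untyped name), as an added Python example that is not code from the thread or from any product mentioned in it; the suffix table, the integer bounds and the SecurityError class are my assumptions.

```python
import re
import uuid

# Added example, not code from the thread: the typed-parameter-name
# convention Jochem describes (user_uuid, article_int), with the type and
# bounds check done before the request reaches application code. The
# suffixes, limits and error class are assumptions, not a real product's.

class SecurityError(ValueError):
    """Raised when a request parameter fails the typed-name check."""

_INT_RE = re.compile(r"^-?\d{1,10}$")

def _check_int(value, lo=-2_147_483_648, hi=2_147_483_647):
    # Digits only, then a bounds check against a 32-bit signed range.
    return bool(_INT_RE.match(value)) and lo <= int(value) <= hi

def _check_uuid(value):
    try:
        uuid.UUID(value)
    except ValueError:
        return False
    return True

def _check_bool(value):
    return value.lower() in ("0", "1", "true", "false")

# Suffix -> validator. There is deliberately no free-text type, so an
# unbounded string cannot arrive via the URL at all (Den's "only pass
# ID numbers" idea); anything textual has to come through another path.
TYPE_CHECKS = {"int": _check_int, "uuid": _check_uuid, "bool": _check_bool}

def validate_url_params(params):
    """Validate a {name: value} dict of URL parameters; return it unchanged."""
    for name, value in params.items():
        if "_" not in name:
            raise SecurityError(f"untyped parameter: {name}")
        check = TYPE_CHECKS.get(name.rsplit("_", 1)[1])
        if check is None:
            raise SecurityError(f"unknown type suffix on: {name}")
        if not isinstance(value, str) or not check(value):
            raise SecurityError(f"type mismatch: {name}={value!r}")
    return params

def is_valid_request(params):
    """Boolean wrapper, convenient for a front controller or a test."""
    try:
        validate_url_params(params)
    except SecurityError:
        return False
    return True
```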
Re: SQL injection attack on House of Fusion
On Wed, Aug 20, 2008 at 4:37 PM, Dave Watts wrote:
> Your main concern is not the consumption of resources as a result of an automated attack. That's just like any other denial of service attack, basically. If you can filter it out successfully, that's good for you, but you should be far more concerned with the results of a successful SQL injection attack.

Hey Dave! Not to argue the difference between if(len()) and if(len() eq 0)... [-;)

I think DoS attacks are something to be aware of. I shudder to think of a million error emails, and the load that puts on multiple servers, bandwidth, etc.. DoS attacks are one of those deals that can cascade. Like the Great Black-out, of whatever year that was. 70-something? Or like the bank crisis of the late 90s... Eh.

Not to lessen the injection attacks, which are more likely to cause real damage, and are more likely to expose a security hole than DoS (but DoS can end up exposing quite a bit too, so) yeah, just wanted to say, the layered thing seems the way to do it. Low level, quick stuff, and high level, (most likely) slower stuff.

For a web-app developer though (no admin responsibilities), maybe it goes like this:

1) Sanitizing *all* user input. GiGo.
2) Avoid a self-imposed DoS, by things like error emails with no throttle, emailed logs/huge logs on disk/in memory, or whatever.

Just wanted to sorta put emphasis on the fact that a DoS is still something that's pretty bad, and *can* end up being as bad, or worse, than injection attacks. Just adding some emphasis, is all. You can DoS yourself with some of the solutions I've seen to the injection attacks.

Not that we really have to worry, right? I'm sure we're all doing load-testing, and part of that is testing a massive amount of errors, right (intentional or no;)? Right? Hahahahaha. *sigh* someday. :-)

Man, how did I get here from trying to express the idea that one attack can cascade into another kind of attack, or something like that? Eh. *shrug* :-)

May your buffers never overflow,
|Den
--
Catch, then, O catch the transient hour; Improve each moment as it flies! St. Jerome

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311515
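Den's point 2 above (error emails with no throttle turning an attack flood into a self-inflicted DoS), as an added Python example that is not code from the thread; the throttle class, the window sizes and the injected `send` callable are my assumptions.

```python
import time
from collections import deque

# Added example, not code from the thread: a per-signature throttle for
# error-notification e-mails, so a burst of failed requests cannot turn
# the alerting itself into the self-imposed DoS Den warns about. The
# class, its limits and the `send` callable are assumptions.

class ErrorMailThrottle:
    def __init__(self, max_per_window, window_seconds, clock=time.monotonic):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.clock = clock          # injectable for deterministic tests
        self._sent = {}             # signature -> deque of send times
        self.suppressed = {}        # signature -> mails dropped since last send

    def should_send(self, signature):
        """True if a mail for this error signature may go out right now."""
        now = self.clock()
        q = self._sent.setdefault(signature, deque())
        while q and now - q[0] >= self.window:   # drop stale timestamps
            q.popleft()
        if len(q) < self.max_per_window:
            q.append(now)
            return True
        self.suppressed[signature] = self.suppressed.get(signature, 0) + 1
        return False

    def notify(self, signature, send):
        """Send via send(subject) unless throttled; return True if sent.

        The signature should be the error type plus template path, not the
        raw request string, so every distinct payload shares one bucket.
        """
        if not self.should_send(signature):
            return False
        dropped = self.suppressed.pop(signature, 0)
        suffix = f" ({dropped} similar suppressed)" if dropped else ""
        send(f"Request error: {signature}{suffix}")
        return True
```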
Re: SQL injection attack on House of Fusion
Mary Jo,

I've done some additional testing and have found that the prior version of the SQL Injection Blocker does better when challenged with the HP Scrawlr testing tool than the newest version. Rolling back to the prior release also solved the false positive problem for the three towns mentioned earlier.

Matt

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311464
Re: SQL injection attack on House of Fusion
> I've done some additional testing and have found that the prior version of the SQL Injection Blocker does better when challenged with the HP Scrawlr testing tool than the newest version. Rolling back to the prior release also solved the false positive problem for the three towns mentioned earlier.

Hhm, interesting. My own customers ran into several problems with that version, that have been fixed with the new one. I'm not surprised it does better with Scrawlr though, as for us it had way more false positives and was blocking *too* much stuff. Just goes to show, there's no one solution that works for everyone...and how important it is not to rely on these tools exclusively since they clearly do not work 100% of the time.

--- Mary Jo

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311467
Re: SQL injection attack on House of Fusion
> I've upgraded to the latest version of Mary Jo's tool to filter attempts at SQL injection. It works well, but I found three interesting false positives today.
>
> My site has community profiles for cities and towns. The URL for these profiles includes the county name as well as the city or town name. There are Union counties in North Carolina, New Jersey and Ohio. There are three towns that get a false positive flag. They all start with All (Allenwood, Allen Center and Allens Crossroads). The URLs have the format of /Union/Allenwood.cfm, /Union/Allen-Center.cfm and /Union/Allens-Crossroads.cfm. Clearly, the combination of Union/All is causing the problem.
>
> Can anyone suggest a modification to the code that would eliminate the false positives without substantially weakening the filter? The RegEx in her tool, (http://www.cfwebstore.com/index.cfm?fuseaction=page.downloaddownloadID=18), is way beyond my skill set.
>
> TIA,
> Matt

Thanks for pointing this out...I updated the tool on my site to address this and also switched it to use a different RegEx that seems to work better and throw less false positives. Same link to download as before: http://www.cfwebstore.com/index.cfm?fuseaction=page.downloaddownloadID=18

--- Mary Jo

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311450
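Where the Union/All false positive comes from, as an added Python example that is not the RegEx from Mary Jo's tool or Luis Melo's: two hypothetical blocklist patterns are run over the URLs Matt reported, showing that a loose keyword match flags them while a keyword-boundary pattern does not; both patterns and the extra sample strings are my constructions.

```python
import re

# Added example, not the filter from Mary Jo's tool or Luis Melo's RegEx:
# two hypothetical blocklist patterns run over the URLs from this thread,
# to show where the "Union/All" false positive comes from and how a
# keyword-boundary pattern avoids it. Patterns and samples are constructed.

# Loose pattern: "union" followed anywhere later by "all" or "select".
LOOSE = re.compile(r"union.*(?:all|select)", re.IGNORECASE)

# Stricter pattern: whole SQL keywords in UNION [ALL] SELECT order,
# separated only by whitespace or its common URL encodings.
_WS = r"(?:\s|%20|\+)+"
STRICT = re.compile(
    r"\bunion\b" + _WS + r"(?:all" + _WS + r")?select\b", re.IGNORECASE
)

# The three real URLs Matt reported, plus one constructed benign path.
BENIGN = [
    "/Union/Allenwood.cfm",
    "/Union/Allen-Center.cfm",
    "/Union/Allens-Crossroads.cfm",
    "/Union/meeting-halls.cfm",   # constructed: "all" hides inside "halls"
]

# Constructed strings shaped like the probes such filters exist to catch.
PROBES = [
    "page.cfm?id=1' UNION ALL SELECT 1--",
    "page.cfm?id=1'+union+select+1",
]

def is_blocked(url, pattern):
    """True when the pattern would make the filter reject this URL."""
    return pattern.search(url) is not None

def false_positives(pattern, benign_urls=BENIGN):
    """Benign URLs a pattern wrongly blocks; an empty list is the goal."""
    return [u for u in benign_urls if is_blocked(u, pattern)]

def missed_probes(pattern, probes=PROBES):
    """Probe strings a pattern lets through; tightening must keep this empty."""
    return [p for p in probes if not is_blocked(p, pattern)]
```

Neither pattern is a substitute for cfqueryparam: the stricter one only narrows what the filter flags, which is Mary Jo's point about not relying on such tools exclusively.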
Re: SQL injection attack on House of Fusion
> Can anyone suggest a modification to the code that would eliminate the false positives without substantially weakening the filter?

The one in there now is by Luis Melo and his email is in the credits. You might want to send them along to him as I know he plans to work more on reducing the false positives as he has time. It's definitely a challenge to make sure you catch everything bad and let everything good through, so some false positives are probably inevitable.

--- Mary Jo

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311455
Re: SQL injection attack on House of Fusion
> My site has community profiles for cities and towns. The URL for these profiles includes the county name as well as the city or town name. There are Union counties in North Carolina, New Jersey and Ohio.

Or...maybe you could just get the states to rename that county. ;-)

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311456