RE: URL Hacks - Solution
Josh,

Where is the script now? Is it available? I must have missed that if it was.

Thanks.

Lee Fuller
Chief Technical Officer
PrimeDNA Corporation / AAA Web Hosting Corporation
"We ARE the net."
http://www.aaawebhosting.com

~~ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: URL Hacks - Solution
> Date: Wed, 11 Jul 2001 14:57:10 -0400
> From: Chad Gray <[EMAIL PROTECTED]>
> Subject: RE: URL Hacks - Solution
>
> I added the following things to your script to check for:
> exec%xp_cmdshell
> exec+xp_cmdshell
> exec xp_cmdshell
>
RE: URL Hacks - Solution
I added the following things to your script to check for:

exec%xp_cmdshell
exec+xp_cmdshell
exec xp_cmdshell
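Chad's three entries are three encodings of one phrase, so a filter that compares raw parameter text will match only one of them. The Python below is an added example, not Chad's additions or Josh's cf_antihack code: it URL-decodes each query parameter until the value stops changing, collapses whitespace and lower-cases it, and only then looks for the phrases the thread proposes filtering, recording a log line with the remote address in the spirit of Josh's notify-and-block idea. The pattern list, function names and sample URLs are constructed for this example.

```python
import logging
import re
from urllib.parse import unquote_plus, urlsplit

# Phrases the thread proposes checking for, matched after normalization so
# the "%20", "+" and literal-space spellings all collapse to the same text.
# (Assumed list for this example; extend it to suit the application.)
SUSPICIOUS = [
    re.compile(r"\bxp_cmdshell\b"),
    re.compile(r"\bdrop\s+table\b"),
    re.compile(r";\s*(?:drop|delete|insert|update|exec|execute)\b"),
]

log = logging.getLogger("antihack")


def normalize(raw, max_rounds=3):
    """URL-decode until the value stops changing (catches double encoding),
    then collapse whitespace runs and lower-case for case-insensitive matching."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", value).strip().lower()


def parse_query(query):
    """Split a raw query string into (name, value) pairs without decoding,
    so a ';' inside a value is never mistaken for a pair separator."""
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name, value))
    return pairs


def inspect_url(url):
    """Return [(param_name, matched_pattern), ...] for every parameter whose
    normalized value contains one of the suspicious phrases."""
    hits = []
    for name, raw in parse_query(urlsplit(url).query):
        norm = normalize(raw)
        for pat in SUSPICIOUS:
            if pat.search(norm):
                hits.append((unquote_plus(name), pat.pattern))
                break
    return hits


def check_request(remote_addr, url):
    """Decide whether to serve the request; on a hit, emit a log line that
    can feed the e-mail notification the thread discusses."""
    hits = inspect_url(url)
    if hits:
        line = "blocked %s: %s" % (remote_addr, ", ".join(n for n, _ in hits))
        log.warning(line)
        return {"allowed": False, "hits": hits, "log": line}
    return {"allowed": True, "hits": [], "log": ""}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample requests: the slideshow.cfm URL quoted in the thread
    # and Chad's three spellings of the xp_cmdshell phrase.
    samples = [
        "http://www.vawter.com/slideshow.cfm?seldir=90",
        "http://www.vawter.com/slideshow.cfm?seldir=90;'%20DROP%20TABLE%20IMAGES",
        "http://www.vawter.com/slideshow.cfm?seldir=exec%xp_cmdshell",
        "http://www.vawter.com/slideshow.cfm?seldir=exec+xp_cmdshell",
        "http://www.vawter.com/slideshow.cfm?seldir=exec%20xp_cmdshell",
    ]
    for url in samples:
        print(check_request("192.0.2.10", url))
```

The decode loop is the part that matters: a phrase list is only as good as the canonical form it is compared against, and the same normalization should be applied to form fields, since Josh's point that "variables are variables" holds for the filter as well.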
RE: URL Hacks - Solution
Josh,

Do keep us all posted as to the outcome of all this. There are those of us who will, no doubt, want to jump right on any solutions you find. If you need a list to keep up with this, let me know and I'll create a temporary (or permanent if needed) list to accommodate.

Take care...

Lee Fuller
Chief Technical Officer
PrimeDNA Corporation / AAA Web Hosting Corporation
"We ARE the net."
http://www.aaawebhosting.com

> -Original Message-
> From: Josh R [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 10, 2001 10:08 PM
> To: CF-Talk
> Subject: RE: URL Hacks - Solution
>
> > From: "Paris Lundis" <[EMAIL PROTECTED]>
> > Subject: RE: URL Hacks - Solution
> > I think the script is a good first attempt and seems to address the URL hack threads previously that have gone around.
>
> Thank you. My feelings exactly. As usual, Dave Watts was right when he said this script doesn't cover enough attacks. However, it was intended to cover the attack that started this thread. I'll be happy to expand its abilities if I can get some help.
>
> > so programmatically (SQL wise) what else might one post in the string to pickup further data???... May the SQL gods speak...
>
> The fun part about dealing with hack attacks on a public forum like this is that no one wants to dish any details, which is a good thing, but it does make projects like this difficult.
>
> > I think if we all chip in with some specifics this program could get furthered and cover perhaps other known hack arounds...
>
> If anyone has any other info on database hacks that they'd like to help defend against, please contact me off list. The more I know about, the better this script can be.
>
> If you have just general comments, please post them here of course. Maybe your thought will get someone thinking.
>
> Thanks again, Paris for the good words and push to continue.
>
> > From: "Bruce, Rodney" <[EMAIL PROTECTED]>
> > Subject: RE: URL Hacks - Solution
> > URL hacks I think are easier to handle than form.Variables.
>
> As far as I'm concerned, variables are variables. These attacks require certain language context no matter if they come from urls, forms, etc., so filtering out the key phrase(s) the right way *should* repel them.
>
> > But I like the idea of adding the notification by email when an attempted hack is tried and then kicking them off site.
>
> Thanks, Bruce. That's the real meat of my security concepts. If anything unwanted is going on, I want to know about it and get rid of them. I never understood why we throw a friendly error message to someone attacking our system.
>
> But that's just me.
RE: URL Hacks - Solution
> From: "Paris Lundis" <[EMAIL PROTECTED]>
> Subject: RE: URL Hacks - Solution
> I think the script is a good first attempt and seems to address the URL hack threads previously that have gone around.

Thank you. My feelings exactly. As usual, Dave Watts was right when he said this script doesn't cover enough attacks. However, it was intended to cover the attack that started this thread. I'll be happy to expand its abilities if I can get some help.

> so programmatically (SQL wise) what else might one post in the string to pickup further data???... May the SQL gods speak...

The fun part about dealing with hack attacks on a public forum like this is that no one wants to dish any details, which is a good thing, but it does make projects like this difficult.

> I think if we all chip in with some specifics this program could get furthered and cover perhaps other known hack arounds...

If anyone has any other info on database hacks that they'd like to help defend against, please contact me off list. The more I know about, the better this script can be.

If you have just general comments, please post them here of course. Maybe your thought will get someone thinking.

Thanks again, Paris for the good words and push to continue.

> From: "Bruce, Rodney" <[EMAIL PROTECTED]>
> Subject: RE: URL Hacks - Solution
> URL hacks I think are easier to handle than form.Variables.

As far as I'm concerned, variables are variables. These attacks require certain language context no matter if they come from urls, forms, etc., so filtering out the key phrase(s) the right way *should* repel them.

> But I like the idea of adding the notification by email when an attempted hack is tried and then kicking them off site.

Thanks, Bruce. That's the real meat of my security concepts. If anything unwanted is going on, I want to know about it and get rid of them. I never understood why we throw a friendly error message to someone attacking our system.

But that's just me.
RE: URL Hacks - Solution
I might be wrong, but I think that Access will only allow one SQL statement per query; that's why the ; DROP TABLE attack won't work.

As for other SQL commands that could cause damage - how about exec xp_cmdshell, which allows you to execute DOS commands on the server? You don't need to think very much before seeing the damage THAT one could do.

-Original Message-
From: Chad Gray [mailto:[EMAIL PROTECTED]]
Sent: 10 July 2001 14:48
To: CF-Talk
Subject: RE: URL Hacks - Solution

I tried this kind of attack on a test page hooked up to an Access Database, and could not get Access to drop the table. Does Access not recognize the Drop Table SQL command?

I'm also wondering what other SQL commands could be passed other than DROP that could cause damage. I'm really glad this subject has come up.

At 05:42 PM 7/9/2001 -0400, you wrote:
> I think the script is a good first attempt and seems to address the URL hack threads previously that have gone around.
>
> so programmatically (SQL wise) what else might one post in the string to pickup further data???... May the SQL gods speak...
RE: URL Hacks - Solution
I tried this kind of attack on a test page hooked up to an Access Database, and could not get Access to drop the table. Does Access not recognize the Drop Table SQL command?

I'm also wondering what other SQL commands could be passed other than DROP that could cause damage. I'm really glad this subject has come up.

At 05:42 PM 7/9/2001 -0400, you wrote:
> I think the script is a good first attempt and seems to address the URL hack threads previously that have gone around.
>
> so programmatically (SQL wise) what else might one post in the string to pickup further data???... May the SQL gods speak...
RE: URL Hacks - Solution
URL hacks I think are easier to handle than form.Variables. I have limited to a bare minimum the number of variables passed by URL and where I have used them, and where I have, they are limited to a Number/Integer, so that VAL() works well. But with forms, there is such a wide range of information that you are capturing that it makes it a lot harder to control. I have used , which seems to be working well. But I like the idea of adding the notification by email when an attempted hack is tried and then kicking them off site. And if anyone has seen a hack that bypasses , could you share the information. I know it's not the end all for security.

-Original Message-
From: Chad Gray [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 09, 2001 3:11 PM
To: CF-Talk
Subject: RE: URL Hacks - Solution

Where is CF_Input? I can't find it on the Developers exchange.

On a SQL database can't you specify that the user connected to the database cannot use the DROP command? Wouldn't this be the first line of defense?

At 05:00 PM 7/9/2001 -0400, you wrote:
> Why not just use cf_input; this tag works great, you can add words in there like delete, drop and add so that you don't have people entering things into your database.
>
> Robert Everland III
> Dixon Ticonderoga
> Web Developer Extraordinaire
>
> -Original Message-
> From: Josh R [mailto:[EMAIL PROTECTED]]
> Sent: Monday, July 09, 2001 1:46 PM
> To: CF-Talk
> Subject: Re: URL Hacks - Solution
>
> I've been reading this thread since the beginning and came up with a pretty comfortable solution. I call it cf_antihack. It's a blanket script with a pretty quick run time. I haven't placed it on the Developers Exchange yet, but I might.
>
> I am offering it to you guys first so I can get some input on it.
>
> You can get the code at my site at http://www.rubak.com/cf-codes.cfm
>
> Don't forget to give me some feedback. If people like this solution, I plan to increase its reach to cover other security issues.
>
> Disclaimer: I am by no means a security expert. I just came up with (what I think is) a good idea.
RE: URL Hacks - Solution
> On a SQL database can't you specify that the user connected to the database cannot use the DROP command? Wouldn't this be the first line of defense?

Yes. You can specify in the datasource settings, in CF Administrator, that only SQL-DML commands (SELECT, INSERT, UPDATE, DELETE) and/or stored procedure calls are allowed. By itself, this isn't really enough, since you can specify raw connect strings in CF 5, among other reasons.

In addition, when configuring your database, you can use rights within the database. You can create a user with only the necessary rights to modify data as desired, and use that username and password in your ODBC DSN.

Finally, you can use stored procedures and bind parameters to limit what gets sent to the database.

You should be doing all of these things to secure database access whenever possible. This is independent of input filtering. Unfortunately, these things often get neglected.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
RE: URL Hacks - Solution
Where is CF_Input? I can't find it on the Developers exchange.

On a SQL database can't you specify that the user connected to the database cannot use the DROP command? Wouldn't this be the first line of defense?

At 05:00 PM 7/9/2001 -0400, you wrote:
> Why not just use cf_input; this tag works great, you can add words in there like delete, drop and add so that you don't have people entering things into your database.
>
> Robert Everland III
> Dixon Ticonderoga
> Web Developer Extraordinaire
>
> -Original Message-
> From: Josh R [mailto:[EMAIL PROTECTED]]
> Sent: Monday, July 09, 2001 1:46 PM
> To: CF-Talk
> Subject: Re: URL Hacks - Solution
>
> I've been reading this thread since the beginning and came up with a pretty comfortable solution. I call it cf_antihack. It's a blanket script with a pretty quick run time. I haven't placed it on the Developers Exchange yet, but I might.
>
> I am offering it to you guys first so I can get some input on it.
>
> You can get the code at my site at http://www.rubak.com/cf-codes.cfm
>
> Don't forget to give me some feedback. If people like this solution, I plan to increase its reach to cover other security issues.
>
> Disclaimer: I am by no means a security expert. I just came up with (what I think is) a good idea.
RE: URL Hacks - Solution
I think the script is a good first attempt and seems to address the URL hack threads previously that have gone around.

so programmatically (SQL wise) what else might one post in the string to pickup further data???... May the SQL gods speak...

My first level approach, having not experimented at all with this yet, would be people stacking SQL commands... Face it.. selecting the code won't display the result; could someone commit a write to a known table.. for instance, writing a user name, access level etc??? SQL isn't my thing, but I am always amazed at the power and creativity..

I think if we all chip in with some specifics this program could get furthered and cover perhaps other known hack arounds...

-paris

-Original Message-
From: Dave Watts <[EMAIL PROTECTED]>
Date: Mon, 09 Jul 2001 16:55:54 -0400
Subject: RE: URL Hacks - Solution

> > I've been reading this thread since the beginning and came up with a pretty comfortable solution. I call it cf_antihack. It's a blanket script with a pretty quick run time. I haven't placed it on the Developers Exchange yet, but I might.
> >
> > I am offering it to you guys first so I can get some input on it.
> >
> > You can get the code at my site at http://www.rubak.com/cf-codes.cfm
> >
> > Don't forget to give me some feedback. If people like this solution, I plan to increase its reach to cover other security issues.
> >
> > Disclaimer: I am by no means a security expert. I just came up with (what I think is) a good idea.
>
> I'm not a security expert either, but you did ask for feedback, so here goes.
>
> The problem with your tag is that it only defends against a very small set of specific malicious attacks. However, in reality an attacker is usually not interested in purely destructive attacks (DROP TABLE, etc) but rather wants to get access to things that he shouldn't be able to access. For example, the attacker might want to obtain credit card numbers, or might want to install a rootkit on your server, or might simply want a location to stash files. Those sorts of attacks through strings sent to the database are still possible with your tag.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
RE: URL Hacks - Solution
Why not just use cf_input; this tag works great, you can add words in there like delete, drop and add so that you don't have people entering things into your database.

Robert Everland III
Dixon Ticonderoga
Web Developer Extraordinaire

-Original Message-
From: Josh R [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 09, 2001 1:46 PM
To: CF-Talk
Subject: Re: URL Hacks - Solution

I've been reading this thread since the beginning and came up with a pretty comfortable solution. I call it cf_antihack. It's a blanket script with a pretty quick run time. I haven't placed it on the Developers Exchange yet, but I might.

I am offering it to you guys first so I can get some input on it.

You can get the code at my site at http://www.rubak.com/cf-codes.cfm

Don't forget to give me some feedback. If people like this solution, I plan to increase its reach to cover other security issues.

Disclaimer: I am by no means a security expert. I just came up with (what I think is) a good idea.
RE: URL Hacks - Solution
> I've been reading this thread since the beginning and came up with a pretty comfortable solution. I call it cf_antihack. It's a blanket script with a pretty quick run time. I haven't placed it on the Developers Exchange yet, but I might.
>
> I am offering it to you guys first so I can get some input on it.
>
> You can get the code at my site at http://www.rubak.com/cf-codes.cfm
>
> Don't forget to give me some feedback. If people like this solution, I plan to increase its reach to cover other security issues.
>
> Disclaimer: I am by no means a security expert. I just came up with (what I think is) a good idea.

I'm not a security expert either, but you did ask for feedback, so here goes.

The problem with your tag is that it only defends against a very small set of specific malicious attacks. However, in reality an attacker is usually not interested in purely destructive attacks (DROP TABLE, etc) but rather wants to get access to things that he shouldn't be able to access. For example, the attacker might want to obtain credit card numbers, or might want to install a rootkit on your server, or might simply want a location to stash files. Those sorts of attacks through strings sent to the database are still possible with your tag.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
Re: URL Hacks - Solution
I've been reading this thread since the beginning and came up with a pretty comfortable solution. I call it cf_antihack. It's a blanket script with a pretty quick run time. I haven't placed it on the Developers Exchange yet, but I might.

I am offering it to you guys first so I can get some input on it.

You can get the code at my site at http://www.rubak.com/cf-codes.cfm

Don't forget to give me some feedback. If people like this solution, I plan to increase its reach to cover other security issues.

Disclaimer: I am by no means a security expert. I just came up with (what I think is) a good idea.
Re: URL Hacks (even more)
I don't think that hurts anything as long as you use a val() statement.

val(90;''%20DROP%20TABLE%20IMAGES) is still going to be 90.

The worst case scenario is that you will throw a cf error because of syntax but that doesn't hurt anything. Even if they use seldir=90);.. it won't matter because you are feeding in a literal to the val function, not building a sql string with it. The whole point is you have cf do SOMETHING with the value before you tack it on to your odbc string.

- Original Message -
From: "Michael Lugassy" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Friday, July 06, 2001 8:12 AM
Subject: Re: URL Hacks (even more)

> What about people who write something like this:
>
> http://www.vawter.com/slideshow.cfm?seldir=90;'%20DROP%20TABLE%20IMAGES
> or
> http://www.vawter.com/slideshow.cfm?seldir=90;''%20DROP%20TABLE%20IMAGES
>
> ' or '' between/after/in middle the URL, thus closing the first condition and opening a new statement??
Re: URL Hacks
Would it be a good solution to add something like this into my application.cfm file?

--->
alert("#cgi.remote_addr#" + " had been submitted to your ISP's abuse reporting system");
document.location = "http://www.abuse.com";

Where numID1-numID5 would be all of my SQL's numeric columns.

BTW: has someone used Allaire CF_INPUTFILTER successfully to prevent things like that?

Thanks,

Michael

- Original Message -
From: "Dave Watts" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Friday, July 06, 2001 1:53 AM
Subject: RE: URL Hacks

> > > If anyone has any interest it is at: http://www.vawter.com/urlhack.cfm
> >
> > Quick question, the dropping of tables seems very destructive, and of little point other than trashing a site.
> >
> > Is it possible to construct more "useful" queries to run piggy back, i.e. the SQL to display all the tables in a database, the fields in a table, or the data in a field(s)? I'm not asking for examples, just if it's theoretically possible.
> >
> > Having the data deleted is easy to recover from (if not careless), having someone view your data, or database construction would seem to be a lot worse.
>
> Sure, it's possible to construct more useful strings, although usefulness here is going to be in the eye of the beholder. For example, if you knew a site was running against SQL Server, you might be able to execute the xp_cmdshell stored procedure, which would get you a command prompt on the database server, essentially. If you could do this, you could conceivably have that command shell retrieve a file from an FTP server and run that file. That might be useful, if your goal is to compromise a remote database server.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
Re: URL Hacks (even more)
What about people who write something like this:

http://www.vawter.com/slideshow.cfm?seldir=90;'%20DROP%20TABLE%20IMAGES
or
http://www.vawter.com/slideshow.cfm?seldir=90;''%20DROP%20TABLE%20IMAGES

' or '' between/after/in middle the URL, thus closing the first condition and opening a new statement??
RE: URL Hacks
> > If anyone has any interest it is at: http://www.vawter.com/urlhack.cfm
>
> Quick question, the dropping of tables seems very destructive, and of little point other than trashing a site.
>
> Is it possible to construct more "useful" queries to run piggy back, i.e. the SQL to display all the tables in a database, the fields in a table, or the data in a field(s)? I'm not asking for examples, just if it's theoretically possible.
>
> Having the data deleted is easy to recover from (if not careless), having someone view your data, or database construction would seem to be a lot worse.

Sure, it's possible to construct more useful strings, although usefulness here is going to be in the eye of the beholder. For example, if you knew a site was running against SQL Server, you might be able to execute the xp_cmdshell stored procedure, which would get you a command prompt on the database server, essentially. If you could do this, you could conceivably have that command shell retrieve a file from an FTP server and run that file. That might be useful, if your goal is to compromise a remote database server.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
RE: URL Hacks
not sure what the earlier messages were in this thread but

>> Quick question, the dropping of tables seems very destructive, and of little point other than trashing a site.

Absolutely - that's why you should tie this down in your code so hackers can't exploit it.

>> Is it possible to construct more "useful" queries to run piggy back, i.e. the SQL to display all the tables in a database, the fields in a table, or the data in a field(s)? I'm not asking for examples, just if it's theoretically possible.

You can run any valid SQL statement against the DB. Whether it will execute correctly is down to the permissions that the user has that the DSN is using. You won't however be able to display the results of your query unless the CF code does so.

-Original Message-
From: Daniel Kemp [mailto:[EMAIL PROTECTED]]
Sent: 04 July 2001 17:44
To: CF-Talk
Subject: RE: URL Hacks

> -Original Message-
> From: Don Vawter [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 13, 2001 7:10 PM
> To: CF-Talk
> Subject: URL Hacks
> If anyone has any interest it is at: http://www.vawter.com/urlhack.cfm

Quick question, the dropping of tables seems very destructive, and of little point other than trashing a site.

Is it possible to construct more "useful" queries to run piggy back, i.e. the SQL to display all the tables in a database, the fields in a table, or the data in a field(s)? I'm not asking for examples, just if it's theoretically possible.

Having the data deleted is easy to recover from (if not careless), having someone view your data, or database construction would seem to be a lot worse.

Cheers,
Dan.

This message is intended only for the use of the person(s) ("the intended recipient(s)") to whom it is addressed. It may contain information which is privileged and confidential within the meaning of the applicable law. If you are not the intended recipient, please contact the sender as soon as possible. The views expressed in this communication may not necessarily be the views held by Live Information Systems Limited.
RE: URL Hacks
> -Original Message-
> From: Don Vawter [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 13, 2001 7:10 PM
> To: CF-Talk
> Subject: URL Hacks
> If anyone has any interest it is at: http://www.vawter.com/urlhack.cfm

Quick question, the dropping of tables seems very destructive, and of little point other than trashing a site.

Is it possible to construct more "useful" queries to run piggy back, i.e. the SQL to display all the tables in a database, the fields in a table, or the data in a field(s)? I'm not asking for examples, just if it's theoretically possible.

Having the data deleted is easy to recover from (if not careless), having someone view your data, or database construction would seem to be a lot worse.

Cheers,
Dan.
RE: URL Hacks
It is good to bring this subject up every now and then, especially since we get too focused on making the application work; we often forget to check out ways to make it break.

Allaire has some knowledgebase articles about this that may be helpful:

http://www.allaire.com/Handlers/index.cfm?ID=14558&Method=Full
http://www.allaire.com/Handlers/index.cfm?ID=14557&Method=Full

Best Regards,

Dennis Powers
UXB Internet
(203) 879-2844
http://www.uxbinfo.com/

-Original Message-
From: Don Vawter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 13, 2001 7:10 PM
To: CF-Talk
Subject: URL Hacks

Having recently suffered (not too much fortunately) through an attempt of a hacker to corrupt a database by embedding sql in url parameters I have put together a few tips on preventing these attacks from being successful. I realize that this is not new (I first heard of it at least 2 years ago) but sometimes a little reminder doesn't hurt because obviously the hackers are still out there.

If anyone has any interest it is at: http://www.vawter.com/urlhack.cfm

HTH

Don Vawter
RE: URL Hacks
That method only works for type="numeric" or type="boolean".

Pete Freitag ([EMAIL PROTECTED])
CFDEV.COM ColdFusion Developers Resources
http://www.cfdev.com/

-Original Message-
From: John McCosker [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 15, 2001 6:16 AM
To: CF-Talk
Subject: RE: URL Hacks

---> Another thing you can do which isn't too painful to make a habit of, is use
---> the type attribute in
---> So if you have a query
---> SELECT * FROM images
---> where seldir=#url.seldir#
---> order by image_id
---> then you could precede it with :
--->
---> Then ColdFusion will throw an error if url.seldir isn't a number.

What if your url variable is a string dynamically outputted from a query?

-Original Message-
From: Rey Bango [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 14, 2001 4:11 AM
To: CF-Talk
Subject: Re: URL Hacks

Don,

I can sympathize man. Check out the CF_Scriptkill tag in the Allaire developer's exchange. It should help out.

Rey Bango
Team Allaire...

- Original Message -
From: "Don Vawter" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Wednesday, June 13, 2001 7:10 PM
Subject: URL Hacks

> Having recently suffered (not too much fortunately) through an attempt of a hacker to corrupt a database by embedding sql in url parameters I have put together a few tips on preventing these attacks from being successful. I realize that this is not new (I first heard of it at least 2 years ago) but sometimes a little reminder doesn't hurt because obviously the hackers are still out there.
>
> If anyone has any interest it is at: http://www.vawter.com/urlhack.cfm
>
> HTH
>
> Don Vawter
RE: URL Hacks
--->Another thing you can do which isn't too painful to make a habit of, is use
--->the type attribute in
--->So if you have a query
--->SELECT * FROM images
--->where seldir=#url.seldir#
--->order by image_id
--->then you could precede it with :
--->
--->Then ColdFusion will throw an error if url.seldir isn't a number.

What if your URL variable is a string dynamically outputted from a query?

-----Original Message-----
From: Rey Bango [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 14, 2001 4:11 AM
To: CF-Talk
Subject: Re: URL Hacks

Don,

I can sympathize, man. Check out the CF_Scriptkill tag in the Allaire developer's exchange. It should help out.

Rey Bango
Team Allaire...
RE: URL Hacks
Another thing you can do which isn't too painful to make a habit of, is use the type attribute in
So if you have a query

SELECT * FROM images
where seldir=#url.seldir#
order by image_id

then you could precede it with :

Then ColdFusion will throw an error if url.seldir isn't a number.

Pete Freitag ([EMAIL PROTECTED])
CFDEV.COM ColdFusion Developers Resources
http://www.cfdev.com/

-----Original Message-----
From: Andy [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 14, 2001 12:00 PM
To: CF-Talk
Subject: Re: URL Hacks

You could also use security to limit what the SQL statement can do. For example, set up a database user called SystemRead. Use this to limit what can be done inside of the SQL. This would prevent any modification hacking during a read operation.

Andy
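Pete's type check and John's question about string parameters, as an added example that is not code from the thread: the ColdFusion type attribute becomes an explicit numeric check, and a string parameter that cannot be type-checked is passed as a bound parameter or compared against an allow-list drawn from the query it came from. The images table, its rows, the dirname column and the tampered inputs are all constructed here.

```python
import re
import sqlite3

# Constructed stand-in for the "images" table in Pete's example; the columns
# seldir and image_id are the page's, dirname and the rows are made up here.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE images (image_id INTEGER, seldir INTEGER, dirname TEXT)")
    con.executemany("INSERT INTO images VALUES (?, ?, ?)",
                    [(1, 7, "photos"), (2, 7, "photos"), (3, 8, "icons")])
    return con

def require_numeric(value: str) -> int:
    """Equivalent of the type="numeric" check: accept only a plain integer, so
    text a browser put in the URL never reaches the query as SQL."""
    if re.fullmatch(r"-?[0-9]+", value) is None:
        raise ValueError(f"url.seldir is not numeric: {value!r}")
    return int(value)

def images_in_seldir(con: sqlite3.Connection, url_seldir: str) -> list[int]:
    """Pete's query, with the parameter validated before use."""
    seldir = require_numeric(url_seldir)
    rows = con.execute(
        "SELECT image_id FROM images WHERE seldir = ? ORDER BY image_id", (seldir,))
    return [r[0] for r in rows]

def images_in_dir(con: sqlite3.Connection, url_dirname: str) -> list[int]:
    """John's case: a string parameter with no type to check. A bound parameter
    sends the value as data, so any SQL inside it is matched as literal text."""
    rows = con.execute(
        "SELECT image_id FROM images WHERE dirname = ? ORDER BY image_id",
        (url_dirname,))
    return [r[0] for r in rows]

def images_in_known_dir(con: sqlite3.Connection, url_dirname: str) -> list[int]:
    """Stricter option when the value was originally output by a query: accept
    only names that query actually returns (an allow-list) and reject the rest."""
    known = {r[0] for r in con.execute("SELECT DISTINCT dirname FROM images")}
    if url_dirname not in known:
        raise ValueError(f"unknown directory: {url_dirname!r}")
    return images_in_dir(con, url_dirname)

if __name__ == "__main__":
    db = make_db()
    print(images_in_seldir(db, "7"))                  # [1, 2]
    print(images_in_dir(db, "photos' OR '1'='1"))     # [] (constructed tamper string matches no row)
    try:
        images_in_seldir(db, "7 OR 1=1")              # constructed tamper string
    except ValueError as err:
        print("rejected:", err)
```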
RE: URL Hacks
Actually, this was a new hack to me, but it isn't just URL variables. If you grab the HTML for a form (especially if it has absolute paths for the action) and play games there, you can get it to pass SQL also.

Russel

-----Original Message-----
From: Don Vawter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 13, 2001 6:10 PM
To: CF-Talk
Subject: URL Hacks

Having recently suffered (not too much, fortunately) through an attempt by a hacker to corrupt a database by embedding SQL in URL parameters, I have put together a few tips on preventing these attacks from being successful. I realize that this is not new (I first heard of it at least 2 years ago), but sometimes a little reminder doesn't hurt because obviously the hackers are still out there.

If anyone has any interest it is at: http://www.vawter.com/urlhack.cfm

HTH

Don Vawter
Re: URL Hacks
You could also use security to limit what the SQL statement can do. For example, set up a database user called SystemRead. Use this to limit what can be done inside of the SQL. This would prevent any modification hacking during a read operation.

Andy

----- Original Message -----
From: "Rey Bango" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Wednesday, June 13, 2001 10:11 PM
Subject: Re: URL Hacks

> Don,
>
> I can sympathize, man. Check out the CF_Scriptkill tag in the Allaire
> developer's exchange. It should help out.
>
> Rey Bango
> Team Allaire...
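Andy's restricted SystemRead account, as an added example that is not from the thread: SQLite has no user accounts, so a read-only connection (the mode=ro URI) stands in for a read-only database login on the page's read path, and the example shows a modification attempt being refused while reads still work. The table, its rows and the file name are constructed here.

```python
import os
import sqlite3
import tempfile

def create_demo_db(path: str) -> None:
    """Constructed sample data, written through a normal (read-write) connection."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE images (image_id INTEGER, seldir INTEGER)")
    con.executemany("INSERT INTO images VALUES (?, ?)", [(1, 7), (2, 8)])
    con.commit()
    con.close()

def open_read_only(path: str) -> sqlite3.Connection:
    """The read path's handle, standing in for Andy's SystemRead user: SQLite's
    mode=ro URI makes the engine refuse every write attempted on it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def try_modify(con: sqlite3.Connection) -> str:
    """Attempt a modification through the read handle and report the outcome;
    a SELECT-only page should never be able to do this even if its SQL is altered."""
    try:
        con.execute("DELETE FROM images")
        con.commit()
        return "modified"
    except sqlite3.OperationalError as err:
        return f"refused: {err}"

def count_rows(con: sqlite3.Connection) -> int:
    return con.execute("SELECT COUNT(*) FROM images").fetchone()[0]

def demo() -> tuple[str, int]:
    """Create the constructed database, try to modify it via the read-only
    handle, and return (outcome, rows still present)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo.db")
        create_demo_db(path)
        ro = open_read_only(path)
        outcome = try_modify(ro)
        remaining = count_rows(ro)
        ro.close()
        return outcome, remaining

if __name__ == "__main__":
    print(demo())   # ('refused: attempt to write a readonly database', 2)
```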
Re: URL Hacks
thank you!

>From: "Don Vawter" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: CF-Talk <[EMAIL PROTECTED]>
>Subject: URL Hacks
>Date: Wed, 13 Jun 2001 17:10:05 -0600
>
>Having recently suffered (not too much, fortunately) through an attempt by a
>hacker to corrupt a database by embedding SQL in URL parameters, I have put
>together a few tips on preventing these attacks from being successful. I
>realize that this is not new (I first heard of it at least 2 years ago), but
>sometimes a little reminder doesn't hurt because obviously the hackers are
>still out there.
>
>If anyone has any interest it is at: http://www.vawter.com/urlhack.cfm
>
>HTH
>
>Don Vawter
Re: URL Hacks
Don,

I can sympathize, man. Check out the CF_Scriptkill tag in the Allaire developer's exchange. It should help out.

Rey Bango
Team Allaire...

----- Original Message -----
From: "Don Vawter" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Wednesday, June 13, 2001 7:10 PM
Subject: URL Hacks

> Having recently suffered (not too much, fortunately) through an attempt by a
> hacker to corrupt a database by embedding SQL in URL parameters, I have put
> together a few tips on preventing these attacks from being successful. I
> realize that this is not new (I first heard of it at least 2 years ago), but
> sometimes a little reminder doesn't hurt because obviously the hackers are
> still out there.
>
> If anyone has any interest it is at: http://www.vawter.com/urlhack.cfm
>
> HTH
>
> Don Vawter
URL Hacks
Having recently suffered (not too much, fortunately) through an attempt by a hacker to corrupt a database by embedding SQL in URL parameters, I have put together a few tips on preventing these attacks from being successful. I realize that this is not new (I first heard of it at least 2 years ago), but sometimes a little reminder doesn't hurt because obviously the hackers are still out there.

If anyone has any interest it is at: http://www.vawter.com/urlhack.cfm

HTH

Don Vawter