[cfaussie] SQL INJECTION
Hi,

We have just had an SQL injection attack. Given we have several hundred ColdFusion pages and the SQL database has several hundred tables, has anyone found a reliable solution whereby a script can be placed in the application.cfm page that will prevent code being appended to queries, as a viable alternative to having to edit every query across the hundreds of pages to use the appropriate cfqueryparam?

Regards
Claude Raiola
B.Econ (Acc), B.Hot.Mngt.
Websites: www.AustralianAccommodation.com www.SAMARIS.NET www.WebSiteSolutions.com.au
Mobile: 0414 228 948
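As an added example, not Claude's code or anything posted in this thread: the closest thing to what is being asked for is a request filter in Application.cfm that screens every URL, FORM and COOKIE value against fragments typical of injection payloads before the requested page runs. The regex, the log file name and the 400 response are my assumptions. It is a heuristic blacklist: it cannot know which query a value ends up in, it will block some legitimate input (a "--" in free text, for instance) and it can be bypassed by payloads it does not match, so it buys time while the queries are converted to cfqueryparam rather than replacing that work.

```cfml
<!--- Application.cfm excerpt (added example, not from the thread). Goes after
      the site's existing cfapplication tag. Screens every URL, FORM and COOKIE
      value for common SQL injection fragments before any page runs.
      The pattern and the log file name are assumptions. This is a stopgap:
      it cannot see which query a value lands in, catches crude payloads only,
      and does not replace cfqueryparam on each query. --->

<!--- Fragments that rarely appear in legitimate input but appear in most
      injection payloads: a quote or semicolon followed by a SQL verb,
      comment markers, UNION ... SELECT, and SQL Server's xp_ procedures --->
<cfset request.sqlProbe = "(['\;]\s*(select|insert|update|delete|drop|exec|union|or|and)\b|--|/\*|\bunion\b\s+(all\s+)?select\b|\bxp_\w+)">

<!--- Hold the three request scopes in one struct so a single loop covers them --->
<cfset request.inputScopes = StructNew()>
<cfset request.inputScopes.url = url>
<cfset request.inputScopes.form = form>
<cfset request.inputScopes.cookie = cookie>

<cfloop collection="#request.inputScopes#" item="scopeName">
    <cfloop collection="#request.inputScopes[scopeName]#" item="fieldName">
        <cfset fieldValue = request.inputScopes[scopeName][fieldName]>
        <cfif IsSimpleValue(fieldValue) AND REFindNoCase(request.sqlProbe, fieldValue)>
            <!--- Record where the probe came from, but never echo the
                  payload back to the client --->
            <cflog file="sqlprobe" type="warning"
                   text="Blocked #scopeName#.#fieldName# from #cgi.remote_addr# on #cgi.script_name#">
            <cfheader statuscode="400" statustext="Bad Request">
            <cfoutput>Request rejected.</cfoutput>
            <cfabort>
        </cfif>
    </cfloop>
</cfloop>
```

The log line gives you the scope and field that tripped the filter, which is also the list of queries to convert first. Because the check runs before the page, a blocked request costs no database round trip, but a value that merely looks like SQL (a surname of O'Brien followed by "or" in a comment field) will be rejected too, so watch the log for false positives before relying on it.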
[cfaussie] sql injection was: tvguide.com.au
Just curious, not knowing much about SQL injection... Wouldn't the Val() function be sufficient protection in this case? Presuming that the SQL that was trying to be 'injected' was stored in cookie.person_id, then the Val() function will effectively nullify it by returning zero... No?

ps. apologies for hijacking the thread...

Cheers,
Brett B)

Dale Fraser wrote:

Damn, that really looks open to SQL injection, someone should let them know.

Regards
Dale Fraser

-----Original Message-----
From: cfaussie@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Chad Renando
Sent: Friday, 31 March 2006 14:06 PM
To: cfaussie@googlegroups.com
Subject: [cfaussie] tvguide.com.au

Crash, bang, boom of a CF site. I wonder what kind of traffic they get? Might be some job opps opening up or maybe just some hosting opportunities maybe? ;)

Chad

---
The web site you are accessing has experienced an unexpected error.
Please contact the website administrator.

The following information is meant for the website developer for debugging purposes.

Error Occurred While Processing Request

Error Executing Database Query.
[Macromedia][SQLServer JDBC Driver][SQLServer]Database 'users' cannot be opened because it is offline.

The error occurred in D:\web\tvguide.com.au\index.cfm: line 32

30 : select person_id, password
31 : from users.dbo.person
32 : where person_id = #Val(cookie.person_id)#
33 : </cfquery>
34 :

SQL              select person_id, password from users.dbo.person where person_id = 2617356
DATASOURCE       hww_sql
VENDORERRORCODE  942
SQLSTATE         HY000

Resources:
* Check the ColdFusion documentation to verify that you are using the correct syntax.
* Search the Knowledge Base to find a solution to your problem.

Browser          Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5 (ax)
Remote Address   58.104.59.236
Referrer
Date/Time        31-Mar-06 02:01 PM

Stack Trace
at cfindex2ecfm1650242660.runPage(D:\web\tvguide.com.au\index.cfm:32)
at cfindex2ecfm1650242660.runPage(D:\web\tvguide.com.au\index.cfm:32)

java.sql.SQLException: [Macromedia][SQLServer JDBC Driver][SQLServer]Database 'users' cannot be opened because it is offline.
    at macromedia.jdbc.base.BaseExceptions.createException(Unknown Source)
    at macromedia.jdbc.base.BaseExceptions.getException(Unknown Source)
    at macromedia.jdbc.sqlserver.tds.TDSRequest.processErrorToken(Unknown Source)
    at macromedia.jdbc.sqlserver.tds.TDSRequest.processReplyToken(Unknown Source)
    at macromedia.jdbc.sqlserver.tds.TDSRequest.processReply(Unknown Source)
    at macromedia.jdbc.sqlserver.SQLServerImplStatement.getNextResultType(Unknown Source)
    at macromedia.jdbc.base.BaseStatement.commonTransitionToState(Unknown Source)
    at macromedia.jdbc.base.BaseStatement.postImplExecute(Unknown Source)
    at macromedia.jdbc.base.BaseStatement.commonExecute(Unknown Source)
    at macromedia.jdbc.base.BaseStatement.executeInternal(Unknown Source)
    at macromedia.jdbc.base.BaseStatement.execute(Unknown Source)
    at coldfusion.server.j2ee.sql.JRunStatement.execute(JRunStatement.java:212)
    at coldfusion.sql.Executive.executeQuery(Executive.java:719)
    at coldfusion.sql.Executive.executeQuery(Executive.java:652)
    at coldfusion.sql.Executive.executeQuery(Executive.java:613)
    at coldfusion.sql.SqlImpl.execute(SqlImpl.java:236)
    at coldfusion.tagext.sql.QueryTag.doEndTag(QueryTag.java:499)
    at cfindex2ecfm1650242660.runPage(D:\web\tvguide.com.au\index.cfm:32)
    at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:152)
    at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:349)
    at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65)
    at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:210)
    at coldfusion.filter.PathFilter.invoke(PathFilter.java:86)
    at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:69)
    at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:52)
    at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
    at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
    at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
    at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
    at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:115)
    at coldfusion.CfmServlet.service(CfmServlet.java:107)
    at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:78)
    at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
    at com.seefusion.Filter.doFilter(Filter.java)
    at com.seefusion.SeeFusion.doFilter(SeeFusion.java)
    at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
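An added example, not code from Brett's post or from tvguide.com.au, answering the Val() question above: what Val() actually does to a hostile cookie.person_id, why that protection holds only for an unquoted numeric predicate, and what the same queries look like with cfqueryparam. The users.dbo.person table, the person_id and password columns and the hww_sql datasource are taken from the error dump; the surname column, the url.q search parameter and the attack strings are my assumptions, the latter constructed for illustration.

```cfml
<!--- Added example, not from the thread. Shows the effect of Val() on two
      constructed attack strings, then a string predicate where Val() cannot
      be applied, and the cfqueryparam form of both queries.
      Assumed: a surname column and a url.q search parameter. --->

<!--- Constructed values of the kind an attacker would set in the cookie --->
<cfset probeTail  = "2617356; DROP TABLE users.dbo.person">
<cfset probeQuote = "' OR 1=1 --">
<cfoutput>
  Val("#probeTail#") = #Val(probeTail)#     <!--- 2617356: everything after the digits is discarded --->
  Val("#probeQuote#") = #Val(probeQuote)#   <!--- 0: no leading number, so the predicate becomes person_id = 0 --->
</cfoutput>
<!--- So in "where person_id = #Val(cookie.person_id)#" only a number can ever
      reach SQL Server. That works only because the column is numeric and the
      value sits unquoted in the SQL; Val() is not a general defence. --->

<!--- A keyword search takes a string, so Val() is useless and this is injectable:
      url.q = ' OR 1=1 --   yields   where surname like '%' OR 1=1 --%' --->
<cfquery name="findPersonUnsafe" datasource="hww_sql">
    select person_id
    from users.dbo.person
    where surname like '%#url.q#%'
</cfquery>

<!--- Same search with a bind parameter: the value travels separately from the
      SQL text, so quotes and comment markers in url.q are just characters --->
<cfquery name="findPerson" datasource="hww_sql">
    select person_id
    from users.dbo.person
    where surname like <cfqueryparam cfsqltype="cf_sql_varchar" value="%#url.q#%" maxlength="60">
</cfquery>

<!--- The cookie lookup with a bind parameter. cf_sql_integer raises an
      exception on a non-numeric value rather than silently using 0 the way
      Val() does, so normalise first to keep the existing behaviour and avoid
      an error page that an attacker can trigger at will. --->
<cfparam name="cookie.person_id" default="0">
<cfset personId = Val(cookie.person_id)>
<cfquery name="getPerson" datasource="hww_sql">
    select person_id, password
    from users.dbo.person
    where person_id = <cfqueryparam cfsqltype="cf_sql_integer" value="#personId#">
</cfquery>
```

The maxlength on the varchar parameter is a cheap second control: it bounds what a search box can carry regardless of content. Note that cfqueryparam also changes the execution plan behaviour on SQL Server, since the statement text becomes constant and gets a cached plan, which is usually a benefit on a busy site.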
[cfaussie] sql injection was: tvguide.com.au
not debugging, more 'Enable Robust Exception Information' is checked.

[EMAIL PROTECTED] 31/03/2006 3:01:00 pm:

Yes, you are correct, but there will be other queries on the page, I'm sure. What you need for SQL injection is a table name: users.dbo.person

So the error gives all that and more, so if there is another keyword search page or similar, without Vals or cfqueryparams, away you go.

Moral of the story is debugging shouldn't be on in production and we would have never known the table name. Or at least the errors should be caught.

Regards
Dale Fraser

Error Occurred While Processing Request
Error Executing Database Query.
[Macromedia][SQLServer JDBC Driver][SQLServer]Database 'users' cannot be opened because it is offline.
The error occurred in D:\web\tvguide.com.au\index.cfm: line 32

30 : select person_id, password
31 : from users.dbo.person
32 : where person_id = #Val(cookie.person_id)#
33 : </cfquery>
34 :

SQL select person_id, password from users.dbo.person where person_id = 2617356

Regards
Dale Fraser

-----Original Message-----
From: cfaussie@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Brett Payne-Rhodes
Sent: Friday, 31 March 2006 14:34 PM
To: cfaussie@googlegroups.com
Subject: [cfaussie] sql injection was: tvguide.com.au

Just curious, not knowing much about SQL injection... Wouldn't the Val() function be sufficient protection in this case? Presuming that the SQL that was trying to be 'injected' was stored in cookie.person_id, then the Val() function will effectively nullify it by returning zero... No?

ps. apologies for hijacking the thread...

Cheers,
Brett B)

Dale Fraser wrote:

Damn, that really looks open to SQL injection, someone should let them know.

Regards
Dale Fraser

-----Original Message-----
From: cfaussie@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Chad Renando
Sent: Friday, 31 March 2006 14:06 PM
To: cfaussie@googlegroups.com
Subject: [cfaussie] tvguide.com.au

Crash, bang, boom of a CF site. I wonder what kind of traffic they get?
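An added example, not from the thread, for the point the last two replies make: the default error page is what handed out the table name, the template path and the SQL, and it does so because 'Enable Robust Exception Information' is on. Catching the exception in Application.cfm keeps that detail on the server whatever the Administrator setting is. The template name error.cfm and the log file name are my assumptions.

```cfml
<!--- Application.cfm excerpt (added example, not from the thread): route every
      unhandled exception to a template that logs the detail server-side and
      shows the client a generic page. Template and log names are assumptions.
      Place it near the top so it is in force before any query runs. --->
<cferror type="exception" template="error.cfm">


<!--- error.cfm (added example). A type="exception" handler may use the full
      CFML tag set, unlike type="request". Everything the default page would
      have printed (SQL text, table name, template path, stack trace) goes to
      the log via error.diagnostics instead of to the browser. --->
<cflog file="application" type="error"
       text="#error.remoteAddress# #error.template# #error.message# #error.diagnostics#">
<cfheader statuscode="500" statustext="Internal Server Error">
<html>
<body>
  <p>Sorry, something went wrong. The problem has been logged.</p>
</body>
</html>
<cfabort>
```

Returning a 500 rather than a 200 matters for monitoring: the failure still shows up in the web server log and in any uptime check, it just no longer describes the schema. The Administrator setting should still be turned off in production (it lives under Debugging & Logging), because the handler only covers requests that reach this Application.cfm; a page in a directory with its own Application.cfm that lacks the cferror tag, or an error raised before the tag runs, falls back to the default page.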