[cfaussie] SQL INJECTION

2008-09-25 Thread Claude Raiola


Hi,

We have just had an SQL injection attack.

Given we have several hundred ColdFusion pages and the SQL database has several hundred tables, has anyone found a reliable solution whereby a script can be placed in the Application.cfm page that will prevent code being appended to queries, as a viable alternative to having to edit every query across the hundreds of pages to use the appropriate cfqueryparam?


Regards

Claude Raiola
B.Econ (Acc), B.Hot.Mngt.

Websites:
www.AustralianAccommodation.com
www.SAMARIS.NET
www.WebSiteSolutions.com.au

Mobile: 0414 228 948  
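As an added illustration for the question above (not code from the thread or from the poster's sites): a request-level filter in Application.cfm can only pattern-match incoming values, and Val() protects only values that are meant to be numeric, whereas cfqueryparam binds every value as typed data so the statement cannot change shape. The first query is the person_id lookup that appears in the tvguide.com.au error later on this page, rewritten with a bound parameter; the second is an assumed keyword search (table `shows` and field `form.keyword` are assumptions) to show the string case.

```cfml
<!--- Constructed example, not code from the thread. The cookie lookup shown
      in the tvguide.com.au error, with the cookie bound as an integer
      parameter. The driver receives the value as data, so it can never be
      parsed as SQL; a non-numeric cookie raises a ColdFusion exception
      before the statement is sent, instead of being coerced to 0 as Val()
      would do. --->
<cfquery name="getPerson" datasource="hww_sql">
    select person_id, password
    from   users.dbo.person
    where  person_id = <cfqueryparam value="#cookie.person_id#"
                                     cfsqltype="cf_sql_integer">
</cfquery>

<!--- Assumed keyword search (table "shows" and form field "keyword" are
      assumptions). Val() cannot help here because the input is legitimately
      text; binding it as a varchar keeps quotes and comment markers inside
      the data, and maxlength caps the bound value at 100 characters. --->
<cfparam name="form.keyword" default="">
<cfquery name="searchShows" datasource="hww_sql">
    select show_id, title
    from   shows
    where  title like <cfqueryparam value="%#form.keyword#%"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="100">
</cfquery>
```

Every query that interpolates a `#variable#` directly into SQL text is a candidate for this rewrite; a search of the code base for `#` inside cfquery tags is the quickest way to list them.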






[cfaussie] sql injection was: tvguide.com.au

2006-03-30 Thread Brett Payne-Rhodes

Just curious, not knowing much about sql injection...

Wouldn't the 'val()' function be sufficient protection in this case? Presuming 
that the sql that was trying to be 'injected' was stored in cookie.person_id 
then the val() function will effectively nullify it by returning zero... No?

ps. apologies for hijacking the thread...

Cheers,

Brett
B)



Dale Fraser wrote:
 Damn,
 
 That really looks open to SQL Injection, someone should let them know.
 
 Regards
 Dale Fraser
 
 
-Original Message-
From: cfaussie@googlegroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of Chad Renando
Sent: Friday, 31 March 2006 14:06 PM
To: cfaussie@googlegroups.com
Subject: [cfaussie] tvguide.com.au


Crash, bang, boom of a CF site.

I wonder what kind of traffic they get?  Might be some job opps
opening up or maybe just some hosting opportunities maybe? ;)

Chad

--
---

 The web site you are accessing has experienced an unexpected error.
Please contact the website administrator.

The following information is meant for the website developer for
debugging purposes.
Error Occurred While Processing Request
Error Executing Database Query.
[Macromedia][SQLServer JDBC Driver][SQLServer]Database 'users' cannot
be opened because it is offline.

The error occurred in D:\web\tvguide.com.au\index.cfm: line 32

30 : select person_id, password
31 : from users.dbo.person
32 : where person_id = #Val(cookie.person_id)#
33 : /cfquery
34 :

SQL              select person_id, password from users.dbo.person where person_id = 2617356
DATASOURCE       hww_sql
VENDORERRORCODE  942
SQLSTATE         HY000
Resources:

* Check the ColdFusion documentation to verify that you are using
the correct syntax.
* Search the Knowledge Base to find a solution to your problem.

Browser          Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5 (ax)
Remote Address   58.104.59.236
Referrer
Date/Time        31-Mar-06 02:01 PM

[cfaussie] sql injection was: tvguide.com.au

2006-03-30 Thread Scott Thornton

Not debugging; more that 'Enable Robust Exception Information' is checked.


 [EMAIL PROTECTED] 31/03/2006 3:01:00 pm 

Yes,

You are correct, but there will be other queries on the page, I'm sure.

What you need for SQL injection is a table name: users.dbo.person

So the error gives all that and more, so if there is another keyword search
page or similar, without vals or cfqueryparams, away you go.

Moral of the story is, debugging shouldn't be on in production, and we would
never have known the table name. Or at least the errors should be caught.

Regards
Dale Fraser

Error Occurred While Processing Request Error Executing Database 
Query.
[Macromedia][SQLServer JDBC Driver][SQLServer]Database 'users' cannot 
be opened because it is offline.

The error occurred in D:\web\tvguide.com.au\index.cfm: line 32

30 : select person_id, password
31 : from users.dbo.person
32 : where person_id = #Val(cookie.person_id)#
33 : /cfquery
34 :

SQL  select person_id, password from users.dbo.person where
person_id = 2617356

Regards
Dale Fraser


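An added example (not code from the thread) of the two controls the replies above point at: uncheck 'Enable Robust Exception Information' in the ColdFusion Administrator so the SQL, table name and template path are not sent to the browser, and install a cferror handler in Application.cfm so any exception that still occurs is logged server-side and the visitor sees a generic page. The application name, the template file name and the log file name are assumptions.

```cfml
<!--- Application.cfm (constructed example; application name assumed).
      type="exception" catches every unhandled exception, including the
      database errors thrown by cfquery, before ColdFusion renders its own
      error page carrying the SQL, datasource and template path. --->
<cfapplication name="tvguide_site" sessionmanagement="true">
<cferror type="exception" template="error_exception.cfm">

<!--- error_exception.cfm (constructed example; file and log names assumed).
      An exception-type error template may use CFML tags and receives the
      ERROR scope. The detail goes to the server log only. --->
<cflog file="app_errors" type="error"
       text="#error.type# | #error.message# | #error.detail# | #error.template# | #error.queryString#">

<!--- Nothing from the ERROR scope is echoed back; the visitor gets a
      timestamp to quote when reporting the problem. --->
<cfoutput>
<h1>Sorry, something went wrong</h1>
<p>The problem has been logged. Please try again later.
   Reference: #dateFormat(now(), "yyyy-mm-dd")# #timeFormat(now(), "HH:mm:ss")#</p>
</cfoutput>
```

The handler is a backstop for disclosure, not a fix for the injection itself; the queries still need cfqueryparam.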