RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-28 Thread Mark Kruger
-Talk Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta To anyone who happened to use the regex I posted earlier I have an updated method to be used in place, effective immediately. // Short list of db objects to protect DBObj.short = 'database|function|procedure|role

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-28 Thread Che Vilnonis
Gabriel... would you post the page in complete working order with your code modifications? Thanks! -Original Message- From: Gabriel [mailto:[EMAIL PROTECTED] Sent: Sunday, July 27, 2008 8:05 PM To: CF-Talk Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-28 Thread Mark Kruger
Scractching My Head... To Ben Forta Gabriel... would you post the page in complete working order with your code modifications? Thanks! -Original Message- From: Gabriel [mailto:[EMAIL PROTECTED] Sent: Sunday, July 27, 2008 8:05 PM To: CF-Talk Subject: RE: (ot) URL Hack Attempt Leaves Me

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-28 Thread Che Vilnonis
-Talk Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta Gabriel... would you post the page in complete working order with your code modifications? Thanks! -Original Message- From: Gabriel [mailto:[EMAIL PROTECTED] Sent: Sunday, July 27, 2008 8:05 PM To: CF-Talk

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-28 Thread Mark Kruger
for your situation. -Mark -Original Message- From: Che Vilnonis [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 9:01 AM To: CF-Talk Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta Thanks Mark. So, the function checkSQLInject(str) and the function

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-28 Thread Mary Jo Sminkey
The code on my blog is a working example, but it's not drop-in ready - you would still need to check the form and cookie scope for example... So either way you will need to do some tweaking to get it to work for your situation. I'm going to post an updated version of my tool later today, just want

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-28 Thread Mary Jo Sminkey
Version 2 of the scanner I did is now available here: http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=18 This has *not* been heavily tested as of yet, so use at your own risk! --- Mary Jo

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-28 Thread Mary Jo Sminkey
This has *not* been heavily tested as of yet, so use at your own risk! There was a little mistake in the scanner I posted earlier that could cause it to hang, if anyone downloaded it before, please grab the updated copy. In just some basic iteration checking, the new version does appear to be

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-27 Thread Gabriel
-Original Message- From: Mary Jo Sminkey [mailto:[EMAIL PROTECTED] Sent: Saturday, 26 July 2008 5:40 AM To: CF-Talk Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta What do you think about this solution for sites with 5000 files: This looks similar to the solution I

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-27 Thread Mary Jo Sminkey
This will fix a problem in which a long string containing too many back references for non-word chars can cause a stack overflow. As much as I love CF, I find the native regex implementation sadly lacking. Thanks for the update... I'm not sure if any of my customers are using a host that

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Al Musella, DPM
Ben, Seeing as how this type of sql injection attack is succeeding so much (even my favorite fishing website has been down for days due to it (it is a .cfm site))... how about changing cfquery so that by default, only ONE sql statement can be sent. Let us override that with a parameter in

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Robert Harrison
how about changing cfquery so that by default... NO NO NO NO NO NO NO NO I've used nested SQL all the time, and I've got over 100 web sites up. Validate and use REREPLACE and CFQUERYPARAM and you're fine. Don't ever make a function change that kills existing code written correctly.

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Dave Francis
I find it useful on occasion with INSERT then SELECT @IDENTITY -Original Message- From: Al Musella, DPM [mailto:[EMAIL PROTECTED] Sent: Friday, July 25, 2008 12:05 PM To: CF-Talk Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta Ben, Seeing as how

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread John Rossi
Francis [mailto:[EMAIL PROTECTED] Sent: Friday, July 25, 2008 12:16 PM To: CF-Talk Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta I find it useful on occasion with INSERT then SELECT @IDENTITY -Original Message- From: Al Musella, DPM [mailto:[EMAIL

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Jochem van Dieten
Al Musella, DPM wrote: Seeing as how this type of sql injection attack is succeeding so much (even my favorite fishing website has been down for days due to it (it is a .cfm site))... how about changing cfquery so that by default, only ONE sql statement can be sent. That is a *very*

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Josh Nathanson
you'd still have to remember to switch it off. -- Josh - Original Message - From: Al Musella, DPM [EMAIL PROTECTED] To: CF-Talk cf-talk@houseoffusion.com Sent: Friday, July 25, 2008 9:04 AM Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta Ben, Seeing

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Greg Morphis
this without going to the extreme that you suggest - Original Message - From: Al Musella, DPM [EMAIL PROTECTED] To: CF-Talk cf-talk@houseoffusion.com Sent: Friday, July 25, 2008 9:04 AM Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta Ben, Seeing

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Matt Quackenbush
+Infinity. (I'd add some sort of really intelligent comment, but, well, Robert already covered that part.) On Fri, Jul 25, 2008 at 11:14 AM, Robert Harrison wrote: how about changing cfquery so that by default... NO NO NO NO NO NO NO NO I've used nested SQL all the time, and I've

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Dave Watts
Seeing as how this type of sql injection attack is succeeding so much (even my favorite fishing website has been down for days due to it (it is a .cfm site))... how about changing cfquery so that by default, only ONE sql statement can be sent. Let us override that with a parameter

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Robert Harrison
www.austin-williams.com Great advertising can't be either/or... It must be &. -Original Message- From: Matt Quackenbush [mailto:[EMAIL PROTECTED] Sent: Friday, July 25, 2008 12:42 PM To: CF-Talk Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta +Infinity

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Claude Schneegans
how about changing cfquery so that by default, only ONE sql statement can be sent. Let us override that with a parameter in cfquery or a cfprocessing directive type of thing in our application.cfm.. Pretty good idea. I doubt many people use multiple sql statements in one cfquery, Also

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
Is there a kind of way to stop the botnet from spamming websites? Hacker has to stop it? or right now if it is automated is there any way? Radek On Fri, Jul 25, 2008 at 12:56 PM, Dave Watts [EMAIL PROTECTED] wrote: Seeing as how this type of sql injection attack is succeeding so much

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Mark Kruger
I have to hand it to Claude - he definitely has confidence :) -Original Message- From: Claude Schneegans [mailto:[EMAIL PROTECTED] Sent: Friday, July 25, 2008 12:15 PM To: CF-Talk Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta how about changing

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Claude Schneegans
That is more a function of the db. Exactly, and I don't see how CF could prevent multiple execution. It would have to compile the SQL code for that, and it does not. Unless ODBC/JDBC drivers have a function to disable it. -- ___ REUSE CODE! Use custom tags; See

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Claude Schneegans
I have to hand it to Claude - he definitely has confidence Well, unless ODBC and JDBC have some function to enable/disable multi statements, it would certainly be much trouble to implement this in CF. I've checked rapidly in the ODBC docs, and I don't see any reference to multi statement.

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
RiaForge.org doesn't work, tried to get the cfqueryparam scanner: http://qpscanner.riaforge.org/ anybody knows what happened? Radek On Fri, Jul 25, 2008 at 1:46 PM, Claude Schneegans [EMAIL PROTECTED] wrote: I have to hand it to Claude - he definitely has confidence Well, unless ODBC

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Brad Wood
- Original Message - From: Claude Schneegans [EMAIL PROTECTED] To: CF-Talk cf-talk@houseoffusion.com Sent: Friday, July 25, 2008 12:46 PM Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta I have to hand it to Claude - he definitely has confidence Well, unless ODBC

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Brad Wood
: Radek Valachovic [EMAIL PROTECTED] To: CF-Talk cf-talk@houseoffusion.com Sent: Friday, July 25, 2008 1:11 PM Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta RiaForge.org doesn't work, tried to get the cfqueryparam scanner: http://qpscanner.riaforge.org

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
-International-Operation-cfSQLprotect ~Brad - Original Message - From: Radek Valachovic [EMAIL PROTECTED] To: CF-Talk cf-talk@houseoffusion.com Sent: Friday, July 25, 2008 1:11 PM Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta RiaForge.org doesn't

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
@houseoffusion.com Sent: Friday, July 25, 2008 1:11 PM Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta RiaForge.org doesn't work, tried to get the cfqueryparam scanner: http://qpscanner.riaforge.org/ anybody knows what happened? Radek

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Ben Forta
RIAForge is back up ... -Original Message- From: Radek Valachovic [mailto:[EMAIL PROTECTED] Sent: Friday, July 25, 2008 2:20 PM To: CF-Talk Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta I have it installed already, but other guys in forums asking

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Brad Wood
: Friday, July 25, 2008 1:33 PM Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta RIAForge is back up ...

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Dave Watts
What do you think about this solution for sites with 5000 files It may be satisfactory for a temporary fix, to give you enough time to fix your 5000 files. It is almost certainly unsuitable as a permanent solution. This part is fairly vague: Checks all FORM and URL input for SQL injection code

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
That's what I thought same thing, temporary fix. Thanks for checking that out and posting scanners. On Fri, Jul 25, 2008 at 2:42 PM, Dave Watts [EMAIL PROTECTED] wrote: What do you think about this solution for sites with 5000 files It may be satisfactory for a temporary fix, to give you

RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Al Musella, DPM
OK.. You are right.. drop my request.. but I would request 3 other enhancements to Dreamweaver to make these changes easier: 1. Put the sql queryparam on the main CF toolbar.. 2. When you right click the file name in the Files area you can select PUT.. I would like to add that functionality

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
I requested that code from them earlier, so in case I will receive it, gonna send it to you. Radek On Fri, Jul 25, 2008 at 2:42 PM, Radek Valachovic [EMAIL PROTECTED] wrote: That's what I thought same thing, temporary fix. Thanks for checking that out and posting scanners. On Fri, Jul 25,

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Mary Jo Sminkey
What do you think about this solution for sites with 5000 files: This looks similar to the solution I am providing to my customers (I have a lot that run old releases that are not as well protected as my current one and have little desire to either update their software *or* the code). I used

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
Ok gonna check that out thanks. On Fri, Jul 25, 2008 at 3:40 PM, Mary Jo Sminkey [EMAIL PROTECTED] wrote: What do you think about this solution for sites with 5000 files: This looks similar to the solution I am providing to my customers (I have a lot that run old releases that are not as

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Mary Jo Sminkey
Ok gonna check that out thanks. I just uploaded a new version that includes the cookie scope, and commonly used CGI vars as well. While this has been a headache to deal with, at least it might convince more of my customers to get around to updating their sites. ;-) It often doesn't matter

Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben Forta

2008-07-25 Thread Radek Valachovic
Tell me about it. I told one of my customers' E-commerce store to backup the DB often (if you do some edits to the DB make a backup!!!) and told him to buy a hard-drive or RAID 1 or RAID 5 solution to backup the DB and website, he said no no no expensive, 6 days ago he got hit cause who made this site never