Sent: Monday, April 19, 2010 7:33 PM
To: cf-talk
Subject: Re: New SQL injection :(
I thought it was Secure Account???
=]
On Mon, Apr 19, 2010 at 4:27 PM, Leigh cfsearch...@yahoo.com wrote:
And for the love of all that is
good in the world, don't ever let your
web servers ever connect
Fuseguard: http://foundeo.com/security/
Just add a couple lines to your App.cfc or App.cfm and bam, you're secure.
Worked awesome for a legacy CFML application that one of our customers
was having major SQL injection problems with.
Warm regards,
Jordan Michaels
Vivio Technologies
Al,
These sorts of attacks increase and decrease in waves unfortunately. I spent
a few hours fixing a customer server this week myself. Very similar
codewise:
http://www.coldfusionmuse.com/index.cfm/2010/4/16/SQLi-char-urchin
-Mark
Mark A. Kruger, MCSE, CFG
(402) 408-3733 ext 105
FWIW I don't believe in silver bullets, but one can get a decent amount
of mileage by taking the SQL account that CF connects to the database
with and removing access to the system and information schema tables.
Chances are your app doesn't use those tables and a lot of SQLi attacks
revolve
And for the love of all that is
good in the world, don't ever let your
web servers ever connect to your
database with sa.
sa, that is the SAfest account right ? ;)
If you block this at the webserver, or better yet network level, you
won't incur any processing overhead, and less-than-secure code is at
least a bit protected.
Some apache rewrite rules have been posted that will at least stop it
at the webserver level, and I think someone posted the IIS plugin
Hi Mark,
You missed the first part of my post... they actually look up all
of the table names and field names! They don't do it by throwing random errors!
And it replaced all of the text instead of appending. Appending is
easier to fix. Luckily nothing of importance is stored in that
On Monday 22 Sep 2008, Judah McAuley wrote:
we sit down to discuss strategy and bringing resources on under me, I know
that conversion conversation is coming.
Print out
http://www.webbschofield.com/index.cfm/2008/9/15/ColdFusion-Evangelism-Kit
and leave it on your desk just in case.
--
Tom
On Saturday 20 Sep 2008, Al Musella, DPM wrote:
A new type of sql attack is hitting my server since about 2 am this
morning.
It's not new.
It's just another minor variant.
There should be no need for a big song and dance by now.
--
Tom Chiverton
Helping to evangelistically maximize
Tom Chiverton
Helping to evangelistically maximize fifth-generation sexy
partnerships
You know, that tagline makes you sound like a pimp.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
CF could use more pimps.
I just got bought and am now a new division within an existing company, all
of whom are .Net. Things are just settling in and it's fine for now, but as
we sit down to discuss strategy and bringing resources on under me, I know
that conversion conversation is coming.
Judah
On Sat, Sep 20, 2008 at 9:58 PM, Michael Dinowitz
[EMAIL PROTECTED] wrote:
If you're interested, I have a project that I just wrote for a client that
will allow you to scan an entire directory tree for all files that have a
cfquery with un-paramed variables and fix them.
Hi Michael,
how
A new type of sql attack is hitting my server since about 2 am this
morning.
I am seeing a large increase in the number of attacks on several of my
sites in the last 48 hours...
Here we go again...
Instead of just being on the defense, I wish there was some way to
counter attack!!!
I wish there was some way to counter attack!!! H
Well, based on the fact that attacks come from infected PCs which don't
even know they were infected,
it would be pretty useless to counter-attack the IP address from which
the attack came.
BUT, all these attacks tend to inject spammy links to
We got a reputation for being easy to hack, so they now
concentrate on cfm files..
hopefully, with this last attack, at least everyone on this list
should already be protected against the current set of
attempts... and if they don't succeed, maybe they will move on to
easier targets.
I
If you're interested, I have a project that I just wrote for a client that
will allow you to scan an entire directory tree for all files that have a
cfquery with un-paramed variables and fix them. It doesn't work
automatically (it could but I disabled that option) but instead gives you
the queries
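Michael's scanner itself is not on the page, so here is an added example (not his project's code, and not from the thread) of the same idea in Python: walk a tree of .cfm/.cfc files, find every cfquery that concatenates a bare #var# into its SQL instead of binding it with cfqueryparam, and suggest (without applying) the parameterised form. The sample CFML is constructed, and cf_sql_varchar in the suggestion is a placeholder type the developer has to replace.

```python
import os
import re
# Constructed sample CFML (not from the thread): one safe query, two unsafe ones.
SAMPLE_CFM = """
<cfquery name="getUser" datasource="app">
  SELECT id, name FROM users WHERE id = #url.id#
</cfquery>
<cfquery name="getPost" datasource="app">
  SELECT * FROM posts WHERE author = <cfqueryparam value="#form.author#" cfsqltype="cf_sql_varchar">
</cfquery>
<cfquery name="getList" datasource="app">
  SELECT * FROM items WHERE cat = '#form.cat#' AND owner = #session.uid#
</cfquery>
"""

CFQUERY_RE = re.compile(r"(<cfquery\b[^>]*>)(.*?)</cfquery>", re.I | re.S)
# Either an existing cfqueryparam tag (group 1) or a bare #var# interpolation (group 2).
TOKEN_RE = re.compile(r"(<cfqueryparam\b[^>]*>)|'?#([A-Za-z_][\w.]*)#'?", re.I | re.S)

def find_unparamed(cfml):
    """Return [(query name, [bare #var# interpolations])] for each cfquery that concatenates."""
    findings = []
    for m in CFQUERY_RE.finditer(cfml):
        name_m = re.search(r'name\s*=\s*"([^"]*)"', m.group(1), re.I)
        name = name_m.group(1) if name_m else "<unnamed>"
        bare = [t.group(2) for t in TOKEN_RE.finditer(m.group(2)) if t.group(2)]
        if bare:
            findings.append((name, bare))
    return findings

def suggest_rewrite(sql):
    """Suggested (not applied) fix; cf_sql_varchar is a placeholder the developer must replace."""
    def repl(t):
        if t.group(1):
            return t.group(1)  # already parameterised, keep as-is
        return '<cfqueryparam value="#%s#" cfsqltype="cf_sql_varchar">' % t.group(2)
    return TOKEN_RE.sub(repl, sql)

def scan_tree(root):
    """Walk a directory tree and report findings per .cfm/.cfc file."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith((".cfm", ".cfc")):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_unparamed(fh.read())
                if hits:
                    report[path] = hits
    return report
```

Like the tool described above, it only reports and suggests; the quoted-string case ('#form.cat#') shows why the quotes must go when the value is bound.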
Thanks, but all of mine are fixed finally.
You should talk to the CF people to get that integrated with either
ColdFusion or Dreamweaver..
At 09:58 PM 9/20/2008, Michael Dinowitz wrote:
If you're interested, I have a project that I just wrote for a client that
will allow you to scan an entire