We've been seeing the exact same thing, basic SQL injection attacks all originating from China... It looks automated as they've spidered several sites we host using the exact same technique and SQL phrase. It has been going on continuously for about a week now. Thankfully the sites are pro-actively monitored from an error management POV so we've been aware of the attacks from the get go.
I agree. Using CFCs, having a common code base, employing type checking on functions and using CFQUERYPARAM all make life a little bit easier in coping with these things... In CF 8 it's worth noting that the type checking can be turned off for performance gains. I guess this is a trade off... What you gain in performance, you lose in data validation. It's a shame this feature is a global setting and not one that could be specified on a function by function basis, as I'd like to keep type checking on for my DB objects and turn it off where I feel it's not necessary.

Paul

> -----Original Message-----
> From: jonese [mailto:[EMAIL PROTECTED]
> Sent: 06 August 2007 16:25
> To: CF-Talk
> Subject: Re: SQL injection hack?
>
> Just an FYI to everyone else: I've been at my current post for 3 years
> and we've had pro-active error monitoring (versus reactive "hey my
> site doesn't work") now for close to 2 years.
>
> Just in the recent weeks we started seeing basic SQL injection hacks
> on sites we host. We never saw anything like this till recently, so be
> on your toes.
>
> Like others have mentioned, using CFQueryParam and Stored Procedures
> can help. Also putting the stuff into CFCs and forcing incoming vars
> to be typed helps as well (with everything except strings of course).
>
> If you are looking for preventive stuff on top of those already
> mentioned you can look into the CF Firewalls which are starting to
> spring up. As well as there are those who have made some really cool
> stuff to help watch for this. I think Shawn Gorrell has some code (he
> mentioned it at a recent ACFUG meeting); you might reach out to him,
> http://www.illumineti.com/blog/, if he doesn't notice this thread.
>
> jonese
>
> On 8/6/07, Rey Bango <[EMAIL PROTECTED]> wrote:
> > Looks that way.
> >
> > Rey
> >
> > Rick King wrote:
> > > Hey all,
> > >
> > > I just received this email that is generated when there is an error
> > > on a site I built (www.woreitonce.com)
> > >
> > > -------------------E-MAIL--------------------------------
> > > Invalid data 1 and 1=convert(int,(select top 1 char(97)+admin_password from tbl_adminusers)) for CFSQLTYPE CF_SQL_INTEGER. <br>The error occurred on line 30.
> > > Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
> > > 81.10.46.130
> > >
> > > /Details.cfm
> > > ProdID=1%20and%201=convert(int,(select%20top%201%20char(97)%2badmin_password%20from%20tbl_adminusers))
> > >
> > > ---------------------E-MAIL------------------------
> > >
> > > Is this a SQL injection attack? Anything I can do?
> > >
> > > Thanks
> > > Rick

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285501
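The thread recommends CFQUERYPARAM and typed CFC arguments without showing them side by side with the unprotected form. The following CFML is an added illustration, not code from any poster or from the woreitonce.com site; the datasource name "shop", the table "products" and its columns are assumed placeholders, while the ProdID URL parameter and the CF_SQL_INTEGER error text come from Rick's report. The first query interpolates URL.ProdID straight into the SQL text, so anything appended to the number becomes part of the statement. The second binds it with cfqueryparam, which is what produced the "Invalid data ... for CFSQLTYPE CF_SQL_INTEGER" message in Rick's email: the tag rejected the non-integer value before the query reached the database.

```cfml
<!--- VULNERABLE: URL.ProdID is concatenated into the SQL string.
      A request such as Details.cfm?ProdID=1 and 1=... is executed as SQL. --->
<cfquery name="getProductUnsafe" datasource="shop">
    SELECT ProdID, Name, Price
    FROM   products
    WHERE  ProdID = #URL.ProdID#
</cfquery>

<!--- HARDENED: cfqueryparam sends the value as a bound parameter and
      validates it against cfsqltype. Non-integer input raises
      "Invalid data ... for CFSQLTYPE CF_SQL_INTEGER" instead of running. --->
<cfquery name="getProduct" datasource="shop">
    SELECT ProdID, Name, Price
    FROM   products
    WHERE  ProdID = <cfqueryparam value="#URL.ProdID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- The CFC approach from the thread: type="numeric" rejects non-numeric
      input at the function boundary. Because CF 8 lets that type checking be
      switched off globally for performance, the cfqueryparam inside is kept
      as the control that still holds when argument checking is disabled. --->
<cfcomponent displayname="ProductDAO" hint="Assumed example data-access CFC">
    <cffunction name="getProduct" access="public" returntype="query"
                hint="Returns one product row by its numeric id">
        <cfargument name="prodID" type="numeric" required="true">
        <cfset var result = "">
        <cfquery name="result" datasource="shop">
            SELECT ProdID, Name, Price
            FROM   products
            WHERE  ProdID = <cfqueryparam value="#arguments.prodID#"
                                          cfsqltype="cf_sql_integer">
        </cfquery>
        <cfreturn result>
    </cffunction>
</cfcomponent>

<!--- Usage from Details.cfm: both layers reject the payload shown in the thread. --->
<cfset dao = createObject("component", "ProductDAO")>
<cfset product = dao.getProduct(URL.ProdID)>
```

The two layers fail in different ways, and that matters for the monitoring jonese and Paul describe: a typed argument failure and a cfqueryparam failure are both ColdFusion exceptions, so the same error handler that e-mailed Rick the blocked request will surface attempts against every query written this way, whereas the unprotected query only errors when the injected SQL itself happens to be malformed.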

