This attack has nothing to do with elevation of privilege. It simply tacks on a SQL procedure to a query existing on the page already. This procedure then runs through the tables/columns in the database, appending text to the end of content in varchar fields. The text appended varies, but what I've seen is a JavaScript file call that would run when the affected content was displayed in a browser.
I can't see how that security patch would have anything to do with it. (Please enlighten me if I'm wrong.)

> Can someone confirm that having applied the Microsoft patch(es) mentioned on
> http://www.microsoft.com/technet/security/bulletin/MS08-040.mspx
> is sufficient to protect against attacks like these?

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309437
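A cleanup sweep for the symptom described in the message above (a script tag appended to the end of character fields), as an added example that is not part of the original post. It assumes an SQLite database standing in for the real one; the table names, sample rows and the `example.invalid` URL are constructed.

```python
import re
import sqlite3

# A <script src=...></script> tag sitting at the very end of a stored value.
TRAILING_SCRIPT = re.compile(
    r"<script\b[^>]*\bsrc\s*=[^>]*>\s*</script\s*>\s*$", re.IGNORECASE)

def text_columns(conn):
    """Return (table, column) for every character-typed column in user tables."""
    cols = []
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table' "
                                 "AND name NOT LIKE 'sqlite_%'").fetchall():
        for _cid, col, ctype, *_ in conn.execute(f'PRAGMA table_info("{table}")').fetchall():
            if "CHAR" in ctype.upper() or "TEXT" in ctype.upper():
                cols.append((table, col))
    return cols

def find_appended_scripts(conn):
    """Return sorted (table, column, rowid, value) for values ending in a script tag."""
    hits = []
    for table, col in text_columns(conn):
        for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"').fetchall():
            if isinstance(value, str) and TRAILING_SCRIPT.search(value):
                hits.append((table, col, rowid, value))
    return sorted(hits)

def strip_appended_scripts(conn):
    """Remove trailing tags from every hit (parameterized UPDATE); return count fixed."""
    hits = find_appended_scripts(conn)
    for table, col, rowid, value in hits:
        while TRAILING_SCRIPT.search(value):  # the tag may have been appended repeatedly
            value = TRAILING_SCRIPT.sub("", value)
        conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?', (value, rowid))
    conn.commit()
    return len(hits)

def build_sample_db():
    """Constructed sample data: two values carry an appended script tag."""
    tag = '<script src="http://example.invalid/x.js"></script>'
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title VARCHAR(100), body TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name VARCHAR(50), age INTEGER)")
    conn.executemany("INSERT INTO articles (title, body) VALUES (?, ?)", [
        ("Welcome" + tag, "Intro text"),
        ("How to embed <script src=a.js></script> safely", "Body" + tag + tag)])
    conn.execute("INSERT INTO users (name, age) VALUES ('alice', 30)")
    return conn
```

Only a tag at the very end of a value is treated as appended, so legitimate content that mentions a script tag mid-text is left alone; run the find step and review its hits before running the strip step.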