That may help with this particular attack, but I have already seen 2
versions of it today. Both happened to have the "EXEC(",
but there are variations that use other keywords.
The correct way (which unfortunately I found out through failure :) is:
1. Run a scanner like http://qpscanner.riaforge.org/ and fix EVERY
query it finds so that it uses cfqueryparam.
2. Do a search for every cfparam in your code and add the correct
type. For example:
<cfparam name="id" default="0" type="integer">
That will prevent people from adding anything to the end of the integer.
3. Set up a sitewide error handler to email you when a problem
occurs. You will be amazed at how many attempts that cfparam catches.
4. Set up your database so that the user you use with ColdFusion is
denied permission to all of the system tables and stored procedures
that you do not use.
5. I use a filter similar to what you mention below, in the
Application.cfm or Application.cfc file. Mine uses a few other
words, such as ";DECLARE", "CHAR( ", ";SET " and "CAST( ", and I
am also working on a system of banning the bad IP addresses on the
entire server for a while, figuring that if they hit a protected page,
why let them keep trying. I am collecting data on the attack, and it
appears that an IP address is only used 2-15 times within a 1-minute
period, then it is never used again. So it looks like banning the
IP for an hour should be OK.
6. I set up an automated task to check 10 different tables for my own
entry every 15 minutes, checking that the email address and website
address haven't changed. If they do, I get notified.
7. Make sure that you back up your website and database as frequently
as possible. Keep old versions in case the next attack just changes
a few numbers here and there instead of being this obvious.
At 08:30 PM 7/23/2008, you wrote:
>What about if I put:
>
><cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains "EXEC(" OR
>cgi.QUERY_STRING contains "EXEC("><cfabort></cfif>
>
>in all my CF files on my web site, and if a hacker tries to run any of these
>files, for example:
>
>index.cfm?+code, mail.cfm?+code etc. Basically it attacks everything Google has
>indexed, but if you put it in all of the files, it should abort the connection
>every time one of the files is executed, and then no query will be
>executed... it should work. What do you think?
>
>Radek
Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309554
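The following is an added example, not code from either poster in this thread or from Adobe, showing what steps 1, 2, 3 and 5 above look like when put together in an Application.cfc plus one page. The datasource name "mydsn", the in-memory application.banlist structure, the one-hour ban length, the log file names, the regular expression built from the keywords the thread mentions, and the 403 response are all assumptions; the worm variants themselves are only described here in the terms the thread uses.

```cfml
<!--- Application.cfc (added example; not code from the thread).
      Steps 1, 2, 3 and 5 from the mail above in one place. The datasource
      name, log file names, ban list structure and regex are assumptions. --->
<cfcomponent output="false">
    <cfset this.name = "hardenedSite">
    <cfset this.applicationTimeout = createTimeSpan(1, 0, 0, 0)>

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <cfset application.dsn = "mydsn">          <!--- assumed datasource name --->
        <cfset application.banlist = structNew()>   <!--- IP -> time it was banned --->
        <cfset application.banMinutes = 60>         <!--- "an hour", as in the thread --->
        <cfreturn true>
    </cffunction>

    <!--- Step 5: request filter plus temporary IP ban --->
    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var ip = cgi.REMOTE_ADDR>
        <cfset var body = getHttpRequestData().content>
        <cfset var raw = "">
        <cfset var decoded = "">
        <!--- Keywords named in the thread, with optional whitespace so "EXEC (" still
              matches. A word list only stops the obvious scripts; the thread itself
              says variants use other keywords, so cfqueryparam remains the real fix. --->
        <cfset var pattern = "(;\s*DECLARE\b|\bCAST\s*\(|\bCHAR\s*\(|\bEXEC\s*\(|;\s*SET\s)">

        <!--- File uploads arrive as binary; only text bodies are scanned --->
        <cfif not isSimpleValue(body)><cfset body = ""></cfif>
        <!--- The thread's filter only looks at the URL; POST bodies are checked here too --->
        <cfset raw = cgi.SCRIPT_NAME & "?" & cgi.QUERY_STRING & "|" & cgi.PATH_INFO & "|" & body>
        <cfset decoded = urlDecode(raw)>

        <!--- Already banned? Refuse until the ban has aged out --->
        <cfif structKeyExists(application.banlist, ip)>
            <cfif dateDiff("n", application.banlist[ip], now()) lt application.banMinutes>
                <cfheader statuscode="403" statustext="Forbidden">
                <cfabort>
            <cfelse>
                <cflock scope="application" type="exclusive" timeout="5">
                    <cfset structDelete(application.banlist, ip)>
                </cflock>
            </cfif>
        </cfif>

        <cfif reFindNoCase(pattern, decoded)>
            <cflock scope="application" type="exclusive" timeout="5">
                <cfset application.banlist[ip] = now()>
            </cflock>
            <cflog file="sqli_attempts" type="warning" text="#ip# #left(raw, 500)#">
            <cfheader statuscode="403" statustext="Forbidden">
            <cfabort>
        </cfif>
        <cfreturn true>
    </cffunction>

    <!--- Step 3: a cfparam type failure or a bad query lands here. The thread
          emails itself; cfmail needs a mail server, so this version only logs. --->
    <cffunction name="onError" returntype="void" output="true">
        <cfargument name="exception" required="true">
        <cfargument name="eventName" type="string" required="true">
        <cflog file="site_errors" type="error"
               text="#cgi.REMOTE_ADDR# #cgi.SCRIPT_NAME#?#cgi.QUERY_STRING# : #arguments.exception.message#">
        <cfoutput><p>Sorry, something went wrong.</p></cfoutput>
    </cffunction>
</cfcomponent>

<!--- product.cfm: steps 1 and 2. An id such as "5 DECLARE ..." now fails the
      integer check before any SQL is built, and a good id reaches the database
      as a bound parameter rather than as text pasted into the statement. --->
<cfparam name="url.id" default="0" type="integer">
<cfquery name="getProduct" datasource="#application.dsn#">
    SELECT id, name, price
    FROM   products
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

The ordering matters: the ban check and keyword filter run in onRequestStart before any page code, the typed cfparam rejects a non-integer before a query string is assembled, and cfqueryparam keeps whatever does get through out of the SQL text entirely. Treat the keyword list and the IP ban as a way to cut noise and catch attempts in the log, not as the defence; the scanner pass in step 1 is what actually closes the hole.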