Thanks, Andy and Ian -- I am going through this previous thread (I did get hit with this 2 or 3 weeks ago also) -- so I am just wondering how I can get a basic/minimal level of protection installed, maybe linked from application.cfm.

I must have 100,000 pages I need to protect -- and my primary database has something like 180 tables, some of which have more than 100 fields. So I need something I can do quickly. And I've got a lot to learn about this. So, just probing this one question -- what people are saying is that it comes through a URL -- and not a user form submission (or at least that seems to be the case)?

Here's a question: if it is possible to do a basic, general-purpose kind of input filtering from application.cfm -- not as good as going through every query, but something that can be done quickly -- would it be possible to write a kind of generic protection script? The specifics of this script would depend on the variables/fieldnames/datatypes -- but if we had a general-purpose script:

1) stop attack type A
2) stop attack type B
3) stop attack type C

with the programmer to fill in the blanks -- i.e., itemize the field names and types.... Could that be done? If that were possible, that would be a great help.

Thanks for this good discussion.

- Bruce

> Bruce Schuman wrote:
> > How do they do this?
>
> Yes, it is done through the URL. This is well discussed here and in many
> blogs. But the gist is that the errant URL parameter is an ENTIRE
> SQL function that will tell your database to scan every table, looking at
> every field, and if the field is a character field, to append the
> payload to that field.

> Actually, with this particular SQL injection attack it's really easy
> to stop. We created a SQL filter that is called from
> application.cfm. It loops through the URL structure and checks to
> see if any URL variables contain both a semicolon and any SQL
> keyword. If a match is found, it just cfaborts the request and
> sends us an e-mail with the details. We periodically review those
> messages and have not found a single false positive yet after
> deployment to every site we manage.
>
> Granted, it will not stop SQL injection through form posts, but I
> don't recall ever seeing a SQL injection attack through a form post
> (yet). At the least it can put an immediate stop to the current flood
> and give you time to implement other protective measures such as
> cfqueryparam, etc. We have CF5 and CFMX versions if anyone wants a copy.

At 09:25 AM 8/7/2008, you wrote:
> Bruce...
>
> Without going into the whole thing, the script runs in your database and
> selects against the systables and syscolumns tables. It then loops over
> these and performs updates on existing records.
>
> You really need to go back and read the entire thread from 3 weeks ago.
>
> http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065
>
> It has everything you'd need to know about what this attack does, how to
> reverse the results, and lastly how to prevent it from happening again.
>
> andy

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310413
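The application.cfm filter described in the quoted reply, written out here as an added example for this page (the list member's own CF5/CFMX script was not posted, so this is not their code): it loops over the request variables, flags any value that contains both a semicolon and a whole-word SQL keyword, mails the details and cfaborts. It goes one step beyond the quoted description by checking the FORM scope as well as URL. The keyword list, the mail addresses and the use of the CGI variables in the report are assumptions.

```cfml
<!--- application.cfm: stopgap filter for the URL-borne mass SQL injection discussed in the thread.
      Added example, not the list member's script. Keyword list and mail addresses are assumptions. --->

<!--- Keywords the injected statement needs. Matched as whole words (see regex below), so
      ordinary values such as "executive" or "dropdown" do not trigger by themselves. --->
<cfset sqlKeywords = "DECLARE,CAST,EXEC,EXECUTE,UPDATE,INSERT,DELETE,DROP,SELECT,UNION,SYSOBJECTS,SYSCOLUMNS">

<!--- The reply only checks URL; FORM is added here as an extension so posted fields get the same test. --->
<cfset scopesToCheck = ArrayNew(1)>
<cfset scopesToCheck[1] = URL>
<cfset scopesToCheck[2] = FORM>

<cfset suspicious = "">

<cfloop from="1" to="#ArrayLen(scopesToCheck)#" index="s">
    <cfloop collection="#scopesToCheck[s]#" item="key">
        <cfset val = scopesToCheck[s][key]>
        <!--- The payload chains statements, so a literal semicolon is required before we bother
              with keywords. This is what keeps the false-positive rate low on normal traffic. --->
        <cfif IsSimpleValue(val) AND Find(";", val) GT 0>
            <cfloop list="#sqlKeywords#" index="kw">
                <!--- Whole-word match: keyword bounded by start/end of string or a non-identifier character. --->
                <cfif REFindNoCase("(^|[^A-Za-z0-9_])#kw#([^A-Za-z0-9_]|$)", val) GT 0>
                    <cfset suspicious = suspicious & key & "=" & val & Chr(10)>
                    <cfbreak>
                </cfif>
            </cfloop>
        </cfif>
    </cfloop>
</cfloop>

<cfif Len(suspicious) GT 0>
    <!--- Report, then stop the request before any page-level cfquery runs.
          Requires a mail server configured in the ColdFusion Administrator. --->
    <cfmail to="security@example.com" from="cfserver@example.com"
            subject="Blocked SQL injection attempt on #CGI.SERVER_NAME#">
Remote address: #CGI.REMOTE_ADDR#
Requested:      #CGI.SCRIPT_NAME#?#CGI.QUERY_STRING#
User agent:     #CGI.HTTP_USER_AGENT#

Matching parameters:
#suspicious#
    </cfmail>
    <cfabort>
</cfif>
```

Because application.cfm runs before every page in its directory tree, placing this at the top of it protects all 100,000 pages at once without touching each query. Two caveats a practitioner would want on record: a payload that avoids a literal semicolon or obfuscates its keywords will pass, and the check says nothing about what a page later does with the value. It buys time, exactly as the reply says; the fix that actually closes the hole is cfqueryparam with a cfsqltype on every query.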

