> http://www.gravityfree.com/_sqlprev.cfm.txt
Just want to thank Justin for this script -- and everybody else who
has contributed some very useful information to this
discussion. It's been very helpful.
I cfincluded this script on application.cfm in just three directories
-- and over night, I got 2,600 emails regarding injection attempts.
It's going to be a while before I get cfqueryparam on all my queries,
so I have to do everything I can to stop this stuff at the top
level. It was a relief to see my MS SQL database still clean this
morning, after all that hammering.
So -- what I am wondering is -- there is going to be the next wave of
attack that's going to try something else -- very likely form-based
submissions....
I can get captcha working -- CF8 does that very nicely -- but I am
wondering if something like this initial script can be modified to
scope it for forms.
Maybe take something like that same script, and do something like
<CFIF IsDefined("form.variablename")>protection clause here</CFIF>
for every element in the script ???
Thanks for your patience with these kinda low-level questions. I
been programming in CF since 2.0 -- and I still have code out there
with "ParameterExists" in it -- but this is a one-man self-taught
deal here, and not too sophisticated.
How can we get form protection linked to application.cfm....?
- Bruce
At 06:51 AM 8/8/2008, you wrote:
>Justin,
>
>I have to agree with Dave. Every possible client scope needs to be checked -
>and the form scope seems rudimentary to me. Not checking the form scope is
>like setting up a firewall and locking down everything except a few dozen
>ports near the bottom of the stack (after all ... we rarely get attacked
>from ports 10 through 30 :)
>
>-Mark
>
>
>-----Original Message-----
>From: Dave Watts [mailto:[EMAIL PROTECTED]
>Sent: Thursday, August 07, 2008 4:43 PM
>To: CF-Talk
>Subject: RE: HELP! SQL Injection Attack!
>
> > Since nearly all SQL injection attempts come through the URL
> > (including the recent ones), that is where I put the focus.
>
>Nearly all automated SQL injection attempts come through the URL. The ones
>that, say, compromise peoples' credit card data, they typically come from
>forms.
>
> > With this script I would not recommend checking the form scope as
> > there is too high a risk of false positives. I've never heard of an
> > injection attack coming through CGI variables. I suppose it's
> > possible, but the percentage of queries using CGI scope data is
> > probably minuscule compared to URL variables.
>
>Again, targeted attacks will attempt to use any data that comes from the
>client. A brief review of the available tools for pen testing will show you
>that.
>
>Dave Watts, CTO, Fig Leaf Software
>http://www.figleaf.com/
>
>Fig Leaf Software provides the highest caliber vendor-authorized instruction
>at our training centers in Washington DC, Atlanta, Chicago, Baltimore,
>Northern Virginia, or on-site at your location.
>Visit http://training.figleaf.com/ for more information!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to
date
Get the Free Trial
http://ad.doubleclick.net/clk;203748912;27390454;j
Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310507
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
