And that girl who was raped should not have been wearing a skirt.

Yes, we've implemented things way more sophisticated than CFQUERYPARAM.
Anybody who waits until the SQL query to try to detect bogus data is asking
for trouble.

But crime is crime, and we should not be allowing criminals to CHOP away at
our systems until they find that one hole we didn't catch, and then blame it
on the victim!

Dave Morris



> -----Original Message-----
> From: Greg Morphis [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 11, 2008 9:04 AM
> To: CF-Talk
> Subject: Re: SQL injection attack on House of Fusion
> 
> Ummm but is it not your website that YOU left vulnerable? If you
> didn't have access to cfqueryparam then you should have used an
> alternate approach. I'm sure they exist even for CF 4.0, a little
> extra time at the beginning validating variables would save so much
> grief now right? And from what I'm hearing from popular sites is it's
> not so much the cfqueryparam because they are still getting hit
> thousands of times every minute, like HoF. So there's other steps, not
> just within CF. I think MD was working on something to stop the
> intruders at the server, before it even hits CF.
> I'm not saying it's entirely YOUR fault but you allowed it to happen,
> same thing Dave Watts is saying.
> 
> 
> On Mon, Aug 11, 2008 at 7:45 AM, Dave Morris <[EMAIL PROTECTED]>
> wrote:
> > Ah.  You're from the "blame the victim" school.
> >
> > Unfortunately, when I wrote the first 1,000 ColdFusion templates using Ben
> > Forta's CF 4.0 book, there was no CFQueryParam.  So going back and rewriting
> > all those programs (now well into several thousand) has been a bitch.  And
> > all it took was one missed spot.
> >
> > So I shouldn't be mad at the poor little hackers, because they were doing us
> > all a favor by pointing out our faults.  That is your school of thought,
> > right?
> >
> > Dave Morris
> >
> >
> >> -----Original Message-----
> >> From: Dave Watts [mailto:[EMAIL PROTECTED]
> >> Sent: Sunday, August 10, 2008 11:15 PM
> >> To: CF-Talk
> >> Subject: RE: SQL injection attack on House of Fusion
> >>
> >> > Anyway, I propose the dot-com millionaires who left us stuck
> >> > with the current mess in the spam and virus arena be
> >> > personally required to fund an international Goon Squad with
> >> > kneecap breaking instructions to go after these vandals.
> >>
> >> And who exactly would that be?
> >>
> >> > If someone did this crap to your house, you'd have the police
> >> > and/or FBI out there in a heartbeat tracking down the
> >> > criminals.  This is criminal mischief on a global scale.
> >>
> >> If you left your front door open, so that anyone could just walk in, you'd
> >> have no one but yourself to blame. If you're looking for an analogy, that's
> >> the one that fits. The reason this particular attack has been so successful
> >> is the arguably criminal negligence of so many web developers, coupled with
> >> the typical improper usage of administrator rights on untrained users'
> >> desktops.
> >>
> >> People have been harping on these two issues for years - I know I have. As a
> >> web developer, one of these issues is within your direct control. If you've
> >> failed to do anything about unparameterized queries until something bad
> >> happens to you, you've failed to meet the minimal due diligence for being a
> >> web application developer.
> >>
> >> > And if Interpol won't do anything about it, and if the powers
> >> > that be refuse to attach any form of responsibility or
> >> > traceability to the ownership of an IP address, then we may
> >> > just have to implement vigilante measures and go after the
> >> > crooks ourselves.
> >>
> >> Well, uh, good luck with that. Let me know how it goes with you against the
> >> Russian mafia. This stuff is no longer just maladjusted kids in their
> >> parents' basement - there's money to be had here, and there are people going
> >> after that money. I suggest your efforts are better directed at ensuring the
> >> adequacy of your own sites' protection instead.
> >>
> >> Dave Watts, CTO, Fig Leaf Software
> >> http://www.figleaf.com/
> >>
> >> Fig Leaf Software provides the highest caliber vendor-authorized
> >> instruction at our training centers in Washington DC, Atlanta,
> >> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> >> Visit http://training.figleaf.com/ for more information!
> >>
> >>
> >
> >
> 
> 

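For readers following the CFQUERYPARAM argument above, here is an added illustration (example code, not posted by anyone in this thread): the unparameterized query the attack relies on, the same query with the value bound through cfqueryparam, and the pre-query validation that templates without cfqueryparam are left with. The datasource name "myDSN", the "items" table, its "id" and "name" columns, and the url.id request parameter are all assumed for the example.

```cfml
<!--- Added example, not from the thread. Assumes datasource "myDSN", a table
      "items" with an integer "id" column, and url.id supplied by the request. --->

<!--- Vulnerable: url.id is pasted into the SQL text. If the driver accepts
      multiple statements, a constructed request such as
      ?id=1;DELETE FROM items turns one statement into two. --->
<cfquery name="getItemUnsafe" datasource="myDSN">
    SELECT id, name FROM items WHERE id = #url.id#
</cfquery>

<!--- Hardened: cfqueryparam sends the value as a typed bind parameter, so the
      database never parses it as SQL. A non-integer value raises a ColdFusion
      error before the query is sent, instead of reaching the database. --->
<cfquery name="getItem" datasource="myDSN">
    SELECT id, name FROM items
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Fallback for templates that cannot use cfqueryparam: reject anything
      that is not a plain run of digits before the query is built, then
      coerce with Val(). This is the "detect bogus data before the SQL"
      approach; it only works for strictly typed values such as integers
      and is no substitute for binding where binding is available. --->
<cfif NOT REFind("^[0-9]+$", url.id)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>
<cfquery name="getItemChecked" datasource="myDSN">
    SELECT id, name FROM items WHERE id = #Val(url.id)#
</cfquery>
```

The digit-only check is deliberately stricter than IsNumeric(), which also accepts signs, decimals and exponent notation that an integer column has no use for. For string columns there is no equivalent safe coercion, which is why the bound version is the one to migrate to.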

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310714
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
