Nick, it is *POSSIBLE* for your actual index.cfm files to be modified via SQL injection (xp_cmdshell on MS SQL Server), but it is highly doubtful.

I can't think of a scenario where XSS could actually affect files on your server since that is a client-based attack. The XSS attack would need to be coupled with a server-side vulnerability. I would focus directly on all of your FTP access, Windows file sharing access, and telnet/remote desktop connections. If you are using shared hosting, your problem just got a lot harder to track down.

Also, for the record, it is possible for an attacker to modify cfm files on your server if you have a piece of your application that allows users to upload files to the server (like images or attachments) and these files are placed in a web accessible location where they could be accessed via a URL and executed. (Imagine uploading a .cfm file with a few cffile tags in it...) The probability of this sort of attack is smaller than the chances of someone brute-forcing your FTP login though.

Like I said before, change ALL your passwords, and check your logs. If this is a publicly accessible server, it should be behind a firewall blocking ALL ports not absolutely necessary (like 80 and 443).

~Brad

-------- Original Message --------
Subject: RE: Question about hack
From: "Nick Gleason" <[email protected]>
Date: Mon, April 06, 2009 3:10 pm
To: cf-talk <[email protected]>

Brad,

Many thanks for your response. We'll take a look at those things.

It appears that the code is in the actual index.cfm pages on the web server. There are some old sites on this server that may be vulnerable, so that is a theory. However, I would expect that kind of vulnerability to result in a database injection, which is not what we are seeing. So, I guess one question is whether an XSS type hack can result in code being added to a file on the web server.
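To illustrate the upload scenario Brad describes, here is an added example (written for this edit, not code from the thread or from either poster) of a ColdFusion 8-era tag-based upload handler that keeps an uploaded file from ever being served or executed as a .cfm page; the form field name, the storage path and the extension allowlist are assumptions.

```cfml
<!--- Added example: hardened file upload for a CF8-style application.
      Assumed form field "attachment"; assumed storage directory that is
      NOT under the web root, so nothing saved there is reachable by URL. --->
<cfset allowedExt = "jpg,jpeg,png,gif,pdf">
<cfset storeDir   = "/var/cfuploads/">   <!--- hypothetical path --->

<!--- 1. Never upload straight into a web-accessible folder. Land the file
      in the server temp directory first and inspect it there. --->
<cffile action="upload"
        fileField="attachment"
        destination="#getTempDirectory()#"
        nameConflict="makeunique">

<cfset tmpPath = cffile.serverDirectory & "/" & cffile.serverFile>

<!--- 2. Validate the extension of the file as saved (serverFileExt), not the
      browser-supplied name or MIME type, which the client controls.
      Anything outside the allowlist (e.g. .cfm, .cfc, .jsp) is deleted. --->
<cfset ext = lCase(cffile.serverFileExt)>
<cfif NOT listFindNoCase(allowedExt, ext)>
    <cffile action="delete" file="#tmpPath#">
    <cfthrow message="File type not permitted">
</cfif>

<!--- 3. Replace the client-chosen name with a server-generated one. This
      discards tricks like "shell.cfm.jpg" or path characters in the name. --->
<cfset newName = createUUID() & "." & ext>
<cffile action="move"
        source="#tmpPath#"
        destination="#storeDir##newName#">

<!--- 4. Store only the generated name (e.g. in the database) and serve
      downloads through a handler with cfcontent, so the web server never
      maps a URL directly onto the upload directory. --->
<cfcontent type="application/octet-stream"
           file="#storeDir##newName#"
           reset="true">
```

Even with the allowlist, the decisive control is step 1 plus the storage location: a file that ColdFusion cannot be asked to execute via URL cannot become a backdoor regardless of what it contains.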
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321373