I know exactly what you mean :) My suggestion was based on the assumption the application was built originally without using cfqueryparam, and nobody likes going back to hundreds of files and modifying each query used. Like I said... short-term fix :)
Brian Polackoff
[email protected]
http://www.emstoolkit.com

-----Original Message-----
From: Bryan Stevenson [mailto:[email protected]]
Sent: Thursday, December 09, 2010 7:22 PM
To: cf-talk
Subject: RE: index.cfm being hacked (now application.cfm)

....or just use CFQUERYPARAM and skip all that ;-)

On Thu, 2010-12-09 at 18:45 -0500, Brian Polackoff wrote:
> Hey Mike,
> Sorry if this reply is off target, I'm jumping in here way after the
> original post, but I too had issues with people hacking pages (using
> sql injection, not sure if that's what you said they are doing to
> you). I did some research and found the below code that helped. I
> admit it's not the most efficient way of stopping the attacks, but I
> do FULLY admit it stops the immediate threats and may buy you some time.
>
> <!--- lower case checking --->
> <cfif
>     cgi.SCRIPT_NAME contains "cast(" OR
>     cgi.SCRIPT_NAME contains "exec(" OR
>     cgi.PATH_INFO contains "exec(" OR
>     cgi.QUERY_STRING contains "exec(" OR
>     cgi.SCRIPT_NAME contains "declare(" OR
>     cgi.PATH_INFO contains "declare(" OR
>     cgi.QUERY_STRING contains "declare(">
>     <cfabort>
> </cfif>
>
> <!--- upper case checking if needed --->
> <cfif
>     cgi.SCRIPT_NAME contains "CAST(" OR
>     cgi.SCRIPT_NAME contains "EXEC(" OR
>     cgi.PATH_INFO contains "EXEC(" OR
>     cgi.QUERY_STRING contains "EXEC(" OR
>     cgi.SCRIPT_NAME contains "DECLARE(" OR
>     cgi.PATH_INFO contains "DECLARE(" OR
>     cgi.QUERY_STRING contains "DECLARE(">
>     <cfabort>
> </cfif>
>
> <cfif
>     CGI.QUERY_STRING contains "delete " OR
>     CGI.QUERY_STRING contains "update " OR
>     CGI.QUERY_STRING contains "DELETE" OR
>     CGI.QUERY_STRING contains "UPDATE">
>     <cfabort>
> </cfif>
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:339956
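The cfqueryparam approach Bryan points to, shown as an added example that is not code from the thread: the string-built query the keyword filter is trying to protect, next to the parameterised form that removes the injection itself. The datasource name "appDSN", the products table, its columns and the url/form variables are assumed.

```cfml
<!--- Added example (not from the thread). Datasource "appDSN", table "products",
      its columns and the url/form variables are assumed. --->

<!--- Vulnerable form: url.id is pasted into the SQL text, so whatever the request
      carries becomes part of the statement. The keyword filter in Application.cfm
      only blocks the spellings it happens to list. --->
<cfquery name="productByIdUnsafe" datasource="appDSN">
    SELECT id, name, price
    FROM products
    WHERE id = #url.id#
</cfquery>

<!--- Hardened form: the value is bound as a typed parameter. The driver sends the
      SQL and the value separately, so the value cannot alter the statement, and
      cf_sql_integer rejects a non-numeric value before the query runs. --->
<cfquery name="productById" datasource="appDSN">
    SELECT id, name, price
    FROM products
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String search: the wildcards go into the bound value, not the SQL text, and
      maxlength caps how much input reaches the database. --->
<cfquery name="productSearch" datasource="appDSN">
    SELECT id, name, price
    FROM products
    WHERE name LIKE <cfqueryparam value="%#form.q#%"
                                  cfsqltype="cf_sql_varchar"
                                  maxlength="100">
</cfquery>

<!--- Multi-value IN clause: list="true" binds each element of a comma-separated
      value (e.g. url.ids = "3,7,12") as its own integer parameter. --->
<cfquery name="productsByIds" datasource="appDSN">
    SELECT id, name, price
    FROM products
    WHERE id IN (<cfqueryparam value="#url.ids#"
                               cfsqltype="cf_sql_integer"
                               list="true">)
</cfquery>
```

The request-level keyword check can stay as a stopgap while queries are converted, but it is the cfqueryparam binding that actually closes the hole.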

