Looks like the same attack tried my servers too - too bad for them it failed. Long Live CFQueryParam amongst other little tools. Oh, and running PostgreSQL database :-)
Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com

[email protected]
www.trunkful.com

On Sep 30, 2012, at 8:01 PM, Scott Slone wrote:

>
> Just battled this today myself
>
> Here's some more information on it.
>
> https://isc.sans.edu/diary.html?storyid=12127
>
>
> On 9/30/12 5:58 PM, "Les Mizzell" <[email protected]> wrote:
>
>>
>> Never seen this before! Script in Application file, as usual, caught it
>> before it got further...
>>
>> Here's what was tried:
>>
>>
>> /index.cfm?action=dance.school%29%29%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40ve
>> rsion--40version--=&MSOTlPn_View=0&MSOTlPn_ShowSettings=False%27%2F%2A%2A%
>> 2For%2F%2A%2A%2F1%3D%40%40version%29--&MSOGallery_SelectedLibrary=&MSOGall
>> ery_FilterString=&MSOTlPn_Button=none&__REQUESTDIGEST=&MSOAuthoringConsole
>> _FormContext=&MSOAC_EditDuringWorkflow=&MSOSPWebPartManager_DisplayModeNam
>> e=Browse&MSOWebPartPage_Shared=&MSOLayout_LayoutChanges=&MSOLayout_InDesig
>> nMode=&MSOSPWebPartManager_OldDisplayModeName=Browse&MSOSPWebPartManager_S
>> tartWebPartEditingName=false&ASB_TextDT_Props=&ASB_DateTimeDT_Props=Write%
>> 23%3B%23Created&ASB_ResType_Query=&__VIEWSTATE=PostList%24ctl06%24ctl26%24
>> ctl01=nochange&ctl00%24ctl00%24bcr%24bcr%24ctl01%24ctl03%24ctl00%24PostLis
>> t%24ctl07%24ctl26%24ctl01=nochange&ctl00%24ctl00%24bcr%24bcr%24ctl01%24ctl
>> 03%24ctl00%24PostList%24ctl08%24ctl26%24ctl01=nochange&ctl00%24ctl00%24bcr
>> %24bcr%24ctl01%24ctl03%24ctl00%24PostList%24ctl09%24ctl26%24ctl01=nochange
>> &ctl00%24ctl00%24bcr%24bcr%2
>>
>> 4ctl01%24ctl03%24ctl00%24PostList%24ctl10%24ctl26%24ctl01=nochange&ctl00%2
>> 4ctl00%24bcr%24bcr%24ctl01%24ctl03%24ctl00%24PostList%24ctl11%24ctl26%24ct
>> l01=nochange&ctl00%24ctl00%24bcr%24bcr%24ctl01%24ctl03%24ctl00%24PostList%
>> 24ctl12%24ctl26%24ctl01=nochange&ctl00%24ctl00%24bcr%24bcr%24ctl01%24ctl03
>> %24ctl00%24PostList%24ctl13%24ctl26%24ctl01=nochange&ctl00%24ctl00%24bcr%2
>> 4bcr%24ctl01%24ctl03%24ctl00%24PostList%24ctl14%24ctl26%24ctl01=nochange&c
>> tl00%24ctl00%24bcr%24bcr%24ctl01%24ctl03%24ctl00%24PostList%24ctl15%24ctl2
>> 6%24ctl01=nochange&ctl00%24ctl00%24bcr%24bcr%24ctl01%24ctl03%24ctl00%24Pos
>> tList%24ctl16%24ctl26%24ctl01=nochange00%24ContentPlaceHolder1%24FilterAdD
>> efault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%240=&ctl00%24Con
>> tentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxL
>> istMakeMore%241=&ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAd
>> Car_ascxControl1%24checkBoxListMakeMore%242=&ctl00%24ContentPlaceHolder1%2
>> 4FilterAdDefault1%24filterA
>>
>> dCar_ascxControl1%24checkBoxListMakeMore%243=&ctl00%24ContentPlaceHolder1%
>> 24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%244=&
>> ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%
>> 24checkBoxListMakeMore%245=&ctl00%24ContentPlaceHolder1%24FilterAdDefault1
>> %24filterAdCar_ascxControl1%24checkBoxListMakeMore%246=&ctl00%24ContentPla
>> ceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMake
>> More%247=&ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_asc
>> xControl1%24checkBoxListMakeMore%248=&ctl00%24ContentPlaceHolder1%24Filter
>> AdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%249=&ctl00%24
>> ContentPlaceHolder1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkB
>> oxListMakeMore%2410=&ctl00%24ContentPlaceHolder1%24FilterAdDefault1%24filt
>> erAdCar_ascxControl1%24checkBoxListMakeMore%2411=&ctl00%24ContentPlaceHold
>> er1%24FilterAdDefault1%24filterAdCar_ascxControl1%24checkBoxListMakeMore%2
>> 412=&ctl00%24ContentP
>>
>>
>>
>
>
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352786
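Added example, not part of the original thread: a Python sketch of the kind of check a request filter or log triage script could apply to a query string like the one quoted above. It URL-decodes each parameter, collapses the `/**/` comments used in place of spaces, and flags values that combine several SQL injection markers. The rule names, the `MIN_HITS` threshold and the shortened sample are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample: three parameters shortened from the quoted request.
SAMPLE_QUERY = (
    "action=dance.school%29%29%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version--"
    "&MSOTlPn_View=0"
    "&MSOTlPn_ShowSettings=False%27%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version%29--"
)

INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)

# Hypothetical rule set for this example; tune it against your own traffic.
RULES = {
    # a quote or closing paren followed directly by a boolean operator
    "breakout": re.compile(r"['\")]\s*(?:or|and)\b", re.I),
    # OR/AND followed by a comparison, e.g. "or 1=@@version"
    "boolean_comparison": re.compile(r"\b(?:or|and)\s+\S+\s*=\s*\S+", re.I),
    # @@name server variables such as @@version
    "server_variable": re.compile(r"@@\w+"),
    # trailing comment marker that cuts off the rest of the statement
    "comment_terminator": re.compile(r"(?:--|#)\s*$"),
}
MIN_HITS = 2  # assumption: require two markers before flagging a value


def normalize(value):
    """Replace /* ... */ comments with a space and collapse whitespace,
    so 'x/**/or/**/1' is matched the same way as 'x or 1'."""
    return re.sub(r"\s+", " ", INLINE_COMMENT.sub(" ", value)).strip()


def scan_query(query):
    """Return {param: (normalized value, [rules hit])} for flagged parameters."""
    findings = {}
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = normalize(raw)
        hits = [rule for rule, rx in RULES.items() if rx.search(value)]
        if len(hits) >= MIN_HITS:
            findings[name] = (value, hits)
    return findings


if __name__ == "__main__":
    for param, (value, hits) in scan_query(SAMPLE_QUERY).items():
        print(f"{param}: {value!r} -> {', '.join(hits)}")
```

A filter like this only reports or rejects suspicious requests; the bound parameters (CFQueryParam) credited in the message above are what keep such values from being interpreted as SQL.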

