> Issues like this are typically caused by either SQL injection (i.e. didn't use cfqueryparam) or
> some sort of FTP vulnerability. My first step would be to make sure that *every*
> cfquery that accepts any input of any kind from users is utilizing cfqueryparam.

Everything is "paramed" to the hilt - I sanitize all form vars BEFORE the query, and then use cfqueryparam on top of that ... so I'm guessing we're looking at an FTP vulnerability.

Question though - how could an injection attempt on an unprotected query add a piece of script to a static page that doesn't even have any queries on it? I'd kinda like to see what that looked like, if it's possible...
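
One way to carry out the check the quoted advice describes, confirming that every cfquery uses cfqueryparam, is to scan the CFML source for `#expression#` interpolations left inside query bodies. This is an added example, not part of the original thread; the function name `find_unparameterized` and the `SAMPLE` template are constructed for illustration, and the regex scan is a heuristic rather than a CFML parser.

```python
import re

# A whole <cfquery ...> ... </cfquery> block; group 1 is the body between the tags.
CFQUERY_RE = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery\s*>", re.I | re.S)
# Any CFML tag (cfqueryparam, cfif, ...): text inside the tag itself is not emitted as SQL.
CF_TAG_RE = re.compile(r"</?cf\w+[^>]*>", re.I | re.S)
# A #expression# interpolation on a single line.
HASH_EXPR_RE = re.compile(r"#([^#\r\n]+)#")

# Constructed sample template: the first query is bound, the second is not.
SAMPLE = '''<cfquery name="getUser" datasource="#application.dsn#">
  SELECT id, name FROM users
  WHERE id = <cfqueryparam value="#form.id#" cfsqltype="cf_sql_integer">
</cfquery>
<cfquery name="search" datasource="#application.dsn#">
  SELECT id, title FROM pages
  WHERE title LIKE '%#form.term#%'
  <cfif len(url.sort)>ORDER BY #url.sort#</cfif>
</cfquery>
'''

def find_unparameterized(source):
    """Return (line, expression) for each #expr# concatenated into cfquery SQL text."""
    findings = []
    for q in CFQUERY_RE.finditer(source):
        first_line = source.count("\n", 0, q.start(1)) + 1
        # Drop CFML tags but keep their newlines so reported line numbers stay correct.
        sql = CF_TAG_RE.sub(lambda t: "\n" * t.group(0).count("\n"), q.group(1))
        sql = sql.replace("##", "  ")  # "##" is an escaped literal '#', not an expression
        for e in HASH_EXPR_RE.finditer(sql):
            line = first_line + sql.count("\n", 0, e.start())
            findings.append((line, e.group(1).strip()))
    return findings

if __name__ == "__main__":
    for line, expr in find_unparameterized(SAMPLE):
        print(f"line {line}: #{expr}# is concatenated into SQL, not bound")
```

A finding such as the `ORDER BY` one cannot be fixed with cfqueryparam, since bind parameters carry values and not identifiers; that input needs to be checked against a fixed list of allowed column names.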