It doesn't have to have queries on it. Does it output data? That said, it sounds like some other sort of exploit.
On Tue, Nov 13, 2012 at 3:30 PM, Les Mizzell <[email protected]> wrote:
>
> > Issues like this are typically caused by either SQL injection (i.e. didn't use cfqueryparam) or
> > some sort of FTP vulnerability. My first step would be to make sure that *every*
> > cfquery that accepts any input of any kind from users is utilizing cfqueryparam.
>
> Everything is "paramed" to the hilt - I sanitize all form vars BEFORE the query, and then use cfqueryparam on top of that ... so I'm guessing we're looking at an FTP vulnerability.
>
> Question though - how could an injection attempt on an unprotected query add a piece of script to a static page that doesn't even have any queries on it?
> I'd kinda like to see what that looked like, if it's possible...

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353146

