Yes indeed. We had some attempts at an injection attack via a fake 
useragent variable in the CGI scope, as we were logging visiting 
useragents in a database table.

Luckily they were not able to execute any code thanks to tight SQL 
permissions, but the code they were trying to execute was written to the 
table.

I'd not even thought of that method till we saw it.

But something to have an eye on.

Regards,

Ian.


On 23/01/2013 19:09, Pete Freitag wrote:
> On Wed, Jan 23, 2013 at 12:57 PM, Rob Voyle <robvo...@voyle.com> wrote:
>
>
>> Hi Greg
>> As I continue to update my security processes, I'm curious.
>> Was this injection attempt at the url or at a form input?
>>
>
> Keep in mind that vulnerabilities can come from any input that the attacker
> can manipulate, e.g. form, url, cgi, cookie variables are all game.
>
> --
> Pete Freitag - Adobe Community Professional
> http://foundeo.com/ - ColdFusion Consulting & Products
> http://hackmycf.com - Is your ColdFusion Server Secure?
> http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10
> minutes
>
>
> 
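
The User-Agent logging case from this thread, as an added example that is not part of the original messages or anyone's production code. It uses Python's sqlite3 rather than ColdFusion, and the table, column and function names and the sample header are assumptions constructed for illustration.

```python
import sqlite3

MAX_UA_LEN = 512  # assumed column width for this example


def make_db():
    # Throwaway in-memory database with a hypothetical visitor log table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (user_agent TEXT, client_ip TEXT)")
    return conn


def log_visit_vulnerable(conn, user_agent, client_ip):
    # The header value is pasted into the SQL text, so a quote inside it
    # ends the string literal and the remainder is parsed as SQL.
    conn.execute(
        "INSERT INTO visits (user_agent, client_ip) "
        f"VALUES ('{user_agent}', '{client_ip}')"
    )


def log_visit_parameterized(conn, user_agent, client_ip):
    # Bound parameters travel as data and are never parsed as SQL.
    # The header is also truncated to the column width before storage.
    conn.execute(
        "INSERT INTO visits (user_agent, client_ip) VALUES (?, ?)",
        (user_agent[:MAX_UA_LEN], client_ip),
    )


def rows(conn):
    return conn.execute("SELECT user_agent, client_ip FROM visits").fetchall()


# Constructed sample header: closes the literal and supplies its own second column.
FORGED_UA = "Mozilla/5.0', 'forged-by-header') --"


def demo():
    # Log the same request through both code paths and return what was stored.
    bad, good = make_db(), make_db()
    log_visit_vulnerable(bad, FORGED_UA, "203.0.113.7")
    log_visit_parameterized(good, FORGED_UA, "203.0.113.7")
    return rows(bad), rows(good)


if __name__ == "__main__":
    for label, result in zip(("vulnerable", "parameterized"), demo()):
        print(label, result)
```

In the parameterized case the forged header is still written to the table verbatim, so it remains untrusted data for anything that later reads or displays the log. In CFML the bound parameter corresponds to wrapping `cgi.http_user_agent` in `<cfqueryparam>` inside the `<cfquery>`.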

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354042