I think the script is a good first attempt and seems to address the URL
hack threads previously that have gone around.
so programmatically (SQL wise) what else might one post in the string to
pick up further data???... May the SQL gods speak...
My first level approach, having not experimented at all with this yet,
would be people stacking SQL commands...
Face it.. selecting the code won't display the result....
could someone commit a write to a known table.. for instance, writing a
user name, access level etc???
SQL isn't my thing, but I am always amazed at the power and
creativity.. I think if we all chip in with some specifics this program
could get furthered and cover perhaps other known hack arounds...
-paris
-----Original Message-----
From: Dave Watts <[EMAIL PROTECTED]>
Date: Mon, 09 Jul 2001 16:55:54 -0400
Subject: RE: URL Hacks - Solution
> > I've been reading this thread since the beginning and came up
> > with a pretty comfortable solution. I call it cf_antihack. It's
> > a blanket script with a pretty quick run time. I haven't placed
> > it on the Developers Exchange yet, but I might.
> >
> > I am offering it to you guys first so I can get some input on it.
> >
> > You can get the code at my site at
> > http://www.rubak.com/cf-codes.cfm
> >
> > Don't forget to give me some feedback. If people like this
> > solution, I plan to increase its reach to cover other security
> > issues.
> >
> > Disclaimer: I am by no means a security expert. I just came
> > up with (what I think is) a good idea.
>
> I'm not a security expert either, but you did ask for feedback, so
> here goes.
>
> The problem with your tag is that it only defends against a very
> small set of specific malicious attacks. However, in reality an
> attacker is usually not interested in purely destructive attacks
> (DROP TABLE, etc) but rather wants to get access to things that he
> shouldn't be able to access. For example, the attacker might want to
> obtain credit card numbers, or might want to install a rootkit on
> your server, or might simply want a location to stash files. Those
> sorts of attacks through strings sent to the database are still
> possible with your tag.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
>
>
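Dave's point above, illustrated with an added example that is not part of this thread and not the cf_antihack tag itself: a keyword blocklist in the spirit of the tag, placed beside a parameter-bound query, which is what actually stops user input from being read as SQL (in ColdFusion the equivalent is wrapping each value in cfqueryparam). The table, its rows and the blocklist are constructed for the demonstration, and Python with SQLite stands in for ColdFusion and the real database.

```python
import re
import sqlite3


def make_db():
    """Constructed sample table for the demonstration; not from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, access_level TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "user"), (2, "O'Brien", "user"), (3, "root", "admin")],
    )
    conn.commit()
    return conn


# A hypothetical blocklist in the style of an "anti-hack" tag: it rejects a
# handful of destructive keywords and nothing else.
BLOCKED = re.compile(r"\b(drop|delete|insert|update|alter|create|exec|xp_)\w*", re.I)


def keyword_filter_passes(value):
    """True when the blocklist finds none of its keywords in the input."""
    return BLOCKED.search(value) is None


def lookup_concatenated(conn, name):
    """The pattern the tag tries to protect: input pasted straight into SQL."""
    if not keyword_filter_passes(name):
        raise ValueError("blocked by keyword filter")
    sql = "SELECT id, name, access_level FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The fix: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT id, name, access_level FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups on an ordinary name containing a quote."""
    conn = make_db()
    results = {}
    # The blocklist sees nothing wrong with a single quote...
    results["filter_allows_quote"] = keyword_filter_passes("O'Brien")
    # ...the bound parameter treats it as data and finds the row...
    results["param_handles_quote"] = lookup_parameterized(conn, "O'Brien")
    # ...but in the concatenated query the quote has already become part of
    # the SQL text, so the database parses it as code and fails.
    try:
        lookup_concatenated(conn, "O'Brien")
        results["concat_handles_quote"] = True
    except sqlite3.OperationalError:
        results["concat_handles_quote"] = False
    # The blocklist does catch the one case it was written for.
    results["filter_blocks_drop"] = not keyword_filter_passes("x; DROP TABLE users")
    # And it rejects harmless words that happen to start with a keyword.
    results["filter_false_positive"] = not keyword_filter_passes("Alteration")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The syntax error on a plain apostrophe is the whole story: once the string is glued into the query text, the database reads it as SQL, and a keyword list only decides which fragments of SQL it reads. Binding the value as a parameter removes that path entirely, which is why the fix belongs in every query rather than in a filter run before them.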
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists