I added the following things to your script to check for:
exec%xp_cmdshell
exec+xp_cmdshell
exec xp_cmdshell
<script>
VB scripts are another area to look into.
At 10:08 PM 7/10/2001 +0000, you wrote:
> >From: "Paris Lundis" <[EMAIL PROTECTED]>
> >Subject: RE: URL Hacks - Solution
> >I think the script is a good first attempt and seems to address the URL
> >hack threads previously that have gone around.
>
>Thank you. My feelings exactly. As usual, Dave Watts was right when he said
>this script doesn't cover enough attacks. However, it was intended to cover
>the attack that started this thread. I'll be happy to expand its abilities
>if I can get some help.
>
> >so programmatically (SQL wise) what else might one post in the string to
> >pickup further data???... May the SQL gods speak...
>
>The fun part about dealing with hack attacks on a public forum like this is
>that no one wants to dish any details, which is a good thing, but it does
>make projects like this difficult.
>
> >I think if we all chip in with some specifics this program
> >could get furthered and cover perhaps other known hack arounds...
>
>If anyone has any other info on database hacks that they'd like to help
>defend against, please contact me off list. The more I know about, the
>better this script can be.
>
>If you have just general comments, please post them here of course. Maybe
>your thought will get someone thinking.
>
>Thanks again, Paris for the good words and push to continue.
>
> >From: "Bruce, Rodney" <[EMAIL PROTECTED]>
> >Subject: RE: URL Hacks - Solution
> >URL hacks I think are easier to handle than form.Variables.
>
>As far as I'm concerned, variables are variables. These attacks require
>certain language context no matter if they come from urls, forms, etc., so
>filtering out the key phrase(s) the right way *should* repel them.
>
> >But I like the
> >idea of adding the notification by email when an attempted hack is tried
> >and
> >then kicking them off site.
>
>Thanks, Bruce. That's the real meat of my security concepts. If anything
>unwanted is going on, I want to know about it and get rid of them. I never
>understood why we throw a friendly error message to someone attacking our
>system.
>
>But that's just me.
>
>
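Added example, not the script discussed in the thread and not code posted by anyone in it: a small Python filter that treats URL and form variables the same way, percent-decodes each value until it is stable (so `+`, `%20` and double-encoded `%2520` all collapse to a space), and then matches the xp_cmdshell and `<script>` patterns listed at the top of this message. The signature is generalised a little beyond the three literal spellings: any run of non-word characters between `exec` and `xp_cmdshell` (space, `%`, `+`, a `/**/` comment) is accepted, and matching is case-insensitive. The function names, signature names and sample requests are my own constructions.

```python
import re
from urllib.parse import unquote_plus

# Signatures derived from the three spellings listed above plus the <script> tag.
# \W+ accepts a space, '%', '+', '/**/' or any other non-word run between the
# two tokens; IGNORECASE catches EXEC / Exec.  The names are assumptions.
SIGNATURES = {
    "xp_cmdshell": re.compile(r"\bexec(?:ute)?\W+xp_cmdshell\b", re.IGNORECASE),
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
}


def normalise(value, max_rounds=3):
    """Percent-decode (and '+' -> space) until the value stops changing.

    One pass turns 'exec%2520xp_cmdshell' into 'exec%20xp_cmdshell'; the next
    turns it into 'exec xp_cmdshell'.  A bounded loop keeps a hostile value
    from making us loop forever.
    """
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_query(query_string):
    """Split a raw query string into (name, raw_value) pairs without decoding
    the value yet; normalise() does that so form fields and URL fields take
    the same path.  Splits on '&' only."""
    pairs = []
    for field in query_string.split("&"):
        if not field:
            continue
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name), value))
    return pairs


def scan_params(params):
    """params: iterable of (name, value), from a URL or a form.
    Returns a list of (param_name, signature_name) for every match."""
    hits = []
    for name, value in params:
        norm = normalise(value)
        for sig_name, rx in SIGNATURES.items():
            if rx.search(norm):
                hits.append((name, sig_name))
    return hits


def scan_query_string(query_string):
    return scan_params(parse_query(query_string))


# Constructed sample requests (not real traffic) covering the spellings above,
# a commented variant, a double-encoded variant and a benign near miss.
SAMPLE_REQUESTS = [
    "id=7",                                    # benign
    "id=7;exec+xp_cmdshell+'dir'",             # '+' for space
    "id=7;exec%20xp_cmdshell%20'dir'",         # %20 for space
    "id=7;exec xp_cmdshell 'dir'",             # literal space
    "id=7;exec%xp_cmdshell",                   # the literal form listed above
    "id=7;EXEC/**/xp_cmdshell/**/'dir'",       # comment instead of space, upper case
    "id=7;exec%2520xp_cmdshell",               # double encoded
    "name=%3Cscript%3Ealert(1)%3C/script%3E",  # encoded <script>
    "q=executive+xp_cmdshell+manual",          # near miss: no separator after 'exec'
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r:45} -> {scan_query_string(req)}")
```

A non-empty result from `scan_params` is the point at which the notify-and-disconnect step Bruce mentioned would hang off. The decode-until-stable loop is what makes the three spellings at the top of this message (and their upper-case or double-encoded cousins) land on one regex instead of three; a list of literal strings has to be extended every time someone finds a new way to write a space. Keep in mind that this is a detection layer for the known phrases, not a fix for the underlying query; the query itself still needs its variables passed as parameters (cfqueryparam in ColdFusion) so that nothing in a variable is ever executed as SQL.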
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists