If you're interested in more detailed information, you might want to
check out the following KB article, which goes into a pretty fair bit
of detail, specifically related to Oracle:
http://www.allaire.com/handlers/index.cfm?ID=17324&Method=Full
John
-----Original Message-----
From: Paris Lundis [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 13, 2001 11:05 PM
To: CF-Talk
Subject: Re: Hacking CF Web Sites and Applications
Interested in hearing more about the cfqueryparam tag... 4.5 version
addition I suspect?
Syntax and use in the Mastering ColdFusion 4.5 book leave a lot to be
desired...
Anyone using it and what for...???
-paris
[finding the future in the past, passing the future in the present]
[connecting people, places and things]
-----Original Message-----
From: Jochem van Dieten <[EMAIL PROTECTED]>
Date: Mon, 13 Aug 2001 22:29:13 +0200
Subject: Re: Hacking CF Web Sites and Applications
> Josh R wrote:
> > This may be simple minded, but you don't need to know every word they
> > use. A filter that elaborate would make a site practically useless.
> > However, most (actually all) hacks must contain a specific syntax to
> > initiate the security hole. For example, the URL attacks on you followed
> > a "...90;%20DROP%20TABLE%20IMAGES..." syntax. My script just looks for a
> > hardly-used-always-the-same portion of that needed syntax such as
> > ";%20DROP%20TABLE%20" to trigger the lockout.
> >
> > I've had some pretty good responses to my little script. It doesn't
> > cover every known hack, but then what does? It's better than just
> > complaining about the problem.
> >
> > BTW, I'm on the lookout for more "hack syntax" that I can incorporate
> > into the script. I've added all the ones I know of. If you know of
> > specific coding that is incorporated through a CFM page, please email me
> > OFF LIST so I can see about increasing the power of my cf_antihack
> > script.
>
> Why a filter looking for words in a URL?
>
> AFAIK the issue is that code (like DROP, INSERT, DELETE, UPDATE, ALTER
> and possibly functions/vbscript etc.) is executed in the database. What
> code can be executed? Wouldn't that be code that is not escaped? So that
> means that everything between proper quotes is safe by definition. What
> is left is dates, numbers etc. Well, simply use cfqueryparam for them
> and you are done.
>
> Or am I misunderstanding something here?
>
> Jochem
>
> PS Some suggestions for Josh:
> - check formfields too
> - URLDECODE everything so you can use regex pattern matching (instead
>   of ";%20DROP%20TABLE%20" match
>   "[[:space:]]*;[[:space:]]*drop[[:space:]]*table[[:space:]]*" so I
>   can't simply replace a space with a tab and bypass your filter)
> - check for all the abovementioned statements
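The two approaches argued over in this thread, the URL-signature filter and the bound parameter, side by side as an added example that is not from any of the posters. Python's sqlite3 stands in for the ColdFusion datasource, an int() conversion before binding stands in for cfqueryparam's cfsqltype check, and the three query-string values (a clean id, the ";%20DROP%20TABLE%20" payload quoted above, and the same payload with %09 tabs in place of %20 spaces) are constructed here. The regex generalises Jochem's single DROP TABLE pattern to all the statements he lists.

```python
"""Filter-the-URL versus parameterise-the-query (added example, not from the
CF-Talk thread). sqlite3 stands in for cfquery; the inputs are constructed."""
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed inputs, in the shape quoted in the thread.
GOOD = "90"                                   # a legitimate image id
ATTACK_SPACES = "90;%20DROP%20TABLE%20IMAGES"  # the quoted payload
ATTACK_TABS = "90;%09DROP%09TABLE%09IMAGES"    # %09 (tab) instead of %20

# The fixed encoded substring the thread's filter script keys on.
NAIVE_SIGNATURE = ";%20DROP%20TABLE%20"


def naive_filter(raw):
    """Substring check on the still-encoded URL value."""
    return NAIVE_SIGNATURE in raw


# Statements listed in the thread as worth matching.
STATEMENTS = ("drop", "insert", "delete", "update", "alter")
# Decode first, then allow any run of whitespace (space, tab, newline)
# between the separator and the keyword, case-insensitively.
INJECTION_RE = re.compile(r";\s*(" + "|".join(STATEMENTS) + r")\b",
                          re.IGNORECASE)


def decoded_filter(raw):
    """URL-decode, then regex-match, so a tab for a space is still caught."""
    return INJECTION_RE.search(unquote_plus(raw)) is not None


def make_db():
    """Fresh in-memory database with one row in an 'images' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE images (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO images VALUES (90, 'logo.gif')")
    return conn


def table_exists(conn, name="images"):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
        (name,)).fetchone()
    return row is not None


def lookup_concatenated(conn, raw):
    """The vulnerable pattern: an unquoted numeric value pasted into SQL.
    executescript() runs every statement it is handed, as the drivers the
    thread worries about do; sqlite3.execute() would refuse the second one."""
    sql = "SELECT name FROM images WHERE id = " + unquote_plus(raw)
    conn.executescript(sql)


def lookup_parameterised(conn, raw):
    """The cfqueryparam equivalent: check the type, then bind the value.
    The value never becomes SQL text, so no URL filter is needed."""
    image_id = int(unquote_plus(raw))  # ValueError for "90; DROP TABLE ..."
    row = conn.execute("SELECT name FROM images WHERE id = ?",
                       (image_id,)).fetchone()
    return row[0] if row else None


def demo():
    """Run each input through both filters and both query styles."""
    results = {}
    for label, raw in (("good", GOOD), ("spaces", ATTACK_SPACES),
                       ("tabs", ATTACK_TABS)):
        conn = make_db()
        lookup_concatenated(conn, raw)
        survives_concat = table_exists(conn)

        conn = make_db()
        try:
            param_result = lookup_parameterised(conn, raw)
        except ValueError:
            param_result = "rejected"
        results[label] = {
            "naive_filter": naive_filter(raw),
            "decoded_filter": decoded_filter(raw),
            "table_survives_concat": survives_concat,
            "table_survives_param": table_exists(conn),
            "param_result": param_result,
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

Running it shows the point of the thread: the tab variant walks past the substring filter but not the decoded regex, while the concatenated query loses the table on both payloads and the parameterised one rejects them before any SQL runs.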
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists