Awesome reference John.. thanks so much... Off to test it a bit tonight
with our system... Yeah even on the Access databases for fun :)
-paris
[finding the future in the past, passing the future in the present]
[connecting people, places and things]
-----Original Message-----
From: "John Cummings" <[EMAIL PROTECTED]>
Date: Mon, 13 Aug 2001 23:21:26 -0400
Subject: RE: Hacking CF Web Sites and Applications
> If you're interested in more detailed information, you might want to
> check out the following KB article - which goes into a pretty fair bit
> of detail - specifically related to Oracle
>
> http://www.allaire.com/handlers/index.cfm?ID=17324&Method=Full
>
> John
>
> -----Original Message-----
> From: Paris Lundis [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 13, 2001 11:05 PM
> To: CF-Talk
> Subject: Re: Hacking CF Web Sites and Applications
>
>
> Interested in hearing more about the cfqueryparam tag... 4.5 version
> addition I suspect?
>
> Syntax and use in Mastering ColdFusion 4.5 book leave a lot to be
> desired...
>
> Anyone using it and what for...???
>
>
> -paris
> [finding the future in the past, passing the future in the present]
> [connecting people, places and things]
>
>
> -----Original Message-----
> From: Jochem van Dieten <[EMAIL PROTECTED]>
> Date: Mon, 13 Aug 2001 22:29:13 +0200
> Subject: Re: Hacking CF Web Sites and Applications
>
> > Josh R wrote:
> > > This may be simple minded, but you don't need to know every word
> > > they use. A filter that elaborate would make a site practically
> > > useless. However, most (actually all) hacks must contain a specific
> > > syntax to initiate the security hole. For example, the URL attacks
> > > on you followed a "...90;%20DROP%20TABLE%20IMAGES..." syntax. My
> > > script just looks for a hardly-used-always-the-same portion of that
> > > needed syntax such as ";%20DROP%20TABLE%20" to trigger the lockout.
> > >
> > > I've had some pretty good responses to my little script. It doesn't
> > > cover every known hack, but then what does? It's better than just
> > > complaining about the problem.
> > >
> > > BTW, I'm on the lookout for more "hack syntax" that I can
> > > incorporate into the script. I've added all the ones I know of. If
> > > you know of specific coding that is incorporated through a CFM page,
> > > please email me OFF LIST so I can see about increasing the power of
> > > my cf_antihack script.
> >
> > Why a filter looking for words in a URL?
> >
> > AFAIK the issue is that code (like DROP, INSERT, DELETE, UPDATE, ALTER
> > and possibly functions/vbscript etc.) is executed in the database.
> > What code can be executed? Wouldn't that be code that is not escaped?
> > So that means that everything between proper quotes is safe by
> > definition. What is left is dates, numbers etc. Well, simply use
> > cfqueryparam for them and you are done.
> >
> > Or am I misunderstanding something here?
> >
> > Jochem
> >
> > PS Some suggestions for Josh:
> > - check formfields too
> > - URLDECODE everything so you can use regex pattern matching (instead
> >   of ";%20DROP%20TABLE%20" match
> >   "[[:space:]]*;[[:space:]]*drop[[:space:]]*table[[:space:]]*" so I
> >   can't simply replace a space with a tab and bypass your filter)
> > - check for all the abovementioned statements
> >
> >
>
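The following CFML fragment is an added example, not code from any poster in this thread or from Allaire. It puts Jochem's two points side by side: first the query shape that lets a URL value such as "90;DROP TABLE IMAGES" run as a second statement, then the same query with cfqueryparam, which binds the value as a typed parameter so the database never reads it as SQL. The second part is the defence-in-depth logging check from Jochem's PS: URLDecode the input first and match with a whitespace class, so a tab or newline in place of the %20 is caught too. The datasource name "myDSN", the table and column names, and the log file name are assumptions made for the example.

```cfml
<!--- Constructed example: a URL parameter as it would arrive from a
      request like image.cfm?ID=90 (not from the original thread) --->
<cfparam name="URL.ID" default="0">

<!--- VULNERABLE: the URL value is pasted straight into the SQL text.
      A value of "90;DROP TABLE IMAGES" becomes a second statement. --->
<cfquery name="getImage" datasource="myDSN">
    SELECT  ImageID, FileName
    FROM    Images
    WHERE   ImageID = #URL.ID#
</cfquery>

<!--- HARDENED: cfqueryparam binds the value as a typed parameter.
      A non-numeric ID is rejected by ColdFusion before the query runs,
      and whatever the value is, it is data, never SQL. --->
<cfquery name="getImage" datasource="myDSN">
    SELECT  ImageID, FileName
    FROM    Images
    WHERE   ImageID = <cfqueryparam value="#URL.ID#" cfsqltype="CF_SQL_INTEGER">
</cfquery>

<!--- Strings get the same treatment (this is what "everything between
      proper quotes" becomes); maxlength also caps the input size. --->
<cfquery name="findImage" datasource="myDSN">
    SELECT  ImageID, FileName
    FROM    Images
    WHERE   FileName = <cfqueryparam value="#Form.FileName#"
                                     cfsqltype="CF_SQL_VARCHAR"
                                     maxlength="255">
</cfquery>

<!--- Defence in depth, following the PS: decode first, then match on a
      whitespace class rather than a literal "%20". Form fields are
      checked as well as the query string. This logs and does not replace
      cfqueryparam; the parameter binding above is the actual fix. --->
<cfset rawInput = URLDecode(CGI.QUERY_STRING)>
<cfif IsDefined("Form.FieldNames")>
    <cfloop list="#Form.FieldNames#" index="fld">
        <cfset rawInput = rawInput & " " & URLDecode(Form[fld])>
    </cfloop>
</cfif>

<!--- Same pattern Jochem gave, widened to the statements he listed.
      [[:space:]] covers space, tab, CR and LF, so %09 is not a bypass. --->
<cfset sqlPattern = "[[:space:]]*;[[:space:]]*(drop|delete|insert|update|alter)[[:space:]]+">

<cfif REFindNoCase(sqlPattern, rawInput)>
    <!--- Assumed log file name; cflog writes to the ColdFusion log directory --->
    <cflog file="sqlfilter"
           type="warning"
           text="Suspicious SQL fragment from #CGI.REMOTE_ADDR# on #CGI.SCRIPT_NAME#: #rawInput#">
</cfif>
```

Reading the two queries together makes Jochem's argument concrete: the filter only ever sees the strings an attacker chose to send, while cfqueryparam removes the interpretation step that makes those strings dangerous in the first place, so the regex is worth keeping only as a signal for the logs.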
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists