Don't forget the SQL attacks - similar to the type of attack we've been
discussing, but not addressed thus far.
Something like this:
<cfquery name="myQuery" datasource="MyDSN">
Select *
From MyTable
Where SomeField = #Form.SomeField#
</cfquery>
Now if Form.SomeField were "b'; use dbname; drop table tablename; --'"
then the original query would get executed with 'b' as the filter, but then
standard SQL commands are issued. The "--'" ensures that anything following
this point is treated as a comment. Try it out on one of YOUR sites -
except maybe replace the drop table statement with a select or something...
Protect against this by using stored procedures where possible and/or doing
some sort of filter. The preservesinglequotes might help with this too, not
sure.
No, I'm not revealing anything new here - I learned the details of this at
the MS PDC conference in LA, and know I've seen reference to the issue on
the list a few times.
Here's hoping that mentioning it here helps improve some sites.
Shawn Grover
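As an added example (not part of Shawn's message, and not taken from any ColdFusion documentation), here is the query from the message above beside a version that binds the form value with cfqueryparam; the table, column and datasource names are reused from the message, and the ID column in the last query is an assumption:

```cfml
<!--- Added example, not from the original post. MyTable, SomeField and MyDSN
      are the names used in the message above; the ID column is assumed. --->

<!--- VULNERABLE: the form value is pasted into the SQL text, so a quote or
      semicolon in Form.SomeField becomes part of the statement itself. --->
<cfquery name="vulnerableQuery" datasource="MyDSN">
    SELECT *
    FROM   MyTable
    WHERE  SomeField = '#Form.SomeField#'
</cfquery>

<!--- HARDENED: cfqueryparam sends the value as a bound parameter. The database
      receives the statement and the value separately, so whatever the user
      typed is compared against SomeField as a plain string and is never
      parsed as SQL. maxlength rejects oversized input before it is sent. --->
<cfquery name="safeQuery" datasource="MyDSN">
    SELECT *
    FROM   MyTable
    WHERE  SomeField = <cfqueryparam value="#Form.SomeField#"
                                     cfsqltype="cf_sql_varchar"
                                     maxlength="50">
</cfquery>

<!--- For numeric columns the type check does the filtering for you:
      cf_sql_integer raises an error if Form.ID is not a valid integer,
      so the request fails before any SQL reaches the database. --->
<cfquery name="byId" datasource="MyDSN">
    SELECT *
    FROM   MyTable
    WHERE  ID = <cfqueryparam value="#Form.ID#" cfsqltype="cf_sql_integer">
</cfquery>
```

The same binding is available for stored procedures through cfstoredproc with cfprocparam, which covers the "use stored procedures" advice above without building the call string by hand.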
-----Original Message-----
This is bad for multiple reasons. I don't deny that many people do it,
but as a reminder, it's much easier, and quicker, to do:
<cfset temp = form[field]>
Furthermore, this is only an issue if you pass a _function_ as you
describe below.
> In testing somebody's site I have used this to slow his site
> to a crawl
> by making a custom form with code like:
> <form action="">
> <input type="text" name="CFUSION_DBCONNECTIONS_FLUSH()">
> </form>
Interesting. Good point. This is one more reason why we need to preach
to people to NOT use evaluate to get form fields. I need to go on a
crusade or something. ;)
=======================================================================
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia
Email : [EMAIL PROTECTED]
Yahoo IM : morpheus
"My ally is the Force, and a powerful ally it is." - Yoda
______________________________________________________________________
This list and all House of Fusion resources hosted by CFHosting.com. The place for
dependable ColdFusion Hosting.