Like say the very last part of a SQL statement of yours is a CF variable.
SELECT someID
FROM someTable
WHERE someID = #someVariable#
I am Joe Random Hacker. I pick up on a few URL parameters and know how stuff works.
So I go to
www.somesite.com?fuseaction=SomeQuery&someVariable=DELETE%20FROM%20someTable
This is of course after I have pillaged your data structure since I know you use SQL 7.0 (doing this by possibly doing queries to your sys objects in SQL 7.0).
Yes, I know it all sounds a little unbelievable, but it's not nearly as hard as it sounds. Oh, and if you just happen to have an exploit that you forgot to patch that gives someone access to your CF code, you can kiss your site and your IP history.
(This is purely hypothetical, but it is a very real situation where a persistent "hacker" is going to be able to learn these things.)
Jeremy Allen
[EMAIL PROTECTED]
-----Original Message-----
From: Bert Dawson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 19, 2000 12:25 PM
To: Fusebox
Subject: RE: Shell out some $ and start using STOMP, okay? (malicious SQL)
what do you mean by "malicious" SQL?
How would this work?
Bert Dawson
> -----Original Message-----
> From: McCollough, Alan [mailto:[EMAIL PROTECTED]]
> Sent: 19 October 2000 15:59
> To: Fusebox
> Subject: Shell out some $ and start using STOMP, okay?
>
<snip>
>
> The tool does a good job of looking at queries and pointing
> out stuff like
> changing any cf vars in a UPDATE/INSERT/DELETE query to
> #VAL(foo)# so that
> any malicious SQL gets translated into a 0. Never paid a ton
> of attention to
> that one either.
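The two defences discussed in this thread, as an added example that is not code from any of the posters: a Python model of the #someVariable# query above, the #VAL(foo)# coercion Alan describes, and a bound parameter as the alternative. someTable, someID and the sample rows are constructed stand-ins, and cf_val is a simplified approximation of ColdFusion's Val().

```python
import re
import sqlite3

# Constructed stand-in for the thread's someTable; not real data.
SAMPLE_IDS = [(1,), (2,), (3,)]
PAYLOAD = "DELETE FROM someTable"  # the URL value from the thread, URL-decoded


def make_db():
    """In-memory SQLite database with the thread's someTable/someID."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE someTable (someID INTEGER)")
    conn.executemany("INSERT INTO someTable VALUES (?)", SAMPLE_IDS)
    return conn


def cf_val(text):
    """Simplified model of ColdFusion Val(): leading integer prefix, else 0."""
    m = re.match(r"\s*[-+]?\d+", str(text))
    return int(m.group(0)) if m else 0


def unsafe_sql(some_variable):
    """Mirrors #someVariable# pasted straight into the statement."""
    return f"SELECT someID FROM someTable WHERE someID = {some_variable}"


def val_sql(some_variable):
    """Mirrors #VAL(someVariable)#: whatever arrives becomes a number first."""
    return f"SELECT someID FROM someTable WHERE someID = {cf_val(some_variable)}"


def fetch_ids(conn, sql):
    """Run a fully built statement; returns the matching someID values."""
    return [row[0] for row in conn.execute(sql).fetchall()]


def fetch_ids_bound(conn, some_variable):
    """Parameter binding: the driver never parses the value as SQL."""
    cur = conn.execute("SELECT someID FROM someTable WHERE someID = ?", (some_variable,))
    return [row[0] for row in cur.fetchall()]


def row_count(conn):
    """Number of rows left in someTable, to confirm nothing was dropped."""
    return conn.execute("SELECT COUNT(*) FROM someTable").fetchone()[0]


if __name__ == "__main__":
    conn = make_db()
    print(unsafe_sql(PAYLOAD))  # attacker text is now part of the statement
    print(val_sql(PAYLOAD))     # ... WHERE someID = 0
    print(fetch_ids(conn, val_sql("2")), fetch_ids_bound(conn, PAYLOAD), row_count(conn))
```

Val() only helps where the column really is numeric; for string columns the bound-parameter form (cfqueryparam in ColdFusion) is the approach that generalizes.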
------------------------------------------------------------------------------
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/fusebox or
send a message to [EMAIL PROTECTED] with 'unsubscribe' in
the body.