You'd have to get the quotes closed for it to see the semi-colon and
additional commands, and I don't think CF will let you do that, from what I
can tell...unless you are using the PreserveSingleQuotes function on the
parameter..that would allow it to work.

We probably should not trust CF to do this for us tho..I need to look back
at some of the suggestions.

But..if this is the case, then the real worry for a beginning programmer is
just the numeric parameters...you can check em with "IsNumeric" before using
them in a query..

-----Original Message-----
From: Knipp, Eric [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 06, 2005 4:46 PM
To: Dallas/Fort Worth ColdFusion User Group Mailing List
Subject: RE: [DFW CFUG] cfm hacks


If an attacker adds a semicolon to the query string, additional commands
could be executed .. wouldn't this be a problem?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Lewis, David
Sent: Tuesday, December 06, 2005 2:35 PM
To: 'Dallas/Fort Worth ColdFusion User Group Mailing List'
Subject: RE: [DFW CFUG] cfm hacks

Can anyone show that this example is still vulnerable in current CF
versions?  I'm seeing that CF escapes the quote mark and your parm string
stays intact..ie..

SELECT *
FROM users
WHERE username = 'whatever'
AND password = '1'' OR 1 = 1'

-----Original Message-----
From: Dave Shuck [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 06, 2005 3:45 PM
To: Dallas/Fort Worth ColdFusion User Group Mailing List
Subject: Re: [DFW CFUG] cfm hacks

<snip>

Or say you have a login on a site and your SQL is:

SELECT * (yeah I know * is bad)
FROM users
WHERE username = '#form.username#'
AND password = '#form.password#'

What if the person puts the following in the password input field?  value:
1' OR 1 = 1

Effectively they have just said
SELECT *
FROM users
WHERE username = 'whatever'
AND password = '1' OR 1 = 1

And they are now logged in as the first user.    Those are a couple of simple
methods.

~Dave

_______________________________________________
List mailing list
Reply to DFWCFUG: 
[email protected]
Subscribe/Unsubscribe: 
http://lists1.safesecureweb.com/mailman/listinfo/list
List Archive: 
http://lists1.safesecureweb.com/mailman/private/list
DFWCFUG Sponsors: www.HostMySite.com www.teksystems.com/