>This has *not* been heavily tested as of yet, so use at your own risk!
There was a little mistake in the scanner I posted earlier that could cause it
to hang, if anyone downloaded it before, please grab the updated copy.
In just some basic iteration checking, the new version does appear to be
Version 2 of the scanner I did is now available here:
http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=18
This has *not* been heavily tested as of yet, so use at your own risk!
--- Mary Jo
>The code on my blog is a working example, but it's not
>"drop in" ready - you would still need to check the form and cookie scope
>for example... So either way you will need to do some tweaking to get it to
>work for your situation.
I'm going to post an updated version of my tool later today, just
-Mark
-Original Message-
From: Che Vilnonis [mailto:[EMAIL PROTECTED]
Sent: Monday, July 28, 2008 9:01 AM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
Thanks Mark. So, the function c
Gabriel... would you post the page in complete working order with your code
modifications? Thanks!
-Original Message-
From: Gabriel [mailto:[EMAIL PROTECTED]
Sent: Sunday, July 27, 2008 8:05 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
To anyone who happened to use the regex I posted earlier, I have an updated
method to be used in its place, effective immediately.
// Short list of db objects to protect
DBObj.short = 'database|function|procedure
>This will fix a problem in which a long string containing too many back
>references for non-word chars can cause a stack overflow. As much as I love
>CF, I find the native regex implementation sadly lacking.
Thanks for the update... I'm not sure if any of my customers are using a host
that disab
hat I get being
drawn into posting code I hadn't had a chance to fully test. If anyone has
problems with, or enhancements to the above, please let me know.
Also, thank you to Mary Jo for adding me to the credits. My surname is Read
FYI in case you still desire to include me.
Regards,
Gabriel
Tell me about it. I told one of my customers with an e-commerce store to back up
the DB often (if u do some edits to the DB make a backup!!!) and told him to buy a
hard drive or a RAID 1 or RAID 5 solution to back up the DB and website; he
said no no no, expensive. 6 days ago he got hit cause who made this site
never us
>Ok gonna check that out thanks.
I just uploaded a new version that includes the cookie scope, and commonly used
CGI vars as well.
While this has been a headache to deal with, at least it might convince more of
my customers to get around to updating their sites. ;-) It often doesn't matter
ho
Ok gonna check that out thanks.
On Fri, Jul 25, 2008 at 3:40 PM, Mary Jo Sminkey <[EMAIL PROTECTED]>
wrote:
> >What do you think about this solution for sites with 5000 files:
>
> This looks similar to the solution I am providing to my customers (I have a
> lot that run old releases that are not
>What do you think about this solution for sites with 5000 files:
This looks similar to the solution I am providing to my customers (I have a lot
that run old releases that are not as well protected as my current one and have
little desire to either update their software *or* the code). I used t
I requested that code from them earlier, so in case I will receive it, gonna
send it to you.
Radek
On Fri, Jul 25, 2008 at 2:42 PM, Radek Valachovic <[EMAIL PROTECTED]>
wrote:
> That's what I thought same thing, temporary fix. Thanks for checking that
> out and posting scanners.
>
>
> On Fri, Ju
OK.. You are right.. drop my request..
but I would request 3 other enhancements to Dreamweaver to make these
changes easier:
1. Put the sql queryparam on the main CF toolbar..
2. When you right click the file name in the Files area you can
select PUT.. I would like to add that functionality t
That's what I thought same thing, temporary fix. Thanks for checking that
out and posting scanners.
On Fri, Jul 25, 2008 at 2:42 PM, Dave Watts <[EMAIL PROTECTED]> wrote:
> > What do you think about this solution for sites with 5000 files
>
> It may be satisfactory for a temporary fix, to give yo
> What do you think about this solution for sites with 5000 files
It may be satisfactory for a temporary fix, to give you enough time to fix
your 5000 files. It is almost certainly unsuitable as a permanent solution.
This part is fairly vague:
"Checks all FORM and URL input for SQL injection code"
Sent: Friday, July 25, 2008 1:33 PM
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
> RIAForge is back up ...
>
RIAForge is back up ...
-Original Message-
From: Radek Valachovic [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 2:20 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
I have it installed already, but other guys in forums asking for
t
/24/Announcing-the-first-ever-International-Operation-cfSQLprotect
From: "Radek Valachovic" <[EMAIL PROTECTED]>
To: "CF-Talk"
Sent: Friday, July 25, 2008 1:11 PM
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
> RiaForge.org doesnt work, tryied to get the cfqueryparam scanner:
>
> http://qpscan
rgy better
spent.
~Brad
- Original Message -
From: "Claude Schneegans" <[EMAIL PROTECTED]>
To: "CF-Talk"
Sent: Friday, July 25, 2008 12:46 PM
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
> >>I have to hand it to Claude - he d
RiaForge.org doesn't work, tried to get the cfqueryparam scanner:
http://qpscanner.riaforge.org/
anybody knows what happened?
Radek
On Fri, Jul 25, 2008 at 1:46 PM, Claude Schneegans <
[EMAIL PROTECTED]> wrote:
> >>I have to hand it to Claude - he definitely has confidence
>
> Well, unless O
>>I have to hand it to Claude - he definitely has confidence
Well, unless ODBC and JDBC have some function to enable/disable multiple
statements,
it would certainly be much trouble to implement this in CF.
I've checked rapidly in the ODBC docs, and I don't see any reference to
multiple statements.
An
>>That is more a function of the db.
Exactly, and I don't see how CF could prevent multiple execution.
It should compile the SQL code for that, and it does not.
Unless ODBC/JDBC drivers have a function to disable it.
I have to hand it to Claude - he definitely has confidence :)
-Original Message-
From: Claude Schneegans [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 12:15 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
>> how about ch
Is there a kind of way to stop the botnet from spamming websites? Hacker has
to stop it? Or right now, if it is automated, is there any way?
Radek
On Fri, Jul 25, 2008 at 12:56 PM, Dave Watts <[EMAIL PROTECTED]> wrote:
> > Seeing as how this type of sql injection attack is
> > succeeding so mu
>> how about changing cfquery so that by default, only ONE sql
>>statement can be sent. Let us override that with a parameter in
>>cfquery or a cfprocessing directive type of thing in our
application.cfm..
Pretty good idea.
>>I doubt many people use multiple sql statements in one cfquery,
-Original Message-
From: Matt Quackenbush [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 12:42 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
For
> Seeing as how this type of sql injection attack is
> succeeding so much (even my favorite fishing website has been
> down for days due to it (it is a .cfm site))...
> how about changing cfquery so that by default, only ONE sql
> statement can be sent. Let us override that with a paramete
+Infinity.
(I'd add some sort of really intelligent comment, but, well, Robert already
covered that part.)
On Fri, Jul 25, 2008 at 11:14 AM, Robert Harrison wrote:
> > how about changing cfquery so that by default...
>
> NO NO NO NO NO NO NO NO
>
> I've use nested SQL all the time, and
from this without going to the extreme that you suggest
>
> - Original Message -
> From: "Al Musella, DPM" <[EMAIL PROTECTED]>
> To: "CF-Talk"
> Sent: Friday, July 25, 2008 9:04 AM
> Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head.
you'd
still have to remember to switch it off.
-- Josh
- Original Message -
From: "Al Musella, DPM" <[EMAIL PROTECTED]>
To: "CF-Talk"
Sent: Friday, July 25, 2008 9:04 AM
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
>
Al Musella, DPM wrote:
> Seeing as how this type of sql injection attack is succeeding so
> much (even my favorite fishing website has been down for days due to
> it (it is a .cfm site))...
> how about changing cfquery so that by default, only ONE sql
> statement can be sent.
That is a *ve
From: Dave Francis [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 12:16 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To Ben
Forta
I find it useful on occasion with INSERT then SELECT @IDENTITY
-Original Message-
From: Al Musella, DPM [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 12:05 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head... To
Ben Forta
> how about changing cfquery so that by default...
NO NO NO NO NO NO NO NO
I've used nested SQL all the time, and I've got over 100 web sites up.
Validate and use REREPLACE and CFQUERYPARAM and you're fine.
Don't ever make a function change that kills existing code written
correctly.
R
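A minimal version of the cfqueryparam check that the scanners mentioned in this thread perform, added here as a Python example (it is not Mary Jo's scanner or the qpscanner tool, and the .cfm snippet it scans is constructed). It flags every #expr# interpolated into a cfquery body outside a cfqueryparam tag and notes whether the expression reads from a request scope (url, form, cookie, cgi), which is where the injected URL parameters in this thread come in.

```python
import re

# Constructed .cfm source for the demo (not from the thread). The first query
# interpolates url.id straight into the SQL text, the second binds it with
# cfqueryparam, the third interpolates a variable that is not request-sourced.
SAMPLE_CFM = """
<cfquery name="getProduct" datasource="shop">
    SELECT name, price FROM products WHERE id = #url.id#
</cfquery>
<cfquery name="getUser" datasource="shop">
    SELECT name FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
<cfquery name="getOrders" datasource="shop">
    SELECT id FROM orders WHERE customer_id = #session.customerID#
</cfquery>
"""

# Matches each cfquery block, capturing its name attribute and its body.
QUERY_RE = re.compile(r'<cfquery\b[^>]*\bname="([^"]*)"[^>]*>(.*?)</cfquery>',
                      re.IGNORECASE | re.DOTALL)
# Any cfqueryparam tag; its value="#...#" is a bound parameter, not a finding.
PARAM_RE = re.compile(r'<cfqueryparam\b[^>]*>', re.IGNORECASE)
# A #expression# interpolation into the SQL text.
INTERP_RE = re.compile(r'#([^#\n]+)#')

# Scopes populated directly from the HTTP request.
REQUEST_SCOPES = ("url.", "form.", "cookie.", "cgi.")

def find_unparameterized(cfm_source):
    """Return one (query name, expression, request_sourced) tuple for every
    #expr# that appears in a cfquery body outside any cfqueryparam tag."""
    findings = []
    for name, body in QUERY_RE.findall(cfm_source):
        body = PARAM_RE.sub(" ", body)      # blank out bound parameters
        body = body.replace("##", "")       # drop CFML's escaped pound signs
        for expr in INTERP_RE.findall(body):
            expr = expr.strip()
            request_sourced = expr.lower().startswith(REQUEST_SCOPES)
            findings.append((name, expr, request_sourced))
    return findings

if __name__ == "__main__":
    for name, expr, from_request in find_unparameterized(SAMPLE_CFM):
        level = "HIGH" if from_request else "review"
        print(f"{level}: query '{name}' interpolates #{expr}# without cfqueryparam")
```

Run it over a directory of .cfm files by reading each one into find_unparameterized; anything flagged HIGH is the kind of query the URL-based attacks in this thread reach.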
Ben,
Seeing as how this type of sql injection attack is succeeding so
much (even my favorite fishing website has been down for days due to
it (it is a .cfm site))...
how about changing cfquery so that by default, only ONE sql
statement can be sent. Let us override that with a parameter in