Re: SQL injection attack on House of Fusion

2008-08-26 Thread Peter Tilbrook
Just got nailed myself - dammit - 15 years of knowledge.

Have code reviewed and wasn't my CFML (at this stage) so maybe a new IIS 
vulnerability? My attack occurred recently - possibly in the last 24 hours or 
so. Have disabled the database and CFABORTed any code that interacts with the 
database until I can solve the disastrous problem (apparently the attack came 
from China).

Sigh!




~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;203748912;27390454;j

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311556
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4


RE: SQL injection attack on House of Fusion

2008-08-26 Thread Dave Watts
> Have code reviewed and wasn't my CFML (at this stage) so
> maybe a new IIS vulnerability?

I seriously doubt this has anything to do with IIS, since IIS can't interact
directly with your database.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311562


Re: SQL injection attack on House of Fusion

2008-08-26 Thread Al Musella, DPM
Open the website log with Word and do a search for DECLARE; you will 
find a lot of entries.
   Look for a filename that is in a different directory than what you 
expected..   I think I got hit from a template that was in an old, 
unused directory from many years ago.  I recently went through the 
server and deleted all of my old unused directories..

Also look for any ASP pages that are being hit..


At 06:46 AM 8/26/2008, you wrote:

> Just got nailed myself - dammit - 15 years of knowledge.
>
> Have code reviewed and wasn't my CFML (at this stage) so maybe a new
> IIS vulnerability? My attack occurred recently - possibly in the last
> 24 hours or so. Have disabled the database and CFABORTed any code
> that interacts with the database until I can solve the disastrous
> problem (apparently the attack came from China).
>
> Sigh!



Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311574
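Al's suggestion of searching the web log for DECLARE and then looking at which templates the hits land on (old directories, ASP pages), as an added example that is not part of the thread: a Python scanner over a constructed IIS-style log excerpt. The log layout, the EXPECTED_DIRS set and the truncated DECLARE fragments in the sample are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed IIS-style (W3C extended) log excerpt, not a real server's log. The DECLARE
# fragments are truncated stand-ins so the scanner has something to match, not payloads.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2008-08-26 06:01:12 GET /index.cfm id=12 203.0.113.5 200
2008-08-26 06:01:13 GET /old/2003/news.cfm id=12;DECLARE%20@x%20int%3B-- 203.0.113.5 200
2008-08-26 06:01:14 GET /legacy/list.asp cat=3;DECLARE%20@x%20int%3B-- 203.0.113.5 200
2008-08-26 06:02:00 GET /products/view.cfm pid=7 198.51.100.9 200
2008-08-26 06:02:31 GET /index.cfm id=99;declare%20@y%20int 203.0.113.5 500
"""

# Directories you expect live templates to be served from (assumed for this example).
EXPECTED_DIRS = {"/", "/products/"}

DECLARE_RE = re.compile(r"\bdeclare\b", re.IGNORECASE)


def parse_line(line):
    """Split one W3C log line into its seven fields; None for comment or short lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, method, stem, query, ip, status = parts[:7]
    return {"date": date, "time": time, "method": method, "stem": stem,
            "query": unquote(query), "ip": ip, "status": status}


def scan_log(text):
    """Count DECLARE hits per requested path; return (hits, unexpected_paths, asp_pages, ips)."""
    hits = Counter()
    ips = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and DECLARE_RE.search(rec["query"]):
            hits[rec["stem"]] += 1
            ips[rec["stem"]].add(rec["ip"])

    def parent(path):
        return path.rsplit("/", 1)[0] + "/"

    # Templates hit from directories you did not expect to be serving anything.
    unexpected = sorted(p for p in hits if parent(p) not in EXPECTED_DIRS)
    # ASP pages being hit on what is supposed to be a ColdFusion site.
    asp_pages = sorted(p for p in hits if p.lower().endswith(".asp"))
    return hits, unexpected, asp_pages, dict(ips)


if __name__ == "__main__":
    hits, unexpected, asp_pages, ips = scan_log(SAMPLE_LOG)
    for path, n in hits.most_common():
        print(f"{n:4d}  {path}  from {sorted(ips[path])}")
    print("templates outside expected directories:", unexpected)
    print("ASP pages being hit:", asp_pages)
```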


Re: SQL injection attack on House of Fusion

2008-08-26 Thread denstar
On Tue, Aug 26, 2008 at 4:46 AM, Peter Tilbrook wrote:
> Just got nailed myself - dammit - 15 years of knowledge.

There are at least 2 tools available that will search through your
code looking for unparamed variables, and I think Larry posted a
simple regex that you could use from within Eclipse.  Those will help.

I actually got a little nutty and wrote my own tool, that does a bit
of database introspection, rewrites the query using the correct
cfsqldatatypes, and then tests the query.  Kinda cool, wasn't too
hard, conceptually-- you have the DSN right there.

It doesn't work with stored procedures (which shouldn't matter, 'cause
I think they are type-checked by the DB first anyways), although, I
was thinking (about something Jochem said about the difficulty of
introspecting stored procedures and whatnot, sorta) that since I think
the DB will give you the source for the procedure or function, you
could use /that/ to introspect them, and create ORM type deals.
Right?
You would have to code stuff for each DB (or at least the most popular
at first), which is a little sucky, but I think unavoidable.  There
are certainly similarities between DBs tho, which would make it a tad
easier.
Probably just pie-in-the-sky type thinking, ignoring some fundamental
problem, but it sounds kind of plausible.

Anyways, half-way through coding my thing, I was like, damn, this
would have been a perfect use for ANTLR!  There are even grammar files
for SQL, which would make parsing that easier.  Oh well.  Maybe the
next version.  LOL.  After I finish this one.

I'm still messing with the UI for it- uses dojo (of course) with a
nice split screen, the top half has a tree control for browsing the
files and folders with unparamed queries, and the bottom half actually
shows you the source that would change, assuming the query passes the
test.  Still need to add de-select, so you can ignore directories,
files, or individual queries, and then I'll probably post a link to
it.

I started getting a little excited while coding it, thinking about
the... what was it called?  Ah, yes- coding standards/review.  I
remember Will had posted a tool, and I had been toying with creating a
tool for managing the attributes (hint, access, etc..) of
functions/CFCs myself... wouldn't it be nice to have a tool that would
do everything (format code, check for unvared variables, maybe even
allow for drag-and-drop moving of functions/refactoring?  (Ok, that's
kinda extreme, but it was an exciting thought.)).  Maybe tie it into
the SVN stuff, even?  Heh.

I began thinking about getting all wiggy with it, because I wrote the
code in a pretty sloppy manner (switching between camelCase and all
lowercase, cutting/pasting functions and not changing the hint
attribute, etc.), and was like, hell, I could tweak this tool to
tweak itself.  And then every time I switched between styles, I was,
like, hey, I'm creating a test-case!  LOL.  Something like that.

It would be pretty easy, as it currently is,  to have the tool replace
queries like SELECT * FROM sometable with the actual column names,
for instance, or even do things like refactor queries, changing column
or table names... I grab the DSN metadata, and parse the SQL into
table names and column names, so it's all there.

I need a bunch more bad query test cases, for various DB dialects,
but I'm thinking I'll link up with the group I saw at some point
(maybe it was just a blog post, now that I think about it), that's
specifically targeting the prevention of injection attacks, and see if
we can't get a nice set of cross-database testcases to use for tools
like this.

So, in the end I hope to have a source-code maintenance type tool, as
I think it sounds kind of cool.  Over time, it looks like it would
become a freaking web-based IDE.  :-)p

Heh... I started thinking about how I could pull off some cool
DB/query stuff within CFEclipse again, while messing around with this
stuff.

But I digress...

LOL.

:)e|\|

-- 
Haste is of the Devil.
St. Jerome

Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311626
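As an added example (not denstar's tool, which was never posted to the list): a Python scanner over a constructed CFML snippet that finds cfquery blocks with raw #variable# operands and rewrites them with cfqueryparam, taking the cfsqltype from a stand-in for the DSN column metadata such a tool would introspect. The COLUMN_TYPES table, the sample CFML and the regexes are assumptions; it handles single-table queries with plain comparison operators only.

```python
import re

# Constructed CFML sample (not from the thread): one query already parameterized, two with raw #var# operands.
SAMPLE_CFML = """\
<cfquery name="getUser" datasource="app">
  SELECT id, name FROM users WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
<cfquery name="getArticle" datasource="app">
  SELECT * FROM articles WHERE slug = '#url.slug#' AND author_id = #session.userId#
</cfquery>
<cfquery name="delOld" datasource="app">
  DELETE FROM log WHERE created < #form.cutoff#
</cfquery>
"""

# Stand-in for the DSN metadata the tool would introspect: (table, column) -> cfsqltype. Constructed.
COLUMN_TYPES = {
    ("articles", "slug"): "cf_sql_varchar",
    ("articles", "author_id"): "cf_sql_integer",
    ("log", "created"): "cf_sql_timestamp",
}

QUERY_RE = re.compile(r"(<cfquery\b[^>]*>)(.*?)(</cfquery>)", re.IGNORECASE | re.DOTALL)
PARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.IGNORECASE)
# column <op> #var#, with or without surrounding single quotes; longer operators listed first
RAW_RE = re.compile(r"(\b\w+)\s*(<=|>=|<>|=|<|>|LIKE)\s*'?#([^#]+)#'?", re.IGNORECASE)


def table_of(sql):
    """First table named after FROM/UPDATE/INTO, lower-cased (enough for single-table queries)."""
    m = re.search(r"\b(?:FROM|UPDATE|INTO)\s+(\w+)", sql, re.IGNORECASE)
    return m.group(1).lower() if m else None


def find_unparamed(cfml):
    """Return (query name, table, column, variable) for every raw #var# used as a SQL operand."""
    found = []
    for open_tag, body, _ in QUERY_RE.findall(cfml):
        name_m = re.search(r'name="([^"]+)"', open_tag, re.IGNORECASE)
        qname = name_m.group(1) if name_m else "?"
        stripped = PARAM_RE.sub("", body)  # values already inside cfqueryparam are fine
        for col, _op, var in RAW_RE.findall(stripped):
            found.append((qname, table_of(body), col.lower(), var))
    return found


def rewrite(cfml):
    """Wrap each raw operand in <cfqueryparam> using the type looked up from COLUMN_TYPES."""
    def fix_query(m):
        open_tag, body, close_tag = m.groups()
        table = table_of(body)
        keep = []

        def stash(p):  # hide existing cfqueryparam tags so they are left untouched
            keep.append(p.group(0))
            return f"\x00{len(keep) - 1}\x00"

        def wrap(r):
            col, op, var = r.group(1), r.group(2), r.group(3)
            # Fall back to varchar when the metadata stand-in has no entry for the column.
            ctype = COLUMN_TYPES.get((table, col.lower()), "cf_sql_varchar")
            return f'{col} {op} <cfqueryparam value="#{var}#" cfsqltype="{ctype}">'

        body = PARAM_RE.sub(stash, body)
        body = RAW_RE.sub(wrap, body)
        body = re.sub(r"\x00(\d+)\x00", lambda s: keep[int(s.group(1))], body)
        return open_tag + body + close_tag

    return QUERY_RE.sub(fix_query, cfml)


if __name__ == "__main__":
    for hit in find_unparamed(SAMPLE_CFML):
        print("unparamed:", hit)
    print(rewrite(SAMPLE_CFML))
```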


RE: SQL injection attack on House of Fusion

2008-08-26 Thread Dave Watts
> It doesn't work with stored procedures (which shouldn't
> matter, 'cause I think they are type-checked by the DB first
> anyways)

Well, not necessarily. As Mark pointed out when this thread started - it
feels like it was long, long ago - if you're calling a stored procedure from
CFQUERY you have to check your variables there too. If you're using
CFSTOREDPROC, that builds a prepared statement that calls the stored
procedure for you, and you don't have to worry about it.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311630


RE: Something other than SQL injection attack on House of Fusion

2008-08-26 Thread Andy Matthews
Can someone PLEASE change the title of this thread??? 

-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 26, 2008 3:01 PM
To: CF-Talk
Subject: RE: SQL injection attack on House of Fusion

> It doesn't work with stored procedures (which shouldn't matter, 'cause
> I think they are type-checked by the DB first
> anyways)

Well, not necessarily. As Mark pointed out when this thread started - it
feels like it was long, long ago - if you're calling a stored procedure from
CFQUERY you have to check your variables there too. If you're using
CFSTOREDPROC, that builds a prepared statement that calls the stored
procedure for you, and you don't have to worry about it.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction
at our training centers in Washington DC, Atlanta, Chicago, Baltimore,
Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!



Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311632


Andy Matthews has too much free time - was... SQL injection attack on House of Fusion

2008-08-26 Thread Alan Rother
Sorry Andy,

I couldn't resist.

=]

On Tue, Aug 26, 2008 at 1:46 PM, Andy Matthews [EMAIL PROTECTED] wrote:

> Can someone PLEASE change the title of this thread???


-- 
Alan Rother
Adobe Certified Advanced ColdFusion MX 7 Developer
Manager, Phoenix Cold Fusion User Group, AZCFUG.org


Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311633


RE: Andy Matthews has too much free time - was... SQL injection attack on House of Fusion

2008-08-26 Thread Andy Matthews
:P 

-Original Message-
From: Alan Rother [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 26, 2008 3:57 PM
To: CF-Talk
Subject: Andy Matthews has too much free time - was... SQL injection attack
on House of Fusion

Sorry Andy,

I couldn't resist.

=]

On Tue, Aug 26, 2008 at 1:46 PM, Andy Matthews
[EMAIL PROTECTED] wrote:

> Can someone PLEASE change the title of this thread???


--
Alan Rother
Adobe Certified Advanced ColdFusion MX 7 Developer Manager, Phoenix Cold
Fusion User Group, AZCFUG.org




Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311635


Re: SQL injection attack on House of Fusion

2008-08-26 Thread denstar
On Tue, Aug 26, 2008 at 2:01 PM, Dave Watts wrote:
>> It doesn't work with stored procedures (which shouldn't
>> matter, 'cause I think they are type-checked by the DB first
>> anyways)
>
> Well, not necessarily. As Mark pointed out when this thread started - it
> feels like it was long, long ago - if you're calling a stored procedure from
> CFQUERY you have to check your variables there too. If you're using
> CFSTOREDPROC, that builds a prepared statement that calls the stored
> procedure for you, and you don't have to worry about it.

Ah, thank you Dave!  I was thinking of cfstoredproc, I reckon.

/tips hat

:Denny

-- 
Marriage is good for those who are afraid to sleep alone at night.
St. Jerome

Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311642


Re: SQL injection attack on House of Fusion

2008-08-26 Thread Brad Wood
That is, unless you concatenate SQL in your stored procedure.

http://www.codersrevolution.com/index.cfm/2008/7/22/When-will-cfqueryparam-NOT-protect-me

~Brad

- Original Message - 
From: denstar [EMAIL PROTECTED]
To: CF-Talk cf-talk@houseoffusion.com
Sent: Tuesday, August 26, 2008 6:26 PM
Subject: Re: SQL injection attack on House of Fusion


> On Tue, Aug 26, 2008 at 2:01 PM, Dave Watts wrote:
>>> It doesn't work with stored procedures (which shouldn't
>>> matter, 'cause I think they are type-checked by the DB first
>>> anyways)
>>
>> Well, not necessarily. As Mark pointed out when this thread started - it
>> feels like it was long, long ago - if you're calling a stored procedure
>> from
>> CFQUERY you have to check your variables there too. If you're using
>> CFSTOREDPROC, that builds a prepared statement that calls the stored
>> procedure for you, and you don't have to worry about it.
>
> Ah, thank you Dave!  I was thinking of cfstoredproc, I reckon.


Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311643


The thread formally known as the SQL injection attack on House of Fusion

2008-08-26 Thread Gerald Guido
I hereby decree, in the name of all that doesn't suck, that from this day
forth this thread will be hereby named The thread formally known as the SQL
injection attack on House of Fusion .

~G~


On Tue, Aug 26, 2008 at 4:46 PM, Andy Matthews [EMAIL PROTECTED] wrote:

> Can someone PLEASE change the title of this thread???
>
> -Original Message-
> From: Dave Watts [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 26, 2008 3:01 PM
> To: CF-Talk
> Subject: RE: SQL injection attack on House of Fusion
>
>> It doesn't work with stored procedures (which shouldn't matter, 'cause
>> I think they are type-checked by the DB first
>> anyways)
>
> Well, not necessarily. As Mark pointed out when this thread started - it
> feels like it was long, long ago - if you're calling a stored procedure
> from
> CFQUERY you have to check your variables there too. If you're using
> CFSTOREDPROC, that builds a prepared statement that calls the stored
> procedure for you, and you don't have to worry about it.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction
> at our training centers in Washington DC, Atlanta, Chicago, Baltimore,
> Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!

Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311644


RE: Something other than SQL injection attack on House of Fusion

2008-08-26 Thread Bobby Hartsfield
Why? So everyone can create more filters?

..:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com
http://cf4em.com

-Original Message-
From: Andy Matthews [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 26, 2008 4:47 PM
To: CF-Talk
Subject: RE: Something other than SQL injection attack on House of Fusion

Can someone PLEASE change the title of this thread??? 

-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 26, 2008 3:01 PM
To: CF-Talk
Subject: RE: SQL injection attack on House of Fusion

> It doesn't work with stored procedures (which shouldn't matter, 'cause
> I think they are type-checked by the DB first
> anyways)

Well, not necessarily. As Mark pointed out when this thread started - it
feels like it was long, long ago - if you're calling a stored procedure from
CFQUERY you have to check your variables there too. If you're using
CFSTOREDPROC, that builds a prepared statement that calls the stored
procedure for you, and you don't have to worry about it.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction
at our training centers in Washington DC, Atlanta, Chicago, Baltimore,
Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!





Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311648


Re: SQL injection attack on House of Fusion

2008-08-26 Thread denstar
On Tue, Aug 26, 2008 at 5:42 PM, Brad Wood wrote:
> That is, unless you concatenate SQL in your stored procedure.
>
> http://www.codersrevolution.com/index.cfm/2008/7/22/When-will-cfqueryparam-NOT-protect-me

Perfect example, thanks!

Yeah, dunno what I was thinking... parsing that stuff would be not un-hard.  =]

Ah, yes, not impossible... but screw that idea.

I'll stick to cleaning up simple queries and whatnot.  :op

-- 
The scars of others should teach us caution.
St. Jerome

Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311650


Re: Something other than SQL injection attack on House of Fusion

2008-08-26 Thread denstar
On Tue, Aug 26, 2008 at 7:18 PM, Bobby Hartsfield wrote:
> Why? So everyone can create more filters?

Filters?!?!  If you've been filtering, you've been missing out!

There's been action, adventure, intrigue!

We've been working on it this whole time.  Has a nice little
narrative... a beginning, middle, and end... some friends become
enemies, some enemies become friends... at the end, we are all richer
from the experience.

-- 
They talk like angels but they live like men.
St. Jerome

Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311651


Re: SQL injection attack on House of Fusion

2008-08-25 Thread denstar
On Sun, Aug 17, 2008 at 10:43 AM, Jochem wrote:
> denstar wrote:
>> Or maybe you've got a simple solution, to how one would limit URL
>> requests to only allowable values?
>
> I don't think simple solutions exist. The closest I have seen that still
> was simple yet appeared to be somewhat effective was a company that did
> something akin to hungarian notation. They had all their variables typed
> like user_uuid and article_int and they did type / bounds checking in
> the webserver, throwing security errors on every type mismatch or
> occurrence of a variable without the type declared.

That actually doesn't sound too painful.  More cpu intensive compared
to what I've got now (unless my keyword blacklist keeps growing), but
pretty simple.

I get the idea of deny, allow, but when you can cut out like 95% of
the crap with a super-fast "this is bad" type deal... hmm... my
real-world mind says go for it, while my programmer perfect world
mind knows it's not the most secure angle.

Stupid trade-offs!  Wish we could pick all three, as the saying goes.

Heh.  I'm actually liking the idea of only passing ID numbers in the
url request, which would make for a simple rule. Hmm... What else
would you really need to pass besides a single token, the thread of
the web?  Am I thinking screwy, or what?

Doesn't do squat for form or anywhere else, I reckon-- but what's the
percentage of form submissions vs. url requests?  Eh.  Guess, like all
things, it sorta depends on what you're doing, and trying to do, etc..

Thanks Jochem, I always enjoy your correspondence.

:Denny

-- 
Catch, then, O catch the transient hour; Improve each moment as it flies!
St. Jerome

Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311513
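Jochem's typed-variable scheme as quoted above (user_uuid, article_int, a security error on any type or bounds mismatch and on any variable with no declared type), written out in Python as an added example that is not from the thread; the check runs on the raw query string before any template sees the request. The suffix set, the integer bounds and the _str rule are assumptions made for this example.

```python
import re
import uuid
from urllib.parse import parse_qsl


class SecurityError(ValueError):
    """Raised for any request parameter that is untyped or fails its type/bounds check."""


def _is_int(v):
    # Bounds assumed for the example: a signed 32-bit integer, digits only.
    return re.fullmatch(r"-?\d{1,10}", v) is not None and -2**31 <= int(v) < 2**31


def _is_uuid(v):
    try:
        uuid.UUID(v)
    except ValueError:
        return False
    return True


def _is_str(v):
    # Assumed rule: short, and drawn from a small safe alphabet (no quotes, semicolons, etc).
    return len(v) <= 64 and re.fullmatch(r"[A-Za-z0-9 _.-]*", v) is not None


# Suffix -> validator. The suffix names follow the convention described in the thread
# (user_uuid, article_int); the "str" type is an addition for this example.
TYPE_CHECKS = {"int": _is_int, "uuid": _is_uuid, "str": _is_str}


def check_params(params):
    """Validate {name: raw_value}; return converted values or raise SecurityError."""
    clean = {}
    for name, value in params.items():
        suffix = name.rsplit("_", 1)[1] if "_" in name else ""
        if suffix not in TYPE_CHECKS:
            raise SecurityError(f"parameter {name!r} has no declared type")
        if not TYPE_CHECKS[suffix](value):
            raise SecurityError(f"parameter {name!r} failed the {suffix} check")
        clean[name] = int(value) if suffix == "int" else value
    return clean


def check_query_string(qs):
    """Parse a raw query string and validate it; a name given twice is refused as well."""
    params = {}
    for name, value in parse_qsl(qs, keep_blank_values=True):
        if name in params:
            raise SecurityError(f"parameter {name!r} given more than once")
        params[name] = value
    return check_params(params)


def rejection_reason(qs):
    """Message explaining why a query string is refused, or None when it passes."""
    try:
        check_query_string(qs)
    except SecurityError as e:
        return str(e)
    return None


if __name__ == "__main__":
    for qs in ("article_int=12&user_uuid=123e4567-e89b-12d3-a456-426614174000",
               "id=12", "article_int=12;DECLARE", "article_int=99999999999"):
        print(f"{qs!r:70} -> {rejection_reason(qs) or 'ok'}")
```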


Re: SQL injection attack on House of Fusion

2008-08-25 Thread denstar
On Wed, Aug 20, 2008 at 4:37 PM, Dave Watts wrote:

> Your main concern is not the consumption of resources as a result of an
> automated attack. That's just like any other denial of service attack,
> basically. If you can filter it out successfully, that's good for you, but
> you should be far more concerned with the results of a successful SQL
> injection attack.

Hey Dave!

Not to argue the difference between if(len())  and if(len() eq 0)... [-;)

I think DoS attacks are something to be aware of.  I shudder to think
of a million error emails, and the load that puts on multiple servers,
bandwidth, etc..

DoS attacks are one of those deals, that can cascade.  Like the Great
Black-out, of whatever year that was.  70-something?  Or like the bank
crisis of the late 90s... Eh.

Not to lessen the injection attacks, which are more likely to cause
real damage, and are more likely to expose a security hole than DoS
(but DoS can end up exposing quite a bit too, so) yeah, just wanted to
say, the layered thing seems the way to do it.

Low level, quick stuff, and high level, (most likely) slower stuff.

For a web-app developer though (no admin responsibilities), maybe it
goes like this:

1)  Sanitizing *all* user input.  GiGo.
2)  Avoid a self-imposed DoS, by things like error emails with no
throttle, emailed logs/huge logs on disk/in memory, or whatever.

Just wanted to sorta put emphasis on the fact that a DoS is still
something that's pretty bad, and *can* end up being as bad, or worse,
than injection attacks.

Just adding some emphasis, is all.  You can DoS yourself with some of
the solutions I've seen to the injection attacks.

Not that we really have to worry, right?  I'm sure we're all doing
load-testing, and part of that is testing a massive amount of errors,
right (intentional or no;)?  Right?

Hahahahaha.

*sigh* someday.  :-)

Man, how did I get here from trying to express the idea that one
attack can cascade into another kind of attack, or something like
that?  Eh. *shrug*  :-)

May your buffers never overflow,
|Den

-- 
Catch, then, O catch the transient hour; Improve each moment as it flies!
St. Jerome

Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311515


Re: SQL injection attack on House of Fusion

2008-08-23 Thread Matthew Smith
Mary Jo,

I've done some additional testing and have found that the prior version of the 
SQL Injection Blocker does better when challenged with the HP Scrawlr testing 
tool than the newest version. Rolling back to the prior release also solved the 
false positive problem for the three towns mentioned earlier.

Matt 

Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311464


Re: SQL injection attack on House of Fusion

2008-08-23 Thread Mary Jo Sminkey
> I've done some additional testing and have found that the prior
> version of the SQL Injection Blocker does better when challenged with
> the HP Scrawlr testing tool than the newest version. Rolling back to
> the prior release also solved the false positive problem for the three
> towns mentioned earlier.

Hhm, interesting. My own customers ran into several problems with that version, 
that have been fixed with the new one. I'm not surprised it does better with 
scrawlr though as for us it had way more false positives and was blocking *too* 
much stuff. 

Just goes to show, there's no one solution that works for everyone...and how 
important it is not to rely on these tools exclusively since they clearly do 
not work 100% of the time. 

--- Mary Jo



Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311467


Re: SQL injection attack on House of Fusion

2008-08-22 Thread Matthew Smith
I've upgraded to the latest version of Mary Jo's tool to filter attempts at SQL 
injection. It works well, but I found three interesting false positives today.

My site has community profiles for cities and towns. The URL for these profiles 
includes the county name as well as the city or town name. There are Union 
counties in North Carolina, New Jersey and Ohio. There are three towns that get 
a false positive flag. They all start with All (Allenwood, Allen Center and 
Allens Crossroads). The URLs have the format of /Union/Allenwood.cfm, 
/Union/Allen-Center.cfm and /Union/Allens-Crossroads.cfm. Clearly, the 
combination of Union/All is causing the problem. Can anyone suggest a 
modification to the code that would eliminate the false positives without 
substantially weakening the filter? The RegEx in her tool, 
(http://www.cfwebstore.com/index.cfm?fuseaction=page.downloaddownloadID=18), 
is way beyond my skill set.

TIA,
Matt


> Thanks for pointing this out...I updated the tool on my site to
> address this and also switched it to use a different RegEx that seems
> to work better and throw less false positives. Same link to download
> as before:
>
> http://www.cfwebstore.com/index.cfm?fuseaction=page.downloaddownloadID=18
>
> --- Mary Jo


Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311450
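Matthew's three false positives reconstructed, as an added example that is not from the thread or from the downloadable tool: NAIVE_RE is a constructed stand-in for a substring-style blocker pattern (the actual regex in the download is not on this page), and TOKEN_RE is a tighter variant that requires whole-word keywords in clause order. The probe strings are constructed and cover only the plain UNION [ALL] SELECT shape, so this shows the false-positive trade-off, not that the tighter pattern catches everything.

```python
import re
from urllib.parse import unquote

# Constructed stand-in for a keyword blocker: "union" followed anywhere later by "all" or "select".
# This is the kind of pattern that turns "/Union/Allenwood.cfm" into a hit.
NAIVE_RE = re.compile(r"union.*?(all|select)", re.IGNORECASE)

# Tightened variant: whole words, directly separated by whitespace, in the order a real
# UNION [ALL] SELECT clause has them. A county/town path never has that shape.
TOKEN_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE)

# The three URLs from the post plus one in the same county that does not start with "All".
SITE_URLS = [
    "/Union/Allenwood.cfm",
    "/Union/Allen-Center.cfm",
    "/Union/Allens-Crossroads.cfm",
    "/Union/Monroe.cfm",
]

# Constructed strings of the shape the filter is meant to stop, percent-encoded as in a URL.
PROBES = ["1%20UNION%20ALL%20SELECT%201", "1%20union%20select%20null"]


def false_positives(pattern, urls=SITE_URLS):
    """Legitimate URLs the pattern would block (decoded first, as the filter would see them)."""
    return [u for u in urls if pattern.search(unquote(u))]


def misses(pattern, probes=PROBES):
    """Probe strings the pattern would let through."""
    return [p for p in probes if not pattern.search(unquote(p))]


if __name__ == "__main__":
    for label, pat in (("naive", NAIVE_RE), ("token", TOKEN_RE)):
        print(f"{label}: blocks {false_positives(pat)}; misses {misses(pat)}")
```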


Re: SQL injection attack on House of Fusion

2008-08-22 Thread Mary Jo Sminkey
> Can anyone suggest a modification to the code
> that would eliminate the false positives without substantially
> weakening the filter?

The one in there now is by Luis Melo and his email is in the credits. You might 
want to send them along to him as I know he plans to work more on reducing the 
false positives as he has time. It's definitely a challenge to make sure you 
catch everything bad and let everything good through, so some false positives 
are probably inevitable. 

--- Mary Jo



Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311455


Re: SQL injection attack on House of Fusion

2008-08-22 Thread Mary Jo Sminkey
> My site has community profiles for cities and towns. The URL for these
> profiles includes the county name as well as the city or town name.
> There are Union counties in North Carolina, New Jersey and Ohio.

Or...maybe you could just get the states to rename that county. ;-) 




Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311456


RE: SQL injection attack on House of Fusion

2008-08-21 Thread Sandra Clark
Funny,

I went to high school with him.  Had a comp sci class with him where he
spent quite a bit of time trying to get passwords from unsuspecting people.

-Original Message-
From: Mike Kear [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 20, 2008 6:33 PM
To: CF-Talk
Subject: Re: SQL injection attack on House of Fusion

A while ago I read a totally riveting book called The Art Of
Intrusion by Kevin D Mitnick, the legendary hacker who was sent to
jail for his intrusion exploits. He runs a security company now,
that tests your security and reports back on how well you've done.



Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311383


Re: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore
I am still getting around 50 to 75 attacks a day on about 20 of my websites. I 
applied the solution from JOCHEM that aborts the attack in the application.cfm 
file and then sends me an email. 

They just keep coming from different IP addresses so it is useless to do 
anything other than wait for the storm to pass and watch them eat up bandwidth.

In the words of one of my all time favorites...AUGH! (that would be Charlie 
Brown for all you young ones)

David G. Moore, Jr.
UpstateWeb, LLC 

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311306


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Mary Jo Sminkey
 I also had a concern about thread safety; it's caching the java.util.
 regex.Matcher object in Application scope, and calling Application.
 injChecker.reset(testvar) for each url/form/etc variable -- seems like 
 Matcher.reset() changes state of the cached Matcher object? 

Thanks for pointing this out...I updated the tool on my site to address this 
and also switched it to use a different RegEx that seems to work better and 
throw less false positives. Same link to download as before:

http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=18

--- Mary Jo







Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311311


RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
I am currently using the SQLprev.cfm from Jochem to stop the onslaught of 
superfluous bandwidth suckage from my server, but was wondering what the 
difference would be with this one. I am not looking to start a "my SQL 
Injection blocker is better than yours", yet trying to educate myself on just 
what is going on and what is best to do. 
 
Does this thing just raise its ugly head every now and then and go away for a 
while? This is the first I have seen of it on my server.
 
Thanks in advance,
 
~David G. Moore, Jr.
   UpstateWeb, LLC

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311313


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Mary Jo Sminkey
 I am currently using the SQLprev.cfm from Jochem to stop the onslaught 
 of superfluous bandwidth suckage from my server, but was wondering 
 what the difference would be with this one.


Since I am not familiar with his, I cannot say what the difference would be. I 
did include URL, form, cookie and common CGI variables in mine as well, so 
it's pretty comprehensive for both this attack and others that might start 
looking for other vulnerable areas. It uses Gabriel's method of leveraging the 
Java regex pattern matcher, which seems to give better performance and is less 
likely to hang on large strings than CF's own regex. Luis Melo, who contributed 
the RegEx that I am now using, has his own SQLi blocker as well that includes a 
bunch of additional functions (such as keeping a list of blacklisted IP 
addresses in application memory) which some people may like as well. My goal 
was to just try and put something together that could easily be dropped in any 
application and do its thing with fairly minimal overhead. 


 Does this thing just raise its ugly head every now and then and go 
 away for a while? This is the first I have seen of it on my server.

This particular attack? It does seem to come and go. I have no doubt the 
hackers will look for other avenues to exploit once it seems that this one is 
no longer having much effect. 





Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311314


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Justin Scott
 I am currently using the SQLprev.cfm from Jochem to stop the onslaught of 
 superfluous bandwidth suckage from my server, but was wondering what the 
 difference would be with this one. I am not looking to start a "my SQL 
 Injection blocker is better than yours", yet trying to educate myself on just 
 what is going on and what is best to do. 

My original SQLprev script (http://www.gravityfree.com/_sqlprev.cfm.txt) 
just checks for basic SQL keywords with a semicolon in URL variables. 
It's a quick and dirty way to give you some protection from bots 
short-term while your code base is updated to use best practices and 
secure coding methods.  Mary Jo's is more thorough in that it checks 
additional variable scopes, and can help protect better against 
hand-drafted attacks, but may have a higher potential for false 
positives (though it's improved recently from what I can tell).

SQLPrev has a version compatible with CF5 for those who need it where 
the other script relies on CFMX functions to run.  I'm not saying one is 
better than the other, they both get the job done.  Just use whatever 
works best for you, and update your code so that you don't need either 
of them <g>.


-Justin Scott
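The kind of request filter both scripts implement, written here as an added example for Application.cfc (ColdFusion MX 7 or later) rather than taken from SQLprev or the cfwebstore download; the application name, the "sqli" log file name and the regular expression are assumptions. It scans URL, form, cookie and a few CGI values for a statement separator followed by the T-SQL keywords this attack relies on, logs the hit with the client address, and answers 403 before any page code runs:

```cfml
<!--- Added example, not the SQLprev or cfwebstore script from the thread.
      Application name, log file name and pattern are assumptions. --->
<cfcomponent output="false">
    <cfset this.name = "exampleApp">

    <!--- Stop-gap filter: refuse requests whose values look like a second
          SQL statement. Kept narrow (separator + keyword) to limit false
          positives; this is NOT a substitute for cfqueryparam. --->
    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var pattern = ";\s*(declare\s+@|exec(ute)?\s*\(|cast\s*\(|update\s+\w+\s+set\s|insert\s+into\s|drop\s+table\s|xp_cmdshell)">
        <cfset var scopes = structNew()>
        <cfset var scopeName = "">
        <cfset var key = "">
        <cfset var value = "">

        <!--- Scopes an attacker controls directly. CGI is copied selectively
              because most of it is server-supplied and never reaches SQL. --->
        <cfset scopes.url = url>
        <cfset scopes.form = form>
        <cfset scopes.cookie = cookie>
        <cfset scopes.cgi = structNew()>
        <cfset scopes.cgi.query_string = cgi.query_string>
        <cfset scopes.cgi.http_referer = cgi.http_referer>
        <cfset scopes.cgi.http_user_agent = cgi.http_user_agent>

        <cfloop collection="#scopes#" item="scopeName">
            <cfloop collection="#scopes[scopeName]#" item="key">
                <cfset value = scopes[scopeName][key]>
                <cfif isSimpleValue(value) AND reFindNoCase(pattern, value)>
                    <!--- Record enough to correlate with the web server log,
                          then stop the request before any query is reached. --->
                    <cflog file="sqli" type="warning"
                           text="Blocked #cgi.remote_addr# #scopeName#.#key# on #arguments.targetPage#: #left(value, 200)#">
                    <cfheader statuscode="403" statustext="Forbidden">
                    <cfabort>
                </cfif>
            </cfloop>
        </cfloop>

        <cfreturn true>
    </cffunction>
</cfcomponent>
```

The pattern anchors on the semicolon because that is what turns a value into a second statement; a bare "update" or "cast" in a search box is legitimate traffic. Keep the 403 generic (no echo of the payload) so the response gives the bot nothing to tune against, and treat the log file as a to-do list of pages that still concatenate input into SQL.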



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311317


RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
When you say "Update Your Code", are you saying using cfqueryparam? But even 
so, the SQL injection still will use up countless resources instead of cutting 
it off early. So, go back and fix 1,000's of lines of code I have developed 
over the last 'umpteen' years or stop it before it starts? Is this something new 
to CF8 or just a necessary evil because of SQL Injection Attacks? 
 
Not trying to pick a fight, because I am sure you have forgotten more code than 
I will ever know (seriously) and I am probably just being lazy (seriously), but 
is cfqueryparam something a lot of programmers really use? I have never seen 
cfqueryparam used on any tags I have purchased or exchanged and I am afraid 
all I know is what I have learned from books and forums. This is the first I 
have ever heard of using cfqueryparam.
 
~David G. Moore, Jr.
 

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311320


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Mary Jo Sminkey
 When you say "Update Your Code", are you saying using cfqueryparam? 

Yes, that's what he is saying. 


 so, go back and fix 1,000's of lines 
 of code I have developed over the last 'umpteen' years or stop it 
 before it starts?

Because if you don't, you are putting a LOT of faith in these blockers and 
assuming that hackers won't find other ways to attack a vulnerable application 
that doesn't get by them. Personally, I'm not sure I'd put *that* much trust in 
them, if I really cared about my sites being safe. 


 Is this something new to CF8 or just a necessary 
 evil because of SQL Injection Attacks. 

Nothing new, and certainly not unique to ColdFusion either. 


 is cfqueryparam something a lot of programmers 
 really use? 

Uh, yes. 


 This is the first I have ever heard of using cfqueryparam.

That is a truly scary thought. I hope you will spend some time on the 
ColdFusion blogs which have lots of information on the importance of using it. 


--- Mary Jo




Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311321


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Ian Skinner
David Moore, Jr. wrote:
 Not trying to pick a fight, because I am sure you have forgotten more code 
 than I will ever know (seriously) and I am probably just being lazy 
 (seriously), but is cfqueryparam something a lot of programmers really use? 
 I have never seen cfqueryparam used on any tags I have purchased or 
 exchanged and I am afraid all I know is what I have learned from books and 
 forums. This is the first I have ever heard of using cfqueryparam.

Yes cfqueryparam... is well used and for very good reasons.  One of 
which is what do you want to happen if the next clever hacker comes 
along with an attack that gets around all these solutions that have been 
developed to stop them at the gate?  Do you really want to gamble your 
data and possibly career on the fact that you can out-guess every 
hacker who collectively have almost endless time and resources to figure 
out ways around these solutions?

I equate it to this analogy I have been dying to use for some time.

Would you never build the city walls and gates just because you have 
sentries watching the road?  No matter how good and undefeatable you 
think your sentries are.

Or why have database passwords if you have a firewall.  (That one might 
be better)



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311322


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Josh Nathanson
 Not trying to pick a fight, because I am sure you have forgotten more code 
 than I will ever know (seriously) and I am probably just being lazy 
 (seriously), but is cfqueryparam something a lot of programmers really 
 use? I have never seen cfqueryparam used on any tags I have purchased 
 or exchanged and I am afraid all I know is what I have learned from books 
 and forums. This is the first I have ever heard of using cfqueryparam.

It depends on what you mean by a lot.  But, if you'd been hanging out on 
this list at all, you'd have heard of cfqueryparam.  It's discussed quite 
often.  But, since most people learn ColdFusion on their own, and it's not a 
necessary tag to know about to get things done, you could go for years 
without using it or even understanding why it's needed.

-- Josh



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311323


RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
And this is where I am. I have been using CF since 4.5. Very Scary. Glad I have 
found this list. I am sure to learn a lot. I will try to read and not bother.
 
Thanks for the SMACK DOWN. I will start to write it in and become more learned. 
I can say, just in the last weeks since joining I have learned a lot.
 
~David G. Moore, Jr.

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311324


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Justin Scott
 When you say "Update Your Code", are you saying using cfqueryparam? But 
 even so, the SQL injection still will use up countless resources instead of 
 cutting it off early. So, go back and fix 1,000's of lines of code I have 
 developed over the last 'umpteen' years or stop it before it starts? Is this 
 something new to CF8 or just a necessary evil because of SQL Injection 
 Attacks? 

Essentially, yes, code should be using cfqueryparam and other secure 
coding methods to keep the baddies out.  The resources will get used 
either way, really.  You can either rely on a filter up-front and use up 
CPU cycles regardless of whether a user is legitimate or not, or even 
whether or not a query is being run in the page or not, etc.  Or, you 
can implement cfqueryparam where appropriate and only use those cycles 
where they're needed, and you'll get the added benefit of prepared 
statements on the SQL Server in most cases and the queries will run 
slightly faster as a result.  Either way you go, protect yourself and 
your clients.

SQL injection attacks have been around since before I got started in web 
development, and secure coding against them has been a best practice 
just as long.  I remember updating old CF code I inherited way back 
when I was using ColdFusion 4, so it's certainly nothing new.

It's unfortunate that you haven't seen this in practice until now, but 
it really is something you should be doing.  It's been my observation 
over the years that web programmers in general (not just limited to 
ColdFusion) tend to learn about security only when there is a breach of 
some kind, and then have to scramble to learn under fire.  Just as an 
example, how many out there run e-commerce applications and have never 
heard of PCI-DSS?

I'm not picking on you specifically, David, so please don't think I'm 
calling you out or anything.  I'm always learning new things myself, but 
we web developers need to collectively get more educated about the risks 
and threats we face and alter our practice accordingly.


-Justin Scott
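What "update your code" means in practice, as an added example that is not code from the thread or from either blocker script: the same lookup written with the request value concatenated into the SQL, then with cfqueryparam. The datasource name siteDSN, the products table and its columns are assumptions.

```cfml
<!--- Added example, not code from the thread. Assumes a datasource "siteDSN"
      and a table "products" with columns productID (int) and
      productName (varchar); all three names are hypothetical. --->

<!--- VULNERABLE: url.id is pasted into the SQL text. A value such as
      "1;DECLARE @s VARCHAR(4000)..." becomes a second statement that the
      database runs with the application's privileges. --->
<cfquery name="getProductUnsafe" datasource="siteDSN">
    SELECT productID, productName
    FROM   products
    WHERE  productID = #url.id#
</cfquery>

<!--- HARDENED: the value is sent as a typed bind parameter. ColdFusion
      hands the driver the SQL with a placeholder and the value separately
      (a prepared statement), so the database never parses attacker text
      as SQL. cfparam rejects a non-integer before the query is built,
      and cfqueryparam would throw on it anyway. --->
<cfparam name="url.id" default="0" type="integer">
<cfquery name="getProduct" datasource="siteDSN">
    SELECT productID, productName
    FROM   products
    WHERE  productID = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Strings and lists work the same way. The driver handles quoting, so a
      search term containing ' or ; is just data, and maxlength caps the
      size of what an attacker can push through. --->
<cfparam name="form.q" default="">
<cfparam name="url.ids" default="0">
<cfquery name="searchProducts" datasource="siteDSN">
    SELECT productID, productName
    FROM   products
    WHERE  productName LIKE <cfqueryparam value="%#form.q#%" cfsqltype="cf_sql_varchar" maxlength="100">
      AND  productID IN (<cfqueryparam value="#url.ids#" cfsqltype="cf_sql_integer" list="true">)
</cfquery>
```

cfqueryparam binds values only. Anything that is part of the statement's structure, such as a column name in ORDER BY or a sort direction taken from the URL, cannot be parameterized and has to be checked against a fixed list of allowed values before it goes anywhere near the query.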



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311325


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Kelly
As someone who was hit by the attack on the first day, I will say I've 
used cfqueryparam for years and yet I had a handful of pages with old 
code where I was not using cfqueryparam. It just takes one page that's 
publicly accessible to do damage. Once I fixed the pages in question, 
try as they might, I have not been affected since.

Using cfqueryparam is a good habit to get into, to protect your sites 
and client sites. I was also running a forum program I purchased years 
ago, CFForum2000 I think, and all the code in that product was not using 
cfqueryparam either. I had to go through and edit the code throughout. 
It's possible their newer versions are using proper coding but it was a 
bit of a pain, and really my own fault for not rechecking that code long 
ago.
Kelly



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311326


RE: SQL injection attack on House of Fusion

2008-08-20 Thread Dave Watts
 Does this thing just raise its ugly head every now and then 
 and go away for a while? This is the first I have seen of it 
 on my server.

This is the first large-scale automated SQL injection attack. Automated
attacks have been around for a long time, as have SQL injection attacks.

Honestly, this current attack is just a nuisance. SQL injection attacks are
usually more destructive, in that they often involve the theft of sensitive
data. In those cases, of course, the attack is manual rather than automated.
But if your site is vulnerable to this automated attack, it has always been
vulnerable to these manual, destructive attacks - which may have already
occurred without your knowledge.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311327


RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
Justin,
 
I certainly don't feel picked on. I feel blessed to have a place where I can 
learn from people who do know so much. And you are right. I (we) only seem to 
learn under fire. I am a one man business owner in a small town with limited 
resources and time. 10 hour days, work weekends, what is family time except 
coaching baseball-soccer-basketball, and I have forgotten what sleep even is. 
So, what do we do?
 
I am a little embarrassed to say I didn't know, but at least in honesty I can 
learn and get a complete picture. 
 
So, what is PCI-DSS (he asks sheepishly), or is that a whole 'nother post?
 
Thanks everyone!
 
~David G. Moore, Jr.
 
P.S. Speaking of smackdowns, Mary Jo's got a great right cross :) Go get 'em, 
girl!

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311328


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Eric Cobb
 is cfqueryparam something a lot of programmers really use?


Only the good ones.  ;)


Thanks,

Eric


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311329


RE: SQL injection attack on House of Fusion

2008-08-20 Thread Mark Kruger
Right on Dave... That's a point I've been making as well.  

It is the SQL injection attacks that don't obviously do anything that are
more insidious. For those of you who have found your sites vulnerable, this
attack is not the one that should be keeping you up at night. Instead, it
should be those attacks that came in and left with your data without
arousing any alarm at all :)

-Mark


Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com




Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311330


RE: SQL injection attack on House of Fusion

2008-08-20 Thread Mark Kruger
Eric, 

A good answer might be "it is now" :)





Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311331


RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
The only way I found the SQL Injection Attack was my server kept crawling to a 
dead halt. I looked in SeeFusion (some software I purchased that lets me see 
what is going on live with the websites) and I noticed that the sites' Total 
Time just kept going up and never resolving, basically every website coming to 
a halt and bringing my server to a screeching halt. I would reboot CF to get 
it to unlock. After a scan of Cold Fusion logfiles application.cfm file, I saw 
this weird URL string and thus my search landed me here.
 
Whether or not that is what was or is bringing my server to a halt, I don't 
know - but I can only hope. I am pretty sure it has something to do with the 
(don't everyone scream all at once) 45 access databases I am using to run the 
individual websites off of or not, but just maybe.
 
~ David G. Moore, Jr.
 
P.S. Can't wait to see everyone's response to this one? I am pretty sure I am 
about to get another SMACK DOWN...

 Subject: RE: SQL injection attack on House of Fusion
 From: [EMAIL PROTECTED] To: cf-talk@houseoffusion.com
 Date: Wed, 20 Aug 2008 17:59:23 -0400

  Does this thing just raise its ugly head every now and then and go away
  for a while? This is the first I have seen of it on my server.

 This is the first large-scale automated SQL injection attack. Automated
 attacks have been around for a long time, as have SQL injection attacks.

 Honestly, this current attack is just a nuisance. SQL injection attacks are
 usually more destructive, in that they often involve the theft of sensitive
 data. In those cases, of course, the attack is manual rather than automated.
 But if your site is vulnerable to this automated attack, it has always been
 vulnerable to these manual, destructive attacks - which may have already
 occurred without your knowledge.

 Dave Watts, CTO, Fig Leaf Software
 http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311332


RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
Well, it is my goal :) not there yet...

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311333


RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
So, I have found like the Mother Lode of good programmers who really care 
about Cold Fusion and take the time to do it right? Because every piece of code 
I have ever gotten from Adobe Exchange or purchased from other sites has never 
had cfqueryparam. And I know Ben is going to shoot me, because looking back 
at some of his Advanced books now I see where he says I should be using it.
 
I guess my 10 hour days just turned into 14 hours. Anybody got a Starbucks 
Supersize Java Java Double Caffeine coupon?
 
Eric is pretty good at the Smack Down too, Eric The Great takes David the Geek 
over the ropes and into the first row of chairs! (Yes, I am from the South and 
everything references Wrestling or Nascar)
 
~David

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311334


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Justin Scott
 I certainly don't feel picked on. I feel blessed to have a place where I can 
 learn from people who do know so much. And you are right. I (we) only seem to 
 learn under fire. I am a one man business owner in a small town with limited 
 resources and time. 10 hour days, work weekends, what is family time except 
 coaching baseball-soccer-basketball, and I have forgotten what sleep even is. 
 So, what do we do?

Well, the first step is getting more connected to the community, being 
exposed to different styles, and being on a list such as this one is a 
great start.  Presentations at user groups can also cover topics such as 
this if you have one near your area.

 So, what is PCI-DSS (he asks sheepishly) or is that a whole nother Post

In short, PCI-DSS is the Payment Card Industry Data Security Standard. 
It is required for any merchant who accepts, processes, handles, stores, 
or transmits credit card or debit card information.  It isn't law, but 
your merchant account (or those of your clients) will have provisions in 
their contracts that require compliance with these rules.  You can read 
more about it at:

https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

That's another whole can o' worms though.


-Justin Scott



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311335


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Justin Scott
 So, I have found like the Mother Load of good programmers who really care 
 about Cold Fusion and take the time to do it right?

Pretty much.  The skill level on the list varies from "can express the 
meaning of life in ColdFusion" to "what's a database" so your experience 
may vary.  I'd like to think that everyone here, including me, is 
looking to learn through the experience of others, so you're in the 
right place.  Welcome!


-Justin Scott



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311336


RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
Consider me connected. At the same time, I will try not to just suck the life 
out of the list and provide substance where I can. I was a morning radio 
announcer for 20 years before becoming a web programmer, so if you can't 
remember the name of that song or artist - just ask. :)
 
As for the can o' worms. If you're ever in Spartanburg, SC, just bring 'em 
along and I can show you some really nice fishin!
 
Seriously, thanks everyone!
 
~David G. Moore, Jr.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311337


RE: SQL injection attack on House of Fusion

2008-08-20 Thread Dave Watts
 When you say Update Your Code, are you saying using 
 cfqueryparam?

Yes. That is the only mechanism guaranteed to prevent known and future SQL
injection attacks. Using a filter can protect you from the current attack
long enough for you to fix your broken code.

 But even so, the SQL injection still will use 
 up countless resources instead of cutting it off early. So, 
 go back and fix 1,000's of lines of code I have developed 
 over the last 'umpteen' years or stop it before it starts? Is 
 this something new to CF8 or just a necessary evil because of 
 SQL Injection Attacks? 

It's only possible to stop something before it starts if you can clearly
identify what it is. In this attack, for example, there are some specific
keywords that you can use in a filter: DECLARE and CAST. The next attack may
use different keywords, or different permutations of the same keywords
(using Unicode sequences instead of ASCII characters, for example).

Your main concern is not the consumption of resources as a result of an
automated attack. That's just like any other denial of service attack,
basically. If you can filter it out successfully, that's good for you, but
you should be far more concerned with the results of a successful SQL
injection attack.

 is cfqueryparam something a lot of programmers really use?

A lot of (arguably, almost all) competent programmers use it. Fewer
incompetent programmers use it. I'm not trying to pick a fight with you
either; I'm not calling you incompetent. But at this point, web application
programmers using almost any language should be familiar with the concept of
prepared statements (what you're building with CFQUERYPARAM) and why they're
important.

 I am afraid all I know is what I have learned from books and 
 forums. This is the first I have ever heard of using cfqueryparam.

It's been mentioned periodically on this list for years. It's covered in the
official Adobe courseware, and in all of the CF books I've seen. That said,
I can see how you might not know about it if you don't pay relatively close
attention to all this stuff.

But with THAT said, it is your job and responsibility as a web developer to
be aware of best practices and requirements within that field. There are
PLENTY of resources about building secure web applications. Those resources
might not cover CF specifically all that much, but if you read in Open Web
Application Security Project (http://www.owasp.org/index.php/Top_10_2007),
for example, about the top ten vulnerabilities in web applications, you
would see that SQL injection is on the list and that you use prepared
statements to prevent it. Your next question should be, how do I build a
prepared statement in ColdFusion? You, as the web developer, are often
responsible for ALL SORTS of things that you're not going to learn in books
or forums: development issues like application security, interface issues
like usability and accessibility, business issues, deployment issues, etc,
etc. What's more, your responsibility may well be legally binding; in other
words, you might get sued for doing the wrong thing for a client.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

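Dave's point about prepared statements, as an added example that is not from this thread and not anyone's ColdFusion code: the spliced query beside its bound form, written in Python against sqlite3 (standing in for the CF datasource; table, rows and the hostile-looking input are all constructed), with a typed id parameter playing the role of cfsqltype.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample catalogue (in-memory) so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, price REAL)"
    )
    conn.executemany(
        "INSERT INTO product (id, name, price) VALUES (?, ?, ?)",
        [(1, "Widget", 9.99), (2, "O'Brien's Gadget", 19.99), (3, "Sprocket", 4.50)],
    )
    return conn


def find_by_name_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The 'before' form: the value is spliced into the SQL text, the way a bare
    #url.name# inside <cfquery> is. Whatever the string contains becomes part of
    the statement, so even a legitimate apostrophe breaks the query, and SQL
    keywords in the value are parsed as SQL rather than compared as text."""
    sql = "SELECT id, name FROM product WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name(conn: sqlite3.Connection, name: str) -> list:
    """The prepared-statement form, which is what <cfqueryparam> builds: the SQL
    text is fixed and the value travels separately as a bound parameter, so it
    can only ever be compared, never executed."""
    sql = "SELECT id, name FROM product WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def find_by_id(conn: sqlite3.Connection, product_id) -> list:
    """Typed binding, the analogue of cfsqltype="cf_sql_integer": anything that
    is not an integer is rejected before it reaches the database at all."""
    try:
        product_id = int(product_id)
    except (TypeError, ValueError):
        raise ValueError(f"product id must be an integer, got {product_id!r}")
    return conn.execute(
        "SELECT id, name FROM product WHERE id = ?", (product_id,)
    ).fetchall()


def splicing_breaks_query(conn: sqlite3.Connection, name: str) -> bool:
    """True when the concatenated form fails outright for this input; the
    database error is the symptom that part of the input was read as SQL."""
    try:
        find_by_name_unsafe(conn, name)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    legit = "O'Brien's Gadget"
    # Constructed hostile-looking input: a quote, a statement separator and
    # one of the keywords the thread's filters look for. Bound, it is just
    # a string that matches no product.
    hostile = "Widget'; DECLARE @x INT"
    print("bound, legitimate name:", find_by_name(db, legit))
    print("spliced, legitimate name breaks:", splicing_breaks_query(db, legit))
    print("bound, hostile input matches nothing:", find_by_name(db, hostile))
    print("typed id lookup:", find_by_id(db, "2"))
```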

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311338


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Mike Kear
A while ago I read a totally riveting book called The Art Of
Intrusion by Kevin D Mitnick, the legendary hacker who was sent to
jail for his intrusion exploits. He runs a security company now,
that tests your security and reports back on how well you've done.

He says one of the most common failures of security systems of all
kinds is that they rely on a secure perimeter. The theory is that
if we keep the hordes out of the city at the boundaries, that's all
we need to do. Unfortunately all the bad guys need is a single crack
in that outer perimeter and they can go wherever they like. So his
hacking attempts usually meant hunting for some hole in the wall, and
once through that hole the entire enterprise was laid out for the
taking.

He'd find a router left online but unsecured by some lazy support
person who wanted to be able to work from home. Or a long-forgotten
modem somewhere, and once through that security hole, there were no
other security blockers and the whole network was his for the raping
and pillaging.

The lesson we learn from this? Don't rely on only one defense
mechanism. All it takes is one crack in that armour and you're dead.
You need to use all the weapons you have at your disposal. In this
case, we need to use the Regex blockers, cfqueryparam, strong
passwords, regular password changing, separate physical machines
for web and database - everything you can think of to make it more
difficult for the attackers.

That book was a great read on its own, but a real education for me as
a web developer. I heartily recommend it. The opening chapter is
highly amusing - where he is hired to probe security at a company, and
at the review meeting where he presented his report, he said 'yes I
managed to get in and managed to get some unauthorised access. And
I think you should have done a better job on your application for a
raise. And did you know you are being paid less than others of
equivalent rank in your company? Oh and the profits you're going to
report next month are x xx xx .. you have a secretary who is having
an affair with one of your senior execs.' When their mouths gaped
open he finished it with the clincher .. 'oh and this PC I'm using for
the presentation - it's yours. Your security manager gave it to me,
along with remote admin access to your network, and I have been working
remotely through your network for the past month.'

A fantastic read.

Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311339


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Mike Kear
Don't feel bad, David. I am a freelance CF programmer. I spend most
of my time working on bug fixes or feature enhancements on code
written by others. And the vast majority of files I work on have no
cfqueryparam.

Most of the code I work on really needs re-writing from scratch, it's
so poorly written. At least in my experience, very few CF
programmers use cfqueryparam. It's quite frightening really. Not
only is the code vulnerable to attack, it's slow, inefficient, and
often just plain wrong.

I'd say one of the best things you have ever done as a CF programmer
is join this list and pay attention to the things clever folks like
Dave Watts have to say. Rare is the day when I don't learn something
useful on this list.

-- 
Cheers
Mike Kear
Windsor, NSW, Australia

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311341


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Mary Jo Sminkey
 P.S. Speaking of Smack Down's. Mary Jo's got a great right cross :) Go 
 get'em girl!

LOL, actually I am a pacifist at heart and always try to not lose my temper 
(serves me well with customers, particularly the endlessly annoying ones!) 

As for not knowing what cfqueryparam is and how to properly secure an 
application (there's more to it than just cfqueryparam) hopefully all these 
issues that people are dealing with will help such information make its way 
into even beginner CF materials, and not have it be so much of an afterthought 
as it seems to have been up to this point. 

--- Mary Jo



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311356


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Mary Jo Sminkey
 Eric is pretty good at the Smack Down too, Eric The Great takes David 
 the Geek over the ropes and into the first row of chairs! (Yes, I am 
 from the South and everything references Wrestling or Nascar)

Here's another smack down for you... it would be nice if you could remove all 
the extra quoted stuff on your posts... take a look at the online web archives, 
it really makes a mess of the thread! 

--- Mary Jo



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311357


RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
Mary Jo,
 
Sorry. Didn't see all that. First time using this kind of post.

 Here's another smack down for you... it would be nice if you could remove all
 the extra quoted stuff on your posts... take a look at the online web
 archives, it really makes a mess of the thread!

Will do better in the future. No way for me to go in and edit that once it is 
posted? YUCK. Where's a good Langolier when you need one? Thanks for the 
education though.
 
~David
P.S. I like your Smack Downs. You got GRIT! Were you wearing a cape or mask 
when you wrote that SMACK!?

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311358


RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
 Actually I am a pacifist at heart and always try to not lose my temper
 (serves me well with customers, particularly the endlessly annoying ones!)

LOLOL. I am actually a moderately conservative liberal. I believe in losing my 
temper only when I know I can't find it. 

 As for not knowing what cfqueryparam is and how to properly secure an 
 application (there's more to it than just cfqueryparam) hopefully all these 
 issues that people are dealing with will help such information make its way 
 into even beginner CF materials, and not have it be so much of an 
 afterthought as it seems to have been up to this point. 

On a serious note, it would have been nice if I had been more aware 
when I started coding those many years ago. I have more lines of code that need 
reworking than I care to think of, but I have to start somewhere. 

 --- Mary Jo
Thanks for your help today! You have been incredibly patient and kind. Now, I 
must go home because my wife has called for her third and last time, which 
means I am on the couch...
 
~David Rock Moore
 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311359


Re: SQL injection attack on House of Fusion

2008-08-20 Thread Jochem van Dieten
David Moore, Jr. wrote:
 I am currently using the SQLprev.cfm from Jochem

The what from whom?

Jochem

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311361


RE: SQL injection attack on House of Fusion

2008-08-20 Thread David Moore, Jr.
OK. I thought it was from you. I was sent an email with the link to SQLprev.cfm 
in an email and they referenced I use your suggestion in the email as well. I 
stuck the two together.

 David Moore, Jr. wrote:
  I am currently using the SQLprev.cfm from Jochem

 Jochem wrote:
 The what from whom?

Please don't shoot me. I am new to all this? Sleep deprived...
 
~David

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311362


RE: SQL injection attack on House of Fusion

2008-08-20 Thread Jenny Gavin-Wear
I'm using WhosOn, an IIS server monitor.  It does an auto look up on the
location of the IP and I can also set it up to record alerts for keywords,
such as DECLARE.

www.whoson.com


-Original Message-
From: Brad Wood [mailto:[EMAIL PROTECTED]
Sent: 09 August 2008 18:37
To: CF-Talk
Subject: Re: SQL injection attack on House of Fusion


Bobby, what have you been using to look up the origin of the IPs en masse?
I found a site that lets me do a handful at a time, but I don't know how
accurate the data is. It is saying the majority of my IPs originated from
the US.

~Brad

- Original Message -
From: Bobby Hartsfield [EMAIL PROTECTED]
To: CF-Talk cf-talk@houseoffusion.com
Sent: Saturday, August 09, 2008 11:58 AM
Subject: RE: SQL injection attack on House of Fusion


 Now look at how many of those are from Asia Pacific Network Info Centre
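The keyword alert Jenny describes (a DECLARE search over the web server log), as an added example that is not from the thread or from WhosOn: a small offline pass over constructed IIS W3C log lines that percent-decodes and NFKC-normalises the query string first, so the Unicode permutations Dave warns about do not slip past a plain ASCII match. The log lines, paths and addresses are made up.

```python
import re
import unicodedata
from collections import Counter
from urllib.parse import unquote

# Constructed IIS W3C extended log excerpt. The addresses are documentation
# ranges and the requests are made up; nothing here comes from a real server.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-08-20 14:02:11 192.0.2.10 GET /products.cfm id=12 200
2008-08-20 14:02:13 198.51.100.7 GET /products.cfm id=12;DECLARE%20@S%20VARCHAR(4000) 200
2008-08-20 14:02:14 198.51.100.7 GET /news.cfm id=3%3BdEcLaRe%20%40s%20NVARCHAR(4000)%3BSET%20%40s%3DCAST( 500
2008-08-20 14:02:20 203.0.113.5 GET /search.cfm q=%EF%BC%A4%EF%BC%A5%EF%BC%A3%EF%BC%AC%EF%BC%A1%EF%BC%B2%EF%BC%A5%20%40x 200
2008-08-20 14:03:01 192.0.2.10 GET /about.cfm - 200
"""

# The two keywords Dave names for the current attack; extend as needed.
KEYWORDS = re.compile(r"\b(DECLARE|CAST)\b", re.IGNORECASE)


def normalize_query(raw: str) -> str:
    """Percent-decode until the string stops changing (so double encoding does
    not hide a keyword) and fold Unicode look-alikes such as fullwidth letters
    to ASCII with NFKC, the permutation a plain ASCII grep would miss."""
    text = raw
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return unicodedata.normalize("NFKC", text)


def parse_w3c(log_text: str):
    """Yield one dict per request line, keyed by the names in the #Fields
    directive. Lines whose field count does not match are skipped rather
    than guessed at."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def flag_requests(log_text: str) -> list:
    """Return (client ip, uri stem, keyword) for every request whose decoded,
    normalised query string contains one of the keywords."""
    hits = []
    for rec in parse_w3c(log_text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        match = KEYWORDS.search(normalize_query(query))
        if match:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], match.group(1).upper()))
    return hits


def hits_per_ip(log_text: str) -> Counter:
    """How many flagged requests each client sent; a quick way to see which
    sources are hammering the site before deciding what to do about them."""
    return Counter(ip for ip, _, _ in flag_requests(log_text))


if __name__ == "__main__":
    for ip, stem, keyword in flag_requests(SAMPLE_LOG):
        print(f"{ip:15} {stem:15} {keyword}")
    print(hits_per_ip(SAMPLE_LOG))
```

The third sample line is only caught because of the decode step and the fourth only because of NFKC; a case-sensitive ASCII search for DECLARE would report just the second.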




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311363


RE: SQL injection attack on House of Fusion

2008-08-20 Thread Jenny Gavin-Wear
This is totally off topic in this list, but I'll make this comment and
that's an end to it.

Your expression "asked for rape" defies the logic of your argument.  "Asked
for rape" would mean she asked for sex and would therefore be a consenting
adult, i.e., not a rape victim.

Overall a really bad and totally insensitive analogy, the likes of which I
hope we never see on this list again.

Enough 

-Original Message-
From: Mark Kruger [mailto:[EMAIL PROTECTED]
Sent: 11 August 2008 16:24
To: CF-Talk
Subject: RE: SQL injection attack on House of Fusion


Rick,

While your argument is well put, perhaps we could choose a slightly less
inflammatory analogy than rape. We have a large group here and I wouldn't
want anyone to be incensed by trivializing such a traumatic event (although
obviously that is not the intent).

-Mark

-Original Message-
From: Rick Faircloth [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2008 9:45 AM
To: CF-Talk
Subject: RE: SQL injection attack on House of Fusion

This would probably be more productively viewed as a responsibility
issue, rather than blame.

Both parties, webmaster and attacker, bear responsibility for the status of
the server/data/etc.

A negligent server/website admin bears a certain amount of responsibility
for the situation.  The attacker also bears responsibility for the
consequences of the attack.

A court of law might hold only the attacker ultimately responsible.
However, the supervisor of a negligent server/website administrator would
view it as shared responsibility between the attacker and the attacked, as
in, "Why wasn't the server/website protected in the first place?"

Viewing this as a rape case, if a girl was hanging out on a street corner
and asking passers-by to rape her, then, yes, she bears some responsibility
for putting herself in that situation.  It doesn't mean the one who rapes
her doesn't bear the greater responsibility for the situation, and,
therefore, punishment, but a fair judge would have to ask the girl why was
she asking passers-by to rape her in the first place.

Girls should reasonably avoid provoking rapists, and rapists should resist
their impulses.

Likewise, server/website admins should reasonably protect their servers and
websites, but hackers should avoid their impulses or share responsibility
for the situation.

Rick





Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311364


Re: SQL injection attack on House of Fusion

2008-08-19 Thread Qing Xia
Hello folks:

I am sorry about the thread jump here, but any ASP gurus out there on this
discussion list?

In the past week, I have been fanatically patching our old CF code and
applying CFQUERYPARAM wherever it applies.  Additionally, I also implemented
the SQL Injection Blocker written by Gabriel and Mary Jo.  It is extremely
helpful.

However, a big chunk of our old application is written in ASP.  It was an
off-the-shelf content-management system which we plan to replace soon.  I
have no experience with ASP, but from the database being hit, it is pretty
certain that the injection must have come through the ASP code.

Is there a quick-and-dirty fix for ASP code regarding this SQL injection?
Has anybody written the SQL injection blocker function in ASP? What is the
ASP equivalent of CFQUERYPARAM?

BTW, I know that another effective method would be to install a Web
Server injection filter--but that is not within my control and the only
thing I can do now is on the code side.

Thanks and any help will be most appreciated!

Qing Xia

On Sun, Aug 17, 2008 at 12:43 PM, Jochem van Dieten
[EMAIL PROTECTED] wrote:

 denstar wrote:
  On Sun, Aug 17, 2008 at 2:08 AM, Jochem van Dieten wrote:
  denstar wrote:
  On Sat, Aug 16, 2008 at 6:15 AM, Jochem van Dieten wrote:
  I haven't mentioned this before because I do believe that filtering
  request URLs is the wrong approach
  Care to elaborate on this?
  Filtering means "allow unless it matches". A security measure should be
  "deny unless it matches".

  Or maybe you've got a simple solution, to how one would limit URL
  requests to only allowable values?

 I don't think simple solutions exist. The closest I have seen that still
 was simple yet appeared to be somewhat effective was a company that did
  something akin to Hungarian notation. They had all their variables typed
  like user_uuid and article_int and they did type / bounds checking in
  the webserver, throwing security errors on every type mismatch or
  occurrence of a variable without the type declared.

 Jochem

 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311257


RE: SQL injection attack on House of Fusion

2008-08-19 Thread Dave Watts
 What is the ASP equivalent of CFQUERYPARAM?

http://prepared-statement.blogspot.com/

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311265


Re: SQL injection attack on House of Fusion

2008-08-19 Thread Qing Xia
Neat! Thanks Dave.

On Tue, Aug 19, 2008 at 11:54 AM, Dave Watts [EMAIL PROTECTED] wrote:

  What is the ASP equivalent of CFQUERYPARAM?

 http://prepared-statement.blogspot.com/

 Dave Watts, CTO, Fig Leaf Software
 http://www.figleaf.com/

 Fig Leaf Software provides the highest caliber vendor-authorized
 instruction at our training centers in Washington DC, Atlanta,
 Chicago, Baltimore, Northern Virginia, or on-site at your location.
 Visit http://training.figleaf.com/ for more information!

 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311271


Re: SQL injection attack on House of Fusion

2008-08-19 Thread Brad Wood
Qing, when you use cfquery with cfqueryparam, a prepared statement is 
generated.  So basically, you will be making ASP do the same thing CF does. 
CF just makes it easier.  :)

~Brad

- Original Message - 
From: Qing Xia [EMAIL PROTECTED]
To: CF-Talk cf-talk@houseoffusion.com
Sent: Tuesday, August 19, 2008 11:33 AM
Subject: Re: SQL injection attack on House of Fusion


 Neat! Thanks Dave.

 On Tue, Aug 19, 2008 at 11:54 AM, Dave Watts [EMAIL PROTECTED] wrote:

  What is the ASP equivalent of CFQUERYPARAM?

 http://prepared-statement.blogspot.com/


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311277


Re: SQL injection attack on House of Fusion

2008-08-17 Thread Jochem van Dieten
denstar wrote:
 On Sat, Aug 16, 2008 at 6:15 AM, Jochem van Dieten wrote:
 I haven't mentioned this before because I do believe that filtering
 request URLs is the wrong approach
 
 Care to elaborate on this?

Filtering means "allow unless it matches". A security measure should be 
"deny unless it matches".

Jochem

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311144


RE: SQL injection attack on House of Fusion

2008-08-17 Thread Andrew Scott
LoL...

At the end of the day I see hibernate as a great tool, and it hasn't been till
recently that I discovered how easy it is to use. Not perfect or as good as
GORM...

But hey I am not complaining...



-- 
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273




-Original Message-
From: denstar [mailto:[EMAIL PROTECTED] 
Sent: Sunday, 17 August 2008 2:34 PM
To: CF-Talk
Subject: Re: SQL injection attack on House of Fusion

On Sat, Aug 16, 2008 at 10:04 PM, Andrew Scott wrote:
 Well at the end of the day, I am currently using hibernate in ColdFusion
 thanks to Joe Reinhart I think is the one I am using. But I know plenty of
 people are looking into it at the moment.

Hibernate is easy to use with CF8 and Java.  Few lines of code.

Now, CF objects and hibernate is another matter.  :-)

The first thing I did was hook up HibernateTools (DB reverse
engineering into POJOs or HBMs), but I didn't feel that was right for
the majority of CF devs.

And having to restart things to see changes and whatnot?  Neh.  Crazy
classloading-ness?  Neh.

Hooking into a java-based model?  Sure.  Taking advantage of all the
awesome java tools?  Priceless.

But it ain't CF, per-se.  Not that that matters, of course, I just
decided I wanted it to, for kicks.

 I have even looked at using GORM in Coldfusion, to help with DDD. But
 haven't had the time to investigate as of yet. But I am very happy to even
 just use POJO's for now.

Right on.  Looks like a GORM-ish deal wouldn't be hard to rock with
about any ORM.

When you talk about DDD, how are you representing the domain?  Are you
using a modeling language?

Thanks,
DeN

-- 
Nothing except the mint can make money without advertising.
Thomas B. Macaulay



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311146


Re: SQL injection attack on House of Fusion

2008-08-17 Thread denstar
On Sun, Aug 17, 2008 at 2:08 AM, Jochem van Dieten wrote:
 denstar wrote:
 On Sat, Aug 16, 2008 at 6:15 AM, Jochem van Dieten wrote:
 I haven't mentioned this before because I do believe that filtering
 request URLs is the wrong approach

 Care to elaborate on this?

 Filtering means "allow unless it matches". A security measure should be
 "deny unless it matches".

So long as it's a simple list of matches, right?  If the list is too
complicated, you get the Gödel's Theorem effect, neh?  :-)

Heh, I can see it now-- MG3 not only auto-generates your controllers
and XML and whatnot, but using the power of introspection, it adds
rewrite rules to your vhost conf file per event, with type-binding!

That actually sounds pretty cool.

See, I'm wondering if this is closer to searching than security,
per-se.  Sorta thinking (it's getting late, so bear with me :) of a
lame example: I could parse a paragraph looking for every word that's
good, and tossing out the swear-words-- or just look for swear-words.
Which is going to be faster?  Which list is longer?

Maybe that analogy is broken.  Probably.  Hmm... Yup, cause you'd have
to throw in that they could make up new curses as well, without you
even knowing.  Hmm... Well, I'm sure you get the point I'm trying to
make by now (which could be a non-point), but I'll elaborate further,
because I'm not sure if it is a point :-)p

I'd want the lowest-level, most used to be the fastest checks, and the
highest level, least used to be the slowest, most thorough.  In an
ideal world, you could run the highest all the time, but that might be
a fake world, because the more encrypted you get, the longer it takes,
not only to break, but to encode and decode.  Maybe.  Probably another
broken analogy (and a lie ta boot), but whatever.  :)

Hmm... if you've got access to all the data at each level (what to
allow, say, in rewrite rules, or query parameters, etc.), I don't see
why you couldn't lock it down to only what's possible, vs. what could
be.  It would take organization tho.  Borg-like, Terminator-making
organization.  :-)

Or maybe you've got a simple solution, to how one would limit URL
requests to only allowable values?  I can't see anything short of
automation, but that's why this is taking so long.  Probably
overlooking something simple.

Eh.

What's your scenario, to help me grok this here, Jochem?  Search
Engine Safe?  Ha!  That's simple!  Force a pattern-- string([A-z]),
number, string!  Easy.

Is that a solve?

Damn.  This, by now dead, horse is freaking beat.  I'm going to sign off now...

-- 
slowly steps away from the keyboard...

--

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311147


RE: SQL injection attack on House of Fusion

2008-08-17 Thread Rick Faircloth
Andrew,

I need to check with my hosting provider to see if they've taken any
measures, but at least I'm on a VPS instead of shared hosting using MySQL.

After running my own server for 5 years and deciding that the cost of
VPS's made it worth outsourcing the hosting again, I can't imagine going
back to shared hosting and putting up with the limitations.  But sometimes,
it's necessary in some situations.

For now, it looks like I'm protected.  But I know the time is coming.

Rick

 -Original Message-
 From: Andrew Scott [mailto:[EMAIL PROTECTED]
 Sent: Saturday, August 16, 2008 10:38 PM
 To: CF-Talk
 Subject: RE: SQL injection attack on House of Fusion
 
 Rick,
 
 I think it is only a matter of time, I only have one ColdFusion website that
 is on a shared server/public. I have been through the attacks, but when
 speaking with the hosting provider I think they started to put measures in
 place for the entire servers.
 
 Not 100% sure, as I haven't seen these attacks for nearly 2 years. So I
 better touch some wood:-)
 
 
 
 
 
 --
 Senior Coldfusion Developer
 Aegeon Pty. Ltd.
 www.aegeon.com.au
 Phone: +613 9015 8628
 Mobile: 0404 998 273
 
 
 
 
 -Original Message-
 From: Rick Faircloth [mailto:[EMAIL PROTECTED]
 Sent: Sunday, 17 August 2008 3:39 AM
 To: CF-Talk
 Subject: RE: SQL injection attack on House of Fusion
 
 Man... at this point, after reading about all of these problems with
 SQL injection, and having been told that it doesn't concern MySQL, I'm glad
 I'm using MySQL.  This would be one big, time-consuming headache, otherwise.
 
 I'm a solo developer and can use whatever DB I prefer, but I realize some
 of you have to use the affected DB's.
 
 I'm sure the whole thing is nothing but aggravation, to the point of wanting
 to strangle (or shoot, if you're Andrew :o) (at least I think that's his
 preferred
 method of punishment) those abusing the DB's with attacks.
 
 However, my day to deal with the attackers will come, I'm sure...hang in
 there,
 guys and gals.
 
 Rick
 
  -Original Message-
  From: Mark Kruger [mailto:[EMAIL PROTECTED]
  Sent: Saturday, August 16, 2008 12:37 PM
  To: CF-Talk
  Subject: RE: SQL injection attack on House of Fusion
 
  David,
 
  As a stop gap while in full force you could use the ISAPI filtering
  technique or apache rewrite. This would keep it from reaching CF. Of
 course
  that still might mean changing for every site in your pool of sites. I
 have
  a post on it... The comments are pretty useful as well:
 
 
 http://www.coldfusionmuse.com/index.cfm/2008/8/8/isapi-rewrite-rule-prevents
  -sql-injection
 
  There are about 6 or 8 posts on the topic and links to many other blogs as
  well.
 
  If that doesn't work, I have dropped a blocker script into a few dozen
  vulnerable sites - again as a stop gap. It is important to note that
 these
  can only be considered a temporary fix.
 
  -mark
 
 
 
  Mark A. Kruger, CFG, MCSE
  (402) 408-3733 ext 105
  www.cfwebtools.com
  www.coldfusionmuse.com
  www.necfug.com
 
  -Original Message-
  From: David Moore [mailto:[EMAIL PROTECTED]
  Sent: Saturday, August 16, 2008 11:16 AM
  To: CF-Talk
  Subject: Re: SQL injection attack on House of Fusion
 
  I am new to the post, but I have been programming in CF for over 10 years
  and know some of you from the CF Forums.
 
  I am getting slammed with this crud as well on over 30 of my websites. Any
  suggestions as how to handle this for multiple sites on 1 server? I just
  discovered the issue as it seems to be targeting multiple sites on my
  server.
 
  David G. Moore, Jr.
  UpstateWeb, LLC
 
 
 
 
 
 
 
 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311148


RE: SQL injection attack on House of Fusion

2008-08-17 Thread Andrew Scott
Yeah, well my personal blog is on a shared hosting. But it uses Ray's
BlogCFC, so I feel safe. The problem though is that I don't get to see the
logs for the server, and have to rely on the hosting provider. As cheap as
they are, I do feel safe believe it or not.


-- 
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273




-Original Message-
From: Rick Faircloth [mailto:[EMAIL PROTECTED] 
Sent: Sunday, 17 August 2008 10:16 PM
To: CF-Talk
Subject: RE: SQL injection attack on House of Fusion

Andrew,

I need to check with my hosting provider to see if they've taken any
measures, but at least I'm on a VPS instead of shared hosting using MySQL.

After running my own server for 5 years and deciding that the cost of
VPS's made it worth outsourcing the hosting again, I can't imagine going
back to shared hosting and putting up with the limitations.  But sometimes,
it's necessary in some situations.

For now, it looks like I'm protected.  But I know the time is coming.

Rick

 -Original Message-
 From: Andrew Scott [mailto:[EMAIL PROTECTED]
 Sent: Saturday, August 16, 2008 10:38 PM
 To: CF-Talk
 Subject: RE: SQL injection attack on House of Fusion
 
 Rick,
 
 I think it is only a matter of time, I only have one ColdFusion website
that
 is on a shared server/public. I have been through the attacks, but when
 speaking with the hosting provider I think they started to put measures in
 place for the entire servers.
 
 Not 100% sure, as I haven't seen these attacks for nearly 2 years. So I
 better touch some wood:-)
 
 
 
 
 
 --
 Senior Coldfusion Developer
 Aegeon Pty. Ltd.
 www.aegeon.com.au
 Phone: +613 9015 8628
 Mobile: 0404 998 273
 
 
 
 
 -Original Message-
 From: Rick Faircloth [mailto:[EMAIL PROTECTED]
 Sent: Sunday, 17 August 2008 3:39 AM
 To: CF-Talk
 Subject: RE: SQL injection attack on House of Fusion
 
 Man... at this point, after reading about all of these problems with
 SQL injection, and having been told that it doesn't concern MySQL, I'm
glad
 I'm using MySQL.  This would be one big, time-consuming headache,
otherwise.
 
 I'm a solo developer and can use whatever DB I prefer, but I realize some
 of you have to use the affected DB's.
 
 I'm sure the whole thing is nothing but aggravation, to the point of
wanting
 to strangle (or shoot, if you're Andrew :o) (at least I think that's his
 preferred
 method of punishment) those abusing the DB's with attacks.
 
 However, my day to deal with the attackers will come, I'm sure...hang in
 there,
 guys and gals.
 
 Rick
 
  -Original Message-
  From: Mark Kruger [mailto:[EMAIL PROTECTED]
  Sent: Saturday, August 16, 2008 12:37 PM
  To: CF-Talk
  Subject: RE: SQL injection attack on House of Fusion
 
  David,
 
  As a stop gap while in full force you could use the ISAPI filtering
  technique or apache rewrite. This would keep it from reaching CF. Of
 course
  that still might mean changing for every site in your pool of sites. I
 have
  a post on it... The comments are pretty useful as well:
 
 

http://www.coldfusionmuse.com/index.cfm/2008/8/8/isapi-rewrite-rule-prevents
  -sql-injection
 
  There are about 6 or 8 posts on the topic and links to many other blogs
as
  well.
 
  If that doesn't work, I have dropped a blocker script into a few dozen
  vulnerable sites - again as a stop gap. It is important to note that
 these
  can only be considered a temporary fix.
 
  -mark
 
 
 
  Mark A. Kruger, CFG, MCSE
  (402) 408-3733 ext 105
  www.cfwebtools.com
  www.coldfusionmuse.com
  www.necfug.com
 
  -Original Message-
  From: David Moore [mailto:[EMAIL PROTECTED]
  Sent: Saturday, August 16, 2008 11:16 AM
  To: CF-Talk
  Subject: Re: SQL injection attack on House of Fusion
 
  I am new to the post, but I have been programming in CF for over 10
years
  and know some of you from the CF Forums.
 
  I am getting slammed with this crud as well on over 30 of my websites.
Any
  suggestions as how to handle this for multiple sites on 1 server? I just
  discovered the issue as it seems to be targeting multiple sites on my
  server.
 
  David G. Moore, Jr.
  UpstateWeb, LLC
 
 
 
 
 
 
 
 



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311149


RE: SQL injection attack on House of Fusion

2008-08-17 Thread Dave Francis
But hey I am not complaining...

Who are you, and why are you using Andrew's email address? 

-Original Message-
From: Andrew Scott [mailto:[EMAIL PROTECTED] 
Sent: Sunday, August 17, 2008 5:19 AM
To: CF-Talk
Subject: RE: SQL injection attack on House of Fusion

LoL...

At the end of the day I see hibernate as a great tool, and it hasn't been
till recently that I discovered how easy it is to use. Not perfect or as
good as GORM...

But hey I am not complaining...


--
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311150


RE: SQL injection attack on House of Fusion

2008-08-17 Thread Justin D. Scott
 Filtering means "allow unless it matches". A security
 measure should be "deny unless it matches".

I believe that depends on the proportion of wanted vs. unwanted items.  On a
firewall, this is the best approach because there are far more ports that
you don't want to have available than there are that you do want available,
so a "deny everything and allow these few" approach is workable.

Trying to apply the same logic to URLs isn't workable in my opinion.  With
dynamic web applications there are a virtually unlimited number of good
URLs that are possible, and only a handful that are undesirable.  This is
especially true if you pass session tokens through the URL for session
management.

I can think of a few ways to implement a security system to allow only
approved URLs, but none of them are any more effective than using secure
coding methods to begin with.  If you have a novel approach I'd be
interested in learning about it.


-Justin Scott


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311151


Re: SQL injection attack on House of Fusion

2008-08-17 Thread Jochem van Dieten
denstar wrote:
 On Sun, Aug 17, 2008 at 2:08 AM, Jochem van Dieten wrote:
 denstar wrote:
 On Sat, Aug 16, 2008 at 6:15 AM, Jochem van Dieten wrote:
 I haven't mentioned this before because I do believe that filtering
 request URLs is the wrong approach
 Care to elaborate on this?
 Filtering means "allow unless it matches". A security measure should be
 "deny unless it matches".

 Or maybe you've got a simple solution, to how one would limit URL
 requests to only allowable values?

I don't think simple solutions exist. The closest I have seen that still 
was simple yet appeared to be somewhat effective was a company that did 
something akin to Hungarian notation. They had all their variables typed 
like user_uuid and article_int and they did type / bounds checking in 
the webserver, throwing security errors on every type mismatch or 
occurrence of a variable without the type declared.

Jochem
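The typed-variable scheme Jochem describes, as an added illustration rather than code from the thread or from the company he mentions: each request variable carries its type in its name (user_uuid, article_int), the value is checked against that type, and the request is refused on any mismatch or on any variable without a declared type. The suffix set, the integer bounds and the allowed string characters are my assumptions.

```python
"""Deny-by-default request validation keyed on a type suffix.

Added illustration (not code from the thread): every request variable
declares its type in its name, e.g. user_uuid or article_int, and the
front end checks the value against that type. Anything it cannot match,
including a variable with no declared type, is a security error.
The suffixes, bounds and allowed string characters are assumptions.
"""
import re
import uuid
from urllib.parse import parse_qsl


class SecurityError(ValueError):
    """Raised for any request that fails the allow-list check."""


# Assumed bounds: non-negative SQL INT range and a short safe string.
INT_MIN, INT_MAX = 0, 2_147_483_647
STR_MAX_LEN = 64
SAFE_STR = re.compile(r"[A-Za-z0-9 ._-]*")   # used with fullmatch


def check_int(value: str) -> int:
    """ASCII digits only, then a bounds check; '42;DECLARE x' fails step one."""
    if not re.fullmatch(r"[0-9]{1,10}", value):
        raise SecurityError(f"not an integer: {value!r}")
    number = int(value)
    if not INT_MIN <= number <= INT_MAX:
        raise SecurityError(f"integer out of bounds: {number}")
    return number


def check_uuid(value: str) -> str:
    """Accept only a well-formed UUID and return its canonical form."""
    try:
        return str(uuid.UUID(value))
    except ValueError:
        raise SecurityError(f"not a UUID: {value!r}") from None


def check_str(value: str) -> str:
    """Short strings from a small character set; quotes and semicolons
    are outside the set, so they never reach a query."""
    if len(value) > STR_MAX_LEN or not SAFE_STR.fullmatch(value):
        raise SecurityError(f"string rejected: {value!r}")
    return value


# The suffix after the last underscore selects the checker.
CHECKERS = {"int": check_int, "uuid": check_uuid, "str": check_str}


def declared_type(name: str):
    """'article_int' -> 'int'; 'article' -> None (no type declared)."""
    if "_" not in name:
        return None
    return name.rsplit("_", 1)[1]


def validate_query(query: str) -> dict:
    """Return {variable: typed value}, or raise SecurityError.

    Deny unless it matches: an undeclared type, a duplicated variable or
    a value failing its check rejects the whole request, not one field.
    """
    typed = {}
    for name, raw in parse_qsl(query, keep_blank_values=True):
        if name in typed:
            raise SecurityError(f"duplicate variable: {name}")
        checker = CHECKERS.get(declared_type(name))
        if checker is None:
            raise SecurityError(f"variable without declared type: {name}")
        typed[name] = checker(raw)
    return typed


def classify(query: str) -> str:
    """Wrap validate_query as 'allow' or 'deny: <reason>' for logging."""
    try:
        validate_query(query)
        return "allow"
    except SecurityError as exc:
        return f"deny: {exc}"


if __name__ == "__main__":
    for q in ("article_int=42&user_uuid=123e4567-e89b-12d3-a456-426614174000",
              "article_int=42;DECLARE%20@s",     # constructed probe, rejected
              "article=42",                      # no type declared
              "count_int=2147483648",            # one past INT_MAX
              "title_str=hello%20world"):
        print(f"{q:60} {classify(q)}")
```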

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311154


Re: SQL injection attack on House of Fusion

2008-08-16 Thread denstar
On Fri, Aug 15, 2008 at 10:58 PM, Mark Mandel wrote:
 What I'm curious about, is that there seems to be no one you can report this 
 to?

Well, I'm pretty sure there is something we could do, but the general
attitude seems to be to just suck it up.

And buy some stocks in the tech hardware/broadband market.

;]

-- 
I got 3 new servers, and a switch!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311091


Re: SQL injection attack on House of Fusion

2008-08-16 Thread mac jordan
On Fri, Aug 15, 2008 at 11:56 PM, Brad Wood [EMAIL PROTECTED] wrote:

 They completely stopped on the 11th, but they are back today, spelling it
 like DeCLARE.



We're seeing the same - we're using RegExp to pick 'em up now.

-- 
mac jordan
www.webhorus.net | www.reactivecooking.com | www.nibblous.com |
www.jordan-cats.org
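The log check several posters describe (search the web server log for DECLARE, now arriving with mixed case such as DeCLARE), as an added example that is not code from any poster: it reads constructed IIS W3C extended log lines, takes the column layout from the #Fields directive, URL-decodes the query string, matches the keyword case-insensitively, and tallies hits per client address for the abuse report Jochem suggests. The log lines and addresses are constructed (RFC 5737 documentation ranges).

```python
"""Scan IIS W3C extended logs for the DECLARE probes discussed here.

Added example, not code from any poster. A plain text search for
DECLARE misses the mixed-case variant (DeCLARE) Brad and mac saw, so
this decodes the query string and matches keywords case-insensitively,
then tallies hits per client address for abuse reports to the ISP.
The log lines below are constructed; the addresses are RFC 5737
documentation ranges, not real sources.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample in the format IIS writes (one #Fields directive,
# then space-separated columns; '-' marks an empty field).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-08-15 09:12:01 192.0.2.10 GET /article.cfm id=42 200
2008-08-15 09:12:07 198.51.100.7 GET /article.cfm id=42;DeCLARE%20@s 500
2008-08-15 09:13:44 198.51.100.7 GET /list.cfm page=3%3BdEcLaRe+%40t 500
2008-08-15 09:14:02 192.0.2.11 GET /search.cfm q=declared+interests 200
2008-08-15 09:15:30 203.0.113.5 GET /article.cfm id=7%3BDECLARE%20%40x 500
2008-08-15 09:15:31 192.0.2.12 GET /about.cfm - 200
"""

# Keywords to alert on, matched as whole words after URL decoding.
# DECLARE is the one the thread discusses; extend the tuple as needed.
KEYWORDS = ("declare",)
PATTERN = re.compile(r"\b(?:" + "|".join(map(re.escape, KEYWORDS)) + r")\b",
                     re.IGNORECASE)


def scan_log(text: str) -> list:
    """Return one dict per suspicious request: ip, stem, decoded query, keyword.

    Columns come from the #Fields directive, so a reordered log layout
    still parses; data lines before any directive are skipped.
    """
    columns = None
    hits = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            columns = line.split()[1:]
            continue
        if not line or line.startswith("#") or columns is None:
            continue
        row = dict(zip(columns, line.split()))
        query = row.get("cs-uri-query", "-")
        if query == "-":
            continue
        decoded = unquote_plus(query)          # %20 and '+' become spaces
        match = PATTERN.search(decoded)
        if match:
            hits.append({"ip": row.get("c-ip", "-"),
                         "stem": row.get("cs-uri-stem", "-"),
                         "query": decoded,
                         "keyword": match.group(0).upper()})
    return hits


def top_sources(hits: list, limit: int = 10) -> list:
    """(ip, count) pairs, busiest first: the addresses to report to abuse desks."""
    return Counter(h["ip"] for h in hits).most_common(limit)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['ip']:15} {h['stem']:14} {h['query']}")
    print("sources:", top_sources(found))
```

A whole-word match on the decoded query keeps ordinary text such as "declared" out of the alerts, but a legitimate search for the word itself would still be flagged; the per-address tally is what separates a scanner from a one-off hit.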


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311092


Re: SQL injection attack on House of Fusion

2008-08-16 Thread Jochem van Dieten
Mark Mandel wrote:
 What I'm curious about, is that there seems to be no one you can report this 
 to?

You can report it to the abuse department of the ISP of the originating 
IP. Just look up the IP delegation and the abuse address is usually 
right there.

Jochem


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311095


RE: SQL injection attack on House of Fusion

2008-08-16 Thread Andrew Scott
LOL...

Ever heard of IP spoofing? Sure you need to complain about it, but the one
thing they need to do is track the packets. This will only work if all paths
along the way have log capturing to traverse the MAC address to get the
correct IP address.

But yes start with your IP, give them as much info as they need to do their
job with. It is then in their hands to contact the authorities to have the
individual charged.

I think this is one reason that there is not enough done when it comes to
DoD, and SQL Injections.

Which leaves me to something I have stated before, why the hell Coldfusion
didn't build this under the hood to begin with I do not know. Then it
wouldn't matter if you use cfqueryparam or not, there is nothing that this
tag does that couldn't be done under the hood.

However, it will not stop people from trying:-(

I mean with all the filters that Coldfusion has from ajax to flex
integration, one more filter for URLs would have been simple.


-- 
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273




-Original Message-
From: Jochem van Dieten [mailto:[EMAIL PROTECTED] 
Sent: Saturday, 16 August 2008 7:37 PM
To: CF-Talk
Subject: Re: SQL injection attack on House of Fusion

Mark Mandel wrote:
 What I'm curious about, is that there seems to be no one you can report
this to?

You can report it to the abuse department of the ISP of the originating 
IP. Just look up the IP delegation and the abuse address is usually 
right there.

Jochem




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311097


Re: SQL injection attack on House of Fusion

2008-08-16 Thread Jochem van Dieten
Andrew Scott wrote:
 Ever heard of IP spoofing? Sure you need to complain about it, but the one
 thing they need to do is track the packets.

IP spoofing is really only a significant problem with UDP. With TCP any 
decent ISP will catch spoofs in their egress filters. Even your cheap, 
Taiwanese black box NAT router at home will stop spoofing for TCP 
because it won't be able to match the NAT state.

You just send your complaints to the abuse department of their ISP and 
they will handle it. Or not, but that is really out of your hands.


 But yes start with your IP, give them as much info as they need to do their
 job with. It is then in their hands to contact the authorities to have the
 individual charged.

You want to charge somebody because his computer is infected with a trojan?


> Which leaves me to something I have stated before, why the hell Coldfusion
> didn't build this under the hood to begin with I do not know. Then it
> wouldn't matter if you use cfqueryparam or not, there is nothing that this
> tag does that couldn't be done under the hood.

There is no way CF can guess the right datatypes to bind my function 
arguments to when I call a polymorphic function in the database.


> I mean with all the filters that Coldfusion has from ajax to flex
> integration, one more filter for URL's would have been simple.

I haven't mentioned this before because I do believe that filtering 
request URLs is the wrong approach, but I'll let you in on a little 
secret: you can plug your filter regular expressions right into 
neo-security.xml. No need to change anything in any application, you 
just plug it in and enable the scriptprotect feature.

Jochem

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311098


RE: SQL injection attack on House of Fusion

2008-08-16 Thread Andrew Scott
Hmmm,

I believe IP spoofing is still a huge problem. I know little about it, so no
more comment on that, but a quick google shows that it is still a huge
problem.

As for polymorphic functions, that is not the issue. SQL injection is mainly
passed via the URL, header or some form of post to the server. A filter can
be placed to introspect every request to check the URL for known SQL
injection attacks.

That would then remove the need to have extra overload for each query,
because the initial request would have already been checked. So if you were
to have a component with 20 queries, and have hits of around 1000, the cycles
to do SQL protection in the cfqueryparam would be reduced to one check and
not 20 * 1000, but 1000 only. Surely that increase in speed has to be worth
something? No?

As for what else cfqueryparam offers, this can be handled by the cfquery
tag. After all, ColdFusion has been using JDBC drivers for a long time; the
cfqueryparam was introduced in the days when ColdFusion was not built on top
of Java. That means that the extra features that JDBC drivers introduce
(like pooling, binding etc.) can be taken care of under the hood. And with a
proper ORM, it would know what datatype you are requesting anyway.

But as I stated once before, Coldfusion 9 with Hibernate native support
would eliminate the SQL injection problem.

I can't vouch for php, .Net, but at least in the Java world ORM reduces that
risk to nil. And it's built into the ORM, so if the ORM can't work out your
polymorphic function in the database then how does it do it?

This thread was about SQL injection, and a better response would be for
the CFML engine to intercept every request and reject anything that looks
remotely like a SQL injection attack.

If you were in the Java, Grails world there is no such thing as
cfqueryparam. They do it under the hood, and there is no real reason that
Coldfusion can adopt the same.

How hard is that to understand?



-- 
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273







Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311101


Re: SQL injection attack on House of Fusion

2008-08-16 Thread Jochem van Dieten
Andrew Scott wrote:
> I believe IP spoofing is still a huge problem. I know little about it, so no
> more comment on that but a quick google shows that it is still a huge
> problem.

AIDS is a huge problem too. It is also about equally relevant for the 
current wave of SQL injection attacks.


> As for polymorphic functions, that is not the issue. SQL injection is mainly
> passed via the URL, header or some form of post to the server. A filter can
> be placed to introspect every request to check the URL for known SQL
> injection attacks.

Yes, a sufficiently advanced filter (basically an allow list of values) 
can do that. But you did not claim a filter could do that, you claimed 
ColdFusion could do anything cfqueryparam does under the hood. And that 
is just not true. It is impossible to extrapolate the correct datatype 
of input BIND variables from the text of the query string. You need code 
or convention for that.


> I can't vouch for php, .Net but at least in the Java world ORM reduces that
> risk to nil. And its built into the ORM, so if the ORM can't work out your
> polymorphic function in the database then how does it do it?

With an ORM in combination with an untyped language my use case of 
polymorphic functions would probably end up as a configuration issue in 
the ORM and the ORM exposing multiple functions to the application.


> This thread was about SQL injection, and a more better response would be for
> the CFML engine to intercept every request and reject anything that looks
> remotely like a sql injection attack.

But you can do that already. Just fiddle with the allowed SQL options in 
CF and observe the random failures in the application as CF tries to 
interpret SQL.

Whatever the solution is, it is not teaching CF how to interpret SQL. CF 
is the CFML runtime and should leave the interpretation of SQL to the 
database.


> If you where in the Java, Grails world there is no such thing as
> cfqueryparam. They do it under the hood, and there is no real reason that
> Coldfusion can adopt the same.

Maybe the tags don't exist, but in Java the concepts do. In fact, the 
CFML constructs map directly to Java classes:
cfquery -> java -> jdbc -> Statement
cfquery + cfqueryparam -> java -> jdbc -> PreparedStatement
cfstoredproc -> java -> jdbc -> CallableStatement


And I think Dave already explained to you why you shouldn't compare 
Grails and ColdFusion. Now, if you wanted to compare ModelGlue Unity and 
Grails, you will see that neither exposes cfqueryparam like 
functionality to the programmer. (But please don't claim the concepts 
aren't there, they are just hidden behind an ORM).

Jochem

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311102
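To make the Statement versus PreparedStatement mapping above concrete, here is an added example that is not code from the thread: the same lookup written both ways in Python against an in-memory SQLite database, standing in for the cfquery and cfquery + cfqueryparam shapes. The table, its rows, the function names and the constructed test input are all illustrative.

```python
import sqlite3

# Constructed sample rows so the block runs offline against an in-memory database.
SAMPLE_USERS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_statement(conn: sqlite3.Connection, name: str) -> list:
    """The cfquery-without-cfqueryparam shape (JDBC Statement): the value is
    pasted into the SQL text, so the database receives one string and has no
    way to tell where the programmer's SQL ends and the user's data begins."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_prepared(conn: sqlite3.Connection, name: str) -> list:
    """The cfquery-with-cfqueryparam shape (JDBC PreparedStatement): the SQL
    text is fixed and the value travels separately as a bind parameter, so no
    input can alter the statement's structure."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name: str) -> dict:
    """Run the same lookup both ways and return what each one came back with."""
    conn = make_db()
    try:
        return {
            "statement": find_user_statement(conn, name),
            "prepared": find_user_prepared(conn, name),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("alice"))           # both variants return the one matching row
    print(compare("x' OR 'a'='a"))    # pasted text: every row; bound value: no rows
    # compare("O'Brien") raises sqlite3.OperationalError in the pasted variant:
    # the apostrophe is read as SQL, which is the same confusion an attacker uses.
```

The bound variant never needs to know what the input looks like, which is the whole point of the mapping: the database driver, not the CFML runtime, keeps code and data apart.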


Re: SQL injection attack on House of Fusion

2008-08-16 Thread Claude Schneegans
> they are back.

Yeah, here too.

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311103


RE: SQL injection attack on House of Fusion

2008-08-16 Thread Andrew Scott
Hmm,

I wasn't trying to compare ColdFusion to Grails, I used grails as an example
because it relies heavily on an ORM. The ORM has the needed datatypes for
the DB (or bind / prepared Statements), but when it comes to SQL injection,
it doesn't appear to be an issue.

Please read what I said, I wasn't trying to compare apples to oranges. But
they both have the ability to be infected, it is up to how that protection
is put into place as to how much work is involved by the developer.

I stand by the fact that cfqueryparam can and should be taken care of under
the hood. Other languages are doing it, so what does that tell you?

That way older code can automatically be protected under the scenes with
no change to the application you design. It's not rocket science, but it is
something to consider.

Hibernate has no problems with SQL injection; why is that?

Because Hibernate DOES use prepared statements under the hood, so if it can
there is no reason why Coldfusion can't.



-- 
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273







Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311104


RE: SQL injection attack on House of Fusion

2008-08-16 Thread Andrew Scott
And you haven't seen Grails then, you can't get any more of a dynamic
language than that :-)

It uses GORM, which is an entry point to Hibernate and guess what, it takes
care of everything I spoke about.

Still no reason Coldfusion can't and I will stand by that.

-- 
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273






Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311105


Re: SQL injection attack on House of Fusion

2008-08-16 Thread denstar
On Sat, Aug 16, 2008 at 6:15 AM, Jochem van Dieten wrote:
> Andrew Scott wrote:
>> Ever heard of IP spoofing? Sure you need to complain about it, but the one
>> thing they need to do is track the packets.
>
> IP spoofing is really only a significant problem with UDP. With TCP any
> decent ISP will catch spoofs in their egress filters. Even your cheap,
> Taiwanese black box NAT router at home will stop spoofing for TCP
> because it won't be able to match the NAT state.

Unrelated, but isn't our government pretty much listening to all the
chatter across the wires?  Pity to think we couldn't take advantage of
that infrastructure. /joke

[...]

> There is no way CF can guess the right datatypes to bind my function
> arguments to when I call a polymorphic function in the database.

This, I'm curious about.  Aren't there ways to use some type of introspection?

Bah. I see your point, even if so, you end up having to understand
every type of SQL, if from a different angle.  No easy java SQL parser
to throw in, I guess.

Still, there aren't *that* many DBs out there that would need to be
supported... :-)p

> I haven't mentioned this before because I do believe that filtering
> request URLs is the wrong approach

Care to elaborate on this?

Even just a couple of rules in an apache conf file has helped quite a
bit to eliminate these spam hits on CF, without impacting anything
else, that I'm aware of... are you thinking something closer to the
network level?
Every piece you add opens holes, and I used to sorta shun rewriting
because of that, but, who am I kidding?  :-)  And it seems like
rewriting is pretty common-place, so pretty vetted.  But I'd love to
hear your take on the URL request filtering, Jochem!

:Denny

-- 
Few of the many wise apothegms which have been uttered have prevented
a single foolish action.
Thomas B. Macaulay

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311106


RE: SQL injection attack on House of Fusion

2008-08-16 Thread Andrew Scott
Actually,

That should have been the reverse on URL filtering:-( In other words, I
should or could write a filter to do the checking of SQL injections. Sorry
my bad there. But it is only one way to do it.

Anyway as I do grails work I dug this link up for you all...

http://docs.codehaus.org/display/GRAILS/Security

So it is possible to do under the hood, now I can't vouch for Transfer but I
do know Mark would have used cfqueryparam. Now as it is written in
ColdFusion in most parts, it does take care of the fact as a developer I
don't need to worry about the SQL injection as I am confident that Transfer
has taken care of it for me. That is a typical example of how ColdFusion can
and should do it under the hood.

And take particular notice how the data is escaped when committing to the
database.


-- 
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273







Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311107


Re: SQL injection attack on House of Fusion

2008-08-16 Thread Jochem van Dieten
Andrew Scott wrote:
> I stand by the fact that cfqueryparam, can and should be taken care of under
> the hood. Other languages are doing it, so what does that tell you?

It tells me that they need additional configuration or convention.


I have 2 functions with the following signatures in my database:
find(needle:char, haystack:text):boolean
find(needle:varchar, haystack:text):boolean

I call the database in one place using:
<cfquery ...>
SELECT find(
<cfqueryparam cfsqltype="cf_sql_varchar" value="#x#" />,
<cfqueryparam cfsqltype="cf_sql_varchar" value="#y#" />
)
</cfquery>
In another place I use:
<cfquery ...>
SELECT find(
<cfqueryparam cfsqltype="cf_sql_char" value="#x#" />,
<cfqueryparam cfsqltype="cf_sql_varchar" value="#y#" />
)
</cfquery>

Along comes your ColdFusion version that can determine datatypes to bind 
to automagically. So now I start using:
<cfquery ...>
SELECT find('#x#', '#y#')
</cfquery>
But which of the two find() functions in the database is going to get 
executed?

The only way to make sure a specific find() function is executed in the 
database is by configuring the ORM to do so. Fine, problem solved. But 
that is not under the hood.


ORMs need configuration too. That is not under the hood.

Jochem


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311108


Re: SQL injection attack on House of Fusion

2008-08-16 Thread James Holmes
You'll be happy to know that CF9 is rumoured to include Hibernate with
a corresponding set of tags, so CF should indeed be able to deal with
this under the hood.




-- 
mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311109


RE: SQL injection attack on House of Fusion

2008-08-16 Thread Andrew Scott
Have you ever done any GORM work?

Now technically embedding Hibernate into ColdFusion would technically be
under the hood as far as ColdFusion is concerned.

I mean, I might as well by your reasoning say that ajaxUI is not under the
hood in ColdFusion because it uses a 3rd party library to do its work.

In the event that ColdFusion does incorporate Hibernate it will technically
be under the hood, because your tags / functions call internal wrappers to
ColdFusion to do the work for you.

So technically GORM and its Domain Driven Design is considered to be under
the hood.

Technically




-- 
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273








Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:30


RE: SQL injection attack on House of Fusion

2008-08-16 Thread Andrew Scott
Man, you're about 6 months late with that news.



-- 
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273






Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:31


Re: SQL injection attack on House of Fusion

2008-08-16 Thread David Moore
Sorry for the problems with the House of Fusion site. We've been under
massive attack by SQL injection bots and I've just been able to get a handle
on it. A fast solution to the problem is this:
<cfif findNoCase(";DECLARE", cgi.query_string)><cfabort></cfif>
It works unless you have a few hundred attacks at a time. In that case,
place a cfmail before the abort and send yourself the cgi.remote_addr. Then
block it on the webserver level. It works very well. I've blocked a dozen
IPs and now the site is back to flying.

-- 
Michael Dinowitz (http://www.linkedin.com/in/mdinowitz)
President: House of Fusion (http://www.houseoffusion.com)
Publisher: Fusion Authority (http://www.fusionauthority.com)
Adobe Community Expert / Advanced Certified ColdFusion Professional 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:33
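Michael's stopgap above has two halves: a check for the ";DECLARE" marker in the query string, and a list of client addresses to block at the web server. The following is an added example, not code from the thread: a Python equivalent of the findNoCase check, applied to the URL-decoded query string so that a ";" sent as %3B is not missed (cgi.query_string is the raw, undecoded string), plus a scanner over W3C extended format (IIS-style) log lines that counts matching requests per client address. The log lines, addresses, field layout and threshold are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in W3C extended log format (IIS style); not real traffic.
# Field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-08-16 10:01:02 203.0.113.10 GET /news.cfm id=42 200
2008-08-16 10:01:05 198.51.100.7 GET /news.cfm id=42;DECLARE%20@s%20varchar(4000) 200
2008-08-16 10:01:06 198.51.100.7 GET /item.cfm id=7%3Bdeclare%20@s%20varchar(4000) 200
2008-08-16 10:01:09 203.0.113.10 GET /search.cfm q=declare+your+independence 200
2008-08-16 10:02:00 192.0.2.55 GET /news.cfm id=9%3BDECLARE+%40s 200
"""

# The marker the thread keys on: a statement separator followed by DECLARE.
DECLARE_PATTERN = re.compile(r";\s*DECLARE\b", re.IGNORECASE)


def looks_like_declare_injection(query_string: str) -> bool:
    """Python equivalent of findNoCase(";DECLARE", cgi.query_string).

    The test runs on the URL-decoded string: cgi.query_string is raw, so a
    ';' sent as %3B or a space sent as '+' would otherwise not match.
    """
    decoded = unquote(query_string.replace("+", " "))
    return DECLARE_PATTERN.search(decoded) is not None


def parse_w3c(log_text: str):
    """Yield (client_ip, query_string) per data line; '#' lines are directives."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        yield fields[2], fields[5]


def offending_ips(log_text: str, threshold: int = 1) -> dict:
    """Count matching requests per client address and keep those at or above
    the threshold: the list to feed the web server's IP block rule or the
    abuse desk of the originating ISP."""
    counts = Counter(
        ip for ip, query in parse_w3c(log_text)
        if looks_like_declare_injection(query)
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in sorted(offending_ips(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip}\t{n} hit(s)")
```

The fourth sample line shows why the semicolon belongs in the pattern: the word "declare" in an ordinary search term is not a statement separator and should not get an address blocked. As the thread says, this is triage; the fix is parameterised queries.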


Re: SQL injection attack on House of Fusion

2008-08-16 Thread Brad Wood
>> I haven't mentioned this before because I do believe that filtering
>> request URLs is the wrong approach
>
> Care to elaborate on this?

Denstar, dig out your neo-security.xml file.  In my Windows CF8 standalone 
install it is located in C:\ColdFusion8\lib\neo-security.xml

Look at the following section:

<var name="CrossSiteScriptPatterns">
  <struct type="coldfusion.server.ConfigMap">
    <var name="&lt;\s*(object|embed|script|applet|meta)">
      <string>&lt;InvalidTag</string>
    </var>
  </struct>
</var>

When you check the Enable Global Script Protection check box on the 
Settings page of ColdFusion Administrator, requests are filtered if anything 
in the Form, URL, CGI, or Cookie scope matches this regex: 
<\s*(object|embed|script|applet|meta)

What Jochem is saying, is to add to that regex to filter for whatever else 
you want and enable that setting.

While I agree with Jochem that request filtering is NOT the appropriate way 
to secure your application, this is a rather slick approach.

Also note, this is NOT rewriting.  It is not happening at the network 
level, nor is it happening at the web server level (Apache, IIS).  The 
requests are filtered when they reach ColdFusion.

~Brad 


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:34
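To make the mechanism Brad describes concrete, here is an added example, not code from the thread or from Adobe: a small Python model of Global Script Protection that parses a constructed fragment in the shape of the CrossSiteScriptPatterns map, compiles each pattern together with its replacement string, and applies them to the Form, URL, CGI and Cookie scopes of a constructed request. The second entry in the fragment (;\s*declare\b replaced by ;InvalidSQL) illustrates the kind of extra pattern Jochem suggests plugging in and is not a stock entry; compiling the patterns case-insensitively is an assumption about how CF compiles them, and the function names are mine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment shaped like the CrossSiteScriptPatterns section of
# neo-security.xml. The first entry is the stock pattern; the second is an
# added SQL-marker pattern of the kind the thread suggests plugging in (an
# illustrative assumption, not something the stock file ships with).
SAMPLE_CONFIG = r"""<var name="CrossSiteScriptPatterns">
  <struct type="coldfusion.server.ConfigMap">
    <var name="&lt;\s*(object|embed|script|applet|meta)">
      <string>&lt;InvalidTag</string>
    </var>
    <var name=";\s*declare\b">
      <string>;InvalidSQL</string>
    </var>
  </struct>
</var>
"""

# The scopes Global Script Protection covers.
PROTECTED_SCOPES = ("form", "url", "cgi", "cookie")


def load_patterns(config_xml: str) -> list:
    """Read the map: each inner <var name=REGEX><string>REPLACEMENT</string></var>.
    Patterns are compiled case-insensitively here (an assumption about how CF
    compiles them; the XML itself carries no flags)."""
    root = ET.fromstring(config_xml)
    patterns = []
    for var in root.iter("var"):
        if var is root:  # the outer <var> only names the map
            continue
        replacement = var.findtext("string", default="")
        patterns.append((re.compile(var.get("name"), re.IGNORECASE), replacement))
    return patterns


def script_protect(request: dict, patterns: list) -> tuple:
    """Rewrite every value in the protected scopes the way Global Script
    Protection does (replace, not reject) and report which values changed so
    the application can decide to abort the request instead."""
    cleaned = {}
    hits = []
    for scope, values in request.items():
        cleaned[scope] = {}
        for key, value in values.items():
            new_value = value
            if scope in PROTECTED_SCOPES:
                for regex, replacement in patterns:
                    new_value = regex.sub(replacement, new_value)
            if new_value != value:
                hits.append((scope, key))
            cleaned[scope][key] = new_value
    return cleaned, hits


# Constructed request: one script tag in the form scope, one SQL marker in url.
SAMPLE_REQUEST = {
    "url": {"id": "42;DECLARE @s varchar(4000)", "page": "2"},
    "form": {"comment": "hello <script>alert(1)</script>"},
    "cookie": {"theme": "dark"},
    "cgi": {"http_user_agent": "Mozilla/5.0"},
}

if __name__ == "__main__":
    cleaned, hits = script_protect(SAMPLE_REQUEST, load_patterns(SAMPLE_CONFIG))
    print(cleaned)
    print("modified:", hits)
```

Two things to notice. The filter rewrites the matched text rather than rejecting the request, so the page still runs on a modified value (that is why the returned hits list is there: it is what you would use to abort). And it only sees values that reach the named scopes in decoded form, which is the reason Jochem and Brad both call it a stopgap in front of code that should be using cfqueryparam, not a substitute for it.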


Re: SQL injection attack on House of Fusion

2008-08-16 Thread David Moore
I am new to the post, but I have been programming in CF for over 10 years and 
know some of you from the CF Forums.

I am getting slammed with this crud as well on over 30 of my websites. Any 
suggestions as how to handle this for multiple sites on 1 server? I just 
discovered the issue as it seems to be targeting multiple sites on my server.

David G. Moore, Jr.
UpstateWeb, LLC 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:35


Re: SQL injection attack on House of Fusion

2008-08-16 Thread Dominic Watson
> I can't vouch for php, .Net but at least in the Java world ORM reduces that
> risk to nil. And its built into the ORM, so if the ORM can't work out your
> polymorphic function in the database then how does it do it?

php is as ColdFusion and Java; you can use a plain query string or use
a parameterised statement / prepared statement. If you use the prepared
statement, you are protected from SQL injection (unless your SQL is
running some code on the db that takes your input and runs it as
dynamic SQL, of course ;).

I think the main trouble with cfqueryparam is that it has not been
pushed enough in the documentation and in books. This is why reams of
applications are not using it - the people writing the queries did not
know any different. I would say the same is true of php and prepared
statements though I have not enough experience in php to vouch for
that.

ORM is brilliant and hibernate appears to be great news for CF9.
However, I believe that ORM is an application design *choice* and not
something to be forced by the language (therefore hibernate will not
interfere with cfquery I presume). That said, I think that if CF could
make use of hibernate's data mapping knowledge to rewrite a plain
query to be a parameterised one, that would be great news indeed. I
think that is what Andrew is getting at - if it could be done
efficiently and without configuration or convention that would have to
be welcome.

A question for anyone who knows hibernate then; does it require
configuration per database, rely on convention or does it query the
schema to generate its mappings automatically?

Dominic

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:37


Re: SQL injection attack on House of Fusion

2008-08-16 Thread Dominic Watson
> I am new to the post, but I have been programming in CF for over 10 years and 
> know some of you from the CF Forums.

> I am getting slammed with this crud as well on over 30 of my websites. Any 
> suggestions as to how to handle this for multiple sites on 1 server? I just 
> discovered the issue as it seems to be targeting multiple sites on my server.

What people have done:

1. Make sure the database login that CF is using does not have access
to the system tables. This particular attack queries the schema to
find tables and fields to attack.

2. Put in place some kind of url rewrite rules to catch the threat and
deal with it at that point

3. Put in place some ColdFusion code that checks all forms of user
input for malicious code and that deals with it appropriately

4. Start the daunting task of putting cfqueryparam where it wasn't
already (daunting for those who have inherited apps with thousands of
queries, none of which used it)

A scan of this thread should get you the info on the rewrites rules
and CF code that people have put forward.

HTH

Dominic

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:38

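Dominic's two posts above make the same point twice: a plain query string built from request values is injectable, and a prepared / parameterised statement (cfqueryparam in CF, item 4 of his list) is not, unless the database itself turns the bound value back into dynamic SQL. The following is an added example, not code from the thread or from ColdFusion: Python's sqlite3 stands in for cfquery versus cfqueryparam (or a PHP/JDBC prepared statement), and the table, rows and payloads are constructed for the demo. Both the numeric-id case and the quoted-string LIKE case are shown, because they fail in different ways.

```python
"""Added example (not code from the thread or from ColdFusion): the same query
written the unsafe way, with the request value concatenated into the SQL text,
and the safe way, with the value bound as a parameter. Python's sqlite3 stands
in for <cfquery> versus <cfqueryparam>, or for a PHP/JDBC prepared statement.
Table, rows and payloads are constructed for the demo."""
import sqlite3

# Constructed sample data: two rows are "internal" and must never be returned
# by the public search.
ROWS = [
    (1, "Launch", "public"),
    (2, "Roadmap", "internal"),
    (3, "Pricing", "internal"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)", ROWS)
    return conn


def by_id_concat(conn, news_id):
    """Vulnerable: the equivalent of WHERE id = #url.id# inside a plain
    <cfquery>. Whatever the client sends becomes part of the SQL text."""
    sql = "SELECT title FROM news WHERE id = " + news_id
    return sorted(row[0] for row in conn.execute(sql))


def by_id_param(conn, news_id):
    """Hardened: the equivalent of <cfqueryparam value="#url.id#"
    cfsqltype="cf_sql_integer">. The SQL text is fixed; the value is data, and
    a non-numeric value simply matches nothing."""
    sql = "SELECT title FROM news WHERE id = ?"
    return sorted(row[0] for row in conn.execute(sql, (news_id,)))


def search_concat(conn, term):
    """Vulnerable LIKE search that is supposed to be restricted to public rows.
    A quote plus a SQL comment marker in the term removes that restriction."""
    sql = ("SELECT title FROM news WHERE title LIKE '%" + term + "%' "
           "AND body = 'public'")
    return sorted(row[0] for row in conn.execute(sql))


def search_param(conn, term):
    """Hardened LIKE search: the wildcards are added to the bound value, not to
    the SQL text, so quotes and comment markers in the term are inert."""
    sql = "SELECT title FROM news WHERE title LIKE ? AND body = 'public'"
    return sorted(row[0] for row in conn.execute(sql, ("%" + term + "%",)))


# Constructed payloads: a tautology for the numeric id, and a quote-break plus
# SQL comment for the string search.
ID_PAYLOAD = "1 OR 1=1"
SEARCH_PAYLOAD = "x%' OR body = 'internal' --"


def demo():
    """Run both shapes against the same payloads and return the result sets so
    the contrast can be checked programmatically."""
    conn = make_db()
    return {
        "id_concat": by_id_concat(conn, ID_PAYLOAD),            # every row leaks
        "id_param": by_id_param(conn, ID_PAYLOAD),              # no row matches
        "search_concat": search_concat(conn, SEARCH_PAYLOAD),   # internal rows leak
        "search_param": search_param(conn, SEARCH_PAYLOAD),     # nothing matches
        "legit": search_param(conn, "Launch"),                  # normal input still works
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14s} {rows}")
```

The caveat Dominic adds (a stored procedure that takes the bound value and runs it as dynamic SQL) is not modelled here, since sqlite has no procedures; the point stands that binding protects the statement you bind, not whatever the database does with the value afterwards.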

RE: SQL injection attack on House of Fusion

2008-08-16 Thread Mark Kruger
David,

As a stop gap while in full force you could use the ISAPI filtering
technique or apache rewrite. This would keep it from reaching CF. Of course
that still might mean changing for every site in your pool of sites. I have
a post on it... The comments are pretty useful as well:

http://www.coldfusionmuse.com/index.cfm/2008/8/8/isapi-rewrite-rule-prevents-sql-injection

There are about 6 or 8 posts on the topic and links to many other blogs as
well.

If that doesn't work, I have dropped a blocker script into a few dozen
vulnerable sites - again as a stop gap. It is important to note that these
can only be considered a temporary fix. 

-mark



Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:39


Re: SQL injection attack on House of Fusion

2008-08-16 Thread David Moore
> I haven't mentioned this before because I do believe that filtering
> request URLs is the wrong approach

> Care to elaborate on this?

Denstar, dig out your neo-security.xml file.  In my Windows CF8 standalone 
install it is located in C:\ColdFusion8\lib\neo-security.xml

Look at the following section:

    <var name='CrossSiteScriptPatterns'>
      <struct type='coldfusion.server.ConfigMap'>
        <var name='&lt;\s*(object|embed|script|applet|meta)'>
          <string>&lt;InvalidTag</string>
        </var>
      </struct>
    </var>

When you check the Enable Global Script Protection check box on the 
Settings page of ColdFusion Administrator, requests are filtered if anything 
in the Form, URL, CGI, or Cookie scope matches this regex: 
<\s*(object|embed|script|applet|meta)

What Jochem is saying, is to add to that regex to filter for whatever else 
you want and enable that setting.

While I agree with Jochem that request filtering is NOT the appropriate way 
to secure your application, this is a rather slick approach.

Also note, this is NOT rewriting.  It is not happening at the network 
level, nor is it happening at the web server level (Apache, IIS).  The 
requests are filtered when they reach ColdFusion.

~Brad 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311120


RE: SQL injection attack on House of Fusion

2008-08-16 Thread Rick Faircloth
Man... at this point, after reading about all of these problems with
SQL injection, and having been told that it doesn't concern MySQL, I'm glad
I'm using MySQL.  This would be one big, time-consuming headache, otherwise.

I'm a solo developer and can use whatever DB I prefer, but I realize some
of you have to use the affected DB's.

I'm sure the whole thing is nothing but aggravation, to the point of wanting
to strangle (or shoot, if you're Andrew :o) (at least I think that's his
preferred method of punishment) those abusing the DB's with attacks.

However, my day to deal with the attackers will come, I'm sure...hang in there,
guys and gals.

Rick


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311123


Re: SQL injection attack on House of Fusion

2008-08-16 Thread denstar
I'm doing the request filtering in apache so that it never even
bothers my CF engine with the request, but I was wondering if Jochem
didn't like the filtering for a reason.

I wouldn't rely on it alone in any way, shape or form, but just
cutting down on the spam hits on the application seems like a worthy
deal.

Doing it at the network level would be even faster and less intensive
application-wise, but I'm wondering if there's a problem with the very
idea that I haven't thought of.

Accidentally removing legitimate traffic, or just trading one weakness
for another-- something like that.

We need to be preventing this stuff on every level, layered like an
onion, as someone said earlier.

I was not endorsing request filtering as a sole means of protection,
for the record.  :-)

Gracias for the info on what turning on global script protection actually is!

:Den

-- 
He had a wonderful talent for packing thought close, and rendering it portable.
Thomas B. Macaulay



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311126

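Brad's post above describes what Global Script Protection actually does (apply the neo-security.xml pattern to every value in the Form, URL, CGI and Cookie scopes and rewrite matches to <InvalidTag), and denstar asks what the cost of that kind of request filtering is. The following is an added example, not code from the thread or from ColdFusion itself: a small Python model of that filter, run over three constructed requests, so that all three outcomes are visible at once: a script tag is caught and rewritten, a SQL-shaped payload sails through the shipped pattern untouched, and a legitimate CMS form field containing a pasted <meta> tag is mangled. The SQL_SHAPE_PATTERN is a hypothetical illustration of "adding to that regex", not something in the shipped file; case-insensitive matching is an assumption of the model.

```python
"""Added example, not code from the thread or from ColdFusion: a Python model
of Global Script Protection, using the pattern from the neo-security.xml
fragment quoted above, to show what it catches, what it misses, and what it
costs. Request scopes and payloads are constructed for the demo."""
import re

# Pattern copied from the neo-security.xml fragment ("&lt;" is an XML escape
# for "<"). Case-insensitive matching is an assumption of this model.
CF_SCRIPT_PATTERN = re.compile(r"<\s*(object|embed|script|applet|meta)", re.IGNORECASE)
CF_REPLACEMENT = "<InvalidTag"

# Hypothetical extra pattern of the kind Brad suggests adding to the regex.
# It is NOT in the shipped file and is only a rough illustration.
SQL_SHAPE_PATTERN = re.compile(
    r"\b(union\s+select|declare\s+@\w+|exec(ute)?\s*\()", re.IGNORECASE
)


def script_protect(scopes):
    """Rewrite every matching value in the form/url/cgi/cookie scopes the way
    the Administrator setting does. Returns the rewritten scopes and the
    (scope, key) pairs that were touched."""
    cleaned, touched = {}, []
    for scope, values in scopes.items():
        cleaned[scope] = {}
        for key, value in values.items():
            new_value, count = CF_SCRIPT_PATTERN.subn(CF_REPLACEMENT, value)
            if count:
                touched.append((scope, key))
            cleaned[scope][key] = new_value
    return cleaned, touched


def scan_request(scopes, patterns):
    """The 'reject the request' variant: report every (scope, key, pattern)
    that matches and let the caller block or log. `patterns` maps a label to
    a compiled regex."""
    hits = []
    for scope, values in scopes.items():
        for key, value in values.items():
            for name, pattern in patterns.items():
                if pattern.search(value):
                    hits.append((scope, key, name))
    return hits


# Constructed requests: one carrying a script tag, one carrying SQL keywords
# aimed at the schema, one where a CMS editor legitimately pasted an HTML
# head fragment into a form field.
REQUESTS = {
    "xss": {"url": {"id": "7", "q": "<script>alert(1)</script>"},
            "form": {}, "cookie": {"s": "abc"}},
    "sql": {"url": {"id": "1 union select name from sysobjects"},
            "form": {}, "cookie": {}},
    "legit": {"url": {},
              "form": {"head": '<meta name="description" content="x">'},
              "cookie": {}},
}


def demo():
    """Run the shipped pattern and the widened pattern set over each request."""
    results = {}
    for label, scopes in REQUESTS.items():
        cleaned, touched = script_protect(scopes)
        results[label] = {
            "touched": touched,
            "cleaned": cleaned,
            "default": scan_request(scopes, {"cf": CF_SCRIPT_PATTERN}),
            "widened": scan_request(scopes, {"cf": CF_SCRIPT_PATTERN,
                                              "sql": SQL_SHAPE_PATTERN}),
        }
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, "touched:", r["touched"], "default:", r["default"],
              "widened:", r["widened"])
```

The "legit" case is the trade-off denstar is asking about: a pattern that is wide enough to be useful will also rewrite or block some real traffic, and since this runs inside ColdFusion on every request, each pattern added is also cycles spent before your code sees the request. It is a stop gap; the query-level fix is still cfqueryparam.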

Re: SQL injection attack on House of Fusion

2008-08-16 Thread James Holmes
So for six months you've known the feature is coming yet you're still
arguing about it now? Do you just like wasting people's time?

On Sat, Aug 16, 2008 at 11:37 PM, Andrew Scott
[EMAIL PROTECTED] wrote:
> Man you're about 6 months late with that news


-- 
mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311129


RE: SQL injection attack on House of Fusion

2008-08-16 Thread Andrew Scott
Another not so common approach, is spamstop.

This little wrapper for CF allows someone to filter the request by known
attackers. So you could redirect them away or display garbage on the screen
or whatever.

Maybe another stop gap measure.





-- 
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273





Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311130


RE: SQL injection attack on House of Fusion

2008-08-16 Thread Andrew Scott
Rick,

I think it is only a matter of time, I only have one ColdFusion website that
is on a shared server/public. I have been through the attacks, but when
speaking with the hosting provider I think they started to put measures in
place for the entire server.

Not 100% sure, as I haven't seen these attacks for nearly 2 years. So I
better touch some wood :-)





-- 
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273







Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311131


RE: SQL injection attack on House of Fusion

2008-08-16 Thread Andrew Scott
No I am not arguing about it, I am saying that there is no reason that
ColdFusion could not do what I said it could. It only means that with the
release of ColdFusion 9, it is more of a possibility that SQL Injection will
become a thing of the past for ColdFusion.

It doesn't excuse the fact that when cfqueryparam was introduced, it
couldn't have done something like this a long time ago.

The argument came about because people believed it was not possible for
ColdFusion to do this stuff under the hood, the reality was that it could
have a long time ago. It just never was a request or thought about before.

If you read anything I have said, you would see I am not arguing about it.
But making a statement that it was and could have been possible. Nothing
more nothing less. It was everyone else who disagreed, well almost everyone
else.




-- 
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273






Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311134


Re: SQL injection attack on House of Fusion

2008-08-16 Thread denstar
There are always trade-offs.

Everything you add is a few (or more) cycles, and you've got to at
least sorta aim for optimization (if ambiguously).

Like, the hibernate stuff seems plenty fast to me right now, but what
happens when I toss a ton of requests at it, or use large tables or
something?

It would be cool to have a switch to turn it on tho, and leave it on
by default.  :-)


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311137


RE: SQL injection attack on House of Fusion

2008-08-16 Thread Andrew Scott
Well at the end of the day, I am currently using hibernate in ColdFusion
thanks to Joe Reinhart I think is the one I am using. But I know plenty of
people are looking into it at the moment.

I have even looked at using GORM in Coldfusion, to help with DDD. But
haven't had the time to investigate as of yet. But I am very happy to even
just use POJO's for now.



-- 
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613 9015 8628
Mobile: 0404 998 273






Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311141


Re: SQL injection attack on House of Fusion

2008-08-16 Thread denstar
On Sat, Aug 16, 2008 at 10:04 PM, Andrew Scott wrote:
> Well at the end of the day, I am currently using hibernate in ColdFusion
> thanks to Joe Reinhart I think is the one I am using. But I know plenty of
> people are looking into it at the moment.

Hibernate is easy to use with CF8 and Java.  Few lines of code.

Now, CF objects and hibernate is another matter.  :-)

The first thing I did was hook up HibernateTools (DB reverse
engineering into POJOs or HBMs), but I didn't feel that was right for
the majority of CF devs.

And Having to restart things to see changes and whatnot?  Neh.  Crazy
classloading-ness?  Neh.

Hooking into a java-based model?  Sure.  Taking advantage of all the
awesome java tools?  Priceless.

But it ain't CF, per-se.  Not that that matters, of course, I just
decided I wanted it to, for kicks.

> I have even looked at using GORM in Coldfusion, to help with DDD. But
> haven't had the time to investigate as of yet. But I am very happy to even
> just use POJO's for now.

Right on.  Looks like a GORM-ish deal wouldn't be hard to rock with
about any ORM.

When you talk about DDD, how are you representing the domain?  Are you
using a modeling language?

Thanks,
DeN

-- 
Nothing except the mint can make money without advertising.
Thomas B. Macaulay

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311142

