I read the following article on TechNet a couple of years ago, and
after implementing a HackerBasher site, we saw a big decrease in
suspicious activity.
http://technet.microsoft.com/en-us/magazine/cc160810.aspx
The basic premise of the article is that most scripts work by
attacking ip
Lots of things you can do
1. always use cfqueryparam
2. you can enable script protection from CF admin (depending on what version
you are on), alternatively you can use a custom function that filters the
URL and FORM vars, I can send it to you if you can't enable it in the admin
On Fri, Sep 26,
Hi Claude
As you pointed out, cfqueryparam is the best bet; however, even
though we had cfqueryparam and weren't affected, it was still annoying
getting all the errors in the logs, so we added the following to
Application.cfm:
<cfif reFindNoCase("declare", cgi.query_string)>
<cfcontent reset="Yes">
<cfheader
funny this post should come up.
right at this moment I'm just watching a Connect presso of a CFUG in
the States: Ben Greenbaum from Symantec is speaking about web
application security, and how web applications are being attacked to
harvest and gather information from end-users.
it's
Claude Raiola wrote:
We have just had an SQL injection attack.
Given we have several hundred ColdFusion pages and the SQL database has
several hundred tables, has anyone found a reliable solution whereby a
script can be placed in the Application.cfm page that will prevent code
being
Another thing you can do is create different datasources, each with
different rights:
- read only
- update
- delete
And use the read-only datasource on the queries that only read data. The
ones that update data might be behind a username and password, so that would
make it more difficult for the
On Tue, Jun 06, 2006 at 11:17:24PM -0700, [EMAIL PROTECTED] wrote:
Hi Folks,
Read a good article on SQL Injection attacks today:
http://www.unixwiz.net/techtips/sql-injection.html
I've always been under the impression that quoted form fields are safe
from SQL injection attacks because
more programmers, but they're hard to find at the moment.
Thanks
Joel
-Original Message-
From: cfaussie@googlegroups.com [mailto:[EMAIL PROTECTED]
Behalf Of Barry Beattie
Sent: Wednesday, 7 June 2006 4:27 PM
To: cfaussie@googlegroups.com
Subject: [cfaussie] Re: SQL Injection in CF
ahem
What issues have you hit with cfqueryparam Joel?
I've also been using it since 4.5, and have never really hit a wall with it.
I'm curious to know what your problems have been?
Regards,
Mark
On 6/8/06, Joel Cass [EMAIL PROTECTED] wrote:
Because there have been some issues with the
there, so I'm a little stuck with this at the moment.
Joel
-Original Message-
From: cfaussie@googlegroups.com [mailto:[EMAIL PROTECTED]
Behalf Of Mark Mandel
Sent: Thursday, 8 June 2006 10:16 AM
To: cfaussie@googlegroups.com
Subject: [cfaussie] Re: SQL Injection in CF
What issues have you
Yes,
You are correct, but there will be other queries on the page, I'm sure.
What you need for SQL injection is a table name: users.dbo.person
So the error gives all that and more, so if there is another keyword search
page or similar, without vals or cfqueryparams, away you go.
Moral of the