Code (not sql) injection by hackers via coldfusion

Does anyone have any information on how hackers might inject code into my ColdFusion files?  I am having a problem with hackers installing JavaScript links to their trojans inside the actual pages of my site.  I run the server with many different sites on it and the injections are ONLY happening on the ColdFusion sites.  I tried to search for "code injection ColdFusion" information through the search engines and this forum but didn't find anything.  What potential holes in my ColdFusion code would allow a hacker to inject code into the actual files on the server?  I am mainly seeing the code injected into application.cfm itself so that the links are displayed on every page.  Guess these hackers are familiar with ColdFusion.

The only way that hackers can modify your ColdFusion Code is to get access to your server so that they can actually modify the CFM and/or CFC files that are stored upon it.  Unfortunately, on a shared-hosting setup that's not terribly difficult to do.  And, most programmers neglect to consider the file access permissions (other than the "x"ecutable bit in Unix/Linux) that they attach to any particular file when they upload them.
You need to be certain that all of the files in your directories, and the directories themselves, are locked-down so that no one can modify them, and so that no one but "you 'n the web server" can see what they contain.  (Remember, shared-hosting companies give away shared-hosting accounts like water, and it's sometimes effortless for "the web-site next door" to see much more than it ought to be able to see... and maybe, to modify something!)
If you're running on a Linux host, see if the server appears to support Access Control Lists (ACLs) and whether you as a secure-shell user can establish them.  If so, this will allow you to restrict access more thoroughly than the "owner/group/world" permissions-mask system would allow.  The equivalent mantra with regards to Windows hosts is different in details only.  One way or the other, implement the "principle of least privilege."
The larger problem, of course, remains with us:  the end-user's computer, and the shameless reality that the aforesaid user is probably an all-powerful Administrator of a Windows "Home Edition" something-or-other ... whose entire system, therefore, is a sitting duck with no backups.   You can't do anything at all about that.
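An added example, not from the thread, of the lock-down and detection the answer above describes, written as POSIX shell functions for a Linux host with GNU find and coreutils: one function lists anything under the web root that group or world can write to, one applies least privilege (owner read/write, an optional web-server group read-only, nobody else), and the rest record and re-check SHA-256 hashes of the .cfm/.cfc templates so that an edited application.cfm, or a template dropped after the baseline was taken, is reported. The function names and the web-root path are this example's own.

```shell
#!/bin/sh
# Added example: audit and lock down a ColdFusion web root, then detect edits.
# Function names are hypothetical; requires GNU find and coreutils (sha256sum).

# List every file and directory under the web root that group or world may
# write to (the hole that lets "the web-site next door" edit application.cfm).
audit_perms() {
    find "$1" \( -type f -o -type d \) -perm /022 -print | sort
}

# Least privilege for the tree: owner may read/write, the web-server group
# (second argument, optional) may read, everyone else gets nothing.
# Capital X sets the execute bit only on directories, so templates stay
# non-executable files.
lock_down() {
    if [ -n "${2:-}" ]; then
        chgrp -R "$2" "$1"
    fi
    chmod -R u=rwX,g=rX,o= "$1"
}

# Record a SHA-256 for every CFML template so later edits can be spotted.
# Usage: make_baseline WEBROOT BASELINE_FILE
make_baseline() {
    find "$1" -type f \( -name '*.cfm' -o -name '*.cfc' \) -print | sort |
        while IFS= read -r f; do sha256sum "$f"; done > "$2"
}

# Print the path of every baselined template whose content changed.
# sha256sum -c reports "path: FAILED" for a mismatch; keep only the path.
# Usage: check_baseline BASELINE_FILE
check_baseline() {
    sha256sum -c --quiet "$1" 2>/dev/null | sed -n 's/: FAILED$//p' || :
}

# Print templates present now that were not in the baseline (a dropped file).
# Usage: new_files WEBROOT BASELINE_FILE
new_files() {
    known=$(mktemp)
    sed 's/^[0-9a-f]\{64\}  //' "$2" > "$known"
    find "$1" -type f \( -name '*.cfm' -o -name '*.cfc' \) -print | sort |
        grep -vxF -f "$known" || :
    rm -f "$known"
}
```

Run make_baseline once after a clean deploy and schedule check_baseline and new_files from cron; keep the baseline file outside the web root, since a writer who can edit application.cfm could otherwise edit the baseline too.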

Similar Messages

  • Protect From SQL Injection in ASP

    Hi, can anyone tell me different ways of how to protect from
    SQL Injection in ASP via DW or other means? I thought there was
    something in DW that would automatically do that.
    This would be a simple text form field which will allow
    visitors to search for a product from a db.
    thanks

    Google "SQL Injection ASP".
    Murray --- ICQ 71997575
    Adobe Community Expert

  • SQL Injection & CF code Attacks

    One thing I've noticed with sites using CF is that many, many
    programmers do not take into account SQL Injection and CF Form/URL
    variable attacks. I've seen SO many CF pages that blow up when the
    input varies in the slightest, displaying CF error messages,
    datasources, variable names, etc.
    Seems not enough programmers use CFTRY/CFCATCH or even know
    about it. I've seen where SQL table names and datasources were
    being passed in a URL!! It's frightening
    Interested in everyone's BEST PRACTICES to avoid these types
    of attacks.
    I'll start it off with a few I use:
    * Use CFTRY / CFCATCH.
    * ALWAYS set the maxlength value on form input text boxes and
      make sure the value matches the corresponding column length in your
      DB. If you do not, someone can enter a huge amount of data in the
      field, causing your CF routine or DB to choke.
    * Scope all variables, URL, Form, etc.
    * Use numbers/integers whenever possible for URL variable values.
    * Avoid using varchar as the data type in your stored procedures
      for passed URL or Form variables. Use INT instead.
    * Validate user input using CF before passing to your SQL, etc.
      queries. Test for allowed/disallowed characters, blanks, length of
      input value, etc.
    * Use stored procedures whenever possible.
    * Don't make URL or Form variable names too descriptive. ex.
      ?m=100 is better than ?memberID=100

    In addition to the things listed above, you should never
    expect the values sent from any form submission to be 100% as they
    are coded. There are tons of programs out there that can be used to
    intercept and alter the submitted data before it hits your server.
    It is a slow process, but we are locking down any and all form
    variables not just type="text" and textareas.
    If a user has the ability to alter submitted data, they can
    change the values for all types of form fields (hidden, radio,
    checkbox, select, button, etc...). A lot of our old code did not
    take that into consideration and simply allowed the value entered
    from a "predefined" (hard coded value) form type (radio, checkbox,
    etc...) directly into the database without a check.
    Another step is to turn off "Enable Robust Exception
    Information" in the CF Administrator. This step will help in not
    giving an attacker the complete SQL statement being used in your
    code. Note: This is a recommended practice for all production CF
    servers as it is, but it never hurts to say it. CFTRY/CFCATCH
    blocks work as well to hide that info, but neither way will
    prevent an attack.
    You also cannot rely on client side JavaScript for
    validation.
    CR

  • Sql injection attack - need help changing ASP code

    Our web server was attacked yesterday by SQL injection. So I
    quickly learned about the holes in the code that was generated by
    Dreamweaver MX 2004.
    I found the help article on the Adobe website to fix the ASP
    code; however I need more information for my particular case. I
    don't know how to get my cursor type and location settings into the
    new code.
    MY ORIGINAL CODE
    <%
    Dim Recordset1
    Dim Recordset1_numRows
    Set Recordset1 = Server.CreateObject("ADODB.Recordset")
    Recordset1.ActiveConnection = MM_Oncology_STRING
    ' Vulnerable: the parameter is concatenated into the SQL text. Replace() only
    ' doubles single quotes, and the numeric Oncology_ID value is never quoted,
    ' so anything else in the value becomes part of the statement.
    Recordset1.Source = "SELECT * FROM dbo.Oncology_Dir WHERE Oncology_ID = " + Replace(Recordset1__MMColParam, "'", "''") + ""
    Recordset1.CursorType = 0     ' adOpenForwardOnly
    Recordset1.CursorLocation = 3 ' adUseClient
    Recordset1.LockType = 1       ' adLockReadOnly
    Recordset1.Open()
    Recordset1_numRows = 0
    %>
    THE NEW CODE, WHICH NEEDS TO BE FIXED TO REFLECT CURSOR TYPE
    AND LOCATION ABOVE.
    <%
    Dim Recordset1
    Dim Recordset1_cmd
    Dim Recordset1_numRows
    Set Recordset1_cmd = Server.CreateObject("ADODB.Command")
    Recordset1_cmd.ActiveConnection = MM_Oncology_STRING
    ' The value is bound to the ? placeholder and never becomes part of the SQL text
    Recordset1_cmd.CommandText = "SELECT * FROM dbo.Oncology_Dir WHERE Oncology_ID = ?"
    Recordset1_cmd.Prepared = true
    ' CreateParameter(name, type, direction, size, value):
    ' 5 = adDouble, 1 = adParamInput, -1 = size (not needed for numeric types)
    Recordset1_cmd.Parameters.Append Recordset1_cmd.CreateParameter("param1", 5, 1, -1, Recordset1__MMColParam) ' adDouble
    Set Recordset1 = Recordset1_cmd.Execute
    Recordset1_numRows = 0
    %>
    What exactly is the 5,1,-1 in the code above?
    Any help would be very much appreciated as my ASP page
    (although secured from SQL injection) is not working properly.
    Thanks,
    --Jen

    The new snippet is not vulnerable to SQL injection. It uses a
    command object and actual defined parameters, so you're safe. You
    cannot change the cursor type or location on that object.

  • SQL Injection analysis report does not work.

    I have tried to run the SQL Injection report (Home|Utilities|Object Reports Security|SQL Injection) but it comes up with the following message.
    "SQL Injection analysis is not supported with your current database version. It is only available for Oracle release 10.2 or higher."
    I have tried this as both an ordinary user and as system, on both Windows XP and Linux

    This is a bug in the XE Beta. The SQL Injection Analysis will not be accessible for XE production.
    Joel

  • SQL Injection Blocker

    Hello all-
    I've got a server with a huge number of ColdFusion templates
    (over 10,000) which I really need to protect against SQL Injection.
    I know that CFQUERYPARAM is the best way to do this. I'd love
    to do it that way, but with so many pages, and so many queries it
    would take weeks/months to fix the queries, then test to make sure
    I didn't screw something up.
    So, I've come up with a plan that I wanted to get some input
    on.
    Currently, I have a page on my server that is included in
    almost every page that runs. It is a simple page that I can modify
    to change the status of my systems in the event of a database
    changeover, or some other sort of failure. (The pages still run,
    but no updating is allowed, only reading)
    Okay, so on this page which is always included, I was
    thinking about analyzing the variables that come over. I was
    thinking about looking for things that looked like a SQL injection
    attack and blocking the page from running.
    I wanted to know if this would work- anyone have ideas? This
    would be great because I could protect the entire server in about
    an hour. But, I don't want to give myself a false sense of security
    if this won't really do the job.

    First, here are some simple things you can do to protect all
    pages before you follow the other advice and plans in this thread:
    In CF administrator, click on your datasources and then the
    "Advanced" button.
    There you will uncheck all but the read and stored procedure
    and (possibly) write permissions. "Drop", "Create", etc., are
    definite no-nos here.
    If you haven't already, make one data source read-permissions
    only and refactor your code to use it everywhere except for
    carefully segregated updates, inserts and deletes.
    Now, in SQL Server itself, remove all permissions from the
    users that CF uses except for data_reader and (selectively) data
    writer and exec permissions on any procedures or functions you use.
    In SQL server, setup at least two CF users. One, should have
    only the data_reader permission (plus any read-only stored
    procedures).
    Find articles, such as this one:
    http://www.sqlservercentral.com/columnists/bknight/10securingyoursqlserver.asp,
    and follow their advice, start with locking down xp_cmdshell.
    These measures require little or no CF code changes but will
    block all but the most determined and skilled hackers. You still
    need to follow Adam's advice though.
    BTW, Dan is very wrong, ALL DB's are vulnerable to SQL
    injection.
    SQL server is not even the most vulnerable anymore (Studies
    show that Oracle now has that "honor").

  • Can SQL injection output rows to hacker?

    Can a hacker retrieve rows through SQL injection or simply
    just jumble up the data? I wouldn't see how they could get the rows
    without coldfusion code that will actually be instructed to output
    the query. If not, are there any hot cf/mssql hacking techniques to
    steal database rows?

    chazman113 wrote:
    > Can a hacker retrieve rows through SQL injection
    Yes, yes they can.
    You are correct that there would need to be code to output
    the data.
    The hackers just use the code you already have built to
    output data.
    But then use SQL injection tricks to output more data then
    the developer
    intended for anybody to see.
    Here is a blog that describe a real life example of just
    that.
    http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Numbers,-Other-Sensitive-Data.aspx

  • Sql injection

    What is SQL Injection?
    SQL Injection is a way to attack the data in a database through a firewall protecting it. It is a method by which the parameters of a Web-based application are modified in order to change the SQL statements that are passed to a database to return data. For example, by adding a single quote (‘) to the parameters, it is possible to cause a second query to be executed with the first.
    An attack against a database using SQL Injection could be motivated by two primary objectives:
    1. To steal data from a database from which the data should not normally be available, or to obtain system configuration data that would allow an attack profile to be built. One example of the latter would be obtaining all of the database password hashes so that passwords can be brute-forced.
    2. To gain access to an organisation’s host computers via the machine hosting the database. This can be done using package procedures and 3GL language extensions that allow O/S access.
    There are many ways to use this technique on an Oracle system. This depends upon the language used or the API. The following are some languages, APIs and tools that can access an Oracle database and be part of a Web-based application.
    * JSP
    * ASP
    * XML, XSL and XSQL
    * Javascript
    * VB, MFC, and other ODBC-based tools and APIs
    * Portal, the older WebDB, and other Oracle Web-based applications and API’s
    * Reports, discoverer, Oracle Applications
    * 3- and 4GL-based languages such as C, OCI, Pro*C, and COBOL
    * Perl and CGI scripts that access Oracle databases
    * many more.
    Any of the above applications, tools, and products could be used as a base from which to SQL inject an Oracle database. A few simple preconditions need to be in place first though. First and foremost amongst these is that dynamic SQL must be used in the application, tool, or product, otherwise SQL Injection is not possible.
    The final important point not usually mentioned in discussions about SQL injection against any database including Oracle is that SQL injection is not just a Web-based problem. As is implied in the preceding paragraph, any application that allows a user to enter data that may eventually end up being executed as a piece of dynamic SQL can potentially be SQL injected. Of course, Web-based applications present the greatest risk, as anyone with a browser and an Internet connection can potentially access data they should not.
    While second article of this series will include a much more in-depth discussion of how to protect against SQL injection attacks, there are a couple of brief notes that should be mentioned in this introductory section. Data held in Oracle databases should be protected from employees and others who have network access to applications that maintain that data. Those employees could be malicious or may simply want to read data they are not authorized to read. Readers should keep in mind that most threats to data held within databases come from authorized users.
    Protecting against SQL Injection on Oracle-based systems is simple in principle and includes two basic stages. These are:
    1. Audit the application code and change or remove the problems that allow injection to take place. (These problems will be discussed at greater length in the second part of this series.)
    2. Enforce the principle of least privilege at the database level so that even if someone is able to SQL inject an application to steal data, they cannot see anymore data than the designer intended through any normal application interface.
    The “Protection” section, which will be included in the second part of this series, will discuss details of how to apply some of these ideas specifically to Oracle-based applications.
    [http://www.securityfocus.com/infocus/1644]
    How does Oracle prevent SQL injections?

    mango_boy wrote:
    > damorgan wrote:
    > > And they do so using bind variables
    > > http://www.morganslibrary.org/reference/bindvars.html
    > > and DBMS_ASSERT
    > > http://www.morganslibrary.org/reference/dbms_assert.html
    > do you have any suggestion for mysql users??
    Yes. Install Oracle.

  • SQL Injection - cfqueryparam and other techniques to stop abuse?

    We have been having a lot of issues with SQL injection lately and so we are trying various methods to secure the data better.
    First off we have been utilizing cfqueryparam on the queries that are being hit. I am also optimizing the data tables so that more maxlengths are in place.
    What else can be done to improve security? I have looked up everything and anything on the internet and keep seeing the cfqueryparam.
    Does changing the variables or table names make any difference? We are trying that, but I want to make sure it is not a waste of our time.
    Thanks for any other suggestions.

    CFqueryparam is a good first step, though you should note that it will not protect some queries.  For example if you have a sort by or order by that is dynamic, cfqueryparam won't help in that case.  You will need to review data and validate for that.
    You should also be checking for XSS vulnerabilities.
    http://www.12robots.com/index.cfm/2008/8/4/Persistent-XSS-Attacks-and-countermeausures-in-ColdFusion
    The blog above has a great number of CF security related posts.
    Pete Freitag has a nice security scanner that will look at your CF server and highlight any missing patches and some other issues
    http://www.petefreitag.com/item/721.cfm
    There are some open source projects that will also filter out common sql injection and xss attacks on a code level.
    http://portcullis.riaforge.org/
    Finally there are several conferences in the CF world coming up, and all surely have some security sessions.  You may want to attend.

  • SQL Injection and cfqueryparam

    I was told to look into <cfqueryparam> to assist in
    fighting sql-injection
    and it makes perfect sense, up until I thought of a different
    scenario...
    This tag seems great when you are dealing with numbers or
    text that you can
    restrict the number of characters, but what if you have a
    textarea that
    allows for a large amount of text to be entered? I.E. a
    search field for
    records that uses keywords.
    How you stop someone from entering damaging sql into an area
    that accepts
    this?
    Thanks for any education.
    Wally Kolcz
    MyNextPet.org
    Founder / Developer
    586.871.4126

    WebDev wrote:
    It works because <cfqueryparam ....> tells the DBMS
    that this data is a
    value NOT SQL. The DBMS will then never process it as SQL.
    When you
    write the SQL and Values straight into the code, then the
    DBMS does not
    know what is what and assumes it all must be SQL.
    An Example...
    <cfquery ....>
    SELECT aField FROM aTable WHERE aField = '#aValue#'
    </cfquery>
    With this code, ColdFusion processes the entire body of the
    <cfquery...>
    tag into a string and sends that entire string to the DBMS as
    SQL. The
    DBMS then processes what it was given. If somebody can modify
    the
    aValue variable to change the SQL string - that is what is
    processed.
    <cfquery ...>
    SELECT aField FROM aTable WHERE aField = <cfqueryParam
    value="#aValue#"...>
    </cfquery>
    With this code ColdFusion processes the SQL and the queryParam
    as separate
    things. It sends the DBMS the SQL with parameters and a list
    of values
    to be used in those parameters. The DBMS knows the parameters
    are not
    SQL and will not process it as SQL and if the parameter
    contains SQL it
    will just be used as a value and not parsed.
    FYI... That is how <cfqueryparam...> can improve
    performance. By
    knowing what parts of the SQL are variables, it can cache the
    SQL and
    just use different variables when they are passed to the
    DBMS.
    HTH
    Ian

  • SQL injection embeded .js file to execute CF hack

    I am a programmer sent to investigate suspicious activity at
    a client's web application. I cannot attach a file in case of
    infection potential. The Coldfusion code is open to SQL injection
    attack which is how we believe the Apache web server became
    infected. Upon investigation we found javascript files which had
    been written with CFML code programatically scripted to fit within
    a .js javascript file and write and read data from the server.
    Has ANYONE seen this type of attack before? I cannot disclose
    the client or specific data as we are under a NDA (Non-Disclosure
    Agreement), however, I need help of other Coldfusion programmers to
    fully understand this attack. Has anyone seen CFML code programmed
    into a .js javascript file and run by calling the .js javascript
    file before?
    We have found Japanese or Chinese language within the code
    and within files on the server. The client states they have NOT
    installed any language packs or anything referencing other
    languages than English. There have been Japanese characters found
    on the database server. There are hundreds of .js and .xml files on
    the server which reference Japanese. Furthermore, we have found
    many XML files on the server, but the client does not use .xml so
    these .xml files would then be foreign and potentially
    programmatically scripted by the server launching code to write
    these files under the unknowing eyes of the client.
    So we need to understand the limits or potential threats:
    1. Can CFML scripting be embedded into a .js javascript file
    2. If database parameters are not locked, what are the
    possible attacks available to SQL injection
    Any help would be appreciated.
    Thank you in advance.
    Alex Dove

    1. Only if the server is set to parse a .js file as CFML
    2. A lot!
    http://www.forta.com/blog/index.cfm/2008/7/22/For-Goodness-Sake-Use-CFQUERYPARAM-Already
    http://www.forta.com/blog/index.cfm/2008/7/23/Hacker-Webzine-Recommends-Use-Of-CFQUERYPARAM
    Ken Ford
    Adobe Community Expert - Dreamweaver/ColdFusion
    Fordwebs, LLC
    http://www.fordwebs.com

  • SQL injection on login system by Adobe?

    Hello everybody!
    I recently bought a wonderful book "Adobe Dreamweaver CS5 with PHP - Training from the Source" by David Powers.
    In the book is described how you can create a login system.
    What I would like to ask is: Have the dreamweaver server behaviors any kind of protection against SQL injection?
    Unfortunately I do not know PHP in order to recognize the code generated by server behaviors and be able to answer this question by myself..
    I just want to know how safe is to publish a website based on the dreamweaver server behaviors..
    Thank you in advance!

    Any form values and inbound URL parameters will be sanitized (via the function GetSQLValueString) based on several criteria:
    a) generally applied sanitizing functions: stripslashes, mysql_real_escape_string
    b) in case of a numeric value (integer, double) the function GetSQLValueString will additionally apply the PHP function intval respectively doubleval

  • Sql injection character fields

    Is it true that with MSSQL in the background, character fields can't be used for sql injection?
    A)   One source says that in MSSQL single quotes are escaped into double quotes.
    B)   Another source says that " SQL injection (within ColdFusion apps) is really only an issue with non textual fields. If a text value is tampered with you'll end up with tampered text, but that text will all be part of the core string (within quotes) passed as a value, and will therefore not be executed as separate statements. Numbers, on the other hand, are not enclosed within quotes, and so extraneous text can be tampered "
    Questions about A):
    How does escaping 's with "s help, by making string literals in MSSQL not valid?
    How could A) above be true when names like O'Mally are being stored with a single quote?
    Questions about B):
    Does it mean code like DELETE * FROM atable would just be stored as a string and not execute?
    If so, is that accurate?

    To actually answer your question's.
    A) A single quote in SQL is a comment.  To store a single quote as DATA one has to escape it by doubling it.  So to store O'Mally it would be passed as o''Mally.
    The simple SQL injection attack is to end a number value with a random value, that is followed with a ; to end the SQL statement and then another statement can be run, this is then followed by a single quote to comment out any other SQL in the original statement.  ColdFusion automatically escapes single quotes in text fields in most situations, so this is harder to do with text fields, but not impossible.

  • SQL Injection attack

    After an SQL injection attack I followed the advice to use
    cfqueryparam in my cfquery statements. Unfortunately this does not
    seem to have worked as many records in my database have again been
    appended with scripts linking to javascript files on another
    website.
    I haven't coded in Coldfusion in a while and would really
    appreciate it if someone could take a look at the code of one of my
    pages and let me know if I have missed anything or miss coded the
    cfqueryparam tag.
    Thanks in advance
    Neil

    You can add the following code to your application file.
    <!--- CREATE SQL REGULAR EXPRESSION --->
    <!--- The alternatives are kept on one line: a string literal that spans
          lines would put literal line breaks into the pattern. Matching is
          case-insensitive through REFindNoCase. --->
    <cfset sqlregex = "(SELECT\s[\w\*\)\(\,\s]+\sFROM\s[\w]+)|(UPDATE\s[\w]+\sSET\s[\w\,\'\=]+)|(INSERT\sINTO\s[\d\w]+[\s\w\d\)\(\,]*\sVALUES\s\([\d\w\'\,\)]+)|(DELETE\sFROM\s[\d\w\'\=]+)|(DROP\sTABLE\s[\d\w\'\=]+)">
    <!--- CHECK FORM VARIABLES --->
    <!--- Look each value up directly in the scope rather than through
          Evaluate(), which resolves the name in normal scope order and can
          pick up a variable of the same name from another scope. --->
    <cfloop collection="#form#" item="formelement">
        <cfif isSimpleValue(form[formelement]) AND REFindNoCase(sqlregex, form[formelement])>
            <!--- Clear the scope first: cflocation ends the request, so nothing after it runs --->
            <cfset StructClear(form)>
            <cflocation url="messages.cfm?message=#URLEncodedFormat('Invalid Input. Possible SQL Injection attack.')#" addtoken="false">
        </cfif>
    </cfloop>
    <!--- CHECK URL VARIABLES --->
    <cfloop collection="#url#" item="urlelement">
        <cfif isSimpleValue(url[urlelement]) AND REFindNoCase(sqlregex, url[urlelement])>
            <cfset StructClear(url)>
            <cflocation url="messages.cfm?message=#URLEncodedFormat('Invalid Input. Possible SQL Injection attack.')#" addtoken="false">
        </cfif>
    </cfloop>
    Good luck
    Mamdoh
    P.S: The credit for the script go to sys-con.com

  • Lightswitch Security, Protection against SQL Injection attacks etc.

    Hi all,
    I have been hunting around for some kind of documentation that explains how Lightswitch handles typical web application vulnerabilities such as SQL injection attacks.
    In the case of injection attacks it is my understanding the generated code will submit data to the database via named parameters to protect against such things but it would be good to have some official account of how Lightswitch handles relevant OWASP
    issues to help provide assurance to businesses that relying on a framework such as Lightswitch does not introduce security risks.
    Is anyone aware of such documentation? I found this but it barely scratches the surface:
    http://msdn.microsoft.com/en-us/library/gg481776.aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
    There is this which describes best practices but nothing to say that these practices are adopted within Lightswitch
    http://msdn.microsoft.com/en-us/library/gg481776.aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
    Thanks for any help, I am amazed that it is so difficult to find?

    LS is a tool built on top of other technologies including Entity Framework.
    Here is a security doc about EF.
    http://msdn.microsoft.com/en-us/library/vstudio/cc716760(v=vs.100).aspx
    LS uses Linq to Entities and therefore is not susceptible to SQL injection.
    HTH,
    Josh
    PS... the only vulnerability that I'm aware of is when a desktop app is deployed as 2-tier instead of 3-tier.  In that case, the web.config which contains connection strings is on the client machine, which is a risk.  Here is a discussion related
    to db security & 2 vs 3-tier.
    https://social.msdn.microsoft.com/Forums/vstudio/en-US/93e035e0-0d2e-4405-a717-5b3207b3ccac/can-sql-server-application-roles-be-used-in-conjunction-with-lightswitch?forum=lightswitch
