Iframe Injection Attack in Coldfusion
Hi,
Recently one of my sites have been hit with an iframe injection:
<iframe scrolling="no" frameborder="0" src="the source changes but normally htttp://collegefun4u.com/" width="0" height="1"></iframe>
It happens at random times and gets inserted in random include files.
We have clean scanned all computers + server for viruses, changed all ftp/remote desktop passwords but the problem still occurs.
I don't think that it's an SQL injection attack because it is not hitting the database and only being injected into include files.
Some advice would really be appreciated as I have tried extensivley to get rid of it with no avail!
I am currently using CF9 runnning on a Windows 2003 server.
Thanks!
I'm afraid you don't give us much to go on.
Are all of the include files in the same directory?
It could be any number of things from an FTP exploit (just changing passwords may not be enough) to a completely unrelated page being exploited to rewrite other files.
There is really no way of telling, based on what you have provided, to determine what the problem is. If you're looking for a known exploit that would make this possible, there are none that I am aware of.
If you can, I would say disable your FTP when it is not in use and see if the problem stops. Is your FTP open to the internet? If so, does it need to be? Could you block that port and see if the problem stops?
That could give you a TON of information right there. Also make sure the filewall is adequately protecting your server. No unneeded ports open.
Jason
Similar Messages
-
After an SQL injection attack I followed the advice to use
cfqueryparam in my cfquery statements. Unfortunatley this does not
seem to have worked as many records in my database have again been
appended with scripts linking to javascript files on another
website.
I haven't coded in Coldfusion in a while and would really
appreciate it if someone could take a look at the code of one of my
pages and let me know if I have missed anything or miss coded the
cfqueryparam tag.
Thanks in advance
NeilYou can add the following code to your application file.
<!--- CREATE SQL REGULAR EXPRESSION--->
<cfset sqlregex = "
(SELECT\s[\w\*\)\(\,\s]+\sFROM\s[\w]+)|
(UPDATE\s[\w]+\sSET\s[\w\,\'\=]+)|
(INSERT\sINTO\s[\d\w]+[\s\w\d\)\(\,]*\sVALUES\s\([\d\w\'\,\)]+)|
(DELETE\sFROM\s[\d\w\'\=]+)|
(DROP\sTABLE\s[\d\w\'\=]+)">
<!--- CHECK FORM VARIABLES --->
<cfloop collection="#form#" item="formelement">
<cfif isSimpleValue(evaluate(formelement)) AND
refindnocase(sqlregex, "#evaluate(formelement)#")>
<cflocation url="messages.cfm?message=Invalid Input.
Possible SQL Injection attack.">
<cfset StructClear(form)>
<cfabort>
</cfif>
</cfloop>
<!--- CHECK URL VARIABLES --->
<cfloop collection="#url#" item="formelement">
<cfif isSimpleValue(evaluate(formelement)) AND
refindnocase(sqlregex, "#evaluate(formelement)#")>
<cflocation url="messages.cfm?message=Invalid Input.
Possible SQL Injection attack.">
<cfset StructClear(url)>
<cfabort>
</cfif>
</cfloop>
Good luck
Mamdoh
P.S: The credit for the script go to sys-con.com -
Any Admins aware of possible SQL "injection" attacks like this?
For example in your web sites login.asp or similar:
select * from users
where uname='%value1%'
and pwd='%value2%'
where %value1% equals "garbage"
and %value2% equals "garbage' or TRUE or '"
select * from users
where uname='garbage'
and pwd='garbage' or TRUE or ''
Useful source of security info:
http://www.nextgenss.com/news.html
Get Oracle Security Patches:
http://otn.oracle.com/deploy/security/alerts.htm
Adeeva.There was an excellent presentation on this and other database attacks at the recent SEOUC conference in Charlotte. You can see the slides by going to http://www.seouc.org. Select "Presentation Abstracts" from the menu and then choose the keynote address. There were a lot of open jaws in the presentation room.
One technique that we use is to package all SQL used in our websites using bind variables. So the login script you showed would be replaced by a packaged procedure something like this:
PROCEDURE validate_logon (id_in appusers.id%TYPE, pw_in appusers.password%TYPE)
RETURN INTEGER
IS
x INTEGER;
sqlstr := 'select count(*) from appusers where id = :1 and password = :2';
BEGIN
EXECUTE IMMEDIATE sqlstr INTO x USING id_in, pw_in;
RETURN x;
END;
This would return a positive integer (should always be 1) if the validation succeeds and 0 if it fails. They can't easily inject stuff into this. We used packaged dynamic SQL with bind variables for everything. Also, the account that logs onto the database never has access of any kind to the tables or views, only EXECUTE on the procedures.
Nothing is foolproof but at least it makes it harder for them. -
Preventing/securing against sql injection attacks
What's the best way to go about trying to secure/prevent from mysql injection attacks.
I guess this is not so good?
$JobTitle = $_POST['JobTitle'];
$sql = 'SELECT * FROM jobs WHERE JobTitle = "'.$JobTitle.'"';
So I'm currently using the mysqli real_escape_string:
$JobTitle = $_POST['JobTitle'];
$JobTitle = $conn->real_escape_string($JobTitle);
$sql = 'SELECT * FROM jobs WHERE JobTitle = "'.$JobTitle.'"';
or I could use:
$sql = 'SELECT * FROM jobs WHERE JobTitle = "$_POST['JobTitle'];"';
but I don't know about the above having not used it at all.
or I could use prepared statements which I dont particularly want to do because they are so long-winded especially when you have about 20 or so rows of data to insert/update into a database table
???????????????????? (ssssssssssssssss) I mean who the **** can keep track of that ****
Is there anything bad about using the below (no user input i.e., $_POST or $_GET)
$date = date('Y-m-d');
$sql = 'SELECT * FROM jobs WHERE jobDate < "'.$date.'"';
Just trying to get a handle on reasonable practices to use, when and where.
Any thoughts
Cheers
OsHi Ken,
Thanks for that. It seems as though this area is a bit of a grey one. I've searched just about everywhere and can't find any kind of difinitive answer.
I'm specifically exploring sqli as that is the way ahead now that sql is being dropped from future php releases.
I'm using prepared statements to insert and update the database and boy are they a pita to work with. My eyes can't cope with it....simply ridiculous to have to keep track of the binding method:
??????????????????????? and sssssssssssssssssss
Was looking for something simpler when selecting results to display on a page. Think for now I'll just go with the real_escape_string method and hope it provides some form of security.
$foo = $_POST['foo'];
$foo = $conn->real_escape_string($foo);
I'll just assume there is no risk if a user can't input any data i.e,
$variable = "foo";
SELECT * from table Where id = "'.$variable.'" -
Preventing Sql Injection Attacks
Please see my posting on "Sql Injection" in the Technologies\Security forum. I am interested in preventing sql injection attacks on our server. It was difficult to decide where to post it as it is a security issue but it may be general server issue. Or is it???
It would have helpful if you had either repeated the text of your other post here, or else included a link Sql Injection.
Tom Best posted a link to an interesting sounding paper in Injection Attack. I haven't had the chance to read it yet, but it is probably the best best place to start (as no-one else posted to that thread).
Cheers, APC -
Lightswitch Security, Protection against SQL Injection attacks etc.
Hi all,
I have been hunting around for some kind of documentation that explains how Lightwitch handles typical web application vunerabilities such as SQL injection attacks.
In the case of injection attacks it is my understanding the generated code will submit data to the database via names parameters to protect against such things but it would be good to have some official account of how Lightswitch handles relevant OWASP
issues to help provide assurance to businesses that by relying on a framework such as Lightswitch does not introduce security risks.
Is anyone aware of such documentation? I found this but it barely scratches the surface:
http://msdn.microsoft.com/en-us/library/gg481776.aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
There is this which describes best practices but nothing to say that these practices are adopte within Lightswitch
http://msdn.microsoft.com/en-us/library/gg481776.aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
Thanks for any help, I am amazed that it is so difficult to find?LS is a tool built in top of other technologies including Entity Framework.
Here is a security doc about EF.
http://msdn.microsoft.com/en-us/library/vstudio/cc716760(v=vs.100).aspx
LS uses Linq to Entities and therefore is not susceptible to SQL injection.
HTH,
Josh
PS... the only vulnerability that I'm aware of is when a desktop app is deployed as 2-tier instead of 3-tier. In that case, the web.config which contains connection strings is on the client machine, which is a risk. Here is a discussion related
to db security & 2 vs 3-tier.
https://social.msdn.microsoft.com/Forums/vstudio/en-US/93e035e0-0d2e-4405-a717-5b3207b3ccac/can-sql-server-application-roles-be-used-in-conjunction-with-lightswitch?forum=lightswitch -
Preventing sql injection attack
string objConn9 = "Provider = MSDAORA;User ID=103109798;Password=password;Data Source=orabis;";
OleDbConnection myConnection9 = new OleDbConnection(objConn9);
string commandString9 = "INSERT INTO users(username,password)VALUES(:username,:password)";
OleDbCommand myCommand9 = new OleDbCommand(commandString9, myConnection9);
myCommand9.Parameters.Add(":username", txtUsername.Text);
myCommand9.Parameters.Add(":password", txtPassword.Text);
myConnection9.Open();
myCommand9.ExecuteNonQuery();
myConnection9.Close();
i'm using this code to try to remove the problem of
users entering a comma or an semi colon and throwing off my query, but its not working...
is there an easy way to insert text values into oracle 8i
that contain '; etc without throwing it off. I'm developing through c# and oracle 8i, the problem is most of the code examples are related to sql server and vb.netI may be off here, but in this case you appear to be okay. The code snippet you include looks to me like it is using bind variables. If you are using bind variables you are not susceptible to sql injection attacks.
It is only when concatenating a string together to make a sql statement that injection attacks can occur.
See
http://asktom.oracle.com/pls/ask/f?p=4950:8:::::F4950_P8_DISPLAYID:668624442763#18067076079313
and search for injection.
Or just go to
http://asktom.oracle.com
and search for "sql injection bind variable" for lots of other references. -
Injection attacks on Runtime.exec
Hey all,
I am trying to prove that an injection attack is not possible on the following code, where "filePath" and "args" are supplied from an unknown source.
Process p = Runtime.getRuntime().exec("java -Djava.security.manager " + filePath + " " + args, null, new File("C:\\Program Files\\eclipse\\workspace\\bin"));
I have verified that filePath does indeed point to a Java class file that is a child of the bin directory. NB -Djava.security.manager is the default java security manager which will invoke the program with similar privileges to that of an applet (so the invoked program is fully sandboxed).
Thanks,
WillFor example, if I do the following:
touch erase_me
echo `rm -f .`the file is actually erased. Have you tried something like this when you pass in a value for 'args'?
- Saish -
Sql injection attack - need help changing ASP code
Our web server was attacked yesterday by SQL injection. So I
quickly learned about the holes in the code that was generated by
Dreamweaver MX 2004.
I found the help article on the Adobe website to fix the ASP
code; however I need more information for my particular case. I
don't know how to get my cursor type and location settings into the
new code.
MY ORIGINAL CODE
<%
Dim Recordset1
Dim Recordset1_numRows
Set Recordset1 = Server.CreateObject("ADODB.Recordset")
Recordset1.ActiveConnection = MM_Oncology_STRING
Recordset1.Source = "SELECT * FROM dbo.Oncology_Dir WHERE
Oncology_ID = " + Replace(Recordset1__MMColParam, "'", "''") + ""
Recordset1.CursorType = 0
Recordset1.CursorLocation = 3
Recordset1.LockType = 1
Recordset1.Open()
Recordset1_numRows = 0
%>
THE NEW CODE, WHICH NEEDS TO BE FIXED TO REFLECT CURSOR TYPE
AND LOCATION ABOVE.
<%
Dim Recordset1
Dim Recordset1_cmd
Dim Recordset1_numRows
Set Recordset1_cmd = Server.CreateObject ("ADODB.Command")
Recordset1_cmd.ActiveConnection = MM_Oncology_STRING
Recordset1_cmd.CommandText = "SELECT * FROM dbo.Oncology_Dir
WHERE Oncology_ID = ?"
Recordset1_cmd.Prepared = true
Recordset1_cmd.Parameters.Append
Recordset1_cmd.CreateParameter("param1", 5, 1, -1,
Recordset1__MMColParam) ' adDouble
Set Recordset1 = Recordset1_cmd.Execute
Recordset1_numRows = 0
%>
What exactly is the 5,1,-1 in the code above?
Any help would be very much appreciated as my ASP page
(although secured from SQL injection) is not working properly.
Thanks,
--Jen
--JenThe new snippet is not vulnerable to SQL injection. It uses a
command
object and actual defined parameters, so you're safe. You
cannot change the
cursor type or location on that object.
"jennday" <[email protected]> wrote in
message
news:f85omh$ngg$[email protected]..
> Our web server was attacked yesterday by SQL injection.
So I quickly
> learned
> about the holes in the code that was generated by
Dreamweaver MX 2004.
> I found the help article on the Adobe website to fix the
ASP code; however
> I
> need more information for my particular case. I don't
know how to get my
> cursor type and location settings into the new code. -
How to block Iframe injections?
Hi,
I am maintaining a web site. When it is browsed through a wireless internet service provider, an iframe appeared in the site. The wireless internet service provider is injecting the iframe. Please let me know is there any way to block the IFrames in the code like jsp/htmal(css) lenvel? Please help me as i need the solution.
Thnaks in advance.
Regards,
PrasadHi. if you see these pop ups this may be the symptom of adware. Download, open adwaremedic dmg file , and run it by clicking “Scan for Adware” button to remove adware.
Once done, quit AdwareMedic and restart your mac: http://www.adwaremedic.com/
Install adblock for your browser: https://adblockplus.org/ -
OpenSSL SSL/TLS Man-In-The-Middle Injection Attack CVE-2014-0224
Can some help me to fix Open SSL Issue in Windows server 2008 R2 CVE-2014-0224 , Please advice
Hi,
From the description on Open SSL site, it is fixed in newer versions so could you update to the new version?
https://www.openssl.org/news/vulnerabilities.html
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
CVE-2014-0224: 5th June 2014
An attacker can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. (original advisory).
Reported by KIKUCHI Masashi (Lepidum Co. Ltd.).
Fixed in OpenSSL 1.0.1h (Affected 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
Fixed in OpenSSL 1.0.0m (Affected 1.0.0l, 1.0.0k, 1.0.0j, 1.0.0i, 1.0.0g, 1.0.0f, 1.0.0e, 1.0.0d, 1.0.0c, 1.0.0b, 1.0.0a, 1.0.0)
Fixed in OpenSSL 0.9.8za (Affected 0.9.8y, 0.9.8x, 0.9.8w, 0.9.8v, 0.9.8u, 0.9.8t, 0.9.8s, 0.9.8r, 0.9.8q, 0.9.8p, 0.9.8o, 0.9.8n, 0.9.8m, 0.9.8l, 0.9.8k, 0.9.8j, 0.9.8i, 0.9.8h, 0.9.8g, 0.9.8f, 0.9.8e, 0.9.8d, 0.9.8c, 0.9.8b, 0.9.8a, 0.9.8)
If you have any feedback on our support, please send to [email protected] -
Ban iFrames Due To Attacks!
Ban iFrames Due To Attacks!
We as Web Designers & Developers need to take a more
active role in Online Security. One if the simplest things we can
do is Ban iFrames. Just don't use them and Chastise those who do.
Here is a little more in-depth reading.
iFrame attacks surge, security firm says
http://www.networkworld.com/nldailynewsam135207
A flood of SQL injection attacks on Microsoft Internet
Information Servers are leaving Web pages with malicious
iFrames
in them, and Panda Security is urging network managers to
make
sure their Web pages haven't been infected.
iFrame attacks
http://clusty.com/search?input-form=clusty-simple&v%3Asources=webplus&query=iFrame+attacks.oO(EastTexas)
>Ban iFrames Due To Attacks!
>
> We as Web Designers & Developers need to take a more
active role in Online
>Security. One if the simplest things we can do is Ban
iFrames. Just don't use
>them and Chastise those who do.
>
>
> Here is a little more in-depth reading.
>
> iFrame attacks surge, security firm says
>
http://www.networkworld.com/nldailynewsam135207
> A flood of SQL injection attacks on Microsoft Internet
> Information Servers are leaving Web pages with malicious
iFrames
> in them, and Panda Security is urging network managers
to make
> sure their Web pages haven't been infected.
What does this have to do with legitimate iFrames? And what
does an
iFrame have to do with SQL injection?
Micha -
Hello all-
I've got a server with a huge number of ColdFusion templates
(over 10,000) which I really need to protect agains SQL Injection.
I know that CFQUERYPARAM is the best way to do this. I'd love
to do it that way, but with so many pages, and so many queries it
would take weeks/months to fix the queries, then test to make sure
I didn't screw something up.
So, I've come up with a plan that I wanted to get some input
on.
Currently, I have a page on my server that is included in
almost every page that runs. It is a simple page that I can modify
to change the status of my systems in the event of a database
changeover, or some other sort of failure. (The pages still run,
but no updating is allowed, only reading)
Okay, so on this page which is always included, I was
thinking about analyzing the variables that come over. I was
thinking about looking for things that looked like a SQL injection
attack and blocking the page from running.
I wanted to know if this would work- anyone have ideas? This
would be great because I could protect the entire server in about
an hour. But, I don't want to give myself a false sense of security
if this won't really do the job.First, here are some simple things you can do to protect all
pages before you follow the other advice and plans in this thread:
In CF administrator, click on your datasources and then the
"Advanced" button.
There you will uncheck all but the read and stored procedure
and (possibly) write permissions. "Drop", "Create", etc., are
definite no-nos here.
If you haven't already, make one data source read-permissions
only and refactor your code to use it everywhere except for
carefully segregated updates, inserts and deletes.
Now, in SQL Server itself, remove all permissions from the
users that CF uses except for data_reader and (selectively) data
writer and exec permissions on any procedures or functions you use.
In SQL server, setup at least two CF users. One, should have
only the data_reader permission (plus any read-only stored
procedures).
Find articles, such as this one:
http://www.sqlservercentral.com/columnists/bknight/10securingyoursqlserver.asp,
and follow their advice, start with locking down xp_cmdshell.
These measures require little or no CF code changes but will
block all but the most determined and skilled hackers. You still
need to follow Adam's advice though.
BTW, Dan is very wrong, ALL DB's are vulnerable to SQL
injection.
SQL server is not even the most vulnerable anymore (Studies
show that Oracle now has that "honor"). -
We have recently had an SQL injection attack on our site. The web form in question was calling a second cfm with a post command. The second cfm did the actually db insert. After extensive research and revamping of the web form I believed that I had shut it down rather convincingly. I did the following to secure the form:
- implemented the cfqueryparam tag on all applicable fields being entered in the form
- introduced a hidden, random numeric variable for verification before completing the insert; it tests for its existence and if it is numeric
- consolidated the two cfms into one page so the entry and insert are done in one cfm (to eliminate injection going directly thru insert cfm)
However, I am still getting intermittent injection errors into my MS SQL table. I don't believe it is getting in through the revised web form and am at a loss as to how it's getting through.
I am now at the point that I am looking for a utility that will scan through my site or specific pages to identify SQL injection vulnerabilties. I found something called SQLFury and downloaded it; however, there is literally no documentation with it and I have no idea how to run it. I've researched the web and found no assistance on how to use this utility. Is anyone familiar with this utility or does anyone know of any other utility that will assist with validating ColdFusion methods?
Any assistance would be very much appreciated.Ian:
Thanks for the information. The utility is helpful and confirmed for me that my page was secure from SQL injection. The additional insight you provided has lead me to discover that my issue was not an SQL injection, but a Cross Scripting attack. A web vulnerability utility from Acunetix helped me determine that.
Thanks again,
...Wes -
SQL injection embeded .js file to execute CF hack
I am a programmer sent to investigate suspicious activity at
a client's web application. I cannot attach a file in case of
infection potential. The Coldfusion code is open to SQL injection
attack which is how we believe the Apache web server became
infected. Upon investigation we found javascript files which had
been written with CFML code programatically scripted to fit within
a .js javascript file and write and read data from the server.
Has ANYONE seen this type of attack before? I cannot disclose
the client or specific data as we are under a NDA (Non-Disclosure
Agreement), however, I need help of other Coldfusion programmers to
fully understand this attack. Has anyone seen CFML code programmed
into a .js javascript file and run by calling the .js javascript
file before?
We have found japanese or chinese language within the code
and within files on the server. The client states they have NOT
installed any language packs or anything referencing other
languages than English. There have been japanese characters found
on the database server. There are hundreds of .js and .xml files on
the server which reference japanese. Furthermore, we have found
many XML files on the server,but the client does not use .xml so
these .xml files would then be foreign and potentially
programatically scripted by the server launching code to write
these files under the un-knowing eyes of the client.
So we need to understand the limits or potential threats:
1. Can CFML scripting be embedded into a .js javascript file
2. If database parameters are not locked, what are the
possible attacks available to SQL injection
Any help would be appreciated.
Thank you in advance.
Alex Dove1. Only if the server is set to parse a .js file as CFML
2. A lot!
http://www.forta.com/blog/index.cfm/2008/7/22/For-Goodness-Sake-Use-CFQUERYPARAM-Already
http://www.forta.com/blog/index.cfm/2008/7/23/Hacker-Webzine-Recommends-Use-Of-CFQUERYPARA M
Ken Ford
Adobe Community Expert - Dreamweaver/ColdFusion
Fordwebs, LLC
http://www.fordwebs.com
"ajdove" <[email protected]> wrote in
message news:[email protected]...
>
> I am a programmer sent to investigate suspicious
activity at a client's web
> application. I cannot attach a file in case of infection
potential. The
> Coldfusion code is open to SQL injection attack which is
how we believe the
> Apache web server became infected. Upon investigation we
found javascript
> files which had been written with CFML code
programatically scripted to fit
> within a .js javascript file and write and read data
from the server.
>
> Has ANYONE seen this type of attack before? I cannot
disclose the client or
> specific data as we are under a NDA (Non-Disclosure
Agreement), however, I need
> help of other Coldfusion programmers to fully understand
this attack. Has
> anyone seen CFML code programmed into a .js javascript
file and run by calling
> the .js javascript file before?
>
> We have found japanese or chinese language within the
code and within files on
> the server. The client states they have NOT installed
any language packs or
> anything referencing other languages than English. There
have been japanese
> characters found on the database server. There are
hundreds of .js and .xml
> files on the server which reference japanese.
Furthermore, we have found many
> XML files on the server,but the client does not use .xml
so these .xml files
> would then be foreign and potentially programatically
scripted by the server
> launching code to write these files under the un-knowing
eyes of the client.
>
> So we need to understand the limits or potential
threats:
> 1. Can CFML scripting be embedded into a .js javascript
file
> 2. If database parameters are not locked, what are the
possible attacks
> available to SQL injection
>
> Any help would be appreciated.
> Thank you in advance.
> Alex Dove
>
>
Maybe you are looking for
-
AV Receiver doesn't play TV sound
Hi, we recently purchased the STRDH550 Sony AV system to work with out Samsung UHD TV. The components etc play through their respective inputs just fine, but I can't get the TV to play sound through the AV system. The TV Out component on the AV recei
-
Hi I ripped some South Park DVDs. And I added metadata with Lostify. For some reason in iTunes I have to shows one is called "South Park" and one is called "South Park " with a blank at the end of the name. But when I copy the stuff onto my iPod, I h
-
WatchFolder PDF Generator throws error: ALC-PDG-010-012-PDFMaker ...
When setting up the WatchFolder after initial TURNKEY install, I am receiving the following error: ALC-PDG-010-012-PDFMaker reported an error while printing the document in the failure.log file (full text of error below). This is, of course, after
-
Past calendar events don't show in Outlook
My calendar events from 4 months back doesn't show in Outlook, but I am able to see everything through the oracle client. Is there any setting I can use to correst that.
-
How to activate all standard datasources..
Hi Experts, i am phasing issue in DM1 system. All standard data sources are goes to deactivate stage as shown in the below screen shot. if anybody has known the solution please let me know.. Best Regards, Sowjanyak.