Is cfinsert and cfupdate open to SQL Injection

Similar Messages

• SQL injection embeded .js file to execute CF hack

  I am a programmer sent to investigate suspicious activity at
  a client's web application. I cannot attach a file in case of
  infection potential. The Coldfusion code is open to SQL injection
  attack which is how we believe the Apache web server became
  infected. Upon investigation we found javascript files which had
  been written with CFML code programatically scripted to fit within
  a .js javascript file and write and read data from the server.
  Has ANYONE seen this type of attack before? I cannot disclose
  the client or specific data as we are under a NDA (Non-Disclosure
  Agreement), however, I need help of other Coldfusion programmers to
  fully understand this attack. Has anyone seen CFML code programmed
  into a .js javascript file and run by calling the .js javascript
  file before?
  We have found japanese or chinese language within the code
  and within files on the server. The client states they have NOT
  installed any language packs or anything referencing other
  languages than English. There have been japanese characters found
  on the database server. There are hundreds of .js and .xml files on
  the server which reference japanese. Furthermore, we have found
  many XML files on the server,but the client does not use .xml so
  these .xml files would then be foreign and potentially
  programatically scripted by the server launching code to write
  these files under the un-knowing eyes of the client.
  So we need to understand the limits or potential threats:
  1. Can CFML scripting be embedded into a .js javascript file
  2. If database parameters are not locked, what are the
  possible attacks available to SQL injection
  Any help would be appreciated.
  Thank you in advance.
  Alex Dove

  1. Only if the server is set to parse a .js file as CFML
  2. A lot!
  http://www.forta.com/blog/index.cfm/2008/7/22/For-Goodness-Sake-Use-CFQUERYPARAM-Already
  http://www.forta.com/blog/index.cfm/2008/7/23/Hacker-Webzine-Recommends-Use-Of-CFQUERYPARA M
  Ken Ford
  Adobe Community Expert - Dreamweaver/ColdFusion
  Fordwebs, LLC
  http://www.fordwebs.com
  "ajdove" <[email protected]> wrote in
  message news:[email protected]...
  >
  > I am a programmer sent to investigate suspicious
  activity at a client's web
  > application. I cannot attach a file in case of infection
  potential. The
  > Coldfusion code is open to SQL injection attack which is
  how we believe the
  > Apache web server became infected. Upon investigation we
  found javascript
  > files which had been written with CFML code
  programatically scripted to fit
  > within a .js javascript file and write and read data
  from the server.
  >
  > Has ANYONE seen this type of attack before? I cannot
  disclose the client or
  > specific data as we are under a NDA (Non-Disclosure
  Agreement), however, I need
  > help of other Coldfusion programmers to fully understand
  this attack. Has
  > anyone seen CFML code programmed into a .js javascript
  file and run by calling
  > the .js javascript file before?
  >
  > We have found japanese or chinese language within the
  code and within files on
  > the server. The client states they have NOT installed
  any language packs or
  > anything referencing other languages than English. There
  have been japanese
  > characters found on the database server. There are
  hundreds of .js and .xml
  > files on the server which reference japanese.
  Furthermore, we have found many
  > XML files on the server,but the client does not use .xml
  so these .xml files
  > would then be foreign and potentially programatically
  scripted by the server
  > launching code to write these files under the un-knowing
  eyes of the client.
  >
  > So we need to understand the limits or potential
  threats:
  > 1. Can CFML scripting be embedded into a .js javascript
  file
  > 2. If database parameters are not locked, what are the
  possible attacks
  > available to SQL injection
  >
  > Any help would be appreciated.
  > Thank you in advance.
  > Alex Dove
  >
  >

• SQL Injection -- DBA role..

  Hi all,
  I'm working as a SQL Server DBA,Now a days we are facing issue with attacks(SQL Injection),most of attacks are taken care by Firewalls but still some attacks hitting Database.
  As a DBA  How to check whether database got effected
  Please help me by providing hints and tips to analysis SQL injection.
  Thanks in advance

  There is no easy ways to detect sql injection. You should analyze activity against databases and work with developers to address it.
  Basically, you can capture sql_completed/rpc_completed events in XEvent or SQL Trace and review them. Anything, which is not parameterized, could be the subject of injection attach (it depends on Client Code and implementation). 
  As the side note, script below provides you the list of the databases together with number of cached execution plans that were used just once. SQL Injection targets non-parameterized queries. So the databases with large number of single-used plans are more
  likely to be affected. In any case, do not rely on output much - large number of single-used plans could be just the sign of bad design rather than being affected. As I said, you need to review client app code just to be sure.
  select
  epa.value as [DB ID],
  db_name(convert(int,epa.value)) as [DB Name],
  count(*) as [Single Use Plans]
  from
  sys.dm_exec_cached_plans p
  cross apply sys.dm_exec_plan_attributes(plan_handle) AS epa
  where
  p.usecounts = 1 and
  p.objtype in ('Adhoc','Prepared') and
  epa.attribute = 'dbid'
  group by
  epa.value
  option (recompile)
  Thank you!
  Dmitri V. Korotkevitch (MVP, MCM, MCPD)
  My blog: http://aboutsqlserver.com

• CS3/CS4 protecting against SQL Injection

  Hi:
  I was wondering if the newer versions of Dreamweaver like CS3/CS4 do a good enough job to protect against SQL Injection when using the built in Insert/Update/Delete behaviors or should I use Commands with Stored Procedures (MS SQL)?
  Thanks!
  Mitch

  David , Günter - many thanks for your help !
  In my ignorance I appear to have been misled by my website host who, in response to a related problem, informed me as follows:
  "your website's scripting does appear to be highly vulnerable to SQL  injection attack, this can be easily seen via the following example:
  /s-sub_detail.php?cat_id=TEST
  As  you can see, arbitrary data entered as the cat_id variable of the shopping cart  script is being passed unchecked to the SQL server, which is then returning a  notice relevant to the data passed (in the above example case this is an  "unknown column" error) - This effectively demonstrates that your shopping cart  script performs no validation on variables used within the script and passes  them directly to the SQL server, which means arbitrary commands can potentially  be added as variable data for the SQL server to execute.
  In order to  correct this all variables and any other posted data used by the shopping cart  script must be fully validated by the script itself before being passed to the  SQL server so that SQL commands cannot be executed by simply manually entering  these as a script variable".
  Thanks to David I understand the issue with the need for data validation but the response above appears to indicate that they believe there is more to it.
  David and Günter - I would welcome your response to the above and perhaps recommendations for SQL injection vulnerability testing.
  Kind regards
  J

• CFInsert/Update: protection against SQL injection?

  Hello,
  I'm trying to find out if the use of CFInsert or CFUpdate
  offers any protection against a SQL Injection attack. We are on a
  project that uses many CFInserts and Updates, and lack the time to
  rewrite new queries using CFQueryParam. Will a CFInsert or Update
  handle the situation?

  Validate every field before you get to the cfinsert/cfupdate
  tag, something you should have been doing anyway.

• SQL Injection - cfqueryparam and other techniques to stop abuse?

  We have been having a lot of issues with SQL injection lately and so we are trying various methods to secure the data better.
  First off we have been utlizing cfqueryparam on the queries that are being hit. I am also optimizing the data tables so that more maxlengths are in place.
  What else can be done to improve security? I have looked up everything and anything on the internet and keep seeing the cfqueryparam.
  Does changing the variables or table names make any difference? We are trying that, but I want to make sure it is not a waste of our time.
  Thanks for any other suggestions.

  CFqueryparam is a good fist step, though you should note that it will not protect some queries.  For example if you have a sort by or order by that is dynamic, cfqueryparam wont help in that case.  You will need to review data and validate for that.
  You should also be checking for XSS vulnarabilities.
  http://www.12robots.com/index.cfm/2008/8/4/Persistent-XSS-Attacks-and-countermeausures-in- ColdFusion
  The blog above has a great number of CF sercurity related posts.
  Pete Freitag has a nice security scanner that will look at your CF server and highlight any missing patches and some other issues
  http://www.petefreitag.com/item/721.cfm
  There are some open source projects that will also filter out common sql injection and xss attacks on a code level.
  http://portcullis.riaforge.org/
  Finally there are several conferences in the CF world coming up, and all surely have some security sessions.  You may want to attend.

• ADF and SQL-Injection?

  Hi
  As I understand there is no any protection!!! Do view parameters work as parameters in JDBC prepared statement? I looked at examples and it looks they are just replaced with string as parameter value to make new string !!!
  Andrius

  Andrius,
  to my knowledge only prepared statements provide you some level of safety and even herte I would recommend caution. The recommended approach for SQL Injection is to filter it either in a Servlet filter (which may be hard to do, but there is a library called mod_security by Ian Ristic that is open source and can be configured for additional security). In addition you can add custom code to the BC code that sets the parameters for the parameterized query to check for SQL injection. This can be done with Regular Expressions:
  As an example:
  Pattern p = Pattern.compile("(?i)\\bcreate|insert|delete|drop|update\\b");
  Matcher m = p.matcher(username);
  if (m.find())
  // reject the request
  Note that the example doesn't check for all possible patterns
  Depending on your front end, additional checks can be provided. If e.g. in teh future you build applications with JSF, you could create a RegEx Validator to filter SQL injections.
  Oracle ADF V2 comes with a declarative validator on the data binding level that support Regular Expressions defined on the attribute level. This I think should provide you the level of security you will expect.
  Frank

• SQL Injection and variable substitutions

  Hello helpful forum, I'm trying to understand what really goes on "behind" the scenes
  with the variable substitutions in order to protect from sql injections.
  I'm using apex 3.0.0.00.20
  The trickiest component seems to be a Report of type "pl/sql returning sql", since
  multiple dynamic sql interpretations are done there.
  consider the following innocent looking disaster:
  DECLARE
  l_out VARCHAR2(2000);
  BEGIN
  l_out := 'select * from test_injection t where t.name like ''%' || :NAME || '%''';
  RETURN l_out;
  END;
  if NAME is a single quote the report will return:
  failed to parse SQL query: ORA-00911: invalid character
  which hints to the fact that NAME is not escaped, and you are in fact able to access db functions
  as in: '||lower('S')||'
  I also tried to put there a function that runs in a autonomous transaction to log its calls, and
  I see that it's called five times for each request.
  consider now the similar solution (notice the two single quotes):
  DECLARE
  l_out VARCHAR2(2000);
  BEGIN
  l_out := 'select * from test_injection t where t.name like ''%'' || :NAME || ''%''';
  RETURN l_out;
  END;
  with this second example nothing of the above is possible.
  So my theory (please confirm it or refute it) is that there is a first variable substitution done
  at the pl/sql level (and in the second case :NAME is just a string so nothing is substituted).
  Then the dynamic sql is executed and it returns the following string:
  select * from test_injection t where t.name like '%' || :NAME || '%'
  now another substitution is done (at an "APEX" level) and then query is finally executed to return
  the rows to the report.
  The tricky point seems to be that the first substitution doesn't escape the variable (hence the error
  with the single quote), while the second substitution does.
  Please let me know if this makes sense and what are the proper guidelines to avoid sql injection with
  the different kinds of reports and components (SQL, pl/sql returning sql, processes, ...)
  Thanks

  Giovanni,
  You should build report regions like this using the second method so that all bind variables (colon followed by name) appear in the resultant varchar2 variable, l_out in your example, which will then be parsed as the report query. This addresses not only the SQL injection problem but the shared-pool friendliness problem.
  Scott

• SQL Injection with CF7 and MS SQL 2005

  I looked through a bunch of SQL injection posts and couldn't
  find a definitive answer to this...
  Let me introduce this by saying that I know I should be using
  CFQUERYPARAM with EVERY CF variable in a CFQUERY tag. No excuses.
  But for a necessary quick fix, if I only use it for numeric
  DB fields, is SQL injection still possible (using MS SQL 2005)?
  I've yet to successfully perform SQL injection while manipulating a
  variable surrounded by single quotes in the query.
  Scenario 1) select * from users where user_id=#form.user_id#
  ...is a gimme to hack, but
  Scenario 2) select * from users where
  password='#form.password#' ...is another story
  Has anyone ever heard of a successful SQL injection attack in
  a Scenario 2 situation.
  I'll fix everything up eventually, but I've got a Pen Test
  coming up soon, and a lot of raw code to review.
  Thanks

  quote:
  Originally posted by:
  Dan Bracuk
  What others can do is more relevent than what we think. When
  in doubt, test.
  very true, although my final solution went more like, "When
  in doubt, manually add about 600 cfqueryparams in 406 cfquery
  tags".

• XML Validation using java for SQL Injection and script validation

  I have an input coming from xml file.
  I have to read that input and validate the input against sql injections and scripts.
  I require help now how to read this xml data and validate against the above two options.
  I am a java developer.
  in this context what is marshelling?

  http://www.ibm.com/developerworks/library/x-javaxmlvalidapi.html?ca=dgr-lnxw07Java-XML-Val
  http://java.sun.com/j2se/1.5.0/docs/api/javax/xml/validation/package-summary.html
  The following code validates the xml against a xml schema
  // define the type of schema - we use W3C:
  String schemaLang = "http://www.w3.org/2001/XMLSchema";
  SchemaFactory factory = SchemaFactory.newInstance(schemaLang);
  Schema schema = factory.newSchema(new StreamSource("sample.xsd"));
  Validator validator = schema.newValidator();
  // at last perform validation:
  validator.validate(new StreamSource("sample.xml"));Message was edited by:
  haishai

• [ask] about oracle sql injection and escalation

  Hello,i'm student , i'm studying oracle,now i want to research about oracle sql injection,i had read some tuttorial such as *'Hacking Oracle From Web,Advanced SQL Injection In Oracle Databases,Oracle Hacker HandBook ...'* but when i try to demo on localserver (11.0.1.6) but not run,and this is my demo
  -- first,i created table users
  create table users (name nvarchar2(50),pass nvarchar2(50))
  -- then i created procedure with system user
  create or replace procedure system.adduser(u nvarchar2,p nvarchar2)
  as
  begin
    insert into users values(u,p);
  end;
  -- grant execute privilege to oc user
  grant execute on adduser to oc
  -- login with user oc and create a procedure
  create or replace procedure sqli
  as
  begin
    execute immediate 'grant dba to oc';
  end;
  -- and then,i run system's procedure
  declare
  begin
    system.adduser('admin','admin'' ; execute immediate  ''declare begin sqli() end;');
  end;
  i hope oracle master help me to i can understand and improving my knowledge
  Thanks

  The best forum for this is probably Forum Home » Java » SQLJ/JDBC
  Presumably you are refering to oracle.sql.TIMESTAMP. While this is intended to (and does) correspond to java.sql.Timestamp it can't be a subclass because it needs to be a subclass of oracle.sql.Datum.

• SQL Injection and Java Regular Expression: How to match words?

  Dear friends,
  I am handling sql injection attack to our application with java regular expression. I used it to match that if there are malicious characters or key words injected into the parameter value.
  The denied characters and key words can be " ' ", " ; ", "insert", "delete" and so on. The expression I write is String pattern_str="('|;|insert|delete)+".
  I know it is not correct. It could not be used to only match the whole word insert or delete. Each character in the two words can be matched and it is not what I want. Do you have any idea to only match the whole word?
  Thanks,
  Ricky
  Edited by: Ricky Ru on 28/04/2011 02:29

  Avoid dynamic sql, avoid string concatenation and use bind variables and the risk is negligible.

• SQL injection and SQLFury

  We have recently had an SQL injection attack on our site.  The web form in question was calling a second cfm with a post command.  The second cfm did the actually db insert. After extensive research and revamping of the web form I believed that I had shut it down rather convincingly. I did the following to secure the form:
  - implemented the cfqueryparam tag on all applicable fields being entered in the form
  - introduced a hidden, random numeric variable for verification before completing the insert; it tests for its existence and if it is numeric
  - consolidated the two cfms into one page so the entry and insert are done in one cfm (to eliminate injection going directly thru insert cfm)
  However, I am still getting intermittent injection errors into my MS SQL table.  I don't believe it is getting in through the revised web form and am at a loss as to how it's getting through.
  I am now at the point that I am looking for a utility that will scan through my site or specific pages to identify SQL injection vulnerabilties.  I found something called SQLFury and downloaded it; however, there is literally no documentation with it and I have no idea how to run it.  I've researched the web and found no assistance on how to use this utility.  Is anyone familiar with this utility or does anyone know of any other utility that will assist with validating ColdFusion methods?
  Any assistance would be very much appreciated.

  Ian:
  Thanks for the information.  The utility is helpful and confirmed for me that my page was secure from SQL injection.  The additional insight you provided has lead me to discover that my issue was not an SQL injection, but a Cross Scripting attack.  A web vulnerability utility from Acunetix helped me determine that.
  Thanks again,
  ...Wes

• SQL Injection and cfqueryparam

  I was told to look into <cfqueryparam> to assist in
  fighting sql-injection
  and it makes perfect sense, up until I thought of a different
  scenario...
  This tag seems great when you are dealing with numbers or
  text that you can
  restrict the number of characters, but what if you have a
  textarea that
  allows for a large amount of text to be entered? I.E. a
  search field for
  records that uses keywords.
  How you stop someone from entering damaging sql into an area
  that accepts
  this?
  Thanks for any education.
  Wally Kolcz
  MyNextPet.org
  Founder / Developer
  586.871.4126

  WebDev wrote:
  It works because <cfqueryparam ....> tells the DBMS
  that this data is a
  value NOT SQL. The DBMS will then never process it as SQL.
  When you
  write the SQL and Values straight into the code, then the
  DBMS does not
  know what is what and assumes it all must be SQL.
  An Example...
  <cfquery ....>
  SELECT aField FROM aTable WHERE aField = '#aValue#'
  </cfquery>
  With this code, ColdFusion process the entire body of the
  <cfquery...>
  tag into a string and sends that entire string to the DBMS as
  SQL. The
  DBMS then processes what it was given. If somebody can modify
  the
  aValue variable to change the SQL string - that is what is
  processed.
  <cfquery ...>
  SELECT aField FROM aTable WHERE aField = <cfqueryParam
  value="#aValue#"...>
  </cfquery>
  With this code ColdFusion process the SQL and the queryParam
  as separate
  things. It sends the DBMS the SQL with parameters and a list
  of values
  to be used in those parameters. The DBMS knows the parameters
  are not
  SQL and will not process it as SQL and if the parameter
  contains SQL it
  will just be used as a value and not parsed.
  FYI... That is how <cfqueryparam...> can improve
  performance. By
  knowing what parts of the SQL are variables, it can cache the
  SQL and
  just use different variables when they are passed to the
  DBMS.
  HTH
  Ian

• SQL Injections and XSS - Escaping Special Characters

  Hi, hope someone can help in regards to security and SQL Injections and XSS.
  We are using APEX 4.0.2 on Oracle 11.2.0.2.
  1. It seems the special characters we have entered into normal 'Text Items' 'Text Areas' etc are not being escaped (ie <,>,&, '). If I enter them into the field (ie Surname) they are saved as is into session state and the database - no escaping. Am I missing something such as an environment setting as I thought the "smart" oracle escaping rules would cater for this.
  Surely I don't have to manually do each of then.
  Just to confirm, am I looking in the correct places to assess if the characters are escaped or not - ie should they show as '&amp;&lt;&gt;' in session state and/or the database ?
  2. Also, for the Oracle procedures such as '‘wwv_flow.accept’ , ‘wwv_flow.show’ , 'wwv_flow_utilities.show_as_popup_calendar' - do these escape special characters. If not, then they must be vulnerable to SQL Injections attacks.
  Thx
  Nigel

  Recx Ltd wrote:
  Just to pitch in, escaping values internally (either in the database or session state) is extremely problematic. Data searches, string comparison, reporting and double escaping are all areas which suffer badly when you do this.
  Stripping characters on input can also cause problems if not considered within the context of the application. Names such as "O'Niel", statistical output such as "n < 300", fields containing deliberate HTML markup can be annoying to debug. In certain situations stripping is totally ineffective and may still lead to cross-site scripting.
  Apex applications that share the database with other applications will also be affected.
  The database should contain 'raw' unfettered data and output should be escaped properly, as Joel said, at render time. Either with Apex attributes or using PLSQL functions such as htf.escape_sc() as and when required.Do not needlessly resurrect old threads. After a couple of months watches expire and the original posters are not alerted to the presence of your follow-up.
  Shameless plug: If you are in the game of needing to produce secure Apex code, you should get in touch.This crosses the line into spam: it violates the OTN Terms of Use&mdash;see 6(j).
  Promotional posts like this are liable to be removed by the moderators.