ColdFusion Muse

A Better Blacklist Function for SQLi

Please note - I have not changed my stance on the use of CFQUERYPARAM. The real "fix" for injection is validation routines for form inputs and binding variables using Cfqueryparam. A blacklist function (a function that checks for "known bad" input) is useful in that it provides protection on the perimeter. It can help you intercept hack attempts before they reach your DB - where presumably they would fail in any case. Blacklist functions are also useful for thwarting immediate threats if you discover a security flaw that might take some time to fix. The recent spate of attacks caused a proliferation of blacklist techniques, from simple to complex. In my own post on the vulnerability of using string concatenated SQL I published a snippet that made use of the iSQLInject function from CF Lib. There is a better approach, however.


Adding Cfqueryparams to a Legacy Site Without Losing Your Hair

So you got hit with the latest SQLi attack eh? SQLi is the hip acronym for "SQL injection" that fancy pants security people use. You've put in some stopgap measures and now you are slogging through 3000 queries trying to add cfqueryparam to everything. It's a laborious task to be sure. Here are some special tips from the muse that might help shorten it.


SQL Injection Part III - Don't Forget Sorting

So... you have diligently added CFQUERYPARAM to every input variable. Your database is secure and safe from SQL Injection - right? Well... maybe not. Did you remember to account for the ORDER BY Clause? Let me explain.


Combining SQL Query Strings and CFQUERYPARAM

If you have been following the muse the last few days you will know that I've had my shoulder to the wheel helping customers and fellow developers sort through making changes to their site to protect against a particularly malicious SQL Injection attack (read about the details here). Some of the folks who have contacted me are dealing with extra problems because their code uses string concatenation to build dynamic SQL strings. So the question has been asked a few times, "How do I go about building an SQL string with CFQUERYPARAMs in it?" Unfortunately, if you have chosen this approach it's going to be difficult to help you without seriously refactoring your code. Here are a few tips that can help, and one approach that might get you most of the way there.


SQL Injection Part II (Make Sure You Are Sitting Down)

Back in February I wrote a blog post on SQL Injection that included an example of how a malicious user might inject into a character field even though ColdFusion escapes single quote marks. The attack involved other forms of escaping single quotes - and was effective against MySQL. This week I stumbled upon (more like a train wreck) an attack that is much more sophisticated - and also involves injection into a character field. I am told that others have discovered and written on this attack over the last few weeks - but I was unaware of it until a customer of ours was victimized. Amazingly, the specific real world attack I discovered and fixed allowed the hacker to append a string to every char column in every table of the database. It was so pervasive it left me wondering if it was SQL injection at all - until I found a URL entry that looked something like this:


Webmaniacs - Cryptography and Dentistry

On Tuesday I took in a workshop on Cryptography by Dean Saxe. Dean is an impressive character with a head stuffed full of knowledge and spilling out everywhere. He obviously knew what he was talking about. As a topic, cryptography is so impossibly complicated and intricate that he could not do it justice in a 50 minute session. Most discussions about cryptography center around keys, algorithms and best practices - and this was no exception. Dean recommended against relying on CF's own encrypt and decrypt functions for anything but the most rudimentary encryption. In fact, he probably didn't even go that far. That tidbit of advice is common from almost every security pro I have ever heard mention the subject. When it came to discussing keys it was like a trip to the dentist.


Disabling Backslash Escaping in MySQL

For muse readers who read my previous post on SQL injection examples that use character rather than numeric fields, I offer this tip I picked up on CF-Talk from Azadi Saryev. It appears you can disable the ability to escape special characters using the backslash. Here is the exact note from Azadi.


SQL Injection Using a Character Field

Ok, I admit it. Most of the examples of SQL injection that I give use a numeric field. Why? Because to inject using a character field requires manipulating single quotes. Since ColdFusion escapes single quotes automatically when using the cfquery tag, these attacks are much more difficult to pull off. It may surprise you to know that your character fields can still be vulnerable and it is my belief that you should still use CFQueryparam. In fact, one of the attacks below can work even if you do use cfqueryparam. Check it out.


Does CFArgument Typing Protect Against SQL Injection

This question was asked on one of the several lists to which I subscribe. The author wanted to know if he needed to do anything else as long as he was specifying the "type" attribute of the Cfargument tag - or was that sufficient protection against the dreaded SQL Injection Attack (see my previous post on Application Security). Like the Elves of the Shire my answer is both yea and nay. Consider this example:


Web Logs and Security - Do You Know What's in Your Log Files?

So you have a new ecommerce application eh? You say you've done your homework. You are using a reputable gateway. You think you are PCI compliant. You are not storing credit card numbers anywhere and you are using SSL (plus you have a new snazzy haircut). Life is good. Hmmmm.... do you ever stay awake at night wondering if you forgot something? One of the things that you might have overlooked is the web log files. I'm sure you are aware of these files... the ones that your customer is always running reports on so he can marvel at the IP geocoding and exclaim "Well would you look at that" about the 4 people from Uzbekistan that visited the site yesterday. Web logs come in a number of flavors, but most of them are able to track the URL "query_string" variable in the log. Many of them are set up this way by default. This can be helpful to figure out traffic patterns. If you handle credit cards a certain way, however, they can lead to the pit of despair. Take this example....


Handling Credit Card Data and PCI Compliance

Muse Reader Asks:
"I thought I would ask your opinion on how to use CF as a front-end to SQL database with CC information and still be compliant with PCI standard 10.2 and 10.3. We are going to have an appliance to capture and store the information needed by the auditors. But I can't have everything showing up as the CF service."

I asked my good friend Brian Harvey from Studio Cart to answer this question. He has been a good resource for us on the pitfalls of working with Credit Card data and PCI compliance. His response is quite informative.


Adobe Declares, "Water is Wet" and Other Obvious Things

Two days ago a security bulletin from Adobe indicated that Dreamweaver "server behaviors" that generate query code will leave you vulnerable to SQL injection attacks. It went on to say that the sky is blue, politicians are dishonest and Michael Jackson is a little odd. This is not news to anyone save Adobe. Using a wizard to generate query code is, at best, only a starting point. Server behaviors have been around for years and they have always generated lousy query code. Scrub the variables you pass to the query or use Cfqueryparam. I would add that the "work-around" example is pretty poor as well. Rather than detail it, I will refer you to Dave Carabetta's excellent blog article on the subject. The bulletin indicates upgrading to DW 8.02 will "fix" the problem. I have a feeling it will generate more code in need of a rewrite. Don't they have any actual CF programmers writing these behaviors?

Email Injection Bot Attacks and SPF Records

I got an email from someone on my blog about implementing SPF that said it should cut down on email injection attacks. The reasoning was that the email injection attack typically sends "from" the domain of the web site. Since SPF dictates the servers or domains mail can come "from" then mail from the web server would be rejected. Stopping Email Injection Bots would be a nice side effect of SPF, but it is unlikely. This reasoning does not take into account 2 important details.


Contact Us Form - Email Injection Attack

In the last few weeks I've noticed a new attack making the rounds on my CF server. Although it's not an effective attack against a CF server, it does illustrate how spammers are a boil on the butt of humanity. It's called "email injection" and it's actually an attempt to leverage a PHP vulnerability (or perhaps I should say a "bad PHP coding" vulnerability). How do you know if you are being attacked? If you have a web site with a "contact us" form or any other form whose result is a sent email, and you are getting emails "from" your own domain and "to" your own domain using bogus email addresses, you are probably seeing this technique in action. You will also get bounces, and if you look in the raw bounce code you will see something like "bcc: *some email address*". That's the tip-off. Please note, this technique does NOT work against ColdFusion as far as I know - only PHP seems to be referenced in the various online discussions of the topic. If you are interested, read on.


JSP on CF Enterprise Can Open a Security Hole

Recent discussions on a popular email list regarding some large hosts with many CF customers have reminded me of an often overlooked security problem that crops up from time to time on CF Enterprise. If you install CF Enterprise you get a fully functioning JRUN server with it. If you intend to use the server as a shared server, however, you should be aware that by default, the JRUN server will handle JSP pages. This gives users with JSP knowledge a way of hacking the server that circumvents the CF server (since JRUN is agnostic of the CF sandbox). It's easy to fix however...


Blog provided and hosted by CF Webtools. Blog Software by Ray Camden.