ColdFusion Muse

Cfinclude for Good or Evil

Yesterday I was doing some searches on a sick server to troubleshoot the Iframe Injection issue. A user had posted some additional information regarding a file that appeared on his server that had this issue. The file was named "fection.cfm" so we now know the hacker casually removes his prefixes (or I should say 'emoves his 'efixes). I began my search by looking for the file specifically, then moved on to look for the string "cfexecute" in all of the *.cfm files. But that got me thinking. A clever hacker might know some things about ColdFusion. He could in fact, further obscure his code with some knowledge of cfinclude and IIS. Such a technique can be used to secure your code as well. You can create code that is only runnable by ColdFusion using cfinclude. Here's the skinny.


ISAPIRewrite or Mod_Rewrite Rules

For those of you interested in stopping the SQLi attack before it even hits your ColdFusion server, you might try these rewrite rules are from the CF-Linux email list (run by House of Fusion). They were provided by list member Mike Chytracek and forwarded to me by Linux CFG Ryan Stille. These rules are for for use with Helicon's ISAPI Rewrite filter, but with very little tweaking these rules aught to work for Apache Mod_rewrite as well.

# Helicon ISAPI_Rewrite configuration file
# Version
RewriteEngine On
RewriteCompatibility2 On
RepeatLimit 20
# unsupported directive: [ISAPI_Rewrite]
# CacheClockRate 300
RewriteRule ^.*DECLARE%20.*$ [NC]
RewriteRule ^.*NVARCHAR.*$ [NC]
RewriteRule ^.*sp_password.*$
[NC] RewriteRule ^.*%20xp_.*$ [NC]
RewriteRule ^.*EXEC\(@.*$ [NC]
RewriteRule ^.*%20@.*$ [NC]

Please note that these rules will actually redirect the request to the governments cybercrime website. That's going to freak a few folks out if you end up with any fals positives :)

SQLi Attack on the Rise (Film at 11:00)

Unless you have had your head in the sand (those of you on your honeymoon are excused) you know that the ColdFusion world has been awash in SQL Injection attacks over the last month. Anecdotally I am seeing a significant increase in attacks this week - about 15 times what they were a few days ago. Michael Dinowitz reports that house of fusion was receiving 4000 attacks in 5 minutes (that's nearly 50 thousand an hour). Brad Wood reports no less 90 request per second. The suspicion is that the attack is driven by searching Google for sites with ".cfm" pages. That means the more successful that you are at search engine optimization the more likely you are to be targeted. Conversely if you don't have a good number of pages ranked then you are probably then you will see fewer attacks.

It seems these attacks are orchestrated using infected computers throughout the internet. Some effort is underway to collect IP addresses to see if a pattern emerges. I suspect that approach will not yield fruit, but I still applaud the effort. We (CF Webtools) are continuing to assist customers in any way we can - everything from wholesale changes to sites, to blacklist techniques to friendly advice over the phone. As these attacks accelerate they become more like Denial of Service attacks than anything else. Even if you are binding all your variables and you have great controls you will still have to deal with a bombardment of thousands of requests against your CF pages. I recommend that you use one of the many blacklist techniques out there - at least temporarily. Some folks have started out sending emails alerts when these attacks are underway but quickly discovered that the volume of email can be pretty hefty. I recommend just killing the request - abort it at the top of your application prior to the application being instantiated. Then at least you have kept it from filling up your error log. Meanwhile this round of attacks has had the positive affect of causing folks to suddenly pay attention to a great deal of vulnerable code. Here's another silver lining you may not have considered...


Ask-a-Muse: How Can Cfqueryparam Protect Me?

Muse Reader Asks:
If you want to allow someone to search your site by keyword, how do you protect against an SQL injection? CFqueryParam is great if testing for an integer, but what about for a string? Surely there's got to be a way to do it since all kinds of sites let you perform keyword searches. Thanks!

Whoa... slow down there. Do my ears deceive me? Did my reader just indicate that he (or she) thinks that cfqueryparam "tests" for a string? I hate to break it to you, but the purpose of Cfqueryparam is not to insure that the value passed into the tag is one thing or another. The validation that occurs is more of a by-product of binding. Sure, the tag will error out when you try to pass "abc" instead of "123" to a param of the "integer" type, but that is a result of type binding. It's simply trying to bind variables of type for the driver to use, so naturally it errors out. But pass in a decimal like 123.123 and it says "okey dokey - that will work". Testing to see what a form element contains is the job of the developer, not the job of a magic box tag.

But to answer your question more specifically, cfqueryparam will protect you from those malicious hack attempts anyway - even if the attack is passed to the database. Let's examine a working case and see if we can figure out what is happening.


A Better Blacklist Function for SQLi

Please note - I have not changed my stance on the use of CFQUERYPARAM. The real "fix" for injection is validation routines for form inputs and binding variables using Cfqueryparam. A blacklist function (a function that checks for "known bad" input) is useful in that it provides protection on the perimeter. It can help you intercept hack attempts before they reach your DB - where presumably they would fail in any case. They are also useful for thwarting immediate threats if you discover a security flaw that might take some time to fix. The recent spate of attacks caused a proliferation of blacklist techniques from simple to complex. In my own post on the vulnerability of using string concatenated SQL I published a snippet that made use of the iSQLInject function from CF Lib. There is a better approach however.


Adding Cfqueryparams to a Legacy Site Without Losing Your Hair

So you got hit with the latest SQLi attack eh? SQLi is the hip acronym for "sql injection" that fancy pants security people use. You've put in some stop gap measures and now you are slogging through 3000 queries trying to add cfqueryparam to everything. It's a laborious task to be sure. Here are some special tips from the muse that might help shorten it.


SQL Injection Part III - Don't Forget Sorting

So... you have diligently added CFQUERYPARAM to every input variable. Your database is secure and safe from SQL Injection - right? Well... maybe not. Did you remember to account for the ORDER BY Clause? Let me explain.


Combining SQL Query Strings and CFQUERYPARAM

If you have been following the muse the last few days you will know that I've had my shoulder to the wheel helping customers and fellow developers sort through making changes to their site to protect against a particularly malicious SQL Injection attack (read about the details here). Some of the folks who have contacted me are dealing with extra problems because their code uses string concatenation to build dynamic SQL strings. So the question has been asked a few times, "How do I go about building an SQL string with CFQUERYPARAMs in it?" Unfortunately, if you have chosen this approach it's going to be difficult to help you without seriously refactoring your code. Here's a few tips that can help, and one approach that might get you most of the way there.


SQL Injection Part II (Make Sure You Are Sitting Down)

Back in February I wrote a blog post on SQL Injection that included an example of how a malicious user might inject into a character field even though ColdFusion escapes single quote marks. The attack involved other forms of escaping single quotes - and was effective against MySQL. This week I stumbled upon (more like a train wreck) an attack that is much more sophisticated - and also involves injection into a character field. I am told that others have discovered and written on this attack over the last few weeks - but I was unaware of it until a customer of ours was victimized. Amazingly, the specific real world attack I discovered and fixed allowed the hacker to append a string to every char column in every table of the database. It was so pervasive it left me wondering if it was SQL injection at all - until I found a URL entry that looked something like this:


Webmaniacs - Cryptography and Dentistry

On Tuesday I took in a workshop on Cryptography by Dean Saxe. Dean is an impressive character with a head stuffed full of knowledge and spilling out everywhere. He obviously knew what he was talking about. As a topic, cryptography is so impossibly complicated and intricate that he could not do it justice in a 50 minute session. Most discussions about cryptography center around keys, algorithms and best practices - and this was no exception. Dean recommended against relying on CF's own encrypt and decrypt functions for anything but the most rudimentary encryption. In fact, he probably didn't even go that far. That tidbit of advice is common from almost every security pro I have ever heard mention the subject. When it came to discussing keys it was like a trip to the dentist.


Disabling Backslash Escaping in MySQL

For muse readers who read my previous post on SQL injection examples that use character rather than numeric fields, I offer this tip I picked up on CF-Talk from Azadi Saryev. It appears you can disable the ability to escape special characters using the backslash. Here is the exact note from Azadi.


SQL Injection Using a Character Field

Ok, I admit it. Most of the examples of SQL injection that I give use a numeric field. Why? Because to inject using a character field requires manipulating single quotes. Since Coldfusion escapes single quotes automatically when using the cfquery tag these attacks are much more difficult to pull off. It may surprise you to know that your character fields can still be vulnerable and it is my belief that you should still use CFQueryparam. In fact, one of the attacks below can work even if you do use cfqueryparam. Check it out.


Does CFArgument Typing Protect Against SQL Injection

This question was asked on one of the several lists to which I subscribe. The author wanted to know if he needed to do anything else as long as he was specifying the "type" attribute of the Cfargument tag - or was that sufficient protection against the dreaded SQL Injection Attack (see my previous post on Application Security). Like the Elves of the Shire my answer is both yea and nay. Consider this example:


Web Logs and Security - Do You Know What's in Your Log Files?

So you have a new ecommerce application eh? You say you've done your homework. You are using a reputable gateway. You think you are PCI compliant. You are not storing Credit card numbers anywhere and you are using SSL (plus you have new snazzy haircut). Life is good. Hmmmm.... do you ever stay awake at night wondering if you forgot something? One of the things that you might have overlooked is the web log files. I'm sure you are aware of these files... the ones that your customer is always running reports on so he can marvel at the ip geocoding and exclaim "Well would you look at that" about the 4 people from Uzbekistan that visited the site yesterday. Web logs come in a number of flavors, but most of them are able to track the URL "query_string" variable in the log. Many of them are set up this way by default. This can be helpful to figure out traffic patterns. If you handle credit cards a certain way however, they can lead to the pit of despair. Take this example....


Handling Credit Card Data and PCI Compliance

Muse Reader Asks:
"I thought I would ask your opinion on how to use CF as a front-end to SQL database with CC information and still be compliment with PCI standard 10.2 and 10.3. We are going to have an appliance to capture and store the information needed by the auditors. But I can't have everything showing up as the CF service."

I asked my good friend Brian Harvey from Studio Cart to answer this question. He has been a good resource for us on the pitfalls of working with Credit Card data and PCI compliance. His response is quite informative.


More Entries

Blog provided and hosted by CF Webtools. Blog Sofware by Ray Camden.