Jared Rypka-Hauer, Lead ColdFusion Developer, Minneapolis, MN

July 23, 2008
This just in from 0x000000 # The Hacker Webzine via Ben Forta's blog: an article that is both called and about Attacking ColdFusion.

I find this to be very significant on several points:

  • Even according to the hackers, diligent use of cfqueryparam makes SQL injection largely impossible
  • The only real hacking info is about SQL Injection, most critically IIS (because apparently with IIS you can use SQL injection to launch the CMD shell!)
  • The other thing that's noted is some of the CFIDE stuff, like the component explorer
  • They do mention that raw error messages expose a great deal of information that can be used to attack your application.
  • Simply the fact that they noticed CF is pretty big news, IMO... it's like a Mac hack: so far it just hasn't been mainstream enough to bother. In a way, we've arrived.

So what did we learn from their article? A few more bullets are in order:

  • Use CFQUERYPARAM religiously or be sorry.
  • IIS has some inherent (and scary) vulnerabilities via SQL injection, so it's not just your DB at risk.
  • Never, ever, EVER leave the ColdFusion Administrator or component explorer available on a production server
  • ColdFusion, because of its J2EE roots and its design, is a stable, secure platform without a great number of significant vulnerabilities... and the ones that are there are mostly the fault of the application developer misusing the platform, not ColdFusion itself
  • Due to the massive spate of SQL injection attacks on ColdFusion applications in the last 2 weeks, people are paying attention to us...
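As an added illustration (not code from the post or from the article it links), here is the pattern the bullets describe: a cfquery that drops a URL parameter straight into the SQL text, beside the same query using cfqueryparam. The datasource name, table and column names are assumed.

```cfml
<!--- Vulnerable: url.id is interpolated directly into the SQL string,
      so whatever arrives in the URL becomes part of the statement.
      "myDSN", "users" and the column names are assumed for this example. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT user_id, username, email
    FROM users
    WHERE user_id = #url.id#
</cfquery>

<!--- Hardened: the value is sent to the database as a bound parameter,
      never concatenated into the statement. cf_sql_integer also makes
      ColdFusion reject a non-integer value before the query is executed. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT user_id, username, email
    FROM users
    WHERE user_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String columns get the same treatment; maxlength caps the input size
      so an oversized value is refused rather than passed along. --->
<cfquery name="findUser" datasource="myDSN">
    SELECT user_id, username
    FROM users
    WHERE username = <cfqueryparam value="#form.username#"
                                   cfsqltype="cf_sql_varchar"
                                   maxlength="50">
</cfquery>
```

The type check on cf_sql_integer is what makes the "un-parameterized numeric variable" case safe: a numeric column compared against a bare #variable# has no quotes to escape, so parameterizing it is the only reliable fix.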

Well folks, this is good news and bad news. The bad news is that we're no longer invisible, so we're going to have to be better at our jobs and follow best practices diligently. The good news, though, is that we're actually gaining ground in terms of market share and attention. When hackers start paying attention, the rest of the world tends to take notice as well!

Or at least that's how I see it...

Laterz!

Comments

Yeah, I've been watching the attacks carefully. It is sort of a cool thing to have received the attention, but I hope people wake up and learn how to secure their code-- it's a jungle out there. :)

Also, what about IIS can make SQL injection easier? I think the point may actually have been MS SQL (which requires Windows, as does IIS). MS SQL does stuff with the command shell that DBMSs like MySQL don't offer.

I was reading an interesting article the other day talking about how the older versions of MySQL were harder to hack. Not because they were more secure-- just because they were so basic there weren't as many options for hackers to exploit like INFORMATION_SCHEMA and such.


I'm thinking that they meant using CF+IIS to trigger stack overflows in SQL Server to use built-in commands like execute() to launch system processes. I'm also assuming that they said IIS because it's the most common web server in a Windows-based server stack. My assumption is that even if you swapped Apache for IIS, SQL Server is the culprit when it comes to certain SQL injection attacks.


I think that is the case-- the exploits really lie in MS SQL server, and IIS just happens to be an accomplice most of the time. It kind of bugs me though because I've seen that turn into an "apache is therefore better" spin and that's really not true.

Also, I don't think they need anything as fancy as a stack overflow to do dirty things-- they just need an un-parameterized numeric variable in a cfquery.


I hate SQL - I just have never gotten the hang of it - I can read php but.... I hate it... sigh... I'm slinking off....

