Coldfusion and MSSQL database security

#1 lanzd
Posted 05 March 2012 - 10:37 AM

I have an account on a coldfusion/MSSQL shared server hosting service and have been targeted by what I believe to be a SQL injection attack. I have an absolute path to a javascript file in nearly every field of every table. It seems the script hides the majority of the text and features on every page it is on. I'm lucky enough to be able to restore the database to a reasonable point, but I need to prevent this from happening again. Is there anything else I can do besides <cfqueryparam></cfqueryparam> ?

#2 groovicus

Posted 05 March 2012 - 03:34 PM

Sanitize all input before inserting it into the database. Of course, this is assuming that your web pages even have a way for users to input text.

#3 lanzd

Posted 05 March 2012 - 03:45 PM

Yeah, that's what I believe <cfqueryparam> does. But apparently that wasn't enough. Looking around on the internet I've found other ways of authenticating the data. Some include generating a random number, encrypting it, and then setting it to a session variable AND a hidden form field. Then go ahead and check if the two match on the receiving page. Among others. But a lot of the solutions I have found require some server tweaking and this is a shared server host, so that isn't really all that possible. But you gotta do what you gotta do :). Thank you.

#4 groovicus

Posted 05 March 2012 - 04:21 PM

You might want to look here also:
http://www.adobe.com/devnet/coldfusion/articles/sql_injection.html
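As an added illustration of the point raised in this thread (example code, not from the thread or from the Adobe article), here is a ColdFusion query written the way that lets appended SQL reach the database, beside the same queries rewritten with cfqueryparam, including the LIKE and IN forms that are most often left unparameterized. The datasource, table and column names are assumed.

```cfml
<!--- VULNERABLE (assumed table "articles"): url.id is spliced into the SQL text,
      so anything a client appends to the id parameter becomes part of the
      statement the database executes. --->
<cfquery name="getArticle" datasource="#application.dsn#">
    SELECT id, title, body
    FROM articles
    WHERE id = #url.id#
</cfquery>

<!--- HARDENED: the value is sent as a typed bind parameter. A non-integer
      value is rejected by ColdFusion before the query ever reaches MSSQL. --->
<cfquery name="getArticle" datasource="#application.dsn#">
    SELECT id, title, body
    FROM articles
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- LIKE searches still need the parameter; put the wildcards in the value,
      not in the SQL, and cap the length the database will accept. --->
<cfquery name="searchArticles" datasource="#application.dsn#">
    SELECT id, title
    FROM articles
    WHERE title LIKE <cfqueryparam value="%#form.q#%"
                                   cfsqltype="cf_sql_varchar" maxlength="100">
</cfquery>

<!--- IN lists: list="true" expands "3,7,12" into one bind parameter per item. --->
<cfquery name="getSelected" datasource="#application.dsn#">
    SELECT id, title
    FROM articles
    WHERE id IN (<cfqueryparam value="#form.ids#"
                               cfsqltype="cf_sql_integer" list="true">)
</cfquery>

<!--- Post-restore check: count rows of an assumed text column that still
      carry an injected script tag, using the same parameterized LIKE form. --->
<cfquery name="findInjected" datasource="#application.dsn#">
    SELECT COUNT(*) AS hits
    FROM articles
    WHERE body LIKE <cfqueryparam value="%<script%" cfsqltype="cf_sql_varchar">
</cfquery>
<cfoutput>Rows still carrying a script tag: #findInjected.hits#</cfoutput>
```

On a shared host the ColdFusion Administrator datasource settings (such as the "Allowed SQL" restrictions) are usually out of your hands, so parameterizing every query in the application, including the ones that only read data, is the control you fully own.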