Rash of Attacks Target ColdFusion

In the last few days there has been a rash of attacks seemingly targeted at ColdFusion. More specifically, at older ColdFusion applications/sites that do not use parameterized queries via cfqueryparam and/or do not properly validate incoming URL parameters.

The classic example being:


<cfquery name="myquery" datasource="#request.dsn#">
Select * from mytable
where id = #url.id#
</cfquery>

The above code snippet is particularly vulnerable to SQL injection: whatever arrives in the id URL parameter is pasted straight into the SQL text, so an attacker can append SQL statements of their own to the query.

The attack making its rounds injects a SQL script that, once executed, walks the sysobjects and syscolumns system tables of SQL Server looking for every varchar (character-typed) column in every user table in the database.

It then loops through all of those columns and appends a <script> tag pointing to a JavaScript file on a Chinese domain to every value (I was unable to access the .js file to see what it contained; the site was unreachable when I tried).
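The enumerate-every-text-column step is also what the cleanup scripts mentioned in the comments below rely on: find every character-typed column, look for the appended tag, and strip it. The following is an added example written for this post (not code from the post, the attack, or any of the cleanup tools). It is in Python against an in-memory SQLite database so it runs offline; SQLite's sqlite_master catalog and PRAGMA table_info stand in for SQL Server's sysobjects and syscolumns, the sample tables and rows are constructed, and the script domain is a placeholder, not the real one.

```python
import re
import sqlite3

# Shape of the appended tag described in the post. The domain in the sample data
# below is a placeholder (assumption), not the one seen in the attack.
SCRIPT_TAG_RE = re.compile(r'<script src="?[^"<>]*"?></script>', re.IGNORECASE)


def make_infected_db():
    """Constructed sample database with two tables that have had the tag appended."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, title VARCHAR(100), price REAL)")
    conn.execute("CREATE TABLE pages (slug VARCHAR(50), body TEXT)")
    tag = '<script src="http://example.invalid/x.js"></script>'
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "Widget" + tag, 2, ), (2, "Gadget", 3.0)][:0] or
                     [(1, "Widget" + tag, 9.5), (2, "Gadget", 3.0)])
    conn.execute("INSERT INTO pages VALUES (?, ?)", ("home", "Welcome" + tag))
    conn.commit()
    return conn


def text_columns(conn):
    """Every character-typed column of every user table, as (table, column) pairs.
    On SQL Server the attack and the cleanup scripts get the same list by joining
    sysobjects to syscolumns; here the SQLite catalog plays that role."""
    cols = []
    for (table,) in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'"):
        # Identifiers come from the catalog, not from user input, so quoting them
        # into the PRAGMA text is safe here.
        for cid, col, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
            if re.search(r"char|text|clob", ctype or "", re.IGNORECASE):
                cols.append((table, col))
    return cols


def find_injected(conn):
    """Locate rows whose text columns contain a <script tag: (table, column, rowid)."""
    hits = []
    for table, col in text_columns(conn):
        for rowid, _value in conn.execute(
                f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE ?', ("%<script%",)):
            hits.append((table, col, rowid))
    return hits


def clean(conn):
    """Strip the appended tag from every affected value; returns the number of cells fixed."""
    fixed = 0
    for table, col in text_columns(conn):
        rows = conn.execute(
            f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE ?', ("%<script%",)).fetchall()
        for rowid, value in rows:
            new_value = SCRIPT_TAG_RE.sub("", value)
            if new_value != value:
                conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?', (new_value, rowid))
                fixed += 1
    conn.commit()
    return fixed


if __name__ == "__main__":
    db = make_infected_db()
    print("text columns:", text_columns(db))
    print("injected cells:", find_injected(db))
    print("cleaned:", clean(db))
    print("remaining:", find_injected(db))
```

Run find_injected first and review the hits before running clean: the regex only removes the one tag shape shown, so a value that legitimately contains markup is left alone, and anything the pattern does not match stays visible in the hit list for manual follow-up.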

The first thing to do to protect yourself from this type of attack is to use the cfqueryparam tag in every query that uses URL or form variables (or any other user-supplied value).

The above query using cfqueryparam would look like:


<cfquery name="myquery" datasource="#request.dsn#">
Select * from mytable
where id = <cfqueryparam value="#url.id#" cfsqltype="CF_SQL_BIGINT">
</cfquery>

With cfsqltype set to CF_SQL_BIGINT, ColdFusion rejects a non-numeric value before the query ever reaches the database, and the value is sent as a bind parameter rather than being pasted into the SQL text.
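To make the difference between the two queries concrete, here is an added example (written for this post, not ColdFusion code and not from the post's author) that reproduces both behaviours in Python against an in-memory SQLite table. The table and rows are constructed; vulnerable_lookup is the "where id = #url.id#" pattern, and parameterized_lookup is the equivalent of cfqueryparam with CF_SQL_BIGINT: validate that the value is an integer, then bind it.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data standing in for the post's "mytable"."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO mytable VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def vulnerable_lookup(conn, url_id):
    """Equivalent of "where id = #url.id#": the raw request value is pasted into
    the SQL text, so whatever it contains becomes part of the statement."""
    sql = "SELECT id, name FROM mytable WHERE id = " + url_id
    return conn.execute(sql).fetchall()


def parameterized_lookup(conn, url_id):
    """Equivalent of <cfqueryparam cfsqltype="CF_SQL_BIGINT">: the value must be
    an integer and is bound as a parameter, never concatenated into the SQL."""
    if not re.fullmatch(r"-?\d+", url_id.strip()):
        raise ValueError("id must be an integer, got %r" % url_id)
    return conn.execute("SELECT id, name FROM mytable WHERE id = ?",
                        (int(url_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "2"))            # [(2, 'bob')], the intended row
    print(vulnerable_lookup(db, "2 OR 1=1"))     # tautology: all three rows
    # Schema enumeration through the same hole; sqlite_master is SQLite's
    # counterpart to the sysobjects catalog the attack on the page walks.
    print(vulnerable_lookup(db, "0 UNION SELECT name, sql FROM sqlite_master"))
    print(parameterized_lookup(db, "2"))         # [(2, 'bob')]
    try:
        parameterized_lookup(db, "2 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)                  # never reaches the database
```

SQLite's execute() runs a single statement, so a stacked payload ("1; UPDATE ...") is refused here; on SQL Server, which executes stacked statements in one batch, the same concatenation pattern is exactly what lets the attack described above run its cursor script after the intended SELECT.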

Secondly, be smart about your datasources: create a specific database user for your application that is restricted to only the rights it needs to do its job. This particular attack needs UPDATE rights on every table it touches, so an account limited to the tables and operations the application actually uses blunts it. Giving every ColdFusion datasource admin rights is asking for trouble.

Thirdly, don't give a potential attacker any information about your server. Catch all errors with a site-wide error handler (onError in Application.cfc, or cferror) and display a generic error message; the detailed message otherwise reveals the database type, table and column names, and the exact SQL that failed. At the very least, turn off detailed error and debugging output on your production server.

It might be time to look again at some of those old applications you wrote years ago and check that you aren't vulnerable.

Happy Coding...

12 Comments to "Rash of Attacks Target ColdFusion"
Katie: Tell me about it - having a nightmare trying to sort out our websites! Urgh, oh well, lesson learnt, cfqueryparam all the way!
# Posted By Katie | 7/23/08 3:10 PM
Gary Gilbert: There are a few SQL/CF scripts floating around that will clean up your DB automatically using the same technique that the attack used.
# Posted By Gary Gilbert | 7/23/08 4:36 PM
Joshua Cyr: Was it really just focused on CF? I hadn't seen that suggestion before.
# Posted By Joshua Cyr | 7/23/08 5:53 PM
Gary Gilbert: Josh,

I noticed an entry on scansafe.com's blog that specifically mentions ColdFusion. As far as attacks go, I haven't heard of any PHP sites being hit by the attack. It's quite possible that the automated attack went just after .cfm pages. Either that or PHP doesn't have an SQL-injection weakness (which I know isn't the case).
# Posted By Gary Gilbert | 7/23/08 6:00 PM
Joshua Cyr: Interesting. Thanks Gary!
# Posted By Joshua Cyr | 7/23/08 6:12 PM
Eric: It actually started out targeting classic ASP about 3 weeks ago, and it's just now evolved to hitting CF. To be honest, I think it's really targeting MS SQL Server, and it's making its rounds through any of the server-side languages.
# Posted By Eric | 7/23/08 6:33 PM
Steve Bryant: Here is a link to one of the tools that Gary mentioned:
http://qpscanner.riaforge.org/

(thanks to Brad Wood for the recent blog entry on this)
# Posted By Steve Bryant | 7/23/08 6:41 PM
Anthony: Am I correct in thinking this is an MS SQL problem, and something MySQL is immune to? I have never been able to break MySQL with these injection attacks. If it is possible to cause grief with MySQL, can someone give me an example?
# Posted By Anthony | 7/23/08 6:49 PM
Joshua Cyr: While the current attack is MSSQL-specific (from what I read), SQL injection can indeed work on MySQL.
# Posted By Joshua Cyr | 7/23/08 6:53 PM
Gary: This particular attack, as Josh mentioned, will only work on MSSQL, as I don't believe MySQL has the same sys tables structure (I would find that rather odd if it did), or supports the exec command the same way as MSSQL.
# Posted By Gary | 7/23/08 7:34 PM
Scott Bennett: Someone was trying to use SQL injection on one of my sites on 7/12/2008 at about 9:30pm. I have used cfqueryparam and other methods to stop SQL injection attacks and display a nice friendly error message to the user. I also have my system set up to notify me via email if a particular error is occurring repeatedly, so when I saw a bunch of these errors coming from the same IP (58.186.123.178) I blocked that IP by redirecting all requests from that IP to a page with a not-too-friendly message telling them to stop trying to SQL inject my site, and the requests all stopped shortly thereafter. The requests were coming fast enough that it was definitely scripted and nobody probably read my message, but it made me feel better anyway =).
# Posted By Scott Bennett | 7/23/08 8:06 PM
Joe Ravgiala: How did you do that? Detecting the IP and sending info off. I've noticed it's happening on IIS/MSSQL sites everywhere that may or may not have ColdFusion. Any other tips to consider?
# Posted By Joe Ravgiala | 8/22/08 2:11 PM
