04-08-2010, 06:49 AM | #1
Carnage04
Join Date: Apr 2010
Posts: 1
Securing a Cold Fusion Web Site

I recently inherited administration of a Cold Fusion driven Web Site. The Site has around 750 different pages/support files associated with it. It was written by a "Professional" development company two years ago. I do know some other languages but I am pretty new to Cold Fusion. I have written/reworked a few of the pages but by no means am I completely familiar with large portions of the site.

Just this week, our site was attacked by hackers. Large amounts of data were deleted, links were replaced by links to malware. I knew what that meant... SQL Injection. I found the page they were hitting and it was pretty obvious when I looked at it. An Integer variable was being passed via URL with no Parameter/Val() to keep it from being abused. So much for the Professional development house. I knew of a few other places where variables were being passed via URL and checked them out. Same thing. I restored the site from backup and fixed the vulnerabilities.

However, now I am responsible for a web site whose creators obviously had a dubious grasp of web security practices. Needless to say I am very nervous about the security of the rest of the pages. Does anyone have any suggestions about the best way to test for exploitable pages on a ColdFusion site? Software I might run, companies I may contact, things I might read, best practices, anything? Any input I could get would be greatly appreciated.
04-08-2010, 10:22 PM | #2
Jt107
Join Date: Nov 2002
Posts: 29
Here are some links on prevention of data injection, not sure if that is what you are looking for.
http://www.dreamweavercoldfusion.com...injection.html
http://www.hosting.com/support/cfusion/cfsqlinjection/
http://br.sys-con.com/node/165921
http://www.coldfusioncookbook.com/en...ection-attacks

Hope it helps.
04-09-2010, 06:33 AM | #3
Gjslick
Join Date: Feb 2009
Location: NJ, USA
Posts: 476
Definitely use <cfqueryparam> for input values in dynamic SQL (with the <cfquery> tag). This will prevent SQL injection attempts.

<cfqueryparam> automatically escapes quote characters for strings (varchar), and can also be set to only allow numeric values as well. Example:
Code:
<cfquery name="myQuery" datasource="db">
    SELECT col FROM table
    WHERE someString = <cfqueryparam value="#url.someString#" cfsqltype="CF_SQL_VARCHAR">
</cfquery>
No matter what I put in the URL string with any injection attempt, <cfqueryparam> will make it look like all one value to the database.

Even if I put in: &someString='; DELETE FROM users
Then the resulting SQL will look like this:
Code:
SELECT col FROM TABLE
WHERE someString = '''; DELETE FROM users'
Here, the quotes have been escaped, and the rest of the "SQL" just becomes a normal string value to compare the someString column to, as far as the database is concerned.

http://help.adobe.com/en_US/ColdFusi...2c24-7f6f.html

-Greg
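As an added example that is not part of the thread, here is the integer-from-URL case the original poster describes, shown as the unsafe concatenation next to the validated cfqueryparam form Greg recommends; the datasource, table and column names are assumed.

```cfml
<!--- Added example, not code from this thread. Datasource "db", table
      "articles" and its columns are assumed names for illustration. --->

<!--- VULNERABLE: url.id is pasted into the statement unchanged, so any
      text appended to a valid id becomes part of the SQL that runs. --->
<cfquery name="getArticle" datasource="db">
    SELECT id, title, body
    FROM articles
    WHERE id = #url.id#
</cfquery>

<!--- HARDENED: default the parameter, validate it before it reaches the
      database, then bind it with cfqueryparam so the driver only ever
      sees a single integer value, never SQL text. --->
<cfparam name="url.id" default="0">
<cfparam name="url.q" default="">

<cfif NOT isValid("integer", url.id)>
    <!--- reject bad input with a clean 400 instead of a driver error --->
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<cfquery name="getArticle" datasource="db">
    SELECT id, title, body
    FROM articles
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String input is bound the same way; maxlength adds a length check on
      top of the quoting that cfqueryparam already performs, and the
      LIKE wildcards are built into the bound value rather than the SQL. --->
<cfquery name="findArticles" datasource="db">
    SELECT id, title
    FROM articles
    WHERE title LIKE <cfqueryparam value="%#url.q#%"
                                   cfsqltype="cf_sql_varchar"
                                   maxlength="100">
</cfquery>
```

With cf_sql_integer, a non-numeric value that slips past the isValid check is rejected by cfqueryparam itself before any SQL is sent, so the two checks together give a clean error path and a hard stop.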