  1. #1
    New to the CF scene, Join Date Apr 2010

    Securing a Cold Fusion Web Site

    I recently inherited administration of a Cold Fusion driven Web Site. The Site has around 750 different pages/support files associated with it. It was written by a "Professional" development company two years ago. I do know some other languages but I am pretty new to Cold Fusion. I have written/reworked a few of the pages but by no means am I completely familiar with large portions of the site.

    Just this week, our site was attacked by hackers. Large amounts of data were deleted, links were replaced by links to malware. I knew what that meant.....SQL Injection. I found the page they were hitting and it was pretty obvious when I looked at it. An Integer variable was being passed via URL with no Parameter/Val() to keep it from being abused. So much for the Professional development house. I knew of a few other places where variables were being passed via URL and checked them out. Same thing. I restored the site from backup and fixed the vulnerabilities.

    However, now I am responsible for a web site whose creators obviously had a dubious grasp of web security practices. Needless to say I am very nervous about the security of the rest of the pages. Does anyone have any suggestions about the best way to test for exploitable pages on a ColdFusion site? Software I might run, companies I may contact, things I might read, best practices, anything? Any input I could get would be greatly appreciated.

  2. #2
    New Coder, Join Date Nov 2002

  3. #3
    Regular Coder, Join Date Feb 2009, NJ, USA
    Definitely use <cfqueryparam> for input values in dynamic SQL (with the <cfquery> tag). This will prevent SQL injection attempts.

    <cfqueryparam> automatically escapes quote characters for strings (varchar), and can also be set to only allow numeric values as well. Example:
    <cfquery name="myQuery" datasource="db">
        SELECT col FROM table
        WHERE someString = <cfqueryparam value="#url.someString#" cfsqltype="CF_SQL_VARCHAR">
    </cfquery>
    No matter what I put in the URL string with any injection attempt, <cfqueryparam> will make it look like all one value to the database.

    Even if I put in: &someString='; DELETE FROM users
    Then the resulting SQL will look like this:
    WHERE someString = '''; DELETE FROM users'
    Here, the quote character has been escaped (it appears doubled above), and the rest of the "SQL" just becomes a normal string value to compare the someString column to, as far as the database is concerned.
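The integer-via-URL case the original poster found, shown as an added example (not code from either poster): the unparameterised query on the left is the pattern that allowed the injection, the version after it uses <cfparam> and <cfqueryparam> with CF_SQL_INTEGER so a non-numeric value is rejected before it reaches the database. The table and column names, the datasource name "db" and the url.id variable are assumptions for illustration.

```cfml
<!--- BEFORE (vulnerable): url.id is dropped straight into the SQL text.
      A request such as ?id=1;DELETE FROM pages runs as two statements
      on databases that allow batched statements. --->
<cfquery name="getPage" datasource="db">
    SELECT pageID, title
    FROM   pages
    WHERE  pageID = #url.id#
</cfquery>

<!--- AFTER (hardened):
      1. <cfparam type="integer"> throws a ColdFusion error (and so never
         runs the query) if url.id is missing or is not an integer.
      2. <cfqueryparam cfsqltype="CF_SQL_INTEGER"> sends the value as a
         bound integer parameter, so it can never be parsed as SQL. --->
<cfparam name="url.id" type="integer">

<cfquery name="getPage" datasource="db">
    SELECT pageID, title
    FROM   pages
    WHERE  pageID = <cfqueryparam value="#url.id#" cfsqltype="CF_SQL_INTEGER">
</cfquery>

<!--- Optional: handle the bad-input case yourself instead of letting the
      cfparam error page show, which also gives you a log line to watch for. --->
<cftry>
    <cfparam name="url.id" type="integer">
    <cfcatch type="any">
        <cflog file="security" type="warning"
               text="Rejected non-integer url.id from #cgi.REMOTE_ADDR#">
        <cfabort showerror="Invalid page id.">
    </cfcatch>
</cftry>
```

A quick way to audit the rest of the 750 files for the same pattern is to grep for `#url.` and `#form.` occurrences that sit inside a <cfquery> block without a <cfqueryparam> around them.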