Skip to main content

protect your coldfusion site against sql injection attacks

As of this writing, a particularly virulent SQL injection spider attack is largely targeting sites running ColdFusion.

Here's how the attack appears in server logs:


The code creates a cursor of all the user tables and all the character columns in the database. It then appends a string to each of the columns, making an ungodly mess.

Mark Kruger's post goes into a great deal of helpful detail about how this spider operates. If you do a Google search on this attack, you will quickly get a feeling for how widespread this is.

If your site is getting hammered, and you need to buy time while you fix vulnerable code, there are scripts such as this one posted in ColdFusion Developer's Journal on August 8, 2008, which can be modified to thwart this most recent attack thus.

Be aware that this only buys time. The most effective course is to make sure your queries are protected with cfqueryparam. Ben Forta's primer on cfqueryparam provides a very good start on protecting code from SQL injection scripts. While you're fixing your queries, don't forget the ORDER BY clause, another frequently overlooked vulnerability.

It can be time consuming checking all your queries if you have a large amount of ColdFusion code to wade through, not to mention nerve-racking if you are doing so while the attacks are rolling in. Fortunately there are tools such as QueryParam Scanner that will peruse your code and return a list of any unprotected queries. Unzip this application and place it in a directory in the Web root of your development server. Go to the application in a Web browser, follow its directions, and you will quickly have a report of any vulnerable queries.

Popular posts from this blog

Announcing the 45th Eastern Primitive Rendezvous

The 45th Eastern Primitive Rendezvous takes place September 23-October 1, 2022.   For more information, visit the official EPR website and Facebook group . We will be hosting the 45th Eastern Primitive Rendezvous on our family farm, near East Smithfield, PA. The dates are September 23 - October 1, 2022.  This is a living-history event depicting 18th-century activities. Visitors can tour the camp each day from 10 a.m. to 4 p.m.  Tuesday, September 27 is School Tours Day, during which we welcome classes from all of the area schools. Campers need to preregister ( nrlhf.org/pdf/pre-reg.pdf ), and period-correct clothing and gear are required.  For the exact location and more details, visit the  official EPR website  and Facebook group . For those of you who attended the 2017 EPR, this is the same location.

the case for incremental redesign: part i

Consider the dashboard of your automobile. Aside from a number of extras that have crept in over the decades, it's essentially configured the same as the dash of the car you drove as a kid. In fact, the design of the automobile's critical controls hasn't significantly altered since the Model T Ford. It's worked for more than 100 years, and we love it.