As of this writing, a particularly virulent SQL injection spider attack is largely targeting sites running ColdFusion.
Here's how the attack appears in server logs:
The injected code creates a cursor over all the user tables and all the character columns in the database. It then appends a string to each of those columns, making an ungodly mess.
Mark Kruger's post goes into a great deal of helpful detail about how this spider operates. If you do a Google search on this attack, you will quickly get a feeling for how widespread this is.
If your site is getting hammered, and you need to buy time while you fix vulnerable code, there are scripts such as this one posted in ColdFusion Developer's Journal on August 8, 2008, which can be modified to thwart this most recent attack thus.
Be aware that this only buys time. The most effective course is to make sure your queries are protected with cfqueryparam. Ben Forta's primer on cfqueryparam provides a very good start on protecting code from SQL injection scripts. While you're fixing your queries, don't forget the ORDER BY clause, another frequently overlooked vulnerability.
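As an added example (not code from the original post, from Ben Forta's primer, or from any of the linked scripts), here is the same query written first in the vulnerable string-interpolation style and then with cfqueryparam. The ORDER BY column is handled separately because cfqueryparam binds values, not identifiers: a parameterized ORDER BY sorts by a constant, so the column name has to be checked against a list you control. The table and column names (products, productID, name, price, categoryID), the application.dsn datasource, and the url.id, url.q and url.sort parameters are assumed for illustration.

```cfml
<!--- Added example. Table, column and URL parameter names are assumed. --->

<!--- BEFORE: url.id, url.q and url.sort are concatenated straight into the
      SQL, so a crafted value becomes part of the statement instead of data.
      This is the pattern the spider is looking for. --->
<cfquery name="getProductsUnsafe" datasource="#application.dsn#">
    SELECT productID, name, price
    FROM products
    WHERE categoryID = #url.id#
      AND name LIKE '%#url.q#%'
    ORDER BY #url.sort#
</cfquery>

<!--- AFTER: values are bound with cfqueryparam. The driver receives them as
      typed parameters and never parses them as SQL; cf_sql_integer also
      rejects anything that is not a whole number. --->

<!--- ORDER BY cannot be parameterized, so pick the column from our own list
      and fall back to a default when the request names anything else. --->
<cfset allowedSorts = "name,price,productID">
<cfset sortColumn = "name">
<cfif structKeyExists(url, "sort")>
    <cfset sortPos = listFindNoCase(allowedSorts, url.sort)>
    <cfif sortPos GT 0>
        <!--- Copy the entry from our list rather than echoing url.sort back --->
        <cfset sortColumn = listGetAt(allowedSorts, sortPos)>
    </cfif>
</cfif>

<cfquery name="getProducts" datasource="#application.dsn#">
    SELECT productID, name, price
    FROM products
    WHERE categoryID = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
      AND name LIKE <cfqueryparam value="%#url.q#%" cfsqltype="cf_sql_varchar">
    ORDER BY #sortColumn#
</cfquery>
```

The LIKE wildcard goes inside the parameter value rather than around the tag, so the whole pattern travels as one bound string. Any query that still contains a bare #variable# after this pass, inside the SQL text and outside a cfqueryparam tag, is one to look at again.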
Checking all your queries can be time-consuming if you have a large amount of ColdFusion code to wade through, not to mention nerve-racking if you are doing so while the attacks are rolling in. Fortunately there are tools such as QueryParam Scanner that will peruse your code and return a list of any unprotected queries. Unzip this application and place it in a directory in the Web root of your development server. Go to the application in a Web browser, follow its directions, and you will quickly have a report of any vulnerable queries.
- For more links on this particular attack and how to thwart it, go to http://delicious.com/rpruyne/coldfusion.