verynx strikes
24 Jul 2008
Unfortunately some of our sites were not immune to this attack, because apparently these are older apps built in the days when cfqueryparam either didn't exist or was not widely used.
I am just wondering whether this is a case where ColdFusion developers take security for granted because ColdFusion is meant to be secure, right? I mean, you did pay for the server. I remember back in my PHP days, when we had to write our own sanitizer to handle form inputs, because we knew security was an issue with PHP.
Although it's easy to get angry with the attackers, not having your application secured thoroughly is also plain silly. You are asking for it, and you get it served.
There is no longer any excuse for not using <cfqueryparam>; at least now everyone sees the need for it.
A simple short-term solution for the moment is to filter SQL keywords in the URL and FORM scopes (variants of EXEC especially). A longer-term solution would be to scan the older applications for queries that do not use cfqueryparam and make cfqueryparam mandatory from now on.
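As an added example (not from the original post), here is a small Python scanner for that longer-term step: it walks every <cfquery> block and reports each #variable# that is interpolated straight into the SQL rather than passed through <cfqueryparam>. The sample CFML is constructed for the demonstration, and the regexes are a heuristic, not a full CFML parser.

```python
import re

# Each <cfquery ...> ... </cfquery> block; CFML tag names are case-insensitive.
CFQUERY_RE = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.IGNORECASE | re.DOTALL)
# A <cfqueryparam ...> tag; a value interpolated inside it is bound as a parameter.
CFQUERYPARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.IGNORECASE)
# A CFML interpolation such as #url.id# or #form.status#.
INTERP_RE = re.compile(r"#([^#\n]+)#")

def find_unparameterized_queries(cfml_source):
    """Return (line_number, expression) for every #expression# that sits inside a
    <cfquery> block but outside any <cfqueryparam> tag, i.e. raw SQL concatenation."""
    findings = []
    for query in CFQUERY_RE.finditer(cfml_source):
        body = query.group(1)
        body_offset = query.start(1)
        # Character ranges of the body covered by a cfqueryparam tag are safe.
        safe_spans = [(m.start(), m.end()) for m in CFQUERYPARAM_RE.finditer(body)]
        for interp in INTERP_RE.finditer(body):
            if any(start <= interp.start() < end for start, end in safe_spans):
                continue
            line = cfml_source.count("\n", 0, body_offset + interp.start()) + 1
            findings.append((line, interp.group(1).strip()))
    return findings

# Constructed sample: one legacy query and one only partially converted query.
SAMPLE_CFML = """<cfquery name="getUser" datasource="app">
  SELECT * FROM users WHERE id = #url.id#
</cfquery>
<cfquery name="getOrder" datasource="app">
  SELECT * FROM orders
  WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    AND status = '#form.status#'
</cfquery>
"""

if __name__ == "__main__":
    for line, expr in find_unparameterized_queries(SAMPLE_CFML):
        print(f"line {line}: #{expr}# is concatenated into SQL; wrap it in <cfqueryparam>")
```

Run it over the contents of each .cfm and .cfc file; an interpolation inside a quoted string literal is still reported, since quoting alone does not prevent injection.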
Come to think of it, this was a very clever attack and quite harmless in a way: no dropped tables or anything nasty like that. It served as a timely reminder for us (and for me as well) not to take security for granted on whatever platform you are developing. Thank you, hacker, but I hope you go to jail for this.