ColdFusion SQL Injection Troubles

29 Aug, 2008  |  Written by  |  under ColdFusion

This has been an issue for a long time, but in the past few weeks we’ve started to see automated attacks against ColdFusion sites that try to inject rogue SQL through form fields, URL parameters and other request values.  Ugh.  I’ve been working with a great piece of code called Portcullis, but it has a few rough edges that make it hard to deploy.  Portcullis is a request filter: it scans the url, form and cookie scopes before the page runs and blocks the client address once it sees something that looks like injection.  That makes it a layer in front of the application, not a replacement for binding every request value with cfqueryparam in the queries themselves.  Here’s my application.cfm, in case it’s useful for anybody else fighting this:

<cftry>
	<!--- Create the scanner once per application. Appending ?reset to any URL
	      re-creates it; anyone can do that, so if the block list lives in the
	      object it can be cleared by any visitor. --->
	<cfif not isDefined("application.Portcullis") or isDefined("url.reset")>
		<cfset application.Portcullis = createObject("component", "com.fusionlink.Portcullis").init() />
	</cfif>

	<!--- Scan every request scope the client controls, tagging hits with the client address. --->
	<cfset application.Portcullis.scan(url, "url", cgi.remote_addr) />
	<cfset application.Portcullis.scan(form, "form", cgi.remote_addr) />
	<cfset application.Portcullis.scan(cookie, "cookie", cgi.remote_addr) />

	<!--- Blocking is keyed on cgi.remote_addr. Behind a proxy or load balancer
	      that is the proxy's address, so one blocked attacker blocks everyone. --->
	<cfif application.Portcullis.isBlocked(cgi.remote_addr)>
		Sorry, there was an error detected.
		<cfmail from="you@you.com"
		        to="you@you.com"
		        subject="SEI Portcullis: User Blocked" type="html">
			<cfdump var="#cgi#" />
		</cfmail>
		<cfabort />
	</cfif>

	<!--- Any failure inside the scanner is mailed out instead of reaching the visitor.
	      Note that the request continues after the catch, so a scanner failure fails open. --->
	<cfcatch type="any">
		<cfmail from="you@you.com"
		        to="you@you.com"
		        subject="SEI Portcullis Threw Exception" type="html">
			<a href="http://#CGI.SERVER_NAME##CGI.SCRIPT_NAME#?#CGI.QUERY_STRING#">Page URL</a>
			#cfcatch.message# <br />
			detail: #cfcatch.Detail# <br />
			<cfif isDefined("cfcatch.SQLState")>
				sqlstate: #cfcatch.SQLState# <br />
			</cfif>
			type: #cfcatch.Type# <br />
			<cfdump var="#cgi#" />
		</cfmail>
	</cfcatch>
</cftry>
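The gate above stops requests that look like injection; it does nothing for a query that still concatenates request values into SQL text. The following is an added example, not code from this post or from Portcullis, showing the kind of query those automated attacks go after beside its cfqueryparam form. The "products" table and its columns, the "myDSN" datasource and the url.id and url.q parameters are assumed for illustration.

```cfml
<!--- Added example, not code from the post or from Portcullis.
      The "products" table, its columns, "myDSN" and the url.id / url.q
      parameters are assumed for illustration. --->

<!--- VULNERABLE: the request value is spliced into the SQL text.
      ColdFusion doubles single quotes in #...# inside cfquery, so the
      weak spot is the unquoted numeric id: ?id=1 OR 1=1 returns every row,
      and ?id=1;DELETE FROM products runs a second statement if the driver
      and datasource settings allow multiple statements. --->
<cfquery name="getProduct" datasource="myDSN">
    SELECT id, name, price
    FROM products
    WHERE id = #url.id#
</cfquery>

<!--- HARDENED: cfqueryparam sends the value as a typed bind parameter, so
      the database never parses it as SQL. ?id=1 OR 1=1 now fails the
      cf_sql_integer type check before the query is sent. --->
<cfquery name="getProduct" datasource="myDSN">
    SELECT id, name, price
    FROM products
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Strings get the same treatment; maxlength caps what the client can send. --->
<cfquery name="searchProducts" datasource="myDSN">
    SELECT id, name, price
    FROM products
    WHERE name LIKE <cfqueryparam value="%#url.q#%" cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>
```

With the hardened form in place, the Portcullis block and the bind parameter work together: a scanner miss still leaves the attacker's value bound as data, and a scanner hit keeps the noise and the mail alerts down.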

One Response so far

  1. His_wife34  |  October 23rd, 2009 at 7:33 am

    Thanks for a remarkably informative post.
