Glenn on the Web » ColdFusion http://www.glenncrocker.com Wed, 27 Jan 2010 21:32:17 +0000 http://wordpress.org/?v=2.8.4 en hourly 1 ColdFusion SQL Injection Troubles http://www.glenncrocker.com/2008/08/coldfusion-sql-injection-troubles/ http://www.glenncrocker.com/2008/08/coldfusion-sql-injection-troubles/#comments Fri, 29 Aug 2008 10:34:05 +0000 Glenn Crocker http://www.glenncrocker.com/?p=23 This has been an issue for a long time, but the past few weeks, we’ve started to see some automated attacks against ColdFusion sites trying to inject rogue SQL via forms and other parameters.  Ugh.  I’ve been working with a great piece of code called Portcullis, but it has a few rough edges that make it hard to deploy.  Here’s my application.cfm, in case it’s useful for anybody else fighting this:

<cftry>
	<cfif isdefined("application.Portcullis") eq false or isdefined("url.reset")>
	<cfset application.Portcullis = createObject("component","com.fusionlink.Portcullis").init()/>
	</cfif>

	<cfset application.Portcullis.scan(url,"url",cgi.remote_addr)>
	<cfset application.Portcullis.scan(form,"form",cgi.remote_addr)>
	<cfset application.Portcullis.scan(cookie,"cookie",cgi.remote_addr)>

	<cfif application.Portcullis.isBlocked(cgi.remote_addr) eq true>
	 Sorry, there was an error detected.
	 <cfmail from="you@you.com"
	  to="you@you.com"
	  subject="SEI Portcullis: User Blocked" type="html">
	  <cfdump var="#cgi#"/>
	 </cfmail>
	 <cfabort/>
	</cfif>

	<cfcatch type="any">
	 <cfmail from="you@you.com"
	  to="you@you.com"
	  subject="SEI Portcullis Threw Exception" type="html">
<a href="http://#CGI.SERVER_NAME##CGI.SCRIPT_NAME#?#CGI.QUERY_STRING#">Page URL</a>
#cfcatch.message#
	detail: #cfcatch.Detail# <br />
	<cfif IsDefined("cfcatch.SQLState")>
	sqlstate: #cfcatch.SQLState# <br />
	</cfif>
	type: #cfcatch.type# <br />
	  <cfdump var="#cgi#"/>
	 </cfmail>
	</cfcatch>
</cftry>
]]> http://www.glenncrocker.com/2008/08/coldfusion-sql-injection-troubles/feed/ 1