Skip to main content
U
UniWebDude
Participant
July 23, 2008
Question

verynx SQL injection attack

  • July 23, 2008
  • 5 replies
  • 671 views
I have tried to submit this in a non-forum fashion, but being as this attack is well published on the internet I thought here is fine.

We are running linux and CF7 into a MSSQL 2000 backend and we have been on the recieving end of several SQL injection attacks. We have taken action to prevent this specific attack but I wondered if there is/will be a patch to remove this vulnerablility from CF7 ?

Details of attack here.

Cheers,
Matt.
    This topic has been closed for replies.

    5 replies

    N
    Newsgroup_User
    Inspiring
    July 25, 2008
    UniWebDude wrote:
    > What you are all saying is of course correct, but we don't live in a perfect world and CF is getting hit hard by this - just google verynx.

    No CF isn't hit hard at all. Seriously, how many sites have been hit
    that you would know about if you didn't go looking for it?

    This attack has been running against the .asp extension since May. It is
    also running against PHP now. And that it is running against multiple
    languages should be enough of an indication that it is not targeting a
    specific bug in a language, but a wrong design pattern in many
    applications that use those languages.

    Jochem

    --
    Jochem van Dieten
    Adobe Community Expert for ColdFusion
    U
    UniWebDudeAuthor
    Participant
    July 24, 2008
    What you are all saying is of course correct, but we don't live in a perfect world and CF is getting hit hard by this - just google verynx.
    K
    Kronin555
    Participating Frequently
    July 25, 2008
    > CF is getting hit hard by this

    That might be true, but the only people that will actually get "hit" by this are ones that wrote code vulnerable to _any_ SQL injection attack. The only difference about this one is it's more automated and widespread.

    Doesn't change the fact that they're exploiting bad coding practices. It has nothing to do with CF, it has everything to do with the coders who wrote the code that is being exploited. This same attack will work against bad code written in other web scripting languages that interact with databases.
    K
    Kronin555
    Participating Frequently
    July 23, 2008
    > I wondered if there is/will be a patch to remove this vulnerablility from CF7 ?

    It's not a vulnerability in CF7. It's a vulnerability of poorly-written code. Anytime you don't validate the data users are submitting before sending it to the database, or use best-practices like cfqueryparam'ing all your query variables, you are vulnerable to this. This isn't unique to CF, it affects ASP.NET, PHP, JSP, etc.
    N
    Newsgroup_User
    Inspiring
    July 23, 2008
    UniWebDude wrote:
    > I have tried to submit this in a non-forum fashion, but being as this attack is
    > well published on the internet I thought here is fine.
    >
    > We are running linux and CF7 into a MSSQL 2000 backend and we have been on the
    > recieving end of several SQL injection attacks. We have taken action to
    > prevent this specific attack but I wondered if there is/will be a patch to
    > remove this vulnerablility from CF7 ?
    >
    > http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065
    >
    > Cheers,
    > Matt.
    >


    Other then the proper usage of the existing <cfqueryparam...> tag. I do
    not and would not expect a patch to come along.
    A
    Anonymous
    July 23, 2008
    The vulnerability isn't necessarily something that you can magically fix in CF7 (or 6, or 5, or 8). If you write code that makes your server vulnerable (no proper bounds checking, etc), then there isn't much CF can do on the back end to stop it.
    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices