Code (not sql) injection by hackers via coldfusion

Explorer, May 26, 2009

Does anyone have any information on how hackers might inject code into my ColdFusion files? I am having a problem with hackers installing JavaScript links to their trojans inside the actual pages of my site. I run the server with many different sites on it and the injections are ONLY happening on the ColdFusion sites. I tried to search for code injection ColdFusion information through the search engines and this forum but didn't find anything. What potential holes in my ColdFusion code would allow a hacker to inject code into the actual files on the server? I am mainly seeing the code injected into application.cfm itself so that the links are displayed on every page. Guess these hackers are familiar with ColdFusion.

Advocate, May 26, 2009

John,

What happens in your Application.cfm file? DB queries? One common defense against XSS is to use CFQUERYPARAM in your queries (makes it tougher for the SQL injection attacks to work).

There are a couple of nice utilities on RIAForge.com that will scan your server for vulnerabilities/protect against XSS, etc.

http://portcullis.riaforge.org/

http://qpScanner.riaforge.org/

Explorer, May 26, 2009

This is not an SQL injection attack. Nothing from the database is being read or displayed. The application.cfm file is actually being edited somehow to include JavaScript calls to trojan software. When I load up application.cfm, the lines have actually been physically added to the file itself.

Enthusiast, May 27, 2009

I've seen these effects before (files being physically modified on the server). A developer machine with FTP access to the files was compromised by a trojan, FTP usernames and passwords were compromised and used by the attacker to connect to FTP, get the files, modify them and upload them back.

Check your FTP logs on the server to confirm this (you should see a download of the file followed quickly by an upload of the file, not necessarily from the same IP address).

Mack
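Mack's check, as an added example that is not code from the thread: a small Python script that scans FTP log lines for a file fetched and then re-uploaded within a short window, even when the two sessions come from different addresses. The log format and the sample lines are constructed here and only loosely modelled on W3C-style FTP logs, so the regex will need adjusting to your server's actual fields.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, loosely modelled on W3C-style FTP server logs
# (date time client-ip user [session]method path status); not real log data.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2009-05-25 03:10:02 198.51.100.7 site1 [1]USER site1 331
2009-05-25 03:10:03 198.51.100.7 site1 [1]PASS - 230
2009-05-25 03:10:09 198.51.100.7 site1 [1]sent /site1/Application.cfm 226
2009-05-25 03:11:41 203.0.113.9 site1 [2]USER site1 331
2009-05-25 03:11:42 203.0.113.9 site1 [2]PASS - 230
2009-05-25 03:11:50 203.0.113.9 site1 [2]created /site1/Application.cfm 226
2009-05-25 09:30:00 192.0.2.20 site2 [3]sent /site2/index.cfm 226
2009-05-25 14:00:00 192.0.2.20 site2 [4]created /site2/logo.gif 226
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\S+) (?P<user>\S+) \[\d+\](?P<method>\w+) (?P<path>\S+) (?P<status>\d+)$"
)

def parse(log_text):
    """Return a list of (timestamp, client ip, user, method, path) for each data line; headers are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if line.startswith("#") or not m:
            continue
        ts = datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["method"], m["path"]))
    return events

def find_download_then_upload(log_text, window=timedelta(minutes=30)):
    """Flag each file fetched ('sent' to the client) and re-uploaded ('created') within
    the window, whatever the session or client address. Returns (path, dl_ip, ul_ip, secs)."""
    findings = []
    last_download = {}  # path -> (timestamp, client ip) of the most recent fetch
    for ts, ip, _user, method, path in parse(log_text):
        if method == "sent":
            last_download[path] = (ts, ip)
        elif method == "created" and path in last_download:
            dl_ts, dl_ip = last_download[path]
            if ts - dl_ts <= window:
                findings.append((path, dl_ip, ip, int((ts - dl_ts).total_seconds())))
    return findings

if __name__ == "__main__":
    for path, dl_ip, ul_ip, secs in find_download_then_upload(SAMPLE_LOG):
        print("%s fetched from %s, re-uploaded from %s %d s later" % (path, dl_ip, ul_ip, secs))
```

Point it at the real log by replacing SAMPLE_LOG with the file contents; a hit on Application.cfm from two different client addresses a minute apart is exactly the pattern Mack describes.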

Explorer, May 30, 2009

I thought it might be an FTP/password crack myself after a virus scan found some password-sniffing trojans. But after cleaning, password sanitizing, and now an entire OS reload, I am sure it's not. Within a couple of hours of the OS reload being complete, the application.cfm files for almost all the ColdFusion sites were updated with a new iframe code and the server was restarted. I'm at my wit's end. My server provider is saying that because the exploit is only taking advantage of the ColdFusion application.cfm files, it must be a code exploit due to poor code, so they're trying to wash their hands of it.

I've ruled out FTP/passwords... I've ruled out a file upload exploit. I have no other idea what other exploit someone could use through ColdFusion to accomplish this... but it also does make sense to me that if it's only affecting the ColdFusion sites, it is probably some kind of ColdFusion exploit -- after all, why not alter the master page on the .NET site or the PHP sites on the server to have similar code.

LEGEND, May 26, 2009

Regarding, "One common defense against XSS is to use CFQUERYPARAM in your queries", the last time I tested this theory, I was able to successfully store javascript in a database and have it execute after selecting it.

Valorous Hero, May 26, 2009

Yes, we are confusing our attack vectors here.

1) SQL injection attacks. This is where <cfqueryparam...> helps. Using this tag will generate prepared SQL statements so the database knows what are SQL commands and what is SQL data, and does not try to run any SQL commands that a hacker attempts to insert into the SQL data.

2) XSS (cross-site scripting) attacks. This is where a hacker inserts JavaScript into a web site so that the script hijacks a visitor and redirects them or delivers undesired content to them.

Where these two cross paths is that the payload of some recent high-visibility SQL injection attacks was XSS scripts inserted into web content data. But this is by no means the only way to insert XSS data into a web site, nor is it the only SQL injection payload that a hacker may choose to use.

Back to the topic of the original post:

The first thing is to confirm that the server itself is locked down. The attackers may have acquired simple FTP, Telnet or other remote access to the site and are capable of modifying the content as they desire. Look at logs, change passwords and/or usernames, and look for un-patched security holes, etc.

A large recent hole was published last week, where Windows IIS servers that have WebDAV enabled can be tricked into allowing access to secured sections outside of the WebDAV directories with special Unicode URL strings.

HTH

Ian
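To make the distinction Ian and Dan are drawing concrete, here is an added Python example (not code from the thread) that uses sqlite3 as a stand-in for <cfquery> with and without <cfqueryparam>: a bound parameter stops the WHERE clause from being rewritten, but it stores a script tag just as faithfully as any other text, so stored XSS is only stopped by encoding on output. The table, rows and probe string are constructed.

```python
import html
import sqlite3

def setup():
    """Constructed in-memory table standing in for a site's content table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    db.execute("INSERT INTO comments (author, body) VALUES ('alice', 'hello')")
    db.execute("INSERT INTO comments (author, body) VALUES ('bob', 'private note')")
    return db

def comments_by_author_unsafe(db, author):
    """SQL built by string interpolation (what a bare #form.author# inside <cfquery>
    does): the value can close the quote and extend the WHERE clause."""
    sql = "SELECT author, body FROM comments WHERE author = '%s'" % author
    return db.execute(sql).fetchall()

def comments_by_author_safe(db, author):
    """Bound parameter, the analogue of <cfqueryparam>: the value travels apart
    from the statement text, so it can only ever be compared as data."""
    sql = "SELECT author, body FROM comments WHERE author = ?"
    return db.execute(sql, (author,)).fetchall()

def store_and_fetch(db, author, body):
    """A parameterised INSERT stores whatever text it is given, script tags
    included, and the SELECT hands it back unchanged: no injection, but stored XSS."""
    db.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))
    return db.execute("SELECT body FROM comments WHERE author = ?", (author,)).fetchone()[0]

def render(body):
    """Output encoding (HTMLEditFormat() in the CFML of that era) is the step that
    keeps stored script from running in the visitor's browser."""
    return "<p>%s</p>" % html.escape(body)

if __name__ == "__main__":
    db = setup()
    probe = "x' OR '1'='1"                     # classic tautology probe, constructed
    print("unsafe:", comments_by_author_unsafe(db, probe))   # every row comes back
    print("safe:  ", comments_by_author_safe(db, probe))     # nothing matches literally
    stored = store_and_fetch(db, "mallory", "<script>alert(1)</script>")
    print("stored verbatim:", stored)
    print("rendered safely:", render(stored))
```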

Advocate, May 26, 2009

My apologies, I meant to write "One common defense against SQL injection attacks is to use CFQUERYPARAM in your queries", not "One common defense against XSS is to use CFQUERYPARAM in your queries". Thanks, Dan.

The first project link (http://portcullis.riaforge.org/) is the one that offers some relief and options for both XSS and SQL injections.

Contributor, May 30, 2009

This is probably what it is.

http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/

Ken Ford
Adobe Community Expert - Dreamweaver/ColdFusion
Adobe Certified Expert - Dreamweaver CS4
Adobe Certified Expert - ColdFusion 8
Fordwebs, LLC
http://www.fordwebs.com
http://www.cfnoob.com

Engaged, Jun 02, 2009

The only way that hackers can modify your ColdFusion Code is to get access to your server so that they can actually modify the CFM and/or CFC files that are stored upon it.  Unfortunately, on a shared-hosting setup that's not terribly difficult to do.  And, most programmers neglect to consider the file access permissions (other than the "x"ecutable bit in Unix/Linux) that they attach to any particular file when they upload them.

You need to be certain that all of the files in your directories, and the directories themselves, are locked-down so that no one can modify them, and so that no one but "you 'n the web server" can see what they contain.  (Remember, shared-hosting companies give away shared-hosting accounts like water, and it's sometimes effortless for "the web-site next door" to see much more than it ought to be able to see... and maybe, to modify something!)

If you're running on a Linux host, see if the server appears to support Access Control Lists (ACLs) and whether you as a secure-shell user can establish them.  If so, this will allow you to restrict access more thoroughly than the "owner/group/world" permissions-mask system would allow.  The equivalent mantra with regards to Windows hosts is different in details only.  One way or the other, implement the "principle of least privilege."

The larger problem, of course, remains with us:  the end-user's computer, and the shameless reality that the aforesaid user is probably an all-powerful Administrator of a Windows "Home Edition" something-or-other ... whose entire system, therefore, is a sitting duck with no backups.   You can't do anything at all about that.
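An added example (not code from the thread) of the lock-down check this post describes, written in Python for a Linux host: it walks a web root and reports every entry that other accounts on the box could write to, plus any ColdFusion source file that any account could read. The sample tree it audits is constructed in a temporary directory, and the "fine" baseline assumes the web server runs under the files' group.

```python
import os
import stat
import tempfile

SOURCE_EXTENSIONS = (".cfm", ".cfc")

def audit_tree(root):
    """Return sorted (relative_path, octal_mode, reason) for entries another account
    on the host could write, and for ColdFusion sources any account could read.
    Symlinks are skipped so a link out of the web root is not followed."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue
            rel = os.path.relpath(full, root)
            perm = oct(stat.S_IMODE(mode))
            if mode & stat.S_IWOTH:
                findings.append((rel, perm, "world-writable"))
            elif mode & stat.S_IWGRP:
                findings.append((rel, perm, "group-writable"))
            elif stat.S_ISREG(mode) and name.lower().endswith(SOURCE_EXTENSIONS) and mode & stat.S_IROTH:
                findings.append((rel, perm, "world-readable source"))
    return sorted(findings)

def build_demo_tree():
    """Constructed sample web root: two sites with deliberately mixed permissions."""
    root = tempfile.mkdtemp(prefix="cfaudit_")
    def put(rel, mode, is_dir=False):
        path = os.path.join(root, rel)
        if is_dir:
            os.mkdir(path)
        else:
            with open(path, "w") as fh:
                fh.write("<!--- constructed placeholder --->\n")
        os.chmod(path, mode)
    put("site1", 0o750, is_dir=True)
    put("site1/Application.cfm", 0o640)   # owner rw, web-server group r: fine
    put("site1/index.cfm", 0o666)         # anyone on the box can rewrite it
    put("site2", 0o775, is_dir=True)      # group can create or replace files here
    put("site2/Application.cfm", 0o644)   # every account can read the source
    return root

if __name__ == "__main__":
    for rel, perm, reason in audit_tree(build_demo_tree()):
        print("%-25s %s %s" % (rel, perm, reason))
```

Run it against the real document root instead of build_demo_tree(); anything reported as writable is a file the "web-site next door" could edit the way this thread's Application.cfm was.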
