verynx SQL injection attack

Report · Jul 23, 2008

I have tried to submit this in a non-forum fashion, but being as this attack is well published on the internet I thought here is fine.

We are running linux and CF7 into a MSSQL 2000 backend and we have been on the recieving end of several SQL injection attacks. We have taken action to prevent this specific attack but I wondered if there is/will be a patch to remove this vulnerablility from CF7 ?

Details of attack here.

Cheers,
Matt.

Report · Jul 23, 2008

The vulnerability isn't necessarily something that you can magically fix in CF7 (or 6, or 5, or 8). If you write code that makes your server vulnerable (no proper bounds checking, etc), then there isn't much CF can do on the back end to stop it.

Report · Jul 23, 2008

UniWebDude wrote:
> I have tried to submit this in a non-forum fashion, but being as this attack is
> well published on the internet I thought here is fine.
>
> We are running linux and CF7 into a MSSQL 2000 backend and we have been on the
> recieving end of several SQL injection attacks. We have taken action to
> prevent this specific attack but I wondered if there is/will be a patch to
> remove this vulnerablility from CF7 ?
>
> http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57065
>
> Cheers,
> Matt.
>

Other then the proper usage of the existing <cfqueryparam...> tag. I do
not and would not expect a patch to come along.

Report · Jul 23, 2008

> I wondered if there is/will be a patch to remove this vulnerablility from CF7 ?

It's not a vulnerability in CF7. It's a vulnerability of poorly-written code. Anytime you don't validate the data users are submitting before sending it to the database, or use best-practices like cfqueryparam'ing all your query variables, you are vulnerable to this. This isn't unique to CF, it affects ASP.NET, PHP, JSP, etc.

Report · Jul 24, 2008

What you are all saying is of course correct, but we don't live in a perfect world and CF is getting hit hard by this - just google verynx.

Report · Jul 24, 2008

> CF is getting hit hard by this

That might be true, but the only people that will actually get "hit" by this are ones that wrote code vulnerable to _any_ SQL injection attack. The only difference about this one is it's more automated and widespread.

Doesn't change the fact that they're exploiting bad coding practices. It has nothing to do with CF, it has everything to do with the coders who wrote the code that is being exploited. This same attack will work against bad code written in other web scripting languages that interact with databases.

Report · Jul 25, 2008

UniWebDude wrote:
> What you are all saying is of course correct, but we don't live in a perfect world and CF is getting hit hard by this - just google verynx.

No CF isn't hit hard at all. Seriously, how many sites have been hit
that you would know about if you didn't go looking for it?

This attack has been running against the .asp extension since May. It is
also running against PHP now. And that it is running against multiple
languages should be enough of an indication that it is not targeting a
specific bug in a language, but a wrong design pattern in many
applications that use those languages.

Jochem

--
Jochem van Dieten
Adobe Community Expert for ColdFusion