
Some Important CFWebstore Issues

A couple of issues regarding CFWebstore have come up recently. You may already have received an email about them; I am providing more detail here on what the issues are and what should be done, and to reach anyone who did not receive that email or is not on the mailing list where these have been discussed.

Recently, a new SQL injection attack has been making the rounds on the internet and has been affecting some older CFWebstore versions. Previously, most people assumed that character fields in a URL string were not susceptible to SQL injection because the ColdFusion server escapes the characters in the string. However, by using the CAST function, this attack can get around that. Many sites, not just ColdFusion ones, are being hit, so if you are running a version 5 or older store it is important that you spend some time updating your site. As an easy stop-gap measure, you can add some code to your Application.cfm to detect this specific attack, like this:

<!--- Stop-gap for Application.cfm: abort the request if the query string, script name or path info contains the tokens this attack relies on. FindNoCase returns 0 when the token is absent, so each call acts as a boolean. --->
<cfif FindNoCase("EXEC(", CGI.Query_String) OR FindNoCase("EXEC(", CGI.Script_Name) OR FindNoCase("EXEC(", CGI.Path_Info)>
    <cfabort>
<cfelseif FindNoCase("CAST(", CGI.Query_String) OR FindNoCase("CAST(", CGI.Script_Name) OR FindNoCase("CAST(", CGI.Path_Info)>
    <cfabort>
</cfif>

Ideally, budget the time and money to upgrade to version 6. That version is not only coded to prevent such attacks; it also has other code improvements to protect against attacks that were not as well known when version 5 was written, such as cross-site scripting. If you are not able to upgrade, you would need to update your version 5 or older store so that all user-based inputs in a query, including text inputs, use cfqueryparam. Version 5.73 already does this for many of them, but many text inputs are not sanitized the way they are in version 6.
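To show the difference between the stop-gap check above and the real fix (parameterized queries, which is what cfqueryparam gives you), here is an added Python example using SQLite; it is not CFWebstore code, and the product table and request strings are constructed for the demonstration. It also shows a limitation of the token check: a legitimate search term containing "cast(" is blocked by the stop-gap but handled safely by a bound parameter.

```python
import re
import sqlite3

def make_catalogue():
    """Constructed in-memory product table standing in for a store catalogue (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)",
                     [("Blue Widget",), ("O'Brien Mug",), ("Cast( Iron Pan",)])
    return conn

def search_concat(conn, term):
    """Pre-version-6 style: the user's text is pasted into the SQL itself.
    A quote inside the term ends the literal early and the rest is parsed as SQL."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]

def concat_query_breaks(conn, term):
    """True when the concatenated query no longer parses, i.e. the term changed the SQL."""
    try:
        search_concat(conn, term)
        return False
    except sqlite3.OperationalError:
        return True

def search_param(conn, term):
    """The cfqueryparam equivalent: the term travels as a bound value, never as SQL text."""
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]

STOPGAP = re.compile(r"EXEC\(|CAST\(", re.IGNORECASE)

def stopgap_blocks(query_string, script_name="", path_info=""):
    """Mirror of the Application.cfm check: block if any of the three request parts
    contains EXEC( or CAST(. It is a literal-token signature, nothing more."""
    return any(STOPGAP.search(part) for part in (query_string, script_name, path_info))

if __name__ == "__main__":
    db = make_catalogue()
    print(search_param(db, "O'Brien"), concat_query_breaks(db, "O'Brien"))
    print(search_param(db, "cast("), stopgap_blocks("search=cast("))
```

The parameterized search returns the "O'Brien Mug" row, while the concatenated query fails to parse on the same input; the "cast(" search is blocked by the stop-gap even though the bound parameter treats it as plain data.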

If you are using a version 6 store, you should be fairly safe from this attack. If you wish to add some additional code to at least prevent errors from being thrown, you can add the following to a version 6.20 or later release to block the attack and simply display an error to the user. Add this code to browserdetect.cfm somewhere below the 'if' statement on line 14:

// Added to browserdetect.cfm: flag the request so the store shows an error instead of running the query.
// query_string is the variable already set earlier in browserdetect.cfm.
else if (FindNoCase("EXEC(", query_string) OR FindNoCase("EXEC(", CGI.Script_Name) OR FindNoCase("EXEC(", CGI.Path_Info)) {
    browserName = "hack attempt";
}
else if (FindNoCase("CAST(", query_string) OR FindNoCase("CAST(", CGI.Script_Name) OR FindNoCase("CAST(", CGI.Path_Info)) {
    browserName = "hack attempt";
}

I will be releasing an update for version 6 shortly which will include some additional code to protect other areas that could potentially be at risk. They are not at risk from this current attack and will not show up as vulnerabilities, but I believe in being proactive when it comes to hackers and want to make 100% sure that anything accessible to a public user is fully scrubbed, whether it is a URL, a form submission, etc. So keep an eye out for that. There is also a free tool from HP called Scrawlr that can crawl your site and locate any injection points in its pages; it is a nice way to check your site quickly.

The other issue relates to the demo store that is provided along with a copy of CFWebstore. An image owned by an online stock photo gallery was inadvertently included in the demo. It has been removed from the current release, but if you are running the demo on your server for any reason, this image should be removed. Ideally, every CFWebstore user should make sure the image has been deleted from their server, to prevent any accidental use of it. The image is a photo of a young woman and would be found in the "images" directory. A new demo store is also under development and will be released in the next month or so.

Feel free to contact me if you have any questions about either of these issues or need help with upgrading your site.

UPDATE! Version 6.31 is now available. It includes some new security features to block hack attempts and prevent any errors from being generated. It is highly recommended that all version 6 users upgrade to this version.

Comments
Reading into this, am I to assume that your code does not make use of the CFQUERYPARAM tag?
# Posted By Mark | 9/19/08 8:59 AM
It does; however, the older versions were written at a time when the accepted practice was that it was only really necessary on numeric fields. This new attack is the first seen that can inject on string fields. Current 6.x versions are not vulnerable to this attack but, as mentioned, can throw errors as a result of it. The latest 6.31 release has been updated to prevent such errors.
# Posted By Mary Jo | 10/2/08 10:18 AM
 
BlogCFC was created by Raymond Camden. This blog is running version 5.8.001.