Some Important CFWebstore Issues
A couple of issues regarding CFWebstore have come up recently. You may have received an email regarding these issues; I am providing more information here to detail the issues and what should be done, and to reach anyone who may not have received an email or been on the email list where these have been discussed.
Recently, a new SQL injection attack has been making the rounds of the internet, and has been affecting some older CFWebstore versions. Previously, most people thought that character fields in a URL string were not susceptible to SQL injection, as the ColdFusion server escapes the characters in the string. However, by using the CAST function this attack can get around that. Many sites, not just ColdFusion ones, are being hit, so if you are running a version 5 or older store it is important that you spend some time updating your site. As an easy stop-gap measure, you can add some code to your Application.cfm to detect the specific attack, like this:
<!--- Block any request whose query string, script name or path info carries the CAST( signature of this attack --->
<cfif FindNoCase("CAST(", CGI.Query_String) OR FindNoCase("CAST(", CGI.Script_Name) OR FindNoCase("CAST(", CGI.Path_Info)>
<cfabort>
</cfif>
Ideally, budget the time and money to do an upgrade to version 6. This version is not only coded to prevent such attacks, it has other code improvements to protect against attacks that were not as well known when version 5 was written, such as cross-site scripting. If you are not able to do an upgrade, you would need to update your version 5 or older store so that all user-based inputs in a query, including text inputs, use cfqueryparam. Version 5.73 is already coded to do many of these, but many text inputs are not sanitized there the way they are in version 6.
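The paragraph above makes two points: escaping the characters in a string is not enough, and the remedy is to pass every user-supplied value through cfqueryparam. The following is an added example, written in Python with sqlite3 rather than ColdFusion (CFWebstore's own code is not shown here), that models the two query styles side by side. The quote-doubling in escape_quotes stands in for what ColdFusion does to #variables# inside cfquery; a numeric column is compared without quotes, so that escaping never touches the value, which is exactly why the inline style fails. lookup_bound models <cfqueryparam cfsqltype="cf_sql_integer">: type-check, then bind. The table, rows and the tampered value are constructed for the example.

```python
"""Inline SQL with quote-escaping versus a typed, bound parameter.

Added example (Python/sqlite3), not CFWebstore code. It only models the two
query styles the post contrasts; the data and inputs are constructed.
"""
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """In-memory products table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [(1, "Widget"), (2, "Gadget"), (3, "Gizmo")],
    )
    conn.commit()
    return conn


def escape_quotes(value: str) -> str:
    """Models ColdFusion doubling single quotes in #variables# inside cfquery."""
    return value.replace("'", "''")


def lookup_inline(conn: sqlite3.Connection, product_id: str):
    """Vulnerable style: the value is spliced into the SQL text.

    The id column is numeric, so the value is not inside quotes and the
    quote-doubling above has nothing to act on.
    """
    sql = "SELECT id, name FROM products WHERE id = " + escape_quotes(product_id)
    return conn.execute(sql).fetchall()


def lookup_bound(conn: sqlite3.Connection, product_id: str):
    """Hardened style, modelling <cfqueryparam cfsqltype="cf_sql_integer">.

    The value is type-checked and then sent as a bound parameter; it can only
    ever be data, never part of the statement.
    """
    if not product_id.strip().isdigit():
        raise ValueError("product id must be an integer")
    return conn.execute(
        "SELECT id, name FROM products WHERE id = ?", (int(product_id),)
    ).fetchall()


def demo() -> dict:
    """Run both styles on a normal id and on a constructed tampered id."""
    conn = build_demo_db()
    normal = "2"
    tampered = "2 OR 1=1"  # constructed: no quote character needed in a numeric context
    results = {
        "inline_normal": lookup_inline(conn, normal),
        "inline_tampered": lookup_inline(conn, tampered),
        "bound_normal": lookup_bound(conn, normal),
    }
    try:
        lookup_bound(conn, tampered)
        results["bound_tampered"] = "accepted"
    except ValueError:
        results["bound_tampered"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The inline query returns every row for the tampered value while the bound query rejects it before any SQL is sent; the same contrast holds for text columns once the value is bound rather than escaped, which is the reason the post insists on cfqueryparam for text inputs as well.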
If you are using a version 6 store, you should be pretty safe from this attack, but if you wish to add some additional code to your site to at least prevent errors from being thrown, you can add this to a version 6.20 or later release to block the attack and just display an error to the user. Add this code to the browserdetect.cfm somewhere below the 'if' statement on line 14:
// Flag requests carrying the CAST( signature so the store shows its error page instead of throwing a database error
else if (FindNoCase("CAST(", query_string) OR FindNoCase("CAST(", CGI.Script_Name) OR FindNoCase("CAST(", CGI.Path_Info)) {
	browserName = "hack attempt";
}
I will be releasing an update for version 6 shortly which will include some additional code to protect other areas that could potentially be at risk. They aren't at risk from this current attack and will not show up as vulnerabilities, but I believe in being proactive when it comes to hackers and want to make 100% sure that anything accessible to a public user is being fully scrubbed, whether it's a URL, a form submission, etc. So keep an eye out for that. There is also a free tool available from HP called Scrawlr which can crawl your site and locate any injection points in the pages; it is a nice way to check your site quickly.
The other issue relates to the demo store that is provided along with a copy of CFWebstore. An image was inadvertently included in the demo that is owned by an online stock photo gallery. This has been removed from the current release, but if you are running the demo on your server for any reason, this image should be removed. Ideally, any CFWebstore user should make sure the image has been deleted off their server, to prevent any accidental use of it. The image is a photo of a young woman and would be found in the "images" directory. A new demo store is also under development which will be released in the next month or so.
Feel free to contact me if you have any questions about either of these issues or need help with upgrading your site.
UPDATE! Version 6.31 is now available. It includes some new security features to block hack attempts and prevent any errors from being generated. It's highly recommended that all version 6 users upgrade to this version.
Try this (from: http://www.shareddynamics.com/index.cfm/2008/8/11/...)
<code>
<cfsilent>
<!---
name: _SQLPrev.cfm
desc: Helps Prevent SQL Injection Attacks (CF5).
author: Justin D. Scott of GravityFree (jscott@gravityfree.com)
date: November 7, 2005
update: August 7, 2008
notes:
DIRECTIONS
Include this in the Application.cfm file to help prevent SQL injection attacks.
Compatible with ColdFusion 5 and may also work with ColdFusion MX. There is
an MX specific version at http://www.gravityfree.com/_sqlprev.cfm.txt.
If you update this code to be more effective, please send a copy of the changes
back to me so they can be implemented more widely.
DISCLAIMER
Justin Scott and GravityFree make no representation about the suitability or
accuracy of software or data for any purpose, and makes no warranties, either
expressed or implied, including merchantability and fitness for a particular
purpose or that the use of these software or data will not infringe any third
party patents, copyrights, trademarks, or other rights. The software and data
are provided "as is". Use at your own risk.
LICENSE
This code is hereby released into the public domain.
--->
<!--- E-Mail address for attack notifications --->
<cfparam name="request.errorEmail" default="me@yourdomain.com" />
<!--- On attack, TRUE to abort FALSE to redirect to rootURL --->
<cfparam name="request.errorAbort" default="FALSE" />
<!--- On attack, TRUE to notify via e-mail --->
<cfparam name="request.errorNotify" default="TRUE" />
<!--- Redirection URL --->
<cfparam name="request.rootURL" default="/" />
<cfscript>
// Default to nothing.
variables.SQLPrev_Found = "";
// What are the SQL Keywords?
variables.SQLPrev_Keywords = structNew();
// Populate the structure.
structInsert(variables.SQLPrev_Keywords, "EXEC", "");
structInsert(variables.SQLPrev_Keywords, "ALTER", "");
structInsert(variables.SQLPrev_Keywords, "EXECUTE", "");
structInsert(variables.SQLPrev_Keywords, "PROC", "");
structInsert(variables.SQLPrev_Keywords, "ASC", "");
structInsert(variables.SQLPrev_Keywords, "FILE", "");
structInsert(variables.SQLPrev_Keywords, "PROCEDURE", "");
structInsert(variables.SQLPrev_Keywords, "AUTHORIZATION", "");
structInsert(variables.SQLPrev_Keywords, "BACKUP", "");
structInsert(variables.SQLPrev_Keywords, "RAISERROR", "");
structInsert(variables.SQLPrev_Keywords, "FOREIGN", "");
structInsert(variables.SQLPrev_Keywords, "FREETEXT", "");
structInsert(variables.SQLPrev_Keywords, "READTEXT", "");
structInsert(variables.SQLPrev_Keywords, "BREAK", "");
structInsert(variables.SQLPrev_Keywords, "FREETEXTTABLE", "");
structInsert(variables.SQLPrev_Keywords, "RECONFIGURE", "");
structInsert(variables.SQLPrev_Keywords, "BROWSE", "");
structInsert(variables.SQLPrev_Keywords, "REFERENCES", "");
structInsert(variables.SQLPrev_Keywords, "BULK", "");
structInsert(variables.SQLPrev_Keywords, "FULL", "");
structInsert(variables.SQLPrev_Keywords, "REPLICATION", "");
structInsert(variables.SQLPrev_Keywords, "FUNCTION", "");
structInsert(variables.SQLPrev_Keywords, "RESTORE", "");
structInsert(variables.SQLPrev_Keywords, "CASCADE", "");
structInsert(variables.SQLPrev_Keywords, "GOTO", "");
structInsert(variables.SQLPrev_Keywords, "RESTRICT", "");
structInsert(variables.SQLPrev_Keywords, "GRANT", "");
structInsert(variables.SQLPrev_Keywords, "RETURN", "");
structInsert(variables.SQLPrev_Keywords, "CHECK", "");
structInsert(variables.SQLPrev_Keywords, "GROUP", "");
structInsert(variables.SQLPrev_Keywords, "REVOKE", "");
structInsert(variables.SQLPrev_Keywords, "CHECKPOINT", "");
structInsert(variables.SQLPrev_Keywords, "HAVING", "");
structInsert(variables.SQLPrev_Keywords, "RIGHT", "");
structInsert(variables.SQLPrev_Keywords, "CLOSE", "");
structInsert(variables.SQLPrev_Keywords, "HOLDLOCK", "");
structInsert(variables.SQLPrev_Keywords, "ROLLBACK", "");
structInsert(variables.SQLPrev_Keywords, "CLUSTERED", "");
structInsert(variables.SQLPrev_Keywords, "IDENTITY", "");
structInsert(variables.SQLPrev_Keywords, "ROWCOUNT", "");
structInsert(variables.SQLPrev_Keywords, "COALESCE", "");
structInsert(variables.SQLPrev_Keywords, "IDENTITY_INSERT", "");
structInsert(variables.SQLPrev_Keywords, "ROWGUIDCOL", "");
structInsert(variables.SQLPrev_Keywords, "COLLATE", "");
structInsert(variables.SQLPrev_Keywords, "IDENTITYCOL", "");
structInsert(variables.SQLPrev_Keywords, "COLUMN", "");
structInsert(variables.SQLPrev_Keywords, "COMMIT", "");
structInsert(variables.SQLPrev_Keywords, "SCHEMA", "");
structInsert(variables.SQLPrev_Keywords, "COMPUTE", "");
structInsert(variables.SQLPrev_Keywords, "INDEX", "");
structInsert(variables.SQLPrev_Keywords, "SELECT", "");
structInsert(variables.SQLPrev_Keywords, "CONSTRAINT", "");
structInsert(variables.SQLPrev_Keywords, "INNER", "");
structInsert(variables.SQLPrev_Keywords, "SESSION_USER", "");
structInsert(variables.SQLPrev_Keywords, "CONTAINS", "");
structInsert(variables.SQLPrev_Keywords, "INSERT", "");
structInsert(variables.SQLPrev_Keywords, "SET", "");
structInsert(variables.SQLPrev_Keywords, "CONTAINSTABLE", "");
structInsert(variables.SQLPrev_Keywords, "INTERSECT", "");
structInsert(variables.SQLPrev_Keywords, "SETUSER", "");
structInsert(variables.SQLPrev_Keywords, "CONTINUE", "");
structInsert(variables.SQLPrev_Keywords, "INTO", "");
structInsert(variables.SQLPrev_Keywords, "SHUTDOWN", "");
structInsert(variables.SQLPrev_Keywords, "CONVERT", "");
structInsert(variables.SQLPrev_Keywords, "CREATE", "");
structInsert(variables.SQLPrev_Keywords, "JOIN", "");
structInsert(variables.SQLPrev_Keywords, "STATISTICS", "");
structInsert(variables.SQLPrev_Keywords, "CROSS", "");
structInsert(variables.SQLPrev_Keywords, "KEY", "");
structInsert(variables.SQLPrev_Keywords, "SYSTEM_USER", "");
structInsert(variables.SQLPrev_Keywords, "CURRENT", "");
structInsert(variables.SQLPrev_Keywords, "KILL", "");
structInsert(variables.SQLPrev_Keywords, "TABLE", "");
structInsert(variables.SQLPrev_Keywords, "CURRENT_DATE", "");
structInsert(variables.SQLPrev_Keywords, "LEFT", "");
structInsert(variables.SQLPrev_Keywords, "TEXTSIZE", "");
structInsert(variables.SQLPrev_Keywords, "CURRENT_TIME", "");
structInsert(variables.SQLPrev_Keywords, "LIKE", "");
structInsert(variables.SQLPrev_Keywords, "THEN", "");
structInsert(variables.SQLPrev_Keywords, "CURRENT_TIMESTAMP", "");
structInsert(variables.SQLPrev_Keywords, "LINENO", "");
structInsert(variables.SQLPrev_Keywords, "CURRENT_USER", "");
structInsert(variables.SQLPrev_Keywords, "LOAD", "");
structInsert(variables.SQLPrev_Keywords, "TOP", "");
structInsert(variables.SQLPrev_Keywords, "CURSOR", "");
structInsert(variables.SQLPrev_Keywords, "NATIONAL", "");
structInsert(variables.SQLPrev_Keywords, "TRAN", "");
structInsert(variables.SQLPrev_Keywords, "DATABASE", "");
structInsert(variables.SQLPrev_Keywords, "NOCHECK", "");
structInsert(variables.SQLPrev_Keywords, "TRANSACTION", "");
structInsert(variables.SQLPrev_Keywords, "DBCC", "");
structInsert(variables.SQLPrev_Keywords, "NONCLUSTERED", "");
structInsert(variables.SQLPrev_Keywords, "TRIGGER", "");
structInsert(variables.SQLPrev_Keywords, "DEALLOCATE", "");
structInsert(variables.SQLPrev_Keywords, "TRUNCATE", "");
structInsert(variables.SQLPrev_Keywords, "DECLARE", "");
structInsert(variables.SQLPrev_Keywords, "NULL", "");
structInsert(variables.SQLPrev_Keywords, "TSEQUAL", "");
structInsert(variables.SQLPrev_Keywords, "DEFAULT", "");
structInsert(variables.SQLPrev_Keywords, "NULLIF", "");
structInsert(variables.SQLPrev_Keywords, "UNION", "");
structInsert(variables.SQLPrev_Keywords, "DELETE", "");
structInsert(variables.SQLPrev_Keywords, "UNIQUE", "");
structInsert(variables.SQLPrev_Keywords, "DENY", "");
structInsert(variables.SQLPrev_Keywords, "OFF", "");
structInsert(variables.SQLPrev_Keywords, "UPDATE", "");
structInsert(variables.SQLPrev_Keywords, "DESC", "");
structInsert(variables.SQLPrev_Keywords, "OFFSETS", "");
structInsert(variables.SQLPrev_Keywords, "UPDATETEXT", "");
structInsert(variables.SQLPrev_Keywords, "DISK", "");
structInsert(variables.SQLPrev_Keywords, "USE", "");
structInsert(variables.SQLPrev_Keywords, "DISTINCT", "");
structInsert(variables.SQLPrev_Keywords, "OPEN", "");
structInsert(variables.SQLPrev_Keywords, "USER", "");
structInsert(variables.SQLPrev_Keywords, "DISTRIBUTED", "");
structInsert(variables.SQLPrev_Keywords, "OPENDATASOURCE", "");
structInsert(variables.SQLPrev_Keywords, "VALUES", "");
structInsert(variables.SQLPrev_Keywords, "DOUBLE", "");
structInsert(variables.SQLPrev_Keywords, "OPENQUERY", "");
structInsert(variables.SQLPrev_Keywords, "VARYING", "");
structInsert(variables.SQLPrev_Keywords, "DROP", "");
structInsert(variables.SQLPrev_Keywords, "OPENROWSET", "");
structInsert(variables.SQLPrev_Keywords, "VIEW", "");
structInsert(variables.SQLPrev_Keywords, "DUMMY", "");
structInsert(variables.SQLPrev_Keywords, "OPENXML", "");
structInsert(variables.SQLPrev_Keywords, "WAITFOR", "");
structInsert(variables.SQLPrev_Keywords, "DUMP", "");
structInsert(variables.SQLPrev_Keywords, "OPTION", "");
structInsert(variables.SQLPrev_Keywords, "WHEN", "");
structInsert(variables.SQLPrev_Keywords, "WHERE", "");
structInsert(variables.SQLPrev_Keywords, "END", "");
structInsert(variables.SQLPrev_Keywords, "ORDER", "");
structInsert(variables.SQLPrev_Keywords, "WHILE", "");
structInsert(variables.SQLPrev_Keywords, "ERRLVL", "");
structInsert(variables.SQLPrev_Keywords, "OUTER", "");
structInsert(variables.SQLPrev_Keywords, "WITH", "");
structInsert(variables.SQLPrev_Keywords, "ESCAPE", "");
structInsert(variables.SQLPrev_Keywords, "OVER", "");
structInsert(variables.SQLPrev_Keywords, "WRITETEXT", "");
// Now check through the URL variables for possible SQL attacks.
for (SQLPrev_Index1 in URL) {
// Bring in the URL value.
variables.SQLPrev_Value = URL[SQLPrev_Index1];
// Find any of the keywords in this value.
for (SQLPrev_Index2 in variables.SQLPrev_Keywords) {
if (findNoCase(SQLPrev_Index2, variables.SQLPrev_Value) and find(";", variables.SQLPrev_Value)) {
variables.SQLPrev_Found = "sql";
}
}
}
// Kill the temp struct with the SQL keywords.
structClear(variables.SQLPrev_Keywords);
</cfscript>
<!--- Did we find anything? --->
<cfif len(variables.SQLPrev_Found)>
<!--- E-Mail the error for tracking. --->
<cfif request.errorNotify>
<cfmail to="#request.errorEmail#" from="#request.errorEmail#" subject="SQL Injection Attempt" type="HTML">
<p>Date: #now()#</p>
<p>Site: #cgi.server_name#</p>
<p>URL: #cgi.script_name#?#cgi.query_string#</p>
<p>IP: #cgi.remote_addr#</p>
<cfdump var="#url#">
<cfdump var="#variables#">
</cfmail>
</cfif>
<!--- Abort or redirect to home. --->
<cfif request.ErrorAbort>
<cfabort>
<cfelse>
<cflocation url="#request.rootURL#" addtoken="no">
</cfif>
</cfif>
</cfsilent>
</code>
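Both the Application.cfm stop-gap at the top of the post and the _SQLPrev.cfm script above match on the request strings as ColdFusion hands them over: the first looks for the literal CAST( marker, the second for a SQL keyword together with a semicolon. The following is an added example, my own Python and not CFWebstore or GravityFree code, that applies those same two signatures but percent-decodes the query string first (repeatedly, so a double-encoded value is normalized too) and uses word boundaries so that a value such as broadcast( or SELECTION is not flagged. It also runs the check over a few constructed W3C-style log lines, which is how a defender would look back through existing traffic. The keyword list is a subset of the one in the script; the log format, IP addresses and query strings are constructed.

```python
"""Signature check for the CAST( and keyword-plus-semicolon patterns.

Added example (Python), not CFWebstore or _SQLPrev code. Decodes the query
string before matching and applies word boundaries to cut false positives.
"""
import re
from urllib.parse import unquote_plus

# Subset of the _SQLPrev keyword list. As in that script, a keyword alone is
# not enough: a semicolon must also be present in the same value.
SQL_KEYWORDS = ("EXEC", "EXECUTE", "DECLARE", "SELECT", "UNION", "INSERT",
                "UPDATE", "DELETE", "DROP", "WAITFOR", "SHUTDOWN")

CAST_RE = re.compile(r"\bCAST\s*\(", re.IGNORECASE)
KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)


def normalize(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), then collapse
    runs of whitespace. Repeated decoding normalizes double-encoded input."""
    s = raw
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return re.sub(r"\s+", " ", s)


def injection_reasons(query_string: str) -> list:
    """Return the names of the signatures matched; an empty list means clean."""
    s = normalize(query_string)
    reasons = []
    if CAST_RE.search(s):
        reasons.append("cast")
    if ";" in s and KEYWORD_RE.search(s):
        reasons.append("keyword+semicolon")
    return reasons


def scan_log(lines) -> list:
    """Scan constructed W3C-style lines of the form
    'date time c-ip cs-method cs-uri-stem cs-uri-query sc-status'
    and return (ip, uri_stem, reasons) for every flagged request."""
    hits = []
    for line in lines:
        if line.startswith("#"):          # directive / header line
            continue
        parts = line.split()
        if len(parts) < 7:
            continue
        ip, stem, query = parts[2], parts[4], parts[5]
        if query == "-":                  # no query string on this request
            continue
        reasons = injection_reasons(query)
        if reasons:
            hits.append((ip, stem, reasons))
    return hits


# Constructed sample log: two ordinary requests and two carrying the signatures.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2008-08-11 10:00:01 192.0.2.10 GET /index.cfm id=42&cat=books 200",
    "2008-08-11 10:00:02 192.0.2.77 GET /index.cfm id=42;SELECT+1 500",
    "2008-08-11 10:00:03 192.0.2.10 GET /about.cfm - 200",
    "2008-08-11 10:00:04 192.0.2.77 GET /index.cfm q=CAST%28x%29 500",
]


if __name__ == "__main__":
    for ip, stem, reasons in scan_log(SAMPLE_LOG):
        print(ip, stem, ", ".join(reasons))
```

Decoding before matching matters because CGI.Query_String is the raw, still-encoded string, so a check on it sees CAST%28 rather than CAST(; the _SQLPrev script avoids that particular gap by iterating the decoded URL scope instead. A signature check of this kind is a stop-gap and a detection aid, as the post says; cfqueryparam on every query input remains the fix.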