Two days ago security bulletin from Adobe indicated that Dreamweaver "server behaviors" that generate query code will leave you vulnerable to SQL injection attacks. It went on to say that the sky is blue, politicians are dishonest and Michael Jackson is a little odd. This is not news to anyone save Adobe. Using a wizard to generate query code is, at best, only a starting point. Server behaviors have been around for years and they have always generated lousy query code. Scrub the variables you pass to the query or use Cfqueryparam. I would add that the "work-around" example is pretty poor as well. Rather than detail it, I will refer you to Dave Carabetta's excellent blog article on the subject. The bulletin indicates upgrading to DW 8.02 will "fix" the problem. I have a feeling it will generate more code in need of a rewrite. Don't they have any actual CF programmers writing these behaviors?
I got an email from someone on my blog about implementing SPF that said it should cut down on email injection attacks. The reasoning was that the email injection attack typically sends "from" the domain of the web site. Since SPF dictates the servers or domains mail can come "from" then mail from the web server would be rejected. Stopping Email Injection Bots would be a nice side effect of SPF, but it is unlikely. This reasoning does not take into account 2 important details.
Read More
In the last few weeks I've noticed a new attack making the rounds on my CF server. Although it's not an effective attack against a CF server, it does illustrate how spammers are a boil on the butt of humanity. It's called "email injection" and it's actually an attempt to leverage a PHP vulnerability (or perhaps I should say a “bad PHP coding” vulnerability). How do you know if you are being attacked? If you have a web site with a "contact us" form or any other form whose result is a sent email, and you are getting emails "from" your own domain and "to" your own domain - using bogus email addresses you are probably seeing this technique in action. You will also get bounces and if you look in the raw bounce code you will see something like "bcc: *some email address*". That's the tip off. Please note, this technique does NOT work against Coldfusion as far as I know - only PHP seems to be referenced in the various online discussions of the topic. If you are interested read on.
Read More
Recent discussions on a popular email list regarding some large hosts with many CF customers have reminded me of an often overlooked security problem that crops up from time to time on CF enterprise. If you install CF enterprise you get a full functioning JRUN server with it. If you intend to use the server as a shared server however, you should be aware that by default, the JRUN server will handle JSP pages. This gives users with JSP knowledge a way of hacking the server that circumvents the CF server (since JRUN is agnostic of the CF sandbox). It's easy to fix however...
Read More