Infoweek security issues
Today, while I was surfing the website of InfoWeek, a leading IT magazine in Switzerland, in order to change my email subscription, I was greeted with the following error message:
At first I was happy to see that they use CFML as their deployment platform, but when looking at the above code I saw some poor coding techniques at work.
First off, one should never use “*” to fetch all the columns of a table in production code. It returns columns the page never needs, so every request moves more data than necessary, and the code silently depends on the table layout: add or reorder a column and the application can break. With today's tooling there is no excuse for using “*” anymore (I am talking about production use here).
The next thing is that the variable “MailAdress” is not scoped and, far worse, it is subject to the famous SQL injection, because the developers neglected the <cfqueryparam> tag. The two problems compound each other: because the variable is unscoped, ColdFusion searches several scopes for it, including URL, so a value meant to arrive from the form can just as well be supplied in the query string; and because the value is interpolated straight into the SQL text, whatever is supplied becomes part of the query. Sure enough, I was able to log in to my account by adding the variable to the URL. If I wanted to, I could even see and alter some other email addresses.
The solution is so simple that one wonders why developers still choose to neglect it. With a simple
<cfqueryparam cfsqltype="cf_sql_varchar" value="#form.MailAdress#">
in place of the bare #MailAdress#, the variable is explicitly scoped to FORM (the scope a POSTed field lives in) and, because cfqueryparam binds the value as a typed parameter instead of splicing it into the SQL text, the query is protected against SQL injection at the same time.
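Since the post shows only the one cfqueryparam line, here is the same defect and fix rendered in Python with sqlite3, as an added example that is not code from the original post or from InfoWeek's site. The table layout, the sample addresses and the payloads are constructed for the illustration; only the column name MailAdress is taken from the error described above. lookup_vulnerable mirrors a <cfquery> that interpolates #MailAdress# into the SQL text, lookup_safe mirrors the <cfqueryparam> version. It also shows why a database driver that refuses stacked statements is no defence on its own: the OR-based payloads are single statements and still read other users' rows.

```python
import sqlite3

# Constructed sample data (not from the original page): a tiny subscriber table
# standing in for the magazine's user database. The column name MailAdress
# mirrors the variable seen in the error message; everything else is assumed.
SUBSCRIBERS = [
    (1, "alice@example.invalid", "weekly"),
    (2, "bob@example.invalid", "daily"),
    (3, "carol@example.invalid", "none"),
]

# Constructed payloads an attacker could submit in the MailAdress field or URL.
# Single statement: a tautology that matches every row.
ALL_ROWS_PAYLOAD = "nobody@example.invalid' OR '1'='1"
# Single statement: pick another user's row by id; -- comments out the closing quote.
OTHER_USER_PAYLOAD = "' OR id = 2 -- "
# Two statements: the kind of payload a driver that forbids stacked queries rejects.
STACKED_PAYLOAD = "x'; UPDATE users SET MailAdress = 'attacker@example.invalid' WHERE id = 1; -- "


def make_db():
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, MailAdress TEXT, newsletter TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SUBSCRIBERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, mail_address):
    """Equivalent of a <cfquery> that drops #MailAdress# straight into the SQL text.

    Whatever the user typed becomes part of the statement, so quotes and
    keywords inside the value change what the query means.
    """
    sql = "SELECT id, MailAdress FROM users WHERE MailAdress = '%s'" % mail_address
    return conn.execute(sql).fetchall()


def lookup_safe(conn, mail_address):
    """Equivalent of wrapping the value in <cfqueryparam cfsqltype="cf_sql_varchar">.

    The statement text is fixed at development time; the value travels to the
    database as a bound parameter and can only be compared, never parsed.
    """
    sql = "SELECT id, MailAdress FROM users WHERE MailAdress = ?"
    return conn.execute(sql, (mail_address,)).fetchall()


def run_lookup(lookup, conn, mail_address):
    """Return the rows a lookup produces, or a 'rejected' marker when the driver
    refuses the statement. sqlite3 refuses stacked statements (older Pythons raise
    sqlite3.Warning, newer ones sqlite3.ProgrammingError), much like the MySQL
    driver behaviour discussed for cfquery."""
    try:
        return lookup(conn, mail_address)
    except (sqlite3.Warning, sqlite3.ProgrammingError) as exc:
        return "rejected: %s" % exc


def demo():
    """Run every payload against both query styles and return the outcomes."""
    conn = make_db()
    results = {}
    for name, payload in [
        ("legitimate", "alice@example.invalid"),
        ("all_rows", ALL_ROWS_PAYLOAD),
        ("other_user", OTHER_USER_PAYLOAD),
        ("stacked", STACKED_PAYLOAD),
    ]:
        results[name] = {
            "interpolated": run_lookup(lookup_vulnerable, conn, payload),
            "parameterised": run_lookup(lookup_safe, conn, payload),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name)
        print("  interpolated :", outcome["interpolated"])
        print("  parameterised:", outcome["parameterised"])
```

Running it, the interpolated query returns all three rows for the tautology payload and bob's row for the id-targeting payload, while only the stacked payload is stopped by the driver; the parameterised query returns no rows for any of the three payloads and the legitimate address still resolves normally.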
As long as I see applications like this on the web (believe me, I see a couple of these things a week), I am sure my company has enough to do.
…..and yes, I did call them and tell them about the error, but it looks like they are not in a hurry to fix it.
About this entry
You’re currently reading “Infoweek security issues,” an entry on Razuna Blog
- Published: Tuesday, September 23rd, 2008 at 12:01 pm
- Author: Razuna
- Category: SixSigns
- Tags: CFML, Security, security issues, sql injection
13:26 UTC
Too bad for them…
The FORM scope is the one to use for POST submissions, though.
13:29 UTC
OK, no way to post code here. Sorry for spamming your blog.
13:29 UTC
This error was coming from a form. I forgot to mention this, but I thought it was obvious.
14:21 UTC
I am not sure how Adobe does things, but with OpenBD you cannot perform an SQL injection with CFQUERY for MySQL. This is because the MySQL driver will not permit two statements in one go. Try it; you will find you will not be able to do it.
14:58 UTC
Alan,
You cannot with Adobe CF either.
-Randy
15:04 UTC
There are issues with about every application server. Some drivers recognize this, others don't. There is much information about this from Ben Forta at http://www.forta.com/blog/index.cfm/2008/7/22/For-Goodness-Sake-Use-CFQUERYPARAM-Already
Judging from the date, this is recent! Just wade through the comments…
7:17 UTC
@Randy and @Alan: You most certainly can perform SQLi with BD and Adobe CF on MySQL, since not all SQL injection requires two statements. Secondly, many people (including myself) enable the allowMultiQueries flag because they find the single-statement limitation annoying. Regardless, it's a feature of the DBMS, not the app server.
In regards to the original post, that site really needs to get a site-wide error handler.
13:54 UTC
@Brad,
Wow, I did not know about the allowMultiQueries flag.
Yep, you are right, injection attacks do not require two statements. The latest round of injection attacks that have been hitting my sites are multi-statement, which is what I was referring to. I have captured 18,000 distinct IP addresses in the past two months. Crazy.