
Re: SQL injection embedded .js file to execute CF hack

Subject: Re: SQL injection embedded .js file to execute CF hack
From: "Ken Ford" <newsgroups2@xxxxxxxxxxxx>
Date: Sun, 27 Jul 2008 21:44:47 -0500
Newsgroups: macromedia.coldfusion.cfml_general_discussion


1. Only if the server is set to parse a .js file as CFML

2. A lot!

http://www.forta.com/blog/index.cfm/2008/7/22/For-Goodness-Sake-Use-CFQUERYPARAM-Already

http://www.forta.com/blog/index.cfm/2008/7/23/Hacker-Webzine-Recommends-Use-Of-CFQUERYPARAM

--
Ken Ford
Adobe Community Expert - Dreamweaver/ColdFusion
Fordwebs, LLC
http://www.fordwebs.com


"ajdove" <webforumsuser@xxxxxxxxxxxxxx> wrote in message 
news:g6jbdj$gmk$1@xxxxxxxxxxxxxxxxxxxxxxxx
I am a programmer sent to investigate suspicious activity at a client's web application. I cannot attach a file in case of infection potential. The ColdFusion code is open to SQL injection attack, which is how we believe the Apache web server became infected. Upon investigation we found JavaScript files which had been written with CFML code programmatically scripted to fit within a .js JavaScript file and write and read data from the server.

Has ANYONE seen this type of attack before? I cannot disclose the client or specific data as we are under an NDA (Non-Disclosure Agreement); however, I need the help of other ColdFusion programmers to fully understand this attack. Has anyone seen CFML code programmed into a .js JavaScript file and run by calling the .js JavaScript file before?

We have found Japanese or Chinese language within the code and within files on the server. The client states they have NOT installed any language packs or anything referencing other languages than English. There have been Japanese characters found on the database server. There are hundreds of .js and .xml files on the server which reference Japanese. Furthermore, we have found many XML files on the server, but the client does not use .xml, so these .xml files would then be foreign and potentially programmatically scripted by the server launching code to write these files under the unknowing eyes of the client.

So we need to understand the limits or potential threats:
1. Can CFML scripting be embedded into a .js JavaScript file?
2. If database parameters are not locked, what are the possible attacks available to SQL injection?

Any help would be appreciated.
Thank you in advance.
Alex Dove
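
The first answer above (a .js file runs as CFML only if the server is set to parse it that way) gives an investigator two things to check: the handler mappings in the Apache configuration, and which static files actually contain CFML tags. The following is an added example, not code from this thread; it assumes the ColdFusion connector is registered under the handler name `jrun-handler`, the sample configuration is constructed, and the tag match is a heuristic.

```python
import re
from pathlib import Path

STATIC_EXTS = {".js", ".xml"}
# Heuristic: any "<cf..." tag, e.g. <cfquery>, <cffile>, <cfoutput>.
CFML_TAG = re.compile(r"<\s*/?\s*(cf[a-z]+)\b", re.IGNORECASE)
HANDLER = re.compile(r"^\s*(?:AddHandler|AddType)\s+(\S+)\s+(.+)$", re.IGNORECASE)

# Constructed sample of an Apache config; the last mapping is the problem.
SAMPLE_CONF = """\
# AddHandler jrun-handler .js
AddHandler jrun-handler .cfm .cfml .cfc
AddHandler jrun-handler .js
"""


def risky_handler_lines(conf_text, engine_hint="jrun"):
    """Config lines that hand a static extension to the CFML engine.

    engine_hint is an assumption about the handler name used on this server.
    """
    hits = []
    for line in conf_text.splitlines():
        m = HANDLER.match(line)  # commented-out lines never match
        if m and engine_hint in m.group(1).lower():
            # Apache accepts extensions with or without the leading dot.
            exts = {"." + e.lstrip(".").lower() for e in m.group(2).split()}
            if exts & STATIC_EXTS:
                hits.append(line.strip())
    return hits


def files_with_cfml(web_root):
    """Map each static file under web_root to the CFML tag names found in it."""
    found = {}
    for path in sorted(Path(web_root).rglob("*")):
        if path.is_file() and path.suffix.lower() in STATIC_EXTS:
            text = path.read_text(encoding="utf-8", errors="replace")
            tags = sorted({t.lower() for t in CFML_TAG.findall(text)})
            if tags:
                found[str(path.relative_to(web_root))] = tags
    return found


if __name__ == "__main__":
    import sys
    print(risky_handler_lines(SAMPLE_CONF))
    if len(sys.argv) > 1:  # optional: path to a copy of the web root
        for name, tags in files_with_cfml(sys.argv[1]).items():
            print(name, tags)
```

Run it against a copy of the web root taken for analysis; a file that is flagged while no handler line maps its extension would be served as plain text rather than executed.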


