6 Nov 2009

CF Admin SQL injection flaw

Nathan Mische has blogged about a surprising ‘flaw’ in the ColdFusion Administrator that’s supposed to allow you to disable SQL commands coming from CF such as delete, drop, alter, update, etc. Apparently this is ineffective against multi-line SQL injection attacks – the most common sort of injection.

Perhaps ‘flaw’ is the wrong word, but these settings do lead you to believe that any sql with delete, drop, etc in it would be prevented from being sent to the database.

The bottom line is to always use cfqueryparam or stored procedures and sanitise user input from forms and urls. Don’t trust users – assume they’re all up to no good! ;-)

1 comment:

  1. Not only that make sure that the database user that is "tied" to the DSN does't have more permissions than needed e.g. drop,grant,alter, etc... Unfortunately ,there are a lot CF DSN's out there using sa accounts!

    ReplyDelete