Announcing the first ever International Operation cf_SQLprotect
Posted by
Brad Wood
Jul 24, 2008 12:58:00 UTC
Hear Ye, Hear Ye! I hereby declare Friday, July 25th as the first ever International Operation cf_SQLprotect. In response to the massive number of SQL injection attacks in the past few weeks I want the ColdFusion community to be doing our darndest to keep our applications safe from harm. This Friday, I want everyone who has a site big or small, well known or obscure, to join the world and scan their code base for vulnerable queries and fix them.

This week I have reviewed two very cool utilities that will scan your code base for you, find cfqueries with missing cfqueryparams and optionally fix them for you. It really doesn't get any easier than this. There are a number of "fixes" floating around to mitigate the SQL attacks by searching form fields and the query string for suspicious strings, but the ONLY way to truly harden your cfqueries is to parameterize every untrusted input into them with cfqueryparam, and to watch out for the things cfqueryparam cannot cover, like dynamic order by clauses: a parameter can only carry a value, never a column name or a sort direction, so those have to be checked against a fixed list of allowed values before they are put into the SQL. If you aren't sure where to use cfqueryparam and where not to use it feel free to ask. There are a number of blogs out there that help explain this too.
Peter Boughton's tool is pretty, more configurable, and will search your order by clauses:
http://www.codersrevolution.com/index.cfm/2008/7/22/QueryParam-Scanner-Youve-got-no-excuse-now

Daryl Banttari's tool needs a small tweak to get .cfc files, but it will automatically fix about 95% of your queries for you! Very Cool!
http://www.codersrevolution.com/index.cfm/2008/7/24/Parameterize-your-queries-without-lifting-a-finger

Here's what I want you to do. Download one or both of these fine tools, scan every CF site you have, inspect any queries that aren't up to snuff and fix where appropriate. Keep a tally of how many vulnerable cfqueries you fixed in the process and E-mail me the number. I will NOT publish your name nor your company name since no one needs bad press, but I will keep a total for all to see of how many potential loopholes have been eliminated as part of our efforts.

Your reward for participation will be the comforting knowledge that you have taken a positive step in securing your web applications as well as the good name of ColdFusion. I want ColdFusion programmers to be known for writing good, secure code, and I want ColdFusion apps to have a reputation for being solid and safe. Yes, I am aware that there are MANY aspects to security, but since this particular issue is giving us a bit of a black eye right now, I want to borrow some of this momentum to improve our code bases out there. I won't lie to you: it's a pain to go back and clean up an old or large code base, but I guarantee you it won't be as bad as you thought after you are done, and you will feel so much better.

Please tell your coworkers, friends, or ANYONE who codes ColdFusion about this. Spread the word to those who don't read blogs or subscribe to the CF-Talk list. I think we will be able to have great satisfaction in saying, "We have successfully secured x vulnerable cfqueries against attacks!" If you have already scanned your websites and fixed your queries before Friday you can still send me your numbers and I'll include them.
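As an added illustration of what the scanners are looking for (this is example code written for this page, not code from the post or from either scanner), here is a vulnerable cfquery next to its parameterized form, a list parameter, and the dynamic order by case that cfqueryparam cannot cover. The datasource name "myDSN", the "users" table and its columns are assumptions.

```cfml
<!--- Added example, not from the original post or from either scanner tool.
      Assumes a datasource "myDSN" and a "users" table with the columns
      id, username, email and created. --->

<!--- VULNERABLE: url.id is pasted straight into the SQL text. A request such as
      ?id=1 OR 1=1 returns every row, and on drivers that allow batched
      statements an attacker can append a second statement after a semicolon. --->
<cfquery name="getUserBad" datasource="myDSN">
    SELECT id, username, email
    FROM   users
    WHERE  id = #url.id#
</cfquery>

<!--- HARDENED: the value is sent to the driver as a bound parameter, never as
      part of the SQL string. cfsqltype="cf_sql_integer" also makes ColdFusion
      reject non-numeric input before the query is ever run. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username, email
    FROM   users
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- A comma-separated list of ids is still a parameter: list="true" binds
      each element separately, so "1,2,3" becomes IN (?,?,?). --->
<cfquery name="getSelected" datasource="myDSN">
    SELECT id, username
    FROM   users
    WHERE  id IN (<cfqueryparam value="#form.ids#" cfsqltype="cf_sql_integer" list="true">)
</cfquery>

<!--- Dynamic ORDER BY: a column name is an identifier, not a value, so it
      cannot be a cfqueryparam (ORDER BY ? would just sort by a constant).
      Instead, map the user's choice onto a fixed list of allowed columns and
      only ever put the canonical name from that list into the SQL. --->
<cfset allowedColumns = "username,email,created">
<cfset sortCol = "username">
<cfif structKeyExists(url, "sort") AND listFindNoCase(allowedColumns, url.sort)>
    <!--- take the value from our own list, not from the request --->
    <cfset sortCol = listGetAt(allowedColumns, listFindNoCase(allowedColumns, url.sort))>
</cfif>

<cfset sortDir = "ASC">
<cfif structKeyExists(url, "dir") AND url.dir EQ "desc">
    <cfset sortDir = "DESC">
</cfif>

<cfquery name="listUsers" datasource="myDSN">
    SELECT   id, username, email, created
    FROM     users
    WHERE    username LIKE <cfqueryparam value="%#form.search#%" cfsqltype="cf_sql_varchar" maxlength="100">
    ORDER BY #sortCol# #sortDir#
</cfquery>
```

The rule of thumb the scanners apply is visible here: any `#...#` that appears inside a cfquery and is not wrapped in a cfqueryparam is a finding. The only `#...#` left unwrapped above are sortCol and sortDir, and both are set from constants in our own code rather than from the request, which is exactly the manual review the order by case needs.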
Adrian Lynch
Nice work! Maybe this will be the place to point anyone who ever asks about cfqueryparam or cfprocparam :OD
James Holmes
Interestingly (and perhaps fittingly), that coincides with System Administrator Appreciation Day (http://www.sysadminday.com/).
As part of our security reminders at work I was about to blog on this; I'll make sure to include a link to here too :-)
Aaron Longnion
Another way is to use a RegEx in Eclipse - http://cfzen.instantspot.com/blog/2008/07/16/RegEx-to-find-SQL-in-code-without-CFQueryParam
btw - your blog software doesn't allow plus signs in email addresses (http://cfzen.instantspot.com/blog/2008/04/30/Does-your-email-validation-allow-plus-signs)
Radek
Very Nice! That's what I was looking for, to learn something new, and also around security. :)
Ben Nadel
Good initiative!
Brad Wood
Congratulations to those who have already used the scanners and tightened up their code. I'm waiting a couple more days for people to get back to me and tell me how many queries they secured before I give a final count.
Brad Wood
I have had people confirm at least 16,000 cfqueries that have been protected from SQL injection via usage of cfqueryparam!
http://www.codersrevolution.com/index.cfm/2008/7/31/Operation-cfSQLProtect-16000-cfqueries-protected