Sunday, July 13, 2008

Yey another lame attack on Coldfusion

I have been following the 0x000000 # The Hacker Webzine blog for a while and was really dumbstruck when I read the following article, Attacking ColdFusion.

It was one of the lamest "security" notes I have read in a while: utter rubbish. Valid, but there's nothing really ColdFusion-specific in there, and the potential holes described all require some dumb configuration change or setup.

Sure, there might be some old vulnerable apps out there, as there are for PHP or ASP, but best practice is oft discussed and preached in CF land, and the same criticisms could be applied to most programming languages.

I wait with bated breath to hear of exploits that were reported to Adobe, fixed and then rolled out as an update being publicised...

Meanwhile, CF continues to be a pleasure to work with :)

3 comments:

Anonymous said...

Wow, that's really interesting. Half of his code samples are totally bogus. (Since when did the cfqueryparam tag go INSIDE the cfquery tag?)

Regardless, it should be a wake-up call that ANY public-facing site needs to cfqueryparam all SQL, turn OFF robust errors, and use strong passwords. Basic stuff, really.

Also, is that true what he was saying about escaping the single tick with mysql? I'll have to try that one out...

Anonymous said...

Yea, you are right. The fact that all of their exploits deal with people not using the cfqueryparam is lame. If that is your only hack, then you won't be hacking many large projects out there. But, if you think about it...there are a bunch of apps and sites out there that don't use cfqueryparam, so there are some vulnerable sites in the wild right now.
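Both of the comments above come back to the same fix: bind values with cfqueryparam inside the cfquery body rather than concatenating them into the SQL text. As an added illustration that is not from the post or its commenters, here is a CFML lookup written both ways; the datasource name, table and URL parameter are assumed.

```cfml
<!--- Vulnerable form: the raw URL value is pasted straight into the SQL text,
      so anything after the number becomes part of the statement. --->
<cfquery name="getUser" datasource="exampleDSN">
    SELECT id, username
    FROM users
    WHERE id = #url.id#
</cfquery>

<!--- Hardened form: cfqueryparam sits INSIDE the cfquery body and binds the
      value as a typed parameter; the database never sees it as SQL. --->
<cfquery name="getUser" datasource="exampleDSN">
    SELECT id, username
    FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Same idea for a string input; maxlength also caps how much can be sent. --->
<cfquery name="findUser" datasource="exampleDSN">
    SELECT id, username
    FROM users
    WHERE username = <cfqueryparam value="#form.username#"
                                   cfsqltype="cf_sql_varchar"
                                   maxlength="64">
</cfquery>
```

With cfqueryparam in place, a non-numeric value for url.id is rejected at the parameter binding stage instead of reaching the database as part of the query.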

Mark Mandel said...

Actually, I didn't read this at all as an attack on ColdFusion.

It read to me more as a 'Hi, I'm a hacker, and I feel like hacking a ColdFusion application, what options are available to me to take advantage of possible security holes in a CF app'.

At no point does this article say that the language itself is potentially insecure, or really anything that negative towards the language at all; it simply lists the ways in which, if a CF application is not built correctly, there could be potential for hacking.

In fact, one could almost claim this should be required reading for many new CF developers, so that they know where the potential security flaws CAN lie, and therefore, how to avoid them.