Should the senate appropriate some better coldfusion?





  • lol! sql injection anyone?



  • that's more than a wtf, thats an omfg



  • That's the output from a tag called cfdump that is used for debugging
    purposes.  So, somebody knew there was a problem and was in the
    process of fixing it (when, presumably, 3:30PM rolled around and it was
    time for him to go home for the day).



    I don't see anything there that would enable a sql injection attack.



    Unlike PHP, coldfusion automatically escapes all sql control characters
    like quotes, etc.  I've been doing coldfusion for more than 6
    years.  In very early versions, you could get a "smart quote" that
    microsoft word puts into documents past the coldfusion escaping
    process, but it would still be recognized as a quote by sql
    server.  That was fixed long ago and I haven't seen that kind of
    sql injection since - and believe me, I'm paranoid about it and try to
    hack it all the time.



    It's a lot safer than PHP or even .NET.  That doesn't mean that
    you don't have to be careful. It just means that you have a better
    safety net. The only way that I'm aware of to get a real, PHP-like sql
    injection in coldfusion is if you have for some reason used the fuction
    preserveSingleQuotes() in the query.  If anyone knows of any other
    way, I'd love to see you prove it by showing some sample code.



  • @tofu said:

    That's the output from a tag called cfdump that is used for debugging
    purposes.  So, somebody knew there was a problem and was in the
    process of fixing it (when, presumably, 3:30PM rolled around and it was
    time for him to go home for the day).



    I don't see anything there that would enable a sql injection attack.



    Unlike PHP, coldfusion automatically escapes all sql control characters
    like quotes, etc.  I've been doing coldfusion for more than 6
    years.  In very early versions, you could get a "smart quote" that
    microsoft word puts into documents past the coldfusion escaping
    process, but it would still be recognized as a quote by sql
    server.  That was fixed long ago and I haven't seen that kind of
    sql injection since - and believe me, I'm paranoid about it and try to
    hack it all the time.



    It's a lot safer than PHP or even .NET.  That doesn't mean that
    you don't have to be careful. It just means that you have a better
    safety net. The only way that I'm aware of to get a real, PHP-like sql
    injection in coldfusion is if you have for some reason used the fuction
    preserveSingleQuotes() in the query.  If anyone knows of any other
    way, I'd love to see you prove it by showing some sample code.

    Did you just describe the ColdFusion equivalent of PHP's magic quotes, or am I reading it wrong? Because magic quotes are one of the stupidest things PHP has ever done...



  • Sort of.  PHP does the magic quotes thing to form fields as they
    come in.  That's a good thing if you put the data into SQL. 
    It's a bad thing if you wanted to display it on the screen.



    coldfusion's approach is a little more intuitive.  They escape
    quotes at the point that you put them into the database - which is
    probably what you intended to happen - and what you would have done
    manually with the PHP addSlashes() function in the past.  With
    coldfusion, this is the default behaviour.  You have to
    specifically override it if you don't want it.  It's a big safety
    net for newbies.



    Stilll, the best thing to do in coldfusion is to use
    cfQueryParam.  Not only does that absolutely prevent sql injection
    (there's not even a way to override it and shoot yourself in the foot),
    but now MS SQL Server can actually cache the query plan.  So you
    get safety and a performance boost.



    I really like coldfusion.



  • Ah, so it only does it to the data that you're actually putting into the query... that's a lot saner.

    I still have an irrational hate of CF though.



  • @tofu said:

    Sort of.  PHP does the magic quotes thing to form fields as they
    come in.  That's a good thing if you put the data into SQL. 
    It's a bad thing if you wanted to display it on the screen.

    I think it only does if you activate the magic_quotes option in php.ini, and I also think that this option is turned off by default and will get booted from php6 because it sucks, is stupid, and mostly doesn't work

    @tofu said:
    coldfusion's approach is a little more intuitive.  They escape quotes at the point that you put them into the database - which is probably what you intended to happen - and what you would have done manually with the PHP addSlashes() function in the past.  With coldfusion, this is the default behaviour.  You have to specifically override it if you don't want it.  It's a big safety net for newbies.

    You mentioned .Net. I'd be REALLY surprised if the standard .Net DB interface didn't have safe query parameters (I don't know .Net btw), any language in which you have to secure your db parameters yourself is a piece of shit and should burn in hell (yes php, i'm talking about you too)



  • The real source of the WTF is that I got that hyperlink from Google search results. Google "Invalid data for CFSQLTYPE CF_SQL_INTEGER"

    So I guess they've been debugging that for a while now?



  • @maldrich said:

    The real source of the WTF is that I got that
    hyperlink from Google search results. Google "Invalid data for
    CFSQLTYPE CF_SQL_INTEGER"

    So I guess they've been debugging that for a while now?




    ah, using google to look for broken websites are we?  You sly dog.



    I remember the good old days when kazaa would offer to index and share
    our whole hard drive and you could find lots of good stuff by searching
    for things like autoexec.bat.






  • Pure coincidence -- I found it while looking for a workaround for a CF bug with CFSQLTYPE CF_SQL_INTEGER. Did not expect to get a live demo, though :-).

    Gosh, gee whiz, I'd never go out there searching for WTFs. That would be mean.



  • care to describe the bug?



  • Sure. My company, alas, is still running one vintage system on ColdFusion 4.5. (Data is stored on 256k cunieform tablets made of clay). No plans to upgrade; no time to migrate to something else. Long story.
    I was having a problem with getting output parameters from SQL Server stored procedures using CFSTOREDPROC, and it turned out that if any of the cold fusion parameters in the tag were of type "CF_SQL_TIMESTAMP" then it would inexplicably hose the content of the output parameter. Changing the type to "VARCHAR" as a hack-around ultimately made the problem go away, though I hesitate to call that a solution :-)



  • hmm, timestamps get sent to the database in that funky {'
    notation.  I guess maybe the database didn't like that in this
    case. Well, glad that you fixed it.



  • @masklinn said:

    You mentioned .Net. I'd be REALLY surprised if the standard .Net DB interface didn't have safe query parameters (I don't know .Net btw), any language in which you have to secure your db parameters yourself is a piece of shit and should burn in hell (yes php, i'm talking about you too)



    .NET has secure params via SqlParameter objects.  It's quite easy to write vulnerable queries, though (I've seen quite a bit of crap like this: "select * from blah where id = " + txt1.Text)



  • @warispeace said:

    @masklinn said:

    You mentioned .Net. I'd be REALLY surprised if the standard .Net DB interface didn't have safe query parameters (I don't know .Net btw), any language in which you have to secure your db parameters yourself is a piece of shit and should burn in hell (yes php, i'm talking about you too)



    .NET has secure params via SqlParameter objects.  It's quite easy to write vulnerable queries, though (I've seen quite a bit of crap like this: "select * from blah where id = " + txt1.Text)

    It's always easy to write vulnerable queries by bypassing the built-in query preparators, you can't really do anything about it except shooting the culprit to death though :/


Log in to reply