Re: Cold Fusion and Sql Injection

From: Javier Fernandez-Sanguino (jfernandez_at_germinus.com)
Date: 06/23/03

  • Next message: Cesar: "Re: Cold Fusion and Sql Injection"
    Date: Mon, 23 Jun 2003 11:11:56 +0200
    To: morning_wood <se_cur_ity@hotmail.com>
    
    

    morning_wood wrote:
    > maybe some help at
    > http://nothackers.org/pipermail/0day/2003-June/000091.html
    >

    I fail to see how your pointer (to an exploitation of an XSS
    vulnerability in Cold Fusion using iframes?) relates to the original
    question (SQL injection + Cold Fusion).

    Answering George, I would suggest that this is _not_ an error of Cold
    Fusion input validation but of a stored procedure being used in the SQL
    server. Probably, the Cold Fusion engine just calls a procedure in the
    SQL server with the input as parameters and the code in there is the one
    trying to do the conversion.

    Notice that you are only seeing ODBC-SQL server errors, no error codes
    from Cold Fusion there, so it looks like Cold Fusion is passing things
    blindly.

    Regards

    Javi
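
The distinction drawn in the message above, as an added example that is not part of the original post: one branch hands the request value to a stored procedure untouched, so a failed type conversion can only surface as an ODBC/SQL Server error, while the other checks and types the value in Cold Fusion first. The datasource `appDSN`, procedure `getItemById`, log file `sqlproc` and URL field `id` are hypothetical names.

```cfml
<!--- Added example; appDSN, getItemById, sqlproc and url.id are hypothetical names. --->
<cfparam name="url.id" default="">

<!--- Switch between the two forms on a test system to compare the errors returned. --->
<cfset useTypedCall = true>

<cfif NOT useTypedCall>
    <!--- Blind pass-through: the raw string goes to the procedure, and any
          conversion to a number happens (and fails) inside SQL Server. --->
    <cfstoredproc procedure="getItemById" datasource="appDSN">
        <cfprocparam type="In" cfsqltype="CF_SQL_VARCHAR" value="#url.id#">
        <cfprocresult name="qItem">
    </cfstoredproc>
<cfelse>
    <!--- Reject anything that is not a short run of digits before the database is involved. --->
    <cfif NOT REFind("^[0-9]{1,9}$", url.id)>
        <cfheader statuscode="400" statustext="Bad Request">
        <cfoutput>Invalid item id.</cfoutput>
        <cfabort>
    </cfif>

    <cftry>
        <!--- Bind the value as an integer so the driver, not the procedure body, fixes its type. --->
        <cfstoredproc procedure="getItemById" datasource="appDSN">
            <cfprocparam type="In" cfsqltype="CF_SQL_INTEGER" value="#Val(url.id)#">
            <cfprocresult name="qItem">
        </cfstoredproc>
        <cfcatch type="database">
            <!--- Keep driver and server error text in the log, out of the response. --->
            <cflog file="sqlproc" type="error" text="getItemById failed: #cfcatch.message#">
            <cfheader statuscode="500" statustext="Internal Server Error">
            <cfoutput>Request could not be processed.</cfoutput>
            <cfabort>
        </cfcatch>
    </cftry>
</cfelse>
</cfif>
```

Typing the parameter only covers values that have a strict type; if the procedure builds SQL text from string parameters, that has to be fixed in the procedure itself.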


