

SQL Injection Part II (Make Sure You Are Sitting Down) - Anon84
http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-And-ASCII

======
jm4
SQL Injection Part II? It's a textbook example of SQL injection. I guess it's
interesting if you haven't seen one before, but this isn't some new and more
evil version of an old attack. It's just the same old attack that's been
around since the beginning of SQL-backed applications. The moral of the story
is to always validate user input.

All these examples are in ColdFusion and for many years- going back at least 5
years ago when I used it- CF developers have known to use <cfqueryparam> to
pass user data to queries. It's the CF equivalent of binding parameters to a
query. Every example presented here can easily be protected against using that
method.

The only people that have to worry about this are the laziest of the lazy
developers.
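
The concatenate-versus-bind distinction drawn above, as an added example in Python with sqlite3 rather than CFML (not code from the article or from anyone in this thread; the users table, the function names and the lookup values are constructed here). It shows the same fix outside CF, since the point is language-independent:

```python
import sqlite3

def build_db():
    """Constructed sample table for this example: one admin, one customer."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username VARCHAR(40), role VARCHAR(10));
        INSERT INTO users VALUES (1, 'alice', 'admin'), (2, 'bob', 'customer');
    """)
    return conn

def find_user_concat(conn, username):
    """The textbook mistake: the request value is spliced into the SQL text, so a
    quote in the input rewrites the WHERE clause instead of being compared."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def find_user_bound(conn, username):
    """The fix: the value travels as a bound parameter (what <cfqueryparam>
    does in CF), so the database engine never parses it as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def find_user_by_id(conn, user_id):
    """Validation on top of binding: a typed parameter (cfsqltype="cf_sql_integer"
    in CF terms) rejects anything that is not an integer before it reaches SQL."""
    if not isinstance(user_id, int) or isinstance(user_id, bool):
        raise TypeError("user_id must be an integer")
    return conn.execute("SELECT username, role FROM users WHERE id = ?", (user_id,)).fetchall()
```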

------
rmason
Sigh, I had really hoped we had gotten past this Coldfusion bashing. CF has an
easy barrier to entry so there's a mix of code from poor to excellent.

Lots of open source people bash CF because it's a commercial product. Well in
October that's about to change in a big way.

Railo will become the newest member of the JBoss project. There will now be a
version of CFML with an LGPL2 license. PG always celebrates time to market and
CFML will quite simply get a startup there faster.

------
axod
_sigh_ just use parametrized sql statements. It's really really really not
rocket science. If your language/framework doesn't support them, don't use
that language/framework.

------
ghiotion
I got hit with this very same attack over July 4th weekend. I inherited an
abortion of a site written in "classic" ASP. The attacker inserted javascript
links into every VARCHAR database table it could. Took me hours to clean out
everything. Taking me even longer to go through and validate all the form
posts.

People complain you ought to need a license to have a kid. This kind of crap
makes me think you need a license to write a web app.
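
The cleanup ghiotion describes, as an added example (not the commenter's code): a read-only triage pass over every character-typed column, then a cleanup pass, in Python against a constructed SQLite database. The regex, table names and sample rows are assumptions for illustration.

```python
import re
import sqlite3

# Payload shape ghiotion describes: a <script src=...></script> tag appended to
# stored text. Pattern and sample rows are constructed for this example.
SCRIPT_RE = re.compile(r"<script\b[^>]*\bsrc\s*=[^>]*>\s*</script>", re.IGNORECASE)

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name VARCHAR(50),
                               description TEXT, price REAL);
        CREATE TABLE news (id INTEGER PRIMARY KEY, title VARCHAR(80), body TEXT);
        INSERT INTO products VALUES
          (1, 'Widget', 'A widget<script src="http://evil.example/x.js"></script>', 9.5),
          (2, 'Gadget<script src="http://evil.example/x.js"></script>', 'A gadget', 12.0),
          (3, 'Gizmo', 'Untouched row', 3.25);
        INSERT INTO news VALUES (1, 'Hi', 'Welcome<SCRIPT SRC=http://evil.example/x.js></SCRIPT>');
    """)
    return conn

def text_columns(conn):
    """Yield (table, column) for every character-typed column. Identifiers come
    from the catalogue, not from users, and are quoted; they cannot be bound."""
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for _cid, name, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")').fetchall():
            if any(k in (ctype or "").upper() for k in ("CHAR", "TEXT", "CLOB")):
                yield table, name

def find_injected(conn):
    """Read-only triage: {(table, column): affected_rows}."""
    hits = {}
    for table, col in text_columns(conn):
        rows = conn.execute(f'SELECT "{col}" FROM "{table}"').fetchall()
        n = sum(1 for (v,) in rows if isinstance(v, str) and SCRIPT_RE.search(v))
        if n:
            hits[(table, col)] = n
    return hits

def strip_injected(conn):
    # Cleanup pass: remove the tag from each affected row; returns rows updated.
    updated = 0
    for table, col in list(text_columns(conn)):
        for rowid, v in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"').fetchall():
            if isinstance(v, str) and SCRIPT_RE.search(v):
                conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?',
                             (SCRIPT_RE.sub("", v), rowid))
                updated += 1
    conn.commit()
    return updated
```

Run the triage pass first and keep its output; it tells you which tables and forms to audit, which is the longer job the comment mentions.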

------
ajkirwin
Oh. ColdFusion.

And I thought this article might have had some relevance.

~~~
jm4
It's not the fact that the examples are in ColdFusion that makes this article
mostly irrelevant. To suggest that it does really just makes you sound
ignorant, especially since the particular attack being demonstrated is not
language specific.

ColdFusion isn't the best language, but it's certainly not one of the worst
either. I think the poor reputation mostly stems from complaints about the
joe-shmoe-friendly tag-based syntax and the fact that it's commercial, but
most of these probably come from people who have never even used it. I spent
some time with it and there are some pretty nifty things you can do with it.
The fact that it's built on Java is nice too since you can leverage the entire
Java standard library and run on all the so-called enterprise-y application
servers all without the pain of having to use Java. This leads to rapid,
corporate-friendly development which makes developers and PHBs happy. That's
probably why there are still lots of businesses out there using it.

~~~
tptacek
Wasn't all of MySpace built on CF?

It's clearly not a win for security, whatever else you might say about it.

~~~
jm4
MySpace is the largest CF site I'm aware of. I think they actually use the
BlueDragon flavor of CF- or at least they did at one time. Most people haven't
heard of it, but there's actually another implementation besides the one from
Adobe. I remember some talk about MySpace being ported to .NET, but I still
see a bunch of .cfm URLs on there so I'm not sure what they're doing.

I don't know what you mean by that security remark. You can develop secure
applications in CF just like you can with any other language. Some languages
might require some more hoop jumping than others (example: protecting against
SQL injection in PHP was a real drag for a long time), but I'm not aware of
anything inherent in CF that makes it particularly difficult. In fact, I've
found that many things tend to be easier in CF.

Don't get me wrong- I'm not saying everyone should go out and learn
ColdFusion. I just think it may be undeserving of the snide comments it seems
to attract.

~~~
tptacek
Well, my company funds itself by, amongst other things, going out and breaking
web apps, and I'm going to assert without evidence that in both code quality
and in environmental security (admin interfaces, etc), CF sites rank at the
bottom, and .NET and J2EE sites are neck and neck at the top.

We're a Rails product shop and our dev team is recovering Lisp hippies, so
that's not a BigCo bias, it's just the empirical observation.

~~~
jm4
I won't dispute your results, but those alone are insufficient evidence to
suggest any correlation between languages and the ability to develop secure
applications. It's a huge leap to say that ApplicationX, developed in Blub++,
has more bugs than some completely different application developed in another
language, therefore Blub++ is an insecure language.

More likely, the correlation is between security and a number of factors far
from choice of language, such as developer experience, diversity of the
development team, budget, etc.

Based on my own experience, I've seen that many CF developers are typically
less experienced and work in smaller shops so those results aren't the least
bit surprising. It's important to keep in mind that they say far more about
the developers than the language the application was developed in.

