"cross-site scripting" for CF - SQL exploit
Posted on 2002-03-15
I am running an environment which uses ColdFusion 5.0 as the application server. I was trying to replicate, in a test environment, what is described as "The Deadly Database Exploit".
My SQL code embedded in the ColdFusion code would read... for example:
    <CFQUERY NAME="test" DATASOURCE="example_source">
        <!--- assumed SELECT/FROM; the post showed only the WHERE clause --->
        SELECT * FROM test_table
        WHERE test_item = '#Form.test_field#'
    </CFQUERY>
The variable test_field comes from a different page and is driven by input from the user. I was playing around with it trying to see what happens and used a series of inputs:
1. 1324 TRUNCATE TABLE test_table
2. 1324' TRUNCATE TABLE test_table
3. 1234' </CFQUERY><CFQUERY NAME="test" DATASOURCE="example_source">DELETE FROM test_table WHERE
I am sure you understand what I was trying to do, and why I added some of the single quotes; however, none of these things worked. I was wondering if this exploit was fixed by Macromedia in the 5.0 release, because it does not seem that the existing ColdFusion code allows the user to enter CF commands. I am not running any type of user input filter on the site, and am really interested in assessing whether this potential exploit affects me and is worth fixing.
I would appreciate your thoughts and responses.
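The query pattern from the post beside its parameterised form, as an added example that is not code from the post (CFQUERYPARAM has been part of CFML since ColdFusion 4; the table, column and datasource names are taken from the post and the SELECT clause is assumed):

```cfml
<!--- Form from the post: Form.test_field is spliced into the SQL text, so a quote in the
      input changes the statement. The template is compiled before the request, so CFML tags
      typed into the form are never executed; the string only ever reaches the database. --->
<CFQUERY NAME="test_unsafe" DATASOURCE="example_source">
    SELECT * FROM test_table
    WHERE test_item = '#Form.test_field#'
</CFQUERY>

<!--- Hardened form: the value travels as a bound parameter, not as part of the SQL string,
      so quotes and keywords in the input are plain data. MAXLENGTH caps the value length. --->
<CFQUERY NAME="test_safe" DATASOURCE="example_source">
    SELECT * FROM test_table
    WHERE test_item = <CFQUERYPARAM VALUE="#Form.test_field#" CFSQLTYPE="CF_SQL_VARCHAR" MAXLENGTH="50">
</CFQUERY>

<!--- If the column is numeric, declare it so; a non-numeric value is rejected by
      ColdFusion before the query runs instead of being handed to the database. --->
<CFQUERY NAME="test_by_id" DATASOURCE="example_source">
    SELECT * FROM test_table
    WHERE test_item = <CFQUERYPARAM VALUE="#Form.test_field#" CFSQLTYPE="CF_SQL_INTEGER">
</CFQUERY>
```

Whether a given probe string has a visible effect depends on the database and driver, so a probe that does nothing is not evidence that the first query is safe; only the bound form removes the injection.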