[thelist] The URL SemiColon Exploit
Dan Slater
dan_slater at imaginuity.com
Tue Jan 15 23:33:27 CST 2002
Hi all,
I've been wrestling with this problem for some time now.
In case you didn't know, there's a way to pass any SQL Server command via
the URL by simply adding a semicolon at the end of the address, followed by
the SQL command. Apparently it only works if you pass a URL parameter
first. (example: mysite.com?thisVar=True)
Trying to prevent this exploit has proven to be quite a challenge.
One option is to create a brand new user (as the ColdFusion login to the
datasource(s)) and only grant certain privileges to that user. A great idea,
but seemingly impossible to implement given my limited ability as a SQL
Server DBA.
The other option I explored was to create two of each DSN and grant only
SELECT, UPDATE, INSERT permissions to one, while the other DSN was unlimited
in ability - but only available to administrative pages. The problem with
this is that the site I'm trying to fix has made extensive use of stored
procedures. I can give the DSN permission to execute stored procedures -
but that would then allow a malicious user to execute several "bad" SPs.
The third option, and I think the best, is to check for the existence of a
semicolon on every page load, and handle it there.
To that end, I've added the following code in the root dir's Application.cfm:
<cfset BadChar=";">
<!--- Reject the request if the raw query string contains a semicolon --->
<cftry>
  <cfif Find(BadChar, cgi.query_string) NEQ 0>
    <cfthrow message="Invalid Operation">
  </cfif>
  <cfcatch>
    <h1>Invalid Operation!!!!</h1>
    <a href="http://www.thehomepage.com">Back to the homepage!</a>
    <cfabort>
  </cfcatch>
</cftry>
Basically, I'm just checking the URL for any semicolons, and if found, let
the user know what the issue is, provide them with a link to the homepage
and abort the rest of the page loading.
Does this sound like a good way to defeat the use of the semicolon exploit?
Since I've found no other examples of this "technique" - I'm wondering if
I'm missing something here that could easily defeat my "fix".
Thanks in advance,
Dan Slater
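An added example, not from Dan's post, showing the two layers a ColdFusion page would combine against the semicolon problem described above: the Application.cfm check made to inspect the decoded query string as well as the raw one (cgi.query_string is undecoded, so a percent-encoded semicolon would otherwise slip past), and the query itself written with cfqueryparam so a semicolon inside a parameter is treated as data rather than as the start of a second statement. The datasource name siteDSN, the users table and the url.id parameter are assumed.

```cfml
<!--- Application.cfm (assumed location): reject a semicolon whether it
      arrives literally or as %3B. cgi.query_string is the raw, undecoded
      string, so the decoded copy is checked too. --->
<cfset BadChar = ";">
<cfset decodedQS = URLDecode(cgi.query_string)>
<cfif Find(BadChar, cgi.query_string) NEQ 0 OR Find(BadChar, decodedQS) NEQ 0>
  <h1>Invalid Operation</h1>
  <a href="http://www.thehomepage.com">Back to the homepage</a>
  <cfabort>
</cfif>

<!--- Vulnerable form, shown for comparison only. The URL value is pasted
      straight into the SQL text, so whatever follows a semicolon in url.id
      reaches SQL Server as a second statement:

      <cfquery name="getUser" datasource="siteDSN">
        SELECT name FROM users WHERE id = #url.id#
      </cfquery>
--->

<!--- Hardened form: cfqueryparam sends the value as a typed bind parameter.
      A non-integer url.id is rejected before the query runs, and even with a
      string type the value would travel as data, never as SQL. --->
<cfquery name="getUser" datasource="siteDSN">
  SELECT name
  FROM users
  WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

The query-string check is then a defence in depth; the bind parameter is what actually stops an appended command from being executed.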