COMBELL Tech: SQL injection is now also popular on ColdFusion websites

Over the past 3 months, a new wave of ‘SQL injection’ attacks reared its head, infecting over half a million websites. This type of hacking mostly targets the underlying database and aims to make as many modifications to it as possible. COMBELL has investigated this phenomenon and offers you some tips to prevent this type of abuse.

Until recently, this new trend was only spotted on ASP or ASP.NET websites. We have now established that ColdFusion websites are also targeted. Although the programming language varies, a few constants remain:

- The cause is always a leak in the website’s own code
- The underlying database is always a Microsoft SQL Server database
- JavaScript is injected into the data stored in the database

These constants are undoubtedly not accidental; they lie at the basis of the injection: the lack of validation and security at the level of URL parameters makes it possible for hackers to inject their own SQL statements. They do not need any login credentials to do this, because the script itself already has access to the database and runs their statements on their behalf.

The extent and the impact of the injection are related to the architecture of Microsoft SQL Server: the data dictionary exposed through its system tables can be used to map all tables and fields. Via the table “dbo.sysobjects”, hackers get an overview of all the available tables; via “dbo.syscolumns”, they learn which fields each table contains; and via “dbo.systypes”, they finally find out which fields can hold alphanumeric values. This combination allows hackers to overwrite every alphanumeric field with their own text, without needing any concrete knowledge of your database structure.

This leads us to the last constant, namely the presence of JavaScript code. The SQL injection is not the final objective of the operation. What these hackers really aim to do is to mix small fragments of JavaScript code in with the legitimate alphanumeric data in the tables. They hope that this data is later rendered as HTML on the website, so that the JavaScript is executed along with it. The JavaScript code in question generates a link pointing to code hosted on ill-intentioned websites that contains viruses. In many cases, these websites are located in Russia and China.

Now that this plague has also hit the world of ColdFusion, it is important to reflect on what is referred to as “database sanitizing”, which comes down to “keeping the SQL statements clean”. In ColdFusion, this can easily be done with the “CFQUERYPARAM” tag. By using it, you make sure that a query parameter cannot contain any “forbidden” data.
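The following is an added illustration, not code from COMBELL or from any affected site: it shows a CFQUERY that inlines a URL parameter into the SQL text next to the same query rewritten with CFQUERYPARAM, which binds the value as a typed parameter so SQL Server never parses it as part of the statement. The table name “products”, its columns and the datasource variable are hypothetical; encodeForHTML() exists in ColdFusion 10 and later (older releases use HTMLEditFormat()).

```cfml
<!--- Added example, not part of the original article.
      Assumes a hypothetical table "products" (integer "id", varchar "name",
      "description") reachable through the datasource in application.dsn. --->

<!--- VULNERABLE: url.id is pasted straight into the SQL string, so anything
      a visitor appends to the id value becomes part of the statement that
      SQL Server executes. This is the pattern behind the injections described
      above and is shown only as the "before" state. --->
<cfquery name="getProduct" datasource="#application.dsn#">
    SELECT id, name, description
    FROM   products
    WHERE  id = #url.id#
</cfquery>

<!--- HARDENED: cfqueryparam sends the value as a bound parameter of the
      declared type. The value is never interpreted as SQL, and a non-numeric
      id is rejected by ColdFusion before the query reaches the database. --->
<cfquery name="getProduct" datasource="#application.dsn#">
    SELECT id, name, description
    FROM   products
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String parameters get the same treatment; maxlength bounds the input
      so an oversized value is refused instead of reaching the table. --->
<cfquery name="searchProducts" datasource="#application.dsn#">
    SELECT id, name
    FROM   products
    WHERE  name LIKE <cfqueryparam value="%#url.q#%"
                                   cfsqltype="cf_sql_varchar"
                                   maxlength="50">
</cfquery>

<!--- Second line of defence against the JavaScript payload: encode stored
      text on output, so a script fragment that was already written into the
      database by an earlier injection is displayed as literal text rather
      than executed by the visitor's browser. --->
<cfoutput query="getProduct">
    <p>#encodeForHTML(name)#</p>
    <p>#encodeForHTML(description)#</p>
</cfoutput>
```

Every CFQUERY that takes a value from URL, FORM or COOKIE scope needs the CFQUERYPARAM form; a single unparameterised query is enough for the data-dictionary walk described above.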