Comments on: Infoweek security issues http://blog.razuna.com/2008/09/23/infoweek-security-issues/ Razuna - Open Source Digital Asset Management (DAM) / Open Source Media Asset Management (MAM), Hosted SaaS DAM Wed, 08 Sep 2010 20:35:56 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Randy Johnsonhttp://blog.razuna.com/2008/09/23/infoweek-security-issues/comment-page-1/#comment-430 Randy Johnson Wed, 24 Sep 2008 12:54:43 +0000 http://blog.sixsigns.com/?p=499#comment-430 @Brad,wow I did not know about the allowMultiQueries flag.Yep you are right, injection attacks do not require two statements. The latest round of injection attacks which have been hitting my sites are multi-statement which I was referring to. I have captured 18000 distinct ipaddresses in the past two months. Crazy. @Brad,

wow I did not know about the allowMultiQueries flag.

Yep you are right, injection attacks do not require two statements. The latest round of injection attacks which have been hitting my sites are multi-statement which I was referring to. I have captured 18000 distinct ipaddresses in the past two months. Crazy.

]]> By: Brad Woodhttp://blog.razuna.com/2008/09/23/infoweek-security-issues/comment-page-1/#comment-428 Brad Wood Wed, 24 Sep 2008 06:17:59 +0000 http://blog.sixsigns.com/?p=499#comment-428 @Randy and @Alan: You most certainly can perform SQLi with BD and Adobe CF on MySQL since not all SQL injection requires two statements. Secondly many people (including myself) enable the allowMultiQueries flag because they find the single statement limitation annoying. Regardless, it's a feature of the DBMS, not the app server.In regards to the original post, that site really needs to get a site-wide error handler. @Randy and @Alan: You most certainly can perform SQLi with BD and Adobe CF on MySQL since not all SQL injection requires two statements. Secondly many people (including myself) enable the allowMultiQueries flag because they find the single statement limitation annoying. Regardless, it’s a feature of the DBMS, not the app server.

In regards to the original post, that site really needs to get a site-wide error handler.

]]> By: SixSignshttp://blog.razuna.com/2008/09/23/infoweek-security-issues/comment-page-1/#comment-427 SixSigns Tue, 23 Sep 2008 14:04:58 +0000 http://blog.sixsigns.com/?p=499#comment-427 There are issues with about every application server. Some drivers recognizes this others don't. There is much information about this from Ben Forta at http://www.forta.com/blog/index.cfm/2008/7/22/For-Goodness-Sake-Use-CFQUERYPARAM-AlreadyJudging from the date this is recent! Just wade through the comments.... There are issues with about every application server. Some drivers recognizes this others don’t. There is much information about this from Ben Forta at http://www.forta.com/blog/index.cfm/2008/7/22/For-Goodness-Sake-Use-CFQUERYPARAM-Already

Judging from the date this is recent! Just wade through the comments….

]]> By: Randy Johnsonhttp://blog.razuna.com/2008/09/23/infoweek-security-issues/comment-page-1/#comment-426 Randy Johnson Tue, 23 Sep 2008 13:58:36 +0000 http://blog.sixsigns.com/?p=499#comment-426 Alan,You cannot with Adobe CF either.-Randy Alan,

You cannot with Adobe CF either.

-Randy

]]> By: Alanhttp://blog.razuna.com/2008/09/23/infoweek-security-issues/comment-page-1/#comment-425 Alan Tue, 23 Sep 2008 13:21:14 +0000 http://blog.sixsigns.com/?p=499#comment-425 I am not sure how Adobe do things, but with OpenBD, you cannot perform an SQL injection with CFQUERY for MySQL. this is because the MYSQL driver will not permit two statements in one go. Try it, you will find you will not be able to do it. I am not sure how Adobe do things, but with OpenBD, you cannot perform an SQL injection with CFQUERY for MySQL. this is because the MYSQL driver will not permit two statements in one go. Try it, you will find you will not be able to do it.

]]> By: SixSignshttp://blog.razuna.com/2008/09/23/infoweek-security-issues/comment-page-1/#comment-424 SixSigns Tue, 23 Sep 2008 12:29:21 +0000 http://blog.sixsigns.com/?p=499#comment-424 This error was coming from a form. Forgot to mention this, but I thought it was obvious. This error was coming from a form. Forgot to mention this, but I thought it was obvious.

]]> By: Salvohttp://blog.razuna.com/2008/09/23/infoweek-security-issues/comment-page-1/#comment-423 Salvo Tue, 23 Sep 2008 12:29:10 +0000 http://blog.sixsigns.com/?p=499#comment-423 OK no way to post code here. Sorry for spamming your blog ;-) OK no way to post code here. Sorry for spamming your blog ;-)

]]> By: Salvohttp://blog.razuna.com/2008/09/23/infoweek-security-issues/comment-page-1/#comment-421 Salvo Tue, 23 Sep 2008 12:26:09 +0000 http://blog.sixsigns.com/?p=499#comment-421 Too bad for them... The FORM scope is the one to use for POST submission though Too bad for them…
The FORM scope is the one to use for POST submission though

]]>