Re: Cold Fusion and Sql Injection

From: Javier Fernandez-Sanguino (jfernandez@germinus.com)
Date: Mon Jun 23 2003 - 05:11:56 EDT


morning_wood wrote:
> maybe some help at
> http://nothackers.org/pipermail/0day/2003-June/000091.html
>

I fail to see how your pointer (to an exploitation of an XSS
vulnerability in Coldfusion using iframes?) relates to the original
question (SQL injection + Cold Fusion).

Answering George, I would suggest that this is _not_ an error of Cold
Fusion input validation but of a stored procedure being used in the SQL
server. Probably, the Cold Fusion engine just calls a procedure in the
SQL server with the input as parameters and the code in there is the one
trying to do the conversion.

Notice that you are only seeing ODBC-SQL server errors, no error codes
from Cold Fusion there, so it looks like Cold Fusion is passing things
blindly.

Regards

Javi




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:35 EDT