Web form security - REreplaceNoCase or is there something better?


  1. #1

    Web form security - REreplaceNoCase or is there something better?

    What is the best way to prevent users in a BB type scenario from posting
    script or SQL into a textfield or textarea? Making changes to the
    administrator is not an option.

    I figured there must be something better than REreplaceNoCase. However, if
    REreplaceNoCase is the best option, does anyone have a readymade snippet of
    code that will encompass the most malicious tags, SQL attacks, etc?


    Franklin Cross Guest

  3. #2

    Re: Web form security - REreplaceNoCase or is there something better?

    In article <Ljs7f.472$rE2.134@fe10.lga>, CrossBaby111
    @hotmail.com says...
    > What is the best way to prevent users in a BB type scenario from posting
    > script or SQL into a textfield or textarea? Making changes to the
    > administrator is not an option.
    >
    > I figured there must be something better than REreplaceNoCase. However, if
    > REreplaceNoCase is the best option, does anyone have a readymade snippet of
    > code that will encompass the most malicious tags, SQL attacks, etc?
    One of the best ways is to use <cfqueryparam> statements in
    your SQL to limit the datatypes passed in.

    --
    Cam
    Cam Penner Guest

  4. #3

    Re: Web form security - REreplaceNoCase or is there something better?


    "Cam Penner" <cam.pennerATpleasedontspamgoldmedalsystems.com@hotmail.com>
    wrote in message news:MPG.1dc7f2dae73439c29896ea@news.gv.shawcable.net...
    > In article <Ljs7f.472$rE2.134@fe10.lga>, CrossBaby111
    > @hotmail.com says...
    >> What is the best way to prevent users in a BB type scenario from posting
    >> script or SQL into a textfield or textarea? Making changes to the
    >> administrator is not an option.
    >>
    >> I figured there must be something better than REreplaceNoCase. However,
    >> if
    >> REreplaceNoCase is the best option, does anyone have a readymade snippet
    >> of
    >> code that will encompass the most malicious tags, SQL attacks, etc?
    >
    > One of the best ways is to use <cfqueryparam> statements in
    > your SQL to limit the datatypes passed in.
    >
    > --
    > Cam
    Can you give me an example of how this is used?


    Franklin Cross Guest

  5. #4

    Re: Web form security - REreplaceNoCase or is there something better?

    In article <oNs7f.17620$1X1.14993@fe12.lga>, CrossBaby111
    @hotmail.com says...
    >
    > "Cam Penner" <cam.pennerATpleasedontspamgoldmedalsystems.com@hotmail.com>
    > wrote in message news:MPG.1dc7f2dae73439c29896ea@news.gv.shawcable.net...
    > > In article <Ljs7f.472$rE2.134@fe10.lga>, CrossBaby111
    > > @hotmail.com says...
    > >> What is the best way to prevent users in a BB type scenario from posting
    > >> script or SQL into a textfield or textarea? Making changes to the
    > >> administrator is not an option.
    > >>
    > >> I figured there must be something better than REreplaceNoCase. However,
    > >> if
    > >> REreplaceNoCase is the best option, does anyone have a readymade snippet
    > >> of
    > >> code that will encompass the most malicious tags, SQL attacks, etc?
    > >
    > > One of the best ways is to use <cfqueryparam> statements in
    > > your SQL to limit the datatypes passed in.
    > >
    > > --
    > > Cam
    >
    > Can you give me an example of how this is used?
    [url]http://livedocs.macromedia.com/coldfusion/6.1/htmldocs/tags-b20.htm[/url]

    --
    Cam
    Cam Penner Guest

  6. #5

    Re: Web form security - REreplaceNoCase or is there something better?


    "Cam Penner" <cam.pennerATpleasedontspamgoldmedalsystems.com@hotmail.com>
    wrote in message news:MPG.1dc7fb6214c295d59896eb@news.gv.shawcable.net...
    > In article <oNs7f.17620$1X1.14993@fe12.lga>, CrossBaby111
    > @hotmail.com says...
    >>
    >> "Cam Penner" <cam.pennerATpleasedontspamgoldmedalsystems.com@hotmail.com>
    >> wrote in message news:MPG.1dc7f2dae73439c29896ea@news.gv.shawcable.net...
    >> > In article <Ljs7f.472$rE2.134@fe10.lga>, CrossBaby111
    >> > @hotmail.com says...
    >> >> What is the best way to prevent users in a BB type scenario from
    >> >> posting
    >> >> script or SQL into a textfield or textarea? Making changes to the
    >> >> administrator is not an option.
    >> >>
    >> >> I figured there must be something better than REreplaceNoCase.
    >> >> However,
    >> >> if
    >> >> REreplaceNoCase is the best option, does anyone have a readymade
    >> >> snippet
    >> >> of
    >> >> code that will encompass the most malicious tags, SQL attacks, etc?
    >> >
    >> > One of the best ways is to use <cfqueryparam> statements in
    >> > your SQL to limit the datatypes passed in.
    >> >
    >> > --
    >> > Cam
    >>
    >> Can you give me an example of how this is used?
    >
    > [url]http://livedocs.macromedia.com/coldfusion/6.1/htmldocs/tags-b20.htm[/url]
    >
    > --
    This still does not explain how this feature can be used to filter out
    script and SQL from a large textblob.


    Franklin Cross Guest

  7. #6

    Re: Web form security - REreplaceNoCase or is there something better?

    In alt.comp.lang.coldfusion Franklin Cross <CrossBaby111@hotmail.com> wrote:

    [re: cfqueryparam]

    : This still does not explain how this feature can be used to filter out
    : script and SQL from a large textblob.

    Cfqueryparam doesn't filter out anything. It does prevent SQL
    injection attacks by preventing any SQL in a form field from
    being evaluated.

    --
    Bob Dively | I used to be indecisive, but now I'm not sure...
    Bob Dively Guest
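    A Python model of the distinction Bob draws, added here as an illustration (not code from the thread or from ColdFusion): the same post bodies inserted by string concatenation, which is the pattern <cfqueryparam> replaces, and as a bound parameter. sqlite3 stands in for the board's database, the `?` placeholder for <cfqueryparam>, and the sample bodies are constructed.

```python
import sqlite3

# Constructed sample post bodies. The second one merely *looks* like SQL;
# the apostrophe is what matters: in a concatenated query it closes the
# string literal, so the database parses the rest of the body as SQL.
SAMPLE_BODIES = [
    "Nice board!",
    "Bob's tip: DROP TABLE posts; is just text when it is a parameter",
]


def new_board():
    """In-memory stand-in for the bulletin-board database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)")
    return conn


def store_concatenated(conn, body):
    """The pattern cfqueryparam replaces: user text pasted into the SQL string.
    Returns True if the insert ran, False if the database treated the body as
    (broken) SQL and refused it."""
    try:
        conn.execute("INSERT INTO posts (body) VALUES ('" + body + "')")
        return True
    except sqlite3.Error:
        return False


def store_parameterized(conn, body):
    """Model of <cfqueryparam value="#form.body#" cfsqltype="cf_sql_longvarchar">:
    the SQL text is fixed, the body travels as a bound value and is never parsed."""
    conn.execute("INSERT INTO posts (body) VALUES (?)", (body,))
    return True


def stored_bodies(conn):
    """What actually ended up in the table, in insertion order."""
    return [row[0] for row in conn.execute("SELECT body FROM posts ORDER BY id")]


def compare(bodies=SAMPLE_BODIES):
    """Run both styles over the sample bodies on fresh tables and report the outcome."""
    results = {}
    for name, store in (("concatenated", store_concatenated),
                        ("parameterized", store_parameterized)):
        conn = new_board()
        accepted = [store(conn, body) for body in bodies]
        results[name] = {"accepted": accepted, "stored": stored_bodies(conn)}
        conn.close()
    return results


if __name__ == "__main__":
    for name, outcome in compare().items():
        print(name, outcome)
```

    With parameters the body that contains "DROP TABLE posts;" is stored verbatim and the table survives, which is exactly Bob's point: nothing is filtered, it just never gets evaluated.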

  8. #7

    Re: Web form security - REreplaceNoCase or is there something better?


    "Bob Dively" <dive@panix.com> wrote in message
    news:djlr6l$qq7$4@reader2.panix.com...
    > In alt.comp.lang.coldfusion Franklin Cross <CrossBaby111@hotmail.com>
    > wrote:
    >
    > [re: cfqueryparam]
    >
    > : This still does not explain how this feature can be used to filter out
    > : script and SQL from a large textblob.
    >
    > Cfqueryparam doesn't filter out anything. It does prevent SQL
    > injection attacks by preventing any SQL in a form field from
    > being evaluated.
    >
    But how can I prevent people from executing malicious scripts in a textarea?
    Or for that matter, inserting pornographic image tags into it?


    Franklin Cross Guest

  9. #8

    Re: Web form security - REreplaceNoCase or is there something better?


    "Bob Dively" <dive@panix.com> wrote in message
    news:djlr6l$qq7$4@reader2.panix.com...
    > In alt.comp.lang.coldfusion Franklin Cross <CrossBaby111@hotmail.com>
    > wrote:
    >
    > [re: cfqueryparam]
    >
    > : This still does not explain how this feature can be used to filter out
    > : script and SQL from a large textblob.
    >
    > Cfqueryparam doesn't filter out anything. It does prevent SQL
    > injection attacks by preventing any SQL in a form field from
    > being evaluated.
    >
    > --
    > Bob Dively | I used to be indecisive, but now I'm not sure...
    What I meant by the pornographic img tags is how do I prevent them from
    using any sort of html code, javascript, etc.


    Franklin Cross Guest

  10. #9

    Re: Web form security - REreplaceNoCase or is there something better?

    In alt.comp.lang.coldfusion Franklin Cross <CrossBaby111@hotmail.com> wrote:

    : But how can I prevent people from executing malicious scripts in a textarea?
    : Or for that matter, inserting pornographic image tags into it?

    You can use ReReplaceNoCase to remove tags that you don't want:

    <cfset test = '<script language="JavaScript">script contents</script>'>
    <cfset test = ReReplaceNoCase(test, "<script.*>.*</script>", "", "ALL")>

    For IMG tags:

    ReReplaceNoCase(form_var, "<img.*>", "", "ALL")

    Those examples don't cover all cases. Regular expressions are
    tricky, so test a lot.

    There are also several custom tags available:

    [url]http://www.cflib.org/udf.cfm?ID=774[/url]
    [url]http://www.macromedia.com/cfusion/exchange/index.cfm?view=sn130#loc=en_us&view=sn106&viewName=Exchange%20Search%20Details&authorid=33572169&page=0&scrollPos=0&subcatid=0&snid=sn106&itemnumber=3&extid=1002316&catid=0[/url]

    Or you can google for "coldfusion strip html" or something
    similar.

    --
    Bob Dively | I used to be indecisive, but now I'm not sure...
    Bob Dively Guest

  11. #10

    Re: Web form security - REreplaceNoCase or is there something better?

    What I do is test for the existence of any "<" with plain old CFFind and if
    I see one, reject the submission with an appropriate note to the submitter.
    As far as html, that should fix it. If someone does insert a plain link --
    like [url]www.xyz.com[/url] -- without an anchor tag -- there's not much you can do, I
    think. But at least a visitor who sees it will have to cut-and-paste it into
    a browser.


    "Franklin Cross" <CrossBaby111@hotmail.com> wrote in message
    news:Bju7f.18009$1X1.7394@fe12.lga...
    >
    > "Bob Dively" <dive@panix.com> wrote in message
    > news:djlr6l$qq7$4@reader2.panix.com...
    >> In alt.comp.lang.coldfusion Franklin Cross <CrossBaby111@hotmail.com>
    >> wrote:
    >>
    >> [re: cfqueryparam]
    >>
    >> : This still does not explain how this feature can be used to filter out
    >> : script and SQL from a large textblob.
    >>
    >> Cfqueryparam doesn't filter out anything. It does prevent SQL
    >> injection attacks by preventing any SQL in a form field from
    >> being evaluated.
    >>
    >> --
    >> Bob Dively | I used to be indecisive, but now I'm not sure...
    >
    > What I meant by the pornographic img tags is how do I prevent them from
    > using any sort of html code, javascript, etc.
    >

    George Farnsworth Guest
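    The three approaches in this thread side by side, as an added Python model rather than CFML from the posts: Bob's two ReReplaceNoCase patterns from #9, George's reject-any-"<" rule from #10, and encoding on output (html.escape standing in for ColdFusion's HTMLEditFormat). The sample submissions are constructed, and DOTALL is an assumption about how "." should behave.

```python
import re
import html

# Constructed sample submissions for a bulletin-board textarea (not from the thread).
SAMPLES = {
    "plain":  "Great board, thanks!",
    "script": '<script language="JavaScript">script contents</script> hello',
    "mixed":  '<img src="x.gif"> see <b>this</b> and <i>that</i>',
    "math":   "a < b and c > d",
}

# Bob's two patterns as Python regexes. IGNORECASE stands in for the NoCase
# variant; DOTALL is an assumption so that "." also spans line breaks.
SCRIPT_RE = re.compile(r"<script.*>.*</script>", re.IGNORECASE | re.DOTALL)
IMG_RE = re.compile(r"<img.*>", re.IGNORECASE | re.DOTALL)


def strip_tags(text):
    """Model of ReReplaceNoCase(text, pattern, "", "ALL") with both patterns.
    Note the greedy ".*" in "<img.*>": it runs to the LAST ">" in the post, so
    everything after an image tag is removed along with it."""
    return IMG_RE.sub("", SCRIPT_RE.sub("", text))


def accept_submission(text):
    """Model of George's rule: any "<" at all rejects the whole submission."""
    return "<" not in text


def encode_for_display(text):
    """Model of HTMLEditFormat: keep the text intact and emit it as data, not markup,
    so the browser shows the characters instead of interpreting them."""
    return html.escape(text, quote=True)


def evaluate(samples=SAMPLES):
    """Run all three strategies over each sample so the trade-offs sit side by side."""
    return {
        name: {
            "stripped": strip_tags(text),
            "accepted": accept_submission(text),
            "encoded": encode_for_display(text),
        }
        for name, text in samples.items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(name)
        for strategy, value in result.items():
            print("   ", strategy, "->", repr(value))
```

    The "mixed" case shows the greedy img pattern swallowing the rest of the post, and "math" shows the "<" rule rejecting harmless text; encoding keeps every sample readable and inert, which is why stripping is best treated as a cleanup step rather than the security boundary.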

  12. #11

    Re: Web form security - REreplaceNoCase or is there something better?


    "George Farnsworth" <GeorgeF@GFonline.org> wrote in message
    news:9av7f.20258$hP6.12345@trnddc05...
    > What I do is test for the existence of any "<" with plain old CFFind and
    > if I see one, reject the submission with an appropriate note to the
    > submitter. As far as html, that should fix it. If someone does insert a
    > plain link -- like [url]www.xyz.com[/url] -- without an anchor tag -- there's not
    > much you can do, I think. But at least a visitor who sees it will have to
    > cut-and-paste it into a browser.
    >
    >
    huh? I never heard of CFFind. Is this new? It isn't listed in any of my
    books and a search for information about it yielded nothing.


    Franklin Cross Guest

  13. #12

    Re: Web form security - REreplaceNoCase or is there something better?


    "Bob Dively" <dive@panix.com> wrote in message
    news:djlt4j$7q8$1@reader2.panix.com...
    > In alt.comp.lang.coldfusion Franklin Cross <CrossBaby111@hotmail.com>
    > wrote:
    >
    > : But how can I prevent people from executing malicious scripts in a
    > textarea?
    > : Or for that matter, inserting pornographic image tags into it?
    >
    > You can use ReReplaceNoCase to remove tags that you don't want:
    >
    > <cfset test = '<script language="JavaScript">script contents</script>'>
    > <cfset test = ReReplaceNoCase(test, "<script.*>.*</script>", "", "ALL")>
    >
    > For IMG tags:
    >
    > ReReplaceNoCase(form_var, "<img.*>", "", "ALL")
    >
    > Those examples don't cover all cases. Regular expressions are
    > tricky, so test a lot.
    >
    > There are also several custom tags available:
    >
    > [url]http://www.cflib.org/udf.cfm?ID=774[/url]
    > [url]http://www.macromedia.com/cfusion/exchange/index.cfm?view=sn130#loc=en_us&view=sn106&viewName=Exchange%20Search%20Details&authorid=33572169&page=0&scrollPos=0&subcatid=0&snid=sn106&itemnumber=3&extid=1002316&catid=0[/url]
    >
    > Or you can google for "coldfusion strip html" or something
    > similar.
    >
    > --
    > Bob Dively | I used to be indecisive, but now I'm not sure...
    Ok thanks again Bob. I will go investigate these.


    Franklin Cross Guest

  14. #13

    Re: Web form security - REreplaceNoCase or is there something better?

    In alt.comp.lang.coldfusion Franklin Cross <CrossBaby111@hotmail.com> wrote:

    : "George Farnsworth" <GeorgeF@GFonline.org> wrote in message
    : news:9av7f.20258$hP6.12345@trnddc05...
    : > What I do is test for the existence of any "<" with plain old CFFind and

    : huh? I never heard of CFFind. Is this new? It isn't listed in any of my
    : books and a search for information about it yielded nothing.

    I'm sure that he meant "CF Find", as in ColdFusion's standard Find
    function.

    --
    Bob Dively | I used to be indecisive, but now I'm not sure...
    Bob Dively Guest

  15. #14

    Re: Web form security - REreplaceNoCase or is there something better?


    "Bob Dively" <dive@panix.com> wrote in message
    news:djm1ic$erl$1@reader2.panix.com...
    > In alt.comp.lang.coldfusion Franklin Cross <CrossBaby111@hotmail.com>
    > wrote:
    >
    > : "George Farnsworth" <GeorgeF@GFonline.org> wrote in message
    > : news:9av7f.20258$hP6.12345@trnddc05...
    > : > What I do is test for the existence of any "<" with plain old CFFind
    > and
    >
    > : huh? I never heard of CFFind. Is this new? It isn't listed in any of my
    > : books and a search for information about it yielded nothing.
    >
    > I'm sure that he meant "CF Find", as in ColdFusion's standard Find
    > function.
    >
    Ah, that clears it up. Yeah I avoided using Find() because of its
    restriction of only being able to specify a single string, so (the way my
    limited mind envisions it) I would run about a thousand cfif statements for
    each tag I didn't want. Although actually this might work for just alerting
    people they can't use a < in their submissions.


    Franklin Cross Guest

  16. #15

    Re: Web form security - REreplaceNoCase or is there something better?


    Try this:

    [url]http://tinyurl.com/bdqey[/url]
    Weary Guest

  17. #16

    Re: Web form security - REreplaceNoCase or is there something better?

    Franklin Cross wrote:
    > What is the best way to prevent users in a BB type scenario from posting
    > script or SQL into a textfield or textarea? Making changes to the
    > administrator is not an option.
    >
    > I figured there must be something better than REreplaceNoCase. However, if
    > REreplaceNoCase is the best option, does anyone have a readymade snippet of
    > code that will encompass the most malicious tags, SQL attacks, etc?
    >
    >
    Franklin, have reviewed your question, and definitely using CFQUERYPARAM
    is the best way to verify input to a particular database table record
    (eg use maxlength 16 and any longer would fail). Do not neglect client
    side validation but do not depend on it as it can be circumvented - the
    reason for CFQUERYPARAM.

    But am not satisfied so have asked further afield for advice and will
    come back.

    But you asked a bloody good question - one of the better ones of late -
    so this demands a good answer!

    BRB!

    Peter Tilbrook
    Manager, ACTCFUG.
    Peter Tilbrook Guest

  18. #17

    Web form security - suggestions - part 1

    Bob (Divvit) is right.

    SQL "injection" is the ability to execute database code through a
    standard HTML "FORM" or values cleverly appended to say a URL (or
    another diabolical method). There may even be much more devious methods.

    It is really nasty and potentially disastrous!

    The trick is to fool the application server - for this discussion the
    CFML engine - to execute the injected code.

    For example it used to be possible to "DROP" all tables from your
    database using SQL injection through CFML.

    How do you inject SQL?
    Peter Tilbrook Guest

  19. #18

    Re: Web form security - REreplaceNoCase or is there something better?

    Franklin Cross wrote:
    > What is the best way to prevent users in a BB type scenario from posting
    > script or SQL into a textfield or textarea? Making changes to the
    > administrator is not an option.
    >
    > I figured there must be something better than REreplaceNoCase. However, if
    > REreplaceNoCase is the best option, does anyone have a readymade snippet of
    > code that will encompass the most malicious tags, SQL attacks, etc?
    >
    >
    Franklin, this response from Tim Buntel of MM:

    Client side validation has been beefed up in CF 7, too. A regex on the
    client can help restrict content that gets posted before it even gets to
    the server. You could also consider using the scriptProtect attribute
    of the cfapplication tag. That provides an easy way to filter out
    certain tag names to help prevent cross site scripting attacks.

    I’m not aware of any readymade scripts, though…
    >>
    CFFORM has for a while supported the "scriptsrc" attribute. It was mainly
    for the poor shared hosting ppl. But think about it. Get your own
    scripts AOK'ed...

    So basically help Tim Buntel and the rest of the team make this a no
    brainer. We cannot do your work for you as it differs each project.

    Hold tight as MM are on the ball!

    PT, ACTCFUG
    Peter Tilbrook Guest

  20. #19

    Re: Web form security - REreplaceNoCase or is there something better?

    Franklin Cross wrote:
    > What is the best way to prevent users in a BB type scenario from posting
    > script or SQL into a textfield or textarea? Making changes to the
    > administrator is not an option.
    >
    > I figured there must be something better than REreplaceNoCase. However, if
    > REreplaceNoCase is the best option, does anyone have a readymade snippet of
    > code that will encompass the most malicious tags, SQL attacks, etc?
    >
    >
    Might cost a bit (US$100 per site) but ActiveEdit works well. Slow. But
    works!
    Peter Tilbrook Guest

  21. #20

    Re: Web form security - REreplaceNoCase or is there something better?

    > You could also consider using the scriptProtect attribute
    > of the cfapplication tag. That provides an easy way to filter out
    > certain tag names to help prevent cross site scripting attacks.
    >
    Pretty sure this is only with ColdFusion MX 7.01 (basically the cool
    updater).

    It is a free patch that will let you lock down both dev and production
    servers. In fact apply the latest patches for IIS (if you use IIS) or
    JRun4 Updater 6 if you use the JRun which craps on IIS at any rate. This
    will also fix many MySQL issues. Which by the way V5 has been released.
    How long can you hold your breath?

    Peter Tilbrook Guest
