
Assuming ColdFusion 10,0,13,287689 and Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production.

With this example...

<cfquery name="q" datasource="ds">
    update someTable set
    #form.col#label = <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.x#">
    where id = <cfqueryparam cfsqltype="cf_sql_decimal" value="#form.id#">
</cfquery>

Also assuming there is no data validation checking on #form.col#, how could this be exploited? Obviously they could cause the query to fail with an invalid column, but I don't see any way something more malicious (another UPDATE, SELECT, or DELETE) could be run by the user since multiple statements cannot be run in a single <cfquery>. So something like this does not work...

#form.col#:

id = 1; delete from users; --comment everything else out...

I'm aware that with SELECTs it's easier to exploit using unions to get data you're not authorized to see, but I'm curious about this specific update statement.

So is it possible in this example for an end user to run additional SELECTs, UPDATEs, or DELETEs?

Thanks for the answers so far but so we are clear, I'm not asking for how to protect the code or for best practices. I just want to know how to exploit that code if it were present for demonstrative purposes. I have been unsuccessful at exploiting it with Oracle.


closed as off-topic by Mat's Mug, Marc-Andre, konijn, Juliano, JvR May 16 at 19:40

  • This question does not appear to be a code review request within the scope defined in the help center.

I find the wording of the question a bit strange. Are you looking for a security review of your code? –  Marc-Andre May 16 at 16:35
Yes, I can't exploit it. Wondering if anyone else can. –  gfrobenius May 16 at 16:44
1  
Well have you read what's on-topic here? The edited part is precisely what we are about (how to protect the code, best practices etc.). –  Marc-Andre May 16 at 17:38
Another user told me to move it from Stack Overflow to this forum. I don't know of a better Stack Exchange forum for this question. Which one should I move it to? –  gfrobenius May 16 at 17:49
4  
This question appears to be off-topic because it is not asking for code to be reviewed. –  Mat's Mug May 16 at 18:02

1 Answer

He's asking if form.col can be given some value that would attack his database.

  1. Multiple statements can definitely be run in a single CFQUERY tag.
  2. You should ALWAYS scrub form data, no matter where you're using it.
  3. You should wrap this in a TRANSACTION, just as a matter of practice. But in this case, when multiple commands are run, if something crashes, the transaction will be rolled back. If you don't use a transaction and multiple queries are run, then the valid queries will still have affected your DB.

This, perhaps, could delete your user table if the DB user has permission to DROP a table.

<cfset form.col = "foolabel = '1' WHERE id = 1;DROP dbo.USERS;Update sometable set foo" />
1. How with Oracle? 2. I know, this is for an example to show someone else how it could be exploited if not properly protected. 3. Yes I know, thanks, I'm just wondering how to exploit code like in the example if it were present. I tried your example; with Oracle you get ORA-00911: invalid character because the syntax comes through as: update someTable set unid = 1;DROP table someTable;label = (param 1) where id = (param 2) –  gfrobenius May 16 at 17:11
If I add an Oracle sql comment -- to the end so the rest is ignored I get Invalid parameter binding(s). for this text: update someTable set id = 1;DROP table someTable; --label = (param 1) where id = (param 2) –  gfrobenius May 16 at 17:12
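An added example (not from the question or the answer) of the scrubbing the answer's second point calls for: cfqueryparam binds values only, not identifiers, so the column prefix must be mapped from the user's input to a constant rather than interpolated. The form field names, the map keys and the column names below are assumed.

```cfml
<!--- Added example, not from the original post: map the user's choice to a fixed
      column name instead of placing form.col in the SQL text. Keys and column
      names are assumed placeholders for the real set of editable columns. --->
<cfset columnMap = {
    "title"   = "title",
    "summary" = "summary",
    "notes"   = "notes"
}>

<cfif NOT structKeyExists(columnMap, form.col)>
    <!--- Unknown column: reject the request so Oracle never sees the raw input --->
    <cfthrow type="InvalidColumn" message="Unsupported column selection">
</cfif>

<!--- Only the constant taken from columnMap ever reaches the SQL string --->
<cfset safeCol = columnMap[form.col]>

<!--- Transaction per the answer's third point: a failure rolls back any partial work --->
<cftransaction>
    <cfquery name="q" datasource="ds">
        update someTable set
        #safeCol#label = <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.x#">
        where id = <cfqueryparam cfsqltype="cf_sql_decimal" value="#form.id#">
    </cfquery>
</cftransaction>
```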
