Posted by Aaron West at 2:27 PM in ColdFusion

I received a few error e-mails early this morning from someone trying to hack my Web site. Oddly enough, they were attempting to do so through the RSS feed, by tacking extra content onto its dynamic query parameters. Anyone familiar with BlogCFC will know you can subscribe to category-specific feeds. This allows blog aggregators to send in a UUID for the category and retrieve only relevant posts. This morning someone attempted to overload the category query param in an effort to retrieve other information from my database. Ray Camden, being the good programmer and security proponent he is, stopped the attempt with judicious use of the CFQUERYPARAM tag. The tag saw the extra parameters tacked onto the category UUID and immediately threw an exception (which I received via e-mail).
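As an added illustration (not code from this post or from BlogCFC), here is a category feed lookup written first with the URL value pasted straight into the SQL, then bound with CFQUERYPARAM as the post describes. The datasource name, table and column names, and the `url.catid` parameter name are assumptions.

```cfml
<!--- Added example, not BlogCFC's own code; names below are assumed. --->

<!--- Vulnerable form: url.catid is interpolated into the SQL string, so
      anything appended to the UUID becomes part of the statement sent
      to the database. --->
<cfquery name="vulnerable" datasource="blog">
    SELECT id, title, body, posted
    FROM   tblblogentries
    WHERE  categoryid = '#url.catid#'
</cfquery>

<!--- Hardened form: cfqueryparam binds the value as typed data, never as
      SQL text. maxlength caps it at the 35 characters of a ColdFusion
      UUID, so an over-long value makes the tag throw before the query
      runs (the exception the post's error e-mails reported). --->
<cfquery name="hardened" datasource="blog">
    SELECT id, title, body, posted
    FROM   tblblogentries
    WHERE  categoryid = <cfqueryparam value="#url.catid#"
                                      cfsqltype="cf_sql_varchar"
                                      maxlength="35">
</cfquery>

<!--- Optional pre-check: reject a malformed category id with a 400 so the
      query (and the error e-mail) never happens at all. --->
<cfif NOT isValid("uuid", url.catid)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>
```

The pre-check belongs before both queries in a real page; it is shown last only to keep the vulnerable and hardened queries side by side.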

So, thanks to Ray for always pushing Web site security and for utilizing security mechanisms in the software he builds.

About this post:

This entry was posted by Aaron West on December 10, 2006 at 2:27 PM. It was filed in the following categories: ColdFusion. It has been viewed 2543 times and has 6 comments.

6 Responses to This Is Why You Use CFQUERYPARAM

  1. I get those too. Whenever I get around to it I'm going to add an additional check so that this error never even shows up. In other words, I'll cfabort or just redirect the request to /.

  2. So that's why I get so many emails sometimes.

  3. I could also just edit the error handler to not bother sending emails for that error. :)

  4. >I could also just edit the error handler to not bother sending emails for that error. :)

    Or, have a super cool section in the admin where users can manage preferences related to what e-mail the error manager sends and doesn't send. =)

  5. Better yet, have an uber cool feature that finds the hacker and bombards their machine into oblivion so they will leave my blog alone. ;o)

  6. If they are testing your server, I'd bet there's a human on the end of it rather than an intelligent bot trying the exploit.

    I'm not sure of the legality of it, but I've contemplated a `<cflocation url="...">` when there is an obvious hack attempt. Maybe throw in a few URL parameters, which though not caught in the standard HTML page, would surely end up in their logs and get the FBI's attention.