Penetration Testing mailing list archives
Re: Cold Fusion and Sql Injection
From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Mon, 23 Jun 2003 11:11:56 +0200
morning_wood wrote:
mby some help at http://nothackers.org/pipermail/0day/2003-June/000091.html
I fail to see how your pointer (to an exploitation of a XSS vulnerability in Coldfusion using iframes?) relates to the original question (SQL injection + Cold Fusion).
Answering George, I would suggest that this is _not_ an error of Cold Fusion input validation but of a stored procedure being used in the SQL server. Probably, the cold fusion engine just calls an procedure in the SQL server with the input as parameters and the code in there is the one trying to do the conversion.
Notice that you are only seeing ODBC-SQL server errors, no errors code from Cold Fusion there so it looks like Cold Fusion is passing things blindly.
Regards Javi --------------------------------------------------------------------------- Latest attack techniques.You're a pen tester, but is google.com still your R&D team? Now you can get trustworthy commercial-grade exploits and the latest techniques from a world-class research group.
Visit us at: www.coresecurity.com/promos/sf_ept1 or call 617-399-6980
----------------------------------------------------------------------------
Current thread:
- Cold Fusion and Sql Injection George Fekkas (Jun 20)
- Re: Cold Fusion and Sql Injection morning_wood (Jun 20)
- Re: Cold Fusion and Sql Injection Javier Fernandez-Sanguino (Jun 23)
- Re: Cold Fusion and Sql Injection Cesar (Jun 23)
- Re: Cold Fusion and Sql Injection morning_wood (Jun 20)