I've been debating posting this for the past few days. But, as it does not really disclose anything more than has been publicly discussed as of late (on this blog and elsewhere), and as it actually makes useful suggestions pertaining to securing ColdFusion (specifically from SQL injection attacks), here goes ...
Last week 0x000000 # The Hacker Webzine posted an entry entitled Attacking ColdFusion. The post primarily describes SQL injection attacks, and explains the danger inherent in not using <CFQUERYPARAM>, and also shows the right way to use the tag. It also notes:
The cfqueryparam is generally secure because it utilizes a prepared statement, that is always binded as a string, which in term is nearly not exploitable. But, many ColdFusion applications do not use the cfqueryparam mainly because developers do not know about this, and also because this feature came only in to being, with later versions of ColdFusion.
I strongly recommend that you read this post, if for no other reason then to reinforce the reality that this risk is publicly known and being exploited, and to remind yourself (and your managers, coworkers, clients, etc.) that you must address this potential vulnerability immediately!
The 0x000000 post was also referred to yesterday by ScanSafe STAT Blog in an entry which notes that monitoring in recent days indicates that ColdFusion is now the target of an attack that had been previously targeting SQL Server powered ASP sites.
