Orange is my favorite color

As I mentioned in my last post, there has been a fast-moving SQL Injection script targeting many ColdFusion sites around the web lately that relies on SQL queries unprotected by CFQUERYPARAM. The script kids finally got around to probing one of my sites and while my application is protected, the requests are generating lots of error emails because they create broken Model-Glue event names which our system reports on.

As these suckers were exploring the machine, I saw about 3x the normal number of active sessions on the ColdFusion server and about 2x the number of active threads running. Luckily, RAM usage stayed sane because we have a system to expire bot-generated sessions rapidly, so the server remained stable. These attacks are not just a potential security problem but also a waste of server resources. This Apache mod_rewrite snippet returns a 403 “Forbidden” response to these requests, stopping them before they ever reach ColdFusion and reducing your load (assuming you have mod_rewrite loaded):

# to stop annoying messages from CAST sql injection
RewriteEngine On
RewriteCond %{QUERY_STRING} ^.*(cast|declare).* [NC]
RewriteRule . - [F]

This looks for a case-insensitive match for CAST or DECLARE in the query string and, if found, returns a 403 error immediately. Nothing fancy.
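To see what that rule actually catches and misses, here is a small Python script (added here as an example; it is not part of the original post) that applies the same case-insensitive `(cast|declare)` match to the query string of each request in a handful of constructed Apache access-log lines and reports which ones would have received the 403. The log lines, IP addresses and query strings are made up for the demonstration.

```python
import re
from urllib.parse import urlsplit

# The same pattern as the RewriteCond above; [NC] becomes re.IGNORECASE.
BLOCK_PATTERN = re.compile(r"(cast|declare)", re.IGNORECASE)

# Extracts the request line from an Apache combined-format access log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic). Two carry the CAST/DECLARE
# shape the rule targets, one is a legitimate request that happens to contain
# "cast" inside the word "podcast", and two are ordinary requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2008:12:00:01 -0500] "GET /index.cfm?event=page.home HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [10/Aug/2008:12:00:02 -0500] "GET /index.cfm?event=page.home&id=1;DECLARE%20@s%20varchar(4000) HTTP/1.1" 500 812 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [10/Aug/2008:12:00:03 -0500] "GET /index.cfm?id=1;select%20cast(1%20as%20int) HTTP/1.1" 500 812 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Aug/2008:12:00:04 -0500] "GET /index.cfm?event=media.list&type=podcast HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Aug/2008:12:00:05 -0500] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def would_block(query_string: str) -> bool:
    """True if the RewriteCond would match this raw query string (request gets a 403)."""
    return BLOCK_PATTERN.search(query_string) is not None


def query_string_of(log_line: str) -> str:
    """Return the raw query string of the request in a combined-format log line ('' if none)."""
    match = REQUEST_LINE.search(log_line)
    if not match:
        return ""
    return urlsplit(match.group("target")).query


def classify(log_lines):
    """Split request targets into those the rule would block and those it would let through."""
    blocked, allowed = [], []
    for line in log_lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue  # malformed line; nothing to evaluate
        target = match.group("target")
        bucket = blocked if would_block(urlsplit(target).query) else allowed
        bucket.append(target)
    return blocked, allowed


if __name__ == "__main__":
    blocked, allowed = classify(SAMPLE_LOG)
    print("Would be blocked (403):")
    for target in blocked:
        print("  ", target)
    print("Would pass through to ColdFusion:")
    for target in allowed:
        print("  ", target)
```

Running it shows the two injection-shaped requests blocked, but also the `type=podcast` request, because the pattern is a plain substring match: any legitimate parameter value containing “cast” or “declare” (podcast, broadcast, forecast) gets the same 403. Worth checking your own access logs for such values before enabling the rule, and note that it inspects only the query string, not POST bodies.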

This is a stopgap example for a single attack from a single script, so you obviously can’t scale this approach to stop all attacks from all scripts. One answer for Apache is to install the more robust mod_security web application firewall and use its rule set, or the more extensive one from gotroot.com (which may require more tuning).
