
You may be interested in seeing the hacker's attack weapon that was used on several sites on Thursday, July 18th, 2007. Note the drop-down menu that allows the attacker to select ASP pages or ColdFusion pages. I blurred out the URL because otherwise I'd be advertising the form to other potential hackers:
[Screenshot: SQL Injection Attack Tool]
 
SQL INJECTION PATCHES:
Copy and paste the code below to the very top of the following cfm pages in your site:
checkout.cfm
insertorder.cfm
shipping.cfm
 
<!--- Keyword blacklist: abort the request if OrderID contains any of the four
      SQL verbs. CONTAINS is case-insensitive, so SELECT and select both match.
      OrderID is assumed to be defined on every page this is pasted into. --->
<cfif OrderID CONTAINS 'select' OR OrderID CONTAINS 'delete' OR OrderID CONTAINS 'update' OR OrderID CONTAINS 'insert'>
<cfabort>
</cfif>
 
Copy and paste the code below to the very top of the following cfm pages in your site:
index.cfm
prodpage.cfm
proddetail.cfm
proddetail_pp.cfm
proddetail_ppcart.cfm
 
<!--- Same keyword blacklist for each URL id the product pages accept. IsDefined
      replaces the deprecated ParameterExists; each check only runs when that
      parameter was actually sent, so pages that omit it are not affected. --->
<cfif IsDefined("URL.CategoryID")>
<cfif URL.CategoryID CONTAINS 'select' OR URL.CategoryID CONTAINS 'delete' OR URL.CategoryID CONTAINS 'update' OR URL.CategoryID CONTAINS 'insert'>
<cfabort>
</cfif>
</cfif>

<cfif IsDefined("URL.SubCatID")>
<cfif URL.SubCatID CONTAINS 'select' OR URL.SubCatID CONTAINS 'delete' OR URL.SubCatID CONTAINS 'update' OR URL.SubCatID CONTAINS 'insert'>
<cfabort>
</cfif>
</cfif>

<cfif IsDefined("URL.ItemID")>
<cfif URL.ItemID CONTAINS 'select' OR URL.ItemID CONTAINS 'delete' OR URL.ItemID CONTAINS 'update' OR URL.ItemID CONTAINS 'insert'>
<cfabort>
</cfif>
</cfif>
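The four-keyword check above is a stop-gap blacklist: it rejects a value only if that value literally contains select, delete, update or insert. A numeric id sent as 1 OR 1=1, a UNION, EXEC, DROP or TRUNCATE statement, or a payload hex-encoded inside CAST(0x... AS NVARCHAR) and run with EXEC(@S) contains none of those words and passes the patch untouched. The durable fix is to validate each id as a positive integer (a whitelist) and to bind it into the query with cfqueryparam, so the database never parses the request value as SQL. The block below is an added example written for this page, not QuickEStore's own code: the table Products, its columns, and the datasource Application.DSN are assumed names, and URL.ItemID is the parameter the patch above already checks.

```cfml
<!--- Added example for this page, not QuickEStore's code. Assumed names:
      table Products (ItemID int, ItemName, Price) and datasource Application.DSN. --->

<!--- 1. Validate by whitelist: an ItemID is a positive integer, nothing else.
      This rejects "1 OR 1=1", "1;EXEC(...)" and every other non-numeric value,
      regardless of which SQL keywords it does or does not contain. --->
<cfif NOT IsDefined("URL.ItemID")
      OR NOT IsValid("integer", URL.ItemID)
      OR Val(URL.ItemID) LTE 0>
    <cfabort showerror="Invalid ItemID">
</cfif>

<!--- 2. The vulnerable pattern, kept only as a comment for contrast: the request
      value is spliced into the SQL text, so whatever the client sends is parsed
      by the database as part of the statement.

      <cfquery name="getItem" datasource="#Application.DSN#">
          SELECT ItemID, ItemName, Price
          FROM   Products
          WHERE  ItemID = #URL.ItemID#
      </cfquery>
--->

<!--- 3. Hardened form: the value travels to the database as a typed bind
      parameter, separate from the SQL text. cfqueryparam with cf_sql_integer
      also throws on a non-integer value, a second line of defence behind
      the check in step 1. --->
<cfquery name="getItem" datasource="#Application.DSN#">
    SELECT ItemID, ItemName, Price
    FROM   Products
    WHERE  ItemID = <cfqueryparam value="#URL.ItemID#" cfsqltype="cf_sql_integer">
</cfquery>

<cfoutput query="getItem">
    #ItemName#: #DollarFormat(Price)#<br>
</cfoutput>
```

Apply the same pattern to CategoryID, SubCatID and OrderID: the whitelist check goes at the top of the page, and every cfquery that uses the value binds it with cfqueryparam instead of interpolating it. Once that is done the keyword blacklist is no longer load-bearing and can be removed.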

The following email was sent out on 19-July-2007:

I'm sorry to report that I became aware yesterday of a vulnerability in QuickEStore's code that can allow a hacker to extract sensitive customer information, including credit card information, from the QuickEStore database. The hack is known as a SQL injection attack, and it was perpetrated on the QuickEStore website yesterday. It's impossible to gauge the likelihood that your personal information was compromised, but that possibility exists. I wanted to make you aware as soon as possible, so that you can take appropriate measures. I regret this event and apologize for the inconvenience I know it causes.

If you are a merchant using QuickEStore, there is a patch for this vulnerability that should be applied immediately. It is available at http://www.quickestore.com/sqlinjection.cfm. Merchants hosting with me have already been patched. If you need any assistance applying the patch, simply contact support@quickestore.com.

There is a huge population of hackers and thieves who spend their time looking for and exploiting these vulnerabilities, and it will only get worse. That's why earlier this year, when PayPal called and offered their internal development team to help me integrate PayPal's new checkout options, I embraced the offer and released QuickEStore version 8.4. With PayPal Express Checkout, your customers don't have to reveal their credit card information at all, since PayPal already has it. For the same reason, your customers don't even have to type their name and address at your site. I believe that your customers will appreciate this feature for the convenience and security that it offers, and it will drive more sales for you. I want to remind all merchants who have purchased a QuickEStore in the last year, or are currently on a support plan, that you can get the latest version at no cost. This version is fully patched against the SQL injection attack. To implement the PayPal checkout options, you will need a premier or business PayPal account.

Again, I want to apologize for this event, and the inconvenience it imposes on you. This violation causes me a lot of personal pain and anguish, mostly because of the negative impact I know it has on you, my customers. It's my worst nightmare come true.

If you have any questions, feel free to email me at jhoarty@quickestore.com

Thank you
John Hoarty