Jared Rypka-Hauer, Lead ColdFusion Developer, Minneapolis, MN

Proud Parents of SQLSurveyor and PayPalMX
July 24, 2008
Well, Comcast Dude was just here... and the cable modem is back where it started, at my desk. Apparently (according to him anyway) the fact that it was down when I started and worked on the other side of the house was pure freak coincidence. They were, apparently, working on the line in the neighborhood and have a bypass for the TV side of things but not for the internet/phone frequencies.

I'm not convinced, but it's up and working again, and I know how to check the cable modem for signal strength. And, if it goes down again, I know where to take the modem to test my theory that it really is the signal strength from this side of the house. I will say, though, that the guy didn't seem like an idiot and he didn't seem like a fibber, so I have confidence that he wasn't BSing me.

In the end, everything is working in spite of Comcrap's inability to provide decent customer support... a 36-hour wait for a tech? FEH! ;)

Laterz!


This whole 0x000000 thing really has me thinking, and I'd like to postulate a few more things you can do to offset the likelihood of SQL injection becoming a serious pain in your day. While I think that cfqueryparam is a very significant tool to defeat this attack, there are several other things you can do to alleviate the problem.

I'd like to propose some of them for conversation:

  1. Never run ColdFusion, the webserver and your DB under the system account... always create separate accounts for each and restrict them to groups, roles and permissions appropriate for the activities they will undertake.
  2. If you have access to do so, create a SQL Server user specifically for your ColdFusion DSN and restrict it to only the activities required for the application.
  3. Failing that, use the settings in the CF admin (or ask your hosting provider) to revoke privileges for things like CREATE and GRANT.
  4. Whenever possible, in a production environment, run your database server and your web/application server on separate hardware.
  5. Always shut off robust exception information on production boxes... as the article says: it screams PLEASE HACK ME to someone with even a little skill.

While I'm sure this is by no means a comprehensive list, and I'm sure that most folks already know and do these things, it's just some "Cliff's Notes" that come to mind. While none of these things will prevent SQL injection, they can help minimize the impact of an attack should one sneak through. The only way to really prevent SQL injection is to cfqueryparam your code religiously and validate the inputs from your form fields.
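To make the last sentence concrete, here is an added example (written for this page, not code from the original post or from Adobe) showing the interpolated-string query pattern next to its cfqueryparam replacement, with input validation done before the query runs. The datasource name myDSN, the users table and its columns, and the url.id and form.username fields are all assumed for illustration. Quote doubling inside '#var#' covers the ' character but not MySQL's backslash escape, which is exactly why the bind-variable form is the one to use.

```cfml
<!--- Added example for this page; datasource, table, columns and field
      names are assumed. --->

<!--- PATTERN TO AVOID: ColdFusion doubles single quotes inside '#...#',
      which covers ' but not MySQL's backslash escape (\'). A value such as
      \' OR 1=1 can therefore still terminate the string early. --->
<cfquery name="getUserUnsafe" datasource="myDSN">
    SELECT id, username
    FROM users
    WHERE username = '#form.username#'
</cfquery>

<!--- Step 1: validate the shape of each input before it reaches the DB.
      isValid() and reFind() are standard CFML functions. --->
<cfif NOT isValid("integer", url.id)>
    <cfthrow message="Invalid id">
</cfif>
<cfif NOT reFind("^[A-Za-z0-9_]{1,32}$", form.username)>
    <cfthrow message="Invalid username">
</cfif>

<!--- Step 2: bind the values with cfqueryparam. The driver sends them
      separately from the SQL text, so neither a quote nor a backslash in
      the value can be parsed as SQL. cfsqltype enforces the data type and
      maxlength caps the string length. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username
    FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
      AND username = <cfqueryparam value="#form.username#"
                                   cfsqltype="cf_sql_varchar"
                                   maxlength="32">
</cfquery>
```

The validation step is not a substitute for the bind variable; it simply rejects garbage early and gives a clean error. The cfqueryparam tags are what actually keep user input out of the SQL parser, whichever database sits behind the DSN.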

On another note, I'm curious about the MySQL comments made in the 0x000000 article... I wanna know if MySQL really is not protected because of the way cfqueryparam works. If that's the case, then Adobe needs to get on a fix ASAP because... well... think about it.

[NOTE: MySQL is protected by using cfqueryparam. The article refers to the fact that ColdFusion will automatically protect any text datatypes (like varchar) that are used within a cfquery tag in the format '#varName#' by escaping single quotes for you. The problem is that MySQL can also escape single quotes using a backslash character (\), but ColdFusion doesn't handle this automatically, giving hackers a way to embed a single quote that's actually successful at injecting SQL. Using bind variables (à la cfqueryparam) avoids this entirely, tho', and prevents SQL injection altogether.]

That's BAD!!

Laterz...

July 23, 2008
This isn't exactly ColdFusion-related, nor Flex, nor AIR, nor anything else... but it's geeky and cool:

The European Space Agency's Mars Express probe has sent back photographs of a very VERY large system of canyons and valleys called Echus Chasma that reminds me of the Grand Canyon area in the US. Apparently it's one of the "largest water source regions on the Red Planet."

Mars Express looks cool, too! Check it out here. It was named Mars Express because it was built very quickly, and one of its primary mission objectives is to image the entire surface of Mars at 10 meters per pixel resolution and some areas at 2 meters per pixel. That means that a 100 pixel line will cover 1 kilometer, so an area approximately 150x150 pixels will cover 1 square mile. Contrast this with Google Maps, which has an average resolution of 15 meters per pixel, and you get an idea of how excellent this aerial mapping of Mars will be!

Someday, maybe, I'll be able to see my car, parked in my driveway, somewhere on the Red Planet! ;)

Laterz!


Today was an interesting day for me. "Why?", you ask? Well, I'm glad you asked... let me tell you:

It was an interesting day because from about 10:30AM till about 3:00PM, I was without internet access. It was truly horrible... compounded by the fact that I kept coming up with ways to rectify the situation only to realize that I needed more information and couldn't get it because, well, I had no internet access. My one cell phone that works reliably as a modem was dead and I couldn't find the charger... the other phone I use simply refused to perform as a modem.



This just in from 0x000000 # The Hacker Webzine via Ben Forta's blog: an article titled Attacking ColdFusion, which is exactly what it's about.

I find this to be very significant on several points:

  • Even according to the hackers, diligent use of cfqueryparam makes SQL injection largely impossible
  • The only real hacking info is about SQL Injection, most critically on IIS (because apparently with IIS you can use SQL injection to launch the CMD shell!)
  • The other thing that's noted is some of the CFIDE stuff, like the component explorer
  • They do mention that raw error messages expose a great deal of information that can be used to attack your application.
  • Simply the fact that they noticed CF is pretty big news, IMO... it's like a Mac hack: so far it just hasn't been mainstream enough to bother. In a way, we've arrived.

So what did we learn from their article? A few more bullets are in order:

  • Use CFQUERYPARAM religiously or be sorry.
  • IIS has some inherent (and scary) vulnerabilities via SQL injection, so it's not just your DB at risk.
  • Never, ever, EVER leave the ColdFusion Administrator or component explorer available on a production server
  • ColdFusion, because of its J2EE roots and its design, is a stable, secure platform without a great number of significant vulnerabilities... and the ones that are there are mostly the fault of the application developer misusing the platform, not ColdFusion itself
  • Due to the massive spate of SQL injection attacks on ColdFusion applications in the last 2 weeks, people are paying attention to us...

Well folks, this is good news and bad news. The bad news is that we're no longer invisible, so we're going to have to be better at our jobs and follow best practices diligently. The good news, though, is that we're actually gaining ground in terms of market share and attention. When hackers start paying attention, the rest of the world tends to take notice as well!

Or at least that's how I see it...

Laterz!




Aura skin for Raymond Camden's BlogCFC provided by Joe Rinehart.