Last night my wife and I attended an early evening bash thrown by the local chamber of commerce. These shindigs are usually pretty good with door prizes and drinks and fancy-pants hors d'oeuvres. I was milling about feeling uncomfortable as I often do in a "non-technology" crowd. I'm a talker by nature but in these crowds the conversation usually goes something like this:
Anyway, yesterday I was sort of not in a mood to mingle. Ann and I were in a line for some little mini roast beef sandwiches (thank you Brandeis catering) and we were chatting to ourselves waiting for the door prize drawings. A man who was working the room came up to me and said, "How are you this evening?" I turned and said fine and shook his hand and said "I'm Mark Kruger". He shook my hand with a practiced grip and said, "Nice to meet you I'm Jim Suttle". I nodded and made a comment about the food and then turned away.
Something was tickling the back of my mind... nagging at me like bad mayonnaise in the back of the fridge. Finally I got it (Ann's poking me helped a little too). Jim Suttle is Omaha's new mayor. I turned back and said "I'm sorry, I guess I didn't put two and two together. It's really nice to meet you, Mr. Mayor." He laughed and I laughed and Ann laughed and the waiter (a charming fellow with half an ounce of gold in his mouth) laughed. I could think of little else to say other than "You are shorter in person than on TV" - which I thankfully kept to myself. Anyway, it was an awkward moment for me and funny for everyone else. Sometimes I wonder about the Muse... I have no lack of confidence yet I seem so inattentive at times. I wish I had brought my good friend Tom Long with me. He's got a sales radar like an Aegis cruiser. I bet he could have held the mayor's attention for 5 minutes or more. Anyway, now that the mayor and I are on speaking terms I'll have to invite him to one of my candlelight suppers.
Muse Reader Brian Asks:
Do you know of any way to SQL inject the following if the backend is MSSQL Server?
Occasionally someone asks me this question about CFQUERYPARAM. "Must I use it here or there? In a boat? With a goat?" Yes Sam-I-Am you should make it a habit to use it everywhere. It should be a common part of your best practice guidelines. There are even reasons to use it that go beyond security. Do a quick search for CFQUERYPARAM on this blog and you will find all sorts of information about why to use it and the very rare exceptions (FYI in case you missed the tone here, there is rarely a good reason not to use it).
As for your specific question, I can think of no way to inject the query above. If you moved the query to a MySQL server you might run afoul of the alternate way of escaping single quotes, but on an MSSQL server the query above is safe as far as I know. Just remember, right now some clever hacker in Elbonia is experimenting with ancient character sets, time travel, and a dead cat which he swings over his head while chanting "...one ring to rule them all..." - all in an effort to try and crack into a query like the one above. So I reiterate, there is no way as far as I know. It's what I don't know that keeps me up at night. You really should just use the tag as a matter of course and stop looking for places to not use it. Let me illustrate with a little story my Dad used to tell me.
If you read my post on the script injection attack that has been going around you will note that I suggest four solutions or remedies to protect your server (upload off the web root, use cfcontent, disable script and execute permissions on certain directories, and remove superfluous handlers). A fifth solution was pointed out to me that is somewhat related to uploading off of the web root.
The idea would be to create a subdomain just for user resources. So, for example, you could have "www.ilovemoles.com" and "pics.ilovemoles.com". User uploads would go to the share for the "pics" subdomain and be served from there. You would still vet the content to make sure it was ok, but the "pics" domain would not allow ColdFusion (or PHP or ASP or any scripts or executables at all). I can see some issues that you might run into - chiefly that you are not really "securing" the content from unauthorized access. I believe that still makes it suitable for public resources, but not able to be fully integrated into an application without a lot of run around. Still, it seems an elegant solution.
Many of you may know there is a web server attack going on in the wild that involves appending a JS script to all the htm, php, cfm, js, jsp files found on a server. If you are unfamiliar with this attack see some of my previous posts like this one for more of an explanation. While I have found the script that actually does this dirty deed and I have combated this issue on numerous servers by now, I have never really been confident that I have discovered where the attack actually begins (i.e. how this file gets on the server to begin with). Yesterday I was made aware of a technique that might be the smoking gun. It has been tested by some folks I trust and I want to give a full explanation here to assist all those Muse readers who battle the bad guys at the server level.
If you are a technician or network operations professional who is trying to scan your way out of this attack, I'm afraid you are probably out of luck (but keep reading anyway). This attack specifically targets application code - not just CF but ASP, JSP, PHP and any others. All of them can be subject to this problem because it has to do with insecure coding, not specific platform vulnerabilities. I would add that if you find your code vulnerable don't feel too bad. This exploit is clever enough to get by code that seems secure as we shall see. If you are a web developer of any stripe you should definitely read this post. The examples are in ColdFusion, but you will be able to extrapolate for your own language or technology pretty easily.
I like to say Omaha is a great place to live but you wouldn't want to visit there. Unless you are a College World Series fan or a Berkshire Hathaway shareholder there is little reason to choose Omaha as a destination for a vacation (or... let's be honest... even a weekend). Someday it might be known as the home of the Muse but for now it remains a hidden gem on the prairie. Folks around here are mighty friendly (if I could channel Buddy Ebsen for a moment). In contrast, folks in truly recognizable "big" cities (NY, LA, Chicago et al) have a reputation for... well, let's just say impatience. I go most days in Omaha without ever hearing a horn honk, but it's hard to go a few minutes without hearing a horn in NY or Boston. I used to think this impatient, slightly rude state of mind was simply cultural, but my recent trip to the big city changed my mind.
I stumbled across this typewritten letter on the documents page of famed computer scientist Edsger W. Dijkstra. The letter, written in 1965, is a basic request for a quote for a "general purpose digital computer" for the Technological University at Eindhoven (in the Netherlands). What is notable are the specifications and price:
In 1965, what is the expected price of a machine as quoted above with less power than the music player in those annoying musical Hallmark cards? Dr. Dijkstra indicates to his prospective vendors:
"A million dollars is the upper limit. One or two years after the delivery we might be able to spend a quarter of a million to extend the installation if desired"
Isn't it amazing how far we have come? Here's a shout out to Dijkstra and all the other largely unheralded pioneers who slogged in the trenches so we can have iPhones, Macs, Netbooks and PCs today. Thanks guys! (We'll talk to you later about those musical cards - talk about the law of unexpected consequences...).
Here's an interesting problem we had to solve recently. A customer came to us with a suite of ecommerce sites on a single server. The sites were structured with a core set of code that supported all the sites and then individual templates that handled the layout and design. This is actually pretty common. The folder structure allowed for site specific stuff to go in the site folder while all the common stuff (everything but specific images and layout stuff) went into the core folder.
The application file specific to each site set up the variables needed for that site, then all of the heavy lifting code was called from the "core" folder using includes, custom tags or CFCs. The idea here is to be able to affect the application code of all 50 sites on the server with a single deployment. This is an idea I endorse although there are other ways of doing it. For the scope of this suite of sites it seemed an acceptable solution.
The problem came when we wanted to run code directly from outside the application (meaning the core) without first running it through the application.
As we have discussed in our earlier posts on the Business of Web Development, inexperienced customers (ones who have never done an IT project) are often surprised at the cost associated with a project. This is partially the result of the reputation that the web has for being cheap. Customers look at services like godaddy.com, for example, and they see that they can register and host a site for the cost of skipping a couple of frappuccinos a month. While this is true, it is really not the same as professional design and development services and high performing, scalable, redundant, mission critical hosting services.
In fact, if I could digress to hosting for a moment, customers often fail to see the cost benefit of a more complete "managed" hosting setup. They spend thousands on development and then try to save a few hundred dollars a year on hosting. Having settled on hosting "on the cheap" they often have to pay someone a high hourly rate to do things like troubleshoot an underperforming server or handle DNS settings or figure out their mail services for them, or (worst of all) alter their code to conform to a changing server environment - like when a host recently disabled createobject() on a server, causing an application to fail for someone who is now our customer. Any savings they might have gained are eaten up in support costs and they are actually losing money on the deal. In the words of Jesus they "strain out a gnat and swallow a camel" (email me if you don't know exactly what that means - I'll enlighten you).
Of course, when it comes to development costs there are other things that mystify customers. As we have discussed before, customers often only account for the visual "up-front" items of a web application. They see forms, lists, charts and displays when the reality is that the bulk of the work on many complicated projects goes into coding, revisions, QA and project management. Here are a few fallacies that range from the hare-brained to flights of fancy: