I spent yesterday cleaning and inoculating another server infected with SQL Injection. Unless you have been living in a cave you know that SQL injection (SQLi) is the most common vulnerability of web based application. This is due to 2 factors - 1) almost all databases use numeric fields and B) web applications by nature pass user input into queries. Of course I could throw in there that web developers are often lax about inoculating their code. There is also the problem of legacy code - code that has been around since the dark ages of the late 90's. Of course SQLi has been around that long as well, but it is surprising how much legacy code chugs along for a decade or more with no problem in spite of the vulnerability.

Anyway, here's the skinny on the latest attack I found. It uses our old friend "Cast" in conjunction with the char() function of MS SQL. Note, this is not a new attack on the web - it's only new to me in that I've never battled this particular attack before.

[More]

In this post I'm going to claim that part of the official documentation is wrong. Whenever I do this sort of thing I always think of the movie "The Princess Bride" when Enigo says "You kep using that word... I do na think it means what you think it means". Be that as it may, I think the docs in this case are ambiguous at best and at worse downright misleading. There's an obscure little tag called cfobjectcache that's available in ColdFusion server. Although it was a part of ColdFusion 5, I first became aware of this tag in Cf 8. You can find Adobe's documentation for the tag here. If you read the documentation (always a good idea - the muse is great but he doesn't write about everything) you may get the wrong idea about this tag. At the top of the documentation it says (and I quote), "Description: Flushes query cache". Well that's straightforward enough isn't it? This tag is designed to flush the cache of queries on the server. It's easy to use:

...poof - your query cache is back to square one. Well not so fast my friend...

[More]

Client Variables and the Registry

Ask any experienced ColdFusion troubleshooter and he will tell you the same thing, "Don't store client variables in the registry." In fact, when examining a sick server one this is one of the first items I look at. If the customer says "It seems like the server stops about every hour" it's a safe bet that the default storage is set to Registry and the default purge interval has been left alone at 1 hour and 7 minutes (which is kind of an odd interval - probably some Adobe employee's anniversary in binary).

In many cases this is a "hidden" problem waiting to burst onto the scenes and bite some poor site owner in his nether regions. The owner launches his or her site and begins to gather traffic with the default settings for client variables. By default ColdFusion stores 90 days worth of client variables in the Registry - so the site can actually perform well for a few months. But then, out of no where, the server starts to drag and even stop every hour or so. Under the hood the purge operation is starting to find client vars that are 90 days old or more and it is taking quite a long time to delete them. The OS sees the registry keys being deleted and (sometimes) attempts to shrink the registry size. This affects a sort of "locking" on the registry where new keys are not being written - meaning requests are queuing and the server is slowing to a crawl. Now you might think that fixing this is as easy as switching from the registry to a datasource or cookie storage as the default, but there are some nuances to this fix that bear mentioning.

[More]

Occasionally someone asks me this question about CFQUERYPARAM. "Must I use it here or there? In a boat? With a goat?" Yes Sam-I-Am you should make it a habit to use it everywhere. It should be a common part of your best practice guidelines. There are even reasons to use it that go beyond security. Do a quick search for CFQUERYPARAM on this blog and you will find all sorts of information about why to use it and the very rare exceptions (FYI in case you missed the tone here, there is rarely a good reason not to use it).

As for your specific question, I can think of no way to inject the query above. If you moved the query to a MySQL server you might run afoul of the alternate way of escaping single quotes, but on an MSSQL server the query above is safe as far as I know. Just remember, right now some clever hacker in Elbonia is experimenting with ancient character sets, time travel, and a dead cat which he swings over his head while chanting "...one ring to rule them all..." - all in an effort to try and crack into a query like the one above. So I reiterate, there is no way as far as I know. It's what I don't know that keeps me up at night. You really should just use the tag as a matter of course and stop looking for places to not use it. Let me illustrate with a little story my Dad used to tell me.

[More]

Here's an interesting problem we had to solve recently. A customer came to us with a suite of ecommerce sites on a single server. The sites were set structurally with a core set of code that supported all the sites and then individual templates that handled the layout and design. This is actually pretty common. The folder structure allowed for site specific stuff to go in the site folder while all the common stuff (everything but specific images and layout stuff) went into the site folders.

The application file specific to each site set up the variables needed for that site, then all of the heavy lifting code was called from the "core" folder using includes, custom tags or CFCs. The idea here is to be able to affect the application code of all 50 sites on the server with a single deployment. This is an idea I endorse although there are other ways of doing it. For the scope of this suite of sites it seemed an acceptable solution.

The problem came when we wanted to run code directly from outside the application (meaning the core) without first running it through the application.

[More]

While I'm not certain I have enough information be sure I'm answering your question, I can tell you that implementing an array of objects is pretty easy if you are using ColdFusion 8. Check this out:

Howard, you sound like you already know a good bit of this, but for the rest of you out there I believe this is usually refered to as an "implicit" object constuctor - meaning the type of object created is assumed due to the way the values are arranged in the code. It is a common feature of most languages - including PHP. It is something of a late comer to ColdFusion, but better late than never. Rather than bore you with my own inimitable style I will refer you to the excellent writing and analysis of ColdFusion Guru and all around smarty pants Ben Nadel. See his post on Implicit Struct and Array Creation.

While perusing one of my email lists I stumbled onto a behavior of the "isDefined()" function that bears repeating. This function is commonly used in most ColdFusion applications. In fact, I would put it in the top 10 of functions used (perhaps the top 5), so any bug or interesting behavior related to isDefined( ) should warrant some notice. The short description of the problem is that isDefined() may throw an exception during a lengthy request. The conditions have to be just right.

If you are wondering if this behavior is related to an error you are experiencing, one clue is in the exception information. If you are seeing something like "error Error while reading header [VARNAME]" in conjunction with a socket write error (connection reset by peer: socket write error) then you should probably take a closer look at this post.

But before we discuss the behavior, it's important to understand how "isDefined()" works. As you know everything in ColdFusion belongs to some scope or is a member of some object. So ColdFusion has to work it's way down an order of precedence when trying to figure out if something is defined or not. Something like this.

[More]

Starting with CF 6, most scopes became structures - objects with members - but in the pre Java days of ColdFusion there were a good many differences in how various scopes behaved. Few things were objects or structures. All those neat little structure functions that are so darn useful when dealing with a scope were not invented yet. Instead we had famously ugly, workaround code with loops using lists and evaluate( ). You might remember the good old CF 4.x days when, in order to loop through form variables, you used the "special" form variable called fieldnames which contained all the form field names. Remember this code?

[More]

ColdFusion guru and all around fabulous guy Brian Rinaldi has put together what promises to be an outstanding conference called RIA Unleased in the Boston area. The one day event is available for only 30 dollars for early bird registrations - that's unbeatable. The list of speakers includes notables like Jeff Tapper, Adam Lehman, Jason Delmore etc. - the "who's who" of the ColdFusion world (and no doubt dedicated Muse readers :). The even has 3 trackes, Flex and Air, Coldfusion and one focused on overall web development. Knowing Brian it will be an excellent event and well worth the effort. If you have the date free (November 13th from 8 am to 5:30 pm) you should consider attending. You can also follow RIA unleased on twitter at @riaunleased.

I had a question from a reader who was having trouble with his client variables database. You don't have to be using ColdFusion for long before you learn (or are told) that if you are going to use Client variables it is important to use a database and not the registry. This goes back to the old CF 5 days when client vars could cause the registry to grow to astronomic proportions before anyone would notice.

The solution to Client variable performance has always been to move them to a data source on an RDBMS (MySQL, MSSQL, Oracle etc). The process is all done using the ColdFusion Administrator. It is a bit involved but not difficult.

• Add a datasource with create, update, insert and delete permissions.
• On the "client variables" page, select the DSN from the drop down and click "add". Follow the instructions to set up the DSN. I always check the box to "disable" global variables because I never use them (things like "hitcount").
• When you submit, the tables will be created and the DSN will be listed under the curiously named "Actions Storage Name Description" section where the registry and cookies are also choices.

Once your DSN is on the list it can be used to store variables - either by selecting as the "Default" storage location in CF administrator or specifying it in your Cfapplication tag.

Meanwhile, having explained the rudimentary steps for adding a client variable DSN my reader is impatience to hear his problem explained - so here goes. He created a DSN named "coldfusion" and used the steps above to insure that it was specified as the client variable DSN. He noticed immediately that the "global" variables were created, but no actual "client" variables were created. In other words, when he did something like "cfset client.user = 'bob'" it had no effect. Subsequent requests indicated that client.user did not even exist. Clearly the records were not being written to the DB.

The Fix

After some trial and error I suggested that perhaps the datasource name of "coldfusion" was the problem. Why you ask? As a rule I never use what could be a reserve word as a variable or datasource name. I surmised that "coldfusion" seemed to fit that standard so I suggested he create a new alias and try again. As soon as he did the tables began to update. The moral of the story - don't use reserve words for things like variable names or DSN's. Meanwhile, if by some confluence of events and aligning of the stars you have chosen to name your datasource for client variables "coldfusion" and you are scratching your head to figure out why it isn't working - try renaming the DSN.

You may or may not know that the Muse' company, CF Webtools, sponsors the Nebraska ColdFusion User's Group (NE CFUG). Actually all the real work is done by our ColdFusion and Linux Guru, Ryan Stille who's energy keeps ColdFusion thriving here in the heartland. Last night we heard a presentation by the affable and knowledgeable (and really really tall) Kevin Hoyt. He spent about 2 hours both in presentation and chatting with us afterward. He was pretty cool and called his presentation a "slide deck" and talked about how the "newbies" put in too many "transitions". Oh you Adobe people and your fancy pants lingo. What will you think of next.

Now in the interest of full disclosure, I'm a ColdFusion zealot. I know that's not news to my regular readers, but it bears mentioning in case I slip up and say something negative. All in all the Muse has been thrilled with each release of ColdFusion and I have waited with bated (or is it baited) breath for each Beta (or is it Baita) version. When CF 8 came out I rewrote our entire tracking and project management system to take advantage of the new UI features. I'm an early adopter and a CF enthusiast. Also I should note that, although I have the beta version of CF 9, I will only be talking about what was in the presentation. Here's my take.

[More]

Regular readers know I'm always on the lookout for interesting issues regarding SQL Injection and ColdFusion. This year has been a banner year for injection on ColdFusion sites and if you are not on the Cfqueryparam bandwagon yet I have one more example of a code that might seem to be inoculated but is not. It has to do with the use of val( )....

[More]

I'm glad you asked this question because it reminds me that I sometimes give advice without any follow through - which is the same problem I have with my 8 iron. Upgrading the JVM on a windows installation is pretty easy. Just remember that you will need the correct Java Runtime for your platform and ColdFusion version. Rob specified Win2k3 x64 so I assume he means he is running ColdFusion 8 enterprise 64 bit - in which case the target version is 1.6 update 14 (or 1.6.0_14). I usually start at the Sun Java download page. Once you have the right version in hand the rest is easy.

[More]

This issue was brought to my attention by Adrian Lynch on CF-Talk. It seems that if you use the new image functions in ColdFusion 8 against certain kinds of JPG images you can actually cause your JVM to crash. If you have code that uses the latest image functions to handle uploaded images you should definitely take note of this post. I cannot yet see how a user might take advantage of this bug to penetrate your server, but a malicious (or even non-malicious) user could easily perform a denial of service attack and cause your CF server to go up and down like Jack LaLanne doing jumping jacks. So if you fit into that category (handling uploaded images using CF 8 image functionality) here's the scoop.

[More]