ColdFusion 7 error 500 Null with Custom Tags

I spent a couple hours diagnosing a 500 Null error. There was little information to go on and 500 Null errors are hard to figure out in general. Let's hope someone is helped by this.

The error occurred on a Linux machine running CF 7.02 with no updaters. The code in question was a set of nested custom tags all linked together using cfassociate. I dug through the code looking for any such potential null reference evaluations and chopped out large blocks of code at a time to try to get the error to go away. If I took out enough CFML code, the error went away. It really didn't matter at all WHICH code I took out, just that I took out some mysterious amount.

The total lines of code in the custom tagset was less than 500 with no loops or anything that would jack up the lines of code when evaluated so this REALLY threw me for a loop.

Eventually, I updated to the latest updater for CF7 and the error went away. Strangely, there was no mention in the list of updater fixes, but trust me, the error went away. If you are having a similar problem, use ColdFusion MX 7.02 Cumulative Hot Fix 3 or later.

If you have similar stuff going on in your applications, there is a good chance the ColdFusion MX 7.02 Cumulative Hot Fix 3 will sort it out for you.

Fix for Filezilla Failing to Retrieve Directory Listing

I use the Filezilla FTP client to manage files on many servers. I had a specific Filezilla client that refused to retrieve a directory listing. Other computers could connect to the same server just fine. Thus I knew it was a client configuration problem.

I ended up with messages like this:

Response:	200 PORT command successful. Consider using PASV.
Command:	LIST
Error:	Connection timed out
Error:	Failed to retrieve directory listing

I ran the Filezilla configuration wizard to diagnose the problem. The configuration wizard utility ran for a while reporting success until the very end. After timing out, I received the following messages:

Response: 200 PORT command successful
LIST
Response: 150 opening data connection
Response: 503 Failure of data connection.
Server sent invalid reply.
Connection closed

Searching the Internet led to not-so-helpful posts such as "Please read the Network Configuration guide." After analyzing the situation, it turns out the solution isn't so obvious. My client had the default setting of Connection -> FTP -> Active Mode: Get External IP Address From This URL, which pointed to http://ip.filezilla-project.org/ip.php. This is the source of the problem. If you go to that URL, you will probably get a result of 127.0.0.1. If the Filezilla client needs the external address and is given 127.0.0.1, then there will be problems indeed!

If you have a similar problem with Filezilla, and the problem persists even when the Windows Firewall is disabled, here is what you need to do:

  • Open Filezilla, go to Edit -> Settings
  • Click on Connection -> FTP: Choose Active
  • Click on Connection -> FTP -> Active Mode: Select "Ask your operating system for the external IP address"
  • Click on Connection -> FTP -> Passive Mode: Choose Fall Back to Active Mode
  • Press OK.

Try connecting to your FTP site once again. Works!
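
Why 127.0.0.1 breaks active mode: the client advertises that address in the PORT command, and the server then tries to open the data connection to itself. As an added example (not part of the post or of Filezilla), here is the sanity check an active-mode client should apply to whatever an "external IP" lookup returns, plus the PORT argument encoding from RFC 959; the sample lookup responses are constructed.

```python
import ipaddress

# Ranges a remote FTP server can never connect back to for an active-mode data
# connection. RFC 1918 space is listed here; loopback, link-local, multicast and
# reserved addresses come from ipaddress' own classification.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def why_unusable(ip_text):
    # Returns None if the address can be advertised in PORT, otherwise a reason.
    # This is the check the client's "external IP" lookup result never went through.
    try:
        addr = ipaddress.IPv4Address(ip_text.strip())
    except ipaddress.AddressValueError:
        return "not an IPv4 address"
    if addr.is_loopback:
        return "loopback (127.0.0.0/8): the server would try to connect to itself"
    if addr.is_unspecified or addr.is_link_local or addr.is_multicast or addr.is_reserved:
        return "not a unicast host address"
    if any(addr in net for net in PRIVATE_NETS):
        return "RFC 1918 private address: not reachable from the Internet"
    return None

def port_argument(ip_text, port):
    # Builds the argument of FTP's PORT command (RFC 959: h1,h2,h3,h4,p1,p2) and
    # refuses an address the server cannot reach, instead of timing out on LIST.
    reason = why_unusable(ip_text)
    if reason:
        raise ValueError(f"refusing PORT with {ip_text.strip()}: {reason}")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = ",".join(str(b) for b in ipaddress.IPv4Address(ip_text.strip()).packed)
    return f"{octets},{port // 256},{port % 256}"

# Constructed lookup responses: the first reproduces the failure in the post.
SAMPLE_LOOKUPS = {"broken": "127.0.0.1\n", "plausible": "203.0.113.10\n"}
```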

Diagnosing Server Issues

I've had the pleasure of working for many diverse employers and clients. A number of times I've been on a team working to resolve misbehaving software/servers. Part of the job is digging through logs. Another part is load testing specific workflows looking for knots or bottlenecks in the process. Still another part is analyzing each query for suboptimal performance.

There can be many factors that contribute to performance problems. Mike Brunt, Systems Guru at Alagad, has the skills to quickly analyze an application and tune it for proper efficiency. Mike has been posting on the Alagad blog for some time now. I find his posts to be informative and to show an uncommon depth on complex topics. Mike has an ability to simply explain tough subjects.

After reading his latest post, I was struck by how much I do not know. I understand, at a base level, how the JVM allocates memory and that changing the allocated memory can improve application performance. I don't pretend to have the experience needed to diagnose problems and fix them by providing more appropriate settings.

Organizations that rely on critical web applications should pay attention to server performance. While performance problems can be mitigated, to an extent, by increasing the hardware running the system, adding hardware brings additional expenses in the form of hardware, software licenses, maintenance efforts, increased power consumption and less available room in the server racks.

If you run into server performance issues, keep in mind the professionals in our community that specialize in diagnosing and repairing server performance. There is more to server performance than code and database queries!

Flash Security with Off-Root CrossDomain.xml files

Bruce Phillips (you should check out his interesting Flex posts) let me know that my Surfing Stats data didn't load when the swf was located off my http://www.nodans.com domain. I want others to take the code and do with it as they please, so I need to make the data available across domains. This is done through the use of a crossdomain.xml file. The file I used looks like this:

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

This is a very promiscuous file. It allows anyone anywhere to load any data in the containing directory and all subdirectories. Such a promiscuous file also opens up security vectors. In the words of Lucas Adamski on DevNet:

As an example, a user is logged in to an e-commerce site that uses cookies for authentication. On the site is a user account settings page where you can see information such as your mailing address and other personally identifiable information. If this site has an overly permissive cross-domain policy file like *, a SWF file that is hosted on another domain could silently load the account settings data and send it elsewhere. This is because the browser appends the cookies for the e-commerce site to the request from Flash Player.

By default, the SWF looks for the crossdomain.xml file in the root of the website but with a little code, you can put it anywhere you please. I used this command to tell the SWF where to find the crossdomain.xml file:

Now, only the directory containing SurfingStats is enabled, reducing the surface area of attack. If you want to read more on the security issues with crossdomain.xml files, check out these links:

Poking new holes with Flash Crossdomain Policy Files
Cross-domain policy file usage recommendations for Flash Player
The Dangers of Cross-Domain Ajax with Flash
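
As an added example (not the post's own code), a small checker that parses a crossdomain.xml and reports the grants that open the hole Adamski describes above: a bare "*", a suffix wildcard, and secure="false". The scoped policy and its partner.example host name are constructed for the demo.

```python
import xml.etree.ElementTree as ET

# The post's wildcard file, beside a constructed scoped alternative. The host in
# the second policy is a placeholder, not a real partner site.
WILDCARD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>"""

SCOPED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="partner.example" secure="true" />
</cross-domain-policy>"""

def audit_policy(xml_text):
    # Lists the grants in a crossdomain.xml that widen the attack surface the post
    # describes. An empty list means every grant names a single host over https.
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not cross-domain-policy"]
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('domain="*": any SWF anywhere may read this directory tree '
                            "with the visitor's cookies attached")
        elif domain.startswith("*."):
            findings.append(f'domain="{domain}": every host under that suffix is trusted')
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" for {domain}: an http-loaded SWF may read '
                            "data served over https")
    return findings
```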

XP Drivers for Toshiba A215 - S7428

Recently I removed Windows Vista and installed Windows XP on the Toshiba A215-S7428. The Windows XP installation is complete and functioning properly. Due to the driver incompatibilities, this process was much more annoying than I thought it ever could be.

To get this to work, you have to pretty much forget the Toshiba site. It is mostly unhelpful and will send you over the edge. Instead, one must dig down deep into the operating system. One must manually edit driver inf files. One must deal with trying to find a driver for "Unknown System Device".

Fortunately, some unnamed kind soul has done all the hard work for you. I have been asked by unnamed kind soul to say the following:


Toshiba Satellite A215-S7428 on Windows XP

I recently purchased a Toshiba Satellite A215-S7428. This well-equipped notebook computer comes with Windows Vista Home Premium. I planned to remove Vista Home Premium and replace it with the venerable and less annoying Windows XP. Let this post serve as a warning to others with similar ideas.

Removing Vista was easy enough. Installing Windows XP was easy enough. Finding and installing drivers has been the bane of my existence.

Update: This has been solved. See: XP Drivers for Toshiba A215 - S7428

Predictably, the Toshiba site was no help. I understand they shipped the computer with Vista Home Premium, and likely feel their support obligations only extend to OEM configurations. However, I lost confidence in Toshiba when I read the following on their Detailed Specs for the Toshiba Satellite A215-S7428: "This product specification is variable and subject to change prior to product launch."

If anyone sees Toshiba, please remind them the product Toshiba Satellite A215-S7428 has launched.

A few of the problems I am currently working through:

Realtek allegedly provided the WLAN component. The driver listed at The Realtek WLAN RTL8187B Support Section is not recognized by Windows XP as a valid driver. RTL8187B is listed by the Windows XP Device Manager.

The Display Driver listed by the Detailed Specs for the Toshiba Satellite A215-S7428 is ATI Radeon X1200M. This is not even an option at the ATI driver download site. I tried the Radeon X1200 driver (in the Windows XP > Professional/Home > Integrated/Motherboard > Radeon X1200 section), but the install aborted when it found no compatible hardware. I guess the 'M' in ATI Radeon X1200M makes a HUGE difference.

As a consolation prize, there is no driver listed for the ATI Radeon X1200M in the Windows Vista section either.

Network and Display adapters are KEY. I haven't even tried to figure out what Base System Device is, or PCI Device....

Final Thoughts

I've swapped OS versions in the past and do not recall these types of issues. If I am overlooking something, please point it out to me. Meanwhile, I issue a word of caution for those who plan to purchase the Toshiba Satellite A215-S7428.

While this notebook comes well equipped on the hardware side, it is severely lacking for those who wish to swap Operating Systems. Think twice if you choose to go this route. There are plenty of computers that will still ship with Windows XP. Choose one of those.

Update: In case you missed the inline announcement, this has been solved. See: XP Drivers for Toshiba A215 - S7428

Anatomy of an SQL Injection Attack

Security is everyone's problem. It is important to be aware of issues that can foster security violations in software. Buffer Overflows, a common software security hole, arise from the length of input not being checked. When the input is larger than the memory allocated, the input data can spill over into unintended memory addresses. By appending a command with the correct offset, it is quite possible to push the command into memory space with high level privileges and execute.

In a buffer overflow attack, often the application accepting the input is running under reduced privileges. Because the input overflows the given memory address, it matters not that the input originated from a low privilege application, but rather the actual memory address where the command is stored and executed.

SQL injection is another type of attack and shares a common root with Buffer Overflow attacks. When input is not properly evaluated and filtered, bad things can happen. In an SQL injection attack, the attacker appends SQL statements to input. Here is a simple query:

SELECT userID, username, password
FROM Users
WHERE UserID = 1

Here is an example of appending a command to an SQL statement.

SELECT userID, username, password
FROM Users
WHERE UserID = 1; DROP TABLE Users;

In the last example, an SQL command to drop the Users table was added. Imagine for a moment the URL to access a user profile:

http://someserver/index.cfm?userID=1

The userID is appended to the URL and is undoubtedly passed to a query in the application that returns the profile associated with UserID 1.

To create an SQL injection attack with the URL above, we could simply try the following URL:

http://someserver/index.cfm?userID=1;drop table users

When the application substitutes the userID value of 1;drop table users into the query, there are actually two statements to be executed: first, the command to return the data from the Users table associated with userID 1; second, the command to drop the whole Users table.

Pragmatically speaking, there would be little to gain by dropping the users table apart from vandalism. That being said, there are thousands of 5kr1pt k1dd135 who would be delighted to drop your users table for you and then brag to their little wanker friends about how they trashed your server. Still, not much of a security risk? Let us try another angle.

Suppose for a moment a site that charges a lot of money for access to data: users periodically purchase subscriptions and your organization is making millions. Inside the database is a Users table with the field 'ExpirationDate', representing the date the subscription needs renewal. Shall we form an attack to give us a 20 year subscription?

This is the SQL we wish to execute:

SELECT userID, username, password
FROM Users
WHERE UserID = 1; update Users set ExpirationDate = '5/5/2027';

Can you guess what the URL string would look like?

If you guessed: http://someserver/index.cfm?userID=1;update users set expirationdate = '5/5/2027'

Then you are close. We may need to massage the URL a little, or find a text input to put our command in, if the spaces and quotes are not respected.

So we can bump our subscription up 20 years or so. What else can we do? Let us try to add a user.

This is the SQL we wish to execute:

SELECT userID, username, password
FROM Users
WHERE UserID = 1; insert into Users (username, password, expirationdate) values ('imahaxor','inyourbox','5/5/2027');

http://someserver/index.cfm?userID=1;insert into Users (username, password,expirationdate) values ('imahaxor','inyourbox','5/5/2027');

Now in place of just extending a subscription, the attacker has a new account that won't expire for a while yet. Not a pretty picture is it?

How can you defend against SQL injection attacks, you ask? There are some best practices you may follow to reduce your attack surface. Let us look at a few:

  1. Reduce the privileges given to the SQL user of your application. If the application never needs to insert into a particular table, then remove that privilege.
  2. Check your input values. If you are expecting a number, add val() around the value. In the case above, a simple val() statement turns a malicious statement into a simple 0. We all like 0, right?
  3. Use prepared statements. Adding cfqueryparam values to your dynamic query values adds great protection. Apart from escaping malicious characters, the prepared statement treats the value as a value, not a string of text to be executed by the SQL engine.
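
To make defenses 2 and 3 concrete, here is an added example (not the post's code, and Python's sqlite3 rather than ColdFusion) that runs the subscription payload from above through a string-built query and then through a bound-parameter query, which is what cfqueryparam gives you. The Users schema, its rows and the to_int_or_zero helper standing in for val() are constructed for the demo.

```python
import sqlite3

# Constructed stand-in for the post's Users table (sample rows, not real data).
SCHEMA = """CREATE TABLE Users (userID INTEGER PRIMARY KEY, username TEXT,
            password TEXT, ExpirationDate TEXT);
INSERT INTO Users VALUES (1, 'alice', 'pw1', '5/5/2008');
INSERT INTO Users VALUES (2, 'bob', 'pw2', '5/5/2008');"""
# The post's subscription payload, exactly as it would arrive in ?userID=
PAYLOAD_UPDATE = "1; update Users set ExpirationDate = '5/5/2027'"

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def lookup_vulnerable(conn, user_id):
    # Dynamic query: the URL value is pasted into the SQL text, so the engine sees
    # two statements. executescript() runs stacked statements like the post's
    # database does; sqlite3's plain execute() would refuse the second one.
    conn.executescript(
        f"SELECT userID, username, password FROM Users WHERE UserID = {user_id}")

def lookup_safe(conn, user_id):
    # Prepared statement (the idea behind cfqueryparam): the value is bound as data,
    # never parsed as SQL, so the appended statement is just a key matching no row.
    return conn.execute("SELECT userID, username, password FROM Users WHERE UserID = ?",
                        (user_id,)).fetchall()

def to_int_or_zero(value):
    # Input check in the spirit of the post's val() step (hypothetical helper, not
    # ColdFusion's Val()): anything that is not a whole number becomes 0.
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0

def expiration_dates(conn):
    return [r[0] for r in conn.execute("SELECT ExpirationDate FROM Users ORDER BY userID")]

def run_demo():
    # The UPDATE payload through both query styles, each on a fresh database.
    out = {}
    conn = fresh_db()
    lookup_vulnerable(conn, PAYLOAD_UPDATE)
    out["vulnerable_dates"] = expiration_dates(conn)      # every row extended to 2027
    conn = fresh_db()
    out["safe_rows"] = lookup_safe(conn, PAYLOAD_UPDATE)  # no row has that odd key
    out["safe_dates"] = expiration_dates(conn)            # untouched
    out["coerced_rows"] = lookup_safe(conn, to_int_or_zero(PAYLOAD_UPDATE))
    return out
```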

While software is extremely difficult to secure completely, you can remove a giant risk by gaining an understanding of SQL injection attacks and using the techniques above.

Below are some examples of a recent attempt to use SQL Injection on my blog. This attack was not very sophisticated, but could have disrupted the services of this blog.

Invalid data FDEB2819-9F27-DDC8-3C7C7A4B29BC8149 and 1=2 value exceeds MAXLENGTH setting 35..
This was a fingerprinting attempt. If the request came back as a normal page, the input was being sanitized; if it came back as an error message, the error text might reveal information about the server configuration.

Invalid data FDEB2819-9F27-DDC8-3C7C7A4B29BC8149 and char(124)+user+char(124)=0 value exceeds MAXLENGTH setting 35..
This string evaluates to FDEB2819-9F27-DDC8-3C7C7A4B29BC8149 and |user|=0.

Invalid data FDEB2819-9F27-DDC8-3C7C7A4B29BC8149' and char(124)+user+char(124)=0 and '%'=' value exceeds MAXLENGTH setting 35..
This string evaluates to FDEB2819-9F27-DDC8-3C7C7A4B29BC8149 and |user|=0 and '%'='

Google for Domains and MX Records of Death

I set up Gmail for domains the other day. Part of the configuration involves 'Claiming' your domain. This is a simple process. All you have to do is copy a string, save it to a specially named file and add it to the webroot for the domain.

The next part involves setting your MX Records. This means changing the current DNS MX records and adding in the ones provided by Google. Below is the configuration:


BlogCFC was created by Raymond Camden. This blog is running version 5.9.001.