Var scope checker revised and has a new home.

Jim Collins added a file browser to the Var Scope Checker originally authored by Seth Petry-Johnson. The code is now on Google Code, since Seth's website is REALLY down now.

Get it while it's hot!

New Scorpio/CF8 Yahoo Pipe

I am still wading through all of the new Scorpio/CF8 information. There is a lot of it and in order to get a better handle on all the topics and postings, I created a new Yahoo Pipe. The full URL is:

I picked the top 8 blogs for Scorpio news based on an unscientific cruise through the ColdFusion Yahoo Pipe from Brian Rinaldi. There are blogs I have missed so if you know of a good resource for Scorpio/CF8 postings, please leave the feed URL in a comment.

I want to be strict on this one and keep a valuable signal to noise ratio. My own blog is not included in this feed yet, because I haven't posted anything significant on Scorpio/CF8.

So let us make this Scorpio specific please. If you have a Scorpio feed, please submit that one rather than your generic feed URL.

Think you are having a bad day, read this!

PAW PAW, Mich. - A man was taken on a wild ride when his wheelchair became lodged in the grille of a semitrailer and was accidentally pushed down a highway for four miles at about 50 mph, authorities said.

The police statement:

view plain print about
1"The man spilled his soda pop, but he wasn't upset," said Sgt. Kathy Morton of the Michigan State Police.

If this was me, the police would have said: "The man was visibly upset and needed several changes of shorts"

You can read the rest of the story for a picture and more details.

Scorpio Beta works with Apache 2.2.4.

Just a quick note to say I was able to get CF 8 working on a fresh install of Apache version 2.2.4.

A few quick observations:

  1. During the CF install, I got a nice message reminding me to stop ColdFusion MX 7 Search Server
  2. After CF finished, I had to run the Web Server Configuration Tool again for everything to work
  3. I also had to open Port 51800 on my local firewall. I suspect this is JNDI.

My initial impressions? The installation process handled the above issues gracefully. This doesn't feel much like beta software... Remind me to tell you about an experience I had with a SQL Studio Express CTP beta once.

Editors note: I suppose I will never be hired by microsoft if I keep making these sorts of comments

Secret 1337 Trick - Undo Close Tab in Firefox

I just found an interesting feature in Firefox 2. If you have an open tab, then close it, you can right-click the tabs and choose 'Undo Close Tab' and the banished tab will return.


Jim Priest, who turned me on to the Microsoft Update Reboot Fix points out that the following key combos work:
CTRL+T = new tab
CTRL+SHIFT+T = restore last closed tab

I've use CTRL+T countless times. It never dawned on me to try CTRL+SHIFT+T. Thanks again Jim!

Wishlists come true. Thanks Adobe!

Does anyone remember my posting a while ago about Adobe purchasing Flex books from Amazon Wishlists? I remember quite a few people doubting it was true. When I originally heard the news, I immediately set up a wishlist and added every Flex resource I didn't already have.

After my nice long vacation in the Florida Keys, I came home to a nice surprise! A package from Amazon containing the Lynda videos for Flex!

So, yes it is true. Adobe isn't just going Mad Hatter, of course. I imagine they have a budget and they dole out some books from time to time. I am very happy to be the recipient.

Turns out I already have the Lynda Videos. I was slow in removing them from the wishlist. The only proper thing for me to do was give them to some other deserving soul. Sean has agreed to host a 1,000,000 hits contest for the Videos. You can find details of the contest at Sean's blog.

A big thank you to Mike Potter and the team for their continued community support.

6663 Views Print Print Comments (0) Flex

Anatomy of an SQL Injection Attack

Security is everyone's problem. It is important to be aware of issues that can foster security violations in software. Buffer Overflows, a common software security hole, arise from the length of input not being checked. When the input is larger than the memory allocated, the input data can spill over into unintended memory addresses. By appending a command with the correct offset, it is quite possible to push the command into memory space with high level privileges and execute.

In a buffer overflow attack, often the application accepting the input is running under reduced privileges. Because the input overflows the given memory address, it matters not that the input originated from a low privilege application, but rather the actual memory address where the command is stored and executed.

SQL injection is another type of attack and shares a common root with Buffer Overflow attacks. When input is not properly evaluated and filtered, bad things can happen. In an SQL injection attack, the attacker appends SQL statements to input. Here is a simple query:

view plain print about
1SELECT userID, username, password
2FROM Users
3WHERE UserID = 1

Here is an example of appending a command to an SQL statement.

view plain print about
1SELECT userID, username, password
2FROM Users
3WHERE UserID = 1; DROP Users;

In the last example, an SQL command to drop the users table was added. Imagine for a moment the URL to access a user profile. http://someserver/index.cfm?userID=1 The userID is appended to the URL and is undoubtedly passed to a query in the application that returns the profile associated with UserID 1.

To create an SQL Injection attack with the URL above, we could simply try the following URL: http://someserver/index.cfm?userID=1;drop users When the application substitutes the userID value of 1;drop users in the query, there are actually two statements to be executed. Firstly, the command to return the data from the users table associated with userID 1. Secondly, the command to drop the whole users table.

Pragmatically speaking, there would be little to gain by dropping the users table apart from vandalism. That being said, there are thousands of 5kr1pt k1dd135 whom would be delighted in dropping your users table for you and then bragging to their little wanker friends about how they trashed your server. Still, not much of a security risk? Let us try another angle.

Suppose for a moment a site that charged a lot of money for access to data. Users periodically purchased subscriptions and your organization was making millions. Inside the database was a users table with the field of 'ExpirationDate' representing the date the subscription would need renewal. Shall we form an attack to give us a 20 year subscription?

This is the SQL we wish to execute

view plain print about
1SELECT userID, username, password
2FROM Users
3WHERE UserID = 1; update Users set ExpirationDate = '5/5/2027';

Can you guess what the URL string would look like?

If you guessed: http://someserver/index.cfm?userID=1;update users set expirationdate = '5/5/2027'

Then you are close. We may need to massage the url a little, or find a text input to put our command if the spaces and quotes are not respected.

So we can bump our subscription up 20 years or so. What else can we do? Let us try to add a user.

This is the SQL we wish to execute

view plain print about
1SELECT userID, username, password
2FROM Users
3WHERE UserID = 1; insert into Users (username, password, expirationdate) values ('imahaxor','inyourbox','5/5/2027');

http://someserver/index.cfm?userID=1;insert into Users (username, password,expirationdate) values ('imahaxor','inyourbox','5/5/2027');

Now in place of just extending a subscription, the attacker has a new account that won't expire for a while yet. Not a pretty picture is it?

How can you defend against SQL injection attacks, you ask? There are some best practices you may follow to reduce your attack surface. Let us look at a few:

  1. Reduce the privileges given to the SQL user of your application. If the application never needs to insert into a particular table, then remove that privilege.
  2. Check your input values. If you are expecting a number, add val() around the value. In the case above, a simple val() statement turns a malicious statement into a simple 0. We all like 0, right?
  3. Use prepared statements. Adding cfqueryparam values to your dynamic query values adds great protection. Apart from escaping malicious characters, the prepared statement treats the value as a value, not a string of text to be executed by the SQL engine.

While software is extremely difficult to secure completely you can remove a giant risk by gaining understanding of SQL Injection Attacks and using the techniques above.

Below are some examples of a recent attempt to use SQL Injection on my blog. This attack was not very sophisticated, but could have disrupted the services of this blog.

view plain print about
1Invalid data FDEB2819-9F27-DDC8-3C7C7A4B29BC8149 and 1=2 value exceeds MAXLENGTH setting 35..
This was a fingerprinting attack. If the attacker retrieved a page, then the input mechanism would allow sanitized input. If the attacker received an error message, then perhaps important information about the server configuration would be revealed.

view plain print about
1Invalid data FDEB2819-9F27-DDC8-3C7C7A4B29BC8149 and char(124)+user+char(124)=0 value exceeds MAXLENGTH setting 35..
This string evaluates to FDEB2819-9F27-DDC8-3C7C7A4B29BC8149 and |user|=0.

view plain print about
1Invalid data FDEB2819-9F27-DDC8-3C7C7A4B29BC8149' and char(124)+user+char(124)=0 and '%'=' value exceeds MAXLENGTH setting 35..
This string evaluates to FDEB2819-9F27-DDC8-3C7C7A4B29BC8149 and |user|=0 and '%'='

WOT - Florida Keys Pictures on Flickr

I put a few pictures on Flickr from my recent Florida Keys Vacation. If any one would like to chip in $700k I'll be happy to buy a house and a boat and take care of them both. I cook some mean Quesadillas and Fish Tacos.

Bears in the neighborhood.

At the moment, I live in New Jersey, right where the suburbs of the 'city' meet the countryside. New Jersey is remarkable for a lot of reasons. Today, let us talk of my favorite topic, Bears.

Not the Chicago Bears, mind you, I mean the black fuzzy bears that look so cute you want to reach out and pet them. Of course, you need to have a friend along. Afterwards someone will be transporting parts of your carcass to the hospital. Who better than a friend, right? I digress, Death and Dismemberment notwithstanding, the bears are seriously cute.

For some reason, I seem to attract bears. Maybe I need to change my hair care products, or finally cease wearing the sneakers I've had for 4 years. Regardless, I have 6 bear sightings in less than a year.

I have seen 6 wild bears. 3 I saw on foot. 3, I just saw in my neighborhood as I was leaving for a sandwich.

Professional Bearologists will tell you to leave the bears alone. They say do not follow the bears, stay far away. This is precisely what I did not do.

I followed the bears (doing 1MPH in my car with the window open) across three lots trying to take a sensible picture with my camera phone. I was sure they would jump through the window and start mauling at any second. The thought of getting up close pictures was worth the risk.

As you can tell from the stellar image quality, it was not worth the risk. I should have left the phone in my pocket and just watched the bears.

So now, in place of getting a new MacBook, I am looking for a new cellphone/pda with an excellent camera. I am leaning towards the Blackberry Pearl

Any recommendations, suggestions, personal anectdotes?

Using Closures in Javascript

Closures in JavaScript are a very important tool. The ability to control the execution contexts of variables and functions gives a lot of power. In some cases, closures aren't only handy and powerful, they are necessary. For example, in the process of wrapping up a JavaScript AutoSave, I ran into a bit of a scoping problem with setTimeout().

As you know, setTimeout hangs off of the 'window' scope. The fully qualified call is window.setTimeout(). Inside of my javascript object I created a setTimeout command to run the doSave() function. The setTimeout() function takes two arguments:

  1. The Code to execute on completion
  2. The number of milliseconds before executing Arg1
Since I was several layers inside the AutoSave object, I addressed the function as this.doSave(). The problem arose that the execution context of setTimeout means that 'this' will not resolve into my handy doSave function. I could have addressed the function by the global variable containing my AutoSave object, but that would reduce the reusability of my JavaScript object.

What I needed was a way to maintain the variables from one scope into another scope and that is where the closure came in.

view plain print about
1startTimer : function(){
2    if (! _timerRunning){
3         var _OnTimeoutEnd = this.doSave;
4     _timer = setTimeout ( function(){ _OnTimeoutEnd()}, _SaveCycleLength );
5        _timerRunning = true;
6    }

This piece is specifically the closure.

view plain print about
1function(){ _OnTimeoutEnd()}

Notice above how I get a reference to the function doSave from the this scope. Inside the AutoSave object, 'this' points to the AutoSave object. Then I set this.doSave to a new variable which I then put inside the first argument of setTimeout.

When this code executes, _OnTimeoutEnd correctly resolves to the AutoSave.doSave function and the save is completed.

JavaScript closures are very powerful and should become a part of your toolbox as well. If you would like to read more about Closures in JavaScript, I suggest Javascript Closures

by Richard Cornford.