The No-Dans Club - Server Configuration

How to get Oracle 8i to Start on Windows XP

Thu, 14 Jun 2012 07:47:00 -0700

Oracle Error - Oracle Not Available

I'm working on a client project that uses an Oracle 8i database. We'll eventually convert this database to another platform at some point, but for now, we need to make some much needed changes to the existing platform.

Oracle 8i doesn't seem to run on modern Windows Operating Systems so I installed it on Windows XP. This worked fine until I restarted the machine. Upon restart, the once functioning database service would not open. Connecting to the database gave the error "Oracle not available".

It turns out, this is a common issue and after researching and exploring various options, I finally got the database to start up with a series of steps.

Here's what to do:

Since this process involves starting services in a particular order, we need to change the 5 Oracle services below to start up manually: (Administrative Tools > Services )

OracleOraHome81TNSListener
OracleOraHome81DataGatherer
OracleOraHome81ClientCache
OracleOraHome81Agent
OracleWebAssistant0

While you are in there, change the name of your particular database service "OracleServiceWhateverYourServiceNameIs" to Manual also.

After a reboot, start all 5 services in the order listed above. Once all services are up and running, start your database service: "OracleServiceWhateverYourServiceNameIs"

It'll probably complain with an error afterwards, but that's ok.

Go to Task Manager and kill the ORACLE.exe process running and restart the service for your database instance: "OracleServiceWhateverYourServiceNameIs".

Try to connect to the database. Sometimes the service will be up and ready for service after these steps. If it is not, perform the following steps:

Open the Database Configuration Assistant ( start>Programs>Oracle-oraHome8i>database administration> database configuration assistant )
Choose "Change Database Configuration"
After pressing Next, choose the instance you want to connect to.
Press next 2 more times and the database will be ready for service then

At this point, you should be able to connect to your database with SQLPlus, or any other preconfigured connection. I hope this works as well for you as it worked for me.

How to solve error: [Oracle JDBC Driver]Transliteration failed, reason: invalid UTF8 data

Wed, 06 Jun 2012 11:07:00 -0700

I got a strange error "[Oracle JDBC Driver]Transliteration failed, reason: invalid UTF8 data" while working on a client system. I spent a reasonable amount of time trying to work out what caused this.

The Oracle database was a restore of an Oracle 8.1.6 system onto the new Oracle XE 11.2. During the import, the character sets changed.

export client uses WE8ISO8859P1 character set (possible charset conversion)
export server uses WE8ISO8859P1 NCHAR character set (possible ncharset conversion)
import done in WE8MSWIN1252 character set and AL16UTF16 NCHAR character set
import server uses AL32UTF8 character set (possible charset conversion)

So, I'm guessing since the new database did a conversion of NCHARSET from WE8ISO8859P1 to AL16UTF16, the size of the characters threw off something. Thus, there were problems and none of the queries on certain tables worked.

The Solution

The DataDirect Oracle Driver that ships with ColdFusion 9 has an error in it. It appears the error is fixed and if you have an agreement with the provider, you can download an update. However, I don't have an agreement so I downloaded fresh Oracle JDBC Drivers to fix the problem. Here's what I did:

Download the drivers here: http://www.oracle.com/technetwork/database/enterprise-edition/jdbc-112010-090769.html
I used the ojdbc6.jar one.
Copy the ojdbc6.jar file to /JRun4/lib (or, if you wanna be fancy, put it somewhere else and update the class path in the jvm.config pertaining to the instance you want to update)
Restart ColdFusion
Enter the following in the JDBC URL field: jdbc:oracle:thin:username/password@IP.Address.Of.Database.Server:PortOfDatabaseServer:OracleSID
Enter the following in the Driver Class field: oracle.jdbc.driver.OracleDriver
Add the user name and password in the appropriate boxes
Save the datasource. It should verify if you did everything correctly.

If you got an error, remember these things:

Usernames, passwords and seemingly the Oracle SID are case sensitive
The JDBC Url Field is particular and must be exactly right.
The default port for Oracle is 1521

How to resolve svn: Error setting property 'log':

Tue, 29 Sep 2009 07:31:00 -0700

I was trying to check in some changes on the Model-Glue framework and kept getting this error:


update D:/webroot/ModelGlueTrunk/ModelGlue/gesture -r HEAD --force
    At revision 184.
commit -m "Removed potential recursion in this functionality..." D:/webroot/ModelGlueTrunk/ModelGlue/gesture/helper/HelperInjector.cfc D:/webroot/ModelGlueTrunk/ModelGlue/gesture/helper/IncludeHelperShell.cfc
    Failed to execute WebDAV PROPPATCH
svn: Commit failed (details follow):
svn: At least one property change failed; repository is unchanged
RA layer request failed
svn: Error setting property 'log': 
Could not execute PROPPATCH.

I updated from SVN, thinking it to be a synchronization error, but I still got the same error. I used the 'cleanup' or SVN:clean functionality to maybe get the .svn files and such back in to the right condition, but that didn't help either. The original SVN Comment I used was:


Removed potential recursion in this functionality
Also removed useless cfdump when a helper is attempted to be included but doesn't have a cfc or cfm extension

Can you spot the issue? I can't either. What fixed the error:


    Failed to execute WebDAV PROPPATCH
svn: Commit failed (details follow):
svn: At least one property change failed; repository is unchanged
RA layer request failed
svn: Error setting property 'log': 
Could not execute PROPPATCH.

Was changing the multi-line comment to a single line comment. Once the comment was a single line, there was no issue checking it in. I'm not sure what I learned here, but I hope SVN doesn't REALLY have a problem with multi-line comments, after all, we need those to keep details on what changed!

ColdFusion 7 error 500 Null with Custom Tags

Wed, 14 May 2008 18:09:00 -0700

I spent a couple hours diagnosing a 500 Null error. There was little information to go on and 500 Null errors are hard to figure out in general. Let's hope someone is helped by this.

The error resulted on a Linux Machine using CF7.02 with no updaters. The code in question was a set of nested custom tags all linked together using cfassociate. I dug through the code looking for any such potential null reference evaluations and chopped out large blocks of code at a time to try get the error to go away. If I took out enough CFML code, the error went away. It really didn't matter at all WHICH code I took out, just that I took out some mysterious amount.

The total lines of code in the custom tagset was less than 500 with no loops or anything that would jack up the lines of code when evaluated so this REALLY threw me for a loop.

Eventually, I updated to the latest updator for CF7 and the error went away. Strangely, there was no mention in the list of updater fixes, but trust me, the error went away. If you are having a similar problem, use ColdFusion MX 7.02 Cumulative Hot Fix 3 or later.

If you similar stuff going on in your applications, there is a good chance the ColdFusion MX 7.02 Cumulative Hot Fix 3 will sort it out for you.

Fix for Filezilla Failing to Retrieve Directory Listing

Thu, 24 Apr 2008 21:28:00 -0700

I use Filezilla FTP client to manage files on many servers. I had a specific Filezilla client that refused to retrieve a directory listing. Other computers could connect to the same server just fine. Thusly I knew it was a client configuration problem.

I ended up with messages like this:

Response:	200 PORT command successful. Consider using PASV.
Command:	LIST
Error:	Connection timed out
Error:	Failed to retrieve directory listing

I ran the Filezilla configuration wizard to diagnose the problem. The configuration wizard utility ran for a while reporting success until the very end. After timing out, I received the following messages:

Response: 200 PORT command successful
LIST
Response: 150 opening data connection
Response: 503 Failure of data connection.
Server sent invalid reply.
Connection closed

Searching the Internet led to not so helpful posts such as "Please read the Network Configuration guide.". After analyzing the situation, it turns out the solution isn't so obvious. My Client had the default setting of Connection -> FTP -> Active Mode: Get External IP Address From This URL. Which pointed to http://ip.filezilla-project.org/ip.php . This is the source of the problem. If you go to that URL, you will probably get a result of 127.0.0.1. If the Filezilla client needs the external address, and is given 127.0.0.1, then there will be problems indeed!

If you have a similar problem with Filezilla, and the problem persists even when the Windows Firewall is disabled, here is what you need to do:

Open Filezilla, go to Edit -> Settings
Click on Connection -> FTP: Choose Active
Click on Connection -> FTP -> Active Mode: Select "Ask your operating system for the external IP address"
Click on Connection -> FTP -> Passive Mode: Choose Fall Back to Active Mode
Press OK.

Try connecting to your FTP site once again. Works!

Update: In some cases, and for reasons unknown, Filezilla just won't work. I have found that coreFTP is a nice FTP program that is free Windows software which includes the client FTP features you need. Features like SFTP (SSH), SSL, TLS, IDN, browser integration, site to site transfers, FTP transfer resume, drag and drop support, file viewing & editing, firewall support, custom commands, FTP URL parsing, command line transfers, filters, and much, much more!

If Filezilla still does not work for you after you follow the steps above, then install coreFTP and it will work just fine.

Diagnosing Server Issues

Mon, 28 Jan 2008 06:13:00 -0700

I've had the pleasure of working for many diverse employers and clients. A number of times I've been on a team working to resolve misbehaving software/servers. Part of the job is digging through logs. Another part is load testing specific workflows looking for knots or bottlenecks in the process. Still another part is analyzing each query for suboptimal performance.

There can be many factors that contribute to performance problems. Mike Brunt, Systems Guru at Alagad, has the skills to quickly analyze an application and tune it for proper efficiency. Mike has been posting on the Alagad blog for some time now. I find his posts to be informative and to show an uncommon depth on complex topics. Mike has an ability to simply explain tough subjects.

After reading his latest post, I was struck by how much I do not know. I understand, at a base level, how the JVM allocates memory and that changing the allocated memory can improve application performance. I don't pretend to have the experience needed to diagnose problems and fix them by providing more appropriate settings.

Organizations that rely on critical web applications should pay attention to server performance. While performance problems can be mitigated, to an extent, by increasing the hardware running the system, adding hardware brings additional expenses in the form of hardware, software licenses, maintenance efforts, increased power consumption and less available room in the server racks.

If you run into server performance issues, keep in mind the professionals in our community that specialize in diagnosing and repairing server performance. There is more to server performance than code and database queries!

Flash Security with Off-Root CrossDomain.xml files

Fri, 04 Jan 2008 08:13:00 -0700

Bruce Phillips (You should check out his interesting Flex posts) let me know that my Surfing Stats data didn't load when the swf was located off my http://www.nodans.com domain. I want others to take the code and do with it as they please so I need to make the data available across domains. This is done through the use of a crossdomain.xml file. The file I used looks like this:

This is a very promiscuous file. It allows anyone anywhere to load any data in the containing directory and all subdirectories. Such a promiscuous file also opens up security vectors. In the words of Lucas Adamski on DevNet:

As an example, a user is logged in to an e-commerce site that uses cookies for authentication. On the site is a user account settings page where you can see information such as your mailing address and other personally identifiable information. If this site has an overly permissive cross-domain policy file like *, a SWF file that is hosted on another domain could silently load the account settings data and send it elsewhere. This is because the browser appends the cookies for the e-commerce site to the request from Flash Player.

By default, the SWF looks for the crossdomain.xml file in the root of the website but with a little code, you can put it anywhere you please. I used this command to tell the SWF where to find the crossdomain.xml file: Security.loadPolicyFile("http://www.nodans.com/custom/surfingstats/crossdomain.xml");

Now, only the directory containing SurfingStats is enabled, reducing the surface area of attack. If you want to read more on the security issues with crossdomain.xml files, check out these links:
Poking new holes with Flash Crossdomain Policy Files
Cross-domain policy file usage recommendations for Flash Player
The Dangers of Cross-Domain Ajax with Flash

XP Drivers for Toshiba A215 - S7428

Fri, 09 Nov 2007 13:44:00 -0700

Recently I removed Windows Vista and installed Windows XP on the Toshiba A215-S7428. The Windows XP installation is complete and functioning properly. Due to the driver incompatibilities, this process was much more annoying than I thought it ever could be.

To get this to work, you have to pretty much forget the Toshiba site. It is mostly unhelpful and will send you over the edge. Instead, one must dig down deep into the operating system. One must manually edit driver inf files. One must deal with trying to find a driver for "Unknown System Device".

Fortunately, some unnamed kind soul has done all the hard work for you. I have been asked by unnamed kind soul to say the following: [More]

Toshiba Satellite A215-S7428 on Windows XP

Mon, 29 Oct 2007 12:07:00 -0700

I recently purchased a Toshiba Satellite A215-S7428. This well-equipped notebook computer comes with Windows Vista Home Premium. I planned to remove Vista Home Premium and replace it with the venerable and less annoying Windows XP. Let this post serve as a warning to others with similar ideas.

Removing Vista was easy enough. Installing Windows XP was easy enough. Finding and installing drivers has been the bane of my existence.

Update: This has been solved. See: XP Drivers for Toshiba A215 - S7428

Predictably, the Toshiba site was no help. I understand they shipped the computer with Vista Home Premium, and likely feel their support obligations only extend to OEM configurations. However, I lost confidence in Toshiba when I read the following on their Detailed Specs for the Toshiba Satellite A215-S7428: "This product specification is variable and subject to change prior to product launch."

If anyone sees Toshiba, please remind them the product Toshiba Satellite A215-S7428 has launched.

A few of the problems I am currently working through:

Realtek allegedly provided the WLAN component. The driver listed at The Realtek WLAN RTL8187B Support Section is not recognized by Windows XP as a valid driver. RTL8187B is listed by the Windows XP device Manager.

The Display Driver listed by the Detailed Specs for the Toshiba Satellite A215-S7428 is ATI Radeon X1200M. This is not even an option at the ATI driver download site. I tried the Radeon X1200 driver (in the Windows XP > Professional/Home > Integrated/Motherboard > Radeon X1200 but the install aborted when it found no compatible hardware. I guess the 'M' in ATI Radeon X1200M makes a HUGE difference.

As a consolation prize, there is no driver listed for the ATI Radeon X1200M in the Windows Vista section either.

Network and Display adapters are KEY. I haven't even tried to figure out what Base System Device is, or PCI Device....

Final Thoughts

I've swapped OS versions in the past and do not recall these types of issues. If I am overlooking something, please point it out to me. Meanwhile, I issue a word of caution for those who plan to purchase the Toshiba Satellite A215-S7428.

While this notebook comes well equipped on the hardware side, it is severely lacking for those who wish to swap Operating Systems. Think twice if you choose to go this route. There are plenty of computers that will still ship with Windows XP. Choose one of those.

Update: In case you missed the inline announcement, this has been solved. See: XP Drivers for Toshiba A215 - S7428

Anatomy of an SQL Injection Attack

Tue, 05 Jun 2007 08:22:00 -0700

Security is everyone's problem. It is important to be aware of issues that can foster security violations in software. Buffer Overflows, a common software security hole, arise from the length of input not being checked. When the input is larger than the memory allocated, the input data can spill over into unintended memory addresses. By appending a command with the correct offset, it is quite possible to push the command into memory space with high level privileges and execute.

In a buffer overflow attack, often the application accepting the input is running under reduced privileges. Because the input overflows the given memory address, it matters not that the input originated from a low privilege application, but rather the actual memory address where the command is stored and executed.

SQL injection is another type of attack and shares a common root with Buffer Overflow attacks. When input is not properly evaluated and filtered, bad things can happen. In an SQL injection attack, the attacker appends SQL statements to input. Here is a simple query:


SELECT userID, username, password
FROM Users
WHERE UserID = 1

Here is an example of appending a command to an SQL statement.


SELECT userID, username, password
FROM Users
WHERE UserID = 1; DROP Users;

In the last example, an SQL command to drop the users table was added. Imagine for a moment the URL to access a user profile. http://someserver/index.cfm?userID=1 The userID is appended to the URL and is undoubtedly passed to a query in the application that returns the profile associated with UserID 1.

To create an SQL Injection attack with the URL above, we could simply try the following URL: http://someserver/index.cfm?userID=1;drop users When the application substitutes the userID value of 1;drop users in the query, there are actually two statements to be executed. Firstly, the command to return the data from the users table associated with userID 1. Secondly, the command to drop the whole users table.

Pragmatically speaking, there would be little to gain by dropping the users table apart from vandalism. That being said, there are thousands of 5kr1pt k1dd135 whom would be delighted in dropping your users table for you and then bragging to their little wanker friends about how they trashed your server. Still, not much of a security risk? Let us try another angle.

Suppose for a moment a site that charged a lot of money for access to data. Users periodically purchased subscriptions and your organization was making millions. Inside the database was a users table with the field of 'ExpirationDate' representing the date the subscription would need renewal. Shall we form an attack to give us a 20 year subscription?

This is the SQL we wish to execute


SELECT userID, username, password
FROM Users
WHERE UserID = 1; update Users set ExpirationDate = '5/5/2027';

Can you guess what the URL string would look like?

If you guessed: http://someserver/index.cfm?userID=1;update users set expirationdate = '5/5/2027'

Then you are close. We may need to massage the url a little, or find a text input to put our command if the spaces and quotes are not respected.

So we can bump our subscription up 20 years or so. What else can we do? Let us try to add a user.

This is the SQL we wish to execute


SELECT userID, username, password
FROM Users
WHERE UserID = 1; insert into Users (username, password, expirationdate) values ('imahaxor','inyourbox','5/5/2027');

http://someserver/index.cfm?userID=1;insert into Users (username, password,expirationdate) values ('imahaxor','inyourbox','5/5/2027');

Now in place of just extending a subscription, the attacker has a new account that won't expire for a while yet. Not a pretty picture is it?

How can you defend against SQL injection attacks, you ask? There are some best practices you may follow to reduce your attack surface. Let us look at a few:

Reduce the privileges given to the SQL user of your application. If the application never needs to insert into a particular table, then remove that privilege.
Check your input values. If you are expecting a number, add val() around the value. In the case above, a simple val() statement turns a malicious statement into a simple 0. We all like 0, right?
Use prepared statements. Adding cfqueryparam values to your dynamic query values adds great protection. Apart from escaping malicious characters, the prepared statement treats the value as a value, not a string of text to be executed by the SQL engine.

While software is extremely difficult to secure completely you can remove a giant risk by gaining understanding of SQL Injection Attacks and using the techniques above.

Below are some examples of a recent attempt to use SQL Injection on my blog. This attack was not very sophisticated, but could have disrupted the services of this blog.

Invalid data FDEB2819-9F27-DDC8-3C7C7A4B29BC8149 and 1=2 value exceeds MAXLENGTH setting 35.. This was a fingerprinting attack. If the attacker retrieved a page, then the input mechanism would allow sanitized input. If the attacker received an error message, then perhaps important information about the server configuration would be revealed.

Invalid data FDEB2819-9F27-DDC8-3C7C7A4B29BC8149 and char(124)+user+char(124)=0 value exceeds MAXLENGTH setting 35.. This string evaluates to FDEB2819-9F27-DDC8-3C7C7A4B29BC8149 and |user|=0.

Invalid data FDEB2819-9F27-DDC8-3C7C7A4B29BC8149' and char(124)+user+char(124)=0 and '%'=' value exceeds MAXLENGTH setting 35.. This string evaluates to FDEB2819-9F27-DDC8-3C7C7A4B29BC8149 and |user|=0 and '%'='

Google for Domains and MX Records of Death

Wed, 11 Apr 2007 07:43:00 -0700

I set up Gmail for domains the other day. Part of the configuration involves 'Claiming' your domain. This is a simple process. All you have to do is copy a string, save it to a specially named file and add it to the webroot for the domain.

The next part involves setting your MX Records. This means changing the current DNS MX records and adding in the ones provided by Google. Below is the configuration:

[More]