Aug
17
Application Penetration Test - Call to CF community for help!
Posted in ColdFusion, SQL, Servers, Application Security

So next week an "Information Security and Compliance Company" is doing a 16 hour "Application Penetration Test" on an application we developed. It's on a dedicated server with all the latest patches and is on lock down with IP address validation through the firewall. We have made sure every query is protected from SQL injection attacks and made sure any file uploaded to the application is uploaded outside the root and can not be called from a URL. We think we have covered all the bases, here is a list of what the application will go through.
 

Input Validation

Buffer Overflow

Cross Site Scripting

URL Manipulation

SQL Injection

Hidden Variable Manipulation

Cookie Modification

Authentication Bypass

Code Execution
 

Now some of these are basic security 101, and ColdFusion has lots of tools to address the attacks. Has anyone ever gone through this? If so what type of things were found? Can anyone give me any suggestion of things to check?

Posted: Aug 17, 2010 at 9:07:PM by John Ramon | [3] Comments | Print | Views: 4171

Aug
13
Connecting to SQL Server 2008 from OS X
Posted in ColdFusion, SQL, Servers

If your one of the cools kids and have a Mac (sorry windows guys) and you need to connect your development environment to a MSSQL server it's really easy. There are lots of guides out there on connecting ColdFusion to MSSQL but if your connecting from OS X server to Windows server there are 2 settings you need to check.

First once you log in to your development server under Object Explorer right click on the server name and click Properties. Under Security make sure "SQL Server and Windows authentication mode" is checked. Next click Connections and make sure "Allow remote connections to this server". If you setup you users and DB correctly you should be able to connect.

Two times this year I have wiped windows box and 2 times I wasted hours connecting to MSSQL from my iMac. I'm going to be adding more tips to help me and anyone else in the future.

Posted: Aug 13, 2010 at 1:54:PM by John Ramon | [0] Comments | Print | Views: 4079
Aug
10
Cached errors using CFQueryParam
Posted in ColdFusion, SQL

I was working on a project today and ran into this error

[Macromedia][SQLServer JDBC Driver]Value can not be converted to requested type

I did a quick search found a lot of theories on why and how it was caused. So it turns out it's a caching error, by default ColdFusion data sources pool 1000 statements, but how to fix. Almost all suggested restarting CF, which I cannot do, change the dsn name open page to error and then change back, or my favorite: "When in doubt kick it in the guts (restart JRUN)". They all work but not the best way to handle the error.

Easiest and best way to get rid of this error is to log in to CF Admin, click Data Sources, find your data source and click it then click Show Advanced Settings. Update "Max Pooled Statements" to zero, click submit, then run page. Now you can change it back. This removes the cached SQL select statements with out resetting connections to users.

Posted: Aug 10, 2010 at 10:25:AM by John Ramon | [3] Comments | Print | Views: 3384

Latest via Twitter

Find me on: Twitter - Facebook


Categories

Recent Comments

Kiri3sora
Posted: Dec 30, 2011
This is a feature that should be incorporated into the WordPress core. Glad to see someone came up with a solution to the problem in the... read »
ctcpitt
Posted: Dec 29, 2011
This is a feature that should be incorporated into the WordPress core. Glad to see someone came up with a solution to the problem in the... read »
Etty
Posted: Dec 06, 2011
Stands back from the keyabord in amazement! Thanks!... read »
Mira
Posted: Dec 06, 2011
Ya learn sometnhig new everyday. It's true I guess!... read »
ugninypll
Posted: Dec 05, 2011
LM6mlp xakdrbwkhhid... read »

Links