SQL Injection can damage your website’s data and spread to other sites in your organization. This article explains how it works and how you can prevent it.

Exploited vulnerabilities:

A SQL Injection attack relies on the someone sending an HTTP request (web site visitor) being able to add SQL commands to a URL or form variable, and have it sent in a SQL query so that the SQL Server runs it as another SQL command. Any text passed along in URL or form variables can be modified by the user, or automated. URL/Form variables should only be treated as data, and never trusted.  (See http://www.forta.com/blog/index.cfm/2005/12/21/SQL-Injection-Attacks-Easy-To-Prevent-But-Apparently-Still-Ignored for a quick description). If text entered in the URL can get run on the database server as a SQL command, then a malicious user can pass any SQL commands that that SQL login has access to, including making malicious edits, reading from system tables for the database, bypassing site login code, or possibly (if the SQL login has permissions) creating or deleting tables. 

Over the past few months (since about May 2008) there’s been an automated SQL Injection attack running against first just ASP sites, then others, and now ColdFusion sites (searching for URLs containing “.cfm” files). It tries to pass a SQL script in a URL variable to each page, on the hope that at least some pages will pass it directly to the database in a way that the database server will execute them. (See http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-And-ASCII for details on how this SQL works.) 

The malicious SQL script used in this attack loops over system tables (sysobjects, syscolumns) to find character fields in all user tables, and append an HTML string to all character fields, assuming that at least some of those columns will be output directly on some other web page. This HTML string includes a JavaScript block, which will get the browser to download and run that JavaScript URL. (This JS URL will probably change quite often, but will be available enough to be downloaded.) Apparently, this script then turns the browser hitting the page displaying that data into a “bot” to hit other servers, and can do anything that Javascript in the browser can do, especially exploiting browser vulnerabilities.

It only requires successfully hitting one page on one site to get into that database, then the HTML would be displayed on whatever site uses those tables and columns.

The best way to prevent, is to make sure any data passed to SQL queries is only treated as data. All CF Queries should be parameterized (use CFQueryparam to pass the values in).

Action taken for containment:

The best permanent fix is for each and every query to be parameterized, so that no user-supplied text is passed to the database directly.   

There are some ways to block some of the SQL keywords in URL and form variables; this is not guaranteed to match, and may have some false positives, but will buy time to protect all queries. 

We set up some CF code on most public sites, set up in Application.cfm (runs at beginning of each request) to search for these SQL keywords in the URL and then abort the page.

Action taken for resolution and recovery:

The best permanent fix is for each and every query to be parameterized, so that no user-supplied text is passed to the database directly.   

In the meantime, block those SQL keywords either through CF code (we put on most public sites) or through rewrite rules. 

To repair the infected database, we are running a SQL script similar to the injected SQL to remove the appended HTML from those columns it was added to.

Further recommendations:

• Have daily backups of all databases.
• Regular backups of code.
• Do a security audit on your site (TeraTech can do this)
• Better CF regex filtering of url/form variables at application level
  • May block this set of attacks enough to buy time.
  • Not a replacement for parameterizing all queries.
• Blocking on webserver level, using rewrite rules. We haven’t quite found a set of rules that work reliably, but will keep looking.
  • May block this set of attacks enough to buy time.
  • Not a replacement for parameterizing all queries.
  • open-source Ionics ISAPI rewrite filter http://www.codeplex.com/IIRF/
    • Filter requires a copy of the DLL and INI file in separate folder for each site, then point each site to that DLL
  • Helicon ISAPI Rewrite (commercial): http://www.isapirewrite.com/
  • Backup the rule configuration files
• Optionally, look at an application firewall that can block certain types of requests. Rules are options. Not guaranteed to block everything, and can have false positives, but protects the whole server and individual sites, and is highly configurable. Again, not a replacement for parameterizing all queries.
  • Applicure dotDefender; $4000 for a server
    • http://www.applicure.com/
• Each and every query should pass variables to database using CFQueryParam. Use QueryParam scanner (http://qpscanner.riaforge.org/) on source folders to find queries that might be missing.
• Any code that uses URL or Form-supplied values to determine SQL columns or sort order, should check against a list of valid columns etc. Don’t use those values directly in the query without checking.
• If you have cached queries that get user-entered values, CF before 8.01 doesn’t allow caching queries that use cfqueryparam. Consider other options, like caching the query without that WHERE clause and then doing a query on that query.
• Validate form fields; check values of ID fields entered in URL before getting to query, then display nicer message to user and don’t need to send an error message.

Resources: 

CF-Talk discussions on the issue:

http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221

http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241

http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:310594

Good description on how this attack works:

http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-And-ASCII

on Ben Forta’s blog:

http://www.forta.com/blog/index.cfm/2005/12/21/SQL-Injection-Attacks-Easy-To-Prevent-But-Apparently-Still-Ignored

http://www.forta.com/blog/index.cfm/2008/7/22/For-Goodness-Sake-Use-CFQUERYPARAM-Already

http://www.forta.com/blog/index.cfm/2008/7/23/Hacker-Webzine-Recommends-Use-Of-CFQUERYPARAM

QueryParam scanner (search CF code for queries that are probably missing cfqueryparam):

http://qpscanner.riaforge.org/

HP Scrawlr: finds web pages vulnerable to SQL injection attacks on your own sites.

http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx

ColdFusion 9 will not be coming out until 2009, but we thought it might be exciting to hear some of the things coming up in the latest version of ColdFusion, Codename: Centaur.  First of all, ColdFusion will now be FREE for academic use.  The details aren’t completely hatched out, but it seems as though anyone in the education field will receive CF9 for nada!  There will now be the ability to code User Defined Functions and ColdFusion Components in CFScript.

  In addition, there will be an explicit local scope that doesn’t require local variables to be declared at the top of the function and tighter integration with Adobe Air.  Also there will be a new CFFinally tag for exception handling syntax and CFContinue tag for control flow.  

MDCFUG lunch is working splendidly.  Because people have told me how much they like having it at Union Station, and at least partially because Union Station just celebrated its 100^th birthday, we will hold it there again.  November 17^th at 1:30 PM, I will be waiting in the Corner Bakery with my green CFUnited shirt on. Can’t wait to see you all there, and if you get the chance, wish Union Station a happy belated.

Like our monthly MDCFUG meetings at TeraTech’s Rockville headquarters, lunch is a great way to connect with other people working in ColdFusion and to discuss related issues in an informal setting.  Also like our monthly MDCFUG meetings, the MDCFUG lunch will be completely free, with exception to the price of your own food. 

If you are interested in having a lunch, but are not close to the location we chose, please let us know.  All questions, comments, concerns and suggestions should likewise be directed to me, Matt Weiss, Matt (at) teratech.com.  Also, please contact me if you plan on coming so I can provide a contact number for the day of the event.  I will send out an email the morning of the lunch to remind people. Hope to see you all there!

This happens to me all the time.  I try to do SO many things at once none of them get done at all.  Sure there are some people who talk on the phone, send an email, write a report and eat lunch all at the same time, but that doesn't make them more efficient.  On the contrary, if you're the person on the other line of the phone with that multitasking maven, you'll probably notice that you don't have their full attention.  The email being sent by the diligent do-gooder may be filled with typos, or they'd have to go back over it again to make sure it wasn't, which pretty much cancels out the time saved multitasking in the first place. 

It is almost counterintuitive, but the best way to get things done is to do them thoroughly one at a time, without any interuptions.  If you try to do two things at once, at best you'll end doing both quickly, but probably not very well.  Miki Saxon's blog, which always has great information and insight, gave me some clues about how this works.  Read her blog by clicking here.  

MDCFUG’s monthly lunch has definitely been picking up speed.  People have been contacting us every month to come meet new people in the industry and make contacts and see what other people are doing with ColdFusion.  This idea has grown so much and been so successful that we plan on holding an MDCFUG Happy Hour in the very near future.  Until that happens, we are going to be having another MDCFUG meeting in October to tide you over.  (The August one was postponed to September.)  October’s lunch will be held at Union Station on Monday October 6^th at 1 pm, so everyone can come despite preference or dietary needs since there are so many restaurants there.

Like our monthly MDCFUG meetings at TeraTech’s Rockville headquarters, lunch is a great way to connect with other people working in ColdFusion and to discuss related issues in an informal setting.  Also like our monthly MDCFUG meetings, the MDCFUG lunch will be completely free, with exception to the price of your own food. 

If you are interested in having a lunch, but are not close to the location we chose, please let us know.  All questions, comments, concerns and suggestions should likewise be directed to me, Matt Weiss, Matt (at) teratech.com.  Also, please contact me if you plan on coming so I can provide a contact number for the day of the event.  I will send out an email the morning of the lunch to remind people. Hope to see you all there!

Adobe Audition is the latest in sound editing.  The newest interface matches the rest of the Adobe Video Collection package (along with Premiere Pro, Encore DVD, and After Effects) to a T.  While most full service Digital Audio Workstations (DAW) run almost exclusively on Mac’s, Audition only works on Windows, which may make shortcuts a little difficult to get used to.  But the program is absolutely complete for use of tracking, editing, mixing and mastering on a professional level even as far as the pitch shifting/time-stretching Radius, made by iZotope, the same algorithm used by industry trademarks like Cakewalk and Digidesign. 

The new design of the frequency editor makes it much easier to pin-point selections and change them around to your setting.  With this you can even take selections, put them into Photoshop, and change them that way.  One of the best updates with the new version is the increased latency when recording.  This seemed to be one of the biggest drawbacks of the older version and Adobe definitely corrected it.  The Guitar Suite-effects sound awesome, mimicking analog guitar sounds to affect any track with wah, distortion and compressor.  This really is a wonderful DAW where the limits of what you can do truly end with your imagination. 

Think you can solve common Adobe AIR related coding problems? Then you qualify for the Adobe AIR Cookbook Cook-off contest sponsored by O'Reilly Media to celebrate the upcoming publication of the Adobe AIRCookbook <http://oreilly.com/catalog/9780596522506/>.

During this contest, we invite you to submit your best solutions to common AIR coding challenges for a chance to win some great prizes.


Who: RIA developers who are legal residents only of the United States

What: Solution to a common Adobe AIR related coding problem

Where: Adobe AIR cookbook website at
<http://www.adobe.com/go/air_cookbook>

When: Entries accepted between August 11 and September 26, 2008

Why: To have a chance at winning one of four great prizes—as well as helping others in the community build better AIR apps

Four winners will be chosen during the contest period. They will be awarded one of the following prizes:

Grand prize--One pass to the Adobe MAX 2008 conference in San Francisco, California (November 16–19)--valued at US$1,695--and also US$500 in O'Reilly Media books

Second prize--Every English-language Adobe Developer Library (ADL) book published by O'Reilly Media prior to September 1, 2008 


Third prize--Five O'Reilly Media books of the winner's choice

Community choice award: US$350 in O'Reilly Media books to the winner of the top-rated recipe during the contest period. For details on how to enter the contest, go to:
<http://www.adobe.com/devnet/logged_in/mkoch_aircookoff.html>

Entries will be judged by a committee of experts from the RIA developer community and Adobe based on user experience, implementation, creativity, relevance, and (for lack of a better word) "AIR-ness." Winners will be notified by e-mail or letter by October 15, 2008.

For more details on the terms and conditions of the contest, please visit the AIR Cookbook Cook-off Rules and Regulations page on InsideRIA:
<http://www.insideria.com/air-cookbook-rules.html>

Miki Saxon is quite a perceptive woman.  Virtually every month we feature a new article of her's in our newsletter, and for good reason.  They are interesting, well written, and have different takes on virtually every aspect of corporate life.

Her latest entry is about how encouraging people to think "outside the box" as people say, is futile.  Everyone has a box in which their imagination is contained.  Trying to think outside of it is against the purpose of these boxes.  Saxon feels that the way we come up with new ideas is to recognize the size of your box and try to expand upon it. 

Obviously, those who are very creative and have built their lives on their creativity have much bigger boxes.  The objective is to expand our boxes so that our creativity increases.  But everytime we "think outside the box" a new box is created around it, thus we always have a box.  But if we keep expanding, the sky is the limit.  You can read all of Miki's article HERE.

TeraTech welcomes our newest salesperson, Kathleen Herrington, to the team!

A Maryland native, Kathleen Herrington main area of expertise is in sales and marketing.  After studying Psychology and Business Administration at University of Maryland, Baltimore County she began her career at NationsBanc Mortgage and in that industry she stayed for over 15 years.  She is excited to learn more about web application development. She decided to come to TeraTech “because of the people and TeraTech’s philosophy towards its own people.  Michael [Smith] has an open-door attitude that everyone has something to contribute.” 

That she has lived in Montgomery County in Silver Spring and Rockville her whole life, it makes sense that she’s made a home for herself in Gaithersburg with her “husband and assorted children and pets,” she says.  Welcome Kathleen!

Today Sean Corfield passed the torch of Fusebox core development to Adam Haskell (see Fusebox site for more details on Adam's vision for Fusebox core development). I appreciate Sean for the Olympic improvements he has made to Fusebox over the years - getting the source into a public Trac repository (with Sim's help), rewriting the core into CFCs and adding many useful features over the years. And consider that when Sean first came across Fusebox he argued against it - but after trying it out he liked it so much that he helped out on the core files and help to steer Fusebox to where it is today! I will miss his lively input at Team Fusebox meetings too.

And I am looking forward to Adam taking Fusebox to the next level. When we discussed his ideas for the core at CFUnited he showed both the experience and passion to improve things a lot. And I think from his message that he is interesting in hearing from the Fusebox community too.