Sid's FishNet

Adding a Twitter Feed To Your Site

sidfishes — Fri, 29 May 2009 19:50:16 +0000

With CF8 and the cffeed it’s easy to add a feed of your tweets to your site. I’ve found this is a really good way of getting followers on Twitter. I’ve used cfpod and cffeed below

I like to style my cfpod’s but IE (at least to IE7 and as per usual) has “issues” so i just do a browser sniff and use a couple of variables to make the pod look the same in all browsers

#dateformat(listfirst(feeditems.publisheddate,”T”), “mm/dd/yy :hh:mm”)#

#REReplaceNoCase(feeditems.Content, “<[^>]*>”, “”, “All”)#

Subscribe To My Twitter Feed

My twitter account is a corporate presence so I don’t want other people’s tweets showing on my site. If you were just to set your feed url to

http://search.twitter.com/search.atom?q=yourTwitterName

you would get all hits for yourTwitterName, even those posts from others who are @replying to you. This might not be an issue for some I want to make sure only -my- tweets show up in the feed. Just add

-@yourTwitterName

to the search.atom criteria and this will exclude any @yourTwitterName search results

One other thing you may notice is that I’ve added a html stripping rereplace funciton.

#REReplaceNoCase(feeditems.Content, “<[^>]*>”, “”, “All”)#

This is a good idea for feeds and any source for which you have no control over. I don’t want visitors to my site to have any issues with potential attacks propagated through Twitter (or any other service). We’ve already seen a couple of Twitter “worms” and I don’t need a potential XSS vulnerability introduced on my site. (paranoid..yes but that’s a -good- thing)

Protect your admin interface.

sidfishes — Tue, 26 May 2009 17:08:23 +0000

Just a quickie today.

Many websites require an admin interface to handle the public facing areas of the site. While these can and should be protected with -strong- passwords, as a web developer we always want to provide an attacker with the smallest possible “attack surface”. What an attacker can’t access, they can’t hack*.

You can make a simple change to the application.cfm/cfc file of your admin interface to provide a greater level of security.

– all your application.cfm code –

This limits access to your admin site to a single IP address. You could hard code this if it’s your site or you could make it a variable and read from an ini file where a client sets the value.

If you want to allow access from multiple IPs just create a list

123.45.67.89, 123.45.65.90” delimiters=”,”>

To use this in application.cfc, just add the code to onRequestStart

* It’s important to note that this is -not- foolproof since cgi variables -can- be spoofed. There is some debate on whether remote_addr can be spoofed but since security best practice -always- assumes the worst, make sure you’ve got a nice, strong password to protect your admin interface.

Extra tip:

Use a strong -Username- as well as a strong password. It’s an awful lot harder to brute force attack a website with a username that won’t likley be found in a dictionary or by social engineering/target research

If your name is Frank make your username Fr4an8k . This way an attacker has to figure our what the Uname is before even starting on the pwd. Most will simply move on. (and never, ever use a username such as “admin”)

CF, XSS & SQLi – Keeping Your Users Safe

sidfishes — Tue, 17 Mar 2009 20:20:30 +0000

I’ve recently been thinking a lot (more) about web security, specifically XSS (Cross Site Scripting) and SQLi (SQL injection). Coldfusion is one of, if not the easiest, web scripting language to code securely. Straight out of the box, it’s harder to run an SQLi attack against than most. (please… I said harder, not impossible)

here’s a pretty good discussion about this with several of the top CF “experts” at EE

Bottom line for a CF coder is that using cfqueryparam will eliminate your SQLi risk. It’s an Adobe recommended best practice

Adobe recommends that you use the cfqueryparam tag within every cfquery tag, to help secure your databases from unauthorized users. For more information, see Security Bulletin ASB99-04, “Multiple SQL Statements in Dynamic Queries,” in the Security Zone, www.adobe.com/devnet/security/security_zone/asb99-04.html, and “Accessing and Retrieving Data” in the ColdFusion Developer’s Guide.

From LiveDocs

and you’re crazy not to use it.

You may actually see a performance boost using it as well.

If the DBMS doesn’t have to parse, analyze, and validate as much text, it’ll be able to respond to requests quicker and more efficiently

Faster and Safer Queries Using The cfqueryparam tag

However, just because you use cfqueryparam don’t get smug. You still may be vulnerable to exploits. XSS is harder to deal with and while CF does have some built in protection you can enable, it doesn’t protect you in all cases.

In CF8 (and maybe CF7..I can’t remember) CFadmin has a Server Settings > Settings > Enable Global Script Protection.

This is to “Specify whether to protect Form, URL, CGI, and Cookie scope variables from cross-site scripting attacks”. Sounds great. Check that box and your done. Safe and sound? Not so much.

Submit the following form with Global Script Protection (GSP) disabled. You should see an alert box which means you’re hax0red. Enable GSP and you won’t get the alert and you’re safe. However, while GSP is good for protecting against js hacks like alert(‘Gotcha?’) it -won’t- do anything to protect you against an iFrame attack. I’ve simulated one here using a visible iFrame, an actual iFrame used in an attack would be hidden. You’ll notice that the injected iFrame shows up whether GSP is enabled or not. This is because an iFrame is not actually a “script” so it’s not filtered. To fix this we need to strip html tags from input (which you should never allow to be submitted in any case) by using reReplaceNoCase and the regex <[^>]*>

As you can see, this eliminates the iFrame issue. This also defeats the JS inject issue as well even without GSP enabled.

Did you see the JS Alert???

#form.f1#

]*>”, “”, “All”)>

#myvar#

I’m an injected iframe

#form.f3#

That’s bad ;(

]*>”, “”, “All”)>

No iframe here
#myvar#

XSS Demo

I’ve got a couple of free tools to recommend as well.

SQL Injection Blocker v.3 by Mary Jo Sminkey

This is a “blacklist” tag which looks at common CGI variables and checks them for common SQLi keywords like insert|delete|select|update etc and for other nasty bits which don’t belong in form submits. You just cfinclude it in application.cfm or cfc and it should head off most attacks. Note:this is -not- meant as a replacement for everything I’ve outlined above. It’s an added layer.

I figure it’s a good idea to find out if a site is under attack ASAP so I customized blocker.cfm by adding a log variable to each cgi variable section
ie:
log =url;
log =form;
etc

and then output the log as well as a cgi.remote_addr (attacker IP) in a cfmail which gets sent to me via SMS when blocker intercepts a hack attempt. This gives me the time, remote ip and details of the hack.

Another set of tools I just came across and really like are the ExploitMe plugins for firefox from Security Compass They do SQLi, XSS and Access Control Checking

You can also use HP Lab’s scrawlr for SQLi

If you have already been hacked with a SQLi attack you can use scrubbr from OWASP.org to help sanitize your db.

Take Out? Always use cfqueryparam, always use rereplacenocase to remove html and test, test, test.

Creating User Feedback With CFWindow

sidfishes — Thu, 12 Feb 2009 17:14:38 +0000

I hate javascript alert(‘boxes’). They’re boring, ugly and a lousy way to do user feedback. I recently put together the following demonstration of a more elegant system to present error message and feedback to user based on the coldfusion CFWindow tag. If you’ve never used CFwindow before, this tag automagically creates a div which can be populated with pretty much anything; dynamic data, images, even flash.

One thing to note about this code is that nowhere in the code will you actually see which is the tag built-in to Coldfusion. the CFWindow tag is very simple to use but in order to make your app really stand out, we need to get into the API which is built from the amazing EXT javascript library This allows us to dynamically set the window size, change the header style of the window and much more.

Have a look at the code. I’ve commented a lot (for me anyways) throughout the code so it should be fairly straightforward.

One note of warning. WordPress likes to mess with some of the text in and especially ” quotes even using the code tag so this may require a bit of cleaning up after you cut and paste.
#url.msg#


Both files must be in the same directory.
Description

java_script alert() messages are so turn of the century. This tutorial uses CFwindow to create custom error and informational messages. The main function is showMsg() which creates the window and takes several parameters to set up how it looks and what messages are displayed. Unlike basic usage of the cfwindow tag, this uses the Coldfusion AJAX API (via cfajaximport) to create windows at runtime (so you don't have to know how they're going to look or  what they'll contain in advance)
We also take advantage of changing styles of the cf window (didn't know you could do that?) to provide appropriate visual cues for the user.
Since we are creating the window at runtime, it gives us the opportunity to automagically resize the window to fit our message text. This is something you can't do with the simple cfwindow tag as you have to hard code the window size in advance and it can look a bit clunky as a one size fits all message box.
The simplest usage of this function is
function sayHello(){

var d = new Date();

var msg = 'Hello World';

var wid = d.getMinutes()+d.getSeconds();

showMsg(wid, 'Message',msg, 75,400);

}
You can use this on any page to call a window. You can put pretty much anything in the message including html

--->


















function sayHello(){

var d = new Date();

var msg = 'Hello World';

var wid = d.getMinutes()+d.getSeconds();

showMsg(wid, 'Message',msg, 75,400);

}

Modifying IIS 6 to allow subdomains using a wildcard ssl certificate to use port 443

sidfishes — Fri, 23 Jan 2009 15:23:00 +0000

History: By default, IIS websites cannot use the same SSL port (443) for a site using the same IP address. Websites with different IPs can all use port 443. This situation is typical of a standard SSL certificate which is issued to a single host header (ie: secure.website.com). Any other attempt to connect to a site via https through a different host header (ie: www.website.com) causes a certificate error (this is by design).

This becomes an issue when trying to install a wildcard SSL certificate. Wildcard certificates provide the ability to secure all subdomains on the root domain using a single certificate. (*.website.com) examples:

root domain – website.com

subdomains -admin.website.com, shop.website.com,etc

However, after you’ve installed a wildcard certificate and try to set up the subdomain to use SSL port 443, you will receive a Port In Use error. You will not be able to start the subdomain websites with the port set to 443. The IIS MMC (inetmgr.mmc) does not provide a method of resolving this so you must use the command line. (Start -> Run -> cmd)

You need to determine the site identifier of the subdomain you wish to modify. To determine Open IIS MMC, click on Web Sites and view the Identifier number next to the subdomain website. In the following script, replace with the number shown in the IIS MMC and change subdomain.website.com to the subdomain you wish to modify. Run the script with the modifications and you should now be able to browse to https://subdomain.website.com with no error.

cscript.exe c:\inetpub\adminscripts\adsutil.vbs set /w3svc//SecureBindings “:443:subdomain.website.com”

if you have multiple subdomains, you could create a batch file to run the scripts.

A Coldfusion Who’s Online Widget

sidfishes — Fri, 09 Jan 2009 18:52:42 +0000

Last week I set up Ray Camden’s Lighthouse Pro , a open source issue/bug tracking Coldfusion application. We are going to use this internally for project and bug tracking. One bit of functionality I wanted that wasn’t included was a Who’s Online function so everyone could see who was using the site at any given time. This gives me to opportunity to “gently” prod folks who are resistant to using the new program that “it’s the way we now do things”. Change is hard you know.

This code is not specifically tied to any app and can be dropped in any system using application.cfc. It would be good for forums, intranets or any other “social web” app where knowing who’s online may be a benefit.

The first bit is to define the struct we are going to use to store the information and to populate it with the newly logged in user.

On thing to note here is that I’m using a combination of CFID and Username to give me my user_cfid which is the key we are looking for. The reason for this is that we want to be able to allow multiple users with the same name to use the application. If we just keyed on username, the system couldn’t tell there were more than one and we could see name overlap problems. Because CFID is set with the session, it’s “reasonably” unique, especially when combined with username. For greater overlap prevention or for systems which only use jsessionid’s, you could use createuuid() intead of CFID.

Application.cfc onRequest in your successful login section
—————————————-

the second bit does the updating and checking of user activity and either updates or deletes the user from the tracking struct

Application.cfc onRequest
—————————————-

set to 0 will check on each page load and will cause list to change a lot as people “timeout”
while viewing or working on pages
set to 10 minutes will give a more general idea of activity.
remember that activity timeout and session timeout may be different.
—>

this would be due to having an activity online timeout which is shorter than
your session timeout. —>

and delete them as their timeout period will have expired. —>

This last bit is the display section which you can place on any page you want the widget to appear.

whosOnFirst.cfm
———————————————-

Users Online : #StructCount(Application.UsersInfo)#

#listlast(UCASE(Uname))#

#listlast(UCASE(Uname))#

Last Activity : #timeformat(structfind(Application.UsersInfo,uname), “hh:mm:ss”)#

For apps that allow both registered users and guests, you could add an additional logic section to onRequestStart which determines if a user is browser as a guest and then set user_cfid as

Since CFID is “unique-ish” we can combine it with multiple Guests and not have overlap. For larger volume sites which could have many guests, I’d recommend using the createUUID() as recommend above.

Word of warning: I’m not sure what performance implications there would be on a heavily visited forum site. You would also want to either limit the number of users displayed by the collection cfloop, or add some css to allow for scrolling of the div so you didn’t have a list that had 300-400 visible users.

Have Fun.

Foxpro, Coldfusion File Read Error

sidfishes — Fri, 19 Dec 2008 19:10:03 +0000

I’m right in the middle of final testing for my UPSConnect/Coldfusion app and I started to see a bunch of errors popping up in my logs and my app stopped working.

The specific error was

[ODBC Visual FoxPro Driver]Error reading file

Hmm. I verified that the remote folder was accessible and the datasource verified in CFAdmin. Still no go. Couldn’t even perform a simple select on any of the dbf files

One thing is different today is I’m testing after UPS End of Day procedure has been run. This procedure “archives” the days shipments by copying them into new tables and emptying the working tables. So I thought maybe there might be an issue with the driver accessing empty tables (although I was 99.9% sure that I had selected on empty table before)

Then I had a thought. Uncheck good old ” Maintain connections across client requests” in CFadmin>Datasources>Advanced Settings

Sure enough, that fixed the problem. I can select on my tables again.

Now I’m not sure -why- my datasource would work for 2 months with this setting enabled and then -not- but at least it’s working.

Calculating a UPS Shipment Number From a Tracking Number

sidfishes — Wed, 19 Nov 2008 22:18:47 +0000

I may be the only person who ever needs to calculate a UPS Shipment Number. The project I’m working on requires me to create this value for a custom commerical invoice.

The format of the shipment number is

123X59M7CH

and the tracking number format is

1Z 123X56 66 2075 4864

Sort of the same … but not. The first part of the shipment number is your account number. That was -easy-. Second part, a bit more involved. Turns out, that this number is generated using base26 encoding. Base26 is rarely used but it is here. I’ve put together a custom tag which does the conversion for you. Just pass it a tracking number.

ShipmentNumber:#shipNum#

——save code below as base26Encoder.cfm ——

:
Attribute trackingNum not found’>

:
Attribute trackingNum can not be empty’>

1st 2 digits – Lead numbers
next 5 – Acct Number
next 2 – service class
next 7 tracking number
last digit – check digit
—>

//remove any spaces
tN1 = replace(attributes.trackingNUm,” “, “”,”all”);
//get the tracking number and check digit
tN = right(tN1,8);
//strip the check digit
tN = left(tN,7);
//get the account number
aNum = replace(replace(left(tN1,7), tN, “”),”1Z”, “”);
//do the base26 calculations based on UPS requirements
//discard remainders so use int()
p1 = int(tN/26^4);
p2 = int((tN-(p1*26^4))/26^3);
p3 = int((tN-(p1*26^4)-(p2*26^3))/26^2);
p4 = int((tN-(p1*26^4)-(p2*26^3)-(p3*26^2))/26);
p5 = int((tN-(p1*26^4)-(p2*26^3)-(p3*26^2)-(p4*26)));
//set up conversion lists
l1 = “0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25″;
l2 = “3,4,7,8,9,B,C,D,F,G,H,J,K,L,M,N,P,Q,R,S,T,V,W,X,Y,Z”;
l3 = p1 & “,” & p2 & “,” & p3 & “,” & p4 & “,” & p5;

Hope someone else finds this useful.

Newspaper Columns Using CFscript and CSS

sidfishes — Tue, 11 Nov 2008 23:16:30 +0000

Someone asked me how to break up a text block into 3 columns (like a newspaper). While this isn’t necessarily the best way to format a webpage (scroll down, scroll up, scroll down ), it is a familiar format.

Thanks to a neat little cfscript function from theLazyCoder, it turns out to be fairly simple.

The code takes a block of text courtesy the Lore Ipsum Generator and chops it up into 3 sections for your page. You could simply use left mid and right but you would get words that were cut off in the middle. Using the fullLeft function we get the closest full word to the end of each column and then we just subtract the previous section using replace. For the third column, we replace both the first and second column text.

For a 7 in tall page using default font size, 950 characters seems to fit about right.

col1 = fullLeft(mytext,950); //get the full word closest to 950 chars
col2 = fullleft(replace(mytext,col1,”"),950); //get the full word closest to 950 chars – the chars in col1
col3 = fullleft(replace(mytext,col1 & col2,”"),950); //get the full word closest to 950 chars – the chars in col1 and col2

Once we’ve broken it up this way we can simply apply a little newspaper-ish CSS and you’ve got 3 columns justified with gutters.

Limitations:

Doesn’t deal with multiple pages

Doesn’t allow for handling characters when there are more than the 3 columns allow

The Code

Curabitur leo sem, tincidunt sed, suscipit eu, congue eu, sem. Mauris tincidunt nisl sed leo. Nullam eget dolor non mi feugiat vestibulum. Pellentesque orci. Sed purus. Vestibulum tempus, ante pellentesque dapibus blandit, quam felis hendrerit enim, egestas molestie elit magna ut pede. Cras in quam non nulla lobortis rutrum. Nam sollicitudin adipiscing risus. Etiam quis urna. Ut et orci. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Aenean arcu mi, aliquam sed, laoreet in, vulputate sed, ante. Suspendisse sagittis ipsum rutrum ipsum. Quisque urna. Maecenas id lectus.
Suspendisse lobortis lacus ut tortor. Quisque tincidunt mauris et arcu. Morbi justo nunc, malesuada ac, suscipit in, convallis at, nibh. Morbi accumsan erat ac urna. Sed gravida. Phasellus tristique. Donec volutpat dictum turpis. Nam vel ante. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Sed eu odio facilisis mi ornare interdum. Curabitur quam mauris, cursus sed, ultrices a, tincidunt eget, enim. Morbi in nunc sed ipsum sagittis commodo. Curabitur augue. In mattis nibh eu arcu. Donec mattis metus non tortor. Nulla et erat. Ut tempor. Aliquam tincidunt urna porttitor augue. Ut elit augue, suscipit a, pulvinar et, porta et, lacus.
Proin felis purus, ornare nec, auctor vel, adipiscing ac, ligula. Nam faucibus tristique justo. Nunc tristique metus vel quam. Vestibulum ultrices massa a sapien. Praesent sit amet diam vitae elit vestibulum facilisis. Maecenas pretium massa a sem. Vestibulum lobortis. Nulla arcu arcu, laoreet eget, scelerisque non, dapibus vitae, sem. Sed tempus, sapien id consectetuer lacinia, dolor elit aliquet diam, in malesuada nulla lacus eget erat. Vestibulum consectetuer sapien a felis. Curabitur et erat a neque laoreet rutrum. Curabitur ac leo ut purus dapibus dignissim. Ut tincidunt, urna eget interdum ultrices, enim urna sollicitudin leo, nec tincidunt ligula mi sed ipsum. Maecenas imperdiet massa quis neque. Ut vel lectus id magna malesuada imperdiet. Ut nec quam. Aliquam enim lorem, luctus at, fermentum et, tempor at, neque. Integer in enim sit amet lorem auctor viverra.
Etiam vitae elit. Integer bibendum augue tincidunt dui. Sed semper consectetuer dui. Pellentesque volutpat egestas nunc. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas.
“>

col1 = fullLeft(mytext,950);
col2 = fullleft(replace(mytext,col1,”"),950);
col3 = fullleft(replace(mytext,col1 & col2,”"),950);

//fullLeft function from: http://thelazycoder.com/1/2007/07/53.Full-Left-Word-Count-with-Whole-Words.cfm
function fullLeft(str, count) {
if (not refind(“[[:space:]]”, str) or (count gte len(str)))
return Left(str, count);
else if(reFind(“[[:space:]]”,mid(str,count+1,1))) {
return left(str,count);
} else {
if(count-refind(“[[:space:]]”, reverse(mid(str,1,count)))) return Left(str, (count-refind(“[[:space:]]”, reverse(mid(str,1,count)))));
else return(left(str,1));
}
}

#col1#

#col2#

#col3#

Port Panic

sidfishes — Thu, 30 Oct 2008 23:13:50 +0000

Today was one of those days. The network was down when I got to work, so even before my first cup of coffee I was fielding “I can’t..” and “It doesn’t…” We’ve been having some issues with one of our older 3com switches and that was my first thought. I did a reboot of that switch but that didn’t clear things up. It did bring back internet but my fileserver was still offline (ping-able) but nobody could connect. I did a reboot of that server and while I was waiting for it to come back up I had a look at the last vulnerability scan for our AD/DNS server. This scan is done by eEye software’s Blink which is built on the highly regarded Retina vulnerability scanner. I hadn’t checked the scan results for a while (bad me, I know… but at least I AM scanning. Are you??) And the thing that immediately caught my attention was a HUGE number of open UDP ports. (in the thousands!!) The port numbers range from 49157 to 65529.

Immediately I’m thinking I’ve either been hacked or someone has set up some P2P on our network. I was pretty sure it wasn’t someone internal so I immediately went into intrusion event management mode. Checking logs, current firewall traffic, A/V scans and then a bunch of malware scans. Blink is has a good set of tools for this and it was coming up empty. I went to my next line of defense which is good old Spybot. Again the system came up clean. I also used a tool from eSet (makers of NOD32 A/V) called SysInspector. This is a useful utility I found on a sans.org diary posting. Nothing out of the ordinary there either. Lastly, I did a scan with RootKit Revealer from sysinternals err Microsoft. Again, nothing.

I should point out that by this time everything is working fine for all my users. You might be thinking that by this time, I’m feeling a bit better about things. Nope. In fact I’m even more worried as I’ve got a ton of open UDP ports and I can’t find a reason why. My next move is to create a custom rule for the Blink software firewall, blocking the open UDP ports and log the results. All of a sudden, the Blink service goes to 100% cpu and I’m getting a -lot- of denied log entries for all of these various ports. Each of these ports seems to be trying to contact a different external IP. Now I’m thinking I’m really screwed. Someone is operating some kind of server on my -clean- system!

But then… I get a call. “I just lost my internet”, then another. Then -I- can’t browse to some sites. Hmmm. DNS? I did an ipconfig /flushdns /registerdns on my workstation and now I have no name resolution. Ok. It’s DNS related for sure. I go back to my AD/DNS server and remove my newly created rule repeat the ipconfig and viola… the internets are back.

So, I did a google search for UDP 49157 to 65529 and didn’t really turn up anything. But I did finally come up with a mention of them being part of the dynamic or emphemeral port range. Once I found that out I found the wikipedia entry which gave my the entire range of these ports (49152–65535). With that and a quick search, I was finally led to an article on TechTarget which has an explanation.

“This security update also introduces a new default for DNS port settings for Windows Server 2000 and Windows Server 2003 — dynamic default socket port ranges have changed from 1025 through 5000, to the new range of 49152 through 65535. We encourage you to review the firewall settings in your environment to ensure that traffic between servers in the dynamic port range of 49152 through 65535 is allowed. Windows Vista and Windows Server 2008 already have the default port range of 49152 to 65535. For additional information, please review the MS08-037 bulletin.”

Lightbulb moment. All those open ports are supposed to be there. They are the ports which are used by the new DNS patch to avoid the DNS cache vulnerability of July 2008. Sigh. I probably could have stopped after rebooting the fileserver (oh, about 6 hours ago)

I don’t feel that it was a wasted day for a couple of reasons. Firstly, like most other short handed IT folks, I never make the time to do incident response simulations. This was a good -simulation-. Secondly, I’m pretty confident that my various levels of security, patching and updating are doing their jobs. Lastly, I’m happy to report a clean bill of health for my server room.

It’s too late for that cup of coffee, but it’s just the right time for a drink,