<?xml version="1.0" encoding="utf-8"?>
			
			<rss version="2.0" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:cc="http://web.resource.org/cc/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd">

			<channel>
			<title>Coder&apos;s Revolution - Security</title>
			<link>http://www.codersrevolution.com/index.cfm</link>
			<description>Following RIAs, Adobe products, and coding in general.</description>
			<language>en-us</language>
			<pubDate>Thu, 02 Sep 2010 17:34:09 -0500</pubDate>
			<lastBuildDate>Fri, 29 Jan 2010 23:44:28 -0500</lastBuildDate>
			<generator>BlogCFC</generator>
			<docs>http://blogs.law.harvard.edu/tech/rss</docs>
			<managingEditor>brad@codersrevolution.com</managingEditor>
			<webMaster>brad@codersrevolution.com</webMaster>
			<itunes:subtitle></itunes:subtitle>
			<itunes:summary></itunes:summary>
			<itunes:category text="Technology" />
			<itunes:category text="Technology">
				<itunes:category text="Podcasting" />
			</itunes:category>
			<itunes:category text="Technology">
				<itunes:category text="Tech News" />
			</itunes:category>
			<itunes:keywords></itunes:keywords>
			<itunes:author></itunes:author>
			<itunes:owner>
				<itunes:email>brad@codersrevolution.com</itunes:email>
				<itunes:name></itunes:name>
			</itunes:owner>
			
			<itunes:explicit>no</itunes:explicit>
			
			
			
			
			
			<item>
				<title>PCI DSS Compliance Part 2 - Weak SSL And Ciphers</title>
				<link>http://www.codersrevolution.com/index.cfm/2010/1/29/PCI-DSS-Compliance-Part-2--Weak-SSL-And-Ciphers</link>
				<description>
				
				The next stop on our PCI DSS Compliance tour is disabling weak SSL versions and encryption ciphers.  If your site is handling credit card payments, it is undoubtedly using HTTPS for at least the pages that collect payment information.  I thought I had already taken care of this item, but I was apparently mistaken.  Fortunately, this is pretty easy to fix, and if you&apos;re on Windows I&apos;ve even cooked up a quick and easy registry file for you to use.
				 [More]
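
				As an added example (my code, not the post&apos;s; the Windows registry file the post mentions is not reproduced here), this Python script does the outside-in check a PCI scanner does: one handshake attempt per TLS version against a host, flagging any negotiated cipher suite that is NULL, export grade, RC4, DES/3DES, MD5-based or anonymous. Current OpenSSL builds cannot speak SSL 2.0 or 3.0 at all, so those versions cannot be probed from here and need a dedicated scanner or a look at the server configuration itself. One caveat this 2010 post predates: since PCI DSS 3.1 the standard also rules out TLS 1.0, so the report counts TLS 1.0 and 1.1 as legacy. The host name in the usage line is a placeholder.

```python
import socket
import ssl

# Substrings that mark a cipher suite as weak for PCI purposes: no encryption,
# 40/56-bit export grades, RC4, (3)DES, MD5 MACs and anonymous key exchange.
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ANON", "ADH", "AECDH")


def is_weak_cipher(name):
    """Return True if a cipher suite name (IANA or OpenSSL spelling) is weak."""
    upper = name.upper()
    return any(marker in upper for marker in WEAK_MARKERS)


def weak_ciphers(names):
    """Filter suite names (e.g. from a scanner report) down to the weak ones."""
    return [n for n in names if is_weak_cipher(n)]


# Versions this client can ask for. Modern OpenSSL no longer speaks SSL 2.0/3.0,
# so a server still offering those needs a dedicated scanner or a server-side check.
PROBE_VERSIONS = (
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
)


def probe_protocols(host, port=443, timeout=5.0):
    """Try one handshake per version; map label to the negotiated cipher or None."""
    results = {}
    for label, version in PROBE_VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False          # testing protocol support, not trust
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            # Lower the client's own policy so a weak server-side offer is visible.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except (ValueError, ssl.SSLError):
            results[label] = None           # this OpenSSL build cannot speak it
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[label] = tls.cipher()[0]
        except (OSError, ssl.SSLError):
            results[label] = None
    return results


def report(results):
    """Summarise a probe: legacy versions offered and weak suites negotiated."""
    legacy = [v for v in ("TLS 1.0", "TLS 1.1") if results.get(v)]
    weak = weak_ciphers([c for c in results.values() if c])
    return {"legacy_versions": legacy, "weak_ciphers": weak}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # placeholder host
    print(report(probe_protocols(target)))
```

				The classification works on both IANA names (TLS_RSA_WITH_RC4_128_SHA) and OpenSSL names (RC4-SHA), which is what most scanner output uses.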
				</description>
						
				
				<category>Server Administration</category>				
				
				<category>Networking</category>				
				
				<category>Security</category>				
				
				<category>IIS</category>				
				
				<pubDate>Fri, 29 Jan 2010 23:44:28 -0500</pubDate>
				<guid>http://www.codersrevolution.com/index.cfm/2010/1/29/PCI-DSS-Compliance-Part-2--Weak-SSL-And-Ciphers</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>PCI DSS Compliance Part 1 - Predictable Session ID Vulnerability</title>
				<link>http://www.codersrevolution.com/index.cfm/2010/1/28/PCI-DSS-Compliance-Part-1--Predictable-Session-ID-Vulnerability</link>
				<description>
				
				As a web developer you have your share of demons you have to face.  If your company processes credit cards, chances are your yearly &lt;a href=&quot;http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard&quot; target=&quot;_new&quot;&gt;PCI DSS&lt;/a&gt; compliance scan is one of those demons.  I thought I would do a short series on a few security items I tightened down as a result of our last PCI scan.  This is by no means a comprehensive list of everything needed to pass a PCI scan.  If you want to know that and have time to read a &lt;a href=&quot;https://www.pcisecuritystandards.org/security_standards/pci_dss_download_agreement.html&quot; target=&quot;_new&quot;&gt;74 page PDF&lt;/a&gt; you can get a copy of the Spec at &lt;a href=&quot;http://www.pcisecuritystandards.org&quot; target=&quot;_new&quot;&gt;www.pcisecuritystandards.org&lt;/a&gt;.
				 [More]
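
				As an added example to go with the title of this part (my code, not the post&apos;s), here is the kind of check an assessor runs on a sample of session IDs, with a vulnerable and a hardened generator side by side. The counter-based generator stands in for any scheme where the next ID is a small step from the last one; ColdFusion&apos;s classic CFTOKEN is an 8-digit number and the Administrator option Use UUID for cftoken is the usual remedy, but that detail is mine and not quoted from the post. The 64-bit floor follows the OWASP session management guidance.

```python
import math
import secrets
import string
from itertools import count


class CounterSessionIds:
    """Vulnerable generator: an 8-digit counter, so the next ID is one guess away."""

    def __init__(self, start=12_345_600):
        self._counter = count(start)

    def new_id(self):
        return f"{next(self._counter):08d}"


class RandomSessionIds:
    """Hardened generator: 128 bits from the OS CSPRNG, hex encoded."""

    def new_id(self):
        return secrets.token_hex(16)


def alphabet_size(token):
    """Smallest common alphabet the token fits in: digits, hex, alnum or printable."""
    if token.isdigit():
        return 10
    if all(c in string.hexdigits for c in token):
        return 16
    if token.isalnum():
        return 62
    return 95


def nominal_entropy_bits(token):
    """Upper bound on entropy, assuming every alphabet character is equally likely."""
    return len(token) * math.log2(alphabet_size(token))


def looks_sequential(ids, max_delta=1000):
    """True if all IDs are numeric and each one is a small step up from the previous."""
    if not all(t.isdigit() for t in ids):
        return False
    values = [int(t) for t in ids]
    deltas = [b - a for a, b in zip(values, values[1:])]
    return bool(deltas) and all(d >= 0 and not d > max_delta for d in deltas)


def assess(ids, min_bits=64):
    """Return the findings for a sample of IDs; an empty list means they pass."""
    findings = []
    if looks_sequential(ids):
        findings.append("sequential")
    if any(min_bits > nominal_entropy_bits(t) for t in ids):
        findings.append("low entropy")
    return findings


if __name__ == "__main__":
    weak = CounterSessionIds()
    print(assess([weak.new_id() for _ in range(20)]))     # ['sequential', 'low entropy']
    strong = RandomSessionIds()
    print(assess([strong.new_id() for _ in range(20)]))   # []
```

				Note that the entropy figure is a ceiling: an 8-digit token can never hold more than about 26.6 bits, and a counter holds almost none of that. A scanner only sees the ceiling, which is why it also samples IDs to look for the sequential pattern.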
				</description>
						
				
				<category>Server Administration</category>				
				
				<category>Security</category>				
				
				<category>ColdFusion</category>				
				
				<pubDate>Thu, 28 Jan 2010 22:24:00 -0500</pubDate>
				<guid>http://www.codersrevolution.com/index.cfm/2010/1/28/PCI-DSS-Compliance-Part-1--Predictable-Session-ID-Vulnerability</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>Two Tips For Making Sure Your Mail Gets Sent</title>
				<link>http://www.codersrevolution.com/index.cfm/2009/12/7/Two-Tips-For-Making-Sure-Your-Mail-Gets-Sent</link>
				<description>
				
				A lot of you have web servers that double as mail servers to relay out mail from your ColdFusion applications.  Even if you have a separate server that handles your mail relay, this post should still be helpful.  The more that spam proliferates on the Internet, the more antsy ISPs get about blocking mail.  There is a litany of reasons an ISP might reject mail from your server.  GoDaddy has been one of the most annoying companies to deal with.  There are two things I had to fix on my mail server before they would accept mail from my server: reverse DNS and the HELO host name.
				 [More]
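
				As an added example (my code, not the post&apos;s), here are the checks a strict receiving mail server applies to an inbound connection, run against a constructed DNS table so it works offline: does the sending IP have a PTR record, does that name resolve back to the IP (forward-confirmed reverse DNS), and is the HELO name a fully qualified host name that resolves to the sending IP. The addresses and host names are made up; the exact list of checks is illustrative, since receivers vary, and the finding that HELO differs from the PTR name is a strict-receiver policy rather than a standard requirement. live_resolver() swaps in real lookups through the system resolver.

```python
import socket

# Constructed DNS data standing in for a real resolver: PTR records keyed by
# IP and A records keyed by host name. Every name and address here is made up.
FAKE_DNS = {
    "ptr": {
        "203.0.113.10": "mail.example.com",                       # PTR matches HELO
        "203.0.113.11": "ip-203-0-113-11.generic-vps.example",    # provider default PTR
        "203.0.113.12": None,                                     # no PTR at all
    },
    "a": {
        "mail.example.com": ["203.0.113.10"],
        "ip-203-0-113-11.generic-vps.example": ["203.0.113.11"],
        "web.example.com": ["203.0.113.11"],
    },
}


def fake_resolver(table):
    """Build (reverse, forward) lookup callables from a constructed table."""
    def reverse(ip):
        return table["ptr"].get(ip)

    def forward(name):
        return table["a"].get(name, [])

    return reverse, forward


def live_resolver():
    """Real lookups through the system resolver (network required)."""
    def reverse(ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except OSError:
            return None

    def forward(name):
        try:
            return socket.gethostbyname_ex(name)[2]
        except OSError:
            return []

    return reverse, forward


def check_sender(ip, helo_name, reverse, forward):
    """Apply the checks a picky receiving MTA applies to a connecting sender.

    Returns a list of problems; an empty list means the sender passes.
    """
    problems = []
    ptr = reverse(ip)
    if ptr is None:
        problems.append("no PTR record for sending IP")
    elif ip not in forward(ptr):
        problems.append("PTR name does not resolve back to the IP (FCrDNS fails)")
    if "." not in helo_name or helo_name.endswith(".local"):
        problems.append("HELO name is not a fully qualified host name")
    elif ip not in forward(helo_name):
        problems.append("HELO name does not resolve to the sending IP")
    if ptr is not None and ptr.lower() != helo_name.lower():
        problems.append("HELO name differs from the PTR name")
    return problems


if __name__ == "__main__":
    reverse, forward = fake_resolver(FAKE_DNS)
    print(check_sender("203.0.113.10", "mail.example.com", reverse, forward))   # []
    print(check_sender("203.0.113.10", "WIN-SERVER", reverse, forward))
    # ['HELO name is not a fully qualified host name', 'HELO name differs from the PTR name']
```

				To test your own relay, replace fake_resolver(FAKE_DNS) with live_resolver() and pass your public IP and the HELO name your mail server is configured to announce. The PTR record is the one thing you cannot fix on the server itself: it is published by whoever owns the IP block, so it has to be requested from the hosting provider.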
				</description>
						
				
				<category>Server Administration</category>				
				
				<category>General</category>				
				
				<category>Networking</category>				
				
				<category>Security</category>				
				
				<category>Technology</category>				
				
				<pubDate>Mon, 07 Dec 2009 22:31:00 -0500</pubDate>
				<guid>http://www.codersrevolution.com/index.cfm/2009/12/7/Two-Tips-For-Making-Sure-Your-Mail-Gets-Sent</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>BlogCFC Code Formatting Not Thread Safe (With Example)</title>
				<link>http://www.codersrevolution.com/index.cfm/2009/12/3/BlogCFC-Code-Formatting-Not-Thread-Safe-With-Example</link>
				<description>
				
				I found an interesting little bug in the &lt;a href=&quot;http://blogcfc.riaforge.org/&quot; target=&quot;_new&quot;&gt;BlogCFC&lt;/a&gt; implementation of &lt;a href=&quot;http://coldfish.riaforge.org/&quot; target=&quot;_new&quot;&gt;ColdFISH&lt;/a&gt; today.  ColdFISH is a ColdFusion code formatting component that is instantiated once and cached as a singleton in the application scope in BlogCFC.  The problem is, ColdFISH looks like it wasn&apos;t intended to be used as a singleton.  It makes use of the variables scope to store the Java StringBuffer it uses to gather up your formatted code, as well as a number of other variables used to parse the code it is formatting.  This means that when two or more people hit a BlogCFC entry with larger code samples, race conditions exist.
				 [More]
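
				As an added example (Python, my code, not BlogCFC&apos;s or ColdFISH&apos;s), the same bug in miniature: a formatter cached as a singleton that keeps its work-in-progress buffer on the instance, next to the fix of keeping that buffer in a local variable. The variables scope of a CFC corresponds to instance attributes here, and a var-scoped local corresponds to a local variable. A Barrier forces two threads to interleave at every step, which makes the race fail every time instead of only under load.

```python
import threading


class SharedBufferFormatter:
    """Mimics the bug: the work-in-progress buffer lives on the shared instance."""

    def __init__(self, yield_point=None):
        self.buffer = []
        self._yield = yield_point or (lambda: None)

    def format(self, code):
        self.buffer = []                  # per-request state stored on the singleton
        self._yield()                     # another request may run here
        for number, line in enumerate(code.splitlines(), 1):
            self.buffer.append(f"{number}: {line}")
            self._yield()                 # ... or here, between any two appends
        return "\n".join(self.buffer)


class LocalBufferFormatter:
    """Fixed: the buffer is a local variable, so concurrent calls cannot collide."""

    def __init__(self, yield_point=None):
        self._yield = yield_point or (lambda: None)

    def format(self, code):
        buffer = []
        self._yield()
        for number, line in enumerate(code.splitlines(), 1):
            buffer.append(f"{number}: {line}")
            self._yield()
        return "\n".join(buffer)


def format_concurrently(formatter_class, requests):
    """Format every request on one shared instance, one thread per request.

    A Barrier at each yield point forces the threads to interleave, turning the
    race into a deterministic failure instead of a once-a-week mystery. All
    requests must have the same number of lines so the barrier counts match.
    """
    barrier = threading.Barrier(len(requests), timeout=5)
    shared = formatter_class(yield_point=barrier.wait)
    results = {}

    def worker(name, code):
        results[name] = shared.format(code)

    threads = [threading.Thread(target=worker, args=item) for item in requests.items()]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


# Constructed sample: two visitors requesting two different code blocks at once.
REQUESTS = {
    "alice": "int a = 1;\nreturn a;",
    "bob": "var b = 2;\nalert(b);",
}
EXPECTED = {
    name: "\n".join(f"{i}: {line}" for i, line in enumerate(code.splitlines(), 1))
    for name, code in REQUESTS.items()
}

if __name__ == "__main__":
    print(format_concurrently(SharedBufferFormatter, REQUESTS) == EXPECTED)   # False
    print(format_concurrently(LocalBufferFormatter, REQUESTS) == EXPECTED)    # True
```

				With the shared buffer both visitors end up with the same four-line blob containing each other&apos;s code; with the local buffer each gets exactly what they asked for. The fix for a CFC is the same idea: anything that belongs to one request goes in a var-scoped local (or the method returns it), and only truly request-independent configuration stays in the variables scope.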
				</description>
						
				
				<category>Object Oriented Design (OOP)</category>				
				
				<category>Performance</category>				
				
				<category>Security</category>				
				
				<category>ColdFusion</category>				
				
				<category>ColdBox</category>				
				
				<pubDate>Thu, 03 Dec 2009 16:58:00 -0500</pubDate>
				<guid>http://www.codersrevolution.com/index.cfm/2009/12/3/BlogCFC-Code-Formatting-Not-Thread-Safe-With-Example</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>When GoDaddy Becomes NoDaddy</title>
				<link>http://www.codersrevolution.com/index.cfm/2009/11/8/When-GoDaddy-Becomes-NoDaddy</link>
				<description>
				
				Some time ago GoDaddy managed to get the IP address of my VPS in their little black book and began refusing to receive any mail which originated from it.  Unfortunately for me, I use GoDaddy for my E-mail hosting and that meant I stopped getting all E-mails that were sent from my server.  A couple weeks ago I got around to calling them to see just what was going on.  I would rather mud-wrestle a large sea-sick crocodile before repeating this tedious conversation with their bumbling excuse for tech support.  Here are the details of my correspondence with them.
				 [More]
				</description>
						
				
				<category>Server Administration</category>				
				
				<category>General</category>				
				
				<category>Networking</category>				
				
				<category>Security</category>				
				
				<pubDate>Sun, 08 Nov 2009 01:52:00 -0500</pubDate>
				<guid>http://www.codersrevolution.com/index.cfm/2009/11/8/When-GoDaddy-Becomes-NoDaddy</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>Sequoia Voting System Witch Hunt, err... Study Project</title>
				<link>http://www.codersrevolution.com/index.cfm/2009/10/21/Sequoia-Voting-System-Witch-Hunt-err-Study-Project</link>
				<description>
				
				&lt;a href=&quot;http://mpwoodward.posterous.com&quot; target=&quot;_new&quot;&gt;Matt Woodward&lt;/a&gt; &lt;a href=&quot;http://mpwoodward.posterous.com/sequoia-voting-systems-source-code-released&quot; target=&quot;_new&quot;&gt;pointed out&lt;/a&gt; this &lt;a href=&quot;http://politics.slashdot.org/story/09/10/20/2254210/Sequoia-Voting-Systems-Source-Code-Released?from=rss&quot; target=&quot;_new&quot;&gt;Slashdot article&lt;/a&gt; today about the accidental release of code from &lt;a href=&quot;http://www.sequoiavote.com/&quot; target=&quot;_new&quot;&gt;Sequoia Voting Systems&lt;/a&gt; and a &lt;a href=&quot;http://studysequoia.wikispaces.com/&quot; target=&quot;_new&quot;&gt;web site&lt;/a&gt; dedicated to studying that code.  
Apparently the Election Defense Alliance obtained a copy of the election data for Riverside County, California.  It came in the form of a Microsoft SQL Server backup that was SUPPOSED to have all the code such as stored procs and triggers redacted.  I wandered over to the &quot;Sequoia Voting System Study Project&quot; and scored me a copy of the data.
				 [More]
				</description>
						
				
				<category>SQL</category>				
				
				<category>Security</category>				
				
				<pubDate>Wed, 21 Oct 2009 01:15:00 -0500</pubDate>
				<guid>http://www.codersrevolution.com/index.cfm/2009/10/21/Sequoia-Voting-System-Witch-Hunt-err-Study-Project</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>Server Hardening: What Ports Do I Have Open?</title>
				<link>http://www.codersrevolution.com/index.cfm/2009/9/21/Server-Hardening-What-Ports-Do-I-Have-Open</link>
				<description>
				
				When you think of your production servers, you need to imagine them as your car sporting a new stereo in a parking lot with a bunch of would-be burglars milling around outside, constantly checking each window and door to make sure you locked it tightly the last time you had it open.  Every door, window, or keyless entry system is a potential point of invasion that can fail you.  Why do you think those Brinks trucks have no windows and the only way in the back is a single, beefy, padlocked door?  A Brinks truck may not be convenient to access, but convenience isn&apos;t its goal.  You need to control the ways into your server with the same gusto.
				 [More]
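
				As an added example (my code, not the post&apos;s), a script that turns netstat -an output into a list of listening sockets and reports the ones that are not on an allow list. The sample output is constructed (the addresses and the mix of ports are made up, though 1433, 8500 and 445 are the real defaults for SQL Server, the ColdFusion built-in web server and SMB); the allow list is my assumption for a public web server and should be replaced with your own. It accepts both the Windows LISTENING and the Linux LISTEN spelling, and tolerates loopback-only binds by default since those are not reachable from the network.

```python
import re

# Constructed sample of `netstat -an` output as a Windows box prints it.
# Addresses and the port mix are made up for the example.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8500         0.0.0.0:0              LISTENING
  TCP    203.0.113.5:443        198.51.100.7:51234     ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# proto, local address, port, foreign address, optional LISTENING/LISTEN state.
# ESTABLISHED and other states do not match, so only listeners come through.
SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s*(LISTEN(?:ING)?)?\s*$")


def listening_sockets(netstat_text):
    """Parse netstat -an text into (proto, bind_address, port) tuples for listeners."""
    found = []
    for line in netstat_text.splitlines():
        m = SOCKET_RE.match(line)
        if not m:
            continue
        proto, addr, port, state = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if proto == "TCP" and not state:
            continue                      # a TCP line without LISTEN* is a connection
        found.append((proto, addr, port))
    return found


def unexpected_listeners(sockets, allowed_ports, loopback_ok=True):
    """Return listeners whose (proto, port) is not on the allow list."""
    flagged = []
    for proto, addr, port in sockets:
        if loopback_ok and addr.startswith(("127.", "[::1]")):
            continue                      # not reachable from the network
        if (proto, port) not in allowed_ports:
            flagged.append((proto, addr, port))
    return flagged


# Assumed allow list for a public web server: HTTP, HTTPS and (firewalled to
# admin addresses) RDP. Everything else is a door to close or filter.
ALLOWED = {("TCP", 80), ("TCP", 443), ("TCP", 3389)}

if __name__ == "__main__":
    import subprocess
    text = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    for item in unexpected_listeners(listening_sockets(text), ALLOWED):
        print("unexpected listener:", item)
```

				Run on the sample, this flags RPC endpoint mapper (135), SMB (445), SQL Server (1433) and SNMP (161) as listening on every interface; the loopback-only ColdFusion port is skipped. A listener that is bound to all interfaces but blocked by the host firewall still shows up here, so the next step is to confirm each flagged port from outside the box.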
				</description>
						
				
				<category>Server Administration</category>				
				
				<category>General</category>				
				
				<category>Networking</category>				
				
				<category>Security</category>				
				
				<pubDate>Mon, 21 Sep 2009 23:52:00 -0500</pubDate>
				<guid>http://www.codersrevolution.com/index.cfm/2009/9/21/Server-Hardening-What-Ports-Do-I-Have-Open</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>Add Your Own Custom Tools To CF Administrator- How Did I Miss This?</title>
				<link>http://www.codersrevolution.com/index.cfm/2009/3/21/Add-Your-Own-Custom-Tools-To-CF-Administrator-How-Did-I-Miss-This</link>
				<description>
				
				This is a really cool feature of ColdFusion 8 that I had totally missed, but I stumbled across an &lt;a href=&quot;http://www.coldfusionjedi.com/page.cfm/Guide-to-ColdFusion-Administrator-Extensions&quot; target=&quot;_new&quot;&gt;article on Ray Camden&apos;s blog&lt;/a&gt; today. (Thanks Ray!) Basically, you can modify your ColdFusion Administrator menus to include custom tools of your own choosing.  There are several pre-built ones out there, including &lt;a href=&quot;http://spoolmail.riaforge.org/&quot; target=&quot;_new&quot;&gt;SpoolMail&lt;/a&gt;, a nifty utility to re-copy your undeliverable mail back into the spool folder; and &lt;a href=&quot;http://www.coldfusionjedi.com/index.cfm/2008/6/19/Clearing-individual-filesfolders-from-ColdFusion-templates-cache#c87F2734A-19B9-E658-9D224526A687B850&quot; target=&quot;_new&quot;&gt;Cache Clearer&lt;/a&gt;, an easy way to clear out specific folders of trusted cache.
				 [More]
				</description>
						
				
				<category>Server Administration</category>				
				
				<category>Security</category>				
				
				<category>ColdBox</category>				
				
				<pubDate>Sat, 21 Mar 2009 11:58:00 -0500</pubDate>
				<guid>http://www.codersrevolution.com/index.cfm/2009/3/21/Add-Your-Own-Custom-Tools-To-CF-Administrator-How-Did-I-Miss-This</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>ColdFusion Administrator: Why Can&apos;t I Browse The Server?</title>
				<link>http://www.codersrevolution.com/index.cfm/2009/3/19/ColdFusion-Administrator-Why-Cant-I-Browse-The-Server</link>
				<description>
				
				I went to add a custom tag path onto my dev server this morning.  Feeling a little lazy and not wanting to type in the full path by hand, I clicked the &quot;Browse Server&quot; button.  There are similar buttons for adding ColdFusion mappings and searching for file-based databases while adding data sources.  The Browse Server page uses an applet to let you choose directories or files off your server.  I was greeted with an error message:&lt;br&gt;
Server Error&lt;br&gt;
IO error on server communication
				 [More]
				</description>
						
				
				<category>Server Administration</category>				
				
				<category>Security</category>				
				
				<category>ColdFusion</category>				
				
				<pubDate>Thu, 19 Mar 2009 13:03:00 -0500</pubDate>
				<guid>http://www.codersrevolution.com/index.cfm/2009/3/19/ColdFusion-Administrator-Why-Cant-I-Browse-The-Server</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>View Services/Manage Your Servers Without Ever Remoting In (Second Try)</title>
				<link>http://www.codersrevolution.com/index.cfm/2009/2/12/View-ServicesManage-Your-Servers-Without-Ever-Remoting-In-Second-Try</link>
				<description>
				
				I feel like a dork.  I posted a tip last night on remotely managing services on your Windows servers.  I wondered why it didn&apos;t get many hits, and I finally realized tonight that an inadvertent change in my server&apos;s time this morning effectively unpublished the post so no one could get to it.  Doh.  You can read it here now:

&lt;a href=&quot;http://www.codersrevolution.com/index.cfm/2009/2/11/View-ServicesManage-Your-Servers-Without-Ever-Remoting-In&quot;&gt;http://www.codersrevolution.com/index.cfm/2009/2/11/View-ServicesManage-Your-Servers-Without-Ever-Remoting-In&lt;/a&gt;
				
				</description>
						
				
				<category>General</category>				
				
				<category>Security</category>				
				
				<pubDate>Thu, 12 Feb 2009 01:54:00 -0500</pubDate>
				<guid>http://www.codersrevolution.com/index.cfm/2009/2/12/View-ServicesManage-Your-Servers-Without-Ever-Remoting-In-Second-Try</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>View Services/Manage Your Servers Without Ever Remoting In</title>
				<link>http://www.codersrevolution.com/index.cfm/2009/2/11/View-ServicesManage-Your-Servers-Without-Ever-Remoting-In</link>
				<description>
				
				If you are using Windows, chances are you find yourself remoting into one server or another on a regular basis to start and stop services or to take a gander at the event logs to figure out why the box mysteriously rebooted the other day at 2 am.  You may not realize it, but you can access anything in the Computer Management console for your servers without ever remoting into them.  This includes users/groups, IIS, SQL Server, and Device Manager.
				 [More]
				</description>
						
				
				<category>General</category>				
				
				<category>Networking</category>				
				
				<category>Security</category>				
				
				<pubDate>Wed, 11 Feb 2009 15:08:00 -0500</pubDate>
				<guid>http://www.codersrevolution.com/index.cfm/2009/2/11/View-ServicesManage-Your-Servers-Without-Ever-Remoting-In</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>Can you hack your own server?</title>
				<link>http://www.codersrevolution.com/index.cfm/2008/9/11/Can-you-hack-your-own-server</link>
				<description>
				
				I am not just a programmer, but to some extent a sys admin.  Because of that responsibility (and the fact I have had servers compromised before) I am always interested in security.  I think to stop crackers, you&apos;ve got to think like them.  When was the last time you tried to hack into your own server?  If you don&apos;t know what your vulnerabilities are, how can you close them?
				 [More]
				</description>
						
				
				<category>General</category>				
				
				<category>Networking</category>				
				
				<category>Security</category>				
				
				<category>ColdFusion</category>				
				
				<pubDate>Thu, 11 Sep 2008 15:41:00 -0500</pubDate>
				<guid>http://www.codersrevolution.com/index.cfm/2008/9/11/Can-you-hack-your-own-server</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>How to axe your transaction log</title>
				<link>http://www.codersrevolution.com/index.cfm/2008/9/5/How-to-axe-your-transaction-log</link>
				<description>
				
				If you are using MS SQL Server and ever want to just obliterate your transaction log, you can use the following SQL (where your database name is &quot;foo&quot;):

&lt;code&gt;-- Mark the inactive part of the log reusable without backing it up (SQL Server 2005 and earlier)
BACKUP LOG foo WITH TRUNCATE_ONLY
-- Then shrink the physical log file (logical name foo_log) down to 2 MB
DBCC SHRINKFILE(foo_log,2)
&lt;/code&gt;

Don&apos;t ever do this to a database you care about like, say, production: it breaks the log backup chain, so you would need a fresh full backup afterwards.  (WITH TRUNCATE_ONLY was removed in SQL Server 2008; there you switch the database to the SIMPLE recovery model before shrinking.)  I wanted this because I am screwing around creating rainbow tables of SHA-1 hashes.  The Cartesian product of joining a table to itself on 1=1 is very handy for producing all possible combinations of a set of characters.  Inserting a few million records can put a lot of crap in your transaction log though.
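
As an added example (my code, not the author&apos;s SQL), the same Cartesian-product idea in Python: itertools.product generates every string over a character set, and the loop precomputes SHA-1 for each one so that a captured hash can be looked up instead of cracked. The character set and length cap are kept small so it runs in about a second; the last check in the usage shows why a per-user salt pushes a password outside any precomputed table.

```python
import hashlib
from itertools import product

CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"


def keyspace(charset, length):
    """Every string of exactly `length` characters over `charset`: the Cartesian
    product the author builds in SQL by joining a one-column character table to itself."""
    return ("".join(chars) for chars in product(charset, repeat=length))


def sha1_hex(text):
    return hashlib.sha1(text.encode()).hexdigest()


def build_table(charset, max_length):
    """Precompute SHA-1(candidate) for every candidate of length 1..max_length.

    With 36 characters and max_length=3 that is 36 + 36**2 + 36**3 = 47,988 rows;
    each extra character multiplies the table by 36, which is the whole point of
    doing it once up front in a database rather than per lookup.
    """
    table = {}
    for length in range(1, max_length + 1):
        for candidate in keyspace(charset, length):
            table[sha1_hex(candidate)] = candidate
    return table


def invert(table, digest):
    """Look a stolen hash up; None if the preimage is outside the precomputed keyspace."""
    return table.get(digest.lower())


if __name__ == "__main__":
    table = build_table(CHARSET, 3)
    print(invert(table, sha1_hex("ab1")))              # ab1
    print(invert(table, sha1_hex("s4lt" + "ab1")))     # None: salted, so not in the table
```

Strictly speaking this is a lookup table rather than a rainbow table (a rainbow table trades lookup time for a much smaller store by chaining hash and reduce steps), but it is the same attack on the same target: an unsalted, single-round hash of a short secret.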
				
				</description>
						
				
				<category>SQL</category>				
				
				<category>Security</category>				
				
				<pubDate>Fri, 05 Sep 2008 17:36:00 -0500</pubDate>
				<guid>http://www.codersrevolution.com/index.cfm/2008/9/5/How-to-axe-your-transaction-log</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>Disabling MySQL&apos;s Backslash Escaping Per Data Source</title>
				<link>http://www.codersrevolution.com/index.cfm/2008/8/17/Disabling-MySQLs-Backslash-Escaping-Per-Data-Source</link>
				<description>
				
				It has been &lt;a href=&quot;http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:56402&quot; target=&quot;_new&quot;&gt;mentioned in several places&lt;/a&gt; that MySQL 5.0.1 has a &lt;a href=&quot;http://dev.mysql.com/doc/refman/5.0/en/news-5-0-22.html&quot; target=&quot;_new&quot;&gt;NO_BACKSLASH_ESCAPES&lt;/a&gt; mode it can be run in to prevent backslashes from being an escape character.  Thanks to Azadi Saryev for pointing it out &lt;a href=&quot;http://www.codersrevolution.com/index.cfm/2008/7/13/Just-when-you-felt-safe-SQL-Injection-and-MySQL&quot; target=&quot;_new&quot;&gt;on my blog&lt;/a&gt; and &lt;a href=&quot;http://www.coldfusionmuse.com/index.cfm/2008/5/16/disable-backslash-escape-on-mysql&quot; target=&quot;_new&quot;&gt;Mark Kruger&apos;s&lt;/a&gt; as well.  &lt;a href=&quot;http://techfeed.net/blog/&quot; target=&quot;_new&quot;&gt;Jake Munson&lt;/a&gt; even posted &lt;a href=&quot;http://techfeed.net/blog/index.cfm/2008/7/25/ColdFusionMySQL-security-vulsqlmodeNOBACKSLASHESCAPES-nerability&quot; target=&quot;_new&quot;&gt;instructions&lt;/a&gt; for applying the setting to your MySQL server at startup.  For the record, you can also use this setting on a specific data source.
				 [More]
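
				As an added example (my code, not the post&apos;s, and the data source setting itself is not reproduced from the post), a small model of how MySQL scans a single-quoted literal in its two modes, which shows exactly why backslash escaping matters when an application only doubles single quotes, as ColdFusion does for strings interpolated into cfquery. With backslash escaping on, a value that starts with a backslash and a quote turns the doubled quotes into one escaped quote plus a closing quote, and the rest of the value runs as SQL; under NO_BACKSLASH_ESCAPES the same value stays inside the literal. The scanner is a deliberate simplification (no double-quoted literals, comments or character set issues) and is for illustration only; cfqueryparam remains the real fix. For the per-data-source route, MySQL Connector/J accepts a sessionVariables connection property (for example sessionVariables=sql_mode=&apos;NO_BACKSLASH_ESCAPES&apos;); that comes from the driver documentation, not from this post.

```python
def literal_end(sql, start, backslash_escapes):
    """Index just past the single-quoted literal that opens at sql[start].

    Models the two MySQL behaviours: a doubled quote ('') is always an escaped
    quote inside the literal; a backslash escapes the next character only when
    the server is NOT running with NO_BACKSLASH_ESCAPES. Returns None when the
    literal never closes.
    """
    i = start + 1
    n = len(sql)
    while n > i:
        ch = sql[i]
        if ch == "\\" and backslash_escapes:
            i += 2                        # backslash eats the next character
            continue
        if ch == "'":
            if i + 1 != n and sql[i + 1] == "'":
                i += 2                    # doubled quote stays inside the literal
                continue
            return i + 1                  # lone quote closes the literal
        i += 1
    return None


def escape_by_doubling(value):
    """The only escaping a quote-doubling layer does: ' becomes ''."""
    return value.replace("'", "''")


def build_query(username):
    """Vulnerable style: the (quote-doubled) value is pasted into the SQL text."""
    return "SELECT * FROM users WHERE name = '" + escape_by_doubling(username) + "'"


def injected(sql, backslash_escapes):
    """True if the first literal does not run to the end of the statement,
    i.e. part of the user's value escaped the string and became SQL."""
    start = sql.index("'")
    end = literal_end(sql, start, backslash_escapes)
    return end is None or end != len(sql)


if __name__ == "__main__":
    payload = "\\' OR 1=1 -- "
    print(build_query(payload))
    print(injected(build_query(payload), backslash_escapes=True))    # True: breaks out
    print(injected(build_query(payload), backslash_escapes=False))   # False: stays quoted
    print(injected(build_query("O'Brien"), backslash_escapes=True))  # False
```

				The benign O&apos;Brien case passes in both modes, which is why quote doubling looks sufficient until someone sends a backslash. Turning on NO_BACKSLASH_ESCAPES closes this particular hole, but a value passed through cfqueryparam never becomes part of the statement text in the first place, so it does not depend on which mode the server happens to be in.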
				</description>
						
				
				<category>SQL</category>				
				
				<category>Security</category>				
				
				<category>ColdFusion</category>				
				
				<pubDate>Sun, 17 Aug 2008 01:05:00 -0500</pubDate>
				<guid>http://www.codersrevolution.com/index.cfm/2008/8/17/Disabling-MySQLs-Backslash-Escaping-Per-Data-Source</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>SQLi Is Back With A Small TwIST</title>
				<link>http://www.codersrevolution.com/index.cfm/2008/8/16/SQLi-Is-Back-With-A-Small-TwIST</link>
				<description>
				
				Well, after a brief hiatus, the SQL Injection attacks have resumed with a small change.  They have modified the capitalization of a couple words in the URL.  &quot;DECLARE&quot; has become &quot;DeCLARE&quot;, and &quot;EXEC&quot; has become &quot;ExEC&quot;.  This is obviously to get around people who employed case-sensitive filtering mechanisms.
				 [More]
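
				As an added example (my code, not the post&apos;s), detection logic for this payload family run over constructed log lines: URL-decode the query string (twice, to catch double encoding) and match the DECLARE / CAST(0x... AS VARCHAR) / EXEC shape case-insensitively, so DeCLARE and ExEC match exactly as DECLARE and EXEC do. The log lines are made up and use a simplified IIS-style field layout (date, time, client IP, method, URI stem, query, status); the hex blob decodes to a harmless SELECT. A filter like this is for spotting and blocking the scanning traffic, not a substitute for parameterised queries.

```python
import re
from urllib.parse import unquote_plus

# Shape of the 2008 mass-injection payloads: a DECLARE'd variable loaded from a
# hex-encoded CAST and run through EXEC. Case-insensitive on purpose, because
# the attackers switched DECLARE to DeCLARE and EXEC to ExEC to slip past
# filters that matched on exact case.
MASS_SQLI_RE = re.compile(
    r"declare\s+@\w+\s+n?varchar\s*\(\s*\d+\s*\).*?"
    r"cast\s*\(\s*0x[0-9a-f]+\s+as\s+n?varchar\s*\(\s*\d+\s*\)\s*\).*?"
    r"exec\s*\(\s*@\w+\s*\)",
    re.IGNORECASE | re.DOTALL,
)


def normalize(raw_query_string):
    """Undo URL encoding twice so %2520-style double encoding is seen as a space."""
    return unquote_plus(unquote_plus(raw_query_string))


def is_mass_sqli(raw_query_string):
    return MASS_SQLI_RE.search(normalize(raw_query_string)) is not None


# Constructed log lines, not real traffic. Fields: date time client-ip method
# uri-stem uri-query status. The hex blob in the second line is the constructed
# statement "SELECT * FROM users--", which does no harm even if it ran.
SAMPLE_LOG = """
2008-08-16 12:40:01 198.51.100.23 GET /index.cfm id=5 200
2008-08-16 12:40:02 198.51.100.23 GET /index.cfm id=5;DeCLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x53454c454354202a2046524f4d2075736572732d2d%20AS%20VARCHAR(4000));ExEC(@S);-- 200
2008-08-16 12:40:03 203.0.113.9 GET /index.cfm id=5%20DECLARE%20@S%20NVARCHAR(4000)%3BSET%20@S%3DCAST(0x44%20AS%20NVARCHAR(4000))%3BEXEC(@S)%3B-- 500
2008-08-16 12:40:04 192.0.2.77 GET /search.cfm q=declare+your+variables 200
"""


def flag_log(log_text):
    """Return (client_ip, uri_query) for every request carrying the payload."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue                      # blank line or a row in another layout
        client_ip, query = fields[2], fields[5]
        if is_mass_sqli(query):
            hits.append((client_ip, query))
    return hits


if __name__ == "__main__":
    for client_ip, query in flag_log(SAMPLE_LOG):
        print(client_ip, query[:60])
```

				The fourth line shows why matching on the word DECLARE alone is not enough: a legitimate search for the word would be blocked, while the real payload is identified by the whole declare-cast-exec chain regardless of case or encoding. The variable name is not fixed to @S either, since that is the next thing an attacker changes once a filter starts matching it.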
				</description>
						
				
				<category>SQL</category>				
				
				<category>Security</category>				
				
				<category>ColdFusion</category>				
				
				<pubDate>Sat, 16 Aug 2008 12:40:00 -0500</pubDate>
				<guid>http://www.codersrevolution.com/index.cfm/2008/8/16/SQLi-Is-Back-With-A-Small-TwIST</guid>
				
				
			</item>
			
		 	
			</channel></rss>