Posts

Showing posts from May, 2009

Preventing XSS in ColdFusion

How to prevent cross site scripting in ColdFusion. Useful page from The Dev Shack: http://www.thedevshack.com/preventing-xss-cross-site-scripting-attacks-in-coldfusion/

Essentially:

- Enable Global Script Protection in your application. You can accomplish this by using the scriptProtect attribute in your Application.cfc. You can also globally enable script protection at the server level via the ColdFusion Administrator: under Settings, check "Enable Global Script Protection".
- Use HTMLEditFormat around ANY variables that contain user submitted input.
- Search and replace any malicious data. Replace script tags, etc. with nothing.
- Validate user submitted input on the server side. Check data types and lengths.
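As an added illustration (not code from the post or from the linked Dev Shack article), the points above in CFML: an Application.cfc that turns on script protection, and a page that validates a posted comment server-side and encodes it on output. The file names, form field names and length limits are assumptions.

```cfml
<!--- Application.cfc (assumed file): enable script protection for the whole application --->
<cfcomponent output="false">
    <cfset this.name = "XssDemoApp">
    <!--- "all" covers the form, url, cookie and cgi scopes; ColdFusion rewrites
          known dangerous tags (script, object, embed, ...) in those scopes to InvalidTag --->
    <cfset this.scriptProtect = "all">
</cfcomponent>

<!--- comment.cfm (assumed file): receives form.author and form.comment --->
<cfparam name="form.author" default="">
<cfparam name="form.comment" default="">

<cfset errors = []>
<!--- Server-side validation first: check presence and length, never trust the client --->
<cfif NOT len(trim(form.author)) OR len(form.author) GT 50>
    <cfset arrayAppend(errors, "Author must be between 1 and 50 characters.")>
</cfif>
<cfif NOT len(trim(form.comment)) OR len(form.comment) GT 1000>
    <cfset arrayAppend(errors, "Comment must be between 1 and 1000 characters.")>
</cfif>

<cfif arrayLen(errors)>
    <cfoutput>
    <ul>
    <cfloop array="#errors#" index="e"><li>#HTMLEditFormat(e)#</li></cfloop>
    </ul>
    </cfoutput>
<cfelse>
    <!--- Vulnerable pattern (kept as a comment, do not use): raw input echoed into the page
          <cfoutput><p>#form.comment#</p></cfoutput> --->

    <!--- Safe pattern: HTMLEditFormat turns < > & " into entities, so any markup
          the user typed is displayed as text instead of being rendered --->
    <cfoutput>
    <p><strong>#HTMLEditFormat(form.author)#</strong> wrote:</p>
    <p>#HTMLEditFormat(form.comment)#</p>
    </cfoutput>
</cfif>
```

Script protection only strips a fixed list of tags, so the encoding on output is what actually closes the hole; treat scriptProtect as a backstop rather than the fix.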

Cross site scripting (XSS) links to information

Useful resources explaining Cross Site Scripting (XSS) and how to code/guard against it.

- CERT® Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests: http://www.cert.org/advisories/CA-2000-02.html
- Cross-site Scripting (XSS): http://www.owasp.org/index.php/Cross-site_scripting
- Data Validation: http://www.owasp.org/index.php/Data_Validation
- Reviewing Code for Cross-site scripting: http://www.owasp.org/index.php/Review_Code_for_Cross-site_scripting
- XSS (Cross Site Scripting) Prevention Cheat Sheet: http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
- OWASP Enterprise Security API: "OWASP Enterprise Security API Toolkits help software developers guard against security-related design and implementation flaws. Just as web applications and web services can be Public Key Infrastructure (PKI) enabled (PK-enabled) to perform for example certificate-based authentication, applications and services can be OWASP ESAPI-enabled (ES-enabled) to enable ap

PCI Compliance - ColdFusion Debug Information

It should be blocked anyway, but it is a common finding when undergoing PCI compliance that ColdFusion debug information can be displayed by appending mode=debug to any CF URL. To prevent this, limit the IPs that can access the debug information, preferably to 127.0.0.1 only:

1. Open the CF Administrator.
2. Select "Debugging Ips".
3. Add 127.0.0.1.
4. Remove all other IPs.

Too many backup devices specified for backup or restore; only 64 are allowed

When you try to restore a database backup, the restore operation may fail. You may receive an error message that is similar to the following:

Server: Msg 3205, Level 16, State 2, Line 1
Too many backup devices specified for backup or restore; only 64 are allowed.
Server: Msg 3013, Level 16, State 1, Line 1
RESTORE DATABASE is terminating abnormally.

The message doesn't necessarily mean what it says. The following are possible causes:

- You want to restore a database backup that spans across multiple backup devices, and you have not specified more than 64 backup devices.
- You created the database backup on a computer that is running SQL Server 2000 Service Pack 3 (SP3) (Build 2000.80.869.0) or a later build of SQL Server 2000 SP3, and you try to restore the database backup on a computer that is running a build of SQL Server 2000 SP3 that is earlier than 2000.80.869.0.
- You are trying to restore a database created in SQL Server 2005 or SQL Server 2008 to an instance of SQL Server 200

Change IDENTITY SEED using T-SQL

```sql
DBCC CHECKIDENT ({{TABLENAME}}, RESEED, {{NEW SEED}})
```

Be VERY careful to check the results of this command: it is possible to set the seed lower than the current maximum value of the identity column. If this is not checked and more records are inserted, you can run into serious trouble!

Converting Excel date format into System.DateTime

```csharp
using System;

/// Converts an Excel serial date (days counted from the start of 1900) to a DateTime.
public static DateTime ConvertToDateTime(double excelDate)
{
    if (excelDate < 1)
    {
        throw new ArgumentException("Excel dates cannot be smaller than 1.");
    }

    DateTime dateOfReference = new DateTime(1900, 1, 1);

    // Excel treats 1900 as a leap year, so serial 60 is the non-existent 29 Feb 1900.
    // Serials above 60 are therefore one day further out than serials up to 60.
    if (excelDate > 60d)
    {
        excelDate = excelDate - 2;
    }
    else
    {
        excelDate = excelDate - 1;
    }

    return dateOfReference.AddDays(excelDate);
}
```

http://www.clear-lines.com/blog/post/Converting-Excel-date-format-to-SystemDateTime.aspx

SAGE Line 50 2009 Install Problems With 'manager' login

A few of our clients have experienced problems with fresh installs of SAGE Line 50 where they have completed a clean install and they cannot login to the application using the default user "manager" and a blank password. This applies to both the new company data and the demo data. In each case the problem has been caused by either denied access on the MS MachineKeys folder and/or a corrupt company setup file.

First try the following:

1. Browse to C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA
2. Right-click the MachineKeys folder and select Properties.
3. Select the Security tab.
4. Ensure your user has at least Modify permissions on the folder.
5. Click Advanced.
6. Tick the box for "Replace permission entries on all child objects…"
7. Select the Owner tab.
8. Ensure the owner is either your user or a group your user belongs to.
9. Click OK.
10. Try to login to SAGE.

If the above fails:

1. Browse to C:\Documents and Settings\All Users\Appli

How to loop through all files in a folder or directory tree

The code is fairly self explanatory:

```csharp
using System.IO;

/// sourceDir = directory to scan, scanLvl = current scan level,
/// maxLvl = how deep to scan, searchPattern = files to match
public static void ProcessFiles(string sourceDir, int scanLvl, int maxLvl, string searchPattern)
{
    if (scanLvl <= maxLvl)
    {
        string[] fileEntries = Directory.GetFiles(sourceDir, searchPattern);
        foreach (string fileName in fileEntries)
        {
            // do something with file
        }

        // Recurse into subdirectories, skipping reparse points (junctions and
        // symbolic links) so a link pointing back up the tree cannot loop forever
        string[] subdirEntries = Directory.GetDirectories(sourceDir);
        foreach (string subdir in subdirEntries)
        {
            if ((File.GetAttributes(subdir) & FileAttributes.ReparsePoint) != FileAttributes.ReparsePoint)
            {
                ProcessFiles(subdir, scanLvl + 1, maxLvl, searchPattern);
            }
        }
    }
}
```

Thanks to Ohad for the starting point for this one.