Showing posts from May, 2009

Preventing XSS in ColdFusion

How to prevent cross site scripting in ColdFusion. Useful page from The Dev Shack:
http://www.thedevshack.com/preventing-xss-cross-site-scripting-attacks-in-coldfusion/

Essentially:
1. Enable Global Script Protection in your application. You can accomplish this by using the scriptProtect attribute in your Application.cfc. You can also globally enable script protection at the server level via the ColdFusion Administrator: under Settings, check "Enable Global Script Protection".
2. Use HTMLEditFormat around ANY variables that contain user submitted input.
3. Search and replace any malicious data. Replace script tags, etc… with nothing.
4. Validate user submitted input on the server side. Check data types and lengths.
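The following is an added Python illustration of two of the layers listed above, output encoding (the HTMLEditFormat step) and server-side validation of type and length, alongside the weaker "search and replace" approach. It is not ColdFusion code and not from The Dev Shack; the field names, length limit and sample comment are constructed for the example, and `html.escape` is only broadly equivalent to HTMLEditFormat (it additionally encodes the single quote).

```python
import html
import re

# Constructed limits for the example; a real application would set these
# per field.
MAX_COMMENT_LEN = 200
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def encode_for_html(value):
    """Encode a value for insertion into HTML element content.

    Same idea as ColdFusion's HTMLEditFormat: every character with HTML
    meaning becomes an entity, so the browser renders the user's text
    instead of parsing it as markup. Applied at output time to every
    user-controlled value, whatever validation accepted earlier.
    """
    return html.escape(str(value), quote=True)


def strip_script_tags(value):
    """The 'search and replace' approach from the post.

    Removes literal <script> tags but leaves every other HTML construct in
    place, which is why it is a supplementary measure and not a substitute
    for encoding.
    """
    return re.sub(r"(?i)</?script[^>]*>", "", value)


def validate_comment(username, comment):
    """Server-side validation of data type and length.

    Returns a list of problems; an empty list means the input is acceptable.
    """
    problems = []
    if not isinstance(username, str) or not USERNAME_RE.match(username):
        problems.append("username must be 1-32 letters, digits or underscores")
    if not isinstance(comment, str):
        problems.append("comment must be a string")
    elif len(comment) > MAX_COMMENT_LEN:
        problems.append("comment exceeds %d characters" % MAX_COMMENT_LEN)
    return problems


def render_comment(username, comment):
    """Validate first, then build the HTML fragment with encoded values."""
    problems = validate_comment(username, comment)
    if problems:
        raise ValueError("; ".join(problems))
    return '<p class="comment"><b>%s</b>: %s</p>' % (
        encode_for_html(username), encode_for_html(comment))


# Constructed sample input that contains markup.
SAMPLE = "Nice post <script>x()</script> <b>really</b>"

if __name__ == "__main__":
    print(render_comment("alice", SAMPLE))
    print(strip_script_tags(SAMPLE))
```

Running the block prints the encoded fragment, in which the comment's markup survives only as text, followed by the stripped version, which still contains the `<b>` element and shows how much a tag blacklist leaves behind.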

Cross site scripting (XSS) links to information

Useful resources explaining Cross Site Scripting (XSS) and how to code/guard against it.

CERT® Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests
http://www.cert.org/advisories/CA-2000-02.html

Cross-site Scripting (XSS)
http://www.owasp.org/index.php/Cross-site_scripting

Data Validation
http://www.owasp.org/index.php/Data_Validation

Reviewing Code for Cross-site scripting
http://www.owasp.org/index.php/Review_Code_for_Cross-site_scripting

XSS (Cross Site Scripting) Prevention Cheat Sheet
http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

OWASP Enterprise Security API
"OWASP Enterprise Security API Toolkits help software developers guard against security-related design and implementation flaws. Just as web applications and web services can be Public Key Infrastructure (PKI) enabled (PK-enabled) to perform for example certificate-based authentication, applications and services can be OWASP ESAPI-enabled (ES-enabled) to enable applications …

PCI Compliance - ColdFusion Debug Information

It should be blocked anyway, but it is a common finding during PCI compliance assessments that ColdFusion debug information can be displayed by appending mode=debug to any CF URL. To prevent this, limit the IPs that can access the debug information, preferably to 127.0.0.1 only:

Open CF administrator
Select "Debugging IPs"
Add 127.0.0.1
Remove all other IPs

Too many backup devices specified for backup or restore; only 64 are allowed

When you try to restore a database backup, the restore operation may fail. You may receive an error message that is similar to the following:

Server: Msg 3205, Level 16, State 2, Line 1
Too many backup devices specified for backup or restore; only 64 are allowed.
Server: Msg 3013, Level 16, State 1, Line 1
RESTORE DATABASE is terminating abnormally.

The message doesn't necessarily mean what it says. The following are possible causes:

You want to restore a database backup that spans across multiple backup devices, and you have not specified more than 64 backup devices.
You created the database backup on a computer that is running SQL Server 2000 Service Pack 3 (SP3) (Build 2000.80.869.0) or a later build of SQL Server 2000 SP3.
You try to restore the database backup on a computer that is running a build of SQL Server 2000 SP3 that is earlier than 2000.80.869.0.
You are trying to restore a database created in SQL Server 2005 or SQL Server 2008 to an instance of SQL Server 2000 - not mentione…

Change IDENTITY SEED using T-SQL

DBCC CHECKIDENT ({{TABLENAME}}, RESEED, {{NEW SEED}})

Be VERY careful to check the results of this command: it is possible to set the seed lower than the current maximum value of the identity column. If this is not checked and more records are inserted, you can run into serious trouble!

Converting Excel date format into System.DateTime

using System;

// Excel's 1900 date system counts 1 Jan 1900 as day 1 and wrongly treats
// 1900 as a leap year, so every serial above 60 is one day too high.
public static DateTime ConvertToDateTime(double excelDate)
{
    if (excelDate < 1)
    {
        throw new ArgumentException("Excel dates cannot be smaller than 1.");
    }
    DateTime dateOfReference = new DateTime(1900, 1, 1);
    if (excelDate > 60d)
    {
        excelDate = excelDate - 2; // skip the phantom 29 Feb 1900
    }
    else
    {
        excelDate = excelDate - 1; // serial 1 is the reference date itself
    }
    return dateOfReference.AddDays(excelDate);
}

http://www.clear-lines.com/blog/post/Converting-Excel-date-format-to-SystemDateTime.aspx
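As an added example (not the blog's or clear-lines.com's code), here is the same conversion in Python together with its inverse. It goes slightly beyond the C# snippet in two ways: the fractional part of a serial is treated as the time of day, and a datetime can be turned back into a serial. Serial 60, the non-existent 29 February 1900, collapses onto 1 March 1900 just as it does in the C# version.

```python
from datetime import datetime, timedelta

# Serial 1 is 1 January 1900 in Excel's 1900 date system.
EXCEL_EPOCH = datetime(1900, 1, 1)
# First real date after the phantom 29 February 1900.
FIRST_DAY_AFTER_PHANTOM = datetime(1900, 3, 1)


def excel_serial_to_datetime(serial):
    """Convert an Excel 1900-system serial (int or float) to a datetime.

    Excel, for Lotus 1-2-3 compatibility, treats 1900 as a leap year, so
    serial 60 is a day that never existed and every serial from 61 onward
    is one too high. The fractional part of the serial is the time of day.
    """
    if serial < 1:
        raise ValueError("Excel serials below 1 are not valid dates")
    serial = float(serial)
    if serial >= 61:
        days = serial - 2   # drop the phantom day
    else:
        days = serial - 1   # serial 1 is the epoch itself
    return EXCEL_EPOCH + timedelta(days=days)


def datetime_to_excel_serial(dt):
    """Inverse conversion: datetime to Excel 1900-system serial (float)."""
    if dt < EXCEL_EPOCH:
        raise ValueError("dates before 1 January 1900 have no Excel serial")
    days = (dt - EXCEL_EPOCH).total_seconds() / 86400.0
    # Dates from 1 March 1900 onward must count the phantom day as well.
    return days + (2 if dt >= FIRST_DAY_AFTER_PHANTOM else 1)


if __name__ == "__main__":
    # Constructed sample serials: a pre-bug date, a post-bug date with a
    # time component, and the round trip back.
    for serial in (1, 59, 61, 39448.5):
        dt = excel_serial_to_datetime(serial)
        print(serial, "->", dt, "->", datetime_to_excel_serial(dt))
```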

SAGE Line 50 2009 Install Problems With 'manager' login

A few of our clients have experienced problems with fresh installs of SAGE Line 50 where they have completed a clean install and cannot log in to the application using the default user "manager" and a blank password. This applies to both the new company data and the demo data. In each case the problem has been caused by denied access to the MS MachineKeys folder and/or a corrupt company setup file.

First try the following:
1. Browse to C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA
2. Right-click the MachineKeys folder and select Properties.
3. Select the Security tab
4. Ensure your user has at least Modify permissions on the folder.
5. Click Advanced
6. Tick the box for "Replace permission entries on all child objects…"
7. Select the Owner tab.
8. Ensure the owner is either your user or a group your user belongs to.
9. Click OK
10. Try to login to SAGE.

If the above fails:
1. Browse to C:\Documents and Settings\All Users\Application Dat…

How to loop through all files in a folder or directory tree

The code is fairly self explanatory:

using System;
using System.IO;

/// sourceDir = directory to scan, scanLvl = current scan level, maxLvl = how deep to scan, searchPattern = files to match
public static void ProcessFiles(string sourceDir, int scanLvl, int maxLvl, string searchPattern)
{
    if (scanLvl <= maxLvl)
    {
        string[] fileEntries = Directory.GetFiles(sourceDir, searchPattern);
        foreach (string fileName in fileEntries)
        {
            // do something with file
        }

        // Recurse into subdirectories, skipping reparse points (junctions and
        // symbolic links) so the scan cannot loop or wander outside the tree
        string[] subdirEntries = Directory.GetDirectories(sourceDir);
        foreach (string subdir in subdirEntries)
        {
            if ((File.GetAttributes(subdir) & FileAttributes.ReparsePoint) != FileAttributes.ReparsePoint)
            {
                ProcessFiles(subdir, scanLvl + 1, maxLvl, searchPattern);
            }
        }
    }
}
Thanks to Ohad for the starting point for this one.
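The same depth-limited scan in Python, added here as an example and not taken from the post or from Ohad's code. It keeps the security-relevant detail of the C# version, refusing to follow symbolic links (and Windows junctions where Python exposes `os.path.isjunction`, 3.12 and later) so a link pointing back up the tree cannot cause an endless walk or pull in files from outside the intended root. The sample tree it scans is constructed in a temporary directory.

```python
import fnmatch
import os
import tempfile


def _is_link(entry):
    """True for symbolic links and, on Python 3.12+ Windows, junctions."""
    if entry.is_symlink():
        return True
    isjunction = getattr(os.path, "isjunction", None)
    return bool(isjunction and isjunction(entry.path))


def process_files(source_dir, max_level, search_pattern="*"):
    """Return files under source_dir matching search_pattern.

    max_level bounds the descent: 0 scans only source_dir itself, 1 adds its
    immediate subdirectories, and so on. Links are never followed, so the
    result only ever contains files physically inside source_dir.
    """
    matched = []

    def walk(directory, level):
        if level > max_level:
            return
        with os.scandir(directory) as entries:
            for entry in sorted(entries, key=lambda e: e.name):
                if _is_link(entry):
                    continue  # reparse point: skip, do not follow
                if entry.is_dir(follow_symlinks=False):
                    walk(entry.path, level + 1)
                elif entry.is_file(follow_symlinks=False) and \
                        fnmatch.fnmatch(entry.name, search_pattern):
                    matched.append(entry.path)

    walk(source_dir, 0)
    return matched


def build_sample_tree():
    """Create a constructed directory tree for the example and return its root.

    Layout: a.txt, sub/b.txt, sub/deep/c.txt, sub/deep/d.log and, where the
    platform permits, a symlink 'loop' that points back at the root.
    """
    root = tempfile.mkdtemp(prefix="scan-example-")
    os.makedirs(os.path.join(root, "sub", "deep"))
    for rel in ("a.txt", "sub/b.txt", "sub/deep/c.txt", "sub/deep/d.log"):
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write("sample\n")
    try:
        os.symlink(root, os.path.join(root, "loop"), target_is_directory=True)
    except (OSError, NotImplementedError):
        pass  # symlink creation not permitted here; the walk is unaffected
    return root


def relative_matches(root, max_level, search_pattern="*"):
    """process_files with results relative to root, using '/' separators."""
    return [os.path.relpath(p, root).replace(os.sep, "/")
            for p in process_files(root, max_level, search_pattern)]


if __name__ == "__main__":
    root = build_sample_tree()
    for level in (0, 1, 2):
        print("max_level", level, relative_matches(root, level, "*.txt"))
```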