Thursday, 28 May 2009

Preventing XSS in ColdFusion

How to prevent cross-site scripting in ColdFusion. Useful page from The Dev Shack:
http://www.thedevshack.com/preventing-xss-cross-site-scripting-attacks-in-coldfusion/

Essentially:
  1. Enable Global Script Protection in your application. You can accomplish this by using the scriptProtect attribute in your Application.cfc.
  2. You can also globally enable script protection at the server level via the ColdFusion Administrator. Under settings check Enable Global Script Protection.
  3. Use HTMLEditFormat around ANY variables that contain user submitted input.
  4. Search for and remove any malicious data: replace script tags, etc. with nothing.
  5. Validate user submitted input on the server side. Check data types and lengths.

Cross site scripting (XSS) links to information

Useful resources explaining Cross Site Scripting (XSS) and how to code/guard against it.

CERT® Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests
http://www.cert.org/advisories/CA-2000-02.html

Cross-site Scripting (XSS)
http://www.owasp.org/index.php/Cross-site_scripting

Data Validation
http://www.owasp.org/index.php/Data_Validation

Reviewing Code for Cross-site scripting
http://www.owasp.org/index.php/Review_Code_for_Cross-site_scripting

XSS (Cross Site Scripting) Prevention Cheat Sheet
http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

OWASP Enterprise Security API
"OWASP Enterprise Security API Toolkits help software developers guard against security-related design and implementation flaws. Just as web applications and web services can be Public Key Infrastructure (PKI) enabled (PK-enabled) to perform for example certificate-based authentication, applications and services can be OWASP ESAPI-enabled (ES-enabled) to enable applications and services to protect themselves from attackers."
http://www.owasp.org/index.php/ESAPI

MS AntiXSS
"AntiXSS 3.0 helps you to protect your current applications from cross-site scripting attacks, at the same time helping you to protect your legacy application with its Security Runtime Engine. Working with customer and partner feedback, AntiXSS 3.0 incorporates radically and innovatively rethought features, offering you a newer, more powerful weapon against the often employed cross-site scripting (XSS) attack."
http://www.codeplex.com/AntiXSS

PCI Compliance - ColdFusion Debug Information

It should be blocked anyway, but a common finding when undergoing PCI compliance is that ColdFusion debug information can be displayed by appending mode=debug to any CF URL. To prevent this, limit the IPs that can access the debug information, preferably to 127.0.0.1 only:

  • Open CF Administrator
  • Select "Debugging IPs"
  • Add 127.0.0.1
  • Remove all other IPs

Friday, 22 May 2009

Mouse position on screen .NET

Use:

System.Windows.Forms.Cursor.Position

Thursday, 21 May 2009

Very helpful network utilities including SuperScan port scanner

More a note to myself! Free tools from Foundstone (a McAfee company) including port scanning, vulnerability scanning and stress testing:

http://www.foundstone.com/us/resources-free-tools.asp

Wednesday, 20 May 2009

SQL Server Network Utility Path

As I can never remember it, the path to the SQL Server network utility is:

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\SVRNETCN.exe

Monday, 18 May 2009

Too many backup devices specified for backup or restore; only 64 are allowed

When you try to restore a database backup, the restore operation may fail. You may receive an error message that is similar to the following:

Server: Msg 3205, Level 16, State 2, Line 1
Too many backup devices specified for backup or restore; only 64 are allowed.
Server: Msg 3013, Level 16, State 1, Line 1
RESTORE DATABASE is terminating abnormally.

The message doesn't necessarily mean what it says. The following are possible causes:

  • You want to restore a database backup that spans across multiple backup devices, and you have not specified more than 64 backup devices.
  • You created the database backup on a computer that is running SQL Server 2000 Service Pack 3 (SP3) (Build 2000.80.869.0) or a later build of SQL Server 2000 SP3.
  • You try to restore the database backup on a computer that is running a build of SQL Server 2000 SP3 that is earlier than 2000.80.869.0.
  • You are trying to restore a database created in SQL Server 2005 or SQL Server 2008 to an instance of SQL Server 2000 - not mentioned on Microsoft's support site but this was my problem!!
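An added check, not part of the original post, to tell the causes above apart: read the header of the backup file and compare the build that wrote it with the instance doing the restore. The file path is a placeholder.

```sql
-- Added example (not from the original post). The path is a placeholder; for a
-- backup striped over several devices list every one of them in FROM, e.g.
--   FROM DISK = 'D:\Backups\MyDb_1.bak', DISK = 'D:\Backups\MyDb_2.bak'
RESTORE HEADERONLY FROM DISK = 'D:\Backups\MyDatabase.bak';
-- Columns worth reading in the result set:
--   SoftwareVersionMajor  8 = SQL Server 2000, 9 = SQL Server 2005, 10 = SQL Server 2008
--   SoftwareVersionBuild  on a version 8 backup, 869 or later means a SQL Server 2000 SP3
--                         build of 2000.80.869.0 or later wrote it
--   DatabaseVersion       539 = SQL Server 2000, 611 or 612 = 2005, 655 = 2008

-- ...and the build of the instance attempting the restore, for comparison
SELECT SERVERPROPERTY('ProductVersion') AS ServerBuild,
       SERVERPROPERTY('ProductLevel')   AS ServicePackLevel;
-- A version 9 or 10 backup cannot be restored on a version 8 instance at all, and a
-- version 8 backup at build 869 or later needs a SQL Server 2000 instance at build 869 or later.
```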

Change IDENTITY SEED using T-SQL

DBCC CHECKIDENT ({{TABLENAME}}, RESEED, {{NEW SEED}})

Be VERY careful to check the results of this command: it is possible to set the seed lower than the current maximum value of the identity column. If this is not checked and more records are inserted, you can run into serious trouble!
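A safer way to apply the reseed, as an added example that is not from the original post: it compares the intended seed with the highest value actually present before calling DBCC CHECKIDENT. The table dbo.Orders and its identity column OrderID are assumed placeholders.

```sql
-- Added example (not from the original post): check the intended seed against the
-- highest value already in the table before reseeding. Table dbo.Orders and
-- identity column OrderID are placeholders; substitute your own.
DECLARE @NewSeed int, @MaxExisting int, @Before int;
SET @NewSeed = 1000;

SELECT @MaxExisting = ISNULL(MAX(OrderID), 0) FROM dbo.Orders;
SET @Before = IDENT_CURRENT('dbo.Orders');

IF @NewSeed < @MaxExisting
BEGIN
    -- The next insert would receive @NewSeed + 1, which falls inside the range
    -- of values already in use
    RAISERROR('Refusing to reseed dbo.Orders to %d: rows up to %d already exist.',
              16, 1, @NewSeed, @MaxExisting);
END
ELSE
BEGIN
    DBCC CHECKIDENT ('dbo.Orders', RESEED, @NewSeed);
    -- Confirm the change; the next inserted row normally gets @NewSeed + 1
    SELECT @Before AS IdentityBefore,
           IDENT_CURRENT('dbo.Orders') AS IdentityAfter,
           @MaxExisting AS MaxExistingValue;
END
```

Without a unique constraint or primary key on the identity column a collision is silent duplicate keys rather than an error, which is the serious trouble the post warns about.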

Converting Excel date format into System.DateTime

using System;

public static DateTime ConvertToDateTime(double excelDate)
{
    if (excelDate < 1)
    {
        throw new ArgumentException("Excel dates cannot be smaller than 1.");
    }
    // Excel serial 1 is 1 January 1900
    DateTime dateOfReference = new DateTime(1900, 1, 1);
    // Excel treats 1900 as a leap year, so serial 60 is the non-existent 29 February 1900
    // and every serial after it is one day too high
    if (excelDate > 60d)
    {
        excelDate = excelDate - 2;
    }
    else
    {
        excelDate = excelDate - 1;
    }
    // The fractional part of the serial is the time of day; AddDays preserves it
    return dateOfReference.AddDays(excelDate);
}


http://www.clear-lines.com/blog/post/Converting-Excel-date-format-to-SystemDateTime.aspx

Friday, 15 May 2009

SAGE Line 50 2009 Install Problems With 'manager' login

A few of our clients have experienced problems with fresh installs of SAGE Line 50 where they have completed a clean install and cannot log in to the application using the default user "manager" and a blank password. This applies to both the new company data and the demo data. In each case the problem has been caused by denied access on the MS MachineKeys folder and/or a corrupt company setup file.

First try the following:
1. Browse to C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA
2. Right-click the MachineKeys folder and select Properties.
3. Select the Security tab
4. Ensure your user has at least Modify permissions on the folder.
5. Click Advanced
6. Tick the box for "Replace permission entries on all child objects…"
7. Select the Owner tab.
8. Ensure the owner is either your user or a group your user belongs to.
9. Click OK
10. Try to log in to SAGE.

If the above fails:
1. Browse to C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
2. Locate a key file with a name beginning 333
3. Right-click the file and select Properties.
4. Select the Security tab.
5. Ensure your user has at least Modify permissions on the file.
6. Click Advanced
7. Select the Owner tab.
8. Ensure the owner is either your user or a group your user belongs to.
9. Click OK
10. Try to log in to SAGE.

We have seen a case where, before attempting the above steps, there is a long delay whilst SAGE checks the login details, but after completing the above steps SAGE almost immediately returns with an access denied message. If this happens it is likely you have resolved the permissions issues but now have a corrupt company setup file. If this is the case, and ONLY IF you have not entered any information in the company file that you would like to keep:

1. Browse to C:\Documents and Settings\All Users\Application Data\Sage\Accounts\2009\Company.000
2. Rename the AccData folder as old_AccData
3. Create a new folder named AccData
4. Launch SAGE
5. The application will start with the option to setup a new company. Complete the wizard.
6. You will now be presented with a login prompt. Log in with username "manager" and a blank password; you should be able to access the application.

Friday, 1 May 2009

How to loop through all files in a folder or directory tree

The code is fairly self-explanatory:

using System.IO;

// sourceDir = directory to scan, scanLvl = current scan level, maxLvl = how deep to scan,
// searchPattern = files to match
public static void ProcessFiles(string sourceDir, int scanLvl, int maxLvl, string searchPattern)
{
    if (scanLvl <= maxLvl)
    {
        string[] fileEntries = Directory.GetFiles(sourceDir, searchPattern);
        foreach (string fileName in fileEntries)
        {
            // do something with file
        }

        // Recurse into subdirectories, skipping reparse points (junctions and symbolic links)
        // so the walk cannot loop back on itself or wander outside the tree
        string[] subdirEntries = Directory.GetDirectories(sourceDir);
        foreach (string subdir in subdirEntries)
        {
            if ((File.GetAttributes(subdir) & FileAttributes.ReparsePoint) != FileAttributes.ReparsePoint)
            {
                ProcessFiles(subdir, scanLvl + 1, maxLvl, searchPattern);
            }
        }
    }
}

Thanks to Ohad for the starting point for this one.