Thoughts, ideas, tips, musings, and pontifications (not necessarily in that order) by Ben Forta ...
NOTE: This is my personal blog, and the opinions and statements voiced here are my own.

July 23, 2008

Lynda.com Releases New AIR For Flex Developers Course

Lynda.com has released a new course by David Gassner entitled AIR for Flex Developers. This course looks at how Flex Builder 3 and the Flex 3 framework can be used to build cross-system desktop applications with Adobe AIR, and covers every point of integration with the host operating system, including working with the local file system, creating and maintaining local databases, and managing native windows and menus.


Hacker Webzine Recommends Use Of CFQUERYPARAM

I've been debating posting this for the past few days. But, as it does not really disclose anything more than has been publicly discussed as of late (on this blog and elsewhere), and as it actually makes useful suggestions pertaining to securing ColdFusion (specifically from SQL injection attacks), here goes ...

Last week, 0x000000 # The Hacker Webzine posted an entry entitled Attacking ColdFusion. The post primarily describes SQL injection attacks, explains the danger inherent in not using <CFQUERYPARAM>, and shows the right way to use the tag. It also notes:

The cfqueryparam is generally secure because it utilizes a prepared statement, that is always bound as a string, which in turn is nearly not exploitable. But, many ColdFusion applications do not use the cfqueryparam mainly because developers do not know about this, and also because this feature came only into being with later versions of ColdFusion.

I strongly recommend that you read this post, if for no other reason than to reinforce the reality that this risk is publicly known and being exploited, and to remind yourself (and your managers, coworkers, clients, etc.) that you must address this potential vulnerability immediately!
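To make the point concrete, here is an added example (it is not code from this post or from the 0x000000 article) showing the unparameterized query pattern the article warns about next to the same queries written with <CFQUERYPARAM>. The datasource name "shop", the "products" table and its columns, and the request variables are placeholders chosen for the illustration.

```cfml
<!--- Added example; not from the original post. The datasource "shop" and the
      table products(id, name, price) are placeholders assumed for this illustration. --->

<!--- RISKY: the request value is pasted straight into the SQL text, so whatever
      the client sends is interpreted by the database as part of the statement. --->
<cfquery name="getProductUnsafe" datasource="shop">
    SELECT id, name, price
    FROM products
    WHERE id = #url.id#
</cfquery>

<!--- SAFE: <cfqueryparam> turns this into a prepared statement. The value travels
      to the driver as a bound parameter, never as SQL text, and cfsqltype makes
      ColdFusion reject a non-integer value before the query is ever sent. --->
<cfquery name="getProduct" datasource="shop">
    SELECT id, name, price
    FROM products
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String input: bind as varchar; maxlength caps what the database is asked to match.
      The LIKE wildcards are part of the bound value, not of the SQL text. --->
<cfquery name="findProducts" datasource="shop">
    SELECT id, name, price
    FROM products
    WHERE name LIKE <cfqueryparam value="%#form.q#%"
                                  cfsqltype="cf_sql_varchar"
                                  maxlength="50">
</cfquery>

<!--- IN clauses are the case most often left unparameterized;
      list="true" binds every element of the comma-separated list separately. --->
<cfquery name="getSelected" datasource="shop">
    SELECT id, name, price
    FROM products
    WHERE id IN (<cfqueryparam value="#form.ids#"
                               cfsqltype="cf_sql_integer"
                               list="true">)
</cfquery>

<!--- Caveat: a bound parameter can only stand in for a value. Identifiers such as
      column names in ORDER BY cannot be parameterized, so check them against an
      allow list and fall back to a fixed default for anything else. --->
<cfset allowedSort = "name,price">
<cfset sortColumn  = listFindNoCase(allowedSort, url.sort) ? url.sort : "name">
<cfquery name="listProducts" datasource="shop">
    SELECT id, name, price
    FROM products
    ORDER BY #sortColumn#
</cfquery>
```

The first block is the shape to search for in an existing code base: any `#variable#` appearing inside a `<cfquery>` body without a surrounding `<cfqueryparam>`. Replacing it with the bound form also gives you a type check for free, since a value that does not fit the declared cfsqltype raises an error instead of reaching the database.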

The 0x000000 post was also referred to yesterday by the ScanSafe STAT Blog, in an entry noting that monitoring in recent days indicates that ColdFusion is now the target of an attack that had previously been aimed at SQL Server-powered ASP sites.

  © Copyright 1997-2008 Ben Forta, All Rights Reserved