
WhosOnCFC SQL Attack View

I suppose I will go ahead and post the complete code for my SQL Attack page. I posted the first bit yesterday afternoon, but I have added in some other details.

For a sample of the output you can see my SQL Attacks page.


Google-Analytics and WhosOnCFC

It would appear GA works almost too well sometimes. I have noticed WhosOnCFC getting reset quite often. Since I generally come up with outlandish URL parameters to reset WhosOnCFC, the chances of someone actually guessing the URL string are very slim. Half the time I do not remember it myself. You can imagine my surprise seeing it reset.

Well, GA did not have to worry about guessing it since it was tracking activity on the site as well. Every time I passed a new URL param, it would see it and then send out a crawler every so often, hence my (or our) problem.

There are several ways to address the problem, but I decided on just making a plain page and deleting the object like so:

<cfset structDelete(application,"whoson") />

Now when I need to reset, I just go directly to that page and the component will be reinitialized the next time a regular page is loaded. Also, I removed the URL parameter from application.cfm so no more errant bots could reset the component.
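One way to build that reset page so a crawler following the link cannot trigger it, as an added example rather than the post's own page; the component path and the init() call are assumptions, not WhosOnCFC's real API:

```cfml
<!--- reset.cfm: only honour the reset when the request comes from the
      server itself, so a bot or a guessed URL cannot clear the object. --->
<cfif CGI.REMOTE_ADDR NEQ "127.0.0.1">
    <cfheader statuscode="403" statustext="Forbidden" />
    <cfabort />
</cfif>
<cflock scope="application" type="exclusive" timeout="10">
    <cfset structDelete(application, "whoson") />
</cflock>
<cfoutput>WhosOnCFC will be reinitialized on the next regular page request.</cfoutput>

<!--- application.cfm: lazy reinitialization with no URL parameter involved.
      "whoson" and init() are placeholders for the real component. --->
<cfif NOT structKeyExists(application, "whoson")>
    <cflock scope="application" type="exclusive" timeout="10">
        <!--- Check again inside the lock so two concurrent requests
              do not both create the object. --->
        <cfif NOT structKeyExists(application, "whoson")>
            <cfset application.whoson = createObject("component", "whoson").init() />
        </cfif>
    </cflock>
</cfif>
```

Behind a reverse proxy CGI.REMOTE_ADDR is the proxy's address, so there the address check should be replaced with whatever admin login the site already has.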

On a slightly related note, the code on RIAForge has been updated to include the fix for the issue I reported last week.

I Forgot My Line...

Okay, I suppose it happens to the best of us every now and then, but it happens to me quite a bit. I noticed a bit of a snag with the way WhosOnCFC was handling user authentication.


WhosOnCFC 2.2.1 Released to RIAForge

Well, I promised Brian Rinaldi I would quit spamming out updates, but he does do a rather good job of keeping up.  This will be my last one for a while, I promise! :)

As I posted about yesterday, there was a potential way for WhosOnCFC to be exploited that I have never seen, but that is not to say it could never happen.  The method in question involves someone replacing the user-agent sent by the browser with potentially malicious JavaScript code that would execute when the client information is rendered.  I tested this on a CF8 server with script protection enabled and it threw an exception.  I do not have access to prior versions of ColdFusion, but for argument's sake I now scrub all potential HTML and JavaScript tags from the user-agent string.
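The scrub described above, plus the second layer a practitioner would want (encoding on output), as an added example that is not WhosOnCFC's own code; the sample user-agent value is constructed:

```cfml
<!--- Remove anything shaped like an HTML or script tag from the user-agent
      before it is stored, and cap its length. --->
<cfscript>
function scrubUserAgent(ua) {
    var clean = trim(reReplaceNoCase(ua, "<[^>]*>", "", "all"));
    if (len(clean) GT 512) clean = left(clean, 512);
    return clean;
}
</cfscript>

<!--- Constructed sample standing in for CGI.HTTP_USER_AGENT --->
<cfset rawUA = "Mozilla/5.0 (compatible) <b>not a real browser</b>" />
<cfset storedUA = scrubUserAgent(rawUA) />

<cfoutput>
    <!--- Unsafe pattern: an untrusted string dropped straight into the page --->
    <p>Raw: #rawUA#</p>
    <!--- Safe pattern: encode on output even though the value was scrubbed --->
    <p>Scrubbed and encoded: #htmlEditFormat(storedUA)#</p>
</cfoutput>
```

Tag stripping on its own has gaps, since a regex cannot recognise every malformed tag, so the output encoding is the part to keep; on ColdFusion 10 and later encodeForHTML() is the stronger choice.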

One user asked for the ability to ignore hits by a specific IP address and that has been addressed in this version.  I added the ignoreIPs option to the configuration attribute collection.  This is just a CSV list of the full IP address(es) that you do not wish to be tracked.

One final note: the total time to track active user sessions and bot sessions (if the showBots=true setting is enabled) can now be set in the configuration attribute collection as well.  Again, I had a user who said memory usage on their server jumped up when WhosOnCFC was installed, which was one of the main reasons for being able to adjust the tracking time.  I do not have access to a profiler, but I have spent quite a bit of time trying to make sure WhosOnCFC has the smallest memory footprint possible.  This was a web site that was making quite a few asynchronous calls, so another good way to cut down on the memory usage would be to reduce the amount of time page history is stored.  But in the interest of full disclosure, I think I would be doing everyone a huge disservice if I kept that to myself.

I updated the documentation to reflect the current changes.  Questions, comments, or even complaints are welcome, as always.

A Few Thoughts

Well, it would seem the new release of WhosOnCFC has gone off without a hitch.  I have not had a torrent of bug reports coming in, so I assume the code is fairly stable.

With the flood of SQL injection attacks aimed at ColdFusion recently, security has been a major concern of mine.  Several people have voiced concerns about my not using CFQueryParam in the component.  Since WhosOnCFC runs completely independent of databases, I do not see this being a huge issue.  The core of the component is an array of structures which has a function to convert the stored information into a query on the fly.

I was speaking to Joshua about security concerns this morning and he did bring up one possible exploit that could be used, but it is something I have never seen before.  I intend on getting this patched up quickly and I will release the details once it is done.

Better Late than Never?

Well, I had intended on getting WhosOnCFC and documentation uploaded to RIAForge yesterday.  Unfortunately, torrential downpours and lightning storms were playing havoc with my internet connection, which is spotty at best even on an ideal day.  Needless to say, it never got done yesterday, but I did get it knocked out this afternoon.

I tried to make sure to cover all the topics in the documentation that I knew to be potential problems, such as configuring the component, getting it set up to actually track sessions, and finally getting the utility applications working if moved from their default locations.  Really the CF8 viewer utility was my main concern, since the timeline utility will work no matter where it falls under your web root.

I am working on a guide for inserting custom fields in case you have site specific information you would like it to track.  It is pretty simple to do, but then again I wrote the component so my opinion may be a little biased.  I will update the docs as soon as I get it all worked out.

WhosOnCFC 2.2.0 Documentation Finished Up

I finally got around to writing the documentation for the new release. I will get the finalized package zipped up and uploaded to RIAForge after church this afternoon, but if anyone is interested in the meantime, I will attach it to this post.

Hope everyone is having a great weekend.

RIAForge is Down :(

I was planning on releasing WhosOnCFC 2.2.0 later on today, but I have not had a chance to finish up the documentation.  The way my schedule is shaping up, the chances are slim of that happening today.  If there are a few brave souls out there who would like to tinker around with the pre-release you can find it in my downloads section here: http://www.kisdigital.com/downloads/.  As soon as the docs are finished I will upload the release version to RIAForge, but the code should be stable.

If anyone encounters any problems please let me know.

WhosOnCFC 2.2.0 to be Released Friday

Well, it has been an extremely busy blogging day for me.  Four posts in one day...  unheard of.

At any rate, instead of banging out an update every day or every other day, I have spent quite a bit of time to make sure I have all my ducks in a row before I publicly release this version.  There have been quite a few changes made in this version.  Some of the changes you can expect:


A Stop Gap Measure for Current SQL Injection

Okay, we all know the best way to secure a query is the use of a CFQueryParam statement.  I sent off a quick IM to a friend of mine today telling him I had a few attacks on my site and it would behoove him to make sure he battens down all the hatches.  I know he has quite a few sites, and as he was in a panic I looked around to help him find a quick solution.

After reading Mark Kruger's article SQL Injection Part II (Make Sure You Are Sitting Down) I came up with something quick that is inelegant, but it works for this attack method.

Just add the following code to the top of your application.cfm file (or the appropriate section in application.cfc).

<cfif len(CGI.QUERY_STRING) AND findNoCase("declare", CGI.QUERY_STRING)>
    <!--- Insert some cheeky comments here --->
    <cfabort />
</cfif>

I DO NOT suggest using this for very long, but it could buy you some time if you need to update some queries.
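The same stop gap as an onRequestStart() handler for Application.cfc, with logging so the blocked requests can be reviewed later; this is an added example, not the post's own code, and the log file name is an assumption:

```cfml
<cfcomponent output="false">
    <cfset this.name = "exampleApp" />

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true" />

        <!--- Same test as the application.cfm version: block any query string
              containing the word "declare", which this attack method used. --->
        <cfif len(CGI.QUERY_STRING) AND findNoCase("declare", CGI.QUERY_STRING)>
            <!--- Record what was blocked. The CGI values are written as-is,
                  so treat the log itself as untrusted input when viewing it. --->
            <cflog file="sqlinjection" type="warning"
                   text="Blocked #CGI.REMOTE_ADDR# on #arguments.targetPage#: #CGI.QUERY_STRING#" />
            <cfheader statuscode="403" statustext="Forbidden" />
            <cfabort />
        </cfif>

        <cfreturn true />
    </cffunction>
</cfcomponent>
```

The match is a plain substring test, so a legitimate request such as ?q=declaration is blocked too; that false-positive rate is one more reason it is a stop gap until the queries themselves use CFQueryParam.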


Layout: Shane Zehnder ::: BlogCFC was created by Raymond Camden. ::: This blog is running version 5.9.