protect your coldfusion site against sql injection attacks

As of this writing, a particularly virulent SQL injection spider attack is largely targeting sites running ColdFusion.

Here’s how the attack appears in server logs:

[Screenshot: SQL injection code as it appears in the server log]

The code creates a cursor of all the user tables and all the character columns in the database. It then appends a string to each of the columns, making an ungodly mess.

Mark Kruger’s post goes into a great deal of helpful detail about how this spider operates. If you do a Google search on this attack, you will quickly get a feeling for how widespread this is.

If your site is getting hammered and you need to buy time while you fix vulnerable code, there are scripts, such as the one posted in ColdFusion Developer’s Journal on August 8, 2008, that can be modified to block this most recent attack.

Be aware that this only buys time. The most effective course is to make sure your queries are protected with cfqueryparam. Ben Forta’s primer on cfqueryparam provides a very good start on protecting code from SQL injection scripts. While you’re fixing your queries, don’t forget the ORDER BY clause, another frequently overlooked vulnerability.
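To make the cfqueryparam advice concrete, here is an added example (not code from this post, from Ben Forta’s primer, or from any of the linked articles). It shows a query that splices request input straight into SQL, the same query protected with cfqueryparam, and an ORDER BY clause handled with a column whitelist, since bind parameters cannot be used for identifiers. The datasource name “myDSN”, the “articles” table and the url parameters are constructed for the example.

```cfml
<!--- Constructed example: datasource "myDSN", table "articles" and the url parameters
      are assumptions for illustration, not from the original post. --->
<cfparam name="url.id" default="1">
<cfparam name="url.status" default="published">

<!--- BEFORE: the request value becomes part of the SQL text. Whatever is in url.id
      is executed as SQL, which is exactly what the spider attack exploits. --->
<cfquery name="qBad" datasource="myDSN">
    SELECT id, title, body
    FROM articles
    WHERE id = #url.id#
</cfquery>

<!--- AFTER: cfqueryparam sends the value as a typed bind parameter, so the database
      never interprets it as SQL. cf_sql_integer also rejects non-numeric input
      outright, and maxlength caps the size of string parameters. --->
<cfquery name="qGood" datasource="myDSN">
    SELECT id, title, body
    FROM articles
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
      AND status = <cfqueryparam value="#url.status#" cfsqltype="cf_sql_varchar" maxlength="20">
</cfquery>

<!--- ORDER BY cannot take a bind parameter, so the column name must never come from
      the request directly. Map the requested value onto a fixed whitelist and fall
      back to a safe default when it does not match. --->
<cfset allowedSortColumns = "id,title,published">
<cfset sortColumn = "id">
<cfif structKeyExists(url, "sort") and listFindNoCase(allowedSortColumns, url.sort)>
    <!--- Use the canonical spelling from the whitelist, not the raw request string --->
    <cfset sortColumn = listGetAt(allowedSortColumns, listFindNoCase(allowedSortColumns, url.sort))>
</cfif>

<!--- Same treatment for the sort direction: only two literal outcomes are possible --->
<cfset sortDirection = "ASC">
<cfif structKeyExists(url, "dir") and url.dir eq "desc">
    <cfset sortDirection = "DESC">
</cfif>

<cfquery name="qSorted" datasource="myDSN">
    SELECT id, title, published
    FROM articles
    WHERE status = <cfqueryparam value="#url.status#" cfsqltype="cf_sql_varchar" maxlength="20">
    ORDER BY #sortColumn# #sortDirection#
</cfquery>
```

The whitelist pattern is the only safe way to let users pick a sort column: even after every WHERE clause is parameterized, a raw `ORDER BY #url.sort#` leaves the query just as injectable as before.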

Checking all your queries can be time-consuming if you have a large amount of ColdFusion code to wade through, not to mention nerve-racking if you are doing so while the attacks are rolling in. Fortunately there are tools such as QueryParam Scanner that will peruse your code and return a list of any unprotected queries. Unzip this application and place it in a directory in the Web root of your development server. Go to the application in a Web browser, follow its directions, and you will quickly have a report of any vulnerable queries.

how content delegation and web-standards compliancy are reflected in your site stats

[Screenshot of the DAS Web site]

What does it take to be successful on the Web? The answer to that is simple and yet not so simple: Provide relevant information. Make it easy to discover… >>> Read the rest of this guest article on Dr. Terry Etherton’s blog at blogs.das.psu.edu/tetherton.

migrating your site to plone

The following presentation, “Migrating Your Site to Plone” was given at the Penn State Web Conference on June 9, 2008. You may view a screencast of the presentation slides accompanied by audio of the speakers, or just listen to the audio.

Screencast: play screencast

Podcast: listen to podcast

subscribe

an example proposal for adopting plone

This proposal is loosely based on what I wrote for my own shop. However, I am fortunate to work in a highly clueful department. Making the case for adopting an open-source enterprise-level content management system was not an arduous task.

Frequently, potential adopters of Plone at universities tell me that they have a difficult time convincing administration within their organizations that Plone — or any open-source content management system, for that matter — is worth the investment of time and effort. Or in the case of Penn State’s WebLion services, any consulting fees that may be involved.

With that in mind, I’m sharing the following example proposal for adopting Plone at the university department level. If you are striving to convince your organization to adopt Plone, feel free to make use of any part of this material for your own justification.
Read the rest of this entry »

always crashing in the same car: recurring misuses of higher education web sites - replicate, replicate, replicate

Aside from the usual reasons why it’s silly to duplicate static content from Web page to Web page, here is yet another: Read the rest of this entry »

always crashing in the same car: recurring misuses of higher education web sites - the user feedback myth

Soliciting Web site user feedback. Posting online surveys. E-mailing listservs. Pulling together focus groups. Is this the long and the short of the plan for gauging the effectiveness of your Web site?

If so, you will be rewarded with a wide scattershot of commentary, much of which is neither accurate nor usable. Read the rest of this entry »

capturing usability testing information using screen-capture software

While usability testing lab software and equipment is great if you have it, screen-capture software can take you pretty far in recording usability test data and sharing it with others. Read the rest of this entry »

ubuntu and vmware

Following is an excellent article on configuring Ubuntu as a VMware host:

creating podcasts with audacity

I gave a workshop on using Audacity sound editing software for creating podcasts in Penn State’s College of Agricultural Sciences on September 12. This way to my presentation materials.

And this way to some excellent tutorial videos on using Audacity, by Jason Van Orden. These videos provided all the information I needed to get started with Audacity. While GarageBand is my preferred tool for podcasting and informal music recording, Audacity is a respectable open-source alternative.

an informal usability study of plone.org

The following series of videos are of an informal usability study that I conducted using plone.org as the subject. These videos were captured using Camtasia screen recorder…
Read the rest of this entry »
