Viewing Category: Windows
Many people, right or wrong, deploy CFML applications to the web server by performing a checkout from a source code control system, such as Subversion or Git. This has the effect of placing repository information in directories with the rest of the files; ${APPROOT}/**/.svn and ${APPROOT}/.git, for example. It's possible that this repository information (containing the code in plain-text and configuration files) will be exposed by the web server. That would be bad.
Whether the repository data is visible to an HTTP client depends on several factors: the OS, the web server and configuration, the directory and file permissions and OS- and filesystem-specific attributes. Probably the two most common environments are Windows with IIS and Linux with Apache. In the first case, IIS by default is configured to hide files and directories with the NTFS hidden attribute. Since both Subversion and Git create their repository directories with this flag enabled, the default scenario on Windows/IIS is safe. However, the same is not true for Linux/Apache (or Apache on Windows, for that matter).
Apache has always shipped, to the best of my knowledge, with a server-wide directive to prevent disclosing .htaccess and .htpasswd files:
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
It's not enough, I'm afraid, to remove the "ht" from the regex. To properly secure the SCCS artifacts, I like to use the trusty mod_rewrite module:
RewriteRule /(\.svn|\.git)/.* - [L,F]
And while I'm on the topic of using mod_rewrite to secure an application, here are some rules I use to prevent any similar shenanigans:
RewriteRule ^/app/(config|filters|listeners|plugins|properties|views)/.* - [L,F]
RewriteRule ^/(MachII|MachIIDashboard|coldspring|transfer|cfpayment)/.* - [L,F]
RewriteRule ^/(db|gen|model|taglib)/.* - [L,F]
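Why removing the "ht" is not enough, as an added example that is not part of the original post: Apache applies <FilesMatch> only to the final component of the file name, so a file inside .svn or .git never matches, while the RewriteRule patterns see the whole URL path. The request paths are constructed, and Python's re module stands in for Apache's PCRE matching.

```python
import posixpath
import re

# The page's mod_rewrite rules (server context: matched against the URL path).
REWRITE_FORBID = [
    r"/(\.svn|\.git)/.*",
    r"^/app/(config|filters|listeners|plugins|properties|views)/.*",
    r"^/(MachII|MachIIDashboard|coldspring|transfer|cfpayment)/.*",
    r"^/(db|gen|model|taglib)/.*",
]
# The shipped FilesMatch pattern, and the same pattern with "ht" removed.
FILESMATCH_SHIPPED = r"^\.ht"
FILESMATCH_NO_HT = r"^\."
# Constructed request paths for illustration.
SAMPLE_PATHS = [
    "/.htaccess",
    "/.git/config",
    "/admin/.svn/entries",
    "/app/config/settings.xml",
    "/MachII/framework/AppManager.cfc",
    "/index.cfm",
]


def filesmatch_denies(url_path, pattern):
    """<FilesMatch> tests only the last path component (the file's basename)."""
    return re.search(pattern, posixpath.basename(url_path)) is not None


def rewrite_forbids(url_path, rules=REWRITE_FORBID):
    """A RewriteRule with [F] answers 403 when its pattern matches the URL path."""
    return any(re.search(rule, url_path) for rule in rules)


def audit(paths):
    """Map path -> (denied by FilesMatch without "ht", forbidden by rewrite)."""
    return {p: (filesmatch_denies(p, FILESMATCH_NO_HT), rewrite_forbids(p)) for p in paths}


if __name__ == "__main__":
    for path, (fm, rw) in audit(SAMPLE_PATHS).items():
        print(f"{path:36} FilesMatch(no ht)={fm!s:5} RewriteRule[F]={rw}")
```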
Please feel free to comment. Oh wait, I'm lame and haven't enabled comments on this blog. I suppose you could send them to @jlamoree instead.
Last week I wrote a Perl script called listening.pl that displays the executable filename of every process listening for, or with active, TCP connections. It turns out that when a process has been terminated, there can be a bit of time before the socket is cleaned up. In this situation, netstat will show that process number zero created the socket. Doing a lookup on PID 0 returned unexpected data. I just checked in a version of the script that correctly handles stale sockets.
Perl, Windows | Posted 10/12/09 @ 9:59 AM by Joseph Lamoree
Many years ago, I used a terminal application on Windows (I believe it was Windows NT 4.0) called SecureCRT. That worked very well to connect to all my FreeBSD/Linux/Sun boxes over SSH. I've used PuTTY before too, and it's a fine application. However, neither of these provides a good command line environment (shell) on the local machine; I still used C:\WINNT\system32\cmd.exe. I had forgotten until just a moment ago (when @stevenerat asked about it, and @carehart replied), but there is a property called "Quick Edit Mode" that will change the behavior of selecting text in the console window. That's good, but there are two way better fixes that can be applied to Windows for people that love the command line.
First, do yourself a favor and install Cygwin if you haven't already.
Console2 - This open source project provides a very clean wrapper for the standard Windows shell, or the Cygwin version of Bash. It supports tabbed windows with a mixture of different configuration settings. Its default for selecting and copying text from the console is left-shift and left-mouse click and drag; pressing enter copies to the clipboard. It's very lightweight and only requires dropping a single directory to the system. There is no installer to run. The current version is only a few months old. Download the binary distribution from SourceForge: Console2
Ponderosa - This is also an open source project, however it doesn't seem that any work has been done since 2006. Still, it functions well and has lots of configuration options. The default copy/paste keystrokes are ALT + C/V, which will feel more familiar to Mac users. It's based on .NET 2.0, which may or may not be appealing to you. It supports plugins, although I haven't looked to see what is available. The English version of their website is en.ponderosa.org.
While trying to get the line debugger in ColdFusion Builder to work with an installation of ColdFusion 9, I wanted to verify which processes were listening for TCP connections on my Windows XP workstation. I started by using the netstat utility in C:\WINDOWS\system32\ to show the IP and port of each connected endpoint, and the local process identifier. This is useful, but somewhat cumbersome to translate into recognizable application names. Here's a sample of its output:
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 3772
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 1988
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:1117 127.0.0.1:4331 ESTABLISHED 3980
TCP 127.0.0.1:1130 0.0.0.0:0 LISTENING 1264
TCP 127.0.0.1:1208 127.0.0.1:20345 ESTABLISHED 640
TCP 127.0.0.1:1217 127.0.0.1:20345 ESTABLISHED 3000
TCP 127.0.0.1:4331 0.0.0.0:0 LISTENING 504
Using the process utility from Cygwin, it's possible to list all of the running processes. It has some quirks when showing Windows information, but it works. Here's a sample of that information:
PID TTY STIME COMMAND
4 ? Apr 22 *** unknown ***
1412 ? 09:03:14 \SystemRoot\System32\smss.exe
1528 ? 09:03:17 \??\C:\WINDOWS\system32\csrss.exe
1552 ? 09:03:22 \??\C:\WINDOWS\system32\winlogon.exe
1600 ? 09:03:24 C:\WINDOWS\system32\services.exe
1612 ? 09:03:24 C:\WINDOWS\system32\lsass.exe
1812 ? 09:03:25 C:\WINDOWS\system32\nvsvc32.exe
1152 ? 09:03:28 C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
1908 ? 09:03:32 C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
752 ? 09:03:33 C:\WINDOWS\system32\spoolsv.exe
1860 ? 09:03:42 C:\WINDOWS\system32\svchost.exe
1320 ? 09:03:43 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
I needed to merge the two sources of information together. I started in the shell by chaining a few tools together, but it became awkward and inefficient. I switched to Perl, and hacked together a script that produces output like this:
Connections: 25
3772: 0.0.0.0:80 0.0.0.0:0 C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
1988: 0.0.0.0:135 0.0.0.0:0 C:\WINDOWS\system32\svchost.exe
4: 0.0.0.0:445 0.0.0.0:0 Windows System Process
3748: 10.0.1.169:1402 74.125.19.147:80 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
3464: 10.0.1.169:1520 204.2.160.49:80 c:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
3316: 10.0.1.169:1538 10.0.1.2:1025 C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
652: 10.0.1.169:1828 205.188.1.113:5190 C:\Program Files\Pidgin\pidgin.exe
Don't overlook how beautifully the IP and port are aligned. :) The source is available in my Subversion repository as listening.pl.
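The merge described above, including the stale-socket case from the earlier post about PID 0, as an added Python example; it is not the author's listening.pl. The sample input is constructed in the two formats the page shows, and the label printed for PID 0 is this example's own choice.

```python
import re

# Constructed samples in the two formats the page shows.
NETSTAT = """\
  Proto  Local Address      Foreign Address    State        PID
  TCP    0.0.0.0:80         0.0.0.0:0          LISTENING    3772
  TCP    0.0.0.0:445        0.0.0.0:0          LISTENING    4
  TCP    127.0.0.1:1117     127.0.0.1:4331     ESTABLISHED  3980
  TCP    10.0.1.169:1402    10.0.1.2:80        TIME_WAIT    0
"""
PS = r"""
  PID TTY    STIME COMMAND
    4 ?     Apr 22 *** unknown ***
 1528 ?   09:03:17 \??\C:\WINDOWS\system32\csrss.exe
 3772 ?   09:05:40 C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
"""

NETSTAT_ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
# STIME is HH:MM:SS or "Mon DD"; COMMAND runs to end of line and may hold spaces.
PS_ROW = re.compile(r"^\s*(\d+)\s+\S+\s+(?:\d\d:\d\d:\d\d|[A-Z][a-z]{2}\s+\d+)\s+(.+?)\s*$")
# PIDs that never resolve to an executable. The PID 0 label is this example's choice.
SPECIAL = {0: "(stale socket, owning process has exited)", 4: "Windows System Process"}


def parse_processes(ps_text):
    """Map PID -> executable path, dropping the leading NT object prefix."""
    procs = {}
    for m in filter(None, map(PS_ROW.match, ps_text.splitlines())):
        path = m.group(2)
        procs[int(m.group(1))] = path[4:] if path.startswith("\\??\\") else path
    return procs


def merge(netstat_text, ps_text):
    """Return (pid, local, remote, state, owner) for every TCP row."""
    procs = parse_processes(ps_text)
    rows = []
    for m in filter(None, map(NETSTAT_ROW.match, netstat_text.splitlines())):
        local, remote, state, pid = m.group(1), m.group(2), m.group(3), int(m.group(4))
        owner = SPECIAL.get(pid) or procs.get(pid, "(no matching process)")
        rows.append((pid, local, remote, state, owner))
    return rows


def render(rows):
    """Pad the address columns so they line up, as in the output shown above."""
    wl = max(len(r[1]) for r in rows)
    wr = max(len(r[2]) for r in rows)
    return [f"{r[0]:>5}: {r[1]:<{wl}} {r[2]:<{wr}} {r[4]}" for r in rows]
```

Calling render(merge(NETSTAT, PS)) returns the formatted lines; a socket whose PID has no entry in the process list is reported as "(no matching process)" rather than being dropped.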
In the virtual machine running Windows XP on my Mac Pro, the update mechanism stopped working after performing the Windows XP SP3 install. I tried all sorts of things to get it working again. Finally, I hit a solution in Microsoft KB #943144. Registering the DLL manually did the trick. Now I can test sites with MSIE 7.x. I doubt my blog will be picked up by search engines to help anybody else, but it's worth a shot.
Windows | Posted 8/9/08 @ 1:56 AM by Joseph Lamoree