Passionate about Software

Something that has been on my mind for a long time is the concept of being passionate about software. I often use this to measure how good software is before I buy it. If a company is not passionate about their software (according to a few metrics I've come up with), then I don't want to use their product. So how do I know if they are passionate? Here are a few things I look for:

[More]

CartWeaver SQL Injection holes

The ColdFusion version of CartWeaver has some security vulnerabilities that were discovered. French security company FrSIRT has released an announcement about the holes, also stating that there are no known vendor patches available. Apparently CartWeaver v. version 2.16.11 and prior are affected (2.16.11 is the latest version). These are SQL injection holes, and it looks like they didn't use cfQueryParam.

This brings back the discussion that occurred in the comments of one of my recent posts. A couple of SQL server fans were telling me that you don't really have to worry about SQL injection problems in SQL server, because "if your code is susceptible to SQL injection you're screwed no matter what." Well, what if you purchase a third party product like CartWeaver? Are you going to feel safe trusting their code, when SQL Server allows SQL injection of the multiple-queries-in-one-statement type? This is why Oracle, DB2 and others don't allow multiple queries in one cfquery tag.