1QueryParam Scanner v0.7.5
2 3 4DESCRIPTION
5===========
6 7QueryParam Scanner (qpScanner) is a tool designed to identify possible SQL
8injection risks in CFML queries, by highlighting instances of unparameterised
9variables.
10 11 12 13STATUS
14======
15 16Version: v0.7.5
17Released: 2013-01-08
18 19To check latest release, visit http://sorcerersisle.com/projects:qpscanner.html
20 21 22 23REQUIREMENTS
24============
25 26qpScanner can scan code written for any CFML engine, but itself requires
27at least ColdFusion 9 or Railo 3.x to run.
28 29To run qpScanner on older CFML engines, try v0.7.3 instead - this is available
30on branch 0.7.3 or for download from https://github.com/boughtonp/qpscanner/tags
31 32 33 34INSTALLATION
35============
36 37Extract all files to a directory in your webroot, then access that directory in
38a browser.
39 40Everything required is contained within the zip file; no mappings nor
41datasources need to be setup.
42 43 44 45ECLIPSE PLUGIN INSTALLATION
46===========================
47 48There is a separately available plugin for the Eclipse IDE, allowing qpScanner
49to be executed against specific files or directories.
50 51For more details on this plugin, check the info provided at:
52 53 http://sorcerersisle.com/projects:qpscanner.html#EclipsePlugin
54 55 56 57USAGE
58=====
59 60Upon accessing qpScanner you will see a Quick Start form:
61 62 Select Config
63 This allows you to choose between "default" or "paranoid" configs.
64 The default config should be fine for most people.
65 66 Starting Directory
67 Where you put the location of the project(s) you wish to scan.
68 This can be either an absolute path or a mapping.
69 70 Recursive
71 Indicates if you want qpScanner to look inside directories, or remain
72 at the current directory level.
73 74 75Once these are set as appropriate, press Scan and qpScanner will get to work.
76 77As it finds queries with CF variables (ie: `#values_in_hashes#`) that are not
78inside a cfqueryparam tag, it will list that file. The positions of the queries
79are displayed when clicking on a file, and clicking on each of those reveals the
80actual contents of the query.
81 82When complete, it will list how many were found out of how many total queries.
83 84 85NOTE: QueryParam Scanner should be used *only* in your development environment,
86not on a live/public box. In addition to the security risks, it might have an
87adverse affect on performance.
88 89 90 91KNOWN ISSUES
92============
93 94There is one known issue with this release:
95 96* qpScanner does not work with queries in cfscript. For more details see:
97 https://github.com/boughtonp/qpscanner/issues/7#issuecomment-11916582
98 99Visit the Issue Tracker for details of any issues that might since have been
100raised, to report any issues that you find, or to request new functionality:
101102 https://github.com/boughtonp/qpscanner/issues
103104105106CREDITS, VERSIONS & LICENSING
107=============================
108109QueryParam Scanner is a project created and maintained by Peter Boughton,
110licensed under the GPLv3 (read gpl-license.txt for details).
111112The project gratefully makes use of the third-party software detailed below,
113each available individually under their respective licenses.
114115cfRegex v0.1.003-qp (http://cfregex.net)
116* Source: https://github.com/boughtonp/qpscanner
117* License: GPLv3 or LGPLv3
118* Files: cfcs/cfregex.cfc
119120jQuery v1.2.6 (http://jquery.com)
121* Source: https://github.com/jquery/jquery
122* License: GPLv2 or MIT (See http://jquery.org/license)
123* Files: resources/scripts/jquery-1.2.6.min.js
124125Fusebox v5.5.1 (http://fusebox.org)
126* Source: https://github.com/fusebox-framework/Fusebox-ColdFusion
127* License: Apache v2.0 (http://www.apache.org/licenses/LICENSE-2.0)
128* Files: fusebox5/*
129130131/eof