In Flow: The Mura Blog

Security Update, Var Scoping, and More

What a week!

It's been a very busy week here at Sava CMS. After putting out our press release about launching Sava, we were mentioned on Ben Forta's blog (and a few others), had a couple of security holes pointed out (which we fixed), and had Ray Camden also point out a couple of code-related issues (which we also addressed).

We quietly launched the Sava site in April, and have been doing various site and Sava code updates since then. While it's tempting to continually put off publicizing your project (there's always something that needs to be done first!), we decided to bite the bullet and put out the press release this week. And what a week it turned out to be.

As we hoped, traffic to the site really started to take off. We were mentioned on several blog posts, most notably Brian Meloche's, Gary Gilbert's and ColdFusion heavyweight Ben Forta (thanks to all). We had downloads from all over the world (hello to our visitors from Nigeria, Brazil, Romania and other places very far from Sacramento, California). We've gotten lots of great feedback, and some, um, interesting comments. We've even had some script-kiddie style attacks on our site (that's always nice to deal with).

Russ McRee, an Information Security specialist dropped us a note about a couple security issues with the Sava codebase. So that was a quick fire drill to get those patched - Russ was kind enough to test the updated code and validate the patches with us. Russ seems like a stand up guy, and his site is full of good info - you can check out his blog at

We also heard from Ray Camden, who we have a lot of respect for (we're using Ray's Galleon Forums code in the Support section of the website, for example). Turns out we had neglected to give him credit for some of his code that's included in some geo-locating functionality in the Sava codebase. Of course, we've corrected that - Ray's great, and contributes an awful lot to the CFML community, and it's important for us that he get the props due to him.

Ray also pointed out that we had neglected to scope some of our variables in the codebase. While this doesn't result in any obvious problems, it's something we definitely needed to address. So we spent a few hours scouring and updating the code today with the help of the VarScope tool on RiaForge (, which helped immensely.

So it's been quite a busy but very productive week. Thanks to everyone for their kind feedback - we're very interested in hearing how Sava CMS is working out for the people downloading it. Please drop a comment on this blog, or in the Forum - we want to know what you like, and what you think could be improved.

- Malcolm O'Keeffe, Partner
Blue RIver Interactive Group