IntegraXor 3.6.4000.5 Change Log – 12Jan11

  1. + Added SQL Database Authentication with Read/Write level control.
  2. ^ Tag Watch List can be saved across session.
  3. ^ Server stability improvement.
  4. * Debugging message in status output window will be hidden when debug mode is turned off.

Project Editor Database Configuration

Every database could have its own read and write level setting which associated to User level/privilege setting. Note that the default level for both read/write is nil which has no security, this is to ensure compatibility issue for previously developed project. User must manually enter higher level of security as per project requirement.

SQL Authentication Vulnerability

IntegraXor 3.6.4000.5 is now added with Read and Write level column to database table which allows user to configure security level for individual database entry. Now only user with security level higher than or equal to the read level can browse for trend and alarm data, and user with security level higher than or equal to the write level can acknowledge alarm. The credit for finding this vulnerability goes to Security Researcher from Virtual Security Research who has reported to ICS-CERT at 22nd December 2010.

Project Editor Database Configuration

Every database could have its own read and write level setting which associated to User level/privilege setting. Note that the default level for both read/write is nil which has no security, this is to ensure compatibility issue for previously developed project. User must manually enter higher level of security as per project requirement.

Along with this SQL authentication feature, we have also fit in the improvement done for Watch List – Now Watch Window could save user defined list created across session. And also server stability improvement. Lastly, debugging messages in status output will be hidden when debug mode is turned off.

Summary of Event
  • 22-Dec-2010: ICS CERT Contacted IntegraXor support team. Technical report for the vulnerability is received.
  • 27-Dec-2010: IntegraXor development team acknowledged the vulnerability.
  • 11-Jan-2011: Security fixed is issued as official release for general download.
  • 11-Jan-2011: Public announcement is made by IntegraXor support team.

Crossing 2011 seems to be quite challenging for IntegraXor team in handling security issues. However we are very glad that several security researcher are helping us in finding security vulnerability and even help us to verify the patched release when the loophole is fixed. We wish to thank them and also Kevin, Kathy & Bryan from Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) who have been very helpful and responsible in verifying and coordinating.

In fact it was our original idea to invite white hat hackers to find any vulnerability in IntegraXor SCADA, as we don’t believe security in obscurity. Now that so many excellence security researchers come by and we truly welcome them, and we are very pleased that we could response and patch the vulnerability within very fast time frame. Thanks to the development team who have carefully designed the well structured architecture that could be easily improved and maintained.

SCADA Vulnerability Alerts

Having done and said that, we do not always response fast to security issues that we may otherwise judge not severe, especially some vulnerability issues that required physical present of the attacker. Some security issues will also take us longer time to fix when it involves different GUI design as we concern a lot on user friendliness. Also we will have concern on compatibility impact as we wish to ensure previously developed project can be easily upgraded to latest release so that the attacker will not be interested to develop any malware targeting older versions of IntegraXor.

We wish to thank everyone again in making IntegraXor Web SCADA to become more secure than ever.

Further to our earlier security note about buffer over flow, it seems the publication has drawn more interest from security researchers, Industrial Control System Cyber Emergency Team (ICS-CERT) has again contacted us on Directory Traversal attack. This vulnerability can be exploit by attacker to download files from the SCADA server. However, attack by deleting file is not possible, but we still took immediate action to patch this security issue with our latest official release 3.6.4000.1. It can be obtained from our download link at We urge our user especially who open their SCADA for Internet access to upgrade to this latest version. And mean time please move any sensitive or confidential files away from the said SCADA server.

We take this opportunity to wish everyone Merry Christmas and Happy New Year!

Summary of Event
  • 22-Dec-2010: ICS CERT Contacted IntegraXor support team.
  • 22-Dec-2010: Technical report for the vulnerability is received.
  • 22-Dec-2010: Security fixed is issued as official release for general download.
  • 24-Dec-2010: Public announcement is made by IntegraXor support team.
  • 24-Dec-2010: Security researcher Luigi Auriemma confirmed the vulnerability issue has been fixed.
  1. + Added most waited innovative report module, allowing one time layout configuration for both display and printout at one go.
  2. + Added setSql() and getSql() for more convenient database interactions.
  3. + Added table import/export function for faster data entry work.
  4. + Added OPC server into standard release.
  5. ^ PE save tables based on proper dependency order.
  6. ^ PE file view auto refresh.
  7. ^ PE text editor supports code folding for html and script files.
  8. ^ PE fix problem openning projects from MRU when there is 1 or more table already opened.
  9. ^ Server GUI port monitor splitter pane is now resizable.
  10. ^ Support system tags as alarm and script trigger.
  11. ^ Server script won’t cause stack overflow when the script calls itself.
  12. ^ Improved comm. establishment for OPC driver connection.
  13. ^ Improved system stability.
  14. * Driver treats connection as disconnected only if timeout.
  15. * Fixed varios PE project saving bugs.
  16. * Fixed alarm task bugs.

3 steps report creation

A Simple Report Layout with Automated Archiving Interface Buttons

Earlier this October, the Industrial Control System Cyber Emergency Team (ICS-CERT), managed and operated by the United States Department of Homeland Security Control Systems Security Program, has received a report from an independent security researcher of a vulnerability in IntegraXor. ICS-CERT works in coordination with US-CERT, with a focus on control systems cyber security. Below is the contact details for additional information.
US CERT Contact Info

The independent security researcher, Jeremy Brown has indicated that previous versions (before 3.53900.10) of IntegraXor have a security vulnerability whereby an attacker may exploit the system on the SCADA server machine by using malware, badware or any type of viruses that specifically target IntegraXor. IntegraXor development team has immediately acknowledged and fixed the loophole, and the patched version has been released as “igsetup-3.5.3900.10.msi” and there after. Note that this security vulnerability has no impact on the client machine or Internet access.

As part of the procedure, we are making this public announcement on this vulnerability; however, before that we have requested a grace period from ICS-CERT and security researcher to announce this vulnerability by the end of 2010 so that our existing registered users can upgrade their previous version accordingly. We urge our existing registered users who are still using any version earlier than 3.5.3900.10 to download the latest version from our download page and migrate their existing project to the latest version ASAP so their SCADA system will not be exposed to this vulnerability. Meanwhile, please ensure that the SCADA machine is protected by an anti-virus system upgraded with latest virus pattern. We are truly sorry for the inconvenience caused and will support our users in migrating old project to current version of IntegraXor. Please contact [email protected] for any support issue.

Summary of Event
  • 06-Oct-2010: ICS CERT Contacted IntegraXor support team.
  • 07-Oct-2010: Technical report for the vulnerability is received.
  • 08-Oct-2010: Security fixed is issued as Release Candidate for inspection.
  • 14-Oct-2010: Security fixed is issued as official release for general download.
  • 15-Oct-2010: Security researcher confirmed the vulnerability issue has been fixed. Grace period of two month before public announcement is started.
  • 15-Dec-2010: Public announcement is made by IntegraXor support team.

It has been quite a while that we hold IntegraXor users to work on Inkscape 0.46. Finally our SAGE developer Teow has managed to spend some times to migrate SAGE to the latest version of Inkscape 0.48.

Spray is not the only feature that added into Inkscape 0.48 release, there are a lot more to discover, but if you think you have had enough tool to draw a SCADA mimic, then you will still be able to enjoy more stability. Anyhow, as it turns out and we discovered, many users do not just use Inkscape SAGE for SCADA, so just download this latest version of Inkscape and start spraying some snowflakes now!

Season's Greetings


Snowflakes drawn by: molumen.
Snowman drawn by: TheresaKnott.

S.I. engineers need to be conservative, below are some best practices.

  1. Backup and Write Changelog

    Needless to say, creating backup is a very basic surviving skill in project life. Not only you should create a backup before leaving site. You should also create a backup upon arrival, before making any changes, while the work reaching one stage, despite still more to go. Create a “version.txt” or “changelog.txt” in your project directory. Name your backup file with date:

  2. Proper Naming and Documentation

    This sounds so easy yet so little people doing it right. Proper naming is needed in all aspects, from tagname, filename, directory name, project name to everything. To understand proper naming, look at some keywords in bad naming examples: “new”, “old”, “latest”, “test”. These types of description only relevant for few days, it will become confusing after that.

    Additional project documentation is not “allowed” in most conditions, so you need to create the tag name in a descriptive manner. Add in description wherever possible, as if you are trying to explain the system flow to your colleague, whoever takeover will appreciate it. And you will love it when you need to revisit the site 3~4 years later.

  3. Restrict Operator Access

    Plant operator working life can be boring at times, especially when working at night shift. The SCADA system that sitting idle can be very tempting for them to use it as game console, movie player or use it to print some documents since SCADA system normally equipped with a report printer. We don’t really mind they leave the SCADA system running at the background, but what we dislike is they insert a USB drive which infected with malware or any type of virus into the system and mess up the SCADA before the end of warranty period.

    Running the SCADA with fullscreen mimic will not work, you will need sometimes to acquire the skill to restrict the operator access. Learn How To Use the Group Policy Editor to Manage Local Computer Policy in Windows XP.

  4. Install Antivirus Software

    No project budget? “Proven antivirus protection for free? that’s what I need.” Microsoft has released a free antivirus software, Security Essentials. S.I. Engineer should install it and at least patch it with the latest virus pattern before shipping the system to site. Project development stage and commissioning stage is the time that the system will exposed to most threats, this is the time you need the protection most.

    Most of the time the end user may not want to connect the server to the internet to avoid any misuse. As such the Antivirus software may no longer be up to date after a while. However, this is still better than nothing and very likely it’s recent enough to sustain for one year to block most threats. You don’t want to receive call because of virus/malware slow down the system or hogging the network during the warranty period.

  5. Backup Disk Image

    Backing data and Restricting user’s access do not guarantee that the system will not corrupt. Reinstalling the OS, patching security fixes, setting up programs, tools, database are tedious, time consuming and totally no fun, and you can’t be sure you or your colleague can restore the system to the original working state, after leaving the site for a year or even more.

    In order to ensure the original working condition can be restored, you will need to save the drive partition image, this is the best way to put things back to exactly how it was left. This Taiwanese made tood is our favorite: Clonezilla, however, be aware this is Linux based program and you may need some times to learn up. Otherwise, go for commercial package.

  6. Split System and Data Partition

    Operating System and Program Files is always good to be stored separately from Data Files. Data Files can be stored in a separated partition or simply another disk. So that when the the operating system corrupted or behaved strangely, S.I. engineers can simply restore the System partition without worrying of data, and it’s normally more convenient to do it before rather than after the problem has occurred. For instance, you can easily restore previously backup Drive partition into the System partition without overwritting the accumulating data.

    A newly purchased PC do not normally split into two partition in advance. So you will need a good tool to “Make your life easy!” Check out EASEUS Partition Master.

  7. Avoid Changes at Site

    The rule of thumb is “If it doesn’t break, don’t fix it.”, this sounds like the SI engineer is incapable of handling the work. However, the fact is human make mistake, especially in the rush, under pressure, in unfamiliar working environment, noisy site etc.

    Any single minor or major changes must be tested in its functionality. For instance, if your change a report layout, although just a title, just print it before you leave. Who knows if you accidentally disturbed the structure of the report and break the entire report generation?

    If the customer do not mind to pay for you to standby for monitoring one more day at site, do it. Otherwise, try to convince your boss to allow you to check in hotel and stay till check out time. Stay one more night is normally cheaper than traveling back to site. Prepare yourself with book, video or anything to fill up your time like preparing claim form. This will give more buffer for the operator to test run the system after your site service. Give a call to control room before you check out hotel, they will appreciate it. And because you know you will be eating your own dog food, this will force yourself to carefully do an extremely great job when you are at site.

  8. Use Remote Access Program

    If the site has Internet connection, train the site operator to start up TeamViewer. Otherwise, spend a little budget to insall a modem at site so you can call operator to plug in the phone line and dial in to check what’s going on at site. This is far cheaper than traveling to site.

  9. Don’t trust site personnel completely

    When you have to talk to operator either at site or over the phone, do your own judgment. Use system event log to track what had happened. You can’t expect the operator who has messed up the system to tell you the truth. Firstly s(he) doesn’t want to be scolded by boss, secondly they don’t want to void the warranty.

    And when you have to ask question, especially over the phone, ensure you ask Open Question. Don’t ask “can you see the button on the top right corner?”, a better question is: “What can you see on the top right corner?”. If the operator answer a Blue Tank, then you know he could be on the wrong screen.

  10. Stick Name Card on Site PC

    Do not try to avoid calls from customer, this is like avoid to face the problem if any. What a good engineer should do is to stick his/her business namecard onto the site PC to make him/herself very accessible to customer. This is a simple good marketing channel and you will gain good reputation by doing this. And the best way to avoid the customer to call you for problem is to do a good job.

Disclaimer: All listed methods or tools are not associated with nor warrantied by ECAVA or IntegraXor. You shall take your very own full responsibility for using anyone of them.

256 colors are not necessary required in most cases. Enter 6 digits (256bit) color code and check out the outcome in 3 digits (16bit). If the difference is acceptable, you can save 3 characters every time a color is used.

Type Code Preview
256 bit Color #

16 bit Color #

Below are steps to create IntegraXor database in Microsoft SQL Server Express 2008, replace “project_id” with desired name in the steps:

  1. Create a folder for database storage, for instance “c:\ecava\database\project_id”.
  2. Execute the following script in SQL Server Management Studio to create the database:

    USE [master]
    ( NAME = N'project_id', FILENAME = N'C:\Ecava\Database\project_id\project_id.mdf' , SIZE = 266240KB , MAXSIZE = UNLIMITED, FILEGROWTH = 1024KB )
    LOG ON
    ( NAME = N'project_id_log', FILENAME = N'C:\Ecava\Database\project_id\project_id.ldf' , SIZE = 219264KB , MAXSIZE = 2048GB , FILEGROWTH = 10%)
    COLLATE SQL_Latin1_General_CP1_CI_AS

  3. Lastly execute the following script to create the needed tables:

    -- table

    --drop table alarm;
    CREATE TABLE alarm (
    time_stamp datetime NOT NULL,
    event_id int NOT NULL,
    tag_id int NOT NULL,
    tag_name varchar(64),
    group_name varchar(64),
    description varchar(255),
    state int,
    data_type int,
    nvalue float,
    old_nvalue float,
    svalue varchar(255),
    old_svalue varchar(255),
    [message] varchar(255),
    inactive_timestamp datetime,
    ack_timestamp datetime,
    ack_user varchar(64),
    constraint alarm_pk PRIMARY KEY (time_stamp, event_id, tag_id)

    CREATE INDEX all_alarm ON alarm (state, ack_timestamp);
    CREATE INDEX updated_alarm ON alarm (state, ack_timestamp, time_stamp, inactive_timestamp);
    create index purge_alarm on alarm (time_stamp);

    --drop table audit;
    CREATE TABLE audit (
    time_stamp datetime NOT NULL,
    event_id int NOT NULL,
    tag_id int NOT NULL,
    tag_name varchar(64),
    group_name varchar(64),
    description varchar(255),
    state int,
    data_type int,
    nvalue float,
    old_nvalue float,
    svalue varchar(255),
    old_svalue varchar(255),
    [message] varchar(255),
    inactive_timestamp datetime,
    ack_timestamp datetime,
    ack_user varchar(64),
    constraint audit_pk PRIMARY KEY (time_stamp, event_id, tag_id)

    CREATE INDEX all_audit ON audit (state, ack_timestamp);
    CREATE INDEX updated_audit ON audit (state, ack_timestamp, time_stamp, inactive_timestamp);
    create index purge_audit on audit (time_stamp);

    --drop table [log];
    CREATE TABLE [log] (
    time_stamp datetime NOT NULL,
    tag_name varchar(64) NOT NULL,
    tag_id int,
    state int,
    data_type int,
    nvalue float,
    svalue varchar(255),
    unit varchar(16),
    constraint log_pk PRIMARY KEY (time_stamp, tag_name)

    CREATE INDEX trend ON [log] (nvalue, state, time_stamp, tag_name);
    create index purge_log on [log] (time_stamp);

    --drop table persistence;
    CREATE TABLE persistence (
    time_stamp datetime NOT NULL,
    tag_name varchar(64) NOT NULL,
    tag_id int,
    state int,
    data_type int,
    nvalue float,
    svalue varchar(255),
    unit varchar(16),
    constraint persistence_pk PRIMARY KEY (time_stamp, tag_name)

    CREATE INDEX tag_name ON persistence (tag_name);

    --drop table userdata;
    CREATE TABLE userdata (
    [name] varchar(128) NOT NULL,
    data_type int,
    nvalue float,
    svalue text,
    constraint userdata_pk PRIMARY KEY ([name])
    CREATE INDEX UDIndex ON [userdata] ([name]);

  • Updated front-end Alarm Viewer for faster loading over slow Internet connection.
  • Updated minor section of documentation.
  • Fixed stability issue for specific add-in module.

Recently we found that Firefox has changed the type of object of a function. Below is the test code:

<html xmlns="">
    <title>FX function status test</title>
    <script type="text/javascript">
        function hello() {
            this.hello = "hello";
   = "world";
            this.status = "status";
            var txt = this.constructor;
            txt += this.hello + " " + + " " + this.status;
            document.getElementsByTagName('body')[0].innerHTML = txt;

This test attempted to show what type of constructor the function ‘hello’ is on browser, and also the properties ‘hello’, ‘world’ and ‘status’. As the screen shot shown, different browser treats the function object differently, especially Firefox. Latest Firefox (in this case, version 4 beta 6) treated it as an Object. but previous version of Firefox (3.6.3 or older) treated it as an object Window and note that ‘status’ is missing from Firefox’s output as compare to other browsers. This mean Firefox prohibited the usage of property name of “status”. A property name that called “status” can only be used when it is in a Javascript class.

result in various browsers

On the other hand, one foolproof practice is to convert a function object into a new Javascript class like below:

function myFunc() {
    if (!(this instanceof Object)) {
        return new myFunc();
    this.hello = "hello"; = "world";
    this.status = "status";
    return this;

This code will fail since Firefox 3.6.8+ updated its instance to Object (as shown in screen shot). As a result, developer need to remove this interlocking code as it’s no longer useful, but the workaround is to call it as a new function class when using it.

  • Added find and replace.
  • Added always on top option.
  • Added email output support, which allows alarm to be sent via email.
  • Added Modbus driver string data type support and fixed ASCII mode bug.
  • Added interval timer support, configured via Timer table.
  • Added tooltip help for each column header in all table grid.
  • Added configuration for all drivers within PE.
  • Added right click on grid row header while no row selected will select the entire row.
  • Added reloading persist tag upon database reconnect when tag not in memory.
  • Added web server retry during startup.
  • Removed millisecond support for schedule timer (replaced by new Interval Timer).
  • Removed or hided lengthy alarm statuses.
  • Fixed opc driver async configuration mixed up.
  • Fixed opc driver async mode reading.
  • Fixed timer issue with millisecond only contain a single number.
  • Fixed PE crash when trying to retrieve OPC servers list.
  • Fixed printer output issue.
  • Fixed front-end user login issue.
  • Fixed unnecessary alarm logging during project startup.
  • Improved OPC server DCOM setting not removed after OPC server is closed.
  • Improved OPC server does not overwrite existing DCOM setting if the setting already exist.
  • Improved output task so it shall close faster if printer output is invalid.

Nowadays many gurus and web developers are so obsessed with fast performance web site. One of the common techniques used is to compress almost everything that will deliver through the Internet connections. Other than multimedia data, Internet data is still very much ASCII or text oriented, so it’s very much about shortening the string when come to compression. We are also concerned about separating static content as cookiesless domain. After looking into all these techniques, the name of the items involved seems to start by letter ‘s’. To prevent wasting any single byte for naming, it make sense to name everything as ‘s’ but leave the extension to differentiate them.

Item Name Description
script s.js JavaScript files need to be compressed and combined into one, the name is shorten as s.js, whereby ‘s’ stands for script.
style s.css CSS files need to be compressed and combined into one, so the name also shorten as s whereby ‘s’ stands for style.
shortcut icon s.ico In order to make favicon.ico cacheable, we can’t just name it as favicon.ico and leave it in the root directory, we will also need to shorten the name to s.ico and store it in the static domain, where by ‘s’ stands for ‘shortcut icon’.
static In order to create a cookiesless domain, a static directory needs to be created for storing the above contents and also screens or images. So we might as well create a subdomain as, and put almost everything except html files into this directory. ‘s’ is for static, ‘s’ is for screens, ‘s’ is a sum for all.
Note: This article is meant for IGX system that didn’t use Internet Gateway module. Internet Gateway will completely remove all described cumbersome steps. Write to technical support to learn how!

IntegraXor web server was designed to be accessible via Internet despite it was used in Intranet basis or simply desktop application in most cases. This article will walk you through the step by step guide on how to setup the broadband network for operator to access the SCADA remotely without having the needs of fixed IP, just like how our LIVE DEMO page being done.

There are two essential works need to be done before being able to access to the IntegraXor web server, they are port forwarding configuration; and host name registration.

Port Forwarding

IntegraXor uses a distinctive port number which is 7131 in avoiding clashing with any other application. Normally, routers blocked most of the network ports by default for security reason. Therefore user will need to configure the router, to redirect all the connections from a specific port to the PC with IntegraXor Server. This step is call port forwarding. Below are the steps of port forwarding for a router.

  1. First of all, to change the router configuration, open a web browser and enter the standard IP address in the address bar. This is usually or If you are not sure about this, you can open a command prompt and enter ipconfig and look for Default Gateway.

  2. Router program shall prompt a security window, enter username and password to login. Refer to router’s user guide for default UID and PWD if the default setting is being used especially when the router is new.
  3. Look for menu or link to port forwarding (some routers called it virtual server). This may vary, depending on type of router you use. If you couldn’t find the port forward or virtual server in your router, check out This website compiles screenshots of common routers in market.
  4. Then enter the IP address of the IntegraXor server in LAN and port 7131 into the respective columns. Below is a sample screen shot on a Buffalo brand router.

  5. Depending on your routher, ensure you press the ‘save’ or ‘add’ button to save the port forwarding configuration.
  6. As an additional step, below are some hints on confirming if the port forwarding has done correctly. Use
    to check if the port has been forwarded. This tool will help you to check whether the port is forwarded to the local server PC.

    • Enter the port 7131 in the port box and then click ‘check’ button. A message will be shown on below to tell you the test result.

    • If this message shows, obviously it means your port 7131 is not forwarded. You need go back to your router and check the port configuration.
    • Otherwise, voila! Port is forwarded!

Note: You may not be able to access the server locally using WAN IP. In another word, you may not be able to use any of the PC connecting to the same router. You might need some help from your external colleagues or friends who are using separate ISP link to test it out for you. So it’s best to have two ISP links while setting up port forwarding.

Host name registration

This registration is optional but most of the time required, as the purpose is to replace the IP address with a easy to remember and constant URL for operator or end users. In this section, we will be using No-IP as our example. Below is the steps on creating a free host name using

    1. Download the No-IP client and install it into the same PC where IntegraXor is installed.
    2. Register an account with Once registered, the activation mail will be sent to the registered email and ask for activation.
    3. Once the account is activated, key in the email and password to log into the No-IP account.

    1. Click the Hosts/Redirects link to host name configuration.
    2. Enter your desired host name in the host name box. Then click the “Create Host” button at the bottom to complete the host name creation.
    3. Run No-IP client on the server PC to link with the host name which created in the previous step. This client will automatically update your IP address to No-IP server, thus redirect the internet users to your IntegraXor server. You may want to keep this client running in case of disconnection, and put it into auto start up upon Windows restart.

You may try to access using this host name at this stage. Just replace the IP address with the host name. For example, , should be replaced with by now. As mentioned above, you may need to use another internet connection to access.

Note: This article is meant for IGX system that didn’t opt for Internet Gateway module. Internet Gateway will completely remove all described cumbersome steps. Grab a free download of latest version to learn how!