Re: PHP MD5 Crypt equivalent in CF?

2009-07-05 Thread Jochem van Dieten

On Fri, Jul 3, 2009 at 3:12 PM, Oli Rosenbladt wrote:
> On original input in the PHP system, the salt is generated by a unique, 
> 8-digit user code, prepended by $1$ and appended with $ for the 12 digits 
> necessary for MD5 encryption.

There is no requirement for a salt being 12 bytes. What you are really
seeing is the algorithm identifier being prepended and a separator
appended per the Modular Crypt Format. The length of the hash is most
likely caused by using a base64 representation with the trailing =
dropped.

Jochem


-- 
Jochem van Dieten
http://jochem.vandieten.net/

~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324221
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
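Worked example, added here and not taken from Jochem's or Oli's post: a parser for the three-field Modular Crypt Format string and a standard-library reimplementation of the $1$ MD5-crypt scheme, written in Python rather than CFML so it can be run anywhere a PHP-generated hash has to be verified. The password and the 8-digit salt in the demo are constructed sample values, not anything from the thread.

```python
# Added example (not code from the original thread): parse a Modular Crypt
# Format string like "$1$12345678$<22 chars>" and recompute the MD5-crypt
# digest with the standard library, so a hash written by PHP's crypt() can be
# checked from any language. All passwords and salts here are constructed.
import hashlib
import hmac

MAGIC = b"$1$"
# MD5-crypt's own 64-character alphabet (crypt(3) itoa64), not RFC 4648 base64:
# 22 characters carry the 16-byte digest, and there is never any '=' padding.
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def parse_mcf(hash_string: str) -> tuple:
    """Split '$scheme$salt$digest' into its three fields; reject anything else."""
    parts = hash_string.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("not a three-field Modular Crypt Format string")
    return parts[1], parts[2], parts[3]


def _to64(value: int, count: int) -> bytes:
    """Emit `count` alphabet characters, least-significant 6 bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: bytes, salt: bytes) -> str:
    """MD5-crypt ($1$) as in crypt(3); the salt stops at '$' and at 8 bytes."""
    salt = salt.split(b"$", 1)[0][:8]
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # Mix in as many bytes of MD5(pw, salt, pw) as the password has.
    for remaining in range(len(password), 0, -16):
        ctx.update(alt[: min(remaining, 16)])
    # One byte per bit of len(password): NUL for a set bit, pw[0] otherwise.
    bit = len(password)
    while bit:
        ctx.update(b"\0" if bit & 1 else password[:1])
        bit >>= 1
    digest = ctx.digest()
    # 1000 fixed rounds: the only stretching the scheme has.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(password if i & 1 else digest)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(digest if i & 1 else password)
        digest = rnd.digest()
    # Bytes are permuted into 3-byte groups (plus one leftover) before encoding.
    encoded = b"".join(
        _to64((digest[a] << 16) | (digest[b] << 8) | digest[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(digest[11], 2)
    return (MAGIC + salt + b"$" + encoded).decode("ascii")


def verify(password: bytes, stored: str) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    scheme, salt, _ = parse_mcf(stored)
    if scheme != "1":
        raise ValueError("only $1$ (MD5-crypt) is handled here")
    candidate = md5_crypt(password, salt.encode("ascii"))
    return hmac.compare_digest(candidate.encode("ascii"), stored.encode("ascii"))


if __name__ == "__main__":
    # Constructed sample: an 8-digit user code used as the salt, as in the thread.
    h = md5_crypt(b"correct horse battery", b"12345678")
    print(h, verify(b"correct horse battery", h), verify(b"wrong", h))
```

The result can be cross-checked with `openssl passwd -1 -salt 12345678 'correct horse battery'`, which implements the same scheme. Note that 1000 MD5 rounds is cheap on current hardware, so this is for verifying legacy hashes; rehash the password into a modern scheme at the user's next successful login.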


RE: New CF8 vulnerability

2009-07-05 Thread Adrian Lynch

If you mean your FCKEditor is accessed in a secure area, I don't think that
matters. It's whether or not certain scripts can be accessed at
yourdomain.com/cfide/scripts/bla/bla/eek.cfm.

Someone correct me if this isn't the case...

Adrian

> -Original Message-
> From: Matt Robertson [mailto:websitema...@gmail.com]
> Sent: 04 July 2009 05:01
> To: cf-talk
> Subject: Re: New CF8 vulnerability
>
>
> Supposedly on July 6 a new version will be released that is at least
> better, if not 'fixed'.
>
> Kind of glad I put mine behind logins from the get-go.  I am guessing
> that this affects all FCKEditor installations and not just CF8's
> cftextarea.
>
> Way back when, an earlier cf connector was so full of holes I wound up
> rewriting it with another developer's help and posting it on their
> forum.  Guess that since then its code got a lot more complex but not
> a lot better.
>
> --
> -...@robertson--
> Janitor, The Robertson Team
> mysecretbase.com



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324222


RE: New CF8 vulnerability

2009-07-05 Thread Dave Watts

That is my understanding as well.

Dave Watts, CTO, Fig Leaf Software 

-Original Message-
From: Adrian Lynch cont...@adrianlynch.co.uk
Sent: Sunday, 05 July, 2009 06:42
To: cf-talk cf-talk@houseoffusion.com
Subject: RE: New CF8 vulnerability


If you mean your FCKEditor is accessed in a secure area, I don't think that
matters. It's whether or not certain scripts can be accessed at
yourdomain.com/cfide/scripts/bla/bla/eek.cfm.

Someone correct me if this isn't the case...

Adrian

> -Original Message-
> From: Matt Robertson [mailto:websitema...@gmail.com]
> Sent: 04 July 2009 05:01
> To: cf-talk
> Subject: Re: New CF8 vulnerability
>
>
> Supposedly on July 6 a new version will be released that is at least
> better, if not 'fixed'.
>
> Kind of glad I put mine behind logins from the get-go.  I am guessing
> that this affects all FCKEditor installations and not just CF8's
> cftextarea.
>
> Way back when, an earlier cf connector was so full of holes I wound up
> rewriting it with another developer's help and posting it on their
> forum.  Guess that since then its code got a lot more complex but not
> a lot better.
>
> --
> -...@robertson--
> Janitor, The Robertson Team
> mysecretbase.com





Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324223


Re: New CF8 vulnerability

2009-07-05 Thread Dave l

There's nothing OS-specific about the vulnerability, as far as I can see. 
I'm sure it's more about a location that is easy to guess.. maybe the default 
fk one.
Although them exe's are gunna have a bitch of a time running on a < 1gb 
sectioned partition with no rights on my xserver.

Too many people probably upload to /uploads (i'm guilty) so it shouldn't be too 
difficult. 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324224


Easily Scan uploaded files with Coldfusion and ClamAv

2009-07-05 Thread Dave l

I didn't have much time to do this but it seemed important to do right now, so I 
slapped together a lil diddy on doing a quick file upload virus check with cfm 
& clamav. It's not much more than the code to invoke clamav, but it is simple 
enough that we all should be doing it, well, those who aren't on shared servers.

http://www.deliciouscoding.com/post.cfm?entry=easily-scan-uploaded-files-with-coldfusion-and-clamav-1
 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324225


Re: How to clean out HTML from a CFDIV?

2009-07-05 Thread Dave l

did you try
document.getElementById("whatever").innerHTML = "";



> I have a CFDIV which is filled up with an error message issued by an 
> Ajax routine.
>
> The only problem is that under certain circumstances, when I open the 
> window that it appears on, the leftover error message from the last 
> invocation is still sitting there.
>
> Much of what I am doing is initiated thru Javascript, so I need to 
> find a way to clean out the message from Javascript too (if the 
> message exists).
>
> The cfdiv looks like this:
> <cfdiv ID="UserNameDiv" bind="url:CheckUserName.cfm?NewUserName={oUserName}&OldUserName={OldUserName}" />
>
> The following result code is placed into the cfdiv when the error 
> occurs:
> <div style="color:red;">Your Preferred UserName is already in use. Please choose another.</div>
>
> Can anyone suggest how I can clear this out, using Javascript, before 
> I start up? 


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324226


ssot: Ext window management question

2009-07-05 Thread Don L

Sorry, sort of OT. Ext gurus, Cutter?

How do I reload a child window with URL params or FORM elements within the 
context of Ext? That is, upon click or other event trigger at the child 
window, it would reload the child window with either some URL params or form 
submission data.
Too bad I haven't got the problem resolved on the Ext forum...

Many thanks.

Don


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324227


Re: ssot: Ext window management question

2009-07-05 Thread James Holmes

Have you tried the load() method?

mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/



2009/7/6 Don L do...@yahoo.com:

> Sorry, sort of OT. Ext gurus, Cutter?
>
> How do I reload a child window with URL params or FORM elements within the 
> context of Ext? That is, upon click or other event trigger at the child 
> window, it would reload the child window with either some URL params or form 
> submission data.
> Too bad I haven't got the problem resolved on the Ext forum...
>
> Many thanks.
>
> Don

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324228


RE: New CF8 vulnerability

2009-07-05 Thread Dave Watts

If there's a default web accessible URL path for uploaded files, and that 
directory is configured to execute CF files, an attacker can simply upload a 
.cfm file, and run it to do anything CF can do: CFEXECUTE, access databases, 
connect to outbound FTP servers, etc. You may not allow the first of those, but 
it's far less likely you're blocking the others.

Dave Watts, CTO, Fig Leaf Software 

-Original Message-
From: Dave l cfl...@jamwerx.com
Sent: Sunday, 05 July, 2009 09:46
To: cf-talk cf-talk@houseoffusion.com
Subject: Re: New CF8 vulnerability


There's nothing OS-specific about the vulnerability, as far as I can see. 
I'm sure it's more about a location that is easy to guess.. maybe the default 
fk one.
Although them exe's are gunna have a bitch of a time running on a < 1gb 
sectioned partition with no rights on my xserver.

Too many people probably upload to /uploads (i'm guilty) so it shouldn't be too 
difficult. 



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324229


Re: ssot: Ext window management question

2009-07-05 Thread Don L

Good input, but the load() method seems to be for panels only, it made me think of 
render and renderTo...

> Have you tried the load() method?
>
> mxAjax / CFAjax docs and other useful articles:
> http://www.bifrost.com.au/blog/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324230


Re: New CF8 vulnerability

2009-07-05 Thread Dave l

> If there's a default web accessible URL path for uploaded files
Well that's why you don't do it. I have done it but I don't anymore.

That's true with any server, any platform, any scripting language, I don't know 
why they are making this out to be a cf only issue.

I have 3 hd's, 
#1 is the os and apps, 
#2 is partitioned with 99.9% of it being backup stuff and the rest is just a few 
folders that the uploads go into and run thru doing what needs to be done with 
them. 
#3 is web server.

So cfm files can only be run out of the #3 hd. So if I upload the files to an 
isolated partition with min permissions how would they run that cf file? That 
drive isn't accessible from the web & I have no ftps or any incoming 
connections to that drive. They could of course hack into the server itself and 
then move the file manually to the web server drive then go get it ;)

> If there's a default web accessible URL path for uploaded files, and 
> that directory is configured to execute CF files, an attacker can 
> simply upload a .cfm file, and run it to do anything CF can do: 
> CFEXECUTE, access databases, connect to outbound FTP servers, etc. You 
> may not allow the first of those, but it's far less likely you're 
> blocking the others.
>
> Dave Watts, CTO, Fig Leaf Software 
>
> -Original Message-
> From: Dave l cfl...@jamwerx.com
> Sent: Sunday, 05 July, 2009 09:46
> To: cf-talk cf-talk@houseoffusion.com
> Subject: Re: New CF8 vulnerability
>
>
> There's nothing OS-specific about the vulnerability, as far as I can 
> see. 
> I'm sure it's more about a location that is easy to guess.. maybe the 
> default fk one.
> Although them exe's are gunna have a bitch of a time running on a < 
> 1gb sectioned partition with no rights on my xserver.
>
> Too many people probably upload to /uploads (i'm guilty) so it 
> shouldn't be too difficult. 


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324231


RE: New CF8 vulnerability

2009-07-05 Thread Dave Watts

It's not a CF-only issue. However, CF comes bundled with FCKEditor and other 
scripting languages don't.

If you don't allow uploads to web accessible directories, you don't have 
anything to worry about. However, the default install of CF 8.0.1 on Windows 
does allow uploads to web accessible directories.

Dave Watts, CTO, Fig Leaf Software 

-Original Message-
From: Dave l cfl...@jamwerx.com
Sent: Sunday, 05 July, 2009 13:37
To: cf-talk cf-talk@houseoffusion.com
Subject: Re: New CF8 vulnerability


> If there's a default web accessible URL path for uploaded files
Well that's why you don't do it. I have done it but I don't anymore.

That's true with any server, any platform, any scripting language, I don't know 
why they are making this out to be a cf only issue.

I have 3 hd's, 
#1 is the os and apps, 
#2 is partitioned with 99.9% of it being backup stuff and the rest is just a few 
folders that the uploads go into and run thru doing what needs to be done with 
them. 
#3 is web server.

So cfm files can only be run out of the #3 hd. So if I upload the files to an 
isolated partition with min permissions how would they run that cf file? That 
drive isn't accessible from the web & I have no ftps or any incoming 
connections to that drive. They could of course hack into the server itself and 
then move the file manually to the web server drive then go get it ;)

> If there's a default web accessible URL path for uploaded files, and 
> that directory is configured to execute CF files, an attacker can 
> simply upload a .cfm file, and run it to do anything CF can do: 
> CFEXECUTE, access databases, connect to outbound FTP servers, etc. You 
> may not allow the first of those, but it's far less likely you're 
> blocking the others.
>
> Dave Watts, CTO, Fig Leaf Software 
>
> -Original Message-
> From: Dave l cfl...@jamwerx.com
> Sent: Sunday, 05 July, 2009 09:46
> To: cf-talk cf-talk@houseoffusion.com
> Subject: Re: New CF8 vulnerability
>
>
> There's nothing OS-specific about the vulnerability, as far as I can 
> see. 
> I'm sure it's more about a location that is easy to guess.. maybe the 
> default fk one.
> Although them exe's are gunna have a bitch of a time running on a < 
> 1gb sectioned partition with no rights on my xserver.
>
> Too many people probably upload to /uploads (i'm guilty) so it 
> shouldn't be too difficult. 




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324232
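Dave Watts' two messages above (an upload directory that is both reachable by URL and configured to execute .cfm files hands the attacker code execution on the server) and Dave l's earlier ClamAV post describe one pipeline. The following is an added example, not code from the thread, from ColdFusion or from FCKEditor, and it is in Python to match the other example on this page: it refuses an upload root that resolves to inside the web root, throws away the client-supplied filename, allow-lists extensions, writes the file without an execute bit, then hands the stored copy to clamscan and quarantines anything not reported clean. The directory layout, extension lists and sample bytes are assumptions.

```python
# Added example (not from the original thread, ColdFusion or FCKEditor): an
# upload handler that keeps files out of the web root, ignores the client's
# name, allow-lists extensions and scans the stored copy with clamscan.
# Directory names, extension sets and the demo bytes are constructed samples.
import os
import secrets
import shutil
import subprocess
import tempfile
from pathlib import Path

# Extensions the application server would execute if they were reachable by URL.
SERVER_SIDE_EXTS = {".cfm", ".cfc", ".cfml", ".jsp", ".php", ".asp", ".aspx"}
# Only what the feature needs; everything else is refused.
ALLOWED_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}


def is_under(path: str, root: str) -> bool:
    """True if `path` is `root` or beneath it after resolving '..' and symlinks."""
    p, r = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([p, r]) == r


def upload_dir_risk(upload_dir: str, web_root: str) -> str:
    """'outside_webroot' is the safe answer; anything stored inside is a URL."""
    return "inside_webroot" if is_under(upload_dir, web_root) else "outside_webroot"


def extension_allowed(client_filename: str) -> bool:
    """Refuse any server-side extension anywhere in the name ("shell.cfm.jpg"),
    then require the final extension to be on the allow-list."""
    suffixes = {s.lower() for s in Path(client_filename).suffixes}
    if suffixes & SERVER_SIDE_EXTS:
        return False
    return Path(client_filename).suffix.lower() in ALLOWED_EXTS


def safe_stored_name(client_filename: str) -> str:
    """Random name plus the allow-listed extension: nothing from the client survives."""
    if not extension_allowed(client_filename):
        raise ValueError(f"extension not allowed: {client_filename!r}")
    return secrets.token_hex(16) + Path(client_filename).suffix.lower()


def clamscan_verdict(path: str) -> str:
    """clamscan exit status: 0 clean, 1 infected, anything else is an error."""
    exe = shutil.which("clamscan")
    if exe is None:
        return "scanner_unavailable"
    proc = subprocess.run([exe, "--no-summary", path], capture_output=True, text=True)
    return {0: "clean", 1: "infected"}.get(proc.returncode, "error")


def store_upload(data: bytes, client_filename: str, upload_root: str, web_root: str) -> dict:
    """Write the bytes under upload_root, scan them, quarantine anything not clean."""
    if upload_dir_risk(upload_root, web_root) != "outside_webroot":
        raise RuntimeError("refusing to store uploads inside the web root")
    name = safe_stored_name(client_filename)
    root = Path(upload_root)
    root.mkdir(parents=True, exist_ok=True)
    dest = root / name
    # O_EXCL: create only, never overwrite; mode 0640 carries no execute bit.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    verdict = clamscan_verdict(str(dest))
    if verdict != "clean":  # fail closed: an unavailable scanner is not a pass
        quarantine = root / "quarantine"
        quarantine.mkdir(exist_ok=True)
        shutil.move(str(dest), str(quarantine / name))
        dest = quarantine / name
    return {"stored_as": str(dest), "verdict": verdict}


if __name__ == "__main__":
    base = Path(tempfile.mkdtemp())
    web_root, upload_root = base / "www", base / "uploads"  # siblings, not nested
    print(upload_dir_risk(str(web_root / "uploads"), str(web_root)))  # the bad layout
    print(extension_allowed("shell.cfm.jpg"), extension_allowed("photo.JPG"))
    print(store_upload(b"not really a jpeg", "photo.jpg", str(upload_root), str(web_root)))
```

Serving the stored file back goes through a download handler that streams by the random name, so the browser never gets a URL that maps onto the upload directory. On a host without clamscan the last call returns `scanner_unavailable` and the file lands in quarantine, which is the intended fail-closed behaviour rather than a bug.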


Re: ssot: Ext window management question

2009-07-05 Thread James Holmes

You're aware that a window is a type of panel, right?

mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/

2009/7/6 Don L do...@yahoo.com:

> Good input, but the load() method seems to be for panels only, it made me think of 
> render and renderTo...
>
> Have you tried the load() method?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324233