CF Express for simple intranet/extranet app?
I manage a very small non-profit organization. I am working on an app for internal use and am using CF. Are there limitations to CF Express that would prevent me from running this as an intranet/extranet application? Does it use IIS as a web server like other versions, or does it use the internal web server? Can I access it from an address other than localhost?

Thanks,
Pete

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360226
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: ckeditor in CF 11?
CKEditor is not included in CF11. CF8-11 include FCKeditor, which is the predecessor to CKEditor. To answer question 3 in the context of FCKeditor: yes, your updates to it could potentially be overwritten by the updater.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Fri, Jan 16, 2015 at 10:30 AM, Nick Gleason n.glea...@citysoft.com wrote:

> Hi Folks,
>
> I have a question about CKEditor. We use it in our CMS, but have not used the version bundled with CF before. I have a couple of questions that I am hoping folks here can answer:
>
> 1. Is CKEditor included in CF 11?
> 2. If so, have people had good experiences with it (we've used it for a while - but not the CF bundled version - and have generally liked it)?
> 3. If the CF bundled version is customized / forked, are there then risks of the forks being over-written in the context of an upgrade?
> 4. Are there licensing issues with the CF bundled version? In other words, if you use the free version from CKSource in a commercial product, there is typically a license fee. If you use the CF bundled version in a commercial product, is there still a licensing fee? Or is that waived in the context of using CF server?
>
> Thanks in advance for your thoughts.
>
> Best,
> Nick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359985
Re: Sending SMS
I've worked quite a bit with Twilio for sending and receiving text messages in CF: https://www.twilio.com/

They have a REST API that is pretty easy to use: https://www.twilio.com/docs/api/rest/sending-messages

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Tue, Nov 18, 2014 at 6:09 PM, Rick Sanders r...@webenergy.ca wrote:

> Hey guys,
>
> Does anyone know a service I can use for sending SMS messages from ColdFusion? I want to make an app that notifies someone by SMS when their product is ready.
>
> Kind Regards,
> Rick Sanders
>
> Canada: 171 Main St, Dartmouth, NS - T: 902-401-7689 - W: http://www.webenergy.ca/
> USA: 1205 N. Second Ave, Siler City, NC - T: 919-799-9076 - W: http://www.webenergyusa.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359676
Re: CF9.02 administrator hack
Most likely a virus / malware on your computer, not the server: https://www.google.com/search?q=Your+Java+version+is+outdated%2C+have+security+risks

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Wed, Nov 12, 2014 at 11:39 AM, Tom McNeer tmcn...@gmail.com wrote:

> Hi,
>
> I've just discovered that one of my servers, running 9.02, has been hacked. I'm not sure of the update level, because the hack is visible in the administrator and prevents its use. It's not the old h.cfm hack. I haven't been able to find any references to what I'm seeing, but I hope someone else knows what's up.
>
> I have not seen any obvious problems caused in the sites delivered from the server. It became evident when I tried to log in to the admin today to check on something.
>
> The immediate symptoms are that an ad appears in an iframe below the CF Admin login inputs; the username input label has been restyled and appears to have a link behind it. A recurring popup says "The page at b1.zcxbtm.com says: WARNING, Your Java version is outdated, have security risks, Please update now."
>
> Naturally, none of this is visible in View Source. No reference to other files and scripts. The View Source is identical to one on a non-hacked server.
>
> The CF Admin is not publicly accessible - at least not normally. I can see that a site was added and used temporarily which had a virtual directory pointing to the admin, most likely one created by running the config tool. That site is dead now, but it could easily have been a vector at one time.
>
> The CF service _is_ running under the System account. I know this is bad practice, but I didn't set up the server.
>
> Any suggestions for troubleshooting this would be greatly appreciated. And I'll certainly be happy to provide any other details I can.
>
> --
> Thanks,
> Tom
>
> Tom McNeer
> MediumCool
> http://www.mediumcool.com
> 1735 Johnson Road NE
> Atlanta, GA 30306
> 404.589.0560

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359635
Re: cfqueryparam EncodeForHTML
cfqueryparam and EncodeForHTML are used to prevent two different types of attack. cfqueryparam is for SQL injection attacks, as Byron explained. EncodeForHTML is used to prevent cross site scripting attacks (it does not prevent/escape SQL injection), which exist when the attacker can execute arbitrary client-side code (such as JavaScript).

Suppose we specified companyName=Johnson & Johnson's<script src=//hackers.r.us/badstuff.js>

If you inserted that value into the DB, everyone who views that record in the DB may potentially execute the hacker's JavaScript file, which can do lots of things, potentially on behalf of the currently authenticated user.

You don't necessarily need to run EncodeForHTML before inserting the data into the database, you just need to make sure that you call EncodeForHTML every time you output the variable. The reason for this is that you can end up double encoding when you edit the record, or maybe you want to output the value in another context such as an HTML attribute, then you want to use EncodeForHTMLAttribute on the raw value instead. In some apps though it can be a much easier solution to just encode it before inserting the data if it is output in a million places.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Mon, Nov 3, 2014 at 3:41 PM, Stephens, Larry V steph...@iu.edu wrote:

> Text input field. Entry is Johnson & Johnson's
>
> I store it in a table using cfqueryparam. All is good.
>
> Let's say the hacked entry is Johnson & Johnson's;delete * (or something akin to that - you get the drift)
>
> I use cfqueryparam but it won't catch the hack; it's still just a string. At some point, before storing or after retrieval, I use EncodeForHTML to make that safe. Now I have either Johnson &amp; Johnson&#x27;s or Johnson &amp; Johnson&#x27;s&#x3b;delete &#x2a;
>
> Supposedly, that's safe.
>
> Regex could strip out the delete or kill the thing when I tried to save the data in the first place, but I tried several examples and none seemed to work.
>
> The thing is, Johnson &amp; Johnson&#x27;s may display correctly on the screen but it's not good for a search function, particularly if I have a legacy database.
>
> To parody a commercial for a different product, what are you using for protection?
>
> Larry V. Stephen

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359562
Re: Work Around for SSLv3 Vulnerability?
The SSL handshake is handled by the JVM (though there might be some config that takes place in the CF engine, not sure). Java 6 supports only TLS 1.0; Java 7 adds support for TLS 1.1 and 1.2. The actual crypto parts of it are handled by the JCE (Java cryptography engine), which if you are running Enterprise is RSA BSAFE Crypto-J. The other thing that comes into play is the SSL cipher suite support, so it is possible that the JVM and the server can't find a protocol and cipher suite that they both support.

There are also some JVM arguments you can use to tell the JVM which protocols to use; here is the reference doc for Java 7: http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#Customization

You might try setting -Dhttps.protocols=TLSv1, not sure if that will help, I think the CF engine *may* override the property (in some versions of CF).

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Thu, Oct 30, 2014 at 9:07 PM, Michael Grant mgr...@modus.bz wrote:

> I'll try that with them, thank you SO much.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359548
Re: HMAC Algorithms and Encoding?
Try HMACSHA256 for the algorithm, see http://cfdocs.org/hmac

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Tue, Sep 9, 2014 at 11:22 AM, Sandra Clark sclarkli...@gmail.com wrote:

> Thanks
>
> I'm trying to encrypt payment information for a group using CyberSource. I found documentation on encrypt() that specified using HMAC-SHAx (where x could be 256). Got the same error. http://help.adobe.com/livedocs/coldfusion/8/htmldocs/help.html?content=functions_e-g_01.html. CF10 documentation for encrypt is not as useful.
>
> Since I don't have time to try every iteration that it could possibly be, I finally gave up, found Ben Nadel's Crypto library and it worked out of the box. But really, Adobe, do the documentation correctly.
>
> HMAC
> Creates Hash-based Message Authentication Code for the given string based on the algorithm and encoding. Hash-based Message Authentication Code (HMAC) is used to verify the data integrity and authenticity of a message transmitted. It involves a cryptographic hash function in combination with a secret key. The cryptographic hash function can be Message Digest 5 (MD5), Secure Hash Algorithm (SHA), and so on.
> See also SessionInvalidate, SessionRotate.
>
> Example
>
> <h2>HMAC Test</h2>
> <cfset x=hmac("Hi There","key1","HMACRIPEMD160")>
> <cfoutput>#x#</cfoutput>
>
> None of this tells me anything. Especially since I can't find any reference to HMACRIPEMD160 (hoping that would lead me to something) other than that HMAC documentation or some PDFs that are generated from the Wiki pages and the above mentioned CF8 page, which again lists HMAC-SHA256.
>
> -----Original Message-----
> From: Dean Lawrence [mailto:dean...@gmail.com]
> Sent: Tuesday, September 9, 2014 11:01 AM
> To: cf-talk
> Subject: Re: HMAC Algorithms and Encoding?
>
> Sandy,
>
> Looking at the example in the HMAC() docs, they prefixed the algorithm type with HMAC. Maybe if you try HMACSHA-256, to see if it works?
>
> On Tue, Sep 9, 2014 at 10:46 AM, Sandra Clark sclarkli...@gmail.com wrote:
>
>> Tried that, I am now getting an error telling me that "An error occurred while generating HMAC. Error: Algorithm SHA-256 not available." HASH() documentation is showing SHA-256 *sigh*
>>
>> -----Original Message-----
>> From: Dean Lawrence [mailto:dean...@gmail.com]
>> Sent: Tuesday, September 9, 2014 9:53 AM
>> To: cf-talk
>> Subject: Re: HMAC Algorithms and Encoding?
>>
>> Sandy,
>>
>> I do believe that you can use any algorithm that the hash function supports. Take a look at the documentation for hash and you will see what options you have.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359260
Re: Moving part of my hosting business - thoughts about my plan please ...
On Fri, Mar 28, 2014 at 5:21 AM, Mike K afpwebwo...@gmail.com wrote:

> Are there any other 'gotchas' moving from Windows to Linux?

I did a presentation on Linux for CF users at cf.Objective() this year, my slides are here: http://slides.com/petefreitag/cf-on-linux#/

> Is there any benefit of one flavour of Linux over another?

Yes, if you pick an obscure distribution intended for hardcore Linux users (for example Gentoo Linux) you will have a hard time as a newbie. Pick one that is commonly used such as Red Hat Enterprise Linux / CentOS or Ubuntu. I like RHEL/CentOS because they are pretty stable and they don't do bleeding edge, mainly bug/security fixes; you have to upgrade to the next major release to upgrade major versions of many packages. This has downsides too, for example RHEL/CentOS 6.x will only support Apache 2.2.x; if you want Apache 2.4 you have to install it manually or wait for RHEL7.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358706
Re: Printing barcode labels from CF
Followup, here's what I used to print to an HP m251w. Works great printing to Avery 5520 3x10 labels. Set margin to 0 when printing from within Chrome:

```cfml
<cfsetting showdebugoutput="No" enablecfoutputonly="Yes">
<!--- --->
<cfimport taglib="/extensions/custom_tags/" prefix="ct">
<ct:security allow="board,admin">
<!--- --->
<cfparam name="url.memberFamilyID" default="0">
<cfquery name="getRecord" datasource="#request.datasource#">
[redacted]
</cfquery>
<cfoutput>
<html>
<head>
<meta name="google" value="notranslate">
<meta http-equiv="content-language" content="en">
<script type="text/javascript" src="http://barcode-coder.com/js/jquery-1.3.2.min.js"></script>
<script type="text/javascript" src="http://barcode-coder.com/js/jquery-ui-1.7.custom.min.js"></script>
<script type="text/javascript" src="http://barcode-coder.com/js/jquery-barcode-last.min.js"></script>
<!--- Render one Code128 barcode per member into its bcTarget div; ## escapes the # inside cfoutput --->
<script language="JavaScript">
function bc() {
<cfloop query="getRecord">$('##bcTarget#getRecord.memberID#').barcode('#getRecord.memberID#', 'code128', {barHeight:50, barWidth:1, showHRI:true, fontSize: 11});
</cfloop>
}
</script>
<style>
@media print {
  div.row {page-break-after: auto;}
  div.spacer {height: 90px;}
}
body {text-align: center; font-family: arial; font-size: 11px; margin-left: 0px; margin-right: 0px; margin-top: 45px; margin-bottom: 48px;}
div.spacer {height: 90px; clear: both; border: 0px solid blue;}
div.row {margin: 0px; padding: 0px; page-break-after: auto;}
div.label {width: 232px; height: 83px; margin-left: 13px; border: 1px solid white; float: left; padding-top: 5px;}
</style>
</head>
<body onLoad="bc();">
<div class="row">
<cfloop query="getRecord">
<div class="label" align="center"><div class="bc" id="bcTarget#getRecord.memberID#"></div>
#getrecord.memberfirstname# #getrecord.memberLastName# #getrecord.memberNameSuffix# (DOB: #dateFormat(getRecord.memberDOB, "MM/DD/")#)</div>
<!--- three labels per row, ten rows (30 labels) per sheet --->
<cfif getrecord.currentrow MOD 3 EQ 0></div>
<cfif getrecord.currentrow MOD 30 EQ 0>
<div class="spacer">&nbsp;</div>
</cfif>
<div class="row"></cfif>
</cfloop>
</div>
</body>
</html>
</cfoutput>
```

On Tue, Mar 25, 2014 at 7:48 PM, Pete Ruckelshaus pruckelsh...@gmail.com wrote:

> Thanks. I think I'm going to try using CSS and print as an HTML file first, and if I run into issues, I'll go with cfdocument.
>
> On Tue, Mar 25, 2014 at 3:35 PM, Akos Fortagh akos.fort...@yahoo.com wrote:
>
>> Sorry if I misunderstand the issue. I've used cfbarbecue http://cfbarbecue.riaforge.org/ in a number of apps with no problems. It simply uses cfimage to print the barcode to the screen. I opened that document in a small window and sent it to a label printer using JS window.print(). Then using any label printer I have been able to print the barcode perfectly.
>>
>> HTH

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358680
Re: httponly and cookie-secure
On Mon, May 19, 2014 at 9:45 AM, brad f b...@ciswired.com wrote:

> Not sure what I am missing here. We are running ColdFusion 9.0.2 in a clustered environment. I added the -Dcoldfusion.sessioncookie.httponly=true to the jvm.config file. I restart the ColdFusion instances. Run an application scan and it still says they are not httponly.

I think that setting only applies to CFID/CFTOKEN cookies, not the jsessionid cookie. You can try this trick: http://www.petefreitag.com/item/740.cfm or use your web server to append httponly to the cookies for you.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358677
cfajaxproxy problem
It's been a long time since I've done any real front end development. I'm working on a site now and want to use cfajaxproxy to call a CFC that sends an email. I'm using this tutorial as a guide: http://tutorial13.learncf.com/

The calling page (the one that contains the cfajaxproxy tag) is in the root directory of the site. The CFC is located at /extensions/cfc/proxy.cfc. The specific function being called within the CFC is called sendPicInstructions.

My cfajaxproxy is called thusly:

```cfml
<cfajaxproxy cfc="#expandPath('/extensions/cfc/proxy.cfc')#" jsclassname="proxy" />
```

My JavaScript:

```html
<script>
function sendEmail() {
  var instance = new proxy();
  instance.setCallbackHandler(emailSuccess);
  instance.sendPicInstructions(#getFamilyInfo.memberFamilyID#);
}
function emailSuccess(result) {
  document.getElementById('output').innerHTML = result;
}
</script>
```

All of my other little HTML bits are correct. However, I am getting this error, even after trying any number of things up to and including typing the exact physical file path. The file path mentioned in the error message is where the CFC is located:

The specified CFC C:/inetpub/wwwroot/nineoaks_members/extensions/cfc/proxy.cfc could not be found. The path to the CFC must be specified as a full path, or as a relative path from the current template, without the use of mappings.

Any idea of what I'm missing here? I can easily do this without using cfajax, but wanted to try something new and now it's bugging me.

Thanks,
Pete

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358545
Re: cfajaxproxy problem
Which approach would you suggest using?

On Fri, May 2, 2014 at 6:27 PM, Matt Quackenbush quackfu...@gmail.com wrote:

> On May 2, 2014 4:07 PM, Pete Ruckelshaus pruckelsh...@gmail.com wrote:
>
>> Any idea of what I'm missing here? I can easily do this without using cfajax, but wanted to try something new and now it's bugging me.
>>
>> Thanks,
>> Pete
>
> There's your answer. Seriously, one should never use any of the CF UI tags. They render horrific JavaScript and are terrible for one's own skill development.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358549
Re: Patch/update 9.0 help
Yeah, I was able to restore the VM backup that was made earlier in the day.

On Mon, Mar 24, 2014 at 12:33 PM, Carl Von Stetten vonner.li...@vonner.net wrote:

> Did you do a backup of your computer before the upgrade so you can revert? If so, take a look at the Unofficial Updater 2 http://www.uu-2.info/ to make the patching process a bit easier.
>
> -Carl V.
>
> On 3/21/2014 4:49 PM, Pete Ruckelshaus wrote:
>
>> Awesome. Ran the 9.01 updater and the CF service won't restart now. This is why I don't update unless I have to.
>>
>> On Fri, Mar 21, 2014 at 6:56 PM, Russ Michaels r...@michaels.me.uk wrote:

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358076
Printing barcode labels from CF
I'm building a membership system where I will need to print barcode labels (Code128) from a CF app. I've got the barcode creation down (using a jQuery plugin), but haven't started the label creation piece. I was thinking of using CSS + cfdocument, but am concerned that PDF's crappy support of CSS will cause me trouble. Has anyone else done something like this? What do I need to look out for?

Thanks
Pete

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358077
Re: Printing barcode labels from CF
Thanks. I think I'm going to try using CSS and print as an HTML file first, and if I run into issues, I'll go with cfdocument.

On Tue, Mar 25, 2014 at 3:35 PM, Akos Fortagh akos.fort...@yahoo.com wrote:

> Sorry if I misunderstand the issue. I've used cfbarbecue http://cfbarbecue.riaforge.org/ in a number of apps with no problems. It simply uses cfimage to print the barcode to the screen. I opened that document in a small window and sent it to a label printer using JS window.print(). Then using any label printer I have been able to print the barcode perfectly.
>
> HTH

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358082
Patch/update 9.0 help
The recent issues with security have led me to abandon my previous psychology of "if it ain't broke, don't fix it." I'm running CF 9.0; is there a single patch/installer that I can run to bring my installation up to date, or do I need to update from 9.0 to 9.01 and then from 9.01 to 9.02? I'm just trying to determine whether the hotfixes are cumulative within a minor version, or inclusive of all versions, and I don't want to risk borking my install.

Thanks,
Pete Ruckelshaus

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358063
Re: Patch/update 9.0 help
Awesome. Ran the 9.01 updater and the CF service won't restart now. This is why I don't update unless I have to.

On Fri, Mar 21, 2014 at 6:56 PM, Russ Michaels r...@michaels.me.uk wrote:

> You need to update to 9.0.1 and then install the 901 patches. 9.0.2 is not an update, it is a separate version without Verity, which is no longer supported.
>
> Russ Michaels
> www.michaels.me.uk
> cfmldeveloper.com
> cflive.net
> cfsearch.com
>
> On 21 Mar 2014 22:42, Pete Ruckelshaus pruckelsh...@gmail.com wrote:
>
>> The recent issues with security have led me to abandon my previous psychology of "if it ain't broke, don't fix it." I'm running CF 9.0; is there a single patch/installer that I can run to bring my installation up to date, or do I need to update from 9.0 to 9.01 and then from 9.01 to 9.02? I'm just trying to determine whether the hotfixes are cumulative within a minor version, or inclusive of all versions, and I don't want to risk borking my install.
>>
>> Thanks,
>> Pete Ruckelshaus

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358065
Re: Best practices for xss security in CMS? - Related Question
On Wed, Mar 5, 2014 at 11:16 AM, Nick Gleason n.glea...@citysoft.com wrote:

> Hi Pete,
>
> I've been researching CSP and it sounds like a pretty cool option. But, I just wanted to follow up on this comment that you made below:
>
> -- it will also block inline scripts and style elements --
>
> Are you saying that even if you have the self or default values in place, it will block a regular old script in your page? For instance, if you just have something like this:
>
> <script>CODE HERE</script>
>
> That will be a problem? Why?

Hi Nick,

Yes, if you have the following:

Content-Security-Policy: default-src 'self';

It will block any <script>code here</script> tags in your page; you can only use <script src="/some/uri"></script>

This is a recognized problem in CSP 1.0, and CSP 1.1 is currently in development right now with two solutions for this use case. You can specify a nonce in the header, so you would do something like this:

Content-Security-Policy: script-src 'self' 'nonce-random_string_123';

Then you can do this:

<script nonce="random_string_123">code here</script>

You can do the same for inline style tags. See http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#nonce-usage-for-script-elements

The second option in CSP 1.1 is hash whitelisting, where you compute a hash of the script contents and put that in the header. See http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#hash-usage-for-script-elements

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357861
Re: Best practices for xss security in CMS? - Related Question
On Mon, Mar 3, 2014 at 5:11 PM, Nick Gleason n.glea...@citysoft.com wrote:

> Pete,
>
> Much appreciated. I guess where I'm being a bit of a dunce is that in your example, if a malicious url.query variable was passed in by a hacker, wouldn't the display only be available on that single request? And if I come to the same search form 2 minutes later and do a normal search, won't it be clean? I guess that, assuming we have no SQL injection to the DB, I don't see how that attack stays persistent (as it would possibly for a comment or forum post). Sorry to be over-simple on this.

Hi Nick,

It is not a persistent attack unless it gets saved to a DB somewhere, etc. But it is still considered harmful; for example, if I send you a link that uses JavaScript to write a login form on the page that submits to my server... then that is not a good thing. Normal visitors can't parse a query string to recognize that it is rewriting the DOM, especially when they see HTTPS they expect that everything on the page is as you intended it. Or the attacker might simply grab cookies and use them to hijack the victim's session. These examples are a bit more targeted, they will probably affect every user of the site but the attacker can use the hole to eventually get the info they are after.

> Re: the content security policy, that looks very interesting. Watching a presentation on it now. One quick question. If we are using that on a site and then an admin comes in and uses an iframe widget from YouTube to display a video on a page in the site, does that get filtered by CSP (and require an exception for YouTube)? I gather that would need to be excepted in the frame-src header, right?

Yes, you would have to allow the youtube.com domain in your CSP header, eg:

Content-Security-Policy: default-src 'self'; frame-src 'self' youtube.com;

One thing to keep in mind with Content-Security-Policy is that when you enable it, it will also block inline scripts and style elements. You can override that using unsafe-inline, but then you also lose a lot of the benefits of CSP.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357846
Re: Best practices for xss security in CMS? - Related Question
On Sun, Mar 2, 2014 at 11:21 PM, Nick Gleason n.glea...@citysoft.com wrote:

> Hi guys,
>
> Following up on this thread I have a related question - what are some examples of XSS scenarios other than comments and forum posts. Any other prominent risk scenarios for XSS?

There are a lot of scenarios, essentially anywhere you output a variable that originated in some part from an external source. So for example, let's say you have a search form for your site with some code like this:

<cfoutput>Your search for #url.query# returned #search.recordcount# results</cfoutput>

There is an XSS risk there because someone could create a link to /search.cfm?query=<script>alert('xss')</script> (now if you try that example in a modern browser you will find that it might not actually work due to the builtin XSS protection in browsers, but the hole is there and there are ways to bypass the browser's XSS protection).

So basically any time you take a variable that comes from the user or some other untrusted source and output it, you have the potential for an XSS hole.

Also you should check out Content-Security-Policy headers; this can help reduce XSS risks significantly on browsers that support it. See: http://content-security-policy.com/ for more info or come to my cf.Objective(2014) presentation :)

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357812
Re: Versions of Apache Supported on CF10 Linux?
On Tue, Feb 25, 2014 at 8:32 PM, Steve 'Cutter' Blades cold.fus...@cutterscrossing.com wrote:

> It does support Apache on 64-bit Windows, just not 64-bit Apache. I would not be surprised if the Linux stuff is the same.

64 bit Apache on Linux does work with CF10 and CF9 for that matter, I've set it up on several servers without any issues. No building from source necessary.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes
Re: CFHTTP SSL call returns Peer Not Authenticated
Is the server using a 2048 bit or higher key? I had a client with some issues connecting to twitter after they upgraded their SSL to 2048 bit, and the issue was resolved in this case by updating the CF9 server with the latest hotfixes (9.0.1 Cumulative Hotfix 4). I know you are on CF8, but you might still want to make sure you have applied all the hotfixes for CF8, and also update the JVM to the latest 1.6.x you can find (since you are on CF8 you can't upgrade to java 1.7; sometimes SSL issues are bound to the jvm as well).

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Mon, Feb 24, 2014 at 12:58 PM, David Phelan dphe...@emerginghealthit.com wrote:

> I have written a page that makes an SSL web service call using CFHTTP but I cannot seem to get the service to respond with anything other than Peer Not Authenticated. I have imported the certificates for the servers into the CF keystore and restarted the CF services. I found a post relating to a similar issue, but it is an issue in CF9 Enterprise only. I tried the workaround anyway to no avail.
>
> The call is being initiated by our servers in our DMZ to servers in our internal network for which we added a permanent route to our server. I can ping the server and get the replies. I can get the WSDL from the host server through the browser on the client server, but the call through CF fails. Any help would be appreciated. We are using CF8 on a win2k8 R2 server.
>
> David Phelan
> Web Developer, IT Security Web Technologies, Montefiore IT
> 3 Odell Plaza, Yonkers, NY 10701
> 914-457-6465 Office, 862-234-9109 Cell
> dphe...@emerginghealthit.com
> http://www.emerginghealthit.com/
> http://www.montefiore.org/
Re: Versions of Apache Supported on CF10 Linux?
On Tue, Feb 25, 2014 at 10:42 AM, Steve 'Cutter' Blades cold.fus...@cutterscrossing.com wrote:

> 64-bit Apache is not officially supported.

I don't think that is true, perhaps with Apache on Windows? But not with linux. The support matrix lists Apache support for both 32 and 64 bit on all platforms: http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf10/coldfusion10-support-matrix.pdf for what it's worth.

If you are on RHEL then make sure you update httpd using yum to the latest... Note that with RHEL the apache version number may not change, but RH will apply security patches or bug fixes as needed. More on that here: http://www.petefreitag.com/item/826.cfm

What version of RHEL are you running?

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes
Re: Setting Cookie Secure, Domain, Path
Hi Richard,

Normally you can switch between J2EE and CFID/CFTOKEN cookies without problem unless something in your application code is relying on one or the other. It may be easy to change that or it may be quite involved, it depends quite a bit on how your application is coded.

If you want to use J2EE sessions then you have to edit the jrun-web.xml file http://livedocs.adobe.com/jrun/4/Programmers_Guide/techniques_servlet13.htm#1154030 but this is server wide so it will be the same for all sites / applications on the server.

Another option would be to use the web server to add the appropriate flags to the web server, here's an example of how you do this on IIS7+ using the IIS rewrite module: http://www.petefreitag.com/item/817.cfm

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Thu, Feb 20, 2014 at 2:39 PM, Richard White rich...@re-base.net wrote:

> Hi Pete, yes although if I disable this my login stops working and it appears the session variables that I use throughout the application cease to function.
>
> Thanks, Richard
>
> > Hi Richard, do you have Use J2EE session variables checked in the CF administrator?
> >
> > --
> > Pete Freitag - Adobe Community Professional
> > http://foundeo.com/ - ColdFusion Consulting Products
> > http://hackmycf.com - Is your ColdFusion Server Secure?
> > http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes
> >
> > On Thu, Feb 20, 2014 at 5:41 AM, Richard White rich...@re-base.net wrote:
Re: Moving from CF8 to CF10 - Session Issues
Hi Les,

Here is a place to start for you: http://www.petefreitag.com/item/815.cfm

Use Chrome Developer tools to look at the session cookies, see if they are changing from request to request.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Thu, Feb 20, 2014 at 6:04 PM, Les Mizzell lesm...@bellsouth.net wrote:

> Got a site currently running on CF8 that we're migrating to a completely new server with a fresh CF10 install. There's an informal members only section with user/pass login that we're having trouble with. No code changes - no problems on the CF8 server. But, in various browsers, it seems the logged-in session var isn't holding and the second you log in, it just kicks you back out.
>
> CF8 version - all browsers stay logged in with no problems.
> CF10 version - Chrome kicks you right back out. IE works great (??)
>
> So ... pretty simple stuff. If the username/pass matches:
>
>     <cfif qVerify.RecordCount>
>         <!--- This user has logged in correctly, change the value of the session.allowin value --->
>         <cfset session.allowin = True />
>         <cfset session.user_id = qVerify.uniqID />
>     </cfif>
>
> ... and there you go.. Application file settings:
>
>     <cfapplication name="MyMemberSection"
>                    clientmanagement="yes"
>                    sessionmanagement="yes"
>                    setclientcookies="yes"
>                    setdomaincookies="yes"
>                    sessiontimeout="#CreateTimeSpan(0,8,00,0)#"
>                    applicationtimeout="#CreateTimeSpan(0,8,00,0)#"
>                    clientstorage="cookie">
>
> So the question is - what's different between CF8 and CF10 that I need to be looking for? I'm not even sure where to start looking at the moment. Ideas? Tearing my hair out so far.
Re: Setting Cookie Secure, Domain, Path
Hi Richard, do you have Use J2EE session variables checked in the CF administrator?

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Thu, Feb 20, 2014 at 5:41 AM, Richard White rich...@re-base.net wrote:

> Thanks Pete, this does seem to work by adding it to the application.cfc. However, when I first open the browser and go to the site it shows an error that the session.cfid does not exist. The culprit is in the onSessionStart method as shown below. If I reload the window then it's all fine as I suppose at this point the session.cfid has been created. Would you know how to resolve this?
>
>     <cffunction name="onSessionStart">
>         <cfcookie name="CFID" value="#session.cfid#" httponly="true" secure="yes">
>         <cfcookie name="CFTOKEN" value="#session.cftoken#" httponly="true" secure="yes">
>     </cffunction>
>
> Thanks
Re: Best practices for xss security in CMS?
Hi Nick,

It is tricky to handle HTML content while avoiding XSS, there are two tools I'm aware of that can help you here:

1) scrubHTML() - This is one I built in pure CFML and I think it is pretty easy to build a whitelist of allowed html using it: https://github.com/foundeo/cfml-security it will use your whitelist and only allow HTML tags and attributes that you allow to come out the other end, anything not matching the whitelist is removed.

2) AntiSamy - written in java, widely used, but its policy files can be tricky to work with, example using it with CFML: http://www.petefreitag.com/item/760.cfm

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Wed, Feb 19, 2014 at 11:08 PM, Nick Gleason n.glea...@citysoft.com wrote:

> Hi All, I'm very interested in your feedback on best practices when 1) trying to mitigate risk of XSS and other hacks while 2) providing CMS functionality that includes a web editor that clients use to publish web pages.
>
> For example, there are many tags like style, iframe, and embed that are considered risks by OWASP and others but are also typically needed by CMS users to create web pages, embed youtube videos, and the like. We're thinking through how to manage the trade offs so that we protect clients but don't frustrate them in making their web pages. I'd love to know how others are managing these issues effectively.
>
> Our users who are creating web pages with an editor (FCKeditor) are generally working behind a login as administrators, so there is that login security - not anyone can use the editor to create a web page. But, we have generally had a lot more security than that.
>
> I'm assuming that there are users of Mura, Farcry and other CMS's on this list and I'd love to know how you have addressed these risks. Thanks in advance!
>
> Nick
Re: Setting Cookie Secure, Domain, Path
Hi Richard,

You can use the technique here: http://www.petefreitag.com/item/764.cfm it doesn't set path, domain, or secure but you can just add that to the cfcookie tag in the CF9 example.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Tue, Feb 18, 2014 at 1:36 PM, Richard White rich...@re-base.net wrote:

> Hi, Is there a way to set the secure, domain and path values for session CFID and CFTOKEN cookies in the application.cfc page of CF9? I have done some searches but cannot seem to find an answer.
>
> Many thanks, Richard
Re: introspect Java process OSX to determine Coldfusion Run Status?
Maybe, but you would probably get a more useful result by working from within the JVM to get the info you are after. I'd start with a thread dump: http://helpx.adobe.com/experience-manager/kb/TakeThreadDump.html

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Wed, Jan 22, 2014 at 3:49 AM, Don danfar...@hotmail.com wrote:

> Was wondering if the above was possible. Seems I can retrieve a list of running processes. Of course since CF runs in Java, it's impossible to determine what exactly is running in Java. Which is the data I am looking for. I fear that I'm going to be blocked by Java security at this point.
Re: Secure attribute on CF Session Cookies
On Fri, Dec 6, 2013 at 2:52 PM, Wil Genovese jugg...@trunkful.com wrote:

> I've seen people request this before due to a PCI security audit. Usually the best solution, depending on the code, is to switch to J2EE session variables. Instead of physical cookies the session cookies are true session cookies in browser memory. This would eliminate the secure cookies issue. I think?

You can create a browser session cookie for CFID/CFTOKEN cookies as well, you just have to write the cookies manually.

But what Robert was asking about was the secure flag on the cookie, which indicates that the user agent should only send the cookie over a secure connection (eg HTTPS), again you have to do this by writing the cookies manually in CF9 and lower, here's an example showing how to do this: http://www.petefreitag.com/item/764.cfm

For CF10 it is easy, you just specify in your Application.cfc:

    this.sessioncookie.secure = true

Also with CF10 (or Tomcat rather) it will automatically add the secure flag to your JSESSIONID cookie on HTTPS requests, this causes your HTTP and HTTPS requests to be on different sessions, which for security is a good thing, but can lead to issues if you have coded your apps to expect otherwise. More info on that here: http://www.petefreitag.com/item/817.cfm

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes
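One Application.cfc that covers the two cases discussed across the cookie threads above (the CF10 this.sessioncookie settings, and the manual cfcookie approach for CF9 that failed with "session.cfid does not exist" when J2EE sessions were on), as an added example that is not the thread's or petefreitag.com's code. It assumes a CF9 or CF10 server, that the site is served over HTTPS only (a Secure cookie is not sent over plain HTTP, so an HTTP request would land in a fresh session, as noted in the reply above), and that unknown this.* settings are ignored by CF9; the application name is constructed.

```cfml
<!--- Added example, not from the thread. Application.cfc in tag syntax so the
      same file works on CF9 and CF10. --->
<cfcomponent output="false">
    <cfset this.name = "secureCookieDemo">   <!--- constructed name --->
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <!--- CF10+: the server itself writes CFID/CFTOKEN with the Secure and
          HttpOnly flags. On CF9 these settings are ignored (assumption), so
          the fallback in onSessionStart does the work there. --->
    <cfset this.sessioncookie.secure = true>
    <cfset this.sessioncookie.httponly = true>

    <!--- CF9 and earlier: re-issue the session cookies by hand with the flags
          set. No expires attribute, so they are browser-session cookies, not
          cookies persisted to disk. The structKeyExists() guard handles the
          J2EE-sessions case: with "Use J2EE session variables" enabled there
          is no session.cfid because the session id lives in the container's
          JSESSIONID cookie, and the flags must then be set in the servlet
          container or web server instead of here. --->
    <cffunction name="onSessionStart" returntype="void" output="false">
        <cfif structKeyExists(session, "cfid") and structKeyExists(session, "cftoken")>
            <cfcookie name="CFID" value="#session.cfid#"
                      path="/" httponly="true" secure="true">
            <cfcookie name="CFTOKEN" value="#session.cftoken#"
                      path="/" httponly="true" secure="true">
        </cfif>
    </cffunction>
</cfcomponent>
```

The path="/" keeps one session cookie per host rather than one per directory; add a domain attribute only if the session must be shared across subdomains, since a wider domain is visible to every host under it.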
Re: Cumulative Hotfix 3 4
Hi Nick,

If you install CHF4 it will include CHF3 and prior ones, but any security hotfix released AFTER CHF4 will need to be reapplied. HackMyCF will tell you that as well once you install it, but just wanted to give you a heads up -- those hotfixes are APSB13-10, APSB13-13 and APSB13-19.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Fri, Oct 4, 2013 at 12:18 PM, Nick Gleason n.glea...@citysoft.com wrote:

> Thanks guys. We use Hackmysite and love it. We've got all the security hotfixes patched, so we're good on that. I'm assuming, but want to get your take, that installing the cumulative hotfixes will not over-write previously installed hotfixes. That would seem to be an obvious thing to avoid, but just want to make sure.
>
> Nick
>
> > I would also suggest hackmycf to keep your patches up to date
> >
> > Russ Michaels
> > www.michaels.me.uk
> > cfmldeveloper.com
> > cflive.net
> > cfsearch.com
> >
> > On 4 Oct 2013 13:53, Bobby wrote:
> >
> > > Right, cumulative would mean that 4 includes 3 (and previous). Russ is right, there are plenty of security patches that are NOT in the cumulative hotfix.
> > >
> > > I do believe the unofficial updater has many of them included though so you might consider that if you are looking for more than what is in the cumulative hotfix.
> > >
> > > On 10/4/13 4:01 AM, Russ Michaels wrote:
> > >
> > > > yes each CHF includes all fixes from previous ones. You should however be sure to check carefully on their site what is NOT included, often security fixes are not included.
> > > >
> > > > On Fri, Oct 4, 2013 at 8:06 AM, Nick Gleason wrote:
> > > >
> > > > > Hi All, A quick question. I need to install Cumulative Hotfix 3 and 4 on a server. If I install 4, will that include 3 (as the word cumulative seems to imply)? Or do I need to install CH 3 first and then install CH 4? Thanks! Nick
Re: Hacking?
Yes, it certainly can be used by hackers. It can be used to manipulate the file system, upload files, execute exe's, and run database queries against your datasources.

This file is most commonly found via the adminapi hack widely exploited in Dec/Jan 2012 (eg /CFIDE/h.cfm, etc), but I've also seen this particular file on hacked servers sprinkled through the file system (eg 20-30 instances, using random file names). Also I've found in many cases that a server had patched the adminapi issue and blocked /CFIDE/adminapi but never cleaned up files that attackers placed, so they keep getting hit.

You will want to take a close look at the server, and consider moving to a fresh server after you have cleaned up.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Fri, Sep 6, 2013 at 9:32 AM, Robert Harrison rob...@austin-williams.com wrote:

> Is anyone familiar with this code: http://pastebin.com/2v3PMx4M
>
> We found this in one of our sites which has been getting hacked lately. We also found a few other infected files which we've cleaned, but this one in particular was somehow injected into one of our sites. Anyone know what this does and if it could be used as a hacking aid?
>
> Thanks
>
> Robert Harrison
> Director of Interactive Services
> Austin Williams
> Advertising I Branding I Digital I Direct
> 125 Kennedy Drive, Suite 100 I Hauppauge, NY 11788
> T 631.231.6600 X 119 F 631.434.7022
> http://www.austin-williams.com
> Blog: http://www.austin-williams.com/blog
> Twitter: http://www.twitter.com/austi
Re: Good jvm ram settings for 64 bit ColdFusion
On Tue, Sep 3, 2013 at 9:08 AM, Mark A Kruger mkru...@cfwebtools.com wrote:

> In 32 bit addressing each memory address takes up 4 bytes (4 x 8 bits) but a 64 bit address space is wider (as in 8 x 8 bits). So for example, if you store an integer - say 14 - on a 32 bit system, it will take 4 bytes to do it ( 1110).

That is correct about the addressing being larger on 64 bit, but it still uses 32 bits to store an int (in Java at least, this may differ if you are doing c/c++, etc), but its address is twice as big. So what accounts for the extra heap usage is that when you have an object reference (or a pointer) to another object or primitive within an object, instead of taking 32 bits per reference it takes 64 bits.

Also Michael - 2gb perm size seems rather large generally speaking (unless you have tons of cfm/cfc files). Further if your server has 8GB of ram, and you are setting 6GB max heap and 2GB max perm size then you are not leaving any room for the OS to operate when things get full. The perm size does not usually change much once the application is fully loaded and all possible logic routes have executed at least once (unless you have some sort of dynamic cfml generating going on) so you should be able to see how much you are actually using at runtime by running this code: http://www.petefreitag.com/item/821.cfm

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes
Re: Hack Attempt on our database last night
On Mon, Jul 22, 2013 at 4:29 PM, Mark A Kruger mkru...@cfwebtools.com wrote:

> Pete, So is that the purpose of the !3000 then? Got it!

That's correct Mark, you got it.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes
Re: Hack Attempt on our database last night
On Mon, Jul 22, 2013 at 12:45 PM, Mark A Kruger mkru...@cfwebtools.com wrote:

> Doesn't the /* */ force the whole string into a comment? Hard to see how that would succeed.

It is a MySQL version specific comment, so if the MySQL version is greater than version 3.0 in this case it would execute; all other DB engines would treat it as a comment.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes
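The versioned-comment trick only matters when the request value is spliced into the SQL text. An added example (not from the thread; the datasource, table and url parameter are constructed) showing the query shape that lets that happen beside the cfqueryparam form that does not, for both a numeric and a free-text value:

```cfml
<!--- Added example, not from the thread. Datasource "shopDemo", table
      "product" and url.id / url.q are constructed for illustration. --->
<cfparam name="url.id" default="0">
<cfparam name="url.q" default="">

<!--- VULNERABLE: url.id is pasted into the SQL text. Whatever follows the
      number, a MySQL /*! ... */ versioned comment included, reaches the server
      as SQL, and MySQL executes the comment body instead of skipping it. --->
<cfquery name="qProduct" datasource="shopDemo">
    SELECT id, name, price
    FROM product
    WHERE id = #url.id#
</cfquery>

<!--- HARDENED: the value travels as a typed bind parameter. The statement text
      is fixed before the driver ever sees the value, so the value is never
      parsed as SQL. cf_sql_integer also rejects a non-numeric value with an
      error before the query is sent. --->
<cfquery name="qProduct" datasource="shopDemo">
    SELECT id, name, price
    FROM product
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Free text gets the same treatment: the wildcard is part of the parameter
      value, not of the SQL text, and maxlength bounds what is accepted. --->
<cfquery name="qSearch" datasource="shopDemo">
    SELECT id, name, price
    FROM product
    WHERE name LIKE <cfqueryparam value="%#url.q#%" cfsqltype="cf_sql_varchar" maxlength="100">
    ORDER BY name
</cfquery>
```

The check to run over an existing code base is the simple one: any `#...#` inside a cfquery body that is not wrapped in cfqueryparam (or is a column or table name chosen from a fixed list in code) is a place where a versioned comment, or any other payload, is handed to the database as SQL.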
Re: How to Change the User Name field in CF Administrator's Info Page
That means you are running CF under the system account. You can create a dedicated windows user account, and change the ColdFusion service logon identity to be that new account. You will also need to make sure this new user has the appropriate NTFS permissions, see the CF9 lockdown guide for more info on that: http://bit.ly/cf9lockdown

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Tue, Jul 2, 2013 at 3:51 PM, Eugene Colucci ecolu...@buffalo.edu wrote:

> I currently use ColdFusion 9,0,1,274733 Standard, stand-alone edition on Windows Server 2008 R2 on a machine that was cloned from another computer. After I log into the ColdFusion Administrator and select the (System) Information page, I scroll to the User Name field and see ABCserver$ (not the real name), which is the same as the User Name on the machine that was cloned. According to CF Administrator Help, the User Name field is "The account that runs the ColdFusion service." However, the User Name field value actually seems to be the computer name--in my case the computer name of the original server.
>
> I checked this field on our other CF servers, and the names in each case matched the correct computer name--even on our other cloned computers. However for some reason on one particular machine, the User Name field still retains the value of the original computer name. Does someone know a way to change this value manually?
Re: How to Address Prompts for Java Updates
Java 1.6.0_17 has several security issues, so you probably do want to update java, BUT you need to make sure you have applied the latest ColdFusion hotfixes first because Java 1.7 support was only added a few months ago via hotfixes. You don't want to overwrite the C:\ColdFusion\runtime\jre JVM, you want to install the jvm in its own place, and then update the JVM path in your ColdFusion administrator or jvm.config file.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Tue, Jul 2, 2013 at 3:41 PM, Eugene Colucci ecolu...@buffalo.edu wrote:

> I currently use ColdFusion 9,0,1,274733 Standard, stand-alone edition on Windows Server 2008 R2 with Java Version 1.6.0_17 from Java Vendor Sun Microsystems Inc. with Java Home located at C:\ColdFusion\runtime\jre. I am receiving prompts to update the installed version of Java on my servers to 1.7.whatever.
>
> WITH REGARD TO COLDFUSION'S PROPER FUNCTIONING, should I install the Java updates when prompted? If so, should I install the updates in C:\ColdFusion\runtime\jre overwriting what already is there so that my CF Server recognizes the updated Java version, install the Java updates elsewhere on my computer where there is no impact on my CF Server, or ignore the prompts to update my Java installations?
Re: Issue instantiating java on CF10
Hi Edward,

You are trying to invoke the java class application.TextExtractor which is not part of the standard java class library (those all start with java.something or javax.something typically). The only other possibility is that this class is included as part of CF8; as a sanity check I tested a CF8 server with your code and got:

    Object Instantiation Exception. Class not found: application.TextExtractor

as expected. So you MUST have at some point put a jar file or some .class files into your classpath on the CF8 server. Even if your Java class path entry is empty in the CF administrator you still could have put the class or jar files in some locations such as WEB-INF/lib or WEB-INF/classes which would cause them to be picked up automatically by the classloader. Do a double check on your CF8 server and I think you will find the java code you are missing.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Fri, Apr 26, 2013 at 5:25 AM, Edward Chanter firew...@cc.uk.com wrote:

> Dear Java Gurus,
>
> I'm using some java to do text extraction, it was built on CF8 running on linux but we recently moved to a new CF10 server running on windows. The code doesn't work and I can't work out why. It's not using any custom jar files and I was able to port the same code from one CF8 linux server to another without a problem. Move it to CF10 windows (64bit) and I start getting instantiation errors. I realise it's a whole different operating system and 2 versions of CF so maybe my hope that it would just work was misguided. Just wondering if anyone with cf/java expertise had any ideas.
>
> My code looks like this:
>
>     this.tweeturl = "http://thefinanser.co.uk/fsclub/2013/04/why-all-banks-will-change-core-systems.html?utm_source=twitterfeed&utm_medium=twitter";
>     myExtractor = CreateObject("java", "application.TextExtractor").init();
>     myExtractor.extract(this.tweeturl);
>     params.description = myExtractor.getExtractedText();
>
> The error:
>
>     Object Instantiation Exception. Class not found: application.TextExtractor
>
> Simple case of a class not found I hear you say! Except I never installed any classes for it. I just wrote the code on CF8 and it worked. If anyone has any ideas I'd be most grateful.
>
> -= Ed
Zero budget, student-friendly CF/HTML/CSS editor?
I teach web design, web programming (JavaScript, some JS libraries, SQL, and CF), and computer science at a public high school that has zero budget for software for my classes. We have a license for Homesite, but it doesn't play well with our environment and is no longer worth the hassle. I've tried Aptana, but feel that it's too complex for teaching beginners web design. What's more, I really don't like the requirement that Eclipse-based editors have for working in a project paradigm on web files. I use Netbeans for CompSci, which IS project-oriented, but that makes a lot more sense given the language.

So, what are the free (as in, free) options out there that support HTML/CSS/JS/CF that are at least reasonably user-friendly?

Thanks,
Pete

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355362
Re: Zero budget, student-friendly CF/HTML/CSS editor?
I wasn't able to find it on the Adobe web site. Do you have a link?

On Thu, Apr 11, 2013 at 1:36 PM, Raymond Camden raymondcam...@gmail.com wrote:
> CFBuilder 2 has a free edition.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355381
Re: postParametersLimit in CHF4
Just to give you an idea: with 80,000 post params that caused a hash collision it took my quad core desktop 31 minutes to respond to the request, while sending a larger number of post params (120,000) that did not have a collision executed in 3 seconds. So what is safe really depends on your tolerance and CPU processing power. With 1000 colliding params you can probably cause a few seconds of processing time on the server.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Thu, Apr 4, 2013 at 4:57 PM, Chris 0404tow...@gmail.com wrote:
> How many is too many post parameters?
>
> We've had a few applications fail with the new postParametersLimit in CHF4 (the included Security Hotfix APSB12-06, http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix.html ). Even increasing postParametersLimit from 100 to 200 isn't enough -- one application uses 1006 post parameters ( !! )
>
> So given that this is a denial of service attack prevention, how risky is it letting 1100 post parameters go through with every request? I'm figuring a real DoS attack would have a lot more than 1100 parameters, but setting post parameters for 11 times the security update value sounds like poor practice.
>
> thank you,
> Chris

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355285
Re: postParametersLimit in CHF4
The vulnerability is caused by hash collisions, so if two strings hash to the same value, for example the result of java's hashCode() function on the name of a form field, then the hash table data structure becomes very inefficient. ColdFusion uses some sort of hash table algorithm to store the form fields (as well as url fields, cookies, etc but these are typically limited in size which makes them less of a target for this attack). CF was not the only technology to get hit by this issue; many others were too, including ASP.NET, node.js, j2ee/Tomcat, etc.

Typically a hash table algorithm will account for collisions by putting all objects with the same hash code in a bucket, and then does a comparison of each value in the bucket to fetch the correct one, or to see if it is a duplicate when adding a new entry. You can see how the bucket could get very big, and operations on it get slower and slower with each collision added to the bucket if an attacker crafts a request with thousands of input variables whose names all collide to the same hash code.

Under normal circumstances having 1000 form fields will not cause any collisions at all, and hash table lookups are quite fast. You may still want to limit the overall size of a request, but the HashDOS can be relatively small (eg 1-2mb) so that is why limiting the number of fields is considered the best protection.

I wrote a blog entry on this a while back that also explains it as well: http://www.petefreitag.com/item/808.cfm

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Thu, Apr 4, 2013 at 5:23 PM, Russ Michaels r...@michaels.me.uk wrote:
> So what actually causes the collision?
>
> Regards
> Russ Michaels
> www.michaels.me.uk
> www.cfmldeveloper.com - Free CFML hosting for developers
> www.cfsearch.com - CF search engine
>
> On Apr 4, 2013 10:10 PM, Pete Freitag p...@foundeo.com wrote:
>> Just to give you an idea: with 80,000 post params that caused a hash collision it took my quad core desktop 31 minutes to respond to the request, while sending a larger number of post params (120,000) that did not have a collision executed in 3 seconds. So what is safe really depends on your tolerance and CPU processing power. With 1000 colliding params you can probably cause a few seconds of processing time on the server.
>>
>> --
>> Pete Freitag - Adobe Community Professional
>> http://foundeo.com/ - ColdFusion Consulting Products
>> http://hackmycf.com - Is your ColdFusion Server Secure?
>> http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes
>>
>> On Thu, Apr 4, 2013 at 4:57 PM, Chris 0404tow...@gmail.com wrote:
>>> How many is too many post parameters?
>>>
>>> We've had a few applications fail with the new postParametersLimit in CHF4 (the included Security Hotfix APSB12-06, http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix.html ). Even increasing postParametersLimit from 100 to 200 isn't enough -- one application uses 1006 post parameters ( !! )
>>>
>>> So given that this is a denial of service attack prevention, how risky is it letting 1100 post parameters go through with every request? I'm figuring a real DoS attack would have a lot more than 1100 parameters, but setting post parameters for 11 times the security update value sounds like poor practice.
>>>
>>> thank you,
>>> Chris

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355289
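The bucket-walk Pete describes can be measured directly. The script below is an added example (not from the thread): it reimplements Java's String.hashCode() in Python, generates field names that all share one hash code (every concatenation of the two-character blocks "Aa" and "BB" hashes alike, because both blocks hash to 2112), and counts the key comparisons a toy separate-chaining table performs while inserting them, against the same number of ordinary names. The table and the handle_request() limit are simplified stand-ins for CF's internals and postParametersLimit, not Adobe's code.

```python
"""HashDOS: what a few hundred colliding form-field names cost.

Added example, not from the thread. ColdFusion keeps form fields in a
Java hash table keyed by String.hashCode(), so this reimplements that
hash in Python, builds field names that all share one hash code, and
counts the key comparisons a toy separate-chaining table performs while
inserting them, against the same number of ordinary names. The table and
the request-level limit are simplified stand-ins for CF's internals and
postParametersLimit."""
import itertools
import time


def java_hashcode(s):
    """Java's String.hashCode(): h = 31*h + c over the chars, signed 32-bit."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - 0x100000000 if h >= 0x80000000 else h


def colliding_names(count, blocks=8):
    """Up to `count` distinct strings with identical hashCode.
    "Aa" and "BB" both hash to 2112, so every concatenation of `blocks`
    such pieces hashes the same; 2**blocks names are available."""
    combos = itertools.product(("Aa", "BB"), repeat=blocks)
    return ["".join(c) for c in itertools.islice(combos, count)]


def benign_names(count):
    """Ordinary field names of the kind a large form produces."""
    return ["field%d" % i for i in range(count)]


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons."""

    def __init__(self, buckets=1024):
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def put(self, key, value):
        chain = self.buckets[java_hashcode(key) % len(self.buckets)]
        for pair in chain:              # the duplicate check walks the whole chain
            self.comparisons += 1
            if pair[0] == key:
                pair[1] = value
                return
        chain.append([key, value])


def insert_cost(names):
    """Key comparisons needed to insert every name into a fresh table."""
    table = ChainedTable()
    for name in names:
        table.put(name, "x")
    return table.comparisons


def handle_request(field_names, limit=100):
    """postParametersLimit stand-in: count the fields before parsing any of
    them. Returns ('rejected', 0) or ('accepted', comparisons_spent)."""
    if len(field_names) > limit:
        return ("rejected", 0)
    return ("accepted", insert_cost(field_names))


if __name__ == "__main__":
    n = 2000
    for label, names in (("colliding", colliding_names(n, 11)), ("benign", benign_names(n))):
        start = time.perf_counter()
        cost = insert_cost(names)
        print("%-9s n=%d comparisons=%d  %.3fs" % (label, n, cost, time.perf_counter() - start))
    print(handle_request(colliding_names(200), limit=100))
```

Inserting n colliding names costs n(n-1)/2 comparisons, which is why the cost Pete measured is so far out of proportion to request size: the limit has to be on the number of fields, not on bytes.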
Re: PCI-Compliance Ding for Non-Random CFID's
On Fri, Mar 29, 2013 at 2:10 PM, Rick Faircloth r...@whitestonemedia.com wrote:
> Thanks for the reply, Pete... If I remember all of the conversation correctly, when we came to the ding for consecutive session variables, the scanning vendor rep did mention the fact that a CFToken was involved and that made a difference. I did look up the information on this in the docs (CF9) and it did mention changing the CFToken to a long format (I didn't want to say UUID because, without looking it up, I wasn't sure that's the way it was labeled).

Yes it is labeled "Use UUID for CFTOKEN" in ColdFusion administrator, but it is actually more than just a UUID in modern versions of ColdFusion, for example it might look like this:

545fa4955f796cd4-AF350107-CF9E-E638-A240BBF644B48476
^ (Random)       ^ (UUID)

Which contains a random value (which I believe is also generated using a secure random generator like the jsessionid) concatenated with a UUID.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355211
Re: PCI-Compliance Ding for Non-Random CFID's
Most (if not all) PCI scanning vendors will remove it from your report if you explain that the session is based on BOTH the CFID and CFTOKEN values, not just one, as long as you have "Use UUID for CFTOKEN" enabled (which in CF9/10 is more than just a UUID).

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Fri, Mar 29, 2013 at 11:49 AM, Rick Faircloth r...@whitestonemedia.com wrote:
> Hi, all...
>
> Trying to get my server to pass PCI-Compliance and I was dinged for the server (CF) using non-random session id's (CFID's). They found three consecutive CFID's in use. However, I noticed in the CF documentation that CF-Tokens are random. And I opted for the long-form CF-Tokens in the administrator.
>
> Is there a way to use random CFID's or is that what the random CF-Tokens are for: to provide a pair of variables, that together satisfy randomness requirements for sessions?
>
> Thanks for any feedback!
>
> Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355202
Re: CF10 lockdown question
Hi Larry,

There have been a LOT of attacks targeting ColdFusion lately; it's time for us all to step up our security practices. There is a lot you can do to harden your server installation, and your application code, beyond what you have mentioned. Security is one of those things that you can never say "ok, everything is secure, I can check that off my list and move on"; it is a constant ongoing thing you need to always be working on.

Some things to get started:

1) Follow the CF10 lockdown guide: https://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf10/cf10-lockdown-guide.pdf

2) If you can remove your need for /CFIDE this can make lockdown easier because you can just block it.

3) Another very important thing to check besides that your queries have been cfqueryparamed is to check all your file operations for vulnerabilities. Here are some tips for file uploads: http://www.petefreitag.com/item/701.cfm You should also check any file operation that uses variables that can be tainted by the requester; for example

<cfinclude template="static/#url.path#.html">

could be used to download any file CF has access to (not just html files).

4) Leverage some of the new session functions in CF10 like SessionRotate (after a successful login) and SessionInvalidate (on logout).

5) Employ redundant layers of security (defense in depth), for example using a web application firewall, such as the one my company makes http://fuseguard.com/ ; there are other ones that are non specific to CF as well.

6) Use security monitoring and scanning tools, such as a PCI scanner, and http://hackmycf.com/ (note HackMyCF is not a PCI scanner, you should still use a PCI scanner in addition to HackMyCF, which is highly CF specific).

7) I could go on and on, so go and register for cf.Objective() where you can hear several presentations on CF security given by David Epler, Phil Duba, Bilal Soylu, and myself: http://www.cfobjective.com/sessions/ You can find some of my past presentations here: http://www.petefreitag.com/tag/security which also give a lot more detail than we can get into on this thread.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Tue, Mar 5, 2013 at 9:03 AM, Stephens, Larry V steph...@iu.edu wrote:
> Our webserver utilizing CF8 was hacked. We're not sure how (in what manner), at least at this point, but I am in the process of moving all CF stuff to a new server using CF10. I am checking all #variables# used in queries to be sure cfqueryparam is used. We are moving everything from MS Access to SQL Server. I am shedding all cfajaximport's and using jQuery ajax calls. While I don't *think* this is security related, I am also eliminating all cfform's (but, see below).
>
> Q1: By eliminating cfajaximport does the public need access to CFIDE or can I lock that down to my access, only? I recall having an issue with validation in cfform that had to do with not finding CFIDE (but I'm eliminating that issue).
>
> Q2: As far as CF goes, anything we're missing?
>
> Thanks.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354854
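Point 3 above, the tainted cfinclude path, is the one most people under-test. The script below is an added example (not from the thread): it mirrors the defect in Python, then shows the two checks that close it, a syntactic allow-list for the page name and a canonical-path check that the resolved file stays inside the static directory. The directory layout and file names it builds are constructed for the demo.

```python
"""Containing a user-supplied include/file path.

Added example, not from the thread: the reply warns that
<cfinclude template="static/#url.path#.html"> lets a requester read any
file CF can reach. This shows the same defect and two fixes: an allow-list
of the names that are legitimately served, and a canonical-path check
that the resolved file is still inside the static directory. The tree
is constructed in a temp dir for the demo; the file names are invented."""
import os
import re
import tempfile


def vulnerable_resolve(static_dir, user_path):
    """Mirror of the cfinclude line: concatenate and hope. '../' walks out
    of static_dir, and the appended suffix does not help on its own because
    the attacker controls everything before it."""
    return os.path.join(static_dir, user_path + ".html")


def safe_resolve(static_dir, user_path):
    """Return the file to include, or raise ValueError.

    1. Syntactic allow-list: one or more path-safe segments, no dots, no
       leading separator, nothing that is not [A-Za-z0-9_].
    2. Canonical check: realpath() of the joined path must still be under
       realpath(static_dir); this catches symlinks and anything the regex
       might one day be loosened to admit."""
    if not re.fullmatch(r"[A-Za-z0-9_]+(?:/[A-Za-z0-9_]+)*", user_path):
        raise ValueError("rejected path syntax: %r" % user_path)
    base = os.path.realpath(static_dir)
    target = os.path.realpath(os.path.join(base, user_path + ".html"))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes static dir: %r" % user_path)
    if not os.path.isfile(target):
        raise ValueError("no such page: %r" % user_path)
    return target


def demo():
    """Build static/about.html plus a secret outside it; exercise both resolvers."""
    with tempfile.TemporaryDirectory() as root:
        static = os.path.join(root, "static")
        os.makedirs(static)
        with open(os.path.join(static, "about.html"), "w") as fh:
            fh.write("<h1>about</h1>")
        with open(os.path.join(root, "secret.html"), "w") as fh:
            fh.write("db password")           # constructed stand-in for any reachable file
        evil = "../secret"
        vuln = os.path.realpath(vulnerable_resolve(static, evil))
        with open(vuln) as fh:
            leaked = fh.read() == "db password"
        result = {
            "vulnerable_reads_secret": leaked,
            "safe_ok": os.path.basename(safe_resolve(static, "about")),
            "safe_rejected": [],
        }
        for attempt in (evil, "about/../../secret", "../secret%00", "/etc/passwd"):
            try:
                safe_resolve(static, attempt)
            except ValueError:
                result["safe_rejected"].append(attempt)
        return result


if __name__ == "__main__":
    print(demo())
```

The allow-list is the control that matters for a template path; the realpath check is the belt-and-braces layer that still holds if a later edit widens the regex.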
Re: Issues after applying Coldfusion patches
Double check that you are installing the hotfix for the correct version of CF, eg that they are not installing a CF9 patch on CF8.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Wed, Feb 13, 2013 at 2:36 PM, funand learning funandlrnn...@gmail.com wrote:
> All - Our admins have been applying patches to our Coldfusion servers (version 8). They said most of the patches affect coldfusion admin. During testing coldfusion administrator after applying patches, I found that verifying databases would throw this error: "There was an error accessing this page. Check logs for more details." The log file just has this error:
>
> *There was an error while verifying the token. Either the session timed out or un-authenticated access is suspected.*
>
> Any suggestions on this?
>
> Thanks

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354496
CFEXECUTE with multiple arguments
Hello,

I can't get OpenSSL to run with CFEXECUTE. I've tried different attempts at the following but it doesn't work:

<cfexecute name="C:\Program Files (x86)\GnuWin32\bin\openssl" arguments="aes-256-cbc -a -salt -in C:\Users\Dev2\Documents\My Stuff\OpenSSL\secrets.txt -out C:\Users\Dev2\Documents\My Stuff\OpenSSL\secrets2.txt" variable="result" timeout="5" />
<cfdump var="#result#">

But then I'll run CFEXECUTE with OpenSSL, and just one argument, "version" for example, and it runs fine. Is there a way to do CFEXECUTE with multiple arguments?

Pete

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354467
Re: Hack - Further Information
Hi Robert,

CFChart relies on the URI /CFIDE/GraphData.cfm so if you block /CFIDE then cfchart also stops working; there is no way I'm aware of to tell CFChart to use a different URI (I wish there was!). This also adds confusion for some because the file /CFIDE/GraphData.cfm does not exist in your /CFIDE folder, but there is a servlet mapping in ColdFusion's web.xml file that allows it to handle this request.

So you have to keep that URI open if you want to use cfchart, but you will still want to block the rest of /CFIDE. If you are on IIS7 one way to do this is using Request Filtering: you will want to add a Deny URI Sequence for every folder in /CFIDE -- do this at the IIS level applicable to all sites. Unfortunately you can't say "Deny /CFIDE" and "Allow /CFIDE/GraphData"; it will still block it. This is all covered in the CF9/10 lockdown guides.

Another possible solution might be to rewrite the HTML generated by CFChart to use a different URI and then setup a virtual directory mapping on the web server (or alter the servlet mapping in web.xml).

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Mon, Feb 4, 2013 at 4:03 PM, Robert Harrison rob...@austin-williams.com wrote:
> Thanks everyone for the help. Many had some very useful advice and were dead on about the files and issues with mapping and /CFIDE.
>
> Yes, the culprit files were in CFIDE/adminapi/customtags, but we found a curious commonality in all the sites that were affected. Every site affected used CFChart. I remember our server guy had to set-up some special mapping to CFIDE and allow files to be written there because of some sort of temp file CFChart uses when creating a .jpg. Now that it's been locked down again, CFCHART no longer displays the image.
>
> What should we do to allow CFChart to function without opening a security hole?
>
> Thanks,
> Robert

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354286
Re: Hack - Further Information
Hi Paul,

That approach may work in some cases, but there are cases where /CFIDE/administrator/index.cfm may still resolve even if there is no folder there (or no virtual directory). We often receive reports saying that hackmycf.com is incorrectly reporting CF administrator open because /CFIDE/administrator/ returns a 404, but if you add index.cfm to the end it will in fact resolve CF administrator. That's why it is so important to put explicit blocks to /CFIDE uri's in place on your web server.

In addition, the administrator is not the only folder to be worried about under /CFIDE; several other folders have had exploits including adminapi, componentutils, wizards, scripts, and perhaps others. In short, you should block as much of /CFIDE as you possibly can.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Mon, Feb 4, 2013 at 4:29 PM, Paul Vernon paul.ver...@web-architect.co.uk wrote:
>> What should we do to allow CFChart to function without opening a security hole?
>
> What we do is this.
>
> 1. Duplicate the CFIDE directory in full.
> 2. In the duplicate, remove the administration folders altogether.
> 3. In all but the CFAdmin site itself on the server (which should really not be accessible over the web), map the CFIDE to the version that no longer contains the admin folder.
>
> This stops no end of possible security threats before they can start and if this had been implemented on your server would probably have stopped the hack from being successful.
>
> Paul

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354289
Re: Hack - Further Information
Paul,

Sorry, to clarify: if the folder is gone 100% from the server it will not work, but if you kept it in the default install location, eg c:\inetpub\wwwroot or c:\coldfusion9\wwwroot\CFIDE, then even though there is no website that points to that on the webserver it can still resolve. So in that case CF will intercept the request and serve it from the default installed location. There are a few other settings that might need to come into play for that to work but it does happen quite frequently from what I have seen.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Mon, Feb 4, 2013 at 6:13 PM, Paul Vernon paul.ver...@web-architect.co.uk wrote:
> Pete,
>
>> That approach may work in some cases, but there are cases where /CFIDE/administrator/index.cfm may still resolve even if there is no folder there (or no virtual directory).
>
> You're going to have to explain how /CFIDE/administrator/index.cfm could resolve when the CFIDE mapping is pointing to a directory that is a duplicate CFIDE with *all* the administrator folders removed. I must be missing something here but how can it resolve when there is definitely no file or folder and the mappings in CF and the web server all point at the duplicate? Has CF got some special code that I should know about that breaks the rules as to how web servers work? I've been working with CF since 4.0 and never seen it serve a page that does not exist...
>
> Paul

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354291
Re: sql injection attempt
On Wed, Jan 23, 2013 at 12:57 PM, Rob Voyle robvo...@voyle.com wrote:
> Hi Greg
>
> As I continue to update my security processes, I'm curious: was this injection attempt at the url or at a form input?

Keep in mind that vulnerabilities can come from any input that the attacker can manipulate, eg form, url, cgi, cookie variables are all game.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354032
Debug output displaying behind page
I am having a problem with debug output and cf error messages displaying behind the content of my page. I'm using Twitter Bootstrap for CSS, and I'm using the old fashioned debug output (which I want to display while developing). Is there an easy fix for this?

Thanks
Pete

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353797
Re: Secure Image Uploads
From a security perspective you don't want to skip the file extension test(s) - that is critical. Also make sure you upload to a directory outside of the webroot, then perform your validation. Only move it under the webroot if you are sure it is a valid image and has an approved file extension. Finally use your web server and/or CF sandbox security to prevent execution on the image upload folder.

I also wrote a blog entry a while ago with some tips for secure file uploads: http://www.petefreitag.com/item/701.cfm

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Tue, Dec 18, 2012 at 10:35 PM, Dan Baughman dan.baugh...@gmail.com wrote:
> skip all the nonsense and just try to resize the image. If that fails it's either a color palette java can't handle or it isn't an image.
>
> - Dan
>
> On Tue, Dec 18, 2012 at 8:12 PM, Terry Troxel terry.tro...@gmail.com wrote:
>> I am looking for a safe and secure way to put an example page on my site that will allow a potential client to upload a JPG in order to see an example of a responsive photo gallery he can create using my new responsive web template I am in the process of building.
>>
>> Here is what I am considering in the upload process:
>> 1...JPG extension only
>> 2...file size limit
>> 3...remove exif data if it exists
>> 4...Convert file to PNG and save after doing the resizing, etc. that I need to.
>>
>> I would like some opinions, suggestions, etc. to tell me if I am missing something or there is any other avenues I can pursue to accomplish my goal to stop anyone from using this to hack my site.
>>
>> Terry

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353553
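The sequence Pete lays out (extension test, write outside the webroot, validate, then move) is easy to get subtly wrong, usually by validating after the file is already web-reachable or by keeping the client's filename. The script below is an added example (not from the thread or the blog post) that implements it for JPEG and PNG: an extension allow-list, a size limit, a magic-byte check that the content agrees with the extension, a quarantine directory outside the webroot, and a server-generated name for the stored file. The size limit and the byte strings in demo() are constructed for the example, not real photos; resizing and EXIF stripping are left to the image library.

```python
"""Validating an uploaded image before it goes anywhere near the webroot.

Added example, not from the thread: keep the extension test, write the
upload outside the webroot, validate it there, and only then move it
under the webroot under a name the client never chose. JPEG/PNG only.
MAX_BYTES and the demo samples are constructed for the example."""
import os
import secrets
import shutil
import tempfile

MAX_BYTES = 2 * 1024 * 1024   # assumed limit for the example
ALLOWED = {                   # extension -> required leading bytes
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}


def check_upload(client_name, data):
    """Return the canonical extension to store under, or raise ValueError.
    Extension and content must agree: a .jpg whose bytes start with CFML
    or PHP is rejected regardless of its name."""
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in ALLOWED:
        raise ValueError("extension not allowed: %r" % ext)
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match %s signature" % ext)
    return ".jpg" if ext == ".jpeg" else ext


def store_upload(client_name, data, quarantine, webroot_images):
    """Write to quarantine (outside the webroot) first, validate, then move
    into the web-served folder under a random name. Returns the final path.
    Rejected bytes are deleted so nothing lingers in quarantine."""
    os.makedirs(quarantine, exist_ok=True)
    os.makedirs(webroot_images, exist_ok=True)
    tmp = os.path.join(quarantine, secrets.token_hex(16))
    with open(tmp, "wb") as fh:
        fh.write(data)
    try:
        ext = check_upload(client_name, data)
    except ValueError:
        os.remove(tmp)
        raise
    final = os.path.join(webroot_images, secrets.token_hex(16) + ext)
    shutil.move(tmp, final)
    return final


def demo():
    """Exercise store_upload with constructed samples in a temp tree."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32          # minimal JPEG header, constructed
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32          # minimal PNG header, constructed
    cfml = b"<cfoutput>#now()#</cfoutput>"             # script text, not an image
    with tempfile.TemporaryDirectory() as root:
        q = os.path.join(root, "quarantine")
        w = os.path.join(root, "wwwroot", "images")
        out = {"stored": [], "rejected": []}
        samples = (
            ("photo.JPG", jpeg),                        # ok: upper-case extension, real header
            ("logo.png", png),                          # ok
            ("shell.cfm", cfml),                        # bad extension
            ("shell.jpg", cfml),                        # allowed extension, wrong content
            ("big.png", png + b"\x00" * MAX_BYTES),     # over the size limit
        )
        for name, data in samples:
            try:
                out["stored"].append(os.path.splitext(store_upload(name, data, q, w))[1])
            except ValueError:
                out["rejected"].append(name)
        out["quarantine_empty"] = os.listdir(q) == []
        return out


if __name__ == "__main__":
    print(demo())
```

Because the stored name is generated server-side, names like "shell.cfm.jpg" never reach the filesystem; the web-server rule that denies script execution in the images folder then covers whatever the signature check might miss.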
CF8 - sending mail via exchange?
Do I need to do anything special or use any of the cfexchange tags in order to send email via a MS Exchange server?

Thanks
Pete

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353337
Re: Security Question(s)
On Mon, Nov 19, 2012 at 1:48 PM, Jamie Bowers jamiembow...@netscape.net wrote:
> Somewhat related, how do I determine that any hot-fix or security patch I may download and install is indeed installed?

Jamie, one thing I'd like to point out is that if you are using CF7 then you have unpatched vulnerabilities on the server. CF7 has been End of Life for a while and has not received any security updates in a couple years - so even if your code is secured your server platform is likely not. You will also need to make sure your JVM is patched, which again might be a challenge since CF7 doesn't run on Java 1.6 (without appropriate JVM patches an attacker can simply send a magic number to your server and cause it to hang, among other possibilities).

To answer your question here about how do you know what patches are installed: <plug>I created a service http://hackmycf.com specifically for that reason - you can scan your domain for free but we also offer paid services that can find more details.</plug> You can also try using the ColdFusion administrator to see what the update level is but that is not a great solution, see http://www.carehart.org/blog/client/index.cfm/2012/6/18/what_hotfixes_have_been_applied for more info.

Finally I also wanted to point out that XmlFormat is not a stopgap for XSS either, for example if you have this:

<cfoutput>
<script>
var id = #XmlFormat(url.id)#;
</script>
</cfoutput>

You are not at all protected from XSS - so XSS protection really depends on where the variable is output. It could be in a tag, javascript, css, a url, a tag attribute; all have their own encoding rules that must be applied to properly prevent the attack.

Hope that helps.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353266
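The XmlFormat point deserves a concrete demonstration, because the unquoted slot in that snippet contains no character XmlFormat would touch. The script below is an added example (not from the thread): it reimplements the escaping XmlFormat() performs and a JavaScript-string encoder in the spirit of CF10's EncodeForJavaScript(), renders the snippet with an attacker-controlled url.id both ways, and checks whether the value still reaches the page as a second statement. The encoder and the statement counter are this example's own, not Adobe's implementation.

```python
"""Context-specific output encoding: why XmlFormat() does not stop XSS
inside a <script> block.

Added example, not from the thread. It reimplements the escaping that
ColdFusion's XmlFormat() applies (& < > " ' to entities) and a
JavaScript-string encoder in the spirit of CF10's EncodeForJavaScript()
(every non-alphanumeric character becomes \\xHH or \\uHHHH), renders the
reply's snippet with an attacker-controlled url.id both ways, and checks
whether the value still reaches the page as executable JavaScript. The
encoder and the statement counter are this example's own, not Adobe's."""


def xml_format(s):
    """Entity-escape the five XML special characters, as XmlFormat() does."""
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
             .replace('"', "&quot;").replace("'", "&apos;"))


def encode_for_javascript(s):
    """Hex/unicode-escape everything that is not ASCII alphanumeric, so the
    value can only ever be string data inside a quoted JS literal."""
    out = []
    for ch in s:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)


def render_unquoted_xmlformat(user_id):
    """The reply's snippet: an unquoted slot, protected only by XmlFormat()."""
    return "<script>var id = %s;</script>" % xml_format(user_id)


def render_quoted_jsencoded(user_id):
    """The fix: quote the slot and encode for the JavaScript-string context."""
    return '<script>var id = "%s";</script>' % encode_for_javascript(user_id)


def statement_count(script_body):
    """Count ';' outside double-quoted string literals (backslash escapes
    honoured). The template emits exactly one statement."""
    count, in_str, i = 0, False, 0
    while i < len(script_body):
        ch = script_body[i]
        if in_str:
            if ch == "\\":
                i += 1                 # skip the escaped character
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch == ";":
            count += 1
        i += 1
    return count


def is_injected(html):
    """True when the rendered block carries more than the template's one
    statement, or the body can close the <script> element early."""
    body = html[len("<script>"):-len("</script>")]
    return "</script" in body.lower() or statement_count(body) != 1


if __name__ == "__main__":
    payload = "1; alert(document.cookie)"
    for render in (render_unquoted_xmlformat, render_quoted_jsencoded):
        html = render(payload)
        print("%-26s injected=%s  %s" % (render.__name__, is_injected(html), html))
```

With url.id set to "1; alert(document.cookie)" XmlFormat returns the string unchanged, so the unquoted version emits two statements; the quoted, JS-encoded version turns every punctuation character into a \xHH escape inside the literal, which is exactly the "encode for the context you are writing into" rule the reply describes.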
Re: Multiple application in webroot with different sessions
You will need to make sure each of the session cookies specify a path attribute, otherwise the user will lose sessions when going from app to app (if you have the session fixation patch enabled). This will also allow you to have unique session ids for each app. You can do this by writing the CFID/CFTOKEN cookies yourself in onSessionStart (example: http://www.petefreitag.com/item/764.cfm) or if you are on CF10 you could try this.sessioncookie.path (but that may not work, looks like they may not allow you to set the path this way).

The session timeout is internal to CF so even if the session cookies are not expired it doesn't mean that the session is still valid. So even without the path attribute set you can still have unique timeouts, but the session can only be valid for one app at a time.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Tue, Nov 20, 2012 at 12:25 PM, Uday Patel udayjpatel2...@gmail.com wrote:
> Did you assign different names to the two applications?
>
> On Mon, Nov 19, 2012 at 9:48 PM, Uday Patel udayjpatel2...@gmail.com wrote:
>> yes the application names are different for all sites

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353267
Re: Anyone using Twitter Bootstrap with CF?
OK, new (but related) problem. I'm using a modal window to edit records. When I click to edit the first record, it loads the edit window with that record's data. Cool. Close the window, click on the second record, and the data for the first record is still in the form and remains there until I refresh the page. I am using this method to call the edit window:

<a href="#CGI.script_name#?a=edit&assetid=#getassets.assetid#" data-toggle="modal" data-target="##editmodal" role="button" class="btn btn-small pull-right">Edit</a>

I tried some of the no-cache tricks, thinking it might be a caching issue, but that caused no content to be loaded in the body of the modal window. Is there a solution to this?

Thanks
Pete

On Wed, Nov 14, 2012 at 1:33 PM, Cameron Childress camer...@gmail.com wrote:
> On Wed, Nov 14, 2012 at 1:13 PM, Pete Ruckelshaus pruckelsh...@gmail.com wrote:
>> Yeah, that's what I get for just glancing at the docs. This
>>
>> <a data-toggle="modal" href="remote.html" data-target="#modal">click me</a>
>>
>> worked like a charm. Great! Next up, is there a way to submit a form within the same modal window? Sorry for the questions, I've been doing almost entirely server-side stuff for the past few years.
>
> You can actually have someone submit the form in the modal just like any other page. Then it will make a round trip to the server and refresh the underlying page (the one that opened the modal).
>
> Alternately, you can have a button in the modal make a javascript call and do a jQuery AJAX call to submit the data, without causing the underlying page to refresh. You can then close the modal using some of the code you should be able to find in the documentation.
>
> There are a bunch of ways you can solve the problem, but I'd read up on the whole she-bang a bit before trying to cut/paste anything from Stack Overflow (or this list) to solve your problem. I'd put down the IDE for a bit, get a coffee and take a long read in the jQuery docs around the AJAX methods.
>
> http://api.jquery.com/category/ajax/
>
> You should be able to chain those calls along with the Bootstrap modal stuff to get where you want to be.
>
> -Cameron
>
> --
> Cameron Childress -- p: 678.637.5072 im: cameroncf
> facebook http://www.facebook.com/cameroncf | twitter http://twitter.com/cameronc | google+ https://profiles.google.com/u/0/117829379451708140985

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353268
Re: SQL Express and CF
Works just like the full version, and it's what I use on my VPS.

On Thu, Nov 15, 2012 at 5:23 AM, Kevin Parker tras...@internode.on.net wrote: Are there any issues using Express versions of SQL Server for development? Thank you ++ Kevin Parker M: 0418 815 527 ++

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353196
Anyone using Twitter Bootstrap with CF?
I'm playing around with Twitter Bootstrap as a UI solution because, well, my design skills are lacking. I like it so far, but I want to use their modal windows (not CF's) for forms that I use to add or edit records. The problem is, how do I pass dynamic variables (i.e. the ID of the record that I want to edit) into what is essentially a static modal window that isn't accessed via URL?

Thanks, Pete

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353161
Re: Anyone using Twitter Bootstrap with CF?
Yeah, that's what I get for just glancing at the docs. This <a data-toggle="modal" href="remote.html" data-target="#modal">click me</a> worked like a charm. Next up, is there a way to submit a form within the same modal window? Sorry for the questions, I've been doing almost entirely server-side stuff for the past few years.

Thanks Pete

On Wed, Nov 14, 2012 at 10:48 AM, Cameron Childress camer...@gmail.com wrote: Look in the Bootstrap Modal docs under "Via Javascript". Specifically I've used the remote option to accomplish this. That way you can just pull the modal content off the server on-demand instead of using a static modal. http://twitter.github.com/bootstrap/javascript.html#modals -Cameron

On Wed, Nov 14, 2012 at 10:37 AM, Pete Ruckelshaus pruckelsh...@gmail.com wrote: I'm playing around with Twitter Bootstrap as a UI solution because, well, my design skills are lacking. I like it so far, but I want to use their modal windows (not CF's) for forms that I use to add or edit records. The problem is, how do I pass dynamic variables (i.e. the ID of the record that I want to edit) into what is essentially a static modal window that isn't accessed via URL

-- Cameron Childress -- p: 678.637.5072 im: cameroncf facebook http://www.facebook.com/cameroncf | twitter http://twitter.com/cameronc | google+ https://profiles.google.com/u/0/117829379451708140985

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353166
Re: encrypt / decrypt question
You left out the algorithm, "AES", in your encrypt() call this time. Also, since you have the unlimited strength policy files you might consider generating a 256 bit key instead of the default 128, by doing: GenerateSecretKey("AES", 256)

I have not found that I need the unlimited strength jurisdiction policy on CF9 standard when using the default 128 bit AES encryption, only when going up to 256 bit keys.

-- Pete Freitag - Adobe Community Professional http://foundeo.com/ - ColdFusion Consulting Products http://hackmycf.com - Is your ColdFusion Server Secure? http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Mon, Nov 5, 2012 at 7:15 PM, Eric Bourland e...@ebwebwork.com wrote: Hi, Wil, I read up on the generateSecretKey function, both in your very helpful example page, and on adobe: http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-6e72.html I am having a little trouble with syntax. Here is my insert statement:

<!--- provide default value for form.AES --->
<cfparam name="form.AES" default="">
<!--- insert statement uses encrypt function to place in the database an encrypted value for CreditCardNumber --->
CreditCardNumber = <cfqueryparam cfsqltype="cf_sql_varchar" value="#encrypt(form.CreditCardNumber, generateSecretKey(form.AES), 'UU')#">,

This insert statement returns the error: The '' algorithm is not supported by the Security Provider you have chosen. (I am also not clear why the encryption method, AES, needs to be defined in the scope of FORM.) I was wondering if I could do the generateSecretKey function, and store the result in a variable (as you did, I think, in your example on trunkful.com). But again I get confused. Doesn't the key have to be a constant value? And stored in a constant place? It seems like the generateSecretKey function generates a new key every time the form is processed. Sorry to drag on with this question. I am still reading up in the documentation to see if I can construct a working insert statement. Thank you all again for your time and advice. Eric

-----Original Message----- From: Wil Genovese [mailto:jugg...@trunkful.com] Sent: Sunday, November 04, 2012 9:58 PM To: cf-talk Subject: Re: encrypt / decrypt question

Eric, A while back I was testing all the encryption and decryption types and wrote a short cfm page that let me do the testing. The code there is a good example of how it all works. Instead of trying to write it up and post here I created a very short and sweet blog post about this. http://www.trunkful.com/index.cfm/2012/11/4/Encryption-and-Decryption-in-ColdFusion I hope this helps. Wil Genovese Sr. Web Application Developer/ Systems Administrator CF Webtools www.cfwebtools.com wilg...@trunkful.com www.trunkful.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353068
Re: CF 9 Updates
Hi Steve, 9.0.1 Cumulative hotfix 2 does not include all the security patches; it is missing APSB11-29, APSB12-06, APSB12-15 and APSB12-21. 9.0.2 is only missing security hotfix APSB12-21. See this page for more info: http://www.petefreitag.com/item/804.cfm

-- Pete Freitag - Adobe Community Professional http://foundeo.com/ - ColdFusion Consulting Products http://hackmycf.com - Is your ColdFusion Server Secure? http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Fri, Oct 19, 2012 at 3:59 PM, Steve LaBadie slaba...@po-box.esu.edu wrote: Hey Pete, Will uploading update 2 take care of everything? Steve LaBadie, Web Manager East Stroudsburg University 570-422-3999 slaba...@esu.edu

-----Original Message----- From: Pete Freitag [mailto:p...@foundeo.com] Sent: Thursday, October 18, 2012 3:49 PM To: cf-talk Subject: Re: CF 9 Updates

The hotfixes and updates will fix many more issues than they will create. The only issue that seems to bite some folks is the session fixation patch, which should only cause a problem if you have multiple CF applications running on the same domain with different application names and using sessions.

-- Pete Freitag - Adobe Community Professional http://foundeo.com/ - ColdFusion Consulting Products http://hackmycf.com - Is your ColdFusion Server Secure? http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Thu, Oct 18, 2012 at 3:17 PM, Steve LaBadie slaba...@po-box.esu.edu wrote: I have installed CF 9 version 9,0,0,251028 standard on a windows 2008 with IIS 7. Are there any known issues with updates 1 and 2 and hotfixes and patches? Steve LaBadie, Web Manager East Stroudsburg University 570-422-3999 slaba...@esu.edu http://www.facebook.com/eaststroudsburguniversity http://twitter.com/esuniversity http://www.youtube.com/user/esuedu

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352962
Re: CF 9 Updates
The hotfixes and updates will fix many more issues than they will create. The only issue that seems to bite some folks is the session fixation patch, which should only cause a problem if you have multiple CF applications running on the same domain with different application names and using sessions.

-- Pete Freitag - Adobe Community Professional http://foundeo.com/ - ColdFusion Consulting Products http://hackmycf.com - Is your ColdFusion Server Secure? http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Thu, Oct 18, 2012 at 3:17 PM, Steve LaBadie slaba...@po-box.esu.edu wrote: I have installed CF 9 version 9,0,0,251028 standard on a windows 2008 with IIS 7. Are there any known issues with updates 1 and 2 and hotfixes and patches? Steve LaBadie, Web Manager East Stroudsburg University 570-422-3999 slaba...@esu.edu http://www.facebook.com/eaststroudsburguniversity http://twitter.com/esuniversity http://www.youtube.com/user/esuedu

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352950
Re: Resolving security vulnerability
If you are doing something like this:

<input type="hidden" name="ip" value="#cgi.remote_addr#" />

and cgi.remote_addr is resolving to an internal IP such as 10.x.x.x or 192.168.x.x due to a proxy or load balancer, then you are disclosing the internal IP of a computer on your network. Thus your PCI scan is saying you are leaking that info.

In most cases the value you want is the actual remote user's IP address; the proxy or load balancer will send that along in the X-Forwarded-For header (which you can access as GetHttpRequestData().headers["X-Forwarded-For"]). If you really want to pass that info, you could also encrypt it and pass that value, just be sure to validate and sanitize it as well.

-- Pete Freitag - Adobe Community Professional http://foundeo.com/ - ColdFusion Consulting Products http://petefreitag.com/ - My Blog http://hackmycf.com - Is your ColdFusion Server Secure?

On Thu, Oct 4, 2012 at 9:57 AM, fun and learning funandlrnn...@gmail.com wrote: Hi All, I am using input hidden fields for some CGI variables. The security scan has issued 'information leakage' threat. These variables are defined in a file and the file is included in various places. What is the best way to resolve this vulnerability? Thanks

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352857
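X-Forwarded-For is just a request header, so a client can put any text in it; the only hop you can believe is the one appended by a proxy you control. The following is an added example, not code from the thread, of reading the header the careful way: walk the list from the right, skip the proxies you trust, and take the first address you do not trust as the client. It assumes a single load balancer at 10.0.0.5 (a made-up address) and reads the address when the form is processed instead of echoing it into a hidden field at all, which removes the disclosure the scanner flagged.

```cfml
<cfscript>
// Added example, not from the thread. The load balancer address is assumed;
// list every proxy that sits between the internet and ColdFusion.
TRUSTED_PROXIES = "10.0.0.5";

/**
 * Returns the client address for this request. remoteAddr is cgi.remote_addr
 * (the TCP peer); xff is the raw X-Forwarded-For header, possibly empty.
 * Hops are read right to left: trusted proxies are skipped, the first
 * untrusted hop is the client, and anything further left is ignored because
 * the client itself could have sent it.
 */
function clientIp(remoteAddr, xff) {
    var ips = listToArray(arguments.xff);
    var candidate = arguments.remoteAddr;
    var i = 0;
    // If the peer is not one of our proxies the header was not added by us: ignore it.
    if (!listFindNoCase(TRUSTED_PROXIES, candidate)) return candidate;
    for (i = arrayLen(ips); i >= 1; i--) {
        candidate = trim(ips[i]);
        if (!listFindNoCase(TRUSTED_PROXIES, candidate)) break;
    }
    // Accept only an IPv4 literal; on anything else fall back to the peer address
    // rather than storing attacker-chosen text.
    if (!reFind("^\d{1,3}(\.\d{1,3}){3}$", candidate)) return arguments.remoteAddr;
    return candidate;
}

// Form handler: derive the address here, on the server, when the post arrives.
headers = getHttpRequestData().headers;
xff = structKeyExists(headers, "X-Forwarded-For") ? headers["X-Forwarded-For"] : "";
submitterIp = clientIp(cgi.remote_addr, xff);
</cfscript>
```

With a spoofed header such as "1.2.3.4, 203.0.113.9" arriving through the balancer, the function returns 203.0.113.9 (the hop the balancer appended) and never looks at 1.2.3.4; with no proxy in front, it returns cgi.remote_addr unchanged.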
Re: CFMX 9 - Spell Check
Foundeo Spell Checker can work on cftextarea when format="html"; here's an example with a button outside of the toolbar: http://foundeo.com/spell-checker/fckeditor.cfm I know we have some code for adding it to the ckEditor toolbar as well; it would probably not be too difficult to add to the toolbar.

-- Pete Freitag - Adobe Community Professional http://foundeo.com/ - ColdFusion Consulting Products http://petefreitag.com/ - My Blog http://hackmycf.com - Is your ColdFusion Server Secure?

On Wed, Oct 3, 2012 at 1:40 PM, ColdFusion Developer cfdev2...@gmail.com wrote: Does anyone know a means to implement Spell Check functionality into the CFTEXTAREA's toolbar? I don't think CFMX 9 has a SpellCheck engine so I have to find an alternative.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352843
Re: Invoking Java component that sends SSL Client Key in CF9 Ent
My guess is that this has something to do with the RSA BSafe Crypto-J security provider that CF Enterprise ships with. This API was upgraded in CF10, so you could try that as an option. When you run Java from the command line you are not using Crypto-J; when you run Java within CF you are. Another thing to try would be CF Standard, since CF Standard uses the default Java security provider. You might also be able to have CF9 Ent run with the default security provider via some JVM options. Also, can you post the full stack trace for the error you are getting in CF?

-- Pete Freitag - Adobe Community Professional http://foundeo.com/ - ColdFusion Consulting Products http://petefreitag.com/ - My Blog http://hackmycf.com - Is your ColdFusion Server Secure?

On Tue, Oct 2, 2012 at 11:01 AM, Donnie Bachan (Gmail) donnie.bac...@gmail.com wrote: Thanks Dave, You just pass the location of the key file as a string so I'm just passing in C:\wamp\.\ClientKey.pem both in CF and Java class. I've tried using Wireshark as well to look at the packets being sent. From Java the request is fine; from CF the remote URL never gets called at all, so it's not even getting to the bit where it makes the request. What I don't understand is why it's throwing the same error when I use a wrapper Java class that then invokes the SDK. Even if I hard code the paths to the files in the Java wrapper class and all CF does is call the wrapper class I get the same error. I'm thinking it may be some sort of permission issue why it can't read the key file but I can't figure out what to change. CF and Java and Apache all have full permissions on the directories. Donnie Bachan

This returns an error: Cannot get key bytes, not PKCS#8 encoded. If, however, I wrap this in a Java class and execute from command line it works just fine. It just refuses to work when called from ColdFusion.

How are you providing the key file to the Java class from within CF? Are you just reading it via CFFILE? I suspect that's the problem, although I don't know what the solution would be exactly. When you execute the Java class from the command line, how are you providing the file in that case?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352811
Re: CF9 enterprise runs on 64-bit Red Hat 6?
Dan, I'm pretty sure it is not a supported OS for CF9. I do recall some folks running into issues getting it to run on RHEL 6, but I think you can work around it; I have not tried personally. I have used CF10 on RHEL 6 and it works well.

-- Pete Freitag - Adobe Community Professional http://foundeo.com/ - ColdFusion Consulting Products http://petefreitag.com/ - My Blog http://hackmycf.com - Is your ColdFusion Server Secure?

On Tue, Oct 2, 2012 at 6:57 PM, Dan LeGate d...@legeek.com wrote: I'm trying to find the equivalent ColdFusion 9 page to this CF10 page: http://www.adobe.com/products/coldfusion-enterprise/tech-specs.html trying to answer the question "Will ColdFusion 9 Enterprise run on 64-bit Red Hat 6?" Any information is greatly appreciated! Dan

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352835
Re: CF DDos update released
On Thu, Sep 13, 2012 at 11:24 AM, Brian Thornton br...@cfdeveloper.com wrote: It was a field max to limit CSRF.. number of fields is limited or allowed by W3C standards so I strongly doubt that to be changed in this case..

This particular hotfix does not do anything to limit the number of form fields submitted; however a previous hotfix did, APSB12-06, which added the postParameterLimit setting to neo-runtime.xml. This value defaults to 100, so submitting 53 form fields should not trigger it (unless you lowered the default value). Note that if you installed the latest hotfix you also installed this one, because the security hotfixes are mostly cumulative (for 9.0.1 at least). This was added to mitigate the effects of the HashDos vulnerability; see more about that here: http://www.petefreitag.com/item/808.cfm

I'm not sure how limiting the number of fields would limit a CSRF attack, can you explain? Also I'm not aware of a standard limiting the number of fields, but please prove me wrong if there is one. There are limits on the size of the URL imposed by browsers, and in some HTML specifications, but the HTTP RFC says "The HTTP protocol does not place any a priori limit on the length of a URI" http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1 -- I'm not aware of any standard limiting the size or number of fields of a FORM post in the HTTP protocol; my understanding is that it is up to the server to determine what is acceptable.

-- Pete Freitag - Adobe Community Professional http://foundeo.com/ - ColdFusion Consulting Products http://petefreitag.com/ - My Blog http://hackmycf.com - Is your ColdFusion Server Secure?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352577
Re: CF DDos update released
Yes, don't forget to count hidden form fields as well :)

-- Pete Freitag - Adobe Community Professional http://foundeo.com/ - ColdFusion Consulting Products http://petefreitag.com/ - My Blog http://hackmycf.com - Is your ColdFusion Server Secure?

On Thu, Sep 13, 2012 at 12:51 PM, Patti, Michael mpa...@sherwood-group.com wrote: I just read Pete's post about the HashDos vulnerability (http://www.petefreitag.com/item/808.cfm) and then went back to the adobe bulletin about this (http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix.html). After adding <var name='postParametersLimit'><number>500.0</number></var> and restarting CF, I'm now able to submit that form successfully. Thanks in helping me to resolve this situation! -Michael

-----Original Message----- From: Patti, Michael Sent: Thursday, September 13, 2012 11:28 AM To: cf-talk Subject: RE: CF DDos update released

I have the ability to change security groups for my profile within eSeries, and when I do that, it lowers the number of fields displayed on the profile edit screen to 38. When I submit the form, it's still throwing the same error, so I think Brian and Pete are correct that this isn't about a limit to the number of fields submitted. I'm honestly not sure where I'd change the default for number of fields that can be submitted, but I'm fairly certain that can be ruled out as a cause. I'm still stumped as to why this particular form refuses to submit. It definitely has something to do with one of the recent hotfixes. Before last night, I had only applied hf901-3.jar (on CF 9.0.1 standard), so I was a few behind when I installed hf901-6.jar. I followed the instructions in Section 2 of http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb12-21.html to the letter, and given that every other form submission I've tested works fine, I don't think this is a case of a corrupted install. I'm poking around the source code of the form submission script to see if something in there might be causing it to stop; but does anyone know whether what I'm seeing (the HTTP Error 500) is the expected behavior when CF intercepts what it deems to be a CSRF attack? Thanks again for your help. -Michael

-----Original Message----- From: Pete Freitag [mailto:p...@foundeo.com] Sent: Thursday, September 13, 2012 10:53 AM To: cf-talk Subject: Re: CF DDos update released

On Thu, Sep 13, 2012 at 11:24 AM, Brian Thornton br...@cfdeveloper.com wrote: It was a field max to limit CSRF.. number of fields is limited or allowed by W3C standards so I strongly doubt that to be changed in this case..

This particular hotfix does not do anything to limit the number of form fields submitted; however a previous hotfix did, APSB12-06, which added the postParameterLimit setting to neo-runtime.xml. This value defaults to 100, so submitting 53 form fields should not trigger it (unless you lowered the default value). Note that if you installed the latest hotfix you also installed this one, because the security hotfixes are mostly cumulative (for 9.0.1 at least). This was added to mitigate the effects of the HashDos vulnerability; see more about that here: http://www.petefreitag.com/item/808.cfm

I'm not sure how limiting the number of fields would limit a CSRF attack, can you explain? Also I'm not aware of a standard limiting the number of fields, but please prove me wrong if there is one. There are limits on the size of the URL imposed by browsers, and in some HTML specifications, but the HTTP RFC says "The HTTP protocol does not place any a priori limit on the length of a URI" http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1 -- I'm not aware of any standard limiting the size or number of fields of a FORM post in the HTTP protocol; my understanding is that it is up to the server to determine what is acceptable.

-- Pete Freitag - Adobe Community Professional http://foundeo.com/ - ColdFusion Consulting Products http://petefreitag.com/ - My Blog http://hackmycf.com - Is your ColdFusion Server Secure?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352595
Re: Denial of Service bug?
On Mon, Sep 10, 2012 at 1:28 PM, Tony F tnorther...@gmail.com wrote: Does 9.0.2 have any fixes not included in 9.0.1 Cumulative Hot Fix 2?

There are 3 security hotfixes, APSB11-29, APSB12-15 and APSB12-06, that were released after 9.0.1 Cumulative Hotfix 2 (which includes all 9.0.1 security hotfixes prior to and including APSB11-14 for 9.0.1). Those security hotfixes are included in 9.0.2. Some more info here: http://www.petefreitag.com/item/804.cfm

The APSB12-06 hotfix is a DOS vulnerability, the HashDos vulnerability, but the attack vector for that does not coincide with what you posted. More on HashDos here: http://www.petefreitag.com/tag/hashdos

I tested your example and was able to produce the original error but did not see subsequent requests failing, even when running through a load tool at 2000 requests / 20 concurrent. Not to say the issue doesn't exist in your setup; it could be specific to your setup or common to others. It sounds like it would be worth further investigation. You can pass the issue along to Adobe PSIRT http://www.adobe.com/support/security/alertus.html for proper handling, but make sure you have applied all the security hotfixes first.

-- Pete Freitag - Adobe Community Professional http://foundeo.com/ - ColdFusion Consulting Products http://petefreitag.com/ - My Blog http://hackmycf.com - Is your ColdFusion Server Secure?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352456
Re: Getting thread name via CF
Yes, the java.lang.Thread class has a static method you can call, currentThread(), which gives you the current thread; just call getName() on it, eg:

<cfset currentThread = CreateObject("java", "java.lang.Thread").currentThread()>
<cfoutput>Current Thread: #currentThread.getName()#</cfoutput>

-- Pete Freitag - Adobe Community Professional http://foundeo.com/ - ColdFusion Consulting Products http://petefreitag.com/ - My Blog http://hackmycf.com - Is your ColdFusion Server Secure?

On Thu, Sep 6, 2012 at 3:28 PM, Rick Root rick.r...@gmail.com wrote: Hi, I have a process that runs using an event gateway. Sometimes, I'd like to be able to look in FusionReactor and see what it is currently doing, if anything. But I don't always know what thread to look at, and I don't want to have to look at every thread to find it. I know that if I do a cflog statement, it will log the thread name... I wondered if there's a way I can access the current java thread name from within the CF code itself. Thanks. Rick -- *The beatings will continue until morale improves.*

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352443
Re: turning off port 3306
Hi Rob, You need to set up your network and/or OS firewall to block port 3306, and then if MySQL is on the same box as CF, just use 127.0.0.1 and port 3306 to connect to the DB. If CF and the DB are on different machines then configure the firewall such that only the CF server's IP can access port 3306 on the DB server.

-- Pete Freitag - Adobe Community Professional http://foundeo.com/ - ColdFusion Consulting Products http://petefreitag.com/ - My Blog http://hackmycf.com - Is your ColdFusion Server Secure?

On Thu, Sep 6, 2012 at 11:54 PM, Rob Voyle robvo...@voyle.com wrote: Hi Brian Its for PCI compliance for doing credit card transactions. control scan keeps reporting Port 3306 being open to the internet. I just need coldfusion to access Mysql. I used FreeSShd to create a ssh tunnel which I can access on port 22 from Navicat on my desktop, So I can administer the Mysql data base. But I can't get coldfusion to access the port 22. Rob

On 6 Sep 2012 at 22:25, Brian Thornton wrote: Or use a DMZ port forwarding method based on the packet header... Is this for SOX compliance? On Sep 6, 2012 10:00 PM, Scott Slone ssl...@rubbergumball.net wrote:

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352444
Re: Looking for Homesite+
FYI Just saw this: if you go here: http://www.adobe.com/cfusion/tdrc/index.cfm?product=jrunloc=en_us you can download Homesite 5.5

-- Pete Freitag - Adobe Community Professional http://foundeo.com/ - ColdFusion Consulting Products http://petefreitag.com/ - My Blog http://hackmycf.com - Is your ColdFusion Server Secure?

On Thu, Aug 16, 2012 at 3:17 PM, wrote: I just need to update the tag definitions to the latest version of CFM. However, what is the last supported CF version and where are the updates available?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352241
Modern (and free) html/cf editor that is similar to Homesite?
I teach web design and web programming at a public high school. I have been using Homesite for my classes, but it doesn't play well in our environment (locked down C drive, network drives... trust me, it has issues). Are there any current text editors that play well with HTML, CSS, JavaScript, and CF, that are also free? It doesn't need to be a super heavy duty app like Eclipse; in fact, I tried that with my web design class and it was a nightmare because of its complexity. Platform is WinXP.

Thanks for any suggestions, Pete

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352120
Re: Hashing in CF9
The result of Hash using SHA-512 will always be a 128 character hex string; no matter what the input, it will always be that length. You can simply append or prepend the salt to the value you are hashing, eg:

#Hash(password & salt, "SHA-512")#

You don't need to Encrypt your password if you are hashing it, and your salt should be different for every user; something like a UUID or GenerateSecretKey("AES") is what I use. You can store the salt in another column in your user table. I typically generate a new salt every time the user changes password.

-- Pete Freitag - Adobe Community Professional http://foundeo.com/ - ColdFusion Consulting Products http://petefreitag.com/ - My Blog http://hackmycf.com - Is your ColdFusion Server Secure?

On Mon, May 14, 2012 at 8:58 AM, Brian Thornton br...@cfdeveloper.com wrote: Docs are at: http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7c2f.html My client is moving from CF MX to CF 9 and I find this could be handled better.. I am used to a 512 character to be created. In CF 9

<cfset passwordHash = Encrypt(password, "SHA-512") />

is generating an 11 character sized text.

<cfset passwordHash = Hash(Encrypt(password, "SHA-512")) />

will get me 512 but is this duplicitous?

<cfset password = "myP@ssw0rd" />
<cfset salt = "foo" />
<cfset passwordHash = Hash(Encrypt(password, "SHA-512")) />

Where is the salt handled?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351135
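The scheme in the reply above (per-user random salt stored beside the hash, SHA-512 over password and salt, fresh salt on every password change), written out end to end as an added example that is not code from the thread. The in-memory "users" struct stands in for the user table; in real code the salt and hash columns are written and read with cfquery/cfqueryparam. The comparison step uses java.security.MessageDigest.isEqual so that a wrong guess takes the same time whatever prefix of the hash it matches.

```cfml
<cfscript>
// Added example, not from the thread. "users" stands in for the user table.
users = {};

function newSalt() {
    // 128 random bits from the JCE provider, base64 encoded: one per user, per password
    return generateSecretKey("AES");
}

function hashPassword(password, salt) {
    // SHA-512 in CF9 always yields a 128 character hex string, whatever the input length
    return hash(arguments.password & arguments.salt, "SHA-512");
}

function setPassword(username, password) {
    var salt = newSalt();                       // new salt every time the password changes
    users[arguments.username] = { salt = salt, pwhash = hashPassword(arguments.password, salt) };
}

function verifyPassword(username, password) {
    var rec = "";
    var actual = "";
    if (!structKeyExists(users, arguments.username)) return false;
    rec = users[arguments.username];
    actual = hashPassword(arguments.password, rec.salt);
    // MessageDigest.isEqual compares the full byte arrays without an early exit
    // (timing-safe on current JVMs), so the hash prefix is not leaked through timing.
    return createObject("java", "java.security.MessageDigest").isEqual(
        charsetDecode(rec.pwhash, "utf-8"), charsetDecode(actual, "utf-8"));
}

setPassword("alice", "correct horse battery staple");   // constructed sample user
ok  = verifyPassword("alice", "correct horse battery staple");
bad = verifyPassword("alice", "wrong password");
</cfscript>
```

A single SHA-512 pass is what the thread asks for; where the server allows it, an iterated, salted derivation (GeneratePBKDFKey, available from ColdFusion 11, or bcrypt via a Java library) slows offline guessing far more than the salt alone does, and the storage layout above does not change.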
Re: encrypting with initialization vectors
You need to use a feedback mode other than ECB (the default when you omit it from the algorithm) to use an IV; try using AES/CBC/PKCS5Padding for your algorithm. This KB article has a lot of info about this stuff: http://helpx.adobe.com/coldfusion/kb/strong-encryption-coldfusion-mx-7.html

-- 
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Thu, May 10, 2012 at 2:52 PM, Carol Knapp c...@kargo.net wrote:
> Here's the test code. I'll take AES or DESEDE or better. Running CF Enterprise.
>
>     <!--- testenc.cfm
>     ** Purpose: test encryption --->
>     <html>
>     <head><title>Test ENC</title></head>
>     <body style="margin:20px; font-family:Arial, Helvetica, sans-serif; font-size:12px; background-color:#f2f0db;">
>     <h3>Test ENC</h3>
>     <!--- Do the following if the form has been submitted. --->
>     <cfif IsDefined("Form.myString")>
>     <cfscript>
>     theKey = generateSecretKey(Form.myAlgorithm);
>     anotherKey = generateSecretKey(Form.myAlgorithm);
>     useasiv = encryptBinary(anotherkey, theKey, Form.myAlgorithm, Form.myEncoding);
>     //Encrypt the string.
>     encrypted = encrypt(Form.myString, theKey, Form.myAlgorithm, Form.myEncoding);
>     IVencrypted = encrypt(Form.myString, theKey, Form.myAlgorithm, Form.myEncoding, useasiv);
>     //Decrypt it. (The IV round trip has to decrypt IVencrypted, not encrypted.)
>     decrypted = decrypt(encrypted, theKey, Form.myAlgorithm, Form.myEncoding);
>     IVdecrypted = decrypt(IVencrypted, theKey, Form.myAlgorithm, Form.myEncoding, useasiv);
>     </cfscript>
>     <!--- Display the values and the results. --->
>     <cfoutput>
>     <b>The algorithm:</b> #Form.myAlgorithm#<br><br>
>     <b>The key:&nbsp;&nbsp;</b> #theKey#<br><br>
>     <b>The string:</b> #Form.myString#<br><br>
>     <b>Encrypted:&nbsp;&nbsp;&nbsp;</b> #encrypted#<br>
>     <b>IVencrypted:</b> #IVencrypted#<br><br>
>     <b>Decrypted:</b> #decrypted#<br>
>     <b>IVdecrypted:</b> #ivdecrypted#<br><br><br>
>     </cfoutput>
>     </cfif>
>     <cfparam name="myEncoding" default="">
>     <cfparam name="myAlgorithm" default="">
>     <!--- The input form. --->
>     <form action="<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>" method="post">
>     <input type="hidden" name="onetimeid" value="<cfoutput>#onetimeid#</cfoutput>">
>     <b>Select the encoding</b><br>
>     <select size="1" name="myEncoding">
>     <option <cfif myEncoding IS "UU">selected</cfif>>UU</option>
>     <option <cfif myEncoding IS "Base64">selected</cfif>>Base64</option>
>     <option <cfif myEncoding IS "Hex">selected</cfif>>Hex</option>
>     </select><br><br>
>     <b>Select the algorithm</b><br>
>     <select size="1" name="myAlgorithm">
>     <option <cfif myAlgorithm IS "AES">selected</cfif>>AES</option>
>     <option <cfif myAlgorithm IS "DES">selected</cfif>>DES</option>
>     <option <cfif myAlgorithm IS "DESEDE">selected</cfif>>DESEDE</option>
>     </select><br><br>
>     <b>Enter string to encrypt</b><br>
>     <textArea name="myString" cols="40" rows="2" WRAP="VIRTUAL">1234567890123456</textArea>
>     <input type="Submit" value="Encrypt my String">
>     </form>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351107
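The CBC-with-IV usage Pete recommends, as an added example (not Carol's test page and not Pete's code). It assumes CF9 or later, where encrypt() and decrypt() take the IV as a fifth argument, and generates the key inline only so the page runs stand-alone; a real application generates the key once and keeps it outside the web root. The IV is packed in front of the ciphertext so that decryption can read it back, and the ECB comparison shows why the IV matters.

```cfml
<cfscript>
// Added example, not from the thread. Assumes CF9+ (IV is the 5th argument of
// encrypt/decrypt). The key is generated here only so the page runs on its own.
key = generateSecretKey("AES");   // 128-bit key, Base64 encoded

// CBC needs a unique, unpredictable 16-byte IV for every encryption. The IV is
// not secret, so it is prepended to the ciphertext for decryptWithIV to use.
function encryptWithIV(required string plainText, required string key) {
    // generateSecretKey("AES") is used here purely as a CSPRNG source of 16 bytes.
    var iv = binaryDecode(generateSecretKey("AES"), "Base64");
    var cipherText = encrypt(arguments.plainText, arguments.key, "AES/CBC/PKCS5Padding", "Base64", iv);
    // Base64 never contains ':', so it is a safe separator between IV and ciphertext.
    return binaryEncode(iv, "Base64") & ":" & cipherText;
}

function decryptWithIV(required string packed, required string key) {
    var iv = binaryDecode(listFirst(arguments.packed, ":"), "Base64");
    var cipherText = listLast(arguments.packed, ":");
    return decrypt(cipherText, arguments.key, "AES/CBC/PKCS5Padding", "Base64", iv);
}

plain = "1234567890123456";

// Plain "AES" means AES/ECB: the same key and plaintext always produce the same
// ciphertext, which is what lets an observer recognise repeated values.
ecb1 = encrypt(plain, key, "AES", "Base64");
ecb2 = encrypt(plain, key, "AES", "Base64");
writeOutput("ECB ciphertexts identical: " & (ecb1 EQ ecb2) & "<br>");

// CBC with a fresh IV: two encryptions of the same value differ, yet both decrypt.
cbc1 = encryptWithIV(plain, key);
cbc2 = encryptWithIV(plain, key);
writeOutput("CBC ciphertexts identical: " & (cbc1 EQ cbc2) & "<br>");
writeOutput("CBC round trip 1 matches: " & (decryptWithIV(cbc1, key) EQ plain) & "<br>");
writeOutput("CBC round trip 2 matches: " & (decryptWithIV(cbc2, key) EQ plain) & "<br>");
</cfscript>
```

Losing the IV means losing the first block of plaintext, so it belongs with the ciphertext in the database column or message rather than being regenerated on the decrypting side.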
Re: Blank page with no HTML tags
Try this:

    <cfcontent reset="true" type="text/plain"><cfabort>

That should be blank in all browsers, and will reset the output buffer from any whitespace that might have been caused by code running prior to that or in your Application.cfc/cfc.

-- 
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Fri, Mar 9, 2012 at 12:40 PM, Chad Baloga cbal...@gmail.com wrote:
> Thanks for the ideas.. I'll give them a try

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350327
Re: Failed PCI Compliance test on CF9.01
Hi Robert,

You are caught in a bit of a catch-22 here. If you want to set the secure attribute on session cookies delivered over SSL, but also have it use the same cookie values over non-SSL, then that defeats the purpose of adding the secure attribute. If you want to do that you can't use the secure attribute on the cookies. The secure attribute says only send this cookie over SSL, so when you make a request to a non-SSL URL the browser will not send the cookie; this causes ColdFusion to issue a new session.

The best solution is to run all on SSL as Cameron suggested. Here's a good read on the performance of SSL and TLS: http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html, the main point being that SSL is not as computationally expensive as you may think.

If that's not going to fly then you need to build something to share data between the sessions, while making sure that the non-SSL data is not privileged; it can get complicated to ensure that you're not opening yourself up to security issues over non-SSL.

-- 
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Tue, Mar 6, 2012 at 2:19 AM, Robert Rhodes rrhode...@gmail.com wrote:
> So a site that I built failed PCI compliance testing because the jsessionid cookie is not set securely. I found this post http://thinkinglemur.com/index.php/2009/02/setting-secure-attribute-of-jsessionid-cookie-in-coldfusion-8/ that shows how to force JRun to always set the session cookies securely, but the user loses their session state when they move between secure and non-secure pages (the jsessionid is different for secure pages). This is obviously a big problem, since we can't have the entire user session running under SSL. Any ideas on how to get the jsessionid to be the same on secure and non-secure pages? I am a little lost here.
>
> I am running CF 9.01, with the app set to sessionmanagement=yes and setclientcookies=no. In the administrator, I have Cookie set as my default client storage mechanism, and J2EE session variables enabled. I also have "use UUID for cftoken" enabled, but since I have setclientcookies set to no, I don't think that matters.
>
> -RR

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350275
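One way to act on the "run all on SSL" advice, as an added example that is not from the thread: an Application.cfc whose onRequestStart sends any plain-HTTP request to its HTTPS equivalent before the session cookie is exchanged, so a secure-flagged cookie is never asked for over a connection where the browser would withhold it. The application name is an assumption.

```cfml
<cfcomponent output="false">
    <!--- Added example, not from the thread. this.name is an assumption. --->
    <cfset this.name = "mySecureApp">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <cffunction name="onRequestStart" returnType="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var target = "">
        <!--- CGI.SERVER_PORT_SECURE is 1 on HTTPS requests and 0 otherwise.
              Redirecting before any page code runs means the session cookie,
              which carries the secure attribute, is only ever set and read over
              SSL, so the user never bounces between two different sessions. --->
        <cfif NOT cgi.server_port_secure>
            <cfset target = "https://" & cgi.server_name & cgi.script_name>
            <cfif len(cgi.query_string)>
                <cfset target &= "?" & cgi.query_string>
            </cfif>
            <!--- addToken="false" keeps CFID/CFTOKEN out of the redirect URL --->
            <cflocation url="#target#" statusCode="301" addToken="false">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

If SSL is terminated at a load balancer in front of ColdFusion, CGI.SERVER_PORT_SECURE will be 0 on every request and the check has to look at whatever forwarded-protocol header the balancer sets instead, otherwise this redirect loops.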
Re: CF attack on a buddies server
On Thu, Feb 23, 2012 at 7:39 PM, James Holmes james.hol...@gmail.com wrote:
> This would confirm which patches are missing: http://www.hackmycf.com/

James - it will let you know to the best of its abilities, but there are certain factors that might cause it not to detect a missing patch (eg perhaps something is not there on one virtual host that is on another, and some patches we could detect remotely but would cause your server to crash, so we don't do those tests of course).

For paid subscribers we (full disclosure: I own the company that sells the service) have a cfm file that you can place on your server that we call the probe. The probe.cfm file allows hackmycf.com and your server to communicate (encrypted with AES, and you can also layer SSL on top of that) additional info that yields a more reliable result than the free version. The probe sends back Java version information, a list of jar file names in the lib/updates directory, and we are also able to request an md5 checksum of certain files. Here's a screenshot that shows the additional info you can get on a CF9.0.1 server: https://foundeo.com/hack-my-cf/images/6-reasons.png

I hope that answers your question; feel free to contact me directly, and you all can use discount code 543m to get $5 off your first 3 months (new accounts only, expires 3/1/12).

-pete

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350087
Re: Application Mappings RE: Ram Disk problem under load
Do you have code that calls ApplicationStop() on error or something? I wonder if that might cause the application scoped mappings to be undefined for a split second while the application is reloading? Just a guess.

On Thu, Feb 23, 2012 at 1:10 PM, Brook Davies cft...@logiforms.com wrote:
> So we ran a load test last night with 100 concurrent users. Everything went fine *except* this ram disk problem and another problem with a missing template include. Looking at it closer, both errors ("Could not find the included template") used application mappings to do the include. These are defined in the application.cfc:
>
>     <cfcomponent output="false" extends="coldfireApplication">
>         <cfset this.name = 'YourMama'>
>         <cfset this.mappings["/publicroot"] = webroot & 'web\public\' />
>         <cfset this.mappings["/ram"] = "ram://" />
>     </cfcomponent>
>
> CF 8.01 had a hotfix that was supposed to fix custom tag path mappings acting up under load: http://kb2.adobe.com/cps/529/cpsid_52915.html
> 73761 Fix for the error "Cannot find CFML template for custom tag" thrown under load when using THIS.customtagpath in application.cfc and "enable per app settings" is enabled.
>
> But I am running CF 9.01 with all the hotfixes. BTW, I dumped the ram disk after some failed includes and the file *did exist* on the ram disk.
>
> --
>
> I just did another load test this morning, however this time the load was all done on a single application testing a form submission process (this is where the include error was generated). No errors this time. The difference between this test and the last test that generated lots of errors is that this test did not run concurrent load on the other side of this application, which uses an application.cfc that extends the main application.cfc via applicationProxy.cfc. It's a child application that shares the main application's name and scope but also enables client variables and does some other stuff (pseudo code below):
>
>     <cfcomponent output="false" extends="ApplicationProxy">
>         <cfset this.clientManagement = true>
>         <cfset this.setClientCookies = true>
>         <cfset this.setDomainCookies = true>
>         <cfset this.clientStorage = 'LF-CLIENTVARS'>
>         <!--- NO MAPPINGS HERE LIKE IN THE MAIN APPLICATION.CFC. COULD THAT BE THE PROBLEM?? --->
>         <cffunction name="onRequestStart" returnType="boolean" output="false">
>             <cfargument name="thePage" type="string" required="true">
>             <cfset super.onRequestStart(arguments.thePage)>
>             <cfreturn true>
>         </cffunction>
>     </cfcomponent>
>
> So my guess is that because it doesn't include the application mappings that it is somehow overwriting them when two requests run at the same time. Strange I know, but that's the best I can figure. I am gonna run another load test tomorrow night, and try adding the mappings into the child application and see if that helps.
>
> Brook
>
> -----Original Message-----
> From: Brook Davies [mailto:cft...@logiforms.com]
> Sent: February-22-12 12:30 PM
> To: cf-talk
> Subject: RE: Ram Disk problem under load
>
> Hi Raymond, I don't see your reply actually... oh here it is in my junk folder...g... Tonight when the load test is running, I'll pause midway and swap in a real file path and see how that runs. The only other thing I can think is that there is a name collision and the file is deleted by another thread who was using the same filename. But the filename variable IS var scoped (FYI, this IS inside an application scoped CFC).
>
> Brook
>
> -----Original Message-----
> From: Raymond Camden [mailto:raymondcam...@gmail.com]
> Sent: February-22-12 11:38 AM
> To: cf-talk
> Subject: Re: Ram Disk problem under load
>
> Noticed you didn't reply to my idea... can you also ensure that it really is a VFS issue by simply switching to a real folder - just for testing?
>
> On Wed, Feb 22, 2012 at 12:05 PM, Brook Davies cft...@logiforms.com wrote:
> > Good idea, I'll check the contents of the ram disk after any failures...
> >
> > Brook
> >
> > -----Original Message-----
> > From: Pete Freitag [mailto:p...@foundeo.com]
> > Sent: February-22-12 9:58 AM
> > To: cf-talk
> > Subject: Re: Ram Disk problem under load
> >
> > Hi Brook, Certainly you will want to have a try / catch around that; you could put the delete of the ram file in a cffinally tag to ensure it runs, otherwise if an error is thrown in the cfinclude the file never gets deleted and stays in ram. Also to answer your question about the garbage collection, I don't think that would be the issue; the garbage collector only removes objects that have a reference count of zero. I would assume that when you have a file on the ram disk ColdFusion maintains a reference to it; when you delete the file CF will delete the reference and allow the GC to clean up. I don't think reducing the size of your ram disk will make the problem go away. What you might want to do is run this after you run your load test to see
Re: CF attack on a buddies server
On Wed, Feb 22, 2012 at 7:55 PM, Ras Tafari rastaf...@gmail.com wrote:
> any idea how they were able to get the file that ran into the cfide directory? and what might prevent that part? that's the most haunting part to him. i said it was probably a windows exploit first... not sure tho.

If they are running CF8 without security hotfixes then there is a really good chance that it was the FCKeditor vulnerability: http://www.adobe.com/support/security/bulletins/apsb09-09.html

But there are also so many other ways they could have done it. The bottom line is you want to make sure you have all security hotfixes in place, and then make sure everything is running with the least possible privilege. Otherwise it's pretty easy to take control of your server!

-- 
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350075
Re: Ram Disk problem under load
Another thing to consider is that the ram disk has a size limit specified in the ColdFusion administrator. Is it possible that the write failed (perhaps silently) because the ram disk was full?

-- 
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Wed, Feb 22, 2012 at 3:12 AM, Brook Davies cft...@logiforms.com wrote:
> Hey everyone,
>
> Did some very light pre-load testing yesterday in preparation for a larger test tomorrow. This limited load threw some errors. I'm writing to the in-memory file system some CFML code, that I then cfinclude to execute it. It's pretty straightforward code, and this was under very little load (10 concurrent users only).
>
> Note: I have an application mapping for the ram disk in application.cfc:
>
>     <cfset this.mappings["/ram"] = "ram://" />
>
> And then in the problem code:
>
>     <!--- set the filename to a unique name --->
>     <cfset filename = 'wildcardparsing-#createUUID()#.cfm'>
>     <!--- write the file --->
>     <cffile action="write" output="#cfml#" file="ram://#filename#"/>
>     <!--- include and execute the cfml --->
>     <cfinclude template="/ram/#filename#" />
>     <!--- clean up --->
>     <cffile action="delete" file="ram://#filename#"/>
>
> The error I got was: Could not find the included template /ram/wildcardparsing-66031760-EEDC-69FB-8F2EFEC77564096A.cfm.
>
> I got a similar error in another template on a different execution that uses similar code to generate the CFML for a CFDOCUMENT tag and then writes it to ram disk and includes. I have never seen this error in development; it only started happening under a wee bit of load. What could be the problem? The in-memory file system is set to 500 megs in the cfadmin (which is probably overkill..). Would a garbage collection before the include had been completed cause this to happen?
>
> Brook

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350030
Re: CF attack on a buddies server
I have seen variants of that script before; it is published in several places. In addition to what has already been mentioned, here are some steps you can take to make sure these types of attacks fail (obviously though the more critical issue is how the attacker got the file there in the first place, probably through a file upload vulnerability, or a path traversal that exposed a password they could then use to upload):

1) Change the default encryption seed in CF administrator (this is for CF9 only)
2) Check "Disable access to internal ColdFusion Java components" in the CF Admin to prevent access to the service factory
3) Setup a sandbox (and yes, you can still setup a sandbox on Standard edition; you are just limited to one set of sandbox settings for the entire server, instead of being able to create multiple sandboxes) to block cfexecute, and more if possible.

-- 
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Wed, Feb 22, 2012 at 11:31 AM, Ras Tafari rastaf...@gmail.com wrote:
> here's the code again in case pastebin killed that link http://pastebin.com/qvBTEP50
>
> On Wed, Feb 22, 2012 at 11:12 AM, Dave Watts dwa...@figleaf.com wrote:
> > > this code was somehow dropped into my friend's cfide directory and ran, did lots of bad things, stole db passwords, changed his cf code, etc. http://pastebin.com/Jg2Cs0ch any idea how to protect from this kinda attack? thanks!
> >
> > I would recommend that you read the CF 9 Server Lockdown Guide: http://www.adobe.com/products/coldfusion/whitepapers/pdf/91025512_cf9_lockdownguide_wp_ue.pdf
> >
> > In this specific case, you shouldn't allow CF to write to any web content directories by default, and you shouldn't allow file uploads to any web content directories.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > http://training.figleaf.com/
> >
> > Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350032
Re: Ram Disk problem under load
Hi Brook,

Certainly you will want to have a try / catch around that; you could put the delete of the ram file in a cffinally tag to ensure it runs, otherwise if an error is thrown in the cfinclude the file never gets deleted and stays in ram.

Also to answer your question about the garbage collection, I don't think that would be the issue; the garbage collector only removes objects that have a reference count of zero. I would assume that when you have a file on the ram disk ColdFusion maintains a reference to it; when you delete the file CF will delete the reference and allow the GC to clean up.

I don't think reducing the size of your ram disk will make the problem go away. What you might want to do is run this after you run your load test to see what's in there:

    <cfdirectory directory="ram://" action="list" recurse="true" name="dir">
    <cfdump var="#dir#">

-- 
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Wed, Feb 22, 2012 at 12:44 PM, Brook Davies cft...@logiforms.com wrote:
> Hi Pete, I don't think it's possible because the ram disk size is set to 500 megs, and this was only 10 concurrent users! I have another test with 100 concurrent users running tonight and I guess we'll see what happens, though I am sure this is going to be an issue. I added a try/catch around the write/read and am then attempting to do it again, so I guess we'll see what happens. Maybe I should reduce the size allocated to the ram disk?
>
> Brook
>
> -----Original Message-----
> From: Pete Freitag [mailto:p...@foundeo.com]
> Sent: February-22-12 9:35 AM
> To: cf-talk
> Subject: Re: Ram Disk problem under load
>
> Another thing to consider is that the ram disk has a size limit specified in the ColdFusion administrator. Is it possible that the write failed (perhaps silently) because the ram disk was full?
>
> -- 
> Pete Freitag - Adobe Community Professional
> http://foundeo.com/ - ColdFusion Consulting Products
> http://petefreitag.com/ - My Blog
> http://hackmycf.com - Is your ColdFusion Server Secure?
>
> On Wed, Feb 22, 2012 at 3:12 AM, Brook Davies cft...@logiforms.com wrote:
> > Hey everyone,
> >
> > Did some very light pre-load testing yesterday in preparation for a larger test tomorrow. This limited load threw some errors. I'm writing to the in-memory file system some CFML code, that I then cfinclude to execute it. It's pretty straightforward code, and this was under very little load (10 concurrent users only).
> >
> > Note: I have an application mapping for the ram disk in application.cfc:
> >
> >     <cfset this.mappings["/ram"] = "ram://" />
> >
> > And then in the problem code:
> >
> >     <!--- set the filename to a unique name --->
> >     <cfset filename = 'wildcardparsing-#createUUID()#.cfm'>
> >     <!--- write the file --->
> >     <cffile action="write" output="#cfml#" file="ram://#filename#"/>
> >     <!--- include and execute the cfml --->
> >     <cfinclude template="/ram/#filename#" />
> >     <!--- clean up --->
> >     <cffile action="delete" file="ram://#filename#"/>
> >
> > The error I got was: Could not find the included template /ram/wildcardparsing-66031760-EEDC-69FB-8F2EFEC77564096A.cfm.
> >
> > I got a similar error in another template on a different execution that uses similar code to generate the CFML for a CFDOCUMENT tag and then writes it to ram disk and includes. I have never seen this error in development; it only started happening under a wee bit of load. What could be the problem? The in-memory file system is set to 500 megs in the cfadmin (which is probably overkill..). Would a garbage collection before the include had been completed cause this to happen?
> >
> > Brook

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350033
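Brook's write/include/delete sequence with the cffinally that Pete suggests, as an added example rather than code from the thread. It assumes the /ram mapping from Application.cfc and a `cfml` variable holding the generated code (both are in the thread), and it checks that the write actually landed before including, so a silently failed write (for instance a full ram disk) is reported as such instead of surfacing as a missing template.

```cfml
<!--- Added example, not from the thread. Assumes this.mappings["/ram"] = "ram://"
      in Application.cfc and a variable `cfml` holding the generated source. --->
<cfset filename = "wildcardparsing-#createUUID()#.cfm">

<cftry>
    <cffile action="write" output="#cfml#" file="ram://#filename#">

    <!--- A write to a full in-memory file system can fail without throwing;
          make the failure explicit rather than letting cfinclude report it
          as "Could not find the included template". --->
    <cfif NOT fileExists("ram://#filename#")>
        <cfthrow type="RamDiskWriteFailed"
                 message="Generated template was not written to ram://"
                 detail="#filename# - check the in-memory file system size in the CF Administrator">
    </cfif>

    <cfinclude template="/ram/#filename#">

    <cfcatch type="any">
        <!--- Log enough to correlate with the load test, then let the caller see the error. --->
        <cflog file="ramdisk" type="error"
               text="#cfcatch.type#: #cfcatch.message# (#filename#)">
        <cfrethrow>
    </cfcatch>

    <cffinally>
        <!--- Runs whether the include succeeded or threw, so nothing is left on the ram disk. --->
        <cfif fileExists("ram://#filename#")>
            <cffile action="delete" file="ram://#filename#">
        </cfif>
    </cffinally>
</cftry>
```

cffinally requires ColdFusion 9, which matches the 9.01 server in the thread; on CF8 the delete has to be repeated in both the normal path and the cfcatch block instead.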
Re: Required folders under CFIDE
Pradeep,

I would not suggest copying the /CFIDE/scripts folder into every site root. This can become a nightmare to manage when you need to update with patches or new versions. Instead you should create a virtual directory.

I do recommend you setup a virtual host just for ColdFusion administrator; this makes it easy to restrict, log, etc. Some use the built-in JRun web server for this purpose and that also works well in many scenarios.

-- 
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Wed, Feb 22, 2012 at 2:37 PM, Pradeep Rajasekaran pradeepviswanatha...@gmail.com wrote:
> Pete,
>
> Sorry on the delayed response. Thank you for the extra tips. I am planning to setup the servers with 1 web server but with individual virtual hosts for every CF application and ColdFusion Administrator. The CFIDE folder containing just the scripts and other required stuff is to be copied under every virtual host. The other option I have is to have 2 web servers on the same box: one for the ColdFusion Administrator and the other for CF applications. Again all apps will have individual virtual hosts. Guess it sounds a bit crazy, but please let me know your comments on this.
>
> > Pradeep, There are also some other internal mappings that fall under /CFIDE that you should be aware of if you are using Flash Forms or cfchart (RDS also has a mapping under /CFIDE but hopefully you have disabled that on production). The /CFIDE/scripts/ folder can be moved somewhere else, see: http://www.petefreitag.com/item/774.cfm - if you are not using cfform, cffileupload, cfmediaplayer then it is probably not needed, though keep in mind that ColdFusion administrator does use cfform.
> >
> > -- 
> > Pete Freitag - Adobe Community Professional
> > http://foundeo.com/ - ColdFusion Consulting Products
> > http://petefreitag.com/ - My Blog
> > http://hackmycf.com - Is your ColdFusion Server Secure?
> >
> > On Wed, Feb 8, 2012 at 10:04 AM, IT (Pradeep Viswanathan) prade...@emiratesnbd.com wrote:

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350039
Re: CFScript Book
For what it's worth I have a cfscript cheatsheet here: http://www.petefreitag.com/cheatsheets/coldfusion/cfscript/

It lists much but certainly not all of what you need to know to use cfscript. Feedback, suggestions welcome.

-- 
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Mon, Feb 20, 2012 at 12:25 PM, Cameron Childress camer...@gmail.com wrote:
> On Mon, Feb 20, 2012 at 10:48 AM, Robert Rhodes rrhode...@gmail.com wrote:
> > Are there any CFScript books out there? I ordered this one but it was a complete joke. A total waste of money: http://www.barnesandnoble.com/w/cfscript-lambert-m-surhone/1026883099.
>
> Is there a reason you want to only learn CFScript? The CFML language has so many tags and many ways of doing things. Learning only CFScript may not serve you well. Attempting to use all tags or all script is probably not the best goal IMHO.
>
> Having said that, the Adobe docs are a good starting point for learning CFScript, but if you want more than that I'd look at a regular ole CF book like CFWACK, and then look for a CFScript equivalent for what you're doing if you really need/want one.
>
> -Cameron
>
> -- 
> Cameron Childress
> -- 
> p: 678.637.5072
> im: cameroncf
> facebook http://www.facebook.com/cameroncf | twitter http://twitter.com/cameronc | google+ https://profiles.google.com/u/0/117829379451708140985

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349969
Re: Required folders under CFIDE
Pradeep,

There are also some other internal mappings that fall under /CFIDE that you should be aware of if you are using Flash Forms or cfchart (RDS also has a mapping under /CFIDE but hopefully you have disabled that on production). The /CFIDE/scripts/ folder can be moved somewhere else, see: http://www.petefreitag.com/item/774.cfm - if you are not using cfform, cffileupload, cfmediaplayer then it is probably not needed, though keep in mind that ColdFusion administrator does use cfform.

-- 
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Wed, Feb 8, 2012 at 10:04 AM, IT (Pradeep Viswanathan) prade...@emiratesnbd.com wrote:
> I am currently setting up a new server where my CFIDE is completely not exposed - it actually runs on a different web server/port. I would want to copy the folders that are essential from the CFIDE folder to make the AJAX / other cftags work; can someone please tell me what folders will be required. I see that the scripts folder is required?
>
> Thx rgds,
> Pradeep Viswanathan R
>
> DISCLAIMER: This e-mail message including any of its attachments is intended solely for the addressee(s) and may contain privileged information. If you are not the addressee or you have received this email message in error, please notify the sender who will remove your details from its database. You are not authorized to read, copy, disseminate, distribute or use this e-mail message or any attachment to it in any manner and must delete the email and destroy any hard copies of it. This e-mail message does not contain financial instructions or commitments of any kind. Any views expressed in this message are those of the individual sender and do not necessarily reflect the views of Emirates NBD PJSC, or any other related subsidiaries, entities or persons.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349873
Re: Sending an email by fax solution
I use interfax.net; they also have an API you can use in addition to sending email.

-- 
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Wed, Jan 25, 2012 at 1:05 PM, Terry Troxel terry.tro...@gmail.com wrote:
> Any suggestions as to a good solution to have an email sent to a fax service from my website in CF?
>
> Terry

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349628
Re: How many of the CF-Talk regulars blog?
Here's mine: http://www.petefreitag.com/rss/

-- 
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Thu, Jan 12, 2012 at 10:31 AM, DURETTE, STEVEN J sd1...@att.com wrote:
> Hey All,
>
> I was just updating the RSS feeds for the blogs that I read, and I was wondering how many of the regulars here on CF-Talk blog. I mean there are a lot of people who I have come to really respect on this list and I like reading their opinions, answers, etc (Dave Watts, Jochem, plus so many others) and if they have blogs I would really like to read them.
>
> If you blog please reply and include the link to the blog.
>
> I really don't know what I would have done starting out in ColdFusion if it hadn't been for this list and all the people on it!
>
> Steve

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349467
Re: One app kills another's session
Bryan,

Are these apps running on the same domain or different domains? If they are on the same domain then you will need to specify the path in your session cookies so they don't invalidate each other (this is relatively new behavior due to the session fixation security hotfix APSB11-04 released in Feb). Also if you are experiencing a cookie problem on one browser but not another, make sure you have cleared cookies first.

-- 
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Thu, Dec 15, 2011 at 12:22 PM, Bryan Stevenson br...@electricedgesystems.com wrote:
> Hey All,
>
> Can't say that I've bumped into this before.
>
> 1) 2 apps are involved and both use SESSION vars to store user details once they login.
> 2) Both apps are set to setClientCookies in CFAPPLICATION
> 3) App 1 uses a standard login form where credentials are verified and the SESSION vars are set if successful
> 4) App 2 uses Windows Integrated Authentication to grab the user's ID off the network and use that as part of the authentication process - when successful...SESSION vars are set as in app 1
> 5) Both apps have a different name in CFAPPLICATION ;-)
> 6) both apps reside on the same server running CF 8 against Oracle 10G
>
> Here's what happens on WinXP pre SP3 with IE 7:
>
> 1) Open new IE7 window and log in to app 1
> 2) Open new IE7 window and log in to app 2
> 3) Go back to the browser with app 1 and try to navigate through app - get kicked to session expired screen
>
> This was tested by another user on XP with IE8 and the issue did not occur. So I'm pretty sure this is an IE7 issue, but I'm a tad lean on things to check...any ideas?
>
> TIA
>
> Cheers
>
> -- 
> Bryan Stevenson B.Comm.
> VP Director of E-Commerce Development
> Electric Edge Systems Group Inc.
> phone: 250.480.0642
> fax: 250.480.1264
> cell: 250.920.8830
> e-mail: br...@electricedgesystems.com
> web: www.electricedgesystems.com
>
> Notice: This message, including any attachments, is confidential and may contain information that is privileged or exempt from disclosure. It is intended only for the person to whom it is addressed unless expressly authorized otherwise by the sender. If you are not an authorized recipient, please notify the sender immediately and permanently destroy all copies of this message and attachments. Please consider the environment before printing this e-mail

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349171
Re: Weird attack
On Thu, Nov 24, 2011 at 9:41 AM, Matt Blatchley m...@bridgeleaf.com wrote:
> I've never used Fuseguard before, looks pretty good though. Any experience with the customizations? It says fully customizable, but is it all done via code, or a GUI?

Hi Matt,

Just wanted to provide some more details on how FuseGuard is customized - it is customized via a CFC file called a Configurator. You can use one configurator for all your sites, or create customized configurators for each site / application. When you add FuseGuard to your Application.cfc/cfm you simply tell it which Configurator CFC to use for the given application.

The Configurator tells FuseGuard which filters (filters inspect the request and give it a threat level; they do not modify the input, as that can lead to hard-to-debug issues), loggers (log to db, email, files, etc.), and block listeners (an API hook that runs if FuseGuard is configured to block a request, and a request is blocked) to run, along with a few other FuseGuard instance-specific settings.

You can find the Install / Config Docs here: http://foundeo.com/security/fuseguard/docs/2.0/ and the CFC API reference here: http://foundeo.com/security/fuseguard/docs/2.0/reference/ or if you prefer here's a 10 min video on installing / configuring FuseGuard: http://www.youtube.com/watch?v=ubESB87vl5U

Feel free to contact me directly if you want. Thanks.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:348902
Re: FCKEditor.. XML Request error: Access denied (403)
This is disabled by default; you need to enable it via a Java System Property, see details here: http://www.petefreitag.com/item/718.cfm

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Wed, Nov 2, 2011 at 7:40 PM, Terry Troxel terry.tro...@gmail.com wrote:
> Coldfusion 9, just started. Has been working fine on all the websites until today, when using FCKEditor to browse server for an image. Any ideas? Java recently updated.
>
> Terry

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:348521
Re: Images stored in a database...
On Wed, Oct 19, 2011 at 10:52 PM, Gerald Guido gerald.gu...@gmail.com wrote:
> Awesome find Pete. Thanx for sharing!

You're welcome Gerald. One thing I forgot to mention about the IIS version (from Helicon) is that it requires CF 9.0.1 running the native IIS7 connector - it doesn't work in IIS6 compatibility mode.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:348265
Re: Images stored in a database...
Another solution to consider for this, besides a third party CDN, is installing mod_xsendfile (you can get this for both Apache and IIS 7 via Helicon Ape). With mod_xsendfile on your server you simply write an X-Sendfile: c:\path\to\file.jpg header in your getImage.cfm file (you don't need to serve it with cfcontent, which frees up CF to do other things). This allows you to keep the files outside of the web root (protected) and still allows you to run your security code in CF.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Wed, Oct 19, 2011 at 8:25 PM, Al Musella, DPM muse...@virtualtrials.com wrote:
> You may get to a point where there is so much traffic in the SQL server that the rest of the website slows down or stops responding. I would use a CDN or set up a separate server to serve the static images. Note that Google recommends using a different domain name for images (like images.mydomain.com) so you don't send the cookies that are sent with the requests to the main domain, and your browser can retrieve them in parallel with the web content.
>
> At 08:41 AM 10/19/2011, you wrote:
> > Can anyone shed some light on this issue for me? I was originally storing some images in a database, but then I convinced myself that it wasn't the most efficient way to deliver the images, so I switched my solution to static files. In general, can someone walk me through the pros and cons of placing images that will be accessed heavily in a database versus keeping them in static files? What I'm most curious about is:
> >
> > 1) When I use a .cfm page in the image tag ( <img src='getImage.cfm?id=282828'/> ), is it cached within browsers just like a static file?
> > 2) Is it too much strain on the database to be constantly requesting 5k - 60k blobs?
> >
> > Maybe I should just punt and start using Amazon S3?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:348260
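An added worked example of the X-Sendfile pattern Pete describes (written for this archive, not code from the thread or from the mod_xsendfile project): getImage.cfm runs the authorization check in CF, resolves the file by numeric id so the client never supplies a path, and then hands delivery to the web server. It assumes mod_xsendfile (Apache) or Helicon Ape (IIS 7) is installed, that session management is on, and that the datasource, table and column names exist as shown.

```cfml
<!--- getImage.cfm: added example, not code from the thread. Assumes mod_xsendfile
      or Helicon Ape is installed; datasource, table and column names are assumed. --->
<cfparam name="url.id" type="integer">

<!--- Authorization first: the point of the pattern is that CF still decides
      who may see the file even though the web server streams it. --->
<cfif not structKeyExists(session, "userID")>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- Resolve the file name from our own record by numeric id. The client never
      names a path, so url.id cannot be used to reach anything outside imageDir,
      and the owner check keeps users from fetching each other's images. --->
<cfquery name="img" datasource="myDSN">
    SELECT file_name, content_type
    FROM images
    WHERE image_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
      AND owner_id = <cfqueryparam value="#session.userID#" cfsqltype="cf_sql_integer">
</cfquery>

<cfif img.recordCount eq 0>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Directory outside the web root, so the files are never served directly. --->
<cfset imageDir = "C:\protected\images\">
<cfset filePath = imageDir & img.file_name>

<!--- Cache headers answer the "is it cached like a static file" question: the
      browser caches whatever we tell it to. X-Sendfile then tells the web server
      to send the bytes itself, and CF's thread is released when this page ends. --->
<cfheader name="Content-Type" value="#img.content_type#">
<cfheader name="Cache-Control" value="private, max-age=86400">
<cfheader name="X-Sendfile" value="#filePath#">
<cfabort>
```

The cfabort keeps CF from emitting any body of its own; the module replaces the response body with the file named in the header, and the Content-Type and Cache-Control values set here are what the browser sees.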
Re: JVM Heap Size
On Wed, Oct 5, 2011 at 11:36 AM, John M Bliss bliss.j...@gmail.com wrote:
> Related: I just tried to upgrade to Java version 1.6.0_27 but CF failed to start after I did so. Know what the max Java version 1.6.0_* usable with ACF 8 is?

The latest version of the JVM that Adobe has certified and supports for ColdFusion 8 (and CF9 for that matter) is 1.6.0_24 (see: http://kb2.adobe.com/cps/894/cpsid_89440.html), but more current versions should still work fine, generally speaking. The error you experienced may just have been due to a file path typo, or something like that.

In case you are not aware, versions less than 1.6.0_24 have a DOS vulnerability that is fairly easy to exploit, so you will want to make sure you have upgraded your JVM to at least 1.6.0_24.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:347982
Re: Can JS read CGI Environmental Variables?
You can't access CGI environment variables in JavaScript, but you can access some variables in JavaScript that the browser sends which are part of the HTTP request headers and then placed in the CGI scope, including the referrer. Try using document.referrer in JavaScript to get what you are looking for.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Thu, Sep 29, 2011 at 1:30 PM, Rick Faircloth r...@whitestonemedia.com wrote:
> Ok... I'm tired of searching.
>
> Can JS read CGI variables?
>
> e.g.
>
> var referer = cgi.http_referer.slice('/').pop();
> if ( referer === 'index.cfm' )
>
> etc.
>
> Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:347909
Re: cfquickdocs.com down?
On Tue, Sep 27, 2011 at 9:58 PM, Larry Lyons larrycly...@gmail.com wrote:
> Bookmarked already Peter. It looks very nice. A couple of comments though. I looked at a random set of tags and one thing that made things a bit difficult was the lack of differentiation in the attributes tables. How about adding some striping there if possible, or at least use a border. Also one thing I've found very useful with cfquickdocs was the cfquickdocs search widget you could add to Firefox (the search field in the upper right corner). If you could set something like that up cfdocs would really kick butt. Otherwise it looks great.
>
> Many thanks,

Hi Larry,

Thanks for the feedback! I have updated the table CSS and there is actually a Firefox search plugin already, which you can install from here: http://www.petefreitag.com/searchlets/

Enjoy,

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:347767
Re: Paypal integration
You can specify notify_url as a hidden form element. Here's the docs on the form elements that you can use: https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_html_Appx_websitestandard_htmlvariables

Keep in mind that the hidden fields could be modified by the user; that's why using the PayPal button API, or the PayPal website, are the best solutions, but depending on what you are doing you might be able to do sufficient validation in the IPN.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Tue, Sep 27, 2011 at 11:44 AM, Jenny Gavin-Wear jenn...@fasttrackonline.co.uk wrote:
> Buy now button (form submission).
>
> Does anyone know if it is possible to use the form to specify a different IPN url? I'm currently using the URL specified in the Merchant Services section of the customer's account, but it would save me a lot of time if I could specify it using the form instead.
>
> Thanks in advance,
>
> Jenny Gavin-Wear
> Fast Track Online
> Tel: 01262 602013
> http://www.fasttrackonline.co.uk/
>
> --
> I am using the free version of SPAMfighter. We are a community of 7 million users fighting spam. SPAMfighter has removed 3037 of my spam emails to date. Get the free SPAMfighter here: http://www.spamfighter.com/len The Professional version does not have this message

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:347749
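An added example of the "sufficient validation in the IPN" Pete refers to (written for this archive, not code from the thread or from PayPal): the listener first confirms with PayPal that the message is genuine, then checks the payment against the shop's own order record, because a verified message still carries whatever amount, item and custom values the buyer submitted in the hidden form. The Buy Now form is assumed to carry the order id in the hidden "custom" field and to point notify_url at this page; the datasource, table and column names and the merchant e-mail are assumptions, and the verification endpoint should be checked against PayPal's current IPN documentation.

```cfml
<!--- ipn.cfm: added example of an IPN listener, not code from the thread.
      Datasource, table/column names and the merchant e-mail are assumed. --->
<cfset rawBody = getHttpRequestData().content>
<cfset merchantEmail = "sales@example.com">   <!--- assumed value --->

<!--- 1. Authenticity: echo the unmodified post body back to PayPal with
      cmd=_notify-validate in front. PayPal answers VERIFIED or INVALID.
      Endpoint taken from PayPal's IPN docs; confirm against current docs. --->
<cfhttp url="https://ipnpb.paypal.com/cgi-bin/webscr" method="post" result="verify" timeout="30">
    <cfhttpparam type="header" name="Content-Type" value="application/x-www-form-urlencoded">
    <cfhttpparam type="body" value="cmd=_notify-validate&#rawBody#">
</cfhttp>
<cfif trim(verify.fileContent) neq "VERIFIED">
    <cflog file="paypal-ipn" type="warning" text="Unverified IPN from #cgi.remote_addr#">
    <cfabort>
</cfif>

<!--- 2. Integrity: a verified message only proves PayPal sent it. The hidden
      form fields (amount, item, custom) could have been edited by the buyer,
      so compare the payment with our own order record, not with the post. --->
<cfparam name="form.txn_id" default="">
<cfparam name="form.payment_status" default="">
<cfparam name="form.receiver_email" default="">
<cfparam name="form.mc_gross" default="">
<cfparam name="form.mc_currency" default="">
<cfparam name="form.custom" default="">

<cfif not isValid("integer", form.custom) or not isNumeric(form.mc_gross)>
    <cflog file="paypal-ipn" type="warning" text="Malformed IPN fields for txn #form.txn_id#">
    <cfabort>
</cfif>

<cfquery name="order" datasource="shopDSN">
    SELECT order_id, amount, currency, paid
    FROM orders
    WHERE order_id = <cfqueryparam value="#form.custom#" cfsqltype="cf_sql_integer">
</cfquery>

<cfset accepted = false>
<cfif order.recordCount eq 1 and not order.paid
      and form.payment_status eq "Completed"
      and compareNoCase(form.receiver_email, merchantEmail) eq 0
      and form.mc_currency eq order.currency
      and abs(form.mc_gross - order.amount) lt 0.005>
    <!--- Store txn_id with the order and update only unpaid rows, so a replayed
          or duplicated IPN cannot mark anything paid a second time. --->
    <cfquery datasource="shopDSN">
        UPDATE orders
        SET paid = 1,
            paypal_txn_id = <cfqueryparam value="#form.txn_id#" cfsqltype="cf_sql_varchar">
        WHERE order_id = <cfqueryparam value="#order.order_id#" cfsqltype="cf_sql_integer">
          AND paid = 0
    </cfquery>
    <cfset accepted = true>
</cfif>

<cfif not accepted>
    <cflog file="paypal-ipn" type="warning"
           text="IPN rejected: txn=#form.txn_id# status=#form.payment_status# gross=#form.mc_gross# #form.mc_currency# custom=#form.custom#">
</cfif>
```

The receiver_email check matters as much as the amount check: without it a message that is genuinely from PayPal, but for a payment made to a different account, would pass verification. Rejected messages are logged rather than answered with an error so the listener still returns 200 and PayPal does not keep retrying.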
Re: cfquickdocs.com down?
Hi Guys,

Several years ago I created http://cfdocs.org which had CF 5, 6, 7 docs - I just updated the site with CF9 docs. I'm also testing out hosting it on Amazon CloudFront CDN to provide even faster response times for all of you, but I have a few kinks to iron out before I flip the switch on that.

The main reason I created the site back in the day was so you could do a URL shortcut like http://cfdocs.org/cfqueryparam to get to the cfqueryparam docs. You can do this with any tag or function, and here are a few other handy shortcuts:

http://cfdocs.org/tags - all tags
http://cfdocs.org/functions - functions by category
http://cfdocs.org/application-cfc - Application.cfc reference

Let me know if you find any problems with the new site.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Mon, Sep 26, 2011 at 6:09 PM, Alan Rother alan.rot...@gmail.com wrote:
> If you guys ever get hold of him, I'd be happy to act as a mirror. It would be nice to have a few of those out there... =]
>
> On Mon, Sep 26, 2011 at 3:03 PM, Josh Nathanson joshnathan...@gmail.com wrote:
> > Through some digging I was able to connect it to Jacob Munson, who I believe is on this list, or at least was at one time. Jake you out there?? We need CFQuickDocs!
> >
> > -- Josh
> >
> > On Mon, Sep 26, 2011 at 11:36 AM, Kumar Shah shahku...@gmail.com wrote:
> > > http://cfquickdocs.com/ seems to be down (since yesterday) I believe. Anybody know who maintained this / can reach out to them? Has proved to be really useful for looking things up.
> > >
> > > Thanks
> > > --
> > > Kumar Shah
> > > http://www.coldfusion-ria.com/Blog/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:347757
Re: CFHTTP Connection Failure on SSL
On Tue, Sep 6, 2011 at 3:27 PM, webmas...@pegweb.com wrote:
> Nope I tried a restart of the service and it still says connection failure. Says I am using JVM 1.6.0_14. What is the latest supported JVM?

The latest *supported* JVM for CF 8 and CF 9 is 1.6.0_24 (see http://kb2.adobe.com/cps/894/cpsid_89440.html). Note that more current versions typically work just fine, but are not officially supported by Adobe.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:347255