Re: PCI-Compliance Ding for Non-Random CFID's

2013-04-01 Thread Pete Freitag

On Fri, Mar 29, 2013 at 2:10 PM, Rick Faircloth r...@whitestonemedia.com wrote:


 Thanks for the reply, Pete... If I remember all of the conversation
 correctly, when we came to the ding for consecutive session variables, the
 scanning vendor rep did mention the fact that a CFToken was involved and
 that made a difference. I did look up the information on this in the docs
 (CF9) and it did mention changing the CFToken to a long format (I didn't
 want to say UUID because, without looking it up, I wasn't sure that's the
 way it was labeled).


Yes, it is labeled "Use UUID for CFTOKEN" in the ColdFusion administrator, but it
is actually more than just a UUID in modern versions of ColdFusion; for
example it might look like this:

545fa4955f796cd4-AF350107-CF9E-E638-A240BBF644B48476
^ (Random)       ^ (UUID)

which contains a random value (which I believe is also generated using a
secure random generator like the jsessionid) concatenated with a UUID.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10
minutes
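The token layout Pete describes can be checked mechanically before going back to the scanning vendor. The Python below is an added example, not code from this thread or from ColdFusion itself. It assumes the modern CFTOKEN always has the 16-hex-plus-8-4-4-16 shape shown in the message above, treats an all-digit token as the older short format (an assumption about the legacy layout), and runs on constructed sample values: the first token is the one quoted above, the others are made up in the same shape. It reports whether a set of CFID/CFTOKEN pairs captured from your own server pairs a counting CFID (expected) with well-formed, non-repeating CFTOKEN values, which is the fact the compliance company has to accept.

```python
"""Added example: check CFID/CFTOKEN pairs for the structure and
unpredictability a PCI scanner expects. Sample values are constructed."""
import re

# Assumed shape of a modern CFTOKEN with "Use UUID for CFTOKEN" enabled, taken
# from Pete's example: 16 hex chars of random data, a dash, then a
# ColdFusion-style UUID written as 8-4-4-16 hex groups (not RFC 4122's
# 8-4-4-4-12 layout).
CFTOKEN_RE = re.compile(
    r"^(?P<random>[0-9a-fA-F]{16})-"
    r"(?P<uuid>[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{16})$"
)


def parse_cftoken(token):
    """Split a CFTOKEN into its random and UUID parts, or return None when it
    is not in the modern format (for example the older all-digit token)."""
    m = CFTOKEN_RE.match(token)
    return m.groupdict() if m else None


def is_sequential(values, max_step=1):
    """True when every value is the previous one plus the same small step,
    the pattern a scanner reports as a predictable identifier."""
    if len(values) < 2:
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1 and 0 < next(iter(steps)) <= max_step


def assess_session_ids(pairs):
    """pairs: (cfid, cftoken) strings as issued to consecutive new sessions.
    Returns the facts you would hand to the scanning vendor."""
    cfids = [int(cfid) for cfid, _ in pairs]
    parsed = [parse_cftoken(tok) for _, tok in pairs]
    modern = all(p is not None for p in parsed)
    randoms = [p["random"].lower() for p in parsed if p]
    random_unique = len(set(randoms)) == len(randoms)
    return {
        "cfid_sequential": is_sequential(cfids),
        "cftoken_modern_format": modern,
        "cftoken_unique": len({tok for _, tok in pairs}) == len(pairs),
        "random_part_unique": random_unique,
        # The session is identified by CFID and CFTOKEN together, so a
        # counting CFID is acceptable only when every CFTOKEN is in the
        # random+UUID form and the random halves never repeat.
        "pair_acceptable": modern and random_unique,
    }


# Constructed sample: the first token is the one from the message above, the
# rest are made up in the same shape; CFIDs count up as ColdFusion's do.
SAMPLE_PAIRS = [
    ("100231", "545fa4955f796cd4-AF350107-CF9E-E638-A240BBF644B48476"),
    ("100232", "0b7c2e9d41a6f3e8-1C2D3E4F-5A6B-7C8D-9E0F1A2B3C4D5E6F"),
    ("100233", "9e3a61f0c5d2b7a4-F0E1D2C3-B4A5-9687-78695A4B3C2D1E0F"),
]

# Constructed sample in the older short numeric CFTOKEN shape (assumed
# format), which a scanner would rightly flag as predictable.
LEGACY_PAIRS = [("100231", "12345678"), ("100232", "12345679")]

if __name__ == "__main__":
    print(assess_session_ids(SAMPLE_PAIRS))
    print(assess_session_ids(LEGACY_PAIRS))
```

To use it against a real server, collect the CFID and CFTOKEN cookies from a handful of fresh sessions (new browser profiles or cookie-less requests) and feed them in as pairs; a result with `cfid_sequential` true but `pair_acceptable` true is the normal, defensible state, while `cftoken_modern_format` false means the administrator setting above is still off.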


~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355211
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


RE: PCI-Compliance Ding for Non-Random CFID's

2013-04-01 Thread Rick Faircloth

Thanks for the info, Pete. That should satisfy the compliance company that 
ColdFusion's combination of CFID and CF-Token are, indeed, truly random and meets 
their requirements.

Rick
  To: cf-talk@houseoffusion.com
 Subject: Re: PCI-Compliance Ding for Non-Random CFID's
 Date: Mon, 1 Apr 2013 11:34:55 -0400
 From: p...@foundeo.com
 
 
 On Fri, Mar 29, 2013 at 2:10 PM, Rick Faircloth r...@whitestonemedia.com wrote:
 
 
  Thanks for the reply, Pete... If I remember all of the conversation
  correctly, when we came to the ding for consecutive session variables, the
  scanning vendor rep did mention the fact that a CFToken was involved and
  that made a difference. I did look up the information on this in the docs
  (CF9) and it did mention changing the CFToken to a long format (I didn't
  want to say UUID because, without looking it up, I wasn't sure that's the
  way it was labeled).
 
 
 Yes, it is labeled "Use UUID for CFTOKEN" in the ColdFusion administrator, but it
 is actually more than just a UUID in modern versions of ColdFusion; for
 example it might look like this:
 
 545fa4955f796cd4-AF350107-CF9E-E638-A240BBF644B48476
 ^ (Random)       ^ (UUID)
 
 which contains a random value (which I believe is also generated using a
 secure random generator like the jsessionid) concatenated with a UUID.
 
 --
 Pete Freitag - Adobe Community Professional
 http://foundeo.com/ - ColdFusion Consulting & Products
 http://hackmycf.com - Is your ColdFusion Server Secure?
 http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10
 minutes
 
 
 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355212


How can I view arguments in a CFC on-screen?

2013-04-01 Thread Rick Faircloth

I wouldn't think this would be that difficult! Normally, I would include 
variables in a struct (when I'm using AJAX, which is almost always) and view the 
variables when they're returned to the calling page. However, there are times, 
like right now, when I just want to have a look at all the argument variables 
that a CFC is receiving and verify their accuracy. Isn't there an easy way to 
do this? I'm using CF 9. Thanks!

Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355213


Has anyone dealing with PCI-Compliance seen this?

2013-04-01 Thread Rick Faircloth

I've been trying to deal with security scans and getting my server up to 
PCI-Compliance standards. One ding that has been an issue from the start has 
involved what the scan refers to as "dced". The first support tech at the 
scanning company didn't know what it was. I can't find out very much from 
searching, either. (I've found the acronym has a lot to do with certain state 
agencies, however!) Here's the text from the security scan:

Title: possible vulnerability in HP dced
Impact: A remote attacker could execute arbitrary commands with root privileges.
Resolution: Apply patch PHSS_29963 for HP-UX 11.00, PHSS_29964 for HP-UX 11.11, 
or PHSS_29966 for HP-UX 11.23. HP-UX patches are available from the 
[http://itrc.hp.com] HP Resource Center. Patch information for Tru64 users is 
available from [http://support.entegrity.com/private/patches/dce/ssrt4741.asp] 
Entegrity. Patch information for OpenVMS is available from 
[http://www.securityfocus.com/archive/1/368882] SSRT 4741.

This may have something to do with virtualization from what I've gathered. I'm 
on a Virtual Private Server, at this point. So, that would make some sense. 
There's no program or port referenced by the scanning results, either. Clues 
and advice anyone? Thanks!

Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355214


Re: How can I view arguments in a CFC on-screen?

2013-04-01 Thread Rob Parkhill

Sure

<cfdump var="#arguments#" output="c:/temp.html" format="html" />

That will throw all the arguments into an html file on the c drive.

Cheers,

Rob
On 2013-04-01 1:36 PM, Rick Faircloth r...@whitestonemedia.com wrote:


 I wouldn't think this would be that difficult! Normally, I would include
 variables in a struct (when I'm using AJAX, which is almost always) and view
 the variables when they're returned to the calling page. However, there are
 times, like right now, when I just want to have a look at all the argument
 variables that a CFC is receiving and verify their accuracy. Isn't there an
 easy way to do this? I'm using CF 9. Thanks! Rick

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355215


Re: How can I view arguments in a CFC on-screen?

2013-04-01 Thread Russ Michaels

Dump them all to a file, then view the file.

Regards
Russ Michaels
www.michaels.me.uk
www.cfmldeveloper.com - Free CFML hosting for developers
www.cfsearch.com - CF search engine
On Apr 1, 2013 6:36 PM, Rick Faircloth r...@whitestonemedia.com wrote:


 I wouldn't think this would be that difficult! Normally, I would include
 variables in a struct (when I'm using AJAX, which is almost always) and view
 the variables when they're returned to the calling page. However, there are
 times, like right now, when I just want to have a look at all the argument
 variables that a CFC is receiving and verify their accuracy. Isn't there an
 easy way to do this? I'm using CF 9. Thanks! Rick

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355216


Re: Has anyone dealing with PCI-Compliance seen this?

2013-04-01 Thread Maureen

I have vague memories of that being an issue with HP buffer overflow, but
it has been years.  Google of HP dced says problems on port 135, but
again this is really old.

http://www.securityfocus.com/archive/1/369697


On Mon, Apr 1, 2013 at 10:43 AM, Rick Faircloth r...@whitestonemedia.com wrote:


 I've been trying to deal with security scans and getting my server up to
 PCI-Compliance standards. One ding that has been an issue from the start
 has involved what the scan refers to as "dced". The first support tech at
 the scanning company didn't know what it was. I can't find out very much
 from searching, either. (I've found the acronym has a lot to do with certain
 state agencies, however!) Here's the text from the security scan:

 Title: possible vulnerability in HP dced
 Impact: A remote attacker could execute arbitrary commands with root
 privileges.
 Resolution: Apply patch PHSS_29963 for HP-UX 11.00, PHSS_29964 for HP-UX
 11.11, or PHSS_29966 for HP-UX 11.23. HP-UX patches are available from the
 [http://itrc.hp.com] HP Resource Center. Patch information for Tru64 users
 is available from [http://support.entegrity.com/private/patches/dce/ssrt4741.asp]
 Entegrity. Patch information for OpenVMS is available from
 [http://www.securityfocus.com/archive/1/368882] SSRT 4741.

 This may have something to do with virtualization from what I've gathered.
 I'm on a Virtual Private Server, at this point. So, that would make some
 sense. There's no program or port referenced by the scanning results,
 either. Clues and advice anyone? Thanks! Rick



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355217


Re: Has anyone dealing with PCI-Compliance seen this?

2013-04-01 Thread Dave Watts

 I've been trying to deal with security scans and getting my server up to 
 PCI-Compliance standards. One ding that has been an issue from the start has
 involved what the scan refers to as "dced". The first support tech at the
 scanning company didn't know what it was. I can't find out very much from
 searching, either. (I've found the acronym has a lot to do with certain state
 agencies, however!) Here's the text from the security scan:

 Title: possible vulnerability in HP dced
 Impact: A remote attacker could execute arbitrary commands with root 
 privileges.
 Resolution: Apply patch PHSS_29963 for HP-UX 11.00, PHSS_29964 for HP-UX 
 11.11, or PHSS_29966 for HP-UX 11.23.
 HP-UX patches are available from the [http://itrc.hp.com] HP Resource Center. 
 Patch information for Tru64 users is available
 from [http://support.entegrity.com/private/patches/dce/ssrt4741.asp] 
 Entegrity. Patch information for OpenVMS is available
 from [http://www.securityfocus.com/archive/1/368882] SSRT 4741.

 This may have something to do with virtualization from what I've gathered.
 I'm on a Virtual Private Server, at this point. So, that would make some
 sense. There's no program or port referenced by the scanning results, either.
 Clues and advice anyone? Thanks! 
 Rick

This (dced) is a program found on HP-UX. Are you running on HP-UX,
Tru64 or OpenVMS? (My guess is no.) If you're not, you should go back
to the scanning vendor and tell them that you're not running an OS
with that vulnerability.

I'm not that familiar with scanning specifically for PCI compliance,
but aren't they scanning the interface from a public network? If so,
you should have a very small number of listening ports. Maybe just
two: TCP/80 and TCP/443. There is no reason why you'd expose TCP/135
to a public network (especially if you're running Windows).

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.
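One way to check Dave's point yourself before the next scan, as an added example that is not code from this thread: the Python below parses Windows-style `netstat -an` output, ignores listeners bound only to loopback, and lists every TCP port bound to a reachable address that is not on the 80/443 allowlist. The netstat listing is constructed; the 8500 listener on 127.0.0.1 stands in for a service that is fine only because it is not bound to a public address (the ColdFusion built-in web server on its default port is the usual example). The regex and the loopback prefixes are my assumptions about the listing format.

```python
"""Added example: find TCP listeners an external scan could reach that are
not on the 80/443 allowlist. The netstat listing below is constructed."""
import re

# Constructed Windows "netstat -an" style output, not taken from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8500         0.0.0.0:0              LISTENING
  TCP    [::]:135               [::]:0                 LISTENING
  TCP    192.0.2.10:1433        0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""

# One LISTENING line: protocol, local address:port, foreign address, state.
# Assumed format; IPv6 addresses appear in square brackets.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+?):(\d+)\s+\S+\s+LISTENING\s*$")

# Listeners bound only to these are unreachable from outside the host.
LOOPBACK_PREFIXES = ("127.", "[::1]")


def listening_tcp_ports(listing):
    """Map each TCP port in LISTENING state to the set of local addresses
    it is bound to."""
    ports = {}
    for line in listing.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.setdefault(int(m.group(2)), set()).add(m.group(1))
    return ports


def exposed_ports(listing, allowed=frozenset({80, 443})):
    """Ports bound to a non-loopback address that are not on the allowlist:
    what a scanner on the public side would see if the firewall let it in.
    Returns {port: [addresses]} sorted by address for stable output."""
    result = {}
    for port, addrs in listening_tcp_ports(listing).items():
        public = sorted(a for a in addrs if not a.startswith(LOOPBACK_PREFIXES))
        if public and port not in allowed:
            result[port] = public
    return result


if __name__ == "__main__":
    for port, addrs in sorted(exposed_ports(SAMPLE_NETSTAT).items()):
        print(f"TCP/{port} reachable on {', '.join(addrs)} - not on allowlist")
```

On the constructed listing this flags TCP/135 (on both IPv4 and IPv6), TCP/3389 and TCP/1433, and stays quiet about 8500 because it is loopback-only. Run it on the real output of `netstat -an` from the server and compare the result with what the firewall actually permits; anything on the list that has no business being public is either a firewall rule to tighten or a service to bind to localhost.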

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355218


Re: Has anyone dealing with PCI-Compliance seen this?

2013-04-01 Thread Justin Scott

 but aren't they scanning the interface from a public network? If so,
 you should have a very small number of listening ports. Maybe just
 two: TCP/80 and TCP/443. There is no reason why you'd expose
 TCP/135 to a public network (especially if you're running Windows).

Good advice; in my experience the scan vendors require you to open
your firewall to their scanner IPs so they can get a more complete
picture of vulnerabilities that may be lurking behind it.  One of my
clients ran into problems with this a while back because while 80/443
were the only things open to the public, they had an older version of
Veritas Backup Exec running on the network which had known
vulnerabilities that the QSA complained about.  PCI is a pain in the
arse.  I generally refer people to use Stripe or Braintree Payments
for processing for just these reasons.  The extra per-transaction
costs are usually less than the costs of dealing with all the
network/server security and maintenance required to satisfy the
compliance requirements.


-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355219


SOLR Search

2013-04-01 Thread Matthew Allen

Just started looking into SOLR search in CF10. Is it possible to do a search on 
a document, for example a 30-page ppt document, and be able to return the 
page where your search criteria exists, e.g. "Your search for blah is on page 
10 of file.pptx" or "on pages 10, 15 and 20 of file.pptx"?

Thanks,

Matt. 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355220


Re: How can I view arguments in a CFC on-screen?

2013-04-01 Thread Dan G. Switzer, II

Use the step debugger.

On Monday, April 1, 2013, Russ Michaels wrote:


 Dump them all to a file, then view the file.

 Regards
 Russ Michaels
 www.michaels.me.uk
 www.cfmldeveloper.com - Free CFML hosting for developers
 www.cfsearch.com - CF search engine
 On Apr 1, 2013 6:36 PM, Rick Faircloth r...@whitestonemedia.com wrote:

 
  I wouldn't think this would be that difficult! Normally, I would include
  variables in a struct (when I'm using AJAX, which is almost always) and view
  the variables when they're returned to the calling page. However, there are
  times, like right now, when I just want to have a look at all the argument
  variables that a CFC is receiving and verify their accuracy. Isn't there an
  easy way to do this? I'm using CF 9. Thanks! Rick
 
 

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355221