Hi Folks,
I have a question about ckeditor. We use it in our CMS, but have not used
the version bundled with CF before.
I have a couple of questions that I am hoping folks here can answer:
1. Is ckeditor included in CF 11?
2. If so, have people had good experiences with it (we've used it for
We finally resolved this issue.
First, a big thanks as always to everyone who commented and helped us along
on this thread.
Second, here is the resolution. In our case, the problem was some enhanced
security filters that we put place recently. One of the scopes being
scanned was the cookie
Hi there,
Thanks for your follow up post. It definitely seems that we have something
similar going on. We have switched some features to be less dependent on
sessions and more on other scopes. That has worked ok but longer term we
want sessions to work consistently.
It's been very difficult
Hi All,
I was just about to post on a very similar problem when I saw this thread.
We've just had this come up in the last couple of weeks and it happens
sporadically. A few quick points:
- the problem is that sessions restart with each request
- the problem happens sporadically
- the problem
Hi Dave,
I may be getting a bit over my head here, but here is an example of what
our session dump looks like:
sessionid: 84303380daf164aedda3456e2d1856513d2e
urltoken:
CFID=83197727CFTOKEN=9af68af80f73df3-F872B04C-CA42-C7AB-D8FB410E558AEEE5js
Thanks Dave,
I'm not really the developer here but I think that we may have client
variables enabled and my recollection was that client variables may require
cfid and cftoken.
It's been running pretty smoothly for a while until this very recent
issue.
Nick
Thanks Russ,
With client variables (we're phasing them out) in place as well as the more
secure j2ee session variables, we seem to have all in use at the moment.
But, I think that has been a pretty stable configuration for us for some
time.
Nick
One really interesting behavior here, which may point us in the direction
of a better solution, is that when this problem with session.jsessionid
happens (it resets every page request), cookie.jsessionid remains
persistent.
I don't know enough about the linkage there to know if that is expected
Hi Pete,
I've been researching CSP and it sounds like a pretty cool option. But, I
just wanted to follow up on this comment that you made
below: -- it will also block inline
scripts and style elements --
Are you
Pete,
Much appreciated. I guess where I'm being a bit of a dunce is that in your
example, if a malicious url.query variable was passed in by a hacker,
wouldn't the display only be available on that single request? And if I
come to the same search form 2 minutes later and do a normal search,
Hi Russ,
This is very interesting. In this case, we limit failed logins to a fairly
small number before the login is disabled so in theory that would prevent
dictionary style attacks, even against fairly weak logins. If you think
that is flawed, let me know.
We've discussed adding an IP
Hi Guys, thanks for all the responses - much appreciated.
Dave, this is an interesting idea which we haven't pursued yet. I don't
have a clear sense of how the server configuration would work here. Would
you have two separate db servers (one for authored content and one for
published content)
Hi Russ,
Yes, we can definitely turn these tags on and off. The challenge is that if
we follow OWASP closely, then we shut off tags that clients genuinely need
(e.g. iframe for youtube content). So, we're trying to figure out how to
give clients adequate features without opening up too much
Right now we are using a combination of portcullis plus home grown filters
within the application as well within the web server (which we control).
We would definitely consider looking at Fuseguard as well (but haven't yet).
N
-Original Message-
From: Adam Cameron
Hi Adam,
Can you tell me a little more about what you mean by coding in order to
prevent posting directly to a form and bypassing validation?
Nick
-Original Message-
From: Adam Cameron [mailto:dacc...@gmail.com]
Sent: Friday, February 28, 2014 10:56 AM
To: cf-talk
Subject: Re: Best
Hi guys,
Following up on this thread I have a related question - what are some
examples of XSS scenarios other than comments and forum posts. As I have
researched the topic, it seems like a lot of the XSS examples given relate
to users posting to comments and forums. That's good to understand
Thanks very much Pete.
We have implemented Portcullis among other things and that will also block
tags like the ones mentioned. I think that may be similar to the ones that
you mention. I expect that Fuseguard has something similar.
I guess my follow up question may have to be with what
Hi All,
I'm very interested in your feedback on best practices when 1) trying to
mitigate risk of XSS and other hacks while 2) providing CMS functionality
that includes a web editor that clients use to publish web pages.
For example, there are many tags like style, iframe, and embed that
are
I had that problem too. Sent in a new thread via email last Thursday - came
through yesterday (Monday).
Nick
Hi All,
First, Happy Thanksgiving to everyone (who is celebrating that holiday).
Second, a quick question. We're developing a basic certificates feature in
our event tool. The idea is that you register for an event, attend the
event, and then get a certificate (most likely pdf) for the event.
Hi All,
A quick question. I need to install Cumulative Hotfix 3 and 4 on a server.
If I install 4, will that include 3 (as the word cumulative seems to
imply)? Or do I need to install CH 3 first and then install CH 4?
Thanks!
Nick
security fixes are not included.
On Fri, Oct 4, 2013 at 8:06 AM, Nick Gleason
wrote:
Hi All,
A quick question. I need to install Cumulative Hotfix 3 and 4 on a
server.
If I install 4, will that include 3 (as the word cumulative seems to
imply)? Or do I need to install CH 3 first
Thanks guys. Great advice.
N
.
Nick Gleason | CitySoft, Inc. | http://www.citysoft.com
Direct: (617) 899-5395 | Fax: (617) 507-0444
Spend Less Do More - Community Enterprise combines great features
Very distressing but I guess the positive way to look at it is a belated
open source strategy.
;-)
Nick
Russ,
This looks promising. Many, many thanks.
Nick
Hi all,
We're using CF 9.0.1 (fully patched) on IIS 7.5 and sometime yesterday all
our solr collections disappeared on a particular server. This happened a
while back on another server (which was older and not much used) so I
didn't spend a lot of time investigating then.
It seems that our
Hi Folks,
We are wrestling with a tricky problem here and I thought I would try to
get some input on it.
We run a copy of the Fusetalk forum product (Professional Edition v 4.0) on
our own servers using CF 9.0.1. All patches are up to date. A Fusetalk
admin feature uses a tabbed cflayout and
Hi Dave (or anyone),
Another quick follow up (about clustered vs nonclustered indexes) indexing
the CDATA table.
You mentioned creating an index on CDATA like the following (ie a clustered
index).
CREATE UNIQUE CLUSTERED INDEX idxCDATA
ON cdata (cfid, app)
It turns out that in some cases we
Hi folks,
We're doing some load testing on our application - particularly focused on
a registration process.
We're monitoring the test with a number of tools, including FusionReactor.
As the test progresses, it's pretty easy to see the Memory Used statistic
climbing. That's expected but we'd
Hi Dave,
Yes, we are on 64 bit with CF9 and a pretty good amount of memory allocated
to the jvm (I'd have to check to find out exactly how much).
As our load test progresses, the memory used stat in FusionReactor got as
high as 75% for a little while. CF / Garbage collection seems pretty good
Hi Folks,
We use client variables in our client databases and I've seen some
information that you can get better performance by creating indexes on
those tables. For instance this page
(http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=sharedVars_08.html) says the
Thanks Dave.
A quick follow up. We are only keeping data in these tables for 1-3 days,
and it's obviously changing a lot as the site is used. So, does that mean
that once the indexes are created, they should be re-indexed / rebuilt
frequently (because of the frequent changes in the data)?
http://www.smh.com.au/it-pro/security-it/experts-urge-pc-users-to-disable-java-cite-security-flaw-20130111-2ckog.html
Hi folks,
I've been hearing a bit about this recommendation by the US government and
others to disable or remove java in browsers. Does this have any impact on
CF in general?
Many thanks for the clarification Dave.
Nick
Hi Folks,
We're getting ready to implement some ajax code in our application to enable
queries (esp inserts and updates) to run without having to do a full page
refresh (the main goal being to just improve page load performance).
There's obviously a lot of info out there on this topic and I'm
guess here: The file in question is being d and the
variables it is setting are getting set into the Application.cfc's
variables scope, and therefore unavailable elsewhere.
On Mon, Nov 5, 2012 at 2:19 PM, Nick Gleason wrote:
Hi folks,
Bit of a head scratcher here which I'm hoping may be obvious to you all.
We've got a Fusebox 3 application which we have recently converted from
application.cfm to application.cfc.
One puzzling result has been that during a single
I know this has been discussed before but I'm not finding a clear answer
online to the question of whether it is possible to use flash on a site
where the script protect / invalidtag feature has been turned on.
We would like to keep this security feature turned on generally, but if
that means
Hi Dave,
Many thanks for the response. In our case, we have portcullis and some
other filters built into the system, so my hope is that we are secure.
Perhaps script protect is not adding a lot. Since we use a web editor in
a number of places in our system, my ideal scenario would probably
Hi folks,
Bit of a head scratcher here which I'm hoping may be obvious to you all.
We've got a Fusebox 3 application which we have recently converted from
application.cfm to application.cfc.
One puzzling result has been that during a single page request, an
attributes variable that is set in a
N
about the hash function in your example. Why would that be
necessary here? I'm not storing this in a database at this point so I'm
not sure if it's still necessary.
Thoughts?
Best,
Nick
like?
Or is there a better way?
I expect that Mura, Coldbox, etc. have done this well but I haven't tracked
that down.
Thanks in advance,
Nick
Many thanks Mike and Dave. Sounds like we're in the ball park. If anyone
else has different ways of doing it, let me know.
Best,
Nick
Hi Folks,
We're moving from application.cfm to application.cfc and I had a question
regarding best practices.
We re-use our base code and in the past, we have used a settings page that
is external from the base code and unique per client to set the
applicationname variable (and other
Many thanks for the responses! It sounds like upgrading should be pretty
smooth.
Last question. If there is some sort of problem that emerges as a result
of upgrading the JDK, how easy / hard would it be to re-install an earlier
version? Can you go back or does that present additional
Hi folks,
A question about what is considered the appropriate version of Java for use
with CF 9.
As I understand it _24 is the last version officially suggested by Adobe.
But that is susceptible to this exploit:
http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html
requesting us to up the maximum to days, not so good :-)
Byron Mann
Lead Engineer and Architect
Hostmysite.com
On May 15, 2012 2:44 PM, Nick Gleason wrote:
Hey there. Many thanks on these great responses. This is very helpful as
we think this through. May have some follow up thoughts / questions as we
go.
Nick
Hi folks,
With our CMS / CRM application, we are looking at moving from a reliance on
client variables towards more reliance on session variables, including as it
relates to logins. One challenging scenario happens when a client is using
SSL for ecommerce transactions. If a user logs in,
Hi Russ,
Thanks for the follow up. Cfthread is very cool for this sort of thing -
we've been using it. But, we would eventually like to offer an open source
version and don't want to force people to use enterprise for this to work
well.
Best,
Nick
Hi Dave. Many thanks for your reply. We'll give this some thought. I'm
not sure how cfflush comes into play but we'll dig into it a bit.
N
Yes, that would be great. It's just a matter of time and resources at this
point, but over time would love to see how it does on railo.
Nick
-Original Message-
From: Russ Michaels [mailto:r...@michaels.me.uk]
Sent: Monday, April 16, 2012 1:33 PM
To: cf-talk
Subject: Re: Fire and
We're trying to determine what would be the most effective way to do fire
and forget logging in our CMS / CRM system. The goal is to improve
performance by not having the page loads have to wait for the logging
portion of the code. We would like it to be a usable solution on CF
Standard 9 (and
Hi there. So, I took the plunge and upgraded to Windows 7 and got IIS
installed. So far so good. I've set up a web site in IIS to use for this
purpose, but the tricky part has been getting it to display through a
browser. When we use our remote servers, we assign a site to an IP and add
one
to *:80. That should work as well.
On Mon, Mar 26, 2012 at 4:52 PM, Nick Gleason n.glea...@citysoft.com
wrote:
Hi there. So, I took the plunge and upgraded to Windows 7 and got
IIS installed. So far so good. I've set up a web site in IIS to
use for this purpose
Thanks guys. I do have some remote servers which I can use, but my sense
from CF Builder is that to use their debugging tools it's easier / better to
have the whole installation on the same machine as CF Builder. If you think
that's not really true, let me know. In the mean time, I'll look into
Hi folks,
Kind of a noob question here. I'm setting up our application to run locally
on my laptop so I can use the debugger in CF Builder 2. I'm running CF9 and
SQL Server 2008 R2. I've managed to get the site to display locally in a
web browser using the built in web server. I get it to
+1 on the hackmycf paid service. It's been a good investment.
+1 for FusionReactor. We've got but have not yet installed Fusion
Analytics. But we're looking forward to that addition as well.
Nick
PS - also no affiliation with them.
We'd be interested in doing some analysis of the country of origin for IPs
of requests that we see on some of our sites / servers. We have the IPs in
a db and could create a script to check those IPs against a database that
provides the country of origin information.
So, the question is
Thanks Alan (and Nathan)! In this case, Google Analytics is probably not
going to work that well. These IPs are from many different client sites and
we don't have access to all of their GA accounts and many of them may not
have GA accounts to begin with. We do have request IPs in the various
Hi there. We've had the same experience as others. We use it for HTML
editing but haven't tried it for CF code. My assumption has always been
that it would not accept scripting language directly, but that may be wrong.
If you are frustrated about it changing around your HTML or not following
PS - There are a few cfapplication tags in our system. However, it
uses FuseBox 3 and my understanding was that this could be done in
sub-folders / circuits without confusion. For instance, we use the CFFM
file manager with CKEditor in the cms and that has an application.cfm file
with
Mike,
To answer your question, it seems to be tied to a particular browser (IE 7
or 8) on a particular computer (ie IE 7, 8 work for most users).
Also, re: session variables, looking in CF Admin, it looks like we have Use
J2EE Session Variables as well as Enable Application Variables and
Enable
Hi Mike,
Thanks for the follow up. It seems to only happen with certain computers
and only with IE (FF and Chrome work great).
Since we can't re-create it here, it's hard to test, but I have seen at
least one example with a user where the cfid and cftoken changed on every
request.
There is
Hi Folks,
This sounds a little like a sporadic but very frustrating issue that we have
experienced. It is IE only and only with some users (we haven't been able
to re-create it in house). We host multiple stand alone versions of our CMS
/ CRM application per server using CF 9 Professional
Hi there. I haven't had that exact problem, but we have used verity a lot
over the years. One thing that is typically helpful is looking at the
various log files. Verity seems to have a lot of log files but here are
some that I have noted over the years (note - these paths are from CF7 but
Anyone? Anyone? Bueller?
Hello there.
We're researching the feasibility of integrating our CF based CMS / CRM
application with MS Word and I want to get a sense of how easy / hard this
might be.
An example of the kind of thing that we would want to achieve would be to
allow a
Hi Folks,
We're doing some research on Facebook integration with our CMS / CRM
application and I wanted to run a question by you all.
A client of ours wants to know the feasibility of having the contact info of
their members update automatically in our application when those members
update
Hello there.
We're researching the feasibility of integrating our CF based CMS / CRM
application with MS Word and I want to get a sense of how easy / hard this
might be.
An example of the kind of thing that we would want to achieve would be to
allow a client to use a web editor (e.g. CKEditor)
Hi folks,
We've implemented the portcullis xss filter with success but we are coming
across some false positives that I wanted to run by the big brains on this
list.
One example is the word exec as in marketing exec which is getting
filtered when it shouldn't be.
The developer on our end in
We had a similar scenario recently - first installed 9.0 on 64bit / iis 7,
then had to upgrade to 9.01 (which I think has been out since July). This
was complicated by the question of how to handle the IIS 7 connection. CF 9
has the IIS 6 compatibility tool, as I recall, but 9.01 can use that or
Hi Mike,
This sounds like something we dealt with a while back with some help from
Mark Kruger and the folks at CFDynamics. You can see the relevant posts
here:
http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164
Hi there. Codesion (used to be cvs dude) has worked well for us over the
years.
Nick
-Original Message-
From: John M Bliss [mailto:bliss.j...@gmail.com]
Sent: Wednesday, October 13, 2010 12:22 PM
To: cf-talk
Subject: Re: Subversion Software
+1 VisualSVN
On Wed, Oct 13,
Hi folks,
We need to create a search feature that includes a zip code locator such
that the searcher can enter their zip code and then get search results
within a certain radius (e.g. within 20 miles, etc.).
This has no doubt been done many times. Is there a best practice for doing
this
Hi Michael,
We use Codesion (formerly CVS dude). There are several different pricing
levels but they are all pretty affordable. We've had a very good experience
with them. When there was a small billing mix up a while back, the CEO
himself got involved and straightened it out. I was
Hi there. We're doing some debugging in a log file and are finding a number
of records with some unfamiliar syntax. We're assuming that this is java,
but have not been able to track it down. The syntax is as follows:
[jail][Thu Jul 15 16:15:35 EDT 2009]q:2345 fm:319893464/7625912896 th:40
Fusetalk is great. But, it's not free.
Nick
-Original Message-
From: Paul Henderson [mailto:pa...@d2phosting.com]
Sent: Wednesday, July 15, 2009 10:04 PM
To: cf-talk
Subject: CF based forums ap?
I'm trying to find a CF based forums ap, open source
preferred but not
, but the scenarios
that you describe below are pretty well covered. Feel free to contact me
off list for more info.
Nick
Hey folks,
We are planning some enhancements on a cart / ecommerce system for a store
and other online purchases. I think we have a pretty good idea of the
direction to go in, but I think it would be a good idea to review any other
technical best practices for building cart or store systems.
Donnie, Mark,
Our research so far seems to support Mark's analysis of this problem.
There are still some unknowns here so that may change. But, changing your
FTP accounts and setting your FTP server to ban IPs after a certain number
of failed login attempts will prevent most brute force
Nathan,
Thank you for contributing to this thread. It reminds me to add a bit of
our research on this issue as well. A couple of posts which seem very on
point are here:
http://www.diovo.com/2009/03/hidden-iframe-injection-attacks/
http://www.abuse.ch/?p=737
We don't think that this is
Hi there. We've just seen a hack attempt that we haven't seen before and I
wanted to get feedback.
The symptom is that some script code is inserted at the bottom of certain
pages (e.g. index.cfm). The script (which has been scrubbed) looks like
this:
script!--
var applstrna0 = if;
a queryparam scanner,
change your SQL Server login passwords, and read up on SQL
injection attacks. Update your database to remove the
malicious values.
~Brad
Original Message
Subject: Question about hack
From: Nick Gleason n.glea...@citysoft.com
Date: Mon, April 06
...@seiter.com]
Sent: Monday, April 06, 2009 3:50 PM
To: cf-talk
Subject: RE: Question about hack
Do a search on this list for 'exec('
There was a big todo about this last summer. Probably in
your database
-Original Message-
From: Nick Gleason n.glea...@citysoft.com
Sent
Dick,
I think that may have been my post a few months back and we didn't get much
more information on this issue then. We ended up doing the work around that
you describe, which has been OK. But, it would be nice to learn more about
EOF issue in general.
Nick
-Original Message-
Hi there. We have built a desktop utility that integrates transactions from
within our online application into QuickBooks (although not QuickBooks
online) with a click of the mouse. This utility is somewhat specific to our
application, but it might have some general applicability. You are more
,
Is that for the desktop version then? What is the utility written in?
Dan
--
Dan O'Keefe
On Thu, Nov 13, 2008 at 3:47 PM, Nick Gleason
[EMAIL PROTECTED]wrote:
Hi there. We have built a desktop utility that integrates
transactions from within our online application
Thanks bobby!
Nick
to the
problem, or see what is in the undeliverable folder.
Rob
On Tue, Nov 4, 2008 at 7:56 PM, Nick Gleason
[EMAIL PROTECTED] wrote:
Hey there - another cfmail related question. A client is having
problems sending out an email through our application using
cfmail.
We are seeing
of lets say 100 emails in the bcc
and just divide the list up and try sending it that way? I
think that limiting the # of e-mail addresses will help with
any potential time-out issues.
Rob
On 11/5/08, Nick Gleason [EMAIL PROTECTED] wrote:
Rob,
Thanks for your response. To answer your
://undelivrnator.riaforge.org/
Simply set up a scheduled task, a table in the db to use as a
monitor, and you're good to go.
andy
-Original Message-
From: Nick Gleason [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2008 7:27 AM
To: cf-talk
Subject: Script to move email
Hey there - another cfmail related question. A client is having problems
sending out an email through our application using cfmail. We are seeing
the following record in mail.log:
Error,scheduler-8,11/04/08,15:10:23,,[EOF]
I gather that EOF stands for end of file, but I'm not sure what that
Hi folks,
We need to develop a script that can move mail from the undelivr folder to
the spool folder in CF. My recollection is that there was some talk on this
board a while back about this issue and maybe that a script had been
developed. I checked the archives and riaforge with no luck.
:11 PM
To: cf-talk
Subject: Re: Script to move email to from undelivr to spool?
What platform are you on, and what is the criteria needed to
move the messages?
Speeves
On 11/3/08, Nick Gleason [EMAIL PROTECTED] wrote:
Hi folks,
We need to develop a script that can move mail from
Hi folks,
We are planning on logging various actions (e.g. certain errors generated in
our application) and need to decide whether to log to a db table vs. a text
file in the web server. Are there any clear best practices on this?
Thanks!
Nick
Syslog daemon, or many other output targets.)
http://logging.apache.org/log4j/
http://cdscott.blogspot.com/2005/09/using-log4j-in-coldfusion.html
On Mon, Sep 22, 2008 at 4:06 PM, Nick Gleason
[EMAIL PROTECTED]wrote:
We have a client who wants our CF based application to display chinese
characters. We've done a bit of research but haven't been able to pull it
off yet. So, I wanted to see if others have figured that out and have any
words of advice to share.
Thanks!
Nick