Re: Embedding image to a document that is attached to an email
I have done the following: http://www.makeaherodonations.com/Images/Logo.png Neither that URL nor this one: (http://www.makeaherodonations.com/images/site/logo_print.png) Actually pull up an image through a browser. They give 404 errors. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352573 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Embedding image to a document that is attached to an email
Can you access that url from browser on server?
Regards
Russ Michaels
On Sep 13, 2012 2:18 PM, John Drake char...@ohmss.info wrote:
I have done the following: http://www.makeaherodonations.com/Images/Logo.png Neither that URL nor this one: (http://www.makeaherodonations.com/images/site/logo_print.png) Actually pull up an image through a browser. They give 404 errors.
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352574
RE: CF DDos update released
I installed this hotfix on one development and two production servers last night, and most everything seems to be functioning correctly, except for one critical problem. Several of my sites are running an ancient CF app (iMIS eSeries) that allows people to update their profiles online. The app sends data back to the iMIS member database. After installing the patch, if a user attempts to update their profile, the browser throws the following error:
Server error
The website encountered an error while retrieving http://[clientsite.org]/source/Members/cMemberProcessEdit.cfm?section=My_ProfileID=[id]. It may be down for maintenance or configured incorrectly.
Here are some suggestions: Reload this webpage later.
HTTP Error 500 (Internal Server Error): An unexpected condition was encountered while the server was attempting to fulfill the request.
---
The form that is being submitted contains 53 fields (mostly text fields). Brian Thornton mentioned in his post that the fix had something to do with Form Limit, and another bulletin, but the bulletin is vague about the specifics. Does anyone know whether this hotfix would prevent a form with too many fields from being submitted?
Thanks,
Michael
-----Original Message-----
From: Byron Mann [mailto:byronos...@gmail.com]
Sent: Wednesday, September 12, 2012 12:27 PM
To: cf-talk
Subject: Re: CF DDos update released
I have to agree that this bulletin is really lacking. There are organizations that just cannot do a hot-fix (DFIU), and the details in this bulletin give us no idea of exposure or a means to verify if we are at a high risk. There have been Adobe patches in the past that we have waited for a regular maintenance window to perform because there was little to no risk based on our analysis of the issue. So, is it really worth the over-time, customer frustration and such to apply a hot-fix, that may or may not fix an issue (because we have no details to verify before or after the fact).
Based on the bulletin and lack of detail, I would err on the pessimistic side and fear the most.
Byron Mann
Lead Engineer Architect
HostMySite.com
On Wed, Sep 12, 2012 at 11:32 AM, Judah McAuley ju...@wiredotter.com wrote:
On Tue, Sep 11, 2012 at 7:48 PM, wrote:
i already read the Adobe bulletin, it doesn't really say much. I doubt you will ever see details and description about any possible attack. It would be too easy for those looking for ideas...
Publication of details of an attack are pretty common. Good guys will typically find an attack, alert the people who are in a position to fix the product(s), wait for them to confirm it and start on a fix and then publish the details of the attack after the vulnerability patch has been released. The reason for this is so other researchers (and people wanting to protect their own systems) have an idea of the types of issues that a product has been vulnerable to so they can poke around the edges and see if there are similar issues that may have been missed, thereby strengthening the overall security of the product. So, yes, the details are for people looking for ideas but that includes all the good people as well as the bad guys (tm). Security through obscurity isn't really security at all.
cheers,
Judah
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352575
RE: CF DDos update released
It was a field max to limit CSRF.. number of fields is limited or allowed by W3C standards so I strongly doubt that to be changed in this case..
On Sep 13, 2012 11:20 AM, Patti, Michael mpa...@sherwood-group.com wrote:
I installed this hotfix on one development and two production servers last night, and most everything seems to be functioning correctly, except for one critical problem. Several of my sites are running an ancient CF app (iMIS eSeries) that allows people to update their profiles online. The app sends data back to the iMIS member database. After installing the patch, if a user attempts to update their profile, the browser throws the following error:
Server error
The website encountered an error while retrieving http://[clientsite.org]/source/Members/cMemberProcessEdit.cfm?section=My_ProfileID=[id]. It may be down for maintenance or configured incorrectly.
Here are some suggestions: Reload this webpage later.
HTTP Error 500 (Internal Server Error): An unexpected condition was encountered while the server was attempting to fulfill the request.
---
The form that is being submitted contains 53 fields (mostly text fields). Brian Thornton mentioned in his post that the fix had something to do with Form Limit, and another bulletin, but the bulletin is vague about the specifics. Does anyone know whether this hotfix would prevent a form with too many fields from being submitted?
Thanks,
Michael
-----Original Message-----
From: Byron Mann [mailto:byronos...@gmail.com]
Sent: Wednesday, September 12, 2012 12:27 PM
To: cf-talk
Subject: Re: CF DDos update released
I have to agree that this bulletin is really lacking. There are organizations that just cannot do a hot-fix (DFIU), and the details in this bulletin give us no idea of exposure or a means to verify if we are at a high risk. There have been Adobe patches in the past that we have waited for a regular maintenance window to perform because there was little to no risk based on our analysis of the issue. So, is it really worth the over-time, customer frustration and such to apply a hot-fix, that may or may not fix an issue (because we have no details to verify before or after the fact).
Based on the bulletin and lack of detail, I would err on the pessimistic side and fear the most.
Byron Mann
Lead Engineer Architect
HostMySite.com
On Wed, Sep 12, 2012 at 11:32 AM, Judah McAuley ju...@wiredotter.com wrote:
On Tue, Sep 11, 2012 at 7:48 PM, wrote:
i already read the Adobe bulletin, it doesn't really say much. I doubt you will ever see details and description about any possible attack. It would be too easy for those looking for ideas...
Publication of details of an attack are pretty common. Good guys will typically find an attack, alert the people who are in a position to fix the product(s), wait for them to confirm it and start on a fix and then publish the details of the attack after the vulnerability patch has been released. The reason for this is so other researchers (and people wanting to protect their own systems) have an idea of the types of issues that a product has been vulnerable to so they can poke around the edges and see if there are similar issues that may have been missed, thereby strengthening the overall security of the product. So, yes, the details are for people looking for ideas but that includes all the good people as well as the bad guys (tm). Security through obscurity isn't really security at all.
cheers,
Judah
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352576
Re: CF DDos update released
On Thu, Sep 13, 2012 at 11:24 AM, Brian Thornton br...@cfdeveloper.com wrote:
It was a field max to limit CSRF.. number of fields is limited or allowed by W3C standards so I strongly doubt that to be changed in this case..
This particular hotfix does not do anything to limit the number of form fields submitted, however a previous hotfix did - ABSP12-06 which added the postParameterLimit setting to neo-runtime.xml - this value defaults to 100 so submitting 53 form fields should not trigger it (unless you lowered the default value). Note that if you installed the latest hotfix you also installed this one because the security hotfixes are mostly cumulative (for 9.0.1 at least). This was added to mitigate the effects of the HashDos vulnerability, see more about that here: http://www.petefreitag.com/item/808.cfm
I'm not sure how limiting the number of fields would limit a CSRF attack, can you explain? Also I'm not aware of a standard limiting the number of fields, but please prove me wrong if there is one. There are limits on the size of the URL imposed by browsers, and in some HTML specifications but in the HTTP RFC it says "The HTTP protocol does not place any a priori limit on the length of a URI" http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1 -- I'm not aware of any standard limiting the size or number of fields of a FORM post in the HTTP protocol, my understanding is that it is up to the server to determine what is acceptable.
--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352577
RE: CF DDos update released
I have the ability to change security groups for my profile within eSeries, and when I do that, it lowers the number of fields displayed on the profile edit screen to 38. When I submit the form, it's still throwing the same error, so I think Brian and Pete are correct that this isn't about a limit to the number of fields submitted. I'm honestly not sure where I'd change the default for number of fields that can be submitted, but I'm fairly certain that can be ruled out as a cause. I'm still stumped as to why this particular form refuses to submit. It definitely has something to do with one of the recent hotfixes. Before last night, I had only applied hf901-3.jar (on CF 9.0.1 standard), so I was a few behind when I installed hf901-6.jar. I followed the instructions in Section 2 of http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb12-21.html to the letter, and given that every other form submission I've tested works fine, I don't think this is a case of a corrupted install. I'm poking around the source code of the form submission script to see if something in there might be causing it to stop; but does anyone know whether what I'm seeing (the HTTP Error 500) is the expected behavior when CF intercepts what it deems to be a CSRF attack?
Thanks again for your help.
-Michael
-----Original Message-----
From: Pete Freitag [mailto:p...@foundeo.com]
Sent: Thursday, September 13, 2012 10:53 AM
To: cf-talk
Subject: Re: CF DDos update released
On Thu, Sep 13, 2012 at 11:24 AM, Brian Thornton br...@cfdeveloper.com wrote:
It was a field max to limit CSRF.. number of fields is limited or allowed by W3C standards so I strongly doubt that to be changed in this case..
This particular hotfix does not do anything to limit the number of form fields submitted, however a previous hotfix did - ABSP12-06 which added the postParameterLimit setting to neo-runtime.xml - this value defaults to 100 so submitting 53 form fields should not trigger it (unless you lowered the default value). Note that if you installed the latest hotfix you also installed this one because the security hotfixes are mostly cumulative (for 9.0.1 at least). This was added to mitigate the effects of the HashDos vulnerability, see more about that here: http://www.petefreitag.com/item/808.cfm
I'm not sure how limiting the number of fields would limit a CSRF attack, can you explain? Also I'm not aware of a standard limiting the number of fields, but please prove me wrong if there is one. There are limits on the size of the URL imposed by browsers, and in some HTML specifications but in the HTTP RFC it says "The HTTP protocol does not place any a priori limit on the length of a URI" http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1 -- I'm not aware of any standard limiting the size or number of fields of a FORM post in the HTTP protocol, my understanding is that it is up to the server to determine what is acceptable.
--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352578
Re: Embedding image to a document that is attached to an email
Ok, so what is the url to the image that actually works in your browser and what is the webroot for your server and the document root for that particular site?
On 9/13/12 6:17 AM, John Drake wrote:
I have done the following: http://www.makeaherodonations.com/Images/Logo.png Neither that URL nor this one: (http://www.makeaherodonations.com/images/site/logo_print.png) Actually pull up an image through a browser. They give 404 errors.
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352579
Re: Embedding image to a document that is attached to an email
Here is what is weird; If you go to http://www.makeaherodonations.com/test.cfm you see the logo. If you go to http://www.makeaherodonations.com/Images/Logo.png you get a 404 error. The IMG SRC is Images/Logo.png. I am at a loss. It seems that if a file is there when you browse to it you should see it. Weird.
Bruce
On Sep 13, 2012, at 10:30 AM, .jonah jonah@creori.com wrote:
Ok, so what is the url to the image that actually works in your browser and what is the webroot for your server and the document root for that particular site?
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352580
Re: Embedding image to a document that is attached to an email
Lowercase l: http://www.makeaherodonations.com/Images/logo.png
Try <img src="/Images/logo.png"/> in your PDF.
On 9/13/12 9:37 AM, Bruce Sorge wrote:
Here is what is weird; If you go to http://www.makeaherodonations.com/test.cfm you see the logo. If you go to http://www.makeaherodonations.com/Images/Logo.png you get a 404 error. The IMG SRC is Images/Logo.png. I am at a loss. It seems that if a file is there when you browse to it you should see it. Weird.
Bruce
On Sep 13, 2012, at 10:30 AM, .jonah jonah@creori.com wrote:
Ok, so what is the url to the image that actually works in your browser and what is the webroot for your server and the document root for that particular site?
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352581
RE: CF DDos update released
I just read Pete's post about the HashDos vulnerability (http://www.petefreitag.com/item/808.cfm) and then went back to the Adobe bulletin about this (http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix.html). After adding
<var name='postParametersLimit'><number>500.0</number></var>
and restarting CF, I'm now able to submit that form successfully. Thanks in helping me to resolve this situation!
-Michael
-----Original Message-----
From: Patti, Michael
Sent: Thursday, September 13, 2012 11:28 AM
To: cf-talk
Subject: RE: CF DDos update released
I have the ability to change security groups for my profile within eSeries, and when I do that, it lowers the number of fields displayed on the profile edit screen to 38. When I submit the form, it's still throwing the same error, so I think Brian and Pete are correct that this isn't about a limit to the number of fields submitted. I'm honestly not sure where I'd change the default for number of fields that can be submitted, but I'm fairly certain that can be ruled out as a cause. I'm still stumped as to why this particular form refuses to submit. It definitely has something to do with one of the recent hotfixes. Before last night, I had only applied hf901-3.jar (on CF 9.0.1 standard), so I was a few behind when I installed hf901-6.jar. I followed the instructions in Section 2 of http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb12-21.html to the letter, and given that every other form submission I've tested works fine, I don't think this is a case of a corrupted install. I'm poking around the source code of the form submission script to see if something in there might be causing it to stop; but does anyone know whether what I'm seeing (the HTTP Error 500) is the expected behavior when CF intercepts what it deems to be a CSRF attack?
Thanks again for your help.
-Michael
-----Original Message-----
From: Pete Freitag [mailto:p...@foundeo.com]
Sent: Thursday, September 13, 2012 10:53 AM
To: cf-talk
Subject: Re: CF DDos update released
On Thu, Sep 13, 2012 at 11:24 AM, Brian Thornton br...@cfdeveloper.com wrote:
It was a field max to limit CSRF.. number of fields is limited or allowed by W3C standards so I strongly doubt that to be changed in this case..
This particular hotfix does not do anything to limit the number of form fields submitted, however a previous hotfix did - ABSP12-06 which added the postParameterLimit setting to neo-runtime.xml - this value defaults to 100 so submitting 53 form fields should not trigger it (unless you lowered the default value). Note that if you installed the latest hotfix you also installed this one because the security hotfixes are mostly cumulative (for 9.0.1 at least). This was added to mitigate the effects of the HashDos vulnerability, see more about that here: http://www.petefreitag.com/item/808.cfm
I'm not sure how limiting the number of fields would limit a CSRF attack, can you explain? Also I'm not aware of a standard limiting the number of fields, but please prove me wrong if there is one. There are limits on the size of the URL imposed by browsers, and in some HTML specifications but in the HTTP RFC it says "The HTTP protocol does not place any a priori limit on the length of a URI" http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1 -- I'm not aware of any standard limiting the size or number of fields of a FORM post in the HTTP protocol, my understanding is that it is up to the server to determine what is acceptable.
--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352582
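Added example, not part of any list member's post and not Adobe's code: a pre-patch check that reads postParametersLimit from a neo-runtime.xml-style fragment and counts the controls a form would post, hidden ones included, since the thread's 53 counted only the fields on screen. Assumptions: every named, enabled control counts as one POST parameter, the server rejects a request whose count exceeds the limit, and the XML fragment, form markup and field counts below are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed fragment shaped like the <var> element quoted in the thread.
# "exampleOtherSetting" is a placeholder, not a real ColdFusion key.
SAMPLE_RUNTIME_XML = """<struct>
  <var name='exampleOtherSetting'><number>1.0</number></var>
  <var name='postParametersLimit'><number>100.0</number></var>
</struct>"""


def read_post_parameters_limit(xml_text, default=100):
    """Return postParametersLimit from the fragment, or `default` if absent.

    100 is the default value stated in the thread.
    """
    root = ET.fromstring(xml_text)
    for var in root.iter("var"):
        if var.get("name") == "postParametersLimit":
            number = var.find("number")
            if number is not None and number.text:
                return int(float(number.text))  # stored as "100.0"
    return default


class FormFieldCounter(HTMLParser):
    """Counts controls that can end up as POST parameters."""

    NOT_SUBMITTED = {"button", "reset"}  # never sent with the form data

    def __init__(self):
        super().__init__()
        self.visible = 0
        self.hidden = 0

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        attributes = dict(attrs)
        # Unnamed or disabled controls are not submitted.
        if not attributes.get("name") or "disabled" in attributes:
            return
        kind = (attributes.get("type") or "text").lower() if tag == "input" else tag
        if kind in self.NOT_SUBMITTED:
            return
        if kind == "hidden":
            self.hidden += 1
        else:
            self.visible += 1


def audit_form(html, limit):
    """Compare the worst-case parameter count of a form against the limit."""
    counter = FormFieldCounter()
    counter.feed(html)
    total = counter.visible + counter.hidden
    return {
        "visible": counter.visible,
        "hidden": counter.hidden,
        "total": total,
        "limit": limit,
        "over_limit": total > limit,  # assumption: rejected when count > limit
    }


def build_sample_form(visible, hidden):
    """Constructed form markup standing in for a real profile-edit page."""
    rows = ['<form method="post" action="/profile-edit">']
    rows += [f'<input type="text" name="field{i}">' for i in range(visible)]
    rows += [f'<input type="hidden" name="state{i}" value="x">' for i in range(hidden)]
    rows.append('<input type="submit" value="Save"></form>')  # unnamed: not counted
    return "\n".join(rows)


if __name__ == "__main__":
    limit = read_post_parameters_limit(SAMPLE_RUNTIME_XML)
    # 53 on-screen fields as in the thread; 60 hidden fields is a constructed figure.
    report = audit_form(build_sample_form(53, 60), limit)
    print(report)
    if report["over_limit"]:
        print("Form would exceed postParametersLimit; raise the limit or trim the form.")
```

Run it against the saved HTML of each large form before applying a cumulative hotfix, so a form that exceeds the limit is found in testing rather than as an HTTP 500 in production.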
Re: Embedding image to a document that is attached to an email
I notice on the 404 page it says HandlerColdFusion-wildcard which means that the coldfusion handler is processing the request for the image, which seems like the likely cause. try disabling the cf handler briefly just to see if this fixes the problem to the png image displaying a 404.
On Thu, Sep 13, 2012 at 5:37 PM, Bruce Sorge sor...@gmail.com wrote:
Here is what is weird; If you go to http://www.makeaherodonations.com/test.cfm you see the logo. If you go to http://www.makeaherodonations.com/Images/Logo.png you get a 404 error. The IMG SRC is Images/Logo.png. I am at a loss. It seems that if a file is there when you browse to it you should see it. Weird.
Bruce
On Sep 13, 2012, at 10:30 AM, .jonah jonah@creori.com wrote:
Ok, so what is the url to the image that actually works in your browser and what is the webroot for your server and the document root for that particular site?
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352583
Re: Embedding image to a document that is attached to an email
How do I do that?
On Sep 13, 2012, at 10:57 AM, Russ Michaels r...@michaels.me.uk wrote:
I notice on the 404 page it says HandlerColdFusion-wildcard which means that the coldfusion handler is processing the request for the image, which seems like the likely cause. try disabling the cf handler briefly just to see if this fixes the problem to the png image displaying a 404.
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352584
if logging is turned off? how do i
is there a way that if logging is turned off for a cf site to recreate say, mailsent.log just through cfm in say, an include in application.cfm? doesn't need to be fancy. just would like the same info for an application. but the place it is sitting has logs disabled.
Severity,ThreadID,Date,Time,Application,Message
thanks
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352585
Re: if logging is turned off? how do i
is there a way that if logging is turned off for a cf site to recreate say, mailsent.log just through cfm in say, an include in application.cfm? doesn't need to be fancy. just would like the same info for an application. but the place it is sitting has logs disabled.
Severity,ThreadID,Date,Time,Application,Message
You can use the CFLOG tag.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352586
Re: Embedding image to a document that is attached to an email
open the iis MMC, select your site, choose handlers, remove the wildcard handler for CF or run the wsconfig tool and use that to disable cf on the whole server
On Thu, Sep 13, 2012 at 6:04 PM, Bruce Sorge sor...@gmail.com wrote:
How do I do that?
On Sep 13, 2012, at 10:57 AM, Russ Michaels r...@michaels.me.uk wrote:
I notice on the 404 page it says HandlerColdFusion-wildcard which means that the coldfusion handler is processing the request for the image, which seems like the likely cause. try disabling the cf handler briefly just to see if this fixes the problem to the png image displaying a 404.
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352587
Re: Embedding image to a document that is attached to an email
I'm on a MAC
On Sep 13, 2012, at 12:04 PM, Russ Michaels r...@michaels.me.uk wrote:
open the iis MMC, select your site, choose handlers, remove the wildcard handler for CF or run the wsconfig tool and use that to disable cf on the whole server
On Thu, Sep 13, 2012 at 6:04 PM, Bruce Sorge sor...@gmail.com wrote:
How do I do that?
On Sep 13, 2012, at 10:57 AM, Russ Michaels r...@michaels.me.uk wrote:
I notice on the 404 page it says HandlerColdFusion-wildcard which means that the coldfusion handler is processing the request for the image, which seems like the likely cause. try disabling the cf handler briefly just to see if this fixes the problem to the png image displaying a 404.
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352588
Re: Embedding image to a document that is attached to an email
I can't help you with MAC, but the url you sent earlier showed an IIS error page.
On Thu, Sep 13, 2012 at 7:20 PM, Bruce Sorge sor...@gmail.com wrote:
I'm on a MAC
On Sep 13, 2012, at 12:04 PM, Russ Michaels r...@michaels.me.uk wrote:
open the iis MMC, select your site, choose handlers, remove the wildcard handler for CF or run the wsconfig tool and use that to disable cf on the whole server
On Thu, Sep 13, 2012 at 6:04 PM, Bruce Sorge sor...@gmail.com wrote:
How do I do that?
On Sep 13, 2012, at 10:57 AM, Russ Michaels r...@michaels.me.uk wrote:
I notice on the 404 page it says HandlerColdFusion-wildcard which means that the coldfusion handler is processing the request for the image, which seems like the likely cause. try disabling the cf handler briefly just to see if this fixes the problem to the png image displaying a 404.
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352589
Re: Embedding image to a document that is attached to an email
As someone else pointed out, if you go to: http://www.makeaherodonations.com/Images/logo.png <http://www.makeaherodonations.com/Images/Logo.png> the image loads fine. It appears the server is case-sensitive.
On Thu, Sep 13, 2012 at 11:37 AM, Bruce Sorge sor...@gmail.com wrote:
Here is what is weird; If you go to http://www.makeaherodonations.com/test.cfm you see the logo. If you go to http://www.makeaherodonations.com/Images/Logo.png you get a 404 error. The IMG SRC is Images/Logo.png. I am at a loss. It seems that if a file is there when you browse to it you should see it. Weird.
Bruce
On Sep 13, 2012, at 10:30 AM, .jonah jonah@creori.com wrote:
Ok, so what is the url to the image that actually works in your browser and what is the webroot for your server and the document root for that particular site?
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352590
Re: Embedding image to a document that is attached to an email
Yeah, that is the live server and I have no control over that. My testing server does the same thing and it's a MAC
Bruce
On Sep 13, 2012, at 12:24 PM, Russ Michaels r...@michaels.me.uk wrote:
I can't help you with MAC, but the url you sent earlier showed an IIS error page.
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352591
Re: Embedding image to a document that is attached to an email
Well I am narrowing it down to the live server. I drug and dropped the image onto the code and put in the alternate text as well as a hyperlink attribute and ran it and I got the image on my machine. Loaded it up to the live server and I get the outline and alternate text on the PDF but not the image. And yes, initially I was using an uppercase L on Logo.png. It is case sensitive.
Bruce
On Sep 13, 2012, at 12:30 PM, morgan lindley greyk...@gmail.com wrote:
As someone else pointed out, if you go to: http://www.makeaherodonations.com/Images/logo.png <http://www.makeaherodonations.com/Images/Logo.png> the image loads fine. It appears the server is case-sensitive.
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352592
Re: Embedding image to a document that is attached to an email
What tag do you have in the HTML to generate your PDF now?
On 9/13/12 11:37 AM, Bruce Sorge wrote:
Yeah, that is the live server and I have no control over that. My testing server does the same thing and it's a MAC
Bruce
On Sep 13, 2012, at 12:24 PM, Russ Michaels r...@michaels.me.uk wrote:
I can't help you with MAC, but the url you sent earlier showed an IIS error page.
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352593
Re: Embedding image to a document that is attached to an email
<cfdocument format="PDF" filename="Voucher.pdf" overwrite="Yes">

On Sep 13, 2012, at 12:49 PM, .jonah jonah@creori.com wrote:
> What tag do you have in the HTML to generate your PDF now?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352594
Re: CF DDos update released
Yes don't forget to count hidden form fields as well :)

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Thu, Sep 13, 2012 at 12:51 PM, Patti, Michael mpa...@sherwood-group.com wrote:
> I just read Pete's post about the HashDos vulnerability (http://www.petefreitag.com/item/808.cfm) and then went back to the adobe bulletin about this (http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix.html). After adding <var name='postParametersLimit'><number>500.0</number></var> and restarting CF, I'm now able to submit that form successfully. Thanks in helping me to resolve this situation!
>
> -Michael
>
> -Original Message-
> From: Patti, Michael
> Sent: Thursday, September 13, 2012 11:28 AM
> To: cf-talk
> Subject: RE: CF DDos update released
>
> I have the ability to change security groups for my profile within eSeries, and when I do that, it lowers the number of fields displayed on the profile edit screen to 38. When I submit the form, it's still throwing the same error, so I think Brian and Pete are correct that this isn't about a limit to the number of fields submitted. I'm honestly not sure where I'd change the default for number of fields that can be submitted, but I'm fairly certain that can be ruled out as a cause.
>
> I'm still stumped as to why this particular form refuses to submit. It definitely has something to do with one of the recent hotfixes. Before last night, I had only applied hf901-3.jar (on CF 9.0.1 standard), so I was a few behind when I installed hf901-6.jar. I followed the instructions in Section 2 of http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb12-21.html to the letter, and given that every other form submission I've tested works fine, I don't think this is a case of a corrupted install.
>
> I'm poking around the source code of the form submission script to see if something in there might be causing it to stop; but does anyone know whether what I'm seeing (the HTTP Error 500) is the expected behavior when CF intercepts what it deems to be a CSRF attack?
>
> Thanks again for your help.
>
> -Michael
>
> -Original Message-
> From: Pete Freitag [mailto:p...@foundeo.com]
> Sent: Thursday, September 13, 2012 10:53 AM
> To: cf-talk
> Subject: Re: CF DDos update released
>
> On Thu, Sep 13, 2012 at 11:24 AM, Brian Thornton br...@cfdeveloper.com wrote:
>> It was a field max to limit CSRF.. number of fields is limited or allowed by W3c standards so I strongly doubt that to be changed in this case..
>
> This particular hotfix does not do anything to limit the number of form fields submitted, however a previous hotfix did - APSB12-06 which added the postParameterLimit setting to neo-runtime.xml - this value defaults to 100 so submitting 53 form fields should not trigger it (unless you lowered the default value). Note that if you installed the latest hotfix you also installed this one because the security hotfixes are mostly cumulative (for 9.0.1 at least). This was added to mitigate the effects of the HashDos vulnerability, see more about that here: http://www.petefreitag.com/item/808.cfm
>
> I'm not sure how limiting the number of fields would limit a CSRF attack, can you explain? Also I'm not aware of a standard limiting the number of fields, but please prove me wrong if there is one. There are limits on the size of the URL imposed by browsers, and in some HTML specifications but in the HTTP RFC it says "The HTTP protocol does not place any a priori limit on the length of a URI" http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1 -- I'm not aware of any standard limiting the size or number of fields of a FORM post in the HTTP protocol, my understanding is that it is up to the server to determine what is acceptable.
>
> --
> Pete Freitag - Adobe Community Professional
> http://foundeo.com/ - ColdFusion Consulting Products
> http://petefreitag.com/ - My Blog
> http://hackmycf.com - Is your ColdFusion Server Secure?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352595
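The check suggested in the message above, as an added example that is not part of the original thread: a Python audit that counts the fields a form can submit, hidden inputs included, and compares the total with the `postParametersLimit` value read from a `neo-runtime.xml` fragment. The sample XML and form are constructed, and all function and class names are hypothetical.

```python
import re
from html.parser import HTMLParser

# Constructed fragment in the shape quoted in the thread (neo-runtime.xml).
NEO_RUNTIME_SAMPLE = "<var name='postParametersLimit'><number>100.0</number></var>"
LIMIT_RE = re.compile(r"""<var name=['"]postParametersLimit['"]>\s*<number>([\d.]+)</number>""")

def read_post_parameters_limit(xml_text, default=100):
    """Return the configured limit, or the default of 100 stated in the thread."""
    match = LIMIT_RE.search(xml_text)
    return int(float(match.group(1))) if match else default

class FormFieldCounter(HTMLParser):
    """Upper bound on the name=value pairs one form submission can send."""
    NOT_SUBMITTED = {"button", "reset"}
    def __init__(self):
        super().__init__()
        self.total = 0
        self.hidden = 0
        self._radio_groups = set()

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        name = attr.get("name")
        if tag not in ("input", "select", "textarea") or not name or "disabled" in attr:
            return
        kind = (attr.get("type") or "text").lower() if tag == "input" else tag
        if kind in self.NOT_SUBMITTED:
            return
        if kind == "radio":  # only one value per radio group is submitted
            if name in self._radio_groups:
                return
            self._radio_groups.add(name)
        self.hidden += kind == "hidden"
        self.total += 1

def audit_form(html, xml_text):
    """Worst-case field count vs. limit (assumes requests above the limit are rejected)."""
    counter = FormFieldCounter()
    counter.feed(html)
    limit = read_post_parameters_limit(xml_text)
    return {"fields": counter.total, "hidden": counter.hidden,
            "limit": limit, "over_limit": counter.total > limit}

def build_sample_form(visible=53, hidden=60):
    """Constructed form: 53 visible fields as in the thread, hidden count invented."""
    rows = [f'<input type="text" name="f{i}">' for i in range(visible)]
    rows += [f'<input type="hidden" name="h{i}" value="x">' for i in range(hidden)]
    return "<form method='post'>" + "".join(rows) + "</form>"
```

Running `audit_form` over the rendered HTML of each large form before applying a cumulative hotfix shows which pages would exceed the limit, so the value can be raised only as far as the largest legitimate form needs.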
Re: Embedding image to a document that is attached to an email
> I'm on a MAC

Your web server is running IIS 7.5. You need to do this from the console of your web server.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352596
Re: if logging is turned off? how do i
Thanks Dave. I don't have access to log dir. I just did a little cffile and appended data I needed to a new line. simple. would have rather used the mailsent.log format.

On Thu, Sep 13, 2012 at 1:55 PM, Dave Watts dwa...@figleaf.com wrote:
>> is there a way that if logging is turned off for a cf site to recreate say, mailsent.log just through cfm in say, an include in application.cfm? doesn't need to be fancy. just would like the same info for an application. but the place it is sitting has logs disabled.
>> Severity,ThreadID,Date,Time,Application,Message
>
> You can use the CFLOG tag.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352597
Re: if logging is turned off? how do i
If you feel like getting fancy, you should be able to invoke the log4j package that comes with CF and then config it to write out to where you want.

Cheers,
Judah

On Thu, Sep 13, 2012 at 12:29 PM, morchella morchella.delici...@gmail.com wrote:
> Thanks Dave. I don't have access to log dir. I just did a little cffile and appended data I needed to a new line. simple. would have rather used the mailsent.log format.
>
> On Thu, Sep 13, 2012 at 1:55 PM, Dave Watts dwa...@figleaf.com wrote:
>>> is there a way that if logging is turned off for a cf site to recreate say, mailsent.log just through cfm in say, an include in application.cfm? doesn't need to be fancy. just would like the same info for an application. but the place it is sitting has logs disabled.
>>> Severity,ThreadID,Date,Time,Application,Message
>>
>> You can use the CFLOG tag.
>>
>> Dave Watts, CTO, Fig Leaf Software
>> http://www.figleaf.com/
>> http://training.figleaf.com/
>>
>> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352598
Re: Embedding image to a document that is attached to an email
Aahh, OK. And then the HTML code in that that's used to generate the content of the PDF? (Well, just the img tag in question.)

On 9/13/12 11:52 AM, Bruce Sorge wrote:
> <cfdocument format="PDF" filename="Voucher.pdf" overwrite="Yes">
>
> On Sep 13, 2012, at 12:49 PM, .jonah jonah@creori.com wrote:
>> What tag do you have in the HTML to generate your PDF now?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352599
Re: Embedding image to a document that is attached to an email
<img src="Images/logo.png" width="413" height="87" alt="Make a Hero.org" />

On Sep 13, 2012, at 1:44 PM, .jonah jonah@creori.com wrote:
> Aahh, OK. And then the HTML code in that that's used to generate the content of the PDF? (Well, just the img tag in question.)
>
> On 9/13/12 11:52 AM, Bruce Sorge wrote:
>> <cfdocument format="PDF" filename="Voucher.pdf" overwrite="Yes">
>>
>> On Sep 13, 2012, at 12:49 PM, .jonah jonah@creori.com wrote:
>>> What tag do you have in the HTML to generate your PDF now?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352600
Re: Embedding image to a document that is attached to an email
See if <img src="/Images/logo.png" width="413" height="87" alt="Make a Hero.org" /> works...

On 9/13/12 1:42 PM, Bruce Sorge wrote:
> <img src="Images/logo.png" width="413" height="87" alt="Make a Hero.org" />

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352601
Re: Embedding image to a document that is attached to an email
No joy. This is so frustrating.

On Sep 13, 2012, at 3:30 PM, .jonah jonah@creori.com wrote:
> See if <img src="/Images/logo.png" width="413" height="87" alt="Make a Hero.org" /> works...
>
> On 9/13/12 1:42 PM, Bruce Sorge wrote:
>> <img src="Images/logo.png" width="413" height="87" alt="Make a Hero.org" />

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352602
Re: Embedding image to a document that is attached to an email
it has to be something with the server because in design view in DW I see the logo fine, and when I create the PDF on my laptop which is my dev machine the PDF has the logo fine. Just not on the live site.

Bruce

On Sep 13, 2012, at 3:30 PM, .jonah jonah@creori.com wrote:
> See if <img src="/Images/logo.png" width="413" height="87" alt="Make a Hero.org" /> works...
>
> On 9/13/12 1:42 PM, Bruce Sorge wrote:
>> <img src="Images/logo.png" width="413" height="87" alt="Make a Hero.org" />

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352603
Re: Embedding image to a document that is attached to an email
It's been a few years since I had to do this last, so I don't remember exactly how cfdocument resolves paths. Maybe look at the coldfusion mappings. If you set a mapping from the server file path to /Images maybe something like that will work.

On 9/13/12 3:59 PM, Bruce Sorge wrote:
> No joy. This is so frustrating.
>
> On Sep 13, 2012, at 3:30 PM, .jonah jonah@creori.com wrote:
>> See if <img src="/Images/logo.png" width="413" height="87" alt="Make a Hero.org" /> works...
>>
>> On 9/13/12 1:42 PM, Bruce Sorge wrote:
>>> <img src="Images/logo.png" width="413" height="87" alt="Make a Hero.org" />

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352604
(ot) How compatible is SQLServer 2012 with SQL Server 2005 databases?
Sorry for asking an OT question, but I've been asking around Microsoft (at least 10 different people in MS Support, and in Partner services) for more than a week and after all this time not a single MS person will even attempt to answer this question:

If I install a SQL Server 2012 product (any level - Express or up to Enterprise), how compatible is it with SQL Server 2005 databases?

The reason I ask is I'm building new laptops for development, based on Windows 7 Pro OS, and want to install up to date software if I can. But my major client uses SQLServer 2005 as his production database. Therefore any machine I build has to be capable of developing SQL2005 databases.

Does anyone here know the answer? Or else can anyone point me towards someone who could tell me?

--
Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks http://afpwebworks.com
ColdFusion 9 Enterprise, PHP, ASP, ASP.NET hosting from AUD$15/month

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352605