Re: ckeditor in CF 11?

2015-01-16 Thread Pete Freitag

CKeditor is not included in CF11. CF8-11 includes FCKeditor, which is the
predecessor to CKeditor.

To answer question 3 in the context of FCKeditor, yes your updates to it
could potentially be overwritten by the updater.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10
minutes


On Fri, Jan 16, 2015 at 10:30 AM, Nick Gleason n.glea...@citysoft.com
wrote:


 Hi Folks,

 I have a question about ckeditor.  We use it in our CMS, but have not used
 the version bundled with CF before.

 I have a couple of questions that I am hoping folks here can answer:

 1. Is ckeditor included in CF 11?

 2. If so, have people had good experiences with it (we've used it for a
 while - but not the CF bundled version - and have generally liked it)?

 3. If the CF bundled version is customized / forked, are there then risks
 of
 the forks being over-written in the context of an upgrade?

 4. Are there licensing issues with the CF bundled version?  In other words,
 if you use the free version from cksource in a commercial product, there is
 typically a license fee.  If you use the CF bundled version in a commercial
 product, is there still a licensing fee?  Or is that waived in the context
 of using CF server?

 Thanks in advance for your thoughts.

 Best,

 Nick





 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359985
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Re: Sending SMS

2014-11-19 Thread Pete Freitag

I've worked quite a bit with Twilio for sending and receiving text messages
in CF: https://www.twilio.com/ they have a REST api, that is pretty easy to
use: https://www.twilio.com/docs/api/rest/sending-messages



On Tue, Nov 18, 2014 at 6:09 PM, Rick Sanders r...@webenergy.ca wrote:


 Hey guys,

 Does anyone know a service I can use for sending sms messages from cold
 fusion? I want to make an app that notifies someone by sms when their
 product is ready.

 Kind Regards,

 Rick Sanders

 Canada:  USA:
 171 Main St   1205 N. Second Ave
 Dartmouth, NS  Siler City, NC
 T: 902-401-7689   T: 919-799-9076
 W: http://www.webenergy.ca/  W: http://www.webenergyusa.com/



 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359676


Re: CF9.02 administrator hack

2014-11-12 Thread Pete Freitag

Most likely a virus / malware on your computer, not the server:
https://www.google.com/search?q=Your+Java+version+is+outdated%2C+have+security+risks



On Wed, Nov 12, 2014 at 11:39 AM, Tom McNeer tmcn...@gmail.com wrote:


 Hi,

 I've just discovered that one of my servers, running 9.02, has been hacked.
 I'm not sure of the update level, because the hack is visible in the
 administrator and prevents its use.

 It's not the old h.cfm hack. I haven't been able to find any references to
 what I'm seeing, but I hope someone else knows what's up.

 I have not seen any obvious problems caused in the sites delivered from the
 server. It became evident when I tried to log in to the admin today to
 check on something.

 The immediate symptoms are that an ad appears in an iframe below the CF
 Admin login inputs; the username input label has been restyled and appears
 to have a link behind it.

 A recurring popup says The page at b1.zcxbtm.com says: WARNING, Your Java
 version is outdated, have security risks, Please update now.

 Naturally, none of this is visible in View Source. No reference to other
 files and scripts. The View Source is identical to one on a non-hacked
 server.

 The CF Admin is not publicly accessible - at least not normally. I can see
 that a site was added and used temporarily which had a virtual directory
 pointing to the admin, most likely one created by running the config tool.
 That site is dead now, but it could easily have been a vector at one time.

 The CF service _is_ running under the System account. I know this is bad
 practice, but I didn't set up the server.

 Any suggestions for troubleshooting this would be greatly appreciated. And
 I'll certainly be happy provide any other details I can.

 --
 Thanks,

 Tom

 Tom McNeer
 MediumCool
 http://www.mediumcool.com
 1735 Johnson Road NE
 Atlanta, GA 30306
 404.589.0560


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359635


Re: cfqueryparam EncodeForHTML

2014-11-04 Thread Pete Freitag

cfqueryparam and EncodeForHTML are used to prevent two different types of
attack.

cfqueryparam is for SQL injection attacks, as Byron explained.

EncodeForHTML is used to prevent cross site scripting attacks (it does not
prevent/escape sql injection), which exist when the attacker can execute
arbitrary client side code (such as javascript). Suppose we specified
companyName=Johnson & Johnson's<script src=//hackers.r.us/badstuff.js></script>

If you inserted that value into the db everyone who views that record in
the DB may potentially execute the hackers javascript file which can do
lots of things, potentially on behalf of the currently authenticated user.

You don't necessarily need to run EncodeForHTML before inserting the data
into the database, you just need to make sure that you call EncodeForHTML
every time you output the variable. The reason for this is that you can end
up double encoding when you edit the record, or maybe you want to output
the value in another context such as a HTML attribute, then you want to use
EncodeForHTMLAttribute on the raw value instead. In some apps though it can
be a much easier solution to just encode it before inserting the data if it
is output in a million places.






On Mon, Nov 3, 2014 at 3:41 PM, Stephens, Larry V steph...@iu.edu wrote:


 Text input field
 Entry is Johnson & Johnson's
 I store it in a table using cfqueryparam. All is good.

 Let's say the hacked entry is Johnson & Johnson's;delete * (or something
 akin to that - you get the drift) I use cfqueryparam but it won't catch the
 hack; it's still just a string.

 At some point, before storing or after retrieval, I use EncodeForHTML to
 make that safe. Now I have either

 Johnson &amp; Johnson&#x27;s

 or

 Johnson &amp; Johnson&#x27;s&#x3b;delete &#x2a;

 Supposedly, that's safe. Regex could strip out the delete or kill the
 thing when I tried to save the data in the first place, but I tried several
 examples and none seemed to work.

 The thing is, Johnson &amp; Johnson&#x27;s may display correctly on the
 screen but it's not good for a search function, particularly if I have a
 legacy database.

 To parody a commercial for a different product, what are you using for
 protection?


 Larry V. Stephen

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359562


Re: Work Around for SSLv3 Vulnerability?

2014-10-31 Thread Pete Freitag

The SSL handshake is handled by the JVM (though there might be some config
that takes place in the CF engine, not sure), Java 6 supports only TLS 1.0,
Java 7 adds support for TLS 1.1 and 1.2. The actual crypto parts of it are
handled by the JCE (java cryptography engine) which if you are running
Enterprise is RSA BSAFE Crypto-J.

The other thing that comes into play is the SSL cipher suite support, so
it is possible that the JVM and the server can't find a protocol and cipher
suite that they both support.

There are also some JVM arguments you can use to tell the JVM which
protocols to use, here is the reference doc for Java7:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#Customization
you might try setting -Dhttps.protocols=TLSv1, not sure if that will help, I
think the CF engine *may* override the property (in some versions of CF).





On Thu, Oct 30, 2014 at 9:07 PM, Michael Grant mgr...@modus.bz wrote:


 I'll try that with them, thank you SO much.

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359548


Re: HMAC Algorithms and Encoding?

2014-09-09 Thread Pete Freitag

Try HMACSHA256 for the algorithm see http://cfdocs.org/hmac



On Tue, Sep 9, 2014 at 11:22 AM, Sandra Clark sclarkli...@gmail.com wrote:


 Thanks

 I'm trying to encrypt payment information for a group using CyberSource.
 I found documentation on encrypt() that specified using HMAC-SHAx (where x
 could be 256).  Got the same error.

 http://help.adobe.com/livedocs/coldfusion/8/htmldocs/help.html?content=funct
 ions_e-g_01.html.  CF10 documentation for encrypt is not as useful

 Since I don't have time to try every iteration that it could possibly be, I
 finally gave up, found Ben Nadel's Crypto library and it worked out of the
 box.

 But really, Adobe do the documentation correctly.
 HMAC
 Creates Hash-based Message Authentication Code for the given string based
 on
 the algorithm and encoding. Hash-based Message Authentication Code (HMAC)
 is
 used to verify the data integrity and authenticity of a message
 transmitted.
 It involves a cryptographic hash function in combination with a secret key.
 The cryptographic hash function can be Message Digest 5 (MD5), Secure Hash
 Algorithm (SHA), and so on.

 See also
 SessionInvalidate, Session Rotate.

 Example
 <h2>HMAC Test</h2>
 <cfset x=hmac("Hi There","key1","HMACRIPEMD160")>
 <cfoutput>#x#</cfoutput>

 None of this tells me anything. Especially since I can't find any reference
 to HMACRIPEMD160 (hoping that would lead me to something) other than that
 HMAC documentation or some PDF's that are generated from the Wiki Pages and
 the above mentioned CF8 page, which again lists HMAC-SHA256.
 -Original Message-
 From: Dean Lawrence [mailto:dean...@gmail.com]
 Sent: Tuesday, September 9, 2014 11:01 AM
 To: cf-talk
 Subject: Re: HMAC Algorithms and Encoding?


 Sandy,

 Looking at the example in the HMAC() docs, they prefixed the algorithm type
 with HMAC. Maybe if you try HMACSHA-256, to see if it works?

 On Tue, Sep 9, 2014 at 10:46 AM, Sandra Clark sclarkli...@gmail.com
 wrote:

 
  Tried that, I am now getting an error telling me that  An error
  occurred while generating HMAC.
  Error: Algorithm SHA-256 not available.
 
  HASH() documentation  is showing SHA-256
  *sigh*
 
  -Original Message-
  From: Dean Lawrence [mailto:dean...@gmail.com]
  Sent: Tuesday, September 9, 2014 9:53 AM
  To: cf-talk
  Subject: Re: HMAC Algorithms and Encoding?
 
 
  Sandy,
 
  I do believe that you can use any algorithm that the hash function
  supports.
  Take a look at the documentation for hash and you will see what
  options you have.
 
 
 
 
 



 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359260
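Added Python example, not CFML and not code from the list, Adobe or CyberSource, of what hmac(message, key, "HMACSHA256") actually computes and how a shared-secret signature over a set of checkout fields is produced and then verified on the way back in. The comma-joined name=value layout of the signed string is an assumption made for illustration; every hosted-checkout provider defines its own canonical form, so use theirs. One caveat on the thread's wording: an HMAC authenticates the fields, it does not encrypt them, so nothing sensitive becomes safe to expose just because it is signed.

```python
import base64
import hashlib
import hmac


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """The primitive CF's hmac(message, key, "HMACSHA256") wraps."""
    return hmac.new(key, message, hashlib.sha256).digest()


def canonical_form(fields: dict, signed_names: list) -> str:
    # Assumed layout: name=value pairs, comma-joined, in the order the signed
    # list gives them. Providers each define their own; this is for illustration.
    return ",".join(f"{name}={fields[name]}" for name in signed_names)


def sign_fields(secret: str, fields: dict, signed_names: list) -> str:
    """Base64 of HMAC-SHA256 over the canonical form, keyed with the shared secret."""
    mac = hmac_sha256(secret.encode("utf-8"),
                      canonical_form(fields, signed_names).encode("utf-8"))
    return base64.b64encode(mac).decode("ascii")


def verify_fields(secret: str, fields: dict, signed_names: list, signature: str) -> bool:
    """Recompute and compare in constant time so the comparison does not leak
    how many leading bytes of a guessed signature were right."""
    expected = sign_fields(secret, fields, signed_names)
    return hmac.compare_digest(expected.encode("ascii"), signature.encode("ascii"))


def demo() -> dict:
    secret = "constructed-shared-secret-not-a-real-key"   # constructed sample
    fields = {"amount": "10.00", "currency": "USD", "reference": "ORDER-42"}
    names = ["amount", "currency", "reference"]
    signature = sign_fields(secret, fields, names)
    tampered = dict(fields, amount="1.00")                 # price edited in the browser
    return {
        "signature": signature,
        "valid": verify_fields(secret, fields, names, signature),
        "tampered_rejected": not verify_fields(secret, tampered, names, signature),
        # RFC 4231 test case 2, to show the primitive matches a published vector
        "rfc4231_case2": hmac_sha256(b"Jefe", b"what do ya want for nothing?").hex(),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The signed field list has to travel with the form (or be fixed server side) so the verifier rebuilds exactly the same canonical string; anything a user can edit that is not in that list is unprotected.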


Re: Moving part of my hosting business - thoughts about my plan please ...

2014-06-03 Thread Pete Freitag

On Fri, Mar 28, 2014 at 5:21 AM, Mike K afpwebwo...@gmail.com wrote:

 Are there any other 'gotchas' moving from windows to linux?


I did a presentation on Linux for CF users at cf.Objective() this year, my
slides are here: http://slides.com/petefreitag/cf-on-linux#/

 Is there any benefit of one flavour of Linux over another?


Yes, if you pick an obscure distribution intended for hardcore Linux users
(for example Gentoo Linux) you will have a hard time as a newbie. Pick one
that is commonly used such as Red Hat Enterprise Linux / CentOS or Ubuntu. I
like RHEL/CentOS because they are pretty stable and they don't do bleeding
edge, mainly bug/security fixes; you have to upgrade to the next major
release to upgrade major versions of many packages. This has downsides too,
for example RHEL/CentOS 6.x will only support Apache 2.2.x; if you want
Apache 2.4 you have to install it manually or wait for RHEL7.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358706


Re: httponly and cookie-secure

2014-05-21 Thread Pete Freitag

On Mon, May 19, 2014 at 9:45 AM, brad f b...@ciswired.com wrote:


 Not sure what I am missing here. We are running Coldfusion 9.0.2 in a
 clustered environment. I added the -Dcoldfusion.sessioncookie.httponly=true
 to the jvm.config file. I restart the coldfusion instances. Run an
 application scan and it still says they are not httponly


I think that setting only applies to CFID/CFTOKEN cookies, not the
jsessionid cookie. You can try this trick:
http://www.petefreitag.com/item/740.cfm or use your web server to append
httponly to the cookies for you.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358677


Re: Best practices for xss security in CMS? - Related Question

2014-03-06 Thread Pete Freitag

On Wed, Mar 5, 2014 at 11:16 AM, Nick Gleason n.glea...@citysoft.com wrote:


 Hi Pete,
 I've been researching CSP and it sounds like a pretty cool option.  But, I
 just wanted to follow up on this comment that you made
 below: "it will also block inline scripts and style elements"

 Are you saying that even if you have the self or default values in
 place, it will block a regular old script in your page?  For instance, if
 you just have something like this: <script>CODE HERE</script> That will be a
 problem?  Why?


Hi Nick,

Yes if you have the following:

Content-Security-Policy: default-src 'self';

It will block any <script>code here</script> tags in your page, you can
only use <script src="/some/uri"></script>

This is a recognized problem in CSP1.0 and CSP 1.1 is currently in
development right now with two solutions for this use case, you can specify
a nonce in the header, so you would do something like this:

Content-Security-Policy: script-src 'self' 'nonce-random_string_123';

Then you can do this:

<script nonce="random_string_123">code here</script>

You can do the same for inline style tags. See
http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#nonce-usage-for-script-elements

The second option in CSP1.1 is hash whitelisting, where you compute a hash
of the script contents and put that in the header. See
http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#hash-usage-for-script-elements




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357861


Re: Best practices for xss security in CMS? - Related Question

2014-03-04 Thread Pete Freitag

On Mon, Mar 3, 2014 at 5:11 PM, Nick Gleason n.glea...@citysoft.com wrote:


 Pete,

 Much appreciated.  I guess where I'm being a bit of a dunce is that in your
 example, if a malicious url.query variable was passed in by a hacker,
 wouldn't the display only be available on that single request?  And if I
 come to the same search form 2 minutes later and do a normal search, won't
 it be clean?  I guess that, assuming we have no sql injection to the db, I
 don't see how that attack stays persistent (as it would possibly for a
 comment or forum post).  Sorry to be over-simple on this.


Hi Nick,

It is not a persistent attack unless it gets saved to a DB somewhere, etc.
But it is still considered harmful, for example if I send you a link that
uses javascript to write a login form on the page that submits to my
server... then that is not a good thing. Normal visitors can't parse a
query string to recognize that it is rewriting the DOM, especially when
they see HTTPS they expect that everything on the page is as you intended
it. Or the attacker might simply grab cookies and use them to hijack the
victim's session. These examples are a bit more targeted, they will
probably affect every user of the site but the attacker can use the hole to
eventually get the info they are after.


 Re: the content security policy, that looks very interesting.  Watching a
 presentation on it now.  One quick question.  If we are using that on a
 site
 and then an admin comes in and uses an iframe widget from youtube to
 display
 a video on a page in the site, does that get filtered by CSP (and require
 an
 exception for youtube)?  I gather that would need to be excepted in the
 frame-src header, right?


Yes you would have to allow the youtube.com domain in your CSP header, eg:

Content-Security-Policy: default-src 'self'; frame-src 'self' youtube.com;

One thing to keep in mind with Content-Security-Policy is that when you
enable it, it will also block inline scripts and style elements, you can
override that using unsafe-inline but then you also lose a lot of the
benefits of CSP.


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357846
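The nonce and hash mechanics from Pete's 2014-03-06 reply above, plus the frame-src and unsafe-inline points in this one, as an added Python example that is not code from the list or from any CF product: it computes the 'sha256-...' source for an inline script the way the spec does (base64 of the SHA-256 over the script's text), mints a per-response nonce, builds a header that also allows youtube.com in frame-src, and then models the decision a browser makes before running an inline <script>. The function names and the simplified policy model are this example's own; in particular it leaves out that CSP Level 2 browsers disregard 'unsafe-inline' once a nonce or hash source is present.

```python
import base64
import hashlib
import secrets


def csp_hash_source(script_text: str) -> str:
    """'sha256-<base64>' over the exact text between <script> and </script>;
    one changed byte of whitespace yields a different hash."""
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def new_nonce() -> str:
    """Fresh and unguessable per response; a reused or predictable nonce lets
    an injected <script nonce=...> borrow it."""
    return secrets.token_urlsafe(16)


def build_policy(inline_scripts=(), nonce="", frames=()) -> str:
    """default-src 'self' plus hash/nonce sources for the inline scripts the page
    really carries, and the frame hosts an admin embedded (e.g. youtube.com)."""
    script_src = ["'self'"] + [csp_hash_source(s) for s in inline_scripts]
    if nonce:
        script_src.append(f"'nonce-{nonce}'")
    return "; ".join([
        "default-src 'self'",
        "script-src " + " ".join(script_src),
        "frame-src " + " ".join(["'self'", *frames]),
    ])


def parse_policy(policy: str) -> dict:
    """Directive name -> list of source expressions."""
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0]] = parts[1:]
    return directives


def inline_script_allowed(policy: str, script_text: str, nonce_attr: str = "") -> bool:
    """Simplified model of the browser's check for an inline <script>: it runs
    only if the governing source list has 'unsafe-inline', a matching nonce,
    or a matching hash. (Real CSP Level 2 ignores 'unsafe-inline' when a nonce
    or hash is present; that refinement is omitted here.)"""
    directives = parse_policy(policy)
    sources = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in sources:
        return True
    if nonce_attr and f"'nonce-{nonce_attr}'" in sources:
        return True
    return csp_hash_source(script_text) in sources


def demo() -> dict:
    inline = "document.getElementById('q').focus();"   # constructed page script
    nonce = new_nonce()
    policy = build_policy(inline_scripts=[inline], nonce=nonce, frames=["youtube.com"])
    return {
        "policy": policy,
        "hashed_inline_runs": inline_script_allowed(policy, inline),
        "edited_inline_runs": inline_script_allowed(policy, inline + " "),
        "nonced_inline_runs": inline_script_allowed(policy, "anything()", nonce_attr=nonce),
        "injected_inline_runs": inline_script_allowed(policy, "alert('xss')"),
        "self_only_blocks_inline": not inline_script_allowed("default-src 'self'", "alert(1)"),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The hash route suits scripts that never change between deployments; the nonce route suits CMS pages whose inline code varies, at the cost of generating and threading a new value through every response.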


Re: Best practices for xss security in CMS? - Related Question

2014-03-03 Thread Pete Freitag

On Sun, Mar 2, 2014 at 11:21 PM, Nick Gleason n.glea...@citysoft.com wrote:


 Hi guys,

 Following up on this thread I have a related question - what are some
 examples of XSS scenarios other than comments and forum posts.
 Any other prominent risk scenarios for XSS?


There are a lot of scenarios, essentially anywhere you output a variable
that originated in some part from an external source.

So for example, let's say you have a search form for your site with some
code like this:

<cfoutput>Your search for #url.query# returned #search.recordcount#
results</cfoutput>

There is an XSS risk there because someone could create a link to
/search.cfm?query=<script>alert('xss')</script> (now if you try that
example in a modern browser you will find that it might not actually work
due to the builtin XSS protection in browsers, but the hole is there and
there are ways to bypass the browsers xss protection).

So basically any time you take a variable that comes from the user or some
other untrusted source and output it, you have the potential for an XSS
hole.

Also you should checkout Content-Security-Policy headers this can help
reduce XSS risks significantly on browsers that support it. See:
http://content-security-policy.com/ for more info or come to my
cf.Objective(2014) presentation :)




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357812
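The search.cfm echo in this reply and the cfqueryparam / EncodeForHTML reply of 2014-11-04 earlier on the page are about the same two controls, so here is one added Python example serving both; it is not CFML and not the list's or Adobe's code. An in-memory sqlite3 table stands in for the database, bound parameters stand in for cfqueryparam, and encode_for_html / encode_for_html_attribute approximate EncodeForHTML and EncodeForHTMLAttribute; those function names are this example's own. It stores the raw value (so search still works on what was typed), encodes at output for the context the value lands in, and shows two things the thread warns about: what double encoding looks like when you encode on insert and again on output, and an attribute payload that body encoding leaves untouched.

```python
import html
import sqlite3

# Constructed inputs from the thread: the clean value, the stored-XSS payload
# from the EncodeForHTML reply, and the reflected one aimed at search.cfm.
CLEAN = "Johnson & Johnson's"
STORED_PAYLOAD = "Johnson & Johnson's<script src=//hackers.r.us/badstuff.js></script>"
REFLECTED_PAYLOAD = "<script>alert('xss')</script>"


def encode_for_html(value: str) -> str:
    """Body-text context: escape only & < > \" ' (EncodeForHTML in spirit)."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value: str) -> str:
    """Attribute context: everything but ASCII letters/digits becomes &#xHH;,
    so the value cannot close or extend even an unquoted attribute."""
    return "".join(c if (c.isascii() and c.isalnum()) else f"&#x{ord(c):x};" for c in value)


def store_company(conn: sqlite3.Connection, name: str) -> None:
    """The cfqueryparam equivalent: bind the value, never splice it into the SQL.
    The raw string is stored unchanged, so LIKE searches match what users typed."""
    conn.execute("INSERT INTO company(name) VALUES (?)", (name,))


def store_company_unsafely(conn: sqlite3.Connection, name: str) -> None:
    """The bug binding prevents: the apostrophe in Johnson's ends the SQL literal."""
    conn.execute(f"INSERT INTO company(name) VALUES ('{name}')")


def find_company(conn: sqlite3.Connection, needle: str) -> list:
    rows = conn.execute("SELECT name FROM company WHERE name LIKE ?", (f"%{needle}%",))
    return [r[0] for r in rows]


def render_search_page(query: str, count: int) -> str:
    """search.cfm from the thread, with url.query encoded for the body it lands in."""
    return f"Your search for {encode_for_html(query)} returned {count} results"


def render_edit_form(value: str) -> str:
    """The same value placed in an attribute: the other context the reply mentions."""
    return f'<input name="company" value={encode_for_html_attribute(value)}>'


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE company(name TEXT)")
    store_company(conn, CLEAN)
    store_company(conn, STORED_PAYLOAD)
    try:
        store_company_unsafely(conn, CLEAN)
        concat_broke = False
    except sqlite3.OperationalError:   # near "s": syntax error, the literal was cut
        concat_broke = True
    once = encode_for_html(STORED_PAYLOAD)
    twice = encode_for_html(once)       # encode on insert + encode on output
    attr_payload = "x onmouseover=alert(1)"   # no & < > " ' so body encoding is a no-op
    return {
        "rows": conn.execute("SELECT count(*) FROM company").fetchone()[0],
        "raw_hits": len(find_company(conn, "Johnson's")),
        "concat_broke": concat_broke,
        "search_page": render_search_page(REFLECTED_PAYLOAD, 0),
        "body_encoded": once,
        "double_encoded": twice,
        "attr_via_body_encoding": encode_for_html(attr_payload),
        "edit_form": render_edit_form(attr_payload),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The attribute case is the one to remember: a value with no angle brackets or quotes passes body encoding unchanged, yet inside value=... it adds an event handler, which is why the encoder has to match the output context rather than the input.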


Re: Versions of Apache Supported on CF10 Linux?

2014-02-28 Thread Pete Freitag

On Tue, Feb 25, 2014 at 8:32 PM, Steve 'Cutter' Blades 
cold.fus...@cutterscrossing.com wrote:


 It does support Apache on 64-bit Windows, just not 64-bit Apache. I
 would not be surprised if the Linux stuff is the same.


64 bit Apache on Linux does work with CF10 and CF9 for that matter, I've
set it up on several servers without any issues. No building from source
necessary.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357794


Re: CFHTTP SSL call returns Peer Not Authenticated

2014-02-25 Thread Pete Freitag

Is the server using a 2048 bit or higher key? I had a client with some
issues connecting to twitter after they upgraded their SSL to 2048 bit, and
the issue was resolved in this case by updating the CF9 server with the
latest hotfixes (9.0.1 Cumulative Hotfix 4).

I know you are on CF8, but you might still want to make sure you have
applied all the hotfixes for CF8, and also update the JVM to the latest
1.6.x (since you are on CF8 you can't upgrade to java 1.7) you can find
(sometimes SSL issues are bound to the jvm as well).




On Mon, Feb 24, 2014 at 12:58 PM, David Phelan dphe...@emerginghealthit.com wrote:


 I have written a page that makes an SSL web service call using CFHTTP but
 I cannot seem to get the service to respond with anything other than Peer
 Not Authenticated.  I have imported the certificates for the servers into
 the CF keystore and restarted the CF services.  I found a post relating to
 a similar issue, but it is an issue in CF9 Enterprise only.  I tried the
 workaround anyway to no avail.  The call is being initiated by our servers
 in our DMZ to servers in our internal network for which we added a
 permanent route to our server.  I can ping the server and get the replies.
  I can get the WSDL from the host server through the browser on the client
 server, but the call through CF fail.  Any help would be appreciated.

 We are using CF8 on a win2k8 R2 server.

 David Phelan
 Web Developer
 IT Security  Web Technologies

 Montefiore IT
 3 Odell Plaza, Yonkers, NY 10701
 914-457-6465 Office
 862-234-9109 Cell
 dphe...@emerginghealthit.com
 http://www.emerginghealthit.com/
 http://www.montefiore.org/



 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357747


Re: Versions of Apache Supported on CF10 Linux?

2014-02-25 Thread Pete Freitag

On Tue, Feb 25, 2014 at 10:42 AM, Steve 'Cutter' Blades 
cold.fus...@cutterscrossing.com wrote:

 64-bit Apache is not officially supported.


I don't think that is true, perhaps with Apache on Windows? But not with
linux. The support matrix lists Apache support for both 32 and 64 bit on
all platforms:
http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf10/coldfusion10-support-matrix.pdf
for what it's worth.

If you are on RHEL then make sure you update httpd using yum to the
latest... Note that with RHEL the apache version number may not change, but
RH will apply security patches or bug fixes as needed. More on that here:
http://www.petefreitag.com/item/826.cfm

What version of RHEL are you running?



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357754


Re: Setting Cookie Secure, Domain, Path

2014-02-21 Thread Pete Freitag

Hi Richard,

Normally you can switch between J2EE and CFID/CFTOKEN cookies without
problem unless something in your application code is relying on one or the
other. It may be easy to change that or it may be quite involved, it
depends quite a bit on how your application is coded.

If you want to use J2EE sessions then you have to edit the jrun-web.xml
file
http://livedocs.adobe.com/jrun/4/Programmers_Guide/techniques_servlet13.htm#1154030
but this is server wide so it will be the same for all sites / applications
on the server.

Another option would be to use the web server to add the appropriate flags
to the web server, here's an example of how you do this on IIS7+ using the
IIS rewrite module: http://www.petefreitag.com/item/817.cfm




On Thu, Feb 20, 2014 at 2:39 PM, Richard White rich...@re-base.net wrote:


 Hi Pete,

 yes although if i disable this my login stops working and appears the
 session variables that i use throughout the application cease to function.

 Thanks,
 Richard

 Hi Richard, do you have Use J2EE session variables checked in the CF
 administrator?
 
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357724


Re: Moving from CF8 tp CF10 - Session Issues

2014-02-21 Thread Pete Freitag

Hi Les,

Here is a place to start for you: http://www.petefreitag.com/item/815.cfm

Use Chrome Developer tools to look at the session cookies, see if they are
changing from request to request.




On Thu, Feb 20, 2014 at 6:04 PM, Les Mizzell lesm...@bellsouth.net wrote:


 Got a site currently running on CF8 that we're migrating to a completely
 new server with a fresh CF10 install. There's an informal members only
 section with user/pass login that we're having trouble with. No code
 changes - no problems on the CF8 server.

 But, in various browsers, it seems the logged-in session var isn't
 holding and the second you log in, it just kicks you back out.
 CF8 version - all browsers stay logged in with no problems.
 CF10 version - Chrome kicks you right back out. IE works great (??)

 So ... pretty simple stuff. If the username/pass matches:

 <cfif qVerify.RecordCount>
   <!--- This user has logged in correctly, change the value of the
 session.allowin value --->
   <cfset session.allowin = True />
   <cfset session.user_id = qVerify.uniqID />
 </cfif>

 ... and there you go..

 Application file settings:

 <cfapplication name="MyMemberSection"
    clientmanagement="yes"
    sessionmanagement="yes"
    setclientcookies="yes"
    setdomaincookies="yes"
    sessiontimeout="#CreateTimeSpan(0,8,00,0)#"
    applicationtimeout="#CreateTimeSpan(0,8,00,0)#"
    clientstorage="cookie">


 So the question is - what's different between CF8 and CF10 that I need
 to be looking for? I'm not even sure where to start looking at the
 moment. Ideas? Tearing my hair out so far.

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357725


Re: Setting Cookie Secure, Domain, Path

2014-02-20 Thread Pete Freitag

Hi Richard, do you have Use J2EE session variables checked in the CF
administrator?




On Thu, Feb 20, 2014 at 5:41 AM, Richard White rich...@re-base.net wrote:


 Thanks Pete, this does seem to work by adding it to the application.cfc.
 However, when i first open the browser and go to the site it shows an error
 that the session.cfide does not exist. The culprit is in the onSessionStart
 method as shown below. If I reload the window then its all fine as I
 suppose at this point the session.cfide has been created. Would you know
 how to resolve this?

 <cffunction name="onSessionStart">
   <cfcookie name="CFID" value="#session.cfid#" httponly="true" secure="yes">
   <cfcookie name="CFTOKEN" value="#session.cftoken#" httponly="true" secure="yes">
 </cffunction>


 Thanks

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357714


Re: Best practices for xss security in CMS?

2014-02-20 Thread Pete Freitag

Hi Nick,

It is tricky to handle HTML content while avoiding XSS; there are two
tools I'm aware of that can help you here:

1) scrubHTML() - This is one I built in pure CFML and I think it is pretty
easy to build a whitelist of allowed html using it:
https://github.com/foundeo/cfml-security it will use your whitelist and
only allow HTML tags and attributes that you allow to come out the other
end, anything not matching the whitelist is removed.
2) AntiSamy - written in java, widely used, but its policy files can be
tricky to work with, example using it with CFML:
http://www.petefreitag.com/item/760.cfm





On Wed, Feb 19, 2014 at 11:08 PM, Nick Gleason n.glea...@citysoft.com wrote:


 Hi All,
 I'm very interested in your feedback on best practices when 1) trying to
 mitigate risk of XSS and other hacks while 2) providing CMS functionality
 that includes a web editor that clients use to publish web pages.
 For example, there are many tags like style, iframe, and embed that
 are considered risks by OWASP and others but are also typically needed by
 CMS users to create web pages, embed youtube videos, and the like.
 We're thinking through how to manage the trade offs so that we protect
 clients but don't frustrate them in making their web pages.
 I'd love to know how others are managing these issues effectively.  Our
 users who are creating web pages with an editor (FCKeditor) are generally
 working behind a login as administrators, so there is that login security -
 not anyone can use the editor to create a web page.  But, we have generally
 had a lot more security than that.
 I'm assuming that there are users of Mura, Farcry and other CMS's on this
 list and I'd love to know how you have addressed these risks.
 Thanks in advance!
 Nick




 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357715
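A whitelist scrubber along the lines of the scrubHTML() approach described in the reply above, written for this thread as an added Python example (it is not the cfml-security code and not AntiSamy). The tag and attribute policy, the embed host list and the sample inputs are assumptions constructed for illustration; it keeps only listed tags and attributes, drops script/style with their contents, rejects non-http(s)/mailto URLs, and admits an iframe only when its src points at an assumed video host.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed editor policy (constructed for this example): tag -> attributes allowed on it.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "strong": set(), "em": set(), "ul": set(), "ol": set(),
    "li": set(), "h1": set(), "h2": set(), "h3": set(), "blockquote": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "iframe": {"src", "width", "height", "allowfullscreen"},  # video embeds only, see _url_ok
}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
EMBED_HOSTS = {"www.youtube.com", "www.youtube-nocookie.com", "player.vimeo.com"}  # assumed list
DROP_WITH_CONTENT = {"script", "style"}  # removed together with everything inside them


def _url_ok(tag: str, value: str) -> bool:
    """URL policy: relative or http(s)/mailto for links and images; https on an embed host for iframes."""
    # Strip whitespace/control characters first so "java\tscript:" is not taken for a relative URL.
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
    parsed = urlparse(cleaned)
    scheme = parsed.scheme.lower()
    if tag == "iframe":
        return scheme == "https" and parsed.netloc.lower() in EMBED_HOSTS
    return scheme == "" or scheme in SAFE_SCHEMES


class WhitelistScrubber(HTMLParser):
    """Re-emits only whitelisted markup; everything else is unwrapped or dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # tags we emitted and still owe a closing tag for
        self.dropping = 0     # > 0 while inside a script/style element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return  # disallowed tag is unwrapped: the tag goes, its (escaped) text stays
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue  # this is what removes every on* handler, style=, etc.
            if value is None:
                kept.append(f" {name}")  # boolean attribute such as allowfullscreen
            elif name in URL_ATTRS and not _url_ok(tag, value):
                continue
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "iframe" and not any(k.startswith(" src=") for k in kept):
            return  # an iframe without an acceptable src is dropped outright
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.dropping = max(self.dropping - 1, 0)
            return
        if self.dropping or tag not in self.open_tags:
            return
        while self.open_tags:  # also close anything left open inside, so output stays well formed
            open_tag = self.open_tags.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions fall through to the no-op defaults, i.e. dropped.

    def result(self) -> str:
        self.close()  # flush buffered text
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def scrub_html(html: str) -> str:
    scrubber = WhitelistScrubber()
    scrubber.feed(html)
    return scrubber.result()


# Constructed sample editor output, not real CMS content.
SAMPLES = [
    '<p>Hi <b>there</b> <em>friend</em></p>',
    '<a href="javascript:alert(1)" title="t">x</a>',
    '<script>alert(1)</script><p>ok</p>',
    '<IMG SRC="/a.png" ONERROR="alert(1)" alt="a">',
    '<iframe src="https://www.youtube.com/embed/abc" width="560" allowfullscreen></iframe>',
    '<iframe src="http://attacker.invalid/"></iframe>',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:90} -> {scrub_html(sample)!r}")
```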


Re: Setting Cookie Secure, Domain, Path

2014-02-19 Thread Pete Freitag

Hi Richard,

You can use the technique here: http://www.petefreitag.com/item/764.cfm it
doesn't set path, domain, or secure but you can just add that to the
cfcookie tag in the CF9 example.




On Tue, Feb 18, 2014 at 1:36 PM, Richard White rich...@re-base.net wrote:


 Hi,

 Is there a way to set the secure, domain and path values for session CFID
 and CFTOKEN cookies in the application.cfc page of CF9?

 I have done some searches but cannot seem to find an answer.

 Many thanks,
 Richard

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357709


Re: introspect Java process OSX to determine Coldfusion Run Status?

2014-02-03 Thread Pete Freitag

Maybe, but you would probably get a more useful result by working from
within the JVM to get the info you are after. I'd start with a thread dump:
http://helpx.adobe.com/experience-manager/kb/TakeThreadDump.html




On Wed, Jan 22, 2014 at 3:49 AM, Don danfar...@hotmail.com wrote:


 Was wondering if the above was possible.

 Seems I can retrieve a list of running processes. Of course since CF runs
 in Java, it's impossible to determine what exactly is running in Java. Which
 is the data I am looking for.

 I fear that I'm going to be blocked by Java security at this point.


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357578


Re: Secure attribute on CF Session Cookies

2013-12-06 Thread Pete Freitag

On Fri, Dec 6, 2013 at 2:52 PM, Wil Genovese jugg...@trunkful.com wrote:


 I've seen people request this before due to a PCI security audit. Usually
 the best solution, depending on the code, is to switch to J2EE session
 variables. Instead of physical cookies the session cookies are true session
 cookies in browser memory. This would eliminate the secure cookies issue.
  I think?


You can create a browser session cookie for CFID/CFTOKEN cookies as well,
you just have to write the cookies manually. But what Robert was asking
about was the secure flag on the cookie, which indicates that the user
agent should only send the cookie over a secure connection (eg HTTPS),
again you have to do this by writing the cookies manually in CF9 and lower,
here's an example showing how to do this:
http://www.petefreitag.com/item/764.cfm

For CF10 it is easy, you just specify in your Application.cfc:

this.sessioncookie.secure = true

Also with CF10 (or Tomcat rather) it will automatically add the secure flag
to your JSESSIONID cookie on HTTPS requests, this causes your HTTP and
HTTPS requests to be on different sessions, which for security is a good
thing, but can lead to issues if you have coded your apps to expect
otherwise. More info on that here: http://www.petefreitag.com/item/817.cfm



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357316


Re: Cumulative Hotfix 3 & 4

2013-10-04 Thread Pete Freitag

Hi Nick,

If you install CHF4 it will include CHF3 and prior ones, but any security
hotfix released AFTER CHF4 will need to be reapplied, HackMyCF will tell
you that as well once you install it, but just wanted to give you a heads
up -- those hotfixes are APSB13-10, APSB13-13 and APSB13-19.




On Fri, Oct 4, 2013 at 12:18 PM, Nick Gleason n.glea...@citysoft.com wrote:


 Thanks guys.  We use Hackmysite and love it.
 we've got all the security hotfixes patched, so we're good on that.
 I'm assuming, but want to get your take, that installing the cumulative
 hotfixes will not over-write previously installed hotfixes.  that would
 seem to be an obvious thing to avoid, but just want to make sure.
 Nick

 

 I would also suggest hackmycf to keep your patches up to date

 Russ Michaels
 www.michaels.me.uk
 cfmldeveloper.com
 cflive.net
 cfsearch.com
 On 4 Oct 2013 13:53, Bobby  wrote:

 
  Right, cumulative would mean that 4 includes 3 (and previous). Russ is
  right, there are plenty of security patches that are NOT in the
 cumulative
  hotfix. I do believe the unofficial updater has many of them included
  though so you might consider that if you are looking for more than what
 is
  in the cumulative hotfix.
 
 
  On 10/4/13 4:01 AM, Russ Michaels  wrote:
 
  
  yes each CHF includes all fixes from previous ones.
  You should however be sure to check carefully on their site what is NOT
  included, often security fixes are not included.
  
  
  On Fri, Oct 4, 2013 at 8:06 AM, Nick Gleason
  wrote:
  
  
   Hi All,
   A quick question.  I need to install Cumulative Hotfix 3 and 4 on a
  server.
If I install 4, will that include 3 (as the word cumulative seems to
   imply)?  Or do I need to install CH 3 first and then install CH 4?
   Thanks!
   Nick
  
  
  
  
  
  
  
 
 



 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356880


Re: Hacking?

2013-09-06 Thread Pete Freitag

Yes, it certainly can be used by hackers. It can be used to manipulate the
file system, upload files, execute exe's, and run database queries against
your datasources.

This file is most commonly found via the adminapi Hack widely exploited in
Dec/Jan 2012 (eg /CFIDE/h.cfm, etc), but I've also seen this particular
file on hacked servers sprinkled through the file system (eg 20-30
instances, using random file names). Also I've found in many cases that a
server had patched the adminapi issue and blocked /CFIDE/adminapi but never
cleaned up files that attackers placed, so they keep getting hit.

You will want to take a close look at the server, and consider moving to a
fresh server after you have cleaned up.




On Fri, Sep 6, 2013 at 9:32 AM, Robert Harrison rob...@austin-williams.com wrote:


 Is anyone familiar with this code:  http://pastebin.com/2v3PMx4M

 We found this in one of our sites which has been getting hacked lately. We
 also found a few other infected files which we've cleaned, but this one in
 particular was somehow injected into one of our sites.  Anyone know what
 this does and if it could be used as a hacking aid?

 Thanks



 Robert Harrison
 Director of Interactive Services

 Austin & Williams
 Advertising I Branding I Digital I Direct
 125 Kennedy Drive,  Suite 100   I  Hauppauge, NY 11788
 T 631.231.6600 X 119   F 631.434.7022
 http://www.austin-williams.com

 Blog:  http://www.austin-williams.com/blog
 Twitter:  http://www.twitter.com/austi

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356714


Re: Good jvm ram settings for 64 bit ColdFusion

2013-09-03 Thread Pete Freitag

On Tue, Sep 3, 2013 at 9:08 AM, Mark A Kruger mkru...@cfwebtools.com wrote:

 In 32 bit addressing each memory address takes up 4 bytes (4 x 8  bits)
 but a 64 bit address space is wider (as in 8 x 8 bits).  So for example, if
 you store an integer - say 14 - on a 32 bit system, it will take 4 bytes to
 do it (   1110).


That is correct about the addressing being larger on 64 bit, but it still
uses 32 bits to store an int (in Java at least, this may differ if you are
doing c/c++, etc), but its address is twice as big. So what accounts for
the extra heap usage is that when you have an object reference (or a
pointer) to another object or primitive within an object, instead of taking
32 bits per reference it takes 64 bits.

Also Michael - 2gb perm size seems rather large generally speaking (unless
you have tons of cfm/cfc files). Further, if your server has 8GB of ram, and
you are setting 6GB max heap and 2GB max perm size, then you are not leaving
any room for the OS to operate when things get full.

The perm size does not usually change much once the application is fully
loaded and all possible logic routes have executed at least once (unless
you have some sort of dynamic cfml generating going on) so you should be
able to see how much you are actually using at runtime by running this
code: http://www.petefreitag.com/item/821.cfm



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356698


Re: Hack Attempt on our database last night

2013-07-23 Thread Pete Freitag

On Mon, Jul 22, 2013 at 4:29 PM, Mark A Kruger mkru...@cfwebtools.com wrote:


 Pete,

 So is that the purpose of the !3000 then? Got it!


That's correct Mark, you got it.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356286


Re: Hack Attempt on our database last night

2013-07-22 Thread Pete Freitag

On Mon, Jul 22, 2013 at 12:45 PM, Mark A Kruger mkru...@cfwebtools.com wrote:

 Doesn't the /* */ force the whole string into a comment? Hard to see how
 that would succeed.


It is a MySQL version-specific comment, so if the MySQL version is greater
than version 3.0 in this case it would execute; all other DB engines would
treat it as a comment.




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356274


Re: How to Change the User Name field in CF Administrator's Info Page

2013-07-02 Thread Pete Freitag

That means you are running CF under the system account, you can create a
dedicated windows user account, and change the ColdFusion service logon
identity to be that new account. You will also need to make sure this new
user has the appropriate NTFS permissions, see the CF9 lockdown guide for
more info on that: http://bit.ly/cf9lockdown



On Tue, Jul 2, 2013 at 3:51 PM, Eugene Colucci ecolu...@buffalo.edu wrote:


 I currently use ColdFusion 9,0,1,274733 Standard, stand-alone edition on
 Windows Server 2008 R2 on a machine that was cloned from another
 computer.  After I log into the ColdFusion Administrator and select the
 (System) Information page, I scroll to the User Name field and see
 ABCserver$ (not the real name), which is the same as the User Name on the
 machine that was cloned.  According to CF Administrator Help, the User Name
 field is The account that runs the ColdFusion service.  However, the User
 Name field value actually seems to be the computer name--in my case the
 computer name of the original server.  I checked this field on our other CF
 servers, and the names in each case matched the correct computer name--even
 on our other cloned computers.  However for some reason on one particular
 machine, the User Name field still retains the value of the original
 computer name.  Does someone know a way to change this value manually?

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356108


Re: How to Address Prompts for Java Updates

2013-07-02 Thread Pete Freitag

Java 1.6.0_17 has several security issues, so you probably do want to
update java, BUT you need to make sure you have applied the latest
ColdFusion hotfixes first because Java 1.7 support was only added a few
months ago via hotfixes.

You don't want to overwrite the C:\ColdFusion\runtime\jre JVM, you want to
install the jvm in its own place, and then update the JVM path in your
ColdFusion administrator or jvm.config file.




On Tue, Jul 2, 2013 at 3:41 PM, Eugene Colucci ecolu...@buffalo.edu wrote:


 I currently use ColdFusion 9,0,1,274733 Standard, stand-alone edition on
 Windows Server 2008 R2 with Java Version 1.6.0_17 from Java Vendor Sun
 Microsystems Inc. with Java Home located at C:\ColdFusion\runtime\jre.  I
 am receiving prompts to update the installed version of Java on my servers
 to 1.7.whatever.  WITH REGARD TO COLDFUSION'S PROPER FUNCTIONING, should I
 install the Java updates when prompted?  If so, should I install the
 updates in C:\ColdFusion\runtime\jre overwriting what already is there so
 that my CF Server recognizes the updated Java version, install the Java
 updates elsewhere on my computer where there is no impact on my CF Server,
 or ignore the prompts to update my Java installations?

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356109


Re: Issue instantiating java on CF10

2013-04-26 Thread Pete Freitag

Hi Edward,

You are trying to invoke the java class application.TextExtractor which
is not part of the standard java class library (those all start with
java.something or javax.something typically). The only other possibility is
that this class is included as part of CF8, as a sanity check I tested a
CF8 server with your code and got: Object Instantiation Exception. Class
not found: application.TextExtractor as expected.

So you MUST have at some point put a jar file or some .class files into
your classpath on the CF8 server. Even if your Java class path entry is
empty in the CF administrator you still could have put the class or jar
files in some locations such as WEB-INF/lib or WEB-INF/classes which would
cause them to be picked up automatically by the classloader. Do a double
check on your CF8 server and I think you will find the java code you are
missing.




On Fri, Apr 26, 2013 at 5:25 AM, Edward Chanter firew...@cc.uk.com wrote:


 Dear Java Gurus,

 I'm using some java to do text extraction, it was built on CF8 running on
 linux but we recently moved to a new CF10 server running on windows. The
 code doesn't work and I can't work out why. It's not using any custom jar
 files and I was able to port the same code from one CF8 linux server to
 another without a problem. Move it to CF10 windows (64bit) and I start
 getting instantiation errors. I realise it's a whole different operating
 system and 2 versions of CF so maybe my hope that it would just work was
 misguided.

 Just wondering if anyone with cf/java expertise had any ideas.

 My code looks like this:

 this.tweeturl = "http://thefinanser.co.uk/fsclub/2013/04/why-all-banks-will-change-core-systems.html?utm_source=twitterfeed&utm_medium=twitter";

 myExtractor = CreateObject("java", "application.TextExtractor").init();

 myExtractor.extract(this.tweeturl);
 params.description = myExtractor.getExtractedText();

 The error:

 Object Instantiation Exception.
 Class not found: application.TextExtractor

 Simple case of a class not found I hear you say! Except I never installed
 any classes for it. I just wrote the code on CF8 and it worked.

 If anyone has any ideas I'd be most grateful.

 -= Ed


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355608


Re: postParametersLimit in CHF4

2013-04-04 Thread Pete Freitag

Just to give you an idea with 80,000 post params that caused a hash
collision it took my quad core desktop 31 minutes to respond to the
request, sending a larger number of post params 120,000 that did not have a
collision executed in 3 seconds. So what is safe really depends on your
tolerance and CPU processing power.

With 1000 colliding params you can probably cause a few seconds of
processing time on the server.




On Thu, Apr 4, 2013 at 4:57 PM, Chris 0404tow...@gmail.com wrote:


 How many is too many post parameters?


 We've had a few applications fail with the new postParametersLimit in CHF4
 (the included Security Hotfix APSB12-06,
 http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix.html )

 Even increasing postParametersLimit from 100 to 200 isn't enough -- one
 application uses 1006 post parameters ( !! )


 So given that this is a denial of service attack prevention, how risky is
 it letting 1100 post parameters go through with every request? I'm figuring
 a real DoS attack would have a lot more than 1100 parameters, but setting
 post parameters for 11 times the security update value sounds like poor
 practice.

 thank you,
 Chris


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355285


Re: postParametersLimit in CHF4

2013-04-04 Thread Pete Freitag

The vulnerability is caused by hash collisions, so if two strings hash to
the same value, for example the result of java's hashCode() function on the
name of a form field, then the hash table data structure becomes very
inefficient.  ColdFusion uses some sort of hash table algorithm to store
the form fields (as well as url fields, cookies, etc but these are
typically limited in size which makes them less of a target for this
attack). CF was not the only technology to get hit by this issue; many
others, including ASP.NET, node.js, j2ee/Tomcat, etc., were affected.

Typically a hash table algorithm will account for collisions by putting all
objects with the same hash code in a bucket, and then does a comparison of
each value in the bucket to fetch the correct one, or to see if it is a
duplicate when adding a new entry. You can see how the bucket could get
very big, and operations on it get slower and slower with each collision
added to the bucket if an attacker crafts a request with thousands of input
variables whose names all collide to the same hash code.

Under normal circumstances having 1000 form fields will not cause any
collisions at all, and hash table lookups are quite fast. You may still
want to limit the overall size of a request, but the HashDOS can be
relatively small (eg 1-2mb) so that is why limiting the number of fields is
considered the best protection.

I wrote a blog entry on this a while back that also explains it as well:
http://www.petefreitag.com/item/808.cfm




On Thu, Apr 4, 2013 at 5:23 PM, Russ Michaels r...@michaels.me.uk wrote:


 So what actually causes the collision?

 Regards
 Russ Michaels
 www.michaels.me.uk
 www.cfmldeveloper.com - Free CFML hosting for developers
 www.cfsearch.com - CF search engine
 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355289


Re: PCI-Compliance Ding for Non-Random CFID's

2013-04-01 Thread Pete Freitag

On Fri, Mar 29, 2013 at 2:10 PM, Rick Faircloth r...@whitestonemedia.com wrote:


 Thanks for the reply, Pete... If I remember all of the conversation
 correctly, when we came to the ding for consecutive session variables, the
 scanning vendor rep did mention the fact that a CFToken was involved and
 that made a difference. I did look up the information on this in the docs
 (CF9) and it did mention changing the CFToken to a long format (I didn't
 want to say UUID because, without looking it up, I wasn't sure that's the
 way it was labeled).


Yes it is labeled use UUID for CFTOKEN in ColdFusion administrator, but it
is actually more than just a UUID in modern versions of ColdFusion, for
example it might look like this:

545fa4955f796cd4-AF350107-CF9E-E638-A240BBF644B48476
^ (Random)       ^ (UUID)

Which contains a random value (which I believe is also generated using a
secure random generator like the jsessionid) concatenated with a UUID.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355211


Re: PCI-Compliance Ding for Non-Random CFID's

2013-03-29 Thread Pete Freitag

Most (if not all) PCI scanning vendors will remove it from your report if
you explain that the session is based on BOTH the CFID and CFTOKEN values,
not just one, as long as you have "Use UUID for CFTOKEN" enabled (which in
CF9/10 is more than just a UUID).

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes



On Fri, Mar 29, 2013 at 11:49 AM, Rick Faircloth r...@whitestonemedia.com wrote:


 Hi, all... Trying to get my server to pass PCI-Compliance and I was dinged
 for the server (CF) using non-random session id's (CFID's). They found three
 consecutive CFID's in use.  However, I noticed in the CF documentation that
 CF-Tokens are random. And I opted for the long-form CF-Tokens in the
 administrator. Is there a way to use random CFID's or is that what the
 random CF-Tokens are for: to provide a pair of variables, that together
 satisfy randomness requirements for sessions? Thanks for any feedback! Rick

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355202


Re: CF10 lockdown question

2013-03-06 Thread Pete Freitag

Hi Larry,

There have been a LOT of attacks targeting ColdFusion lately; it's time for
us all to step up our security practices. There is a lot you can do to
harden your server installation, and your application code, beyond what you
have mentioned. Security is one of those things where you can never say "ok,
everything is secure, I can check that off my list and move on"; it is a
constant, ongoing thing you need to always be working on.

Some things to get started:

1) Follow the CF10 lockdown guide:
https://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf10/cf10-lockdown-guide.pdf

2) If you can remove your need for /CFIDE, this can make lockdown easier
because you can just block it.

3) Another very important thing to check, besides that your queries have
been cfqueryparamed, is to check all your file operations for
vulnerabilities. Here are some tips for file uploads:
http://www.petefreitag.com/item/701.cfm You should also check any file
operation that uses variables that can be tainted by the requester; for
example <cfinclude template="static/#url.path#.html"> could be used to
download any file CF has access to (not just html files).

4) Leverage some of the new session functions in CF10 like SessionRotate
(after a successful login) and SessionInvalidate (on logout).

5) Employ redundant layers of security (defense in depth), for example
using a web application firewall, such as the one my company makes,
http://fuseguard.com/; there are other ones that are non-specific to CF as
well.

6) Use security monitoring and scanning tools, such as a PCI scanner, and
http://hackmycf.com/ (note HackMyCF is not a PCI scanner; you should still
use a PCI scanner in addition to HackMyCF, which is highly CF specific).

7) I could go on and on, so go and register for cf.Objective() where you
can hear several presentations on CF security given by David Epler, Phil
Duba, Bilal Soylu, and myself: http://www.cfobjective.com/sessions/ You can
find some of my past presentations here:
http://www.petefreitag.com/tag/security which also give a lot more detail
than we can get into on this thread.


--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes
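A worked version of items 3 and 4 above, added here as an example; it is not code from Pete's post or his blog. The include is guarded by an allow list, and the login/logout flow parameterizes the lookup and calls SessionRotate()/SessionInvalidate(). The "static" folder, the "myDSN" datasource, the "users" table with its columns and the salted SHA-512 scheme are all assumptions for illustration; a slow password hash (bcrypt, PBKDF2) is preferable where one is available to you.

```cfml
<!--- Added example, not code from the original post: items 3 and 4 applied.
      Assumptions: a "static" folder of .html fragments beside this page, a
      datasource "myDSN", and a "users" table (username, salt, password_hash)
      holding salted SHA-512 hashes. Requires CF10 for sessionRotate(). --->

<!--- Item 3: <cfinclude template="static/#url.path#.html"> lets the requester
      choose the path. Map the parameter onto a fixed list of page names so
      the raw input never reaches the file system. --->
<cfset allowedPages = "home,about,contact">
<cfparam name="url.path" default="home">

<cfif NOT listFindNoCase(allowedPages, url.path)>
    <!--- Unknown name: record it and fall back to the default page --->
    <cflog file="security" type="warning"
           text="Rejected include path from #cgi.remote_addr#: #left(url.path, 200)#">
    <cfset url.path = "home">
</cfif>
<cfinclude template="static/#url.path#.html">

<!--- Item 4: on a successful login rotate the session id, so any id an
      attacker planted in the browser before login no longer identifies the
      authenticated session. The lookup is parameterized (cfqueryparam). --->
<cfif structKeyExists(form, "username") AND structKeyExists(form, "password")>
    <cfquery name="qUser" datasource="myDSN">
        SELECT salt, password_hash
        FROM users
        WHERE username = <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.username#">
    </cfquery>

    <cfif qUser.recordCount EQ 1
          AND hash(form.password & qUser.salt, "SHA-512") EQ qUser.password_hash>
        <cfset sessionRotate()>
        <cfset session.userName = form.username>
    <cfelse>
        <!--- Same outcome for unknown user and wrong password; log the attempt --->
        <cflog file="security" type="information"
               text="Failed login for #left(form.username, 100)# from #cgi.remote_addr#">
    </cfif>
</cfif>

<!--- Logout: invalidate the whole session rather than deleting a few keys --->
<cfif structKeyExists(url, "logout")>
    <cfset sessionInvalidate()>
    <cflocation url="login.cfm" addtoken="false">
</cfif>
```

The allow list is the important part of the include fix: once url.path can only be one of three known names, there is nothing left for a "../" or a ".cfm" suffix to do, and the rejected values in the security log double as a detection signal for probing.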



On Tue, Mar 5, 2013 at 9:03 AM, Stephens, Larry V steph...@iu.edu wrote:


 Our webserver utilizing CF8 was hacked. We're not sure how (in what
 manner), at least at this point, but I am in the process of moving all CF
 stuff to a new server using CF10.

 I am checking all #variables# used in queries to be sure cfqueryparam is
 used. We are moving everything from MS Access to SQL Server.

 I am shedding all cfajaximport's and using jQuery ajax calls. While I
 don't *think* this is security related, I am also eliminating all cfform's
 (but, see below).

 Q1: By eliminating cfajaximport does the public need access to CFIDE or
 can I lock that down to my access, only? I recall having an issue with
 validation in cfform that had to do with not finding CFIDE (but I'm
 eliminating that issue).

 Q2: As far as CF goes, anything we're missing?

 Thanks.

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354854


Re: Issues after applying Coldfusion patches

2013-02-13 Thread Pete Freitag

Double check that you are installing the hotfix for the correct version of
CF, eg that they are not installing a CF9 patch on CF8.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes



On Wed, Feb 13, 2013 at 2:36 PM, funand learning funandlrnn...@gmail.com wrote:


 All -

 Our admins have been applying patches to our Coldfusion servers (version
 8). They said most of the patches affect coldfusion admin. During testing
 coldfusion administrator after applying patches, I found that verifying
 databases would throw this error: "There was an error accessing this page.
 Check logs for more details." The log file just has this error: "There was an
 error while verifying the token. Either the session timed out or
 un-authenticated access is suspected."

 Any suggestions on this?

 Thanks


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354496


Re: Hack - Further Information

2013-02-04 Thread Pete Freitag

Hi Robert,

CFChart relies on the URI /CFIDE/GraphData.cfm, so if you block /CFIDE then
cfchart also stops working; there is no way I'm aware of to tell CFChart to
use a different URI (I wish there was!). This also adds confusion for some,
because the file /CFIDE/GraphData.cfm does not exist in your /CFIDE folder,
but there is a servlet mapping in ColdFusion's web.xml file that allows it
to handle this request.

So you have to keep that URI open if you want to use cfchart, but you will
still want to block the rest of /CFIDE. If you are on IIS7 one way to do
this is using Request Filtering: you will want to add a Deny URI Sequence
for every folder in /CFIDE -- do this at the IIS level applicable to all
sites. Unfortunately you can't say "Deny /CFIDE" and "Allow /CFIDE/GraphData";
it will still block it. This is all covered in the CF9/10 lockdown guides.

Another possible solution might be to rewrite the HTML generated by CFChart
to use a different URI and then setup a virtual directory mapping on the
web server (or alter the servlet mapping in web.xml).

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes



On Mon, Feb 4, 2013 at 4:03 PM, Robert Harrison rob...@austin-williams.com wrote:


 Thanks everyone for the help. Many had some very useful advice and were
 dead on about the files and issues with mapping and /CFIDE.

 Yes, the culprit files were in CFIDE/adminapi/customtags, but we found a
 curious commonality in all the sites that were affected.  Every site
 affected used CFChart. I remember our server guy had to set-up some special
 mapping to CFIDE and allow files to be written there because of some sort
 of temp file CFChart uses when creating a .jpg.  Now that it's been locked
 down again, CFCHART no longer displays the image.

 What should we do to allow CFChart to function without opening a security
 hole?

 Thanks,
 Robert



 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354286


Re: Hack - Further Information

2013-02-04 Thread Pete Freitag

Hi Paul,

That approach may work in some cases, but there are cases where
/CFIDE/administrator/index.cfm may still resolve even if there is no folder
there (or no virtual directory). We often receive reports saying that
hackmycf.com is incorrectly reporting CF administrator open because
/CFIDE/administrator/ returns a 404, but if you add index.cfm to the end it
will in fact resolve CF administrator. That's why it is so important to put
explicit blocks to /CFIDE URIs in place on your web server.

In addition, the administrator is not the only folder to be worried about
under /CFIDE; several other folders have had exploits, including adminapi,
componentutils, wizards, scripts, and perhaps others.

In short, you should block as much of /CFIDE as you possibly can.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes



On Mon, Feb 4, 2013 at 4:29 PM, Paul Vernon paul.ver...@web-architect.co.uk wrote:


  What should we do to allow CFChart to function without opening a
  security hole?

 What we do is this.

 1. Duplicate the CFIDE directory in full.
 2. In the duplicate, remove the administration folders altogether.
 3. In all but the CFAdmin site itself on the server (which should really
 not be accessible over the web), map the CFIDE to the version that no longer
 contains the admin folder.

 This stops no end of possible security threats before they can start and if
 this had been implemented on your server would probably have stopped the
 hack from being successful.

 Paul




 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354289


Re: Hack - Further Information

2013-02-04 Thread Pete Freitag

Paul,

Sorry, to clarify: if the folder is gone 100% from the server it will not
work, but if you kept it in the default install location, e.g.
c:\inetpub\wwwroot or c:\coldfusion9\wwwroot\CFIDE, even though there is
no website that points to that on the webserver it can still resolve. So in
that case CF will intercept the request and serve it from the default
installed location. There are a few other settings that might need to come
into play for that to work, but it does happen quite frequently from what I
have seen.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes



On Mon, Feb 4, 2013 at 6:13 PM, Paul Vernon paul.ver...@web-architect.co.uk wrote:


 Pete,

  That approach may work in some cases, but there are cases where
  /CFIDE/administrator/index.cfm may still resolve even if there is no
  folder there (or no virtual directory).

 You're going to have to explain how /CFIDE/administrator/index.cfm could
 resolve when the CFIDE mapping is pointing to a directory that is a
 duplicate CFIDE with *all* the administrator folders removed.

 I must be missing something here but how can it resolve when there is
 definitely no file or folder and the mappings in CF and the web server all
 point at the duplicate? Has CF got some special code that I should know
 about that breaks the rules as to how web servers work? I've been working
 with CF since 4.0 and never seen it serve a page that does not exist...

 Paul



 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354291


Re: sql injection attempt

2013-01-23 Thread Pete Freitag

On Wed, Jan 23, 2013 at 12:57 PM, Rob Voyle robvo...@voyle.com wrote:


 Hi Greg,
 As I continue to update my security processes, I'm curious:
 was this injection attempt at the URL or at a form input?


Keep in mind that vulnerabilities can come from any input that the attacker
can manipulate, e.g. form, url, cgi, and cookie variables are all fair game.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354032


Re: Secure Image Uploads

2012-12-19 Thread Pete Freitag

From a security perspective you don't want to skip the file extension
test(s); that is critical. Also make sure you upload to a directory
outside of the webroot, then perform your validation. Only move it under
the webroot if you are sure it is a valid image and has an approved file
extension. Finally, use your web server and/or CF sandbox security to
prevent execution on the image upload folder.

I also wrote a blog entry a while back with some tips for secure file uploads:
http://www.petefreitag.com/item/701.cfm

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes
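The upload flow described above (stage outside the webroot, validate, then move), written out as an added example; it is not code from the original post or from Pete's blog entry. The two directory paths are placeholders, the form field is assumed to be named "photo", and the `result` attribute on cffile needs CF9 or later. It also covers Terry's EXIF and PNG steps by re-encoding the decoded image rather than copying the uploaded bytes.

```cfml
<!--- Added example, not code from the original post or Pete's blog: upload
      into a staging folder outside the webroot, validate there, re-encode, and
      only then move under the webroot. Both directory paths are placeholders;
      the form field is assumed to be named "photo". Requires CF9+ (result=). --->
<cfset stagingDir = "C:\uploads\staging\">          <!--- outside the webroot --->
<cfset publicDir  = expandPath("/userimages/")>      <!--- under the webroot, no execute --->
<cfset allowedExt = "jpg,jpeg,png,gif">
<cfset maxBytes   = 2 * 1024 * 1024>

<!--- 1. Land the file outside the webroot. The saved name comes from CF
        (makeunique), never from the client's file name. --->
<cffile action="upload" filefield="photo" destination="#stagingDir#"
        nameconflict="makeunique" result="up">
<cfset stagedPath = stagingDir & up.serverFile>

<cftry>
    <!--- 2. Extension check on the name the browser sent --->
    <cfif NOT listFindNoCase(allowedExt, up.clientFileExt)>
        <cfthrow type="UploadRejected" message="File extension not allowed">
    </cfif>

    <!--- 3. Size limit --->
    <cfif up.fileSize GT maxBytes>
        <cfthrow type="UploadRejected" message="File too large">
    </cfif>

    <!--- 4. Content check: the bytes must decode as an image regardless of
            what the extension and Content-Type claimed --->
    <cfif NOT isImageFile(stagedPath)>
        <cfthrow type="UploadRejected" message="Not a valid image">
    </cfif>

    <!--- 5. Re-encode to PNG under a random name. Writing the decoded pixels
            drops EXIF metadata and anything appended after the image data;
            only this re-encoded copy ever lands under the webroot --->
    <cfset img = imageRead(stagedPath)>
    <cfset publicPath = publicDir & createUUID() & ".png">
    <cfset imageWrite(img, publicPath)>

    <cffile action="delete" file="#stagedPath#">

    <cfcatch type="any">
        <!--- Never leave a rejected file behind in staging --->
        <cfif fileExists(stagedPath)>
            <cffile action="delete" file="#stagedPath#">
        </cfif>
        <cflog file="security" type="warning"
               text="Upload rejected from #cgi.remote_addr#: #cfcatch.message#">
        <cfrethrow>
    </cfcatch>
</cftry>
```

The last point in the post, denying execution in the public image folder, is web server or sandbox configuration rather than CFML; the example assumes that is in place for /userimages/.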




On Tue, Dec 18, 2012 at 10:35 PM, Dan Baughman dan.baugh...@gmail.com wrote:


 skip all the nonsense and just try to resize the image.

 If that fails it's either a color palette java can't handle or it
 isn't an image.

 - Dan

 On Tue, Dec 18, 2012 at 8:12 PM, Terry Troxel terry.tro...@gmail.com
 wrote:
 
  I am looking for a safe and secure way to put an example page on my site
  that will allow a potential client to upload a JPG in order to see an
  example of a responsive photo gallery he can create using my new
 responsive
  web template I am in the process of building.
  Here is what I am considering in the upload process:
  1...JPG extension only
  2...file size limit
  3...remove exif data if it exists
  4...Convert file to PNG and save after doing the resizing, etc. that I
 need
  to.
 
  I would like some opinions, suggestions, etc. to tell me if I am missing
  something or there are any other avenues I can pursue to accomplish my
  goal to stop anyone from using this to hack my site.
 
  Terry
 
 
 

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353553


Re: Security Question(s)

2012-11-20 Thread Pete Freitag

On Mon, Nov 19, 2012 at 1:48 PM, Jamie Bowers jamiembow...@netscape.net wrote:

 Somewhat related, how do I determine that any hot-fix or security patch I
 may download and install is indeed installed?


Jamie, one thing I'd like to point out is that if you are using CF7 then
you have unpatched vulnerabilities on the server. CF7 has been End of Life
for a while and has not received any security updates in a couple of years,
so even if your code is secured your server platform is likely not.

You will also need to make sure your JVM is patched, which again might be a
challenge since CF7 doesn't run on Java 1.6 (without appropriate JVM
patches an attacker can simply send a magic number to your server and cause
it to hang, among other possibilities).

To answer your question here about how do you know what patches are
installed: <plug>I created a service, http://hackmycf.com, specifically for
that reason; you can scan your domain for free but we also offer paid
services that can find more details.</plug> You can also try using the
ColdFusion administrator to see what the update level is, but that is not a
great solution; see
http://www.carehart.org/blog/client/index.cfm/2012/6/18/what_hotfixes_have_been_applied
for more info.

Finally, I also wanted to point out that XmlFormat is not a stopgap for XSS
either; for example if you have this:

<cfoutput>
  <script>
    var id = #XmlFormat(url.id)#;
  </script>
</cfoutput>

you are not at all protected from XSS. So XSS protection really depends on
where the variable is output: it could be in a tag, javascript, css, a url,
a tag attribute; all have their own encoding rules that must be applied to
properly prevent the attack.

Hope that helps.
--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes
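The per-context encoding rules the post describes, shown with one untrusted value rendered into each context; this is an added example, not code from the original message. It assumes CF10 or later, where the encodeFor* functions exist (the CF7 server in the thread has none of them, which is one more reason to upgrade), and url.color is a made-up second parameter used only for the CSS case.

```cfml
<!--- Added example, not code from the original post: one untrusted value
      rendered in each output context with the matching encoder. Assumes
      CF10 or later, where the encodeFor* functions exist; url.color is a
      made-up second parameter for the CSS case. --->
<cfparam name="url.id" default="">
<cfparam name="url.color" default="black">
<cfoutput>
  <!--- HTML body text: < > & " ' become entities --->
  <p>Record #encodeForHTML(url.id)#</p>

  <!--- HTML attribute: always quote the attribute and use the attribute encoder --->
  <input type="hidden" name="id" value="#encodeForHTMLAttribute(url.id)#">

  <!--- JavaScript string: the context from the post. XmlFormat() leaves the
        closing quote and the </script> sequence intact for an attacker;
        encodeForJavaScript() backslash-escapes them. The value must sit
        inside quotes; no encoder can make a bare token safe here. --->
  <script>
    var id = "#encodeForJavaScript(url.id)#";
  </script>

  <!--- URL query parameter: percent-encode the value only, not the whole URL --->
  <a href="detail.cfm?id=#encodeForURL(url.id)#">details</a>

  <!--- CSS property value --->
  <p style="color: #encodeForCSS(url.color)#">styled</p>
</cfoutput>
```

The choice of encoder follows the output location, not the input source: the same url.id is encoded four different ways on this one page, and the JavaScript case only works because the literal is quoted.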


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353266


Re: Multiple application in webroot with different sessions

2012-11-20 Thread Pete Freitag

You will need to make sure each of the session cookies specifies a path
attribute, otherwise the user will lose sessions when going from app to app
(if you have the session fixation patch enabled). This will also allow you
to have unique session ids for each app. You can do this by writing the
CFID/CFTOKEN cookies yourself in onSessionStart (example:
http://www.petefreitag.com/item/764.cfm) or if you are on CF10 you could
try this.sessioncookie.path (but that may not work; it looks like they may not
allow you to set the path this way).

The session timeout is internal to CF so even if the session cookies are
not expired it doesn't mean that the session is still valid. So even
without all of the path attribute set you can still have unique timeouts,
but the session can only be valid for one app at a time.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes
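An Application.cfc that does what the first paragraph describes, added as an example; it is not the code from Pete's blog post or from the original thread. It assumes this application is served under /app1 on the shared domain and that CF9 or later is in use (for the httponly attribute on cfcookie).

```cfml
<!--- Added example, not code from the original post or Pete's blog: one of
      several apps sharing a domain writes its own path-scoped CFID/CFTOKEN
      cookies, so the browser keeps a separate pair per app and the session
      fixation patch no longer drops sessions on cross-app navigation.
      Assumes this app lives under /app1. --->
<cfcomponent output="false">
    <cfset this.name = "app1">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
    <!--- Stop CF from writing its own domain-wide cookies; they are written
          below with the attributes we want --->
    <cfset this.setClientCookies = false>

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- path scopes the cookies to this app only; httponly keeps script
              from reading them. Add secure="true" when the app is HTTPS-only.
              No expires attribute, so they stay session cookies. --->
        <cfcookie name="CFID" value="#session.CFID#" path="/app1" httponly="true">
        <cfcookie name="CFTOKEN" value="#session.CFTOKEN#" path="/app1" httponly="true">
    </cffunction>
</cfcomponent>
```

Each other application on the domain gets the same component with its own this.name and path, which is what gives every app its own session id pair instead of one shared CFID/CFTOKEN that only one application's session store recognises at a time.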




On Tue, Nov 20, 2012 at 12:25 PM, Uday Patel udayjpatel2...@gmail.com wrote:


 Did you assign different names to the two applications?
 
 
 On Mon, Nov 19, 2012 at 9:48 PM, Uday Patel udayjpatel2...@gmail.com
 wrote:
 
 
 yes the application names are different for all sites

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353267


Re: encrypt / decrypt question

2012-11-06 Thread Pete Freitag

You left out the algorithm ("AES") in your encrypt() call this time. Also,
since you have the unlimited strength policy files, you might consider
generating a 256 bit key instead of the default 128, by doing:

GenerateSecretKey("AES", 256)

I have not found that I need the unlimited strength jurisdiction policy on
CF9 standard when using the default 128 bit AES encryption, only when going
up to 256 bit keys.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes
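An added example (not code from this thread or from Wil's blog post) that answers Eric's key question as well as Pete's point: the key is generated once and kept in a file outside the webroot, and every encrypt()/decrypt() call names the algorithm explicitly. The key file path, the "myDSN" datasource and the orders table are placeholders; the 256-bit key assumes the unlimited-strength policy files are installed, as Eric's are.

```cfml
<!--- Added example, not code from the original thread: a key generated once
      and stored outside the webroot, then used with the algorithm named
      explicitly. Key file path, datasource and table are placeholders. --->
<cfset keyFile = "C:\cf_secrets\cc.key">   <!--- placeholder, outside the webroot --->

<!--- Generate the key exactly once. Every generateSecretKey() call returns a
      new key, so it must never run inline in the INSERT as in the question.
      In a real app this belongs in onApplicationStart. --->
<cfif NOT fileExists(keyFile)>
    <cffile action="write" file="#keyFile#" output="#generateSecretKey('AES', 256)#">
</cfif>
<cfset application.ccKey = trim(fileRead(keyFile))>

<cffunction name="encryptCard" returntype="struct" output="false">
    <cfargument name="plain" type="string" required="true">
    <!--- Fresh random 16-byte IV per record, taken from the same CSPRNG that
          backs generateSecretKey(); CBC with a fixed IV leaks equal prefixes --->
    <cfset var iv = binaryDecode(generateSecretKey("AES", 128), "base64")>
    <cfset var cipher = encrypt(arguments.plain, application.ccKey,
                                "AES/CBC/PKCS5Padding", "Base64", iv)>
    <cfreturn { ciphertext = cipher, iv = binaryEncode(iv, "base64") }>
</cffunction>

<cffunction name="decryptCard" returntype="string" output="false">
    <cfargument name="ciphertext" type="string" required="true">
    <cfargument name="iv" type="string" required="true">
    <cfreturn decrypt(arguments.ciphertext, application.ccKey,
                      "AES/CBC/PKCS5Padding", "Base64",
                      binaryDecode(arguments.iv, "base64"))>
</cffunction>

<!--- The INSERT stores ciphertext and IV; the IV is not secret, the key is
      never written to the database --->
<cfset enc = encryptCard(form.creditCardNumber)>
<cfquery datasource="myDSN">
    INSERT INTO orders (CreditCardNumber, CardIV)
    VALUES (
        <cfqueryparam cfsqltype="cf_sql_varchar" value="#enc.ciphertext#">,
        <cfqueryparam cfsqltype="cf_sql_varchar" value="#enc.iv#">
    )
</cfquery>
```

With the key held in application scope and the IV stored beside each row, decryptCard() can recover any record later, which is exactly what a key regenerated on every request could never do.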




On Mon, Nov 5, 2012 at 7:15 PM, Eric Bourland e...@ebwebwork.com wrote:


 Hi, Wil,

 I read up on the generateSecretKey function, both in your very helpful
 example page, and on adobe:

 http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-6e72.html

 I am having a little trouble with syntax. Here is my insert statement:
 <!--- provide default value for form.AES --->
 <cfparam name="form.AES" default="">

 <!--- insert statement uses encrypt function to place in the database an
 encrypted value for CreditCardNumber --->
 CreditCardNumber = <cfqueryparam cfsqltype="cf_sql_varchar"
 value="#encrypt(form.CreditCardNumber,generateSecretKey(form.AES),'UU')#">,

 This insert statement returns the error:

 The '' algorithm is not supported by the Security Provider you have chosen.

 (I am also not clear why the encryption method, AES, needs to be defined in
 the scope of FORM.)

 I was wondering if I could do the generateSecretKey function, and store the
 result in a variable (as you did, I think, in your example on trunkful.com
 ).
 But again I get confused. Doesn't the key have to be a constant value? And
 stored in a constant place? It seems like the generateSecretKey function
 generates a new key every time the form is processed.

 Sorry to drag on with this question. I am still reading up in the
 documentation to see if I can construct a working insert statement. Thank
 you all again for your time and advice.

 Eric



 -Original Message-
 From: Wil Genovese [mailto:jugg...@trunkful.com]
 Sent: Sunday, November 04, 2012 9:58 PM
 To: cf-talk
 Subject: Re: encrypt / decrypt question


 Eric,

 A while back I was testing all the encryption and decryption types and
 wrote
 a short cfm page that let me do the testing. The code there is a good
 example of how it all works. Instead of trying to write it up and post here
 I created a very short and sweet blog post about this.


 http://www.trunkful.com/index.cfm/2012/11/4/Encryption-and-Decryption-in-ColdFusion

 I hope this helps.

 Wil Genovese
 Sr. Web Application Developer/
 Systems Administrator
 CF Webtools
 www.cfwebtools.com

 wilg...@trunkful.com
 www.trunkful.com




 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353068


Re: CF 9 Updates

2012-10-19 Thread Pete Freitag

Hi Steve,

9.0.1 Cumulative hotfix 2 does not include all the security patches, it is
missing APSB11-29, APSB12-06, APSB12-15 and APSB12-21.

9.0.2 is only missing security hotfix APSB12-21.

See this page for more info: http://www.petefreitag.com/item/804.cfm

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes




On Fri, Oct 19, 2012 at 3:59 PM, Steve LaBadie slaba...@po-box.esu.edu wrote:


 Hey Pete,

 Will uploading update 2 take care of everything?

 Steve LaBadie, Web Manager
 East Stroudsburg University
 570-422-3999
 slaba...@esu.edu



 -Original Message-
 From: Pete Freitag [mailto:p...@foundeo.com]
 Sent: Thursday, October 18, 2012 3:49 PM
 To: cf-talk
 Subject: Re: CF 9 Updates


 The hotfixes and updates will fix many more issues than they will create.
 The only issue that seems to bite some folks is the session fixation
 patch, which should only cause a problem if you have multiple CF
 applications running on the same domain with different application names
 and using sessions.

 --
 Pete Freitag - Adobe Community Professional
 http://foundeo.com/ - ColdFusion Consulting & Products
 http://hackmycf.com - Is your ColdFusion Server Secure?
 http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes




 On Thu, Oct 18, 2012 at 3:17 PM, Steve LaBadie slaba...@po-box.esu.edu wrote:

 
  I have installed CF 9 version 9,0,0,251028 standard on a windows 2008
  with IIS 7. Are there any known issues with updates 1 and 2 and
  hotfixes and patches?
 
  Steve LaBadie, Web Manager
  East Stroudsburg University
  570-422-3999
  slaba...@esu.edu
 
  http://www.facebook.com/eaststroudsburguniversity
  http://twitter.com/esuniversity
  http://www.youtube.com/user/esuedu
 
 
 
 



 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352962


Re: CF 9 Updates

2012-10-18 Thread Pete Freitag

The hotfixes and updates will fix many more issues than they will create.
The only issue that seems to bite some folks is the session fixation patch,
which should only cause a problem if you have multiple CF applications
running on the same domain with different application names and using
sessions.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes




On Thu, Oct 18, 2012 at 3:17 PM, Steve LaBadie slaba...@po-box.esu.edu wrote:


 I have installed CF 9 version 9,0,0,251028 standard on a windows 2008
 with IIS 7. Are there any known issues with updates 1 and 2 and hotfixes and
 patches?

 Steve LaBadie, Web Manager
 East Stroudsburg University
 570-422-3999
 slaba...@esu.edu

 http://www.facebook.com/eaststroudsburguniversity
 http://twitter.com/esuniversity
 http://www.youtube.com/user/esuedu



 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352950


Re: Resolving security vulnerability

2012-10-04 Thread Pete Freitag

If you are doing something like this:

<input type="hidden" name="ip" value="#cgi.remote_addr#" />

and cgi.remote_addr is resolving to an internal IP such as 10.x.x.x or
192.168.x.x due to a proxy or load balancer, then you are disclosing the
internal IP of a computer on your network. Thus your PCI scan is saying you
are leaking that info.

In most cases the value you want is the actual remote user's IP address;
the proxy or load balancer will send that along in the X-Forwarded-For
header (which you can access
as GetHttpRequestData().headers["X-Forwarded-For"]).

If you really want to pass that info, you could also encrypt it and pass
that value; just be sure to validate and sanitize it as well.


--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?
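The X-Forwarded-For handling from the post, with the validation Pete asks for, written out as an added example; it is not code from the original message. It assumes a single trusted load balancer at 10.0.0.5 (a placeholder) that appends the real client address to the header, and it shows the one edge case that matters: a client can send its own X-Forwarded-For, so the entry to trust is the last one, which the proxy added, and only when the request actually arrived through that proxy.

```cfml
<!--- Added example, not code from the original post: resolve the client
      address behind a proxy without leaking the proxy's internal address.
      Assumes a single trusted load balancer at 10.0.0.5 (placeholder) that
      appends the real client address to X-Forwarded-For. --->
<cffunction name="getClientIP" returntype="string" output="false">
    <cfset var trustedProxies = "10.0.0.5">
    <cfset var headers = getHttpRequestData().headers>
    <cfset var candidate = cgi.remote_addr>
    <cfset var ipv4 = "^(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3}$">

    <!--- Trust the header only when the direct peer is our proxy; any client
          can send X-Forwarded-For, so on a direct connection it is ignored --->
    <cfif listFind(trustedProxies, cgi.remote_addr)
          AND structKeyExists(headers, "X-Forwarded-For")>
        <!--- The header grows "whatever the client sent, ..., real client" as
              each hop appends; the LAST entry is the one our proxy added, so
              take that rather than the first --->
        <cfset candidate = trim(listLast(headers["X-Forwarded-For"]))>
    </cfif>

    <!--- Header text is attacker-controlled; accept only a well-formed IPv4
          literal before it is logged, stored or echoed into a page --->
    <cfif NOT reFind(ipv4, candidate)>
        <cfreturn "">
    </cfif>
    <cfreturn candidate>
</cffunction>

<!--- The hidden field now carries the validated public client address, never
      cgi.remote_addr. Keeping the value in the session instead avoids the
      field, and the scanner finding, entirely. --->
<cfset clientIP = getClientIP()>
<cfif len(clientIP)>
    <cfoutput><input type="hidden" name="ip" value="#clientIP#" /></cfoutput>
</cfif>
```

Because the returned value has matched the IPv4 pattern, it is safe to place in the attribute as-is; anything else (an empty header, a hostname, a script fragment in the header) yields an empty string and no field at all.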




On Thu, Oct 4, 2012 at 9:57 AM, fun and learning funandlrnn...@gmail.com wrote:


 Hi All,
 I am using input hidden fields for some CGI variables. The security scan
 has issued 'information leakage' threat. These variables are defined in a
 file and the file is included in various places. What is the best way to
 resolve this vulnerability?
 Thanks

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352857


Re: CFMX 9 - Spell Check

2012-10-03 Thread Pete Freitag

Foundeo Spell Checker can work on cftextarea when format="html"; here's an
example with a button outside of the toolbar:
http://foundeo.com/spell-checker/fckeditor.cfm I know we have some code for
adding it to the ckEditor toolbar as well; it would probably not be too
difficult to add to the toolbar.
--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Wed, Oct 3, 2012 at 1:40 PM, ColdFusion Developer cfdev2...@gmail.com wrote:


 Does anyone know a means to implement Spell Check functionality into the
 CFTEXTAREAs toolbar?

 I don't think CFMX 9 has a SpellCheck engine so I have to find an
 alternative.


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352843


Re: Invoking Java component that sends SSL Client Key in CF9 Ent

2012-10-02 Thread Pete Freitag

My guess is that this has something to do with the RSA BSafe Crypto-J
security provider that CF Enterprise ships with. This API was upgraded in
CF10, so you could try that as an option. When you run Java from the
command line you are not using Crypto-J; when you run Java within CF you
are.

Another thing to try would be CF Standard since CF standard uses the
default Java security provider.

You might also be able to have CF9 Ent run with the default security
provider via some JVM options.

Also can you post the full stack trace for the error you are getting in CF?

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Tue, Oct 2, 2012 at 11:01 AM, Donnie Bachan (Gmail) donnie.bac...@gmail.com wrote:


 Thanks Dave,

 You just pass the location of the key file as a string so I'm just passing
 in C:\wamp\.\ClientKey.pem both in CF and Java class. I've tried using
 Wireshark as well to look at the packets being sent. From Java the request
 is fine, from CF the remote URL never gets called at all so it's not even
 getting to the bit where it makes the request. What I don't understand is
 why it's throwing the same error when I use a wrapper java class that then
 invokes the SDK. Even if I hard code the paths to the files in the java
 wrapper class and all CF does is call the wrapper class I get the same
 error. I'm thinking it may be some sort of permission issue why it can't
 read the key file but I can't figure out what to change. CF and Java and
 Apache all have full permissions on the directories.

 Donnie Bachan

 
   This returns an error: Cannot get key bytes, not PKCS#8 encoded. If,
   however, I wrap this in a java class and execute from command line it
  works
   just fine. It just refuses to work when called from ColdFusion.
 
  How are you providing the key file to the Java class from within CF?
  Are you just reading it via CFFILE? I suspect that's the problem,
  although I don't know what the solution would be exactly. When you
  execute the Java class from the command line, how are you providing
  the file in that case?
 
 


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352811
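A check for the provider question in this thread, added here as an example (it is not code from the thread or from Adobe): it lists the JCE providers in the order the ColdFusion JVM consults them and reports which provider actually serves the RSA KeyFactory, the RSA Cipher and the TLS SSLContext, so you can see whether Crypto-J (CF Enterprise) or the stock Sun providers (CF Standard, command-line Java) are handling the client key. Save it as a .cfm page under the CF instance in question; the page name is an assumption.

```cfml
<!--- providers.cfm: added example, not from the thread. Shows which JCE
      provider this CF JVM uses, so a "works from the command line, fails
      inside CF" difference can be traced to the provider order. --->
<cfset security  = createObject("java", "java.security.Security")>
<cfset system    = createObject("java", "java.lang.System")>
<cfset providers = security.getProviders()>

<cfoutput>
<p>JVM: #system.getProperty("java.vendor")# #system.getProperty("java.version")#
   (#system.getProperty("java.home")#)</p>

<!--- Providers are searched in this order for every getInstance() call;
      on CF Enterprise expect the RSA Crypto-J provider near the top --->
<ol>
<cfloop from="1" to="#arrayLen(providers)#" index="i">
    <li>#providers[i].getName()# #providers[i].getVersion()# :
        #htmlEditFormat(providers[i].getInfo())#</li>
</cfloop>
</ol>

<!--- Ask the JCE which provider actually services the primitives a
      client-certificate handshake needs; a key that parses fine under
      the Sun provider may be rejected by a different one --->
<cfset keyFactory = createObject("java", "java.security.KeyFactory").getInstance("RSA")>
<cfset cipher     = createObject("java", "javax.crypto.Cipher").getInstance("RSA")>
<cfset sslContext = createObject("java", "javax.net.ssl.SSLContext").getInstance("TLS")>
<p>KeyFactory(RSA) served by: #keyFactory.getProvider().getName()#<br>
   Cipher(RSA) served by: #cipher.getProvider().getName()#<br>
   SSLContext(TLS) served by: #sslContext.getProvider().getName()#</p>
</cfoutput>
```

Run the same page on a CF Standard instance, or compare with the `java -version` you used on the command line, to confirm that the provider at the top of the list is the only difference between the working and the failing run.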


Re: CF9 enterprise runs on 64-bit Red Hat 6?

2012-10-02 Thread Pete Freitag

Dan, I'm pretty sure it is not a supported OS for CF9. I do recall some
folks running into issues getting it to run on RHEL 6, but I think you can
workaround it, I have not tried personally.  I have used CF10 on RHEL 6 and
it works well.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Tue, Oct 2, 2012 at 6:57 PM, Dan LeGate d...@legeek.com wrote:


 I'm trying to find the equivalent ColdFusion 9 page to this CF10 page:

 http://www.adobe.com/products/coldfusion-enterprise/tech-specs.html

 trying to answer the question "Will ColdFusion 9 Enterprise run on
 64-bit Red Hat 6?"

 Any information is greatly appreciated!

 Dan

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352835


Re: CF DDos update released

2012-09-13 Thread Pete Freitag

On Thu, Sep 13, 2012 at 11:24 AM, Brian Thornton br...@cfdeveloper.com wrote:


 It was a field max to limit CSRF.. number of fields is limited or allowed
 by W3C standards so I strongly doubt that to be changed in this case..


This particular hotfix does not do anything to limit the number of form
fields submitted, however a previous hotfix did - APSB12-06, which added the
postParametersLimit setting to neo-runtime.xml - this value defaults to 100,
so submitting 53 form fields should not trigger it (unless you lowered the
default value). Note that if you installed the latest hotfix you also
installed this one, because the security hotfixes are mostly cumulative (for
9.0.1 at least). This was added to mitigate the effects of the HashDos
vulnerability; see more about that here:
http://www.petefreitag.com/item/808.cfm

I'm not sure how limiting the number of fields would limit a CSRF attack,
can you explain? Also I'm not aware of a standard limiting the number of
fields, but please prove me wrong if there is one. There are limits on the
size of the URL imposed by browsers, and in some HTML specifications, but
the HTTP RFC says "The HTTP protocol does not place any a priori limit
on the length of a URI"
http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1 -- I'm not
aware of any standard limiting the size or number of fields of a FORM post
in the HTTP protocol; my understanding is that it is up to the server to
determine what is acceptable.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352577


Re: CF DDos update released

2012-09-13 Thread Pete Freitag

Yes don't forget to count hidden form fields as well :)

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Thu, Sep 13, 2012 at 12:51 PM, Patti, Michael
mpa...@sherwood-group.com wrote:


 I just read Pete's post  about the HashDos vulnerability (
 http://www.petefreitag.com/item/808.cfm) and then went back to the adobe
 bulletin about this (
 http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix.html).

 After adding <var name='postParametersLimit'><number>500.0</number></var>
 and restarting CF, I'm now able to submit that form successfully.

 Thanks in helping me to resolve this situation!

 -Michael

 -Original Message-
 From: Patti, Michael
 Sent: Thursday, September 13, 2012 11:28 AM
 To: cf-talk
 Subject: RE: CF DDos update released

 I have the ability to change security groups for my profile within
 eSeries, and when I do that, it lowers the number of fields displayed on
 the profile edit screen to 38.  When I submit the form, it's still throwing
 the same error, so I think Brian and Pete are correct that this isn't about
 a limit to the number of fields submitted.  I'm honestly not sure where I'd
 change the default for number of fields that can be submitted, but I'm
 fairly certain that can be ruled out as a cause.

 I'm still stumped as to why this particular form refuses to submit.  It
 definitely has something to do with one of the recent hotfixes.  Before
 last night, I had only applied hf901-3.jar (on CF 9.0.1 standard), so I
 was a few behind when I installed hf901-6.jar.  I followed the
 instructions in Section 2 of
 http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb12-21.html
 to the letter, and given that every other form submission I've tested works
 fine, I don't think this is a case of a corrupted install.

 I'm poking around the source code of the form submission script to see if
 something in there might be causing it to stop; but does anyone know
 whether what I'm seeing (the HTTP Error 500) is the expected behavior when
 CF intercepts what it deems to be a CSRF attack?

 Thanks again for your help.

 -Michael

 -Original Message-
 From: Pete Freitag [mailto:p...@foundeo.com]
 Sent: Thursday, September 13, 2012 10:53 AM
 To: cf-talk
 Subject: Re: CF DDos update released


 On Thu, Sep 13, 2012 at 11:24 AM, Brian Thornton br...@cfdeveloper.com
 wrote:

 
   It was a field max to limit CSRF.. number of fields is limited or
   allowed by W3C standards so I strongly doubt that to be changed in this
  case..
 

 This particular hotfix does not do anything to limit the number of form
 fields submitted, however a previous hotfix did - APSB12-06, which added the
 postParametersLimit setting to neo-runtime.xml - this value defaults to 100,
 so submitting 53 form fields should not trigger it (unless you lowered the
 default value). Note that if you installed the latest hotfix you also
 installed this one, because the security hotfixes are mostly cumulative (for
 9.0.1 at least). This was added to mitigate the effects of the HashDos
 vulnerability; see more about that here:
 http://www.petefreitag.com/item/808.cfm

 I'm not sure how limiting the number of fields would limit a CSRF attack,
 can you explain? Also I'm not aware of a standard limiting the number of
 fields, but please prove me wrong if there is one. There are limits on the
 size of the URL imposed by browsers, and in some HTML specifications, but
 the HTTP RFC says "The HTTP protocol does not place any a priori limit
 on the length of a URI"
 http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1 -- I'm not
 aware of any standard limiting the size or number of fields of a FORM post
 in the HTTP protocol; my understanding is that it is up to the server to
 determine what is acceptable.

 --
 Pete Freitag - Adobe Community Professional http://foundeo.com/ -
 ColdFusion Consulting & Products http://petefreitag.com/ - My Blog
 http://hackmycf.com - Is your ColdFusion Server Secure?




 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352595
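A check for the postParametersLimit discussion above, added as an example (not code from the thread): the page POSTs to itself with exactly the limit and then with one more field, and reports whether the extra field is rejected. It assumes the page is reachable at its own CGI.SCRIPT_NAME, that the default limit is 100 as Pete says (pass ?limit=500 after raising it as Michael did), and that a rejected request comes back with an error status, as the HTTP 500 Michael saw suggests.

```cfml
<!--- postlimit-probe.cfm: added example, not from the thread. Confirms the
      postParametersLimit in neo-runtime.xml is enforced by POSTing to itself
      with exactly the limit, then with one field more. --->
<cfparam name="url.limit" default="100">   <!--- the default Pete quotes --->

<!--- Serving side: when the probe POSTs to us, report how many fields arrived --->
<cfif structKeyExists(form, "f1")>
    <cfcontent reset="true" type="text/plain">
    <cfoutput>received=#listLen(form.fieldnames)#</cfoutput>
    <cfabort>
</cfif>

<!--- Probing side: send 'count' form fields to this same page --->
<cffunction name="postFields" returnType="struct" output="false">
    <cfargument name="count" type="numeric" required="true">
    <cfset var self = "http://#cgi.server_name#:#cgi.server_port##cgi.script_name#">
    <cfset var res  = "">
    <cfset var out  = structNew()>
    <cfset var i    = 0>
    <cfhttp url="#self#" method="post" result="res" throwOnError="false" timeout="30">
        <cfloop from="1" to="#arguments.count#" index="i">
            <cfhttpparam type="formfield" name="f#i#" value="x">
        </cfloop>
    </cfhttp>
    <!--- A rejected request comes back as an error status (assumption, based
          on the 500 Michael reported); an accepted one echoes the count --->
    <cfset out.sent   = arguments.count>
    <cfset out.status = val(res.statusCode)>
    <cfset out.body   = trim(res.fileContent)>
    <cfreturn out>
</cffunction>

<cfset atLimit   = postFields(url.limit)>
<cfset overLimit = postFields(url.limit + 1)>

<cfoutput>
<p>#atLimit.sent# fields: HTTP #atLimit.status# (#htmlEditFormat(left(atLimit.body, 80))#)</p>
<p>#overLimit.sent# fields: HTTP #overLimit.status# (#htmlEditFormat(left(overLimit.body, 80))#)</p>
<cfif atLimit.status EQ 0 OR overLimit.status EQ 0>
    <p>Could not connect to #cgi.server_name#:#cgi.server_port#; check the host and port.</p>
<cfelseif atLimit.status EQ 200 AND overLimit.status GTE 400>
    <p>postParametersLimit of #url.limit# is enforced.</p>
<cfelseif overLimit.status EQ 200>
    <p>#url.limit + 1# fields were accepted: the limit is higher than #url.limit#,
       or the hotfix that adds it is not installed.</p>
<cfelse>
    <p>Even #url.limit# fields were rejected: the configured limit is lower than #url.limit#.</p>
</cfif>
</cfoutput>
```

Count hidden fields too when you size the limit for a real form, as Pete notes below; the probe page only tells you what the server currently enforces.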


Re: Denial of Service bug?

2012-09-10 Thread Pete Freitag

On Mon, Sep 10, 2012 at 1:28 PM, Tony F tnorther...@gmail.com wrote:

 Does 9.0.2 have any fixes not included in 9.0.1 Cumulative Hot Fix 2?


There are 3 security hotfixes APSB11-29, APSB12-15 and APSB12-06 that were
released after 9.0.1 Cumulative Hotfix 2 (which includes all 9.0.1 Security
hotfixes prior to and including APSB11-14 for 9.0.1). Those security
hotfixes are included in 9.0.2. Some more info here:
http://www.petefreitag.com/item/804.cfm

The APSB12-06 hotfix is for a DoS vulnerability, the HashDos vulnerability, but
the attack vector for that does not coincide with what you posted. More on
HashDos here: http://www.petefreitag.com/tag/hashdos

I tested your example and was able to produce the original error but did
not see subsequent requests failing, even when running through a load tool
at 2000 requests / 20 concurrent. Not to say the issue doesn't exist in your
setup; it could be specific to your setup or common to others. It sounds
like it would be worth further investigation. You can pass the issue along
to Adobe PSIRT http://www.adobe.com/support/security/alertus.html for
proper handling, but make sure you have applied all the security hotfixes
first.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352456


Re: Getting thread name via CF

2012-09-06 Thread Pete Freitag

Yes, the java.lang.Thread class has a static method you can call,
currentThread(), which gives you the current thread; just call getName() on
it, eg:

<cfset currentThread = CreateObject("java", "java.lang.Thread").currentThread()>
<cfoutput>Current Thread: #currentThread.getName()#</cfoutput>


--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Thu, Sep 6, 2012 at 3:28 PM, Rick Root rick.r...@gmail.com wrote:


 Hi,

 I have a process that runs using an event gateway.  Sometimes, I'd like to
 be able to look in FusionReactor and see what it is currently doing, if
 anything.

 But I don't always know what thread to look at, and I don't want to have to
 look at every thread to find it.

 I know that if I do a cflog statement, it will log the thread name...

 I wondered if there's a way I can access the current java thread name from
 within the CF code itself.

 Thanks.

 Rick

 --
 *The beatings will continue until morale improves.*


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352443


Re: turning of port 3306

2012-09-06 Thread Pete Freitag

Hi Rob,

You need to setup your network and/or OS firewall to block port 3306, and
then if MySQL is on the same box as CF, just use 127.0.0.1 and port 3306 to
connect to the DB. If CF and the DB are on different machines then
configure the firewall such that only the CF server's IP can access port
3306 on the DB server.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Thu, Sep 6, 2012 at 11:54 PM, Rob Voyle robvo...@voyle.com wrote:


 Hi Brian
 It's for PCI compliance for doing credit card transactions. ControlScan
 keeps reporting port 3306 being open to the internet.
 I just need ColdFusion to access MySQL. I used FreeSSHd to create an SSH
 tunnel which I can access on port 22 from Navicat on my desktop, so I can
 administer the MySQL database. But I can't get ColdFusion to access port 22.

 Rob

 On 6 Sep 2012 at 22:25, Brian Thornton wrote:

 
  Or use a DMZ port forwarding method based on the packet header...
 
  Is this for SOX compliance?
  On Sep 6, 2012 10:00 PM, Scott Slone ssl...@rubbergumball.net
  wrote:
 



 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352444


Re: Looking for Homesite+

2012-08-21 Thread Pete Freitag

FYI, just saw this: if you go here
http://www.adobe.com/cfusion/tdrc/index.cfm?product=jrun&loc=en_us you can
download Homesite 5.5.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Thu, Aug 16, 2012 at 3:17 PM,  wrote:


   I just need to update the tag definitions to the latest version of CFM.

 However, what is the last supported CF version and where are the updates
 available ?

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352241


Re: Hashing in CF9

2012-05-14 Thread Pete Freitag

The result of Hash() using SHA-512 will always be a 128-character hex string;
no matter what the input is, it will always be that length.

You can simply append or prepend the salt to the value you are hashing, eg:

#Hash(password & salt, "SHA-512")#

You don't need to Encrypt your password if you are hashing it, and your
salt should be different for every user; something like a UUID or
GenerateSecretKey("AES") is what I use. You can store the salt in another
column in your user table. I typically generate a new salt every time the
user changes password.


--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Mon, May 14, 2012 at 8:58 AM, Brian Thornton br...@cfdeveloper.com wrote:


 Docs are at:

 http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7c2f.html

 My client is moving from CF MX to CF 9 and I find this could be handled
 better..

 I am used to a 512-character string being created.
 In CF 9 <cfset passwordHash = Encrypt(password,"SHA-512") /> is
 generating an 11-character sized text.


 <cfset passwordHash = Hash(Encrypt(password,"SHA-512")) /> will get me
 512 but is this duplicitous?

  <cfset password = "myP@ssw0rd" />

  <cfset salt = "foo">
  <cfset passwordHash = Hash(Encrypt(password,"SHA-512")) />

 Where is the salt handled?

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351135
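The salt-per-user scheme Pete describes, written out as an added example (not part of his post): a record function to call whenever a password is set or changed, and the matching verify step for login. The column names password_salt and password_hash are assumptions.

```cfml
<cfscript>
// Added example, not from the thread: one random salt per user, SHA-512 over
// password & salt as Pete describes, and the verify step. Column names are
// assumptions.

// Call whenever a user sets or changes a password. Returns the two values to
// store in the user row; a fresh salt is generated every time.
function newPasswordRecord(required string password) {
    var rec = structNew();
    rec.password_salt = generateSecretKey("AES");   // 128 random bits, base64 encoded
    rec.password_hash = hash(arguments.password & rec.password_salt, "SHA-512");
    return rec;
}

// Call at login: recompute with the stored salt and compare with the stored hash.
function passwordMatches(required string password, required string password_salt,
                         required string password_hash) {
    var candidate = hash(arguments.password & arguments.password_salt, "SHA-512");
    return compareNoCase(candidate, arguments.password_hash) EQ 0;
}

// Two users with the same password get different hashes, so a leaked table
// cannot be matched row against row or against a precomputed table.
alice = newPasswordRecord("myP@ssw0rd");
bob   = newPasswordRecord("myP@ssw0rd");
writeOutput("alice: " & alice.password_hash & "<br>");
writeOutput("bob:   " & bob.password_hash & "<br>");
writeOutput("hash length: " & len(alice.password_hash) & "<br>");
writeOutput("alice, right password: "
            & passwordMatches("myP@ssw0rd", alice.password_salt, alice.password_hash) & "<br>");
writeOutput("alice, wrong password: "
            & passwordMatches("myP@ssw0rd!", alice.password_salt, alice.password_hash) & "<br>");
</cfscript>
```

Store the salt and hash together in the user row and never the Encrypt() output Brian started from; nothing needs to be decrypted at login, only recomputed.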


Re: encrypting with initialization vectors

2012-05-10 Thread Pete Freitag

You need to use a feedback mode other than ECB (the default when you omit
it from the algorithm) to use an IV, try using AES/CBC/PKCS5Padding for
your algorithm. This KB article has a lot of info about this stuff:
http://helpx.adobe.com/coldfusion/kb/strong-encryption-coldfusion-mx-7.html

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Thu, May 10, 2012 at 2:52 PM, Carol Knapp c...@kargo.net wrote:


 Here's the test code. I'll take AES or DESEDE or better. Running cf
 enterprise.


 <!--- testenc.cfm
 **  Purpose: test encryption
 --->
 <html>
 <head><title>Test ENC</title></head>
 <body style="margin:20px; font-family:Arial, Helvetica, sans-serif;
 font-size:12px; background-color:#f2f0db;">
 <h3>Test ENC</h3>

 <!--- Do the following if the form has been submitted. --->
 <cfif IsDefined("Form.myString")>
    <cfscript>
    theKey=generateSecretKey(Form.myAlgorithm);
    anotherKey=generateSecretKey(Form.myAlgorithm);
    useasiv =
 encryptBinary(anotherkey,theKey,Form.myAlgorithm,Form.myEncoding);

    //Encrypt the string.
    encrypted=encrypt(Form.myString, theKey,
 Form.myAlgorithm,Form.myEncoding);
    IVencrypted = encrypt(Form.myString, theKey,
 Form.myAlgorithm,Form.myEncoding,useasiv);
    //Decrypt it (the IV round trip must decrypt the IV-encrypted value).
    decrypted=decrypt(encrypted, theKey, Form.myAlgorithm,
 Form.myEncoding);
    IVdecrypted=decrypt(IVencrypted, theKey, Form.myAlgorithm,
 Form.myEncoding,useasiv);
    </cfscript>

    <!--- Display the values and the results. --->
    <cfoutput>
    <b>The algorithm:</b> #Form.myAlgorithm#<br>
    <br>
    <b>The key:&nbsp;&nbsp;</b> #theKey#<br>

    <br>
    <b>The string:</b> #Form.myString# <br>
    <br>
    <b>Encrypted:&nbsp;&nbsp;&nbsp;</b> #encrypted#<br>
    <b>IVencrypted:</b> #IVencrypted#<br>
    <br>
    <b>Decrypted:</b> #decrypted#<br>
    <b>IVdecrypted:</b> #ivdecrypted#<br>
    <br><br>
    </cfoutput>
 </cfif>

 <cfparam name="myEncoding" default="">
 <cfparam name="myAlgorithm" default="">
 <cfparam name="onetimeid" default="#createUUID()#">
 <!--- The input form. --->
 <form action="<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>" method="post">
    <input type="hidden" name="onetimeid"
 value="<cfoutput>#onetimeid#</cfoutput>">
    <b>Select the encoding</b><br>
    <select size="1" name="myEncoding">
    <option <cfif myEncoding IS "UU">selected</cfif>>UU</option>
    <option <cfif myEncoding IS "Base64">selected</cfif>>Base64</option>
    <option <cfif myEncoding IS "Hex">selected</cfif>>Hex</option>
    </select><br>
    <br>
    <b>Select the algorithm</b><br>
    <select size="1" name="myAlgorithm">
    <option <cfif myAlgorithm IS "AES">selected</cfif>>AES</option>
    <option <cfif myAlgorithm IS "DES">selected</cfif>>DES</option>
    <option <cfif myAlgorithm IS
 "DESEDE">selected</cfif>>DESEDE</option>
    </select><br>
    <br>
    <b>Enter string to encrypt</b><br>
    <textarea name="myString" cols="40" rows="2" wrap="virtual">1234567890123456</textarea>
    <input type="submit" value="Encrypt my String">
 </form>
 </body>
 </html>

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351107
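The fix Pete points at, as an added example rather than Carol's test page: AES/CBC/PKCS5Padding with a fresh random IV per message, the IV stored alongside the ciphertext so decrypt() gets the same one back, and a side-by-side showing the repeated-block leak of the ECB default. Using generateSecretKey() as a source of 16 random bytes for the IV is an assumption of convenience; any CSPRNG output of block size would do.

```cfml
<cfscript>
// Added example, not Carol's code: AES in CBC mode with a fresh random IV for
// every encrypt() call, which is what the fifth argument is for. The IV is
// not secret but must never repeat under the same key, so it travels with
// the ciphertext (here prepended as hex, separated by ":"). The algorithm
// string must name the mode: plain "AES" means ECB, which has no IV and
// encrypts equal plaintext blocks to equal ciphertext blocks.

function encryptWithIV(required string plaintext, required string key) {
    // generateSecretKey("AES") is 128 random bits = one AES block, so its
    // decoded bytes are a correctly sized IV (assumption: used only as a
    // convenient random-bytes source, never as a key)
    var iv = binaryDecode(generateSecretKey("AES"), "base64");
    var cipherHex = encrypt(arguments.plaintext, arguments.key,
                            "AES/CBC/PKCS5Padding", "Hex", iv);
    return binaryEncode(iv, "hex") & ":" & cipherHex;
}

function decryptWithIV(required string token, required string key) {
    var iv = binaryDecode(listFirst(arguments.token, ":"), "hex");
    var cipherHex = listLast(arguments.token, ":");
    return decrypt(cipherHex, arguments.key, "AES/CBC/PKCS5Padding", "Hex", iv);
}

key = generateSecretKey("AES");
msg = "1234567890123456";   // exactly one 16-byte block, same as the test page

// CBC: same key and plaintext, different IV, so a different ciphertext each time
t1 = encryptWithIV(msg, key);
t2 = encryptWithIV(msg, key);
writeOutput("CBC first:  " & t1 & "<br>CBC second: " & t2 & "<br>");
writeOutput("round trip: " & decryptWithIV(t1, key) & "<br>");

// ECB (the default when the mode is omitted): two identical plaintext blocks
// give two identical 32-hex-char ciphertext blocks, the pattern CBC hides
ecb = encrypt(msg & msg, key, "AES", "Hex");
writeOutput("ECB: " & ecb & "<br>");
writeOutput("ECB block 1 equals block 2: " & (left(ecb, 32) EQ mid(ecb, 33, 32)) & "<br>");
</cfscript>
```

The same pattern applies to DESEDE with "DESEDE/CBC/PKCS5Padding" and an 8-byte IV; what does not change is that the IV is generated per message and stored with the ciphertext, never derived from the key.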


Re: Blank page with no HTML tags

2012-03-09 Thread Pete Freitag

Try this:

<cfcontent reset="true" type="text/plain"><cfabort>

That should be blank in all browsers, and will reset the output buffer to
remove any whitespace that might have been caused by code running prior to
that or in your Application.cfc/cfm

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Fri, Mar 9, 2012 at 12:40 PM, Chad Baloga cbal...@gmail.com wrote:


 Thanks for the ideas.. I'll give them a try

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350327


Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Pete Freitag

Hi Robert,

You are caught in a bit of a catch-22 here. If you want to set the secure
attribute on session cookies delivered over SSL, but also have it use the
same cookie values over non-SSL, then that defeats the purpose of adding
the secure attribute. If you want to do that you can't use the secure
attribute on the cookies.

The secure attribute says only send this cookie over SSL, so when you make
a request to a non-SSL URL the browser will not send the cookie; this
causes ColdFusion to issue a new session.

The best solution is to run all on SSL as Cameron suggested. Here's a good
read on the performance of SSL and TLS:
http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html the main
point being that SSL is not as computationally expensive as you may think.

If that's not going to fly then you need to build something to share data
between the sessions, while making sure that the non-SSL data is not
privileged; it can get complicated to ensure that you're not opening
yourself up to security issues over non-SSL.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Tue, Mar 6, 2012 at 2:19 AM, Robert Rhodes rrhode...@gmail.com wrote:


 So a site that I built failed PCI compliance testing because the jsessionid
 cookie is not set securely.

 I found this post
 http://thinkinglemur.com/index.php/2009/02/setting-secure-attribute-of-jsessionid-cookie-in-coldfusion-8/
 that
 shows how to force JRun to always set the session cookies securely,
 but the user loses their session state when they move between secure and
 non-secure pages (the jsessionid is different for secure pages).  This is
 obviously a big problem, since we can't have the entire user session
 running under SSL.  Any ideas on how to get the jsessionid to be the same
 on secure and non-secure pages?  I am a little lost here.

 I am running CF 9.0.1, with the app set to sessionmanagement="yes" and
 setclientcookies="no".  In the administrator, I have Cookie set as my
 default client storage mechanism, and J2EE session variables
 enabled.  I also have "use UUID for cftoken" enabled, but since I have
 setclientcookies set to "no", I don't think that matters.

 *-RR*


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350275
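The run-everything-on-SSL option, as an added example (not from the thread): an Application.cfc that redirects any http:// request to its https:// equivalent before the page runs, so once jsessionid carries the secure attribute (set in the JRun config as in the post Robert linked) the browser never makes a non-SSL request that would start a second session. It assumes the web server connector passes CGI.SERVER_PORT_SECURE through; behind a TLS-terminating load balancer you would test the forwarding header the balancer sets instead, which is not shown here.

```cfml
<!--- Application.cfc: added example, not from the thread. Forces every
      request onto HTTPS so the secure-flagged session cookie is always
      presented and no second, non-SSL session is ever created. --->
<cfcomponent output="false">
    <cfset this.name = "secureSessionApp">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <cffunction name="onRequestStart" returnType="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var target = "">

        <!--- CGI.SERVER_PORT_SECURE is "1" only when the connector saw TLS;
              this check depends on the connector passing it through --->
        <cfif NOT val(cgi.server_port_secure)>
            <!--- Rebuild the same URL on https and send a permanent redirect.
                  Nothing else on the page runs, so no application data is
                  served in the clear and no session work happens over http --->
            <cfset target = "https://" & cgi.server_name & cgi.script_name>
            <cfif len(cgi.query_string)>
                <cfset target &= "?" & cgi.query_string>
            </cfif>
            <cflocation url="#target#" addToken="false" statusCode="301">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

A POST that arrives over http is turned into a GET by the redirect and its body is lost, which is the right outcome: a form that posted over plain http has already exposed its contents, so fix the form's action rather than relaying the data.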


Re: CF attack on a buddies server

2012-02-24 Thread Pete Freitag

On Thu, Feb 23, 2012 at 7:39 PM, James Holmes james.hol...@gmail.com wrote:


 This would confirm which patches are missing:

 http://www.hackmycf.com/


James - it will let you know to the best of its abilities, but there are
certain factors that might cause it to not detect a missing patch (eg
perhaps something is not there on one virtual host that is on another, and
some patches we could detect remotely but doing so would cause your server
to crash, so we don't do those tests, of course).

For paid subscribers we (full disclosure: I own the company that sells the
service) have a cfm file that you can place on your server that we call the
probe. The probe.cfm file allows hackmycf.com and your server to
communicate (encrypted with AES, and you can also layer SSL on top of that)
additional info that yields a more reliable result than the free version.
The probe sends back Java version information, a list of jar file names in
the lib/updates directory, and we are also able to request an md5 checksum
of certain files.

Here's a screenshot that shows the additional info you can get on a CF9.0.1
server: https://foundeo.com/hack-my-cf/images/6-reasons.png

I hope that answers your question; feel free to contact me directly, and you
all can use discount code 543m to get $5 off your first 3 months (new
accounts only, expires 3/1/12).

-pete


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350087


Re: Application Mappings RE: Ram Disk problem under load

2012-02-23 Thread Pete Freitag

Do you have code that calls ApplicationStop() on error or something? I
wonder if that might cause the application-scoped mappings to be undefined
for a split second while the application is reloading. Just a guess.



On Thu, Feb 23, 2012 at 1:10 PM, Brook Davies cft...@logiforms.com wrote:


 So we ran a load test last night with 100 concurrent users. Everything went
 fine *except* this ram disk problem  and another problem with a missing
 template include. Looking at it closer, both errors Could not find the
 included template used application mappings to do the include.

 These are defined in the application.cfc:

 <cfcomponent output="false" extends="coldfireApplication">

  <cfset this.name = 'YourMama'>
  <cfset this.mappings[ "/publicroot" ] = webroot & 'web\public\' />
  <cfset this.mappings[ "/ram" ] = "ram://" />

 </cfcomponent>

 Cf 8.01 had a hotfix that was supposed to fix  custom tag path mappings
 acting up under load:
 http://kb2.adobe.com/cps/529/cpsid_52915.html

 73761   Fix for the error Cannot find CFML template for custom tag thrown
 under load when using THIS.customtagpath in application.cfc and enable per
 app settings is enabled.


 But I am running CF 9.01 with all the hotfixes. BTW, I dumped the ram disk
 after some failed includes and the file *did exist* on the ram disk.

 --

 I just did another load test this morning, however this time the load was
 all done on a single application testing a form submission process (this is
 where the include error was generated). No errors this time. The difference
 between this test and the last test that generated lots of errors is that
 this test did not run concurrent load on the other side of this application
 which uses an application.cfc that extends the main application.cfc via
 applicationProxy.cfc. It’s a child application that shares the main
 applications name and scope but also enables client variables and does some
 other stuff (pseudo code below)

 <cfcomponent output="false" extends="ApplicationProxy">
   <cfset this.clientManagement = true>
   <cfset this.setClientCookies = true>
   <cfset this.setDomainCookies = true>
   <cfset this.clientStorage = 'LF-CLIENTVARS'>

   <!--- NO MAPPINGS HERE LIKE IN THE MAIN APPLICATION.CFC. COULD THAT
   BE THE PROBLEM?? --->

   <cffunction name="onRequestStart" returnType="boolean" output="false">
     <cfargument name="thePage" type="string" required="true">
     <cfset super.onRequestStart(arguments.thePage)>
     <cfreturn true>
   </cffunction>

 </cfcomponent>

 ---

 So my guess is that because it doesn't include the application mappings
 that
 it is somehow overwriting them when two requests run at the same time.
 Strange I know, but that’s the best I can figure. I am gonna run another
 load test tomorrow night, and try adding the mappings into the child
 application and see if that helps.



 Brook


 -Original Message-
 From: Brook Davies [mailto:cft...@logiforms.com]
 Sent: February-22-12 12:30 PM
 To: cf-talk
 Subject: RE: Ram Disk problem under load


 Hi Raymond,

 I don't see your reply actually... oh here it is in my junk
 folder...g...

 Tonight when the load test is running, I'll pause midway and swap in a real
 file path and see how that runs.

 The only other thing I can think is that there is a name collision and the
 file is deleted by another thread who was using the same filename. But the
 filename variable IS var scoped (FYI, this IS inside an application scoped
 CFC).

 Brook



 -Original Message-
 From: Raymond Camden [mailto:raymondcam...@gmail.com]
 Sent: February-22-12 11:38 AM
 To: cf-talk
 Subject: Re: Ram Disk problem under load


 Noticed you didn't reply to my idea... can you also ensure that it really
 is
 a VFS issue by simply switching to a real folder - just for testing?

 On Wed, Feb 22, 2012 at 12:05 PM, Brook Davies cft...@logiforms.com
 wrote:
 
  Good idea, I'll check the contents of the ram disk after any failures...
 
  Brook
 
  -Original Message-
  From: Pete Freitag [mailto:p...@foundeo.com]
  Sent: February-22-12 9:58 AM
  To: cf-talk
  Subject: Re: Ram Disk problem under load
 
 
  Hi Brook,
 
  Certainly you will want to have a try / catch around that, you could
  put the delete of the ram file in a cffinally tag to ensure it runs,
  otherwise if an error is thrown in the cfinclude the file never gets
  deleted and stays in ram.
 
  Also to answer your question about the garbage collection, I don't
  think that would be the issue, the garbage collector only removes
  objects that have a reference count of zero, I would assume that when
  you have a file on the ram disk ColdFusion maintains a reference to
  it, when you delete the file CF will delete the reference and allow the
 GC
 to cleanup.
 
  I don't think reducing the size of your ram disk will make the problem
  go away.
 
  What you might want to do is run this after you run your load test to
  see

Re: CF attack on a buddies server

2012-02-23 Thread Pete Freitag

On Wed, Feb 22, 2012 at 7:55 PM, Ras Tafari rastaf...@gmail.com wrote:

 any idea how they were able to get the file that ran into the cfide
 directory? and what might prevent that part?
 that's the most haunting part to him.  i said it was probably a
 windows exploit first... not sure tho.


If they are running CF8 without security hotfixes then there is a really
good chance that it was the FCKeditor vulnerability:
http://www.adobe.com/support/security/bulletins/apsb09-09.html

But there are also so many other ways they could have done it. The
bottom line is you want to make sure you have all security hotfixes in
place, and then make sure everything is running with the least possible
privilege. Otherwise it's pretty easy to take control of your server!

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350075


Re: Ram Disk problem under load

2012-02-22 Thread Pete Freitag

Another thing to consider is that the RAM disk has a size limit specified
in the ColdFusion Administrator. Is it possible that the write failed
(perhaps silently) because the RAM disk was full?


--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?



On Wed, Feb 22, 2012 at 3:12 AM, Brook Davies cft...@logiforms.com wrote:


 Hey everyone,

 Did some very light pre-load testing yesterday in preparation for a larger
 test tomorrow. This limited load threw some errors. I'm writing to the in
 memory file system some CFML code, that I then cfinclude to execute it.
 It's
 pretty straightforward code, and this was under very little load (10
 concurrent users only).

 Note: I have an application mapping for the ram disk in application.cfc:

 <cfset this.mappings["/ram"] = "ram://" />

 And then in the problem code:

 -
 <!--- set the filename to a unique name --->
 <cfset filename = 'wildcardparsing-#createUUID()#.cfm'>
 <!--- write the file --->
 <cffile action="write" output="#cfml#" file="ram://#filename#" />
 <!--- include and execute the cfml --->
 <cfinclude template="/ram/#filename#" />
 <!--- clean up --->
 <cffile action="delete" file="ram://#filename#" />

 -

 The error I got was:

 Could not find the included template
 /ram/wildcardparsing-66031760-EEDC-69FB-8F2EFEC77564096A.cfm.

 I got a similar error in another template on a different execution that
 uses
 similar code to generate the CFML for a CFDOCUMENT tag and then writes it
 to
 ram disk and includes. I have never seen this error in development; it only
 started happening under a wee bit of load. What could be the problem? The
 In
 memory file system is set to 500 megs in the cfadmin (which is probably
 overkill..). Would a garbage collection before the include had been
 completed cause this to happen?

 Brook




 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350030


Re: CF attack on a buddies server

2012-02-22 Thread Pete Freitag

I have seen variants of that script before, it is published in several
places.

In addition to what has already been mentioned, here are some steps you can
take to make sure these types of attacks fail (obviously though the more
critical issue is how did the attacker get the file there in the first
place, probably through a file upload vulnerability, or a path traversal
that exposed a password they could then use to upload):

1) Change the default encryption seed in CF administrator (this is for CF9
only)
2) Check "Disable access to internal ColdFusion Java components" in the CF
Admin to prevent access to the service factory
3) Set up a sandbox (and yes, you can still set up a sandbox on Standard
edition, you are just limited to one set of sandbox settings for the entire
server, instead of being able to create multiple sandboxes) to block
cfexecute, and more if possible.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Wed, Feb 22, 2012 at 11:31 AM, Ras Tafari rastaf...@gmail.com wrote:


 here's the code again incase pastebin killed that link

 http://pastebin.com/qvBTEP50

 On Wed, Feb 22, 2012 at 11:12 AM, Dave Watts dwa...@figleaf.com wrote:
 
  this code was somehow dropped into my friends cfide directory and ran,
  did lots of bad things, stole db passwords, changed his cf code, etc.
 
  http://pastebin.com/Jg2Cs0ch
 
  any idea how to protect from this kinda attack?
  thanks!
 
  I would recommend that you read the CF 9 Server Lockdown Guide:
 
 
 http://www.adobe.com/products/coldfusion/whitepapers/pdf/91025512_cf9_lockdownguide_wp_ue.pdf
 
  In this specific case, you shouldn't allow CF to write to any web
  content directories by default, and you shouldn't allow file uploads
  to any web content directories.
 
  Dave Watts, CTO, Fig Leaf Software
  http://www.figleaf.com/
  http://training.figleaf.com/
 
  Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
  GSA Schedule, and provides the highest caliber vendor-authorized
  instruction at our training centers, online, or onsite.
 
 

 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350032


Re: Ram Disk problem under load

2012-02-22 Thread Pete Freitag

Hi Brook,

Certainly you will want to have a try / catch around that; you could put
the delete of the ram file in a cffinally tag to ensure it runs,
otherwise if an error is thrown in the cfinclude the file never gets
deleted and stays in ram.

Also, to answer your question about the garbage collection, I don't think
that would be the issue. The garbage collector only removes objects that
have a reference count of zero; I would assume that when you have a file on
the ram disk ColdFusion maintains a reference to it, and when you delete the
file CF will delete the reference and allow the GC to clean up.

I don't think reducing the size of your ram disk will make the problem go
away.

What you might want to do is run this after you run your load test to see
what's in there:

<cfdirectory directory="ram://" action="list" recurse="true" name="dir">
<cfdump var="#dir#">

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Wed, Feb 22, 2012 at 12:44 PM, Brook Davies cft...@logiforms.com wrote:


 Hi Pete,

 I don't think it's possible because the ram disk size is set to 500 megs,
 and
 this was only 10 concurrent users!  I have another test with 100 concurrent
 users running tonight and I guess we'll see what happens though I am sure
 this is going to be an issue. I added a try/catch around the write/read and
 am then attempting to do it again, so I guess we'll see what happens.

 Maybe I should reduce the size allocated to the ram disk?

 Brook

 -Original Message-
 From: Pete Freitag [mailto:p...@foundeo.com]
 Sent: February-22-12 9:35 AM
 To: cf-talk
 Subject: Re: Ram Disk problem under load


 Another thing to consider is that the Ram disk has a size limit specified
 in
 the ColdFusion administrator. Is it possible that the write failed (perhaps
 silently) because the ram disk was full.


 --
 Pete Freitag - Adobe Community Professional
 http://foundeo.com/ - ColdFusion Consulting & Products
 http://petefreitag.com/ - My Blog
 http://hackmycf.com - Is your ColdFusion Server Secure?



 On Wed, Feb 22, 2012 at 3:12 AM, Brook Davies cft...@logiforms.com
 wrote:

 
  Hey everyone,
 
  Did some very light pre-load testing yesterday in preparation for a
  larger test tomorrow. This limited load threw some errors. I'm writing
  to the in memory file system some CFML code, that I then cfinclude to
 execute it.
   It's
  pretty straightforward code, and this was under very little load (10
  concurrent users only).
 
  Note: I have an application mapping for the ram disk in application.cfc:
 
  <cfset this.mappings["/ram"] = "ram://" />
 
  And then in the problem code:
 
  -
  <!--- set the filename to a unique name --->
  <cfset filename = 'wildcardparsing-#createUUID()#.cfm'>
  <!--- write the file --->
  <cffile action="write" output="#cfml#" file="ram://#filename#" />
  <!--- include and execute the cfml --->
  <cfinclude template="/ram/#filename#" />
  <!--- clean up --->
  <cffile action="delete" file="ram://#filename#" />
 
  -
 
  The error I got was:
 
  Could not find the included template
  /ram/wildcardparsing-66031760-EEDC-69FB-8F2EFEC77564096A.cfm.
 
  I got a similar error in another template on a different execution
  that uses similar code to generate the CFML for a CFDOCUMENT tag and
  then writes it to ram disk and includes. I have never seen this error
  in development; it only started happening under a wee bit of load. What
  could be the problem? The In memory file system is set to 500 megs in
  the cfadmin (which is probably overkill..). Would a garbage collection
  before the include had been completed cause this to happen?
 
  Brook
 
 
 
 
 



 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350033
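An added example (not Brook's or Pete's code) of the try / cffinally pattern Pete describes for the RAM disk, plus the post-load-test listing; it assumes the /ram mapping from Application.cfc shown above and a variable named cfml that already holds the generated source.

```cfml
<!--- Added example: write generated CFML to the in-memory file system,
      execute it, and guarantee cleanup with cffinally. Assumes the /ram
      mapping to ram:// from Application.cfc and that "cfml" holds the
      generated source (both taken from the thread, not invented here). --->
<cfset filename = "wildcardparsing-#createUUID()#.cfm">
<cfset ramPath = "ram://#filename#">

<cftry>
    <cffile action="write" file="#ramPath#" output="#cfml#">

    <!--- Confirm the write actually produced a file before including it.
          A full RAM disk or a silently failed write surfaces here as a
          clear error instead of "Could not find the included template". --->
    <cfif NOT fileExists(ramPath)>
        <cfthrow type="RamDisk.WriteFailed"
                 message="Write to #ramPath# produced no file (RAM disk full?)">
    </cfif>

    <cfinclude template="/ram/#filename#">

    <cfcatch type="any">
        <!--- Log with the RAM path so leaks can be matched to requests,
              then rethrow so the caller still sees the real error. --->
        <cflog file="ramdisk" type="error"
               text="#cfcatch.type#: #cfcatch.message# (#ramPath#)">
        <cfrethrow>
    </cfcatch>
    <cffinally>
        <!--- Runs whether the include succeeded or failed, so an erroring
              request never leaves a file behind consuming RAM disk space. --->
        <cfif fileExists(ramPath)>
            <cffile action="delete" file="#ramPath#">
        </cfif>
    </cffinally>
</cftry>

<!--- After a load test, list what is still on the RAM disk. Anything shown
      here is a leak from a code path that skipped the cleanup above. --->
<cfdirectory action="list" directory="ram://" recurse="true" name="leftovers">
<cfdump var="#leftovers#" label="Files remaining on ram://">
```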


Re: Required folders under CFIDE

2012-02-22 Thread Pete Freitag

Pradeep,

I would not suggest copying the /CFIDE/ scripts folder into every site
root. This can become a nightmare to manage when you need to update with
patches or new versions. Instead you should create a virtual directory.

I do recommend you set up a virtual host just for ColdFusion administrator;
this makes it easy to restrict, log, etc. Some use the built-in JRun web
server for this purpose and that also works well in many scenarios.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Wed, Feb 22, 2012 at 2:37 PM, Pradeep Rajasekaran 
pradeepviswanatha...@gmail.com wrote:


 Pete,

 Sorry on the delayed response. Thank you for the extra tips.

 I am planning to setup the servers with 1 web server but with individual
 virtual hosts for every CF Applications and ColdFusion Administrator. The
 CFIDE folder containing just the scripts and other required stuff to be
 copied under every virtual host.

 The other option I have is to have 2 web servers on the same box. One for
 the ColdFusion Administrator and the other for CF Applications. Again all
 apps will have individual virtual hosts.

 Guess sounds a bit crazy, but please let me know your comments on this.


 Pradeep,
 
 There are also some other internal mappings that fall under /CFIDE that
 you
 should be aware of if you are using Flash Forms or cfchart (RDS also has a
 mapping under /CFIDE but hopefully you have disabled that on production).
 
 The /CFIDE/scripts/ folder can be moved somewhere else, see:
 http://www.petefreitag.com/item/774.cfm. If you are not using cfform,
 cffileupload, or cfmediaplayer then it is probably not needed, though
 keep
 in mind that ColdFusion administrator does use cfform.
 
 
 
 --
 Pete Freitag - Adobe Community Professional
 http://foundeo.com/ - ColdFusion Consulting & Products
 http://petefreitag.com/ - My Blog
 http://hackmycf.com - Is your ColdFusion Server Secure?
 
 
 
 
 On Wed, Feb 8, 2012 at 10:04 AM, IT (Pradeep Viswanathan) 
 prade...@emiratesnbd.com wrote:
 
 

 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350039


Re: CFScript Book

2012-02-20 Thread Pete Freitag

For what it's worth I have a cfscript cheatsheet here:
http://www.petefreitag.com/cheatsheets/coldfusion/cfscript/

It lists much but certainly not all of what you need to know to use
cfscript. Feedback, suggestions welcome.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Mon, Feb 20, 2012 at 12:25 PM, Cameron Childress camer...@gmail.com wrote:


 On Mon, Feb 20, 2012 at 10:48 AM, Robert Rhodes rrhode...@gmail.com
 wrote:

  Are there any CFScript books out there?  I ordered this one but it was a
  complete joke.  A total waste of money:
  http://www.barnesandnoble.com/w/cfscript-lambert-m-surhone/1026883099.
 

 Is there a reason you want to only learn CFScript?  The CFML language has
 so many tags and many ways of doing things.  Learning only CFScript may not
 serve you well. Attempting to use all tags or all script is probably
 not the best goal IMHO.

 Having said that, the Adobe docs are a good starting point for learning
 CFScript, but if you want more than that I'd look at a regular ole CF
 Book like CFWACK, and then look for a CFScript equivalent for what you're
 doing if you really need/want one.

 -Cameron

 --
 Cameron Childress
 --
 p:   678.637.5072
 im: cameroncf
 facebook http://www.facebook.com/cameroncf |
 twitterhttp://twitter.com/cameronc |
 google+ https://profiles.google.com/u/0/117829379451708140985


 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349969


Re: Required folders under CFIDE

2012-02-13 Thread Pete Freitag

Pradeep,

There are also some other internal mappings that fall under /CFIDE that you
should be aware of if you are using Flash Forms or cfchart (RDS also has a
mapping under /CFIDE but hopefully you have disabled that on production).

The /CFIDE/scripts/ folder can be moved somewhere else, see:
http://www.petefreitag.com/item/774.cfm. If you are not using cfform,
cffileupload, or cfmediaplayer then it is probably not needed, though keep
in mind that ColdFusion administrator does use cfform.



--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Wed, Feb 8, 2012 at 10:04 AM, IT (Pradeep Viswanathan) 
prade...@emiratesnbd.com wrote:


 I am currently setting up a new server where my CFIDE is completely not
 exposed - it actually runs on a different web server/port.

 I would want to copy the folders that are essential from the CFIDE folder
 to make the AJAX /others cftags to work, can someone please tell me what
 folders will be required.

 I see that scripts folder is required?

 Thx & rgds,
 Pradeep Viswanathan R





 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349873


Re: Sending an email by fax solution

2012-01-25 Thread Pete Freitag

I use interfax.net; they also have an API you can use in addition to sending
email.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Wed, Jan 25, 2012 at 1:05 PM, Terry Troxel terry.tro...@gmail.com wrote:


 Any suggestions as to a good solution to have an email sent to a fax
 service
 from my website in CF?



 Terry



 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349628


Re: How many of the CF-Talk regulars blog?

2012-01-12 Thread Pete Freitag

Here's mine: http://www.petefreitag.com/rss/

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Thu, Jan 12, 2012 at 10:31 AM, DURETTE, STEVEN J sd1...@att.com wrote:

 Hey All,

 I was just updating the RSS feeds for the blogs that I read, and I was 
 wondering how many of the regulars here on CF-Talk blog. I mean there are a 
 lot of people who, I have come to really respect on this list and I like 
 reading their opinions, answers, etc (Dave Watts, Jochem, plus so many 
 others) and if they have blogs I would really like to read them. If you blog 
 please reply and include the link to the blog.

 I really don't know what I would have done starting out in ColdFusion if it 
 hadn't been for this list and all the people on it!

 Steve




 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349467


Re: One app kills another's session

2011-12-15 Thread Pete Freitag

Bryan,

Are these apps running on the same domain or different domains? If
they are on the same domain then you will need to specify the path in
your session cookies so they don't invalidate each other (this is
relatively new behavior due to the session fixation security hotfix
APSB11-04 released in Feb).

Also if you are experiencing a cookie problem on one browser but not
another make sure you have cleared cookies first.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Thu, Dec 15, 2011 at 12:22 PM, Bryan Stevenson
br...@electricedgesystems.com wrote:

 Hey All,

 Can't say that I've bumped into this before.

 1) 2 apps are involved and both use SESSION vars to store user details
 once they login.

 2) Both apps are set to setClientCookies in CFAPPLICATION

 3) App 1 uses a standard login form where credentials are verified and
 the SESSION vars are set if successful

 4) App 2 uses Windows Integrated Authentication to grab the user's ID
 off the network and use that as part of the authentication process -
 when successful...SESSION vars are set as in app 1

 5) Both apps have a different name in CFAPPLICATION ;-)

 6) both apps reside on the same server running CF 8 against Oracle 10G

 Here's what happens on WinXP Pre SP 3 with IE 7:
 
 1) Open new IE7 window and log in to app1

 2) Open new IE7 window and log in to app 2

 3) Go back to the browser with app 1 and try to navigate through app -
 get kicked to session expired screen
 

 This was tested by another user on XP with IE8 and the issue did not
 occur.

 So I'm pretty sure this is an IE7 issue, but I'm a tad lean on things to
 check... any ideas?

 TIA

 Cheers
 --


 Bryan Stevenson B.Comm.
 VP & Director of E-Commerce Development
 Electric Edge Systems Group Inc.
 phone: 250.480.0642
 fax: 250.480.1264
 cell: 250.920.8830
 e-mail: br...@electricedgesystems.com
 web: www.electricedgesystems.com




 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349171


Re: Weird attack

2011-11-29 Thread Pete Freitag

On Thu, Nov 24, 2011 at 9:41 AM, Matt Blatchley m...@bridgeleaf.com wrote:

 I've never used Fuseguard before, looks pretty good though.  Any
 experience with the customizations?  It says fully customizable, but
 is it all done via code, or a GUI?

Hi Matt,

Just wanted to provide some more details on how customizing FuseGuard
works - it is customized via a CFC file called a Configurator. You can use
one configurator for all your sites, or create customized configurators
for each site / application. When you add FuseGuard to your
Application.cfc/cfm you simply tell it which Configurator CFC to use
for the given application.

The Configurator tells FuseGuard which filters (filters inspect the
request and give it a threat level, they do not modify the input as
that can lead to hard to debug issues), loggers (log to db, email,
files, etc), and block listeners (api hook that runs if FuseGuard is
configured to block a request, and a request is blocked) to run, along
with a few other FuseGuard instance specific settings. You can find
the Install / Config Docs here:
http://foundeo.com/security/fuseguard/docs/2.0/ and the CFC api
reference here:
http://foundeo.com/security/fuseguard/docs/2.0/reference/ or if you
prefer here's a 10 min video on installing / configuring FuseGuard:
http://www.youtube.com/watch?v=ubESB87vl5U

Feel free to contact me directly if you want. Thanks.
--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:348902


Re: FCKEditor.. XML Request error: Access denied (403)

2011-11-08 Thread Pete Freitag

This is disabled by default, you need to enable it via a Java System
Property, see details here: http://www.petefreitag.com/item/718.cfm

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Wed, Nov 2, 2011 at 7:40 PM, Terry Troxel terry.tro...@gmail.com wrote:

 Coldfusion 9, just started has been working fine on all the websites until
 today when using FCKEditor to browse server for an image.

 Any Ideas?

 Java recently Updated.

 Terry


 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:348521


Re: Images stored in a database...

2011-10-20 Thread Pete Freitag

On Wed, Oct 19, 2011 at 10:52 PM, Gerald Guido gerald.gu...@gmail.com wrote:

 Awesome find Pete. Thanx for Sharing!

You're welcome Gerald. One thing I forgot to mention about the IIS
version (from Helicon) is that it requires CF 9.0.1 running the native
IIS7 connector - it doesn't work in IIS6 compatibility mode.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:348265


Re: Images stored in a database...

2011-10-19 Thread Pete Freitag

Another solution to consider for this besides a third party CDN is
installing mod_xsendfile (you can get this for both Apache and IIS 7 via
Helicon Ape). With mod_xsendfile on your server you simply write a
X-Sendfile: c:\path\to\file.jpg in your getImage.cfm file (you don't need to
serve it with cfcontent, which frees up CF to do other things). This allows
you to keep the files outside of the web root (protected) and still allow
you to run your security code in CF.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Wed, Oct 19, 2011 at 8:25 PM, Al Musella, DPM
muse...@virtualtrials.com wrote:


  You  may get to a point where there is so much traffic in the SQL
 server that the rest of the website slows down or stops
 responding.  I would use a cdn or set up a separate server to serve
 the static images. Note that google recommends using a different
 domain name for images (like images.mydomain.com) so you don't send
 the cookies that are sent with the requests to the main domain, and
 your browser can retrieve them in parallel with the web content.

 At 08:41 AM 10/19/2011, you wrote:

 Can anyone shed some light on this issue for me?  I was originally
 storing some images in a database, but then I convinced myself that
 it wasn't the most efficient way to deliver the images, so I
 switched my solution to static files.
 
 In general, can someone walk me through the pros and cons of placing
 images that will be accessed heavily in a database versus keeping
 them in static files?  What I'm most curious about is:
 
 1) When I use a .cfm page in the image tag ( <img
 src='getImage.cfm?id=282828'/> ), is it cached within browsers just
 like a static file?
 
 2) Is it too much strain on the database to be constantly requesting
 5k - 60k blobs?
 
 
 Maybe I should just punt and start using Amazon S3?


 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:348260
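An added example (not Pete's code) of the getImage.cfm pattern he describes: the authorization check runs in CF, the file stays outside the web root, and mod_xsendfile serves the bytes. The image directory, the "images" table and its columns, the datasource name, and session.userId are hypothetical.

```cfml
<!--- Added example: getImage.cfm handing a protected file to mod_xsendfile.
      Hypothetical: images live under D:\appdata\images\ (outside the web
      root), an "images" table with id / ownerUserId / storedName / mimeType,
      datasource "app", and session.userId set by the login code. --->
<cfparam name="url.id" type="integer">

<!--- Authorization first: unauthenticated requests get nothing. --->
<cfif NOT structKeyExists(session, "userId")>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- Resolve the file by id and owner, never from a client-supplied path,
      so the request cannot walk out of the image directory. --->
<cfquery name="img" datasource="app">
    SELECT storedName, mimeType
    FROM images
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
      AND ownerUserId = <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">
</cfquery>

<cfif img.recordCount EQ 0>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<cfset imageDir = "D:\appdata\images\">
<!--- getFileFromPath() discards any directory part a bad row might carry. --->
<cfset fullPath = imageDir & getFileFromPath(img.storedName)>

<!--- Belt and braces: the resolved path must still sit inside imageDir
      and exist; otherwise treat it as not found rather than leaking detail. --->
<cfif compareNoCase(left(fullPath, len(imageDir)), imageDir) NEQ 0
      OR NOT fileExists(fullPath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Set the type only (no file= attribute, so CF does not stream it), then
      hand the path to the web server. Apache needs "XSendFile On" and an
      XSendFilePath that covers imageDir; Helicon Ape on IIS7 reads the same
      header. The CF thread is released as soon as this template ends. --->
<cfcontent type="#img.mimeType#" reset="true">
<cfheader name="X-Sendfile" value="#fullPath#">
<cfabort>
```

Without the XSendFilePath allow-list in the web server config, mod_xsendfile refuses the path and the client sees a 404, which is the safe failure.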


Re: JVM Heap Size

2011-10-06 Thread Pete Freitag

On Wed, Oct 5, 2011 at 11:36 AM, John M Bliss bliss.j...@gmail.com wrote:

 Related: I just tried to upgrade to Java version 1.6.0_27 but CF failed to
 start after I did so. Know what the max Java version 1.6.0_* usable with
 ACF
 8 is?


The latest version of the JVM that Adobe has certified and supports for
ColdFusion 8 (and CF9 for that matter) is 1.6.0_24 (see:
http://kb2.adobe.com/cps/894/cpsid_89440.html), but more current versions
should still work fine generally speaking. The error you experienced may
just have been due to a file path typo, or something like that.

In case you are not aware versions less than 1.6.0_24 have a DOS
vulnerability that is fairly easy to exploit, so you will want to make sure
you have upgraded your JVM to at least 1.6.0_24.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:347982


Re: Can JS read CGI Environmental Variables?

2011-10-04 Thread Pete Freitag

You can't access CGI environment variables in javascript, but you can access
some variables in javascript that the browser sends which are part of http
request headers and then placed in the cgi scope, including the referrer.
Try using document.referrer in JavaScript to get what you are looking for.


--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Thu, Sep 29, 2011 at 1:30 PM, Rick Faircloth r...@whitestonemedia.com wrote:


 Ok... I'm tired of searching.

 Can JS read CGI variables?

 e.g.

 var referer = cgi.http_referer.slice('/').pop();

 if ( referer === 'index.cfm' )

 etc.

 Rick



 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:347909


Re: cfquickdocs.com down?

2011-09-28 Thread Pete Freitag

On Tue, Sep 27, 2011 at 9:58 PM, Larry Lyons larrycly...@gmail.com wrote:


 Bookmarked already Peter. It looks very nice. A couple of comments though.
 I looked at a random set of tags and one thing that made things a bit
 difficult was the lack of differentiation in the attributes tables. How
 about adding some striping there if possible, or at least use a border.

 Also one thing I've found very useful with cfquickdocs was the cfquickdocs
 search widget you could add to firefox (the search field in the upper right
 corner). If you could set something like that up cfdocs would really kick
 butt.

 Otherwise it looks great. Many thanks,


Hi Larry,

Thanks for the feedback! I have updated the table CSS and there is actually
a firefox search plugin already, which you can install from here:
http://www.petefreitag.com/searchlets/

Enjoy,
--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:347767


Re: Paypal integration

2011-09-27 Thread Pete Freitag

You can specify notify_url as a hidden form element:

Here's the docs on the form elements that you can use:
https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_html_Appx_websitestandard_htmlvariables

Keep in mind that the hidden fields could be modified by the user, that's
why using the paypal button api, or the paypal website are the best
solutions, but depending on what you are doing you might be able to do
sufficient validation in the IPN.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Tue, Sep 27, 2011 at 11:44 AM, Jenny Gavin-Wear 
jenn...@fasttrackonline.co.uk wrote:


 Buy now button (form submission).

 Does anyone know if it is possible to use the form to specify a different
 IPN url?

 I'm currently using the URL specified in the Merchant Services section of
 the customer's account, but it would save me a lot of time if I could
 specify it using the form instead.

 Thanks in advance,

 Jenny Gavin-Wear
 Fast Track Online
 Tel: 01262 602013
 http://www.fasttrackonline.co.uk/



 --
 I am using the free version of SPAMfighter.
 We are a community of 7 million users fighting spam.
 SPAMfighter has removed 3037 of my spam emails to date.
 Get the free SPAMfighter here: http://www.spamfighter.com/len

 The Professional version does not have this message




 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:347749
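The point Pete makes above, that hidden form fields are under the buyer's control and the IPN listener has to re-check them, carried through as an added example. This is not code from the thread or from PayPal; it follows PayPal's documented verification flow (echo the message back with `cmd=_notify-validate` and expect the literal reply `VERIFIED`). The lookup `getExpectedOrder()`, the replay check `ipnAlreadyProcessed()`, `markOrderPaid()` and the setting `application.paypalReceiverEmail` are assumptions standing in for the application's own order storage.

```cfml
<!--- ipn.cfm: added example IPN listener (not the thread's code).
      Assumptions: the order was stored before the buyer left for PayPal, and
      getExpectedOrder(invoice) is a hypothetical lookup returning a struct
      with keys total, currency and paid. --->
<cfset rawBody = getHttpRequestData().content>

<!--- 1. Echo the exact payload back to PayPal. The raw body keeps field order
         and encoding intact, which the validation requires. Use
         ipnpb.sandbox.paypal.com while testing. --->
<cfhttp url="https://ipnpb.paypal.com/cgi-bin/webscr" method="post" result="verify" timeout="30">
    <cfhttpparam type="header" name="Content-Type" value="application/x-www-form-urlencoded">
    <cfhttpparam type="body" value="cmd=_notify-validate&#rawBody#">
</cfhttp>

<cfif verify.statusCode does not contain "200" or trim(verify.fileContent) neq "VERIFIED">
    <!--- Not from PayPal, or altered in transit: log and stop before touching any order --->
    <cflog file="ipn" type="warning" text="IPN rejected: #verify.statusCode# #left(verify.fileContent, 200)#">
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- 2. VERIFIED only proves origin. Every hidden field (amount, currency,
         receiver) was chosen on the buyer's browser, so compare what PayPal
         reports against what this server expected for the invoice. --->
<cfset order = getExpectedOrder(form.invoice)>   <!--- hypothetical lookup --->
<cfset problems = []>
<cfif form.payment_status neq "Completed">
    <cfset arrayAppend(problems, "payment_status=#form.payment_status#")>
</cfif>
<cfif form.receiver_email neq application.paypalReceiverEmail>   <!--- assumed setting --->
    <cfset arrayAppend(problems, "receiver_email mismatch")>
</cfif>
<cfif form.mc_currency neq order.currency or val(form.mc_gross) lt order.total>
    <cfset arrayAppend(problems, "amount/currency mismatch")>
</cfif>
<cfif order.paid or ipnAlreadyProcessed(form.txn_id)>   <!--- hypothetical replay check --->
    <cfset arrayAppend(problems, "duplicate txn_id #form.txn_id#")>
</cfif>

<cfif arrayLen(problems)>
    <cflog file="ipn" type="warning"
           text="IPN failed checks for invoice #form.invoice#: #arrayToList(problems, '; ')#">
<cfelse>
    <cfset markOrderPaid(form.invoice, form.txn_id)>   <!--- hypothetical --->
</cfif>

<!--- PayPal retries until it receives a 2xx, so acknowledge once the message is logged --->
<cfheader statuscode="200" statustext="OK">
```

The same checks apply whichever way `notify_url` is set (hidden field or merchant account): the listener, not the button form, is where the amount and receiver are enforced.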


Re: cfquickdocs.com down?

2011-09-27 Thread Pete Freitag

Hi Guys,

Several years ago I created http://cfdocs.org which had CF 5,6,7 docs - I
just updated the site with CF9 docs, I'm also testing out hosting it on
Amazon CloudFront CDN to provide even faster response times for all of you,
but I have a few kinks to iron out before I flip the switch on that.

The main reason I created the site back in the day was so you could do a url
shortcut like http://cfdocs.org/cfqueryparam to get to the cfqueryparam
docs. You can do this with any tag or function, and here are a few other
handy shortcuts:

http://cfdocs.org/tags - all tags
http://cfdocs.org/functions - functions by category
http://cfdocs.org/application-cfc - Application.cfc reference

Let me know if you find any problems with the new site.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Mon, Sep 26, 2011 at 6:09 PM, Alan Rother alan.rot...@gmail.com wrote:


 If you guys ever get hold of him, I'd be happy to act as a mirror.

 It would be nice to have a few of those out there...


 =]

 On Mon, Sep 26, 2011 at 3:03 PM, Josh Nathanson joshnathan...@gmail.com
 wrote:

 
  Through some digging I was able to connect it to Jacob Munson, who I
  believe
  is on this list, or at least was at one time.  Jake you out there??  We
  need
  CFQuickDocs!
 
  -- Josh
 
 
 
  On Mon, Sep 26, 2011 at 11:36 AM, Kumar Shah shahku...@gmail.com
 wrote:
 
  
   http://cfquickdocs.com/ seems to be down (since yesterday) I believe.
  
   Anybody know who maintained this/can reach out to them? Has proved to
 be
   really useful for looking things up.
  
   Thanks
   --
   Kumar Shah
   http://www.coldfusion-ria.com/Blog/
  
  
  
 
 

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:347757


Re: CFHTTP Connection Failure on SSL

2011-09-06 Thread Pete Freitag

On Tue, Sep 6, 2011 at 3:27 PM, webmas...@pegweb.com wrote:


 Nope I tried a restart of the service and it still says connection
 failure.  Says I am using JVM 1.6.0_14 What is the latest supported JVM?


The latest *supported* JVM for CF 8 and CF 9 is 1.6.0_24 (see
http://kb2.adobe.com/cps/894/cpsid_89440.html). Note that more current
versions typically work just fine, but are not officially supported by
Adobe.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:347255


Re: Can't Delete Sessions Programmatically

2011-08-19 Thread Pete Freitag

On Thu, Aug 18, 2011 at 5:50 PM, Richard Steele r...@photoeye.com wrote:


 Thanks Peter, that's helpful. Any thoughts about the Session is Invalid
 problem? Richard.


One cause for that exception is if your session variable timeouts don't
match the J2EE session timeout (configured in jrun-web.xml and defaults to
30 minutes).

So if the J2EE timeout is less than your session timeout, you can run into
this condition. One thing that might remedy the situation would be to add
the following to your onSessionStart() in Application.cfc:

<cfset getPageContext().getRequest().getSession().setMaxInactiveInterval(numSeconds)>


Where numSeconds matches the length of your ColdFusion session timeout. I've
never tried that solution, but it seems to me like it might work, please let
us know.


--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:346862
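Pete's onSessionStart() suggestion above, filled out into a complete Application.cfc as an added example; this is not code from the thread and, like the suggestion itself, is something to verify on your own server. It assumes J2EE session variables are turned on in the CF Administrator and that the application wants a 30-minute timeout on both clocks.

```cfml
<cfcomponent output="false">
    <!--- Added example: keep the servlet (J2EE) session and the ColdFusion
          session scope on the same timeout so the servlet session cannot
          expire first and trigger "Session is invalid". --->
    <cfset this.name = "exampleApp">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>   <!--- 30 minutes, assumed --->

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- createTimeSpan() yields a fraction of a day; convert to whole seconds --->
        <cfset var seconds = round(this.sessionTimeout * 86400)>
        <cfset getPageContext().getRequest().getSession()
                   .setMaxInactiveInterval(javaCast("int", seconds))>
    </cffunction>

    <cffunction name="j2eeTimeoutSeconds" returntype="numeric" output="false"
                hint="Read back the servlet session timeout, handy while checking the two agree">
        <cfreturn getPageContext().getRequest().getSession().getMaxInactiveInterval()>
    </cffunction>
</cfcomponent>
```

The jrun-web.xml default Pete mentions (30 minutes) only matters when it is shorter than `this.sessionTimeout`; calling `j2eeTimeoutSeconds()` from a test page shows whether the override took effect.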


Re: Function to decode string?

2011-08-18 Thread Pete Freitag

Another method, which may be a bit more robust is the OWASP ESAPI's
(Enterprise Security API) Encoder methods: decodeForHTML(str) or
canonicalize(str):
http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html#decodeForHTML%28java.lang.String%29

The last two security hotfixes for CF 8 and 9 both include ESAPI in the
classpath, so you can use it without adding any jars, here's some example
code: http://www.petefreitag.com/item/788.cfm

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Thu, Aug 18, 2011 at 4:16 PM, Kevin Pepperman chorno...@gmail.comwrote:


 XMLUnFormat() from CFLIB should do the trick.

 http://www.cflib.org/index.cfm?event=page.udfbyid&udfid=800


 --
 /Kevin Pepperman

 *Never memorize what you can look up in books*.
 --Albert_Einstein


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:346848
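Using the ESAPI Encoder from CFML as Pete describes, as an added example (not code from the thread or from Pete's linked post). It assumes the ESAPI jar and its ESAPI.properties that the CF 8/9 security hotfixes placed on the classpath are present. The important behaviour to know about is that `canonicalize()` in strict mode throws when it meets multiple or mixed encodings, so the function reports that rather than letting the exception escape.

```cfml
<cfscript>
// Added example. Returns a struct so callers can tell "decoded" apart from
// "rejected as suspicious" and handle each case deliberately.
function canonicalizeInput(required string raw) {
    var result = { value = "", rejected = false, reason = "" };
    var encoder = createObject("java", "org.owasp.esapi.ESAPI").encoder();
    try {
        // strict=true: ESAPI raises IntrusionException on double or mixed
        // encoding (e.g. %253C), which browsers never produce on their own.
        result.value = encoder.canonicalize(arguments.raw, javaCast("boolean", true));
    } catch (any e) {
        result.rejected = true;
        result.reason = e.message;
    }
    return result;
}

// Entity-only decoding for text known to be HTML-escaped (the original question)
function decodeHtmlEntities(required string raw) {
    return createObject("java", "org.owasp.esapi.ESAPI").encoder().decodeForHTML(arguments.raw);
}

// Constructed inputs for illustration
samples = ["&lt;b&gt;bold&lt;/b&gt;", "%3Cscript%3E", "%253Cscript%253E", "&#x3C;script&#x3E;"];
for (i = 1; i <= arrayLen(samples); i++) {
    r = canonicalizeInput(samples[i]);
    writeOutput(htmlEditFormat(samples[i]) & " -> "
        & (r.rejected ? "REJECTED (" & htmlEditFormat(r.reason) & ")" : htmlEditFormat(r.value))
        & "<br>");
}
</cfscript>
```

Run validation (length, allowed characters) on `result.value`, not on the raw string, so the check sees the same characters a browser would render.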


Re: My limited testing shows this won't work...

2011-08-18 Thread Pete Freitag

Rick,

You want to make sure you upload into a temporary directory that is outside
of the web root first, otherwise as Leigh pointed out the mime type could be
spoofed, and the file could be executed before you've even had a chance to
perform any other validation on it. The link got truncated in my email:
http://www.petefreitag.com/item/701.cfm

Once the file is in the temp directory you can give it a new name and move
it under the web root after you have performed your validations.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Thu, Aug 18, 2011 at 1:18 PM, Rick Faircloth r...@whitestonemedia.comwrote:


 Am I correct? The image upload, using makeunique can't be used
 in conjunction with reReplace as in:

 <cffile action="upload"
         fileField="image"
         destination="#expandPath('images\')##reReplace(image, '[^a-zA-Z0-9_.]', '', 'all')#"
         accept="image/jpg, image/pjpg, image/jpeg, image/pjpeg"
         nameConflict="makeUnique" />

 It doesn't seem like it should work, since I'm trying to use server side
 CF,
 while
 the server is actually receiving the image...

 Rick



 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:346849


Re: Can't Delete Sessions Programmatically

2011-08-18 Thread Pete Freitag

Richard,

One point, going back to your original problem is that in my experience in
order to remove the cookie the browser must match all attributes of the
cookie, so if the cookie path, domain, secure flag, httponly flag differ you
 can't delete it unless you match all those parameters. Now I say all but it's
possible that all don't need to be an exact match (and that may differ by
browser), but I know that some do (eg path and domain).

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Thu, Aug 18, 2011 at 5:02 PM, Richard Steele r...@photoeye.com wrote:


 Well I tried J2EE sessions and we are getting the occasional but
 unacceptable Session is Invalid error even after changing the web.xml of
 each instance to be longer than the session timeout in the application.cfc.
 It seems that there may be numerous causes of Session is Invalid in CF8
 from improper patching to legitimate CF bugs. Now I'm thinking about going
 back to NOT using J2EE. At least CFID and CFToken duplications were just a
 few in a thousand. Is there any problem apart from people losing their
 sessions, resulting from turning off J2EE sessions?

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:346854
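Pete's point that a deletion only works when the attributes match, as an added example (not code from the thread). Writing the Set-Cookie header by hand makes every attribute explicit, which is useful when the cookies were issued by the CF Administrator settings rather than by your own code. The domain and secure values passed in `expireSessionCookies()` are assumptions; they must equal whatever was used when the cookies were set.

```cfml
<cfscript>
// Added example. Builds a Set-Cookie header carrying the same Path, Domain,
// Secure and HttpOnly attributes the cookie was created with, so the browser
// matches it to the existing cookie and discards it.
function buildExpiredCookieHeader(required string name, string path = "/", string domain = "",
                                  boolean secure = false, boolean httpOnly = false) {
    var parts = [arguments.name & "="];
    // Two ways of saying "already expired", for older and newer user agents
    arrayAppend(parts, "Expires=Thu, 01 Jan 1970 00:00:00 GMT");
    arrayAppend(parts, "Max-Age=0");
    arrayAppend(parts, "Path=" & arguments.path);
    if (len(arguments.domain)) arrayAppend(parts, "Domain=" & arguments.domain);
    if (arguments.secure)   arrayAppend(parts, "Secure");
    if (arguments.httpOnly) arrayAppend(parts, "HttpOnly");
    return arrayToList(parts, "; ");
}

// Expire the CF session cookies. domain/secure are assumptions here and must
// match the values used when the cookies were issued.
function expireSessionCookies(string domain = "", boolean secure = true) {
    var response = getPageContext().getResponse();
    var names = ["CFID", "CFTOKEN", "JSESSIONID"];
    var i = 0;
    for (i = 1; i <= arrayLen(names); i++) {
        // addHeader (not setHeader) so each cookie gets its own Set-Cookie line
        response.addHeader("Set-Cookie",
            buildExpiredCookieHeader(names[i], "/", arguments.domain, arguments.secure, true));
    }
}
</cfscript>
```

If a cookie was set without a Domain attribute, pass an empty domain here as well; a Domain value that was not present originally is one of the mismatches Pete describes.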


Re: Safe, Secure Image Upload

2011-08-10 Thread Pete Freitag

Hi Terry,

I wrote up a blog entry with a few tips on secure file uploads a while
back: http://www.petefreitag.com/item/701.cfm

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Wed, Aug 10, 2011 at 11:09 AM, Terry Troxel terry.tro...@gmail.comwrote:


 I am building a demo website to promote a new web template approach for
 small business owners to manage their site.

 I want them to be able to upload a picture and try out the toolset I
 provide
 them using Coldfusion and various Custom tags

 I have purchased through the ages.

 My concern is how to make the upload of images safe and secure for my
 server
 as these folks will be out front and not in

 The normal password protected area when they own their site.



 I would appreciate and positive input on this.



 Terry



 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:346651


Re: Problem with Client Variables not persisting.

2011-07-28 Thread Pete Freitag

Hi Eric,

Yes if sticky sessions were not working or configured properly on your load
balancer that would certainly cause you to get new CFID/CFTOKEN on each
request.

As of the ColdFusion security patch for session fixation (APSB11-04) if the
CFID/CFTOKEN values do not correspond to a valid session on the server it
will return new ones. In prior versions of CF it would just create a new
session with the CFID/CFTOKEN values that were sent. The problem with that
is that your session id's can last a long long time. You can actually
disable the session fixation patch by adding a JVM
argument: –Dcoldfusion.session.protectfixation=false but I'm not sure that
you want to, first I'd double check that your load balancer has sticky
sessions setup properly.

One way you could validate that would be to create a page that returned
something unique to each server in the cluster (eg its IP address, or CF
serial number) then hit that page, if it keeps changing then you are hitting
different servers.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Thu, Jul 28, 2011 at 8:41 AM, Eric Cobb cft...@ecartech.com wrote:


 I've got a strange problem here that I need some help figuring out.  We
 have a site running on 8 load balanced CF 9 servers.  We're doing a lot of
 stuff with Client Variables, and all of our code works fine in
 development/staging, but in production none of the client variables
 persist.  After digging in to it, I find that we're getting a new
 CFID/CFTOKEN on every page request, which explains why the variables
 don't persist from page to page.

 My question is, could this be a problem at the load balancer?  If sticky
 sessions were not enabled or configured correctly, wouldn't it cause
 this?  My gut tells me yes, but I wanted to see if any of you have run
 into this.

 Thanks!

 Eric.
 http://www.cfgears.com




 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:346386


Re: ColdFusion 9 64-bit Image Manipulation

2011-07-28 Thread Pete Freitag

Lots of image functions were built into ColdFusion starting with version 8:
http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec1a60c-7ffc.html#WSc3ff6d0ea77859461172e0811cbec22c24-66e4


--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Thu, Jul 28, 2011 at 2:43 PM, Donnie Carvajal 
donnie.carva...@transformyx.com wrote:


 We are upgrading our system to CF9 64-bit and our CFX tags we use for image
 resizing and info gathering are not working.  We get an unable to load
 library error.  Since these tags have been in this application for over 10
 years, I will assume that they were compiled for 16-bit and 64-bit CF on
 Windows 2008 can not process them.  Does anyone know of any CFX tags that
 will run on 64-bit for image manipulation?  Is there anything native to CF 9
 that I can use?

 Thanks,

 Donnie

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:346395


Re: FuseGuard (was: down?)

2011-05-27 Thread Pete Freitag

Hi Folks,

Just thought I'd chime in about FuseGuard (my company makes it).  The
execution time depends on your server hardware and configuration if
you have a more verbose configuration it will take a bit longer to
execute but you can typically expect it to be below 100ms. The best
way to know is to download the evaluation version:
https://foundeo.com/security/eval/  and give it a spin.

The evaluation version is basically the same as the full version
except it will disable after 30 days and print an evaluation expired
message, the source code is also encoded.

Thanks for the recommendation Jordan, much appreciated.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Wed, May 25, 2011 at 8:19 PM, Jenny Gavin-Wear
jenn...@fasttrackonline.co.uk wrote:

 Hi Brook,

 You asked about Fuseguard:-

 http://www.cfhour.com/post.cfm/show-57-melting-and-fuseguard

 I recommend skipping the first 5 mins of chatter ;)

 Jenny

 No virus found in this outgoing message.
 Checked by AVG - www.avg.com
 Version: 9.0.901 / Virus Database: 271.1.1/3658 - Release Date: 05/24/11
 19:34:00



 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344956


Re: down?

2011-05-27 Thread Pete Freitag

On Wed, May 25, 2011 at 5:49 PM, Michael Dinowitz
mdino...@houseoffusion.com wrote:

 I'm going to ask about a license soon but I still want to do some code
 checking. Better safe than sorry.


Michael I'd be happy to donate some FuseGuard licenses for HOF, as
well as a HackMyCF paid subscription. Just send me an email when your
you're ready.


--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344957


Re: FuseGuard (was: down?)

2011-05-27 Thread Pete Freitag

On Fri, May 27, 2011 at 11:26 AM, Ken Hammond khamm...@saleminc.com wrote:

 Any chance for a HOF list member discount? :-)

You got it Ken -- 15% discount code for FuseGuard or any Foundeo
product is: hofrocks (expires July 4th 2011)

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344960


Re: FuseGuard (was: down?)

2011-05-27 Thread Pete Freitag

Thanks Ken, you rock!

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Fri, May 27, 2011 at 12:41 PM, Ken Hammond khamm...@saleminc.com wrote:

 I went ahead and bought the spell checker for good measure LOL


 -Original Message-
 From: Pete Freitag p...@foundeo.com
 To: cf-talk cf-talk@houseoffusion.com
 Date: Fri, 27 May 2011 11:54:55 -0400
 Subject: Re: FuseGuard (was: down?)


 On Fri, May 27, 2011 at 11:26 AM, Ken Hammond khamm...@saleminc.com wrote:

 Any chance for a HOF list member discount? :-)

 You got it Ken -- 15% discount code for FuseGuard or any Foundeo
 product is: hofrocks (expires July 4th 2011)

 --
 Pete Freitag - Adobe Community Professional
 http://foundeo.com/ - ColdFusion Consulting & Products
 http://petefreitag.com/ - My Blog
 http://hackmycf.com - Is your ColdFusion Server Secure



 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344967


Re: FuseGuard (was: down?)

2011-05-27 Thread Pete Freitag

On Fri, May 27, 2011 at 3:56 PM, Ken Hammond khamm...@saleminc.com wrote:

 It says I should get the security checklist for free with purchase, where do
 I find that?



You should be able to download it from https://foundeo.com/customer/
feel free to email me offlist if you have any problem finding it from
there.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344970


Re: Debugging SOAP

2011-05-23 Thread Pete Freitag

SoapUI is a great tool for debugging soap: http://www.soapui.org/ If
you give it a WSDL url it can generate stubs for testing the remote
service and lets you see and edit all aspects of the soap request and
response.


--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Sun, May 22, 2011 at 7:16 PM, Robert Rhodes rrhode...@gmail.com wrote:

 Hello everyone. I appreciate the help you have given me recently. Now I have
 a new challenge, and I am sure some of you have faced it before.

 I have written an application that gets and puts data to a SOAP .asmx web
 service running on a windows server across the internet.  I am using
 cfinvoke.

 All my gets are working fine.  I am getting the expected data.  However all
 my puts are failing, and the guy at the other end says my soap xml must be
 wrong.  Hey, it might be, but I have not been able to come up with a way to
 see it.

 I did a google search and found Fiddler and Charles, and installed them both
 on the dev server which is running my application.  But no luck.  Each
 program seems to monitor the traffic between my browser and local dev
 server, but I need to monitor traffic between dev server and the other server
 across the internet (on a non-standard ssl port).

 Would one of you kind souls tell me how to configure one of these programs
 (or some other program) so I can see my SOAP going out and see the response?

 RR


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344840


Re: AntiSpammy vs http://www.cflib.org/udf.cfm/safetext for preventing XSS

2011-05-20 Thread Pete Freitag

Hi Brook,

I think it would be difficult to get AntiSamy to ignore the google
analytics script, and not other scripts.  You can pass regex into
Anitsamy for attribute validation, but I don't think you can match a
global pattern in the policy file. I think the best approach in your
situation is to strip out the analytics code before sending it to
AntiSamy for validation as you suggested.


--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Thu, May 19, 2011 at 11:44 PM, Brook Davies cft...@logiforms.com wrote:

 Hi Andrew,

 But consider a CMS or 'landing page creator' that allows users to create
 their own landing pages - and insert their own google analytics code. So I
 would need to be able to tell antiSamy that I want to allow a specific
 script...

 A google search didn't turn up anything. I guess I could use a regex to find
 it, strip it out, then run AntiSamy, then put the GA code back in...

 Brook


 -Original Message-
 From: Andrew Scott [mailto:andr...@andyscott.id.au]
 Sent: May-19-11 4:56 PM
 To: cf-talk
 Subject: RE: AntiSpammy vs http://www.cflib.org/udf.cfm/safetext for
 preventing XSS


 AntiSamy is brilliant, the way this is used is as a HTML string cleaner.

 What that means is that you define which configuration type you want, there
 are predefined configs like Slashdot to name but one. These configs are
 fully configurable to the HTML Elements. SlashDot config is what SlashDot
 itself uses to clean any user input from their site, that contains HTML
 inputs.

 Now as for your question, it doesn't clean the HTML that is first being
 server or generated by your Application. It cleans any text or string input,
 by passing it through the library, and then getting back a sanitized version
 that you can then do with.

 So that means your GA will still work because that came from the page
 itself, and you would not want to use GA in what people enter in your text
 boxes and text areas.

 Hope that helps.


 Regards,
 Andrew Scott
 http://www.andyscott.id.au/



 -Original Message-
 From: Brook Davies [mailto:cft...@logiforms.com]
 Sent: Friday, 20 May 2011 1:09 AM
 To: cf-talk
 Subject: AntiSpammy vs http://www.cflib.org/udf.cfm/safetext for
 preventing XSS


 Hi Guys,



 I'm currently using the safeText UDF
 (http://www.cflib.org/udf.cfm/safetext)
 to clean user submitted content, both HTML fragments and full HTML
 documents.  Based on some reading over at
 http://www.petefreitag.com/item/760.cfm , I am considering using
 AntiSamy instead.  What I want to know is:



 1.       What are your experiences with this?

 2.       I need to be able to explicitly allow some script tags - like
 the google analytics code. Is this possible with AntiSamy?

 3.       I'm gonna test this some more on my end, but I am guessing that
 there would be substantially more overhead in instantiating and invoking the
 AntiSamy java classes and scanning 100 elements than there would
 calling an application scoped UDF method. Does that sound right? I'm
 gonna (time permitting) test this today.



 Just thought I would post this (maybe someone who's not knee deep in
 'ColdFusion and Ajax Choices' nonsense) and see if anyone had any
 experience with it before I jump in..



 Brook




 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344751
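Pete's strip-then-reinsert approach for the analytics snippet, as an added example that is not code from the thread. It deliberately varies the approach in one respect: rather than putting the user's own `<script>` back, it keeps only the tracking id from the pasted snippet (validated against a strict pattern) and re-adds a server-owned snippet, so no user-authored script ever bypasses AntiSamy. The AntiSamy calls are its public Java API (`Policy.getInstance`, `AntiSamy.scan`, `CleanResults.getCleanHTML`); the policy file path passed in is an assumption.

```cfml
<cfscript>
// Added example. Sanitizes a user-authored landing page with AntiSamy while
// preserving analytics by re-emitting a fixed snippet with the validated id.
function sanitizeLandingPage(required string html, required string policyPath) {
    var trackingId = "";
    // Only the UA-nnnn-n id is taken from the pasted snippet, nothing else
    var m = reFindNoCase("_setAccount['""]?\s*,\s*['""](UA-\d{4,10}-\d{1,4})['""]",
                         arguments.html, 1, true);
    var policy = createObject("java", "org.owasp.validator.html.Policy")
                     .getInstance(arguments.policyPath);
    var antiSamy = createObject("java", "org.owasp.validator.html.AntiSamy").init();
    var cleanHtml = "";

    if (arrayLen(m.pos) ge 2 and m.pos[2] gt 0) {
        trackingId = mid(arguments.html, m.pos[2], m.len[2]);
    }
    // AntiSamy removes every <script>, the pasted analytics block included
    cleanHtml = antiSamy.scan(arguments.html, policy).getCleanHTML();
    // Analytics comes back from a template the server controls
    if (len(trackingId)) {
        cleanHtml &= analyticsSnippet(trackingId);
    }
    return cleanHtml;
}

// The ga.js async loader as published at the time; trackingId is already validated
function analyticsSnippet(required string trackingId) {
    return "<script type=""text/javascript"">"
         & "var _gaq = _gaq || [];"
         & "_gaq.push(['_setAccount', '" & arguments.trackingId & "']);"
         & "_gaq.push(['_trackPageview']);"
         & "(function(){var ga=document.createElement('script');ga.type='text/javascript';"
         & "ga.async=true;ga.src=('https:'==document.location.protocol?'https://ssl':'http://www')"
         & "+'.google-analytics.com/ga.js';"
         & "var s=document.getElementsByTagName('script')[0];s.parentNode.insertBefore(ga,s);})();"
         & "</script>";
}
</cfscript>
```

On Brook's question 3, the `Policy` object is the expensive part to build; create it once (for instance in `onApplicationStart`) and reuse it across `scan()` calls.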


Re: File Upload uploading open file

2011-03-08 Thread Pete Freitag

Hi Don,

The mime type of the file is determined by the browser (client side), and
then sent in the HTTP request to upload the file. ColdFusion uses the same
mime type sent by the browser in cffile. So it sounds like the accept
attribute of cffile is causing this exception to be thrown.

Try adding this mime type to the cffile accept attribute list, and then make
sure you are validating the file extension of the uploaded file to be doc or
docx.


--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?


On Mon, Mar 7, 2011 at 11:50 AM, Don danfar...@hotmail.com wrote:


 Hi Folks =)

 Trying to upload a file ( word doc ) that is concurrently OPEN in the OS.

 Upon upload attempt via cffile coldfusion is seemingly returning a mime
 type error:

 The MIME type of the uploaded file application/octet-stream was not
 accepted by the server.

 is there a way to prevent (open) files from being uploaded?

 how would I ignore/bypass this error so as to actually upload the original
 file?

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:342826
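The upload handling Pete describes in this thread and in the two earlier ones (Rick's makeUnique question and Terry's image upload question), put together as one added example; it is not code from the thread or from Pete's blog post. The file lands in the system temp directory first, the browser-supplied MIME type is not used as a gate, the extension and the actual image content are checked on disk, and the file only moves under the web root under a server-chosen name. The destination directory is passed in by the caller; `getTempDirectory()`, `isImageFile()` and the `result` struct of `cffile action="upload"` are standard CF 8+ features.

```cfml
<!--- Added example: a cautious image upload. Call as
      acceptImageUpload("image", expandPath("/images")) --->
<cffunction name="acceptImageUpload" returntype="struct" output="false">
    <cfargument name="fieldName" type="string" required="true">
    <cfargument name="destinationDir" type="string" required="true">
    <cfset var result = { ok = false, file = "", reason = "" }>
    <cfset var upload = "">
    <cfset var tempPath = "">
    <cfset var newName = "">
    <cfset var allowed = "jpg,jpeg,png,gif">

    <!--- 1. Land the file in the temp directory, outside the web root, so a
             spoofed MIME type or extension cannot be served or executed
             before the checks below run. --->
    <cffile action="upload"
            fileField="#arguments.fieldName#"
            destination="#getTempDirectory()#"
            nameConflict="makeUnique"
            result="upload">
    <cfset tempPath = upload.serverDirectory & "/" & upload.serverFile>

    <cftry>
        <!--- 2. Extension allowlist, checked against the name on disk --->
        <cfif not listFindNoCase(allowed, upload.serverFileExt)>
            <cfthrow message="extension .#upload.serverFileExt# not allowed">
        </cfif>
        <!--- 3. Content check: the bytes must actually decode as an image --->
        <cfif not isImageFile(tempPath)>
            <cfthrow message="file content is not an image">
        </cfif>
        <!--- 4. Server-chosen name: no user input reaches the final path --->
        <cfset newName = createUUID() & "." & lCase(upload.serverFileExt)>
        <cffile action="move" source="#tempPath#" destination="#arguments.destinationDir#/#newName#">
        <cfset result.ok = true>
        <cfset result.file = newName>
        <cfcatch type="any">
            <cfset result.reason = cfcatch.message>
            <!--- Never leave a rejected file behind in temp --->
            <cfif fileExists(tempPath)>
                <cffile action="delete" file="#tempPath#">
            </cfif>
        </cfcatch>
    </cftry>
    <cfreturn result>
</cffunction>
```

This also resolves Don's `application/octet-stream` problem from a different direction: the browser's MIME type is not consulted at all, so an open Word document would be rejected by the extension and content checks rather than by `accept=`.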


Re: The INSERT statement conflicted with the FOREIGN KEY constraint

2010-12-17 Thread Pete Freitag

This error probably means that the value you are trying to insert into
a foreign key column does not correspond to an actual row, I am
guessing that it is this line:

<cfprocparam
   type="In"
   cfsqltype="CF_SQL_INTEGER"
   dbvarname="intMemberIDUpdate"
   value="0">

Since the value of 0 does not correspond to a valid memberID.

If you have a foreign key constraint setup the proper way to handle
such a case would be to use a null value instead of a zero.  Or
remove the constraint if you really need to store a zero in there.

--
Pete Freitag
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?



On Thu, Dec 16, 2010 at 2:16 PM, Monique Boea moniqueb...@gmail.com wrote:

 Hello All.

 I have a stored proc that when I execute it from SQL server mgmt studio, it
 works fine. But when I try to execute it in CF, I get the following error:

 *Error Executing Database Query. [Macromedia][SQLServer JDBC
 Driver][SQLServer]The INSERT statement conflicted with the FOREIGN KEY
 constraint*

 Here is my code:

 <cfstoredproc procedure="spmembersII_savegroups" datasource="#request.dsn#"
               returncode="yes">
     <cfprocparam type="In" cfsqltype="CF_SQL_INTEGER" dbvarname="intInstitutionID" value="541">
     <cfprocparam type="In" cfsqltype="CF_SQL_INTEGER" dbvarname="intMemberID" value="10008">
     <cfprocparam type="In" cfsqltype="CF_SQL_VARCHAR" dbvarname="strStages" value="">
     <cfprocparam type="In" cfsqltype="CF_SQL_INTEGER" dbvarname="intMemberIDUpdate" value="0">
     <cfprocresult name="enrollmentquestions">
 </cfstoredproc>

 Any suggestions?


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340108
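Pete's "use a null instead of a zero" fix applied to the posted call, as an added example (not the poster's code). The `null` attribute of `cfprocparam` sends SQL NULL regardless of `value`; the variable `memberIDUpdate` and its convention of being empty or 0 when there is nothing to update are assumptions.

```cfml
<!--- Added example: satisfy the FOREIGN KEY on intMemberIDUpdate by sending
      NULL when there is no member to update. --->
<cfparam name="memberIDUpdate" default="">
<cfset noMemberToUpdate = (not isNumeric(memberIDUpdate)) or (val(memberIDUpdate) eq 0)>

<cfstoredproc procedure="spmembersII_savegroups" datasource="#request.dsn#" returncode="yes">
    <cfprocparam type="in" cfsqltype="CF_SQL_INTEGER" dbvarname="intInstitutionID" value="541">
    <cfprocparam type="in" cfsqltype="CF_SQL_INTEGER" dbvarname="intMemberID" value="10008">
    <cfprocparam type="in" cfsqltype="CF_SQL_VARCHAR" dbvarname="strStages" value="">
    <!--- null="true" sends SQL NULL; the value attribute is then ignored --->
    <cfprocparam type="in" cfsqltype="CF_SQL_INTEGER" dbvarname="intMemberIDUpdate"
                 value="#val(memberIDUpdate)#" null="#noMemberToUpdate#">
    <cfprocresult name="enrollmentquestions">
</cfstoredproc>
```

The stored procedure's parameter must accept NULL (for example `@intMemberIDUpdate int = NULL` in its declaration) and the column the procedure inserts into must be nullable; otherwise the database will raise a different constraint error in place of this one.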


Re: FuseGuard, Anyone?

2010-12-10 Thread Pete Freitag

On Thu, Dec 9, 2010 at 11:24 AM, Rick Root rick.r...@gmail.com wrote:

 Anyone have an experience with this tool, FuseGuard?

 http://foundeo.com/security/

 Just curious .. I wonder how much overhead it would add on a busy site..


Hi Rick,

Our experience shows that it typically adds less than 0.1 seconds to
the request execution time. Performance will be dependent on how it is
configured (and the server hardware), we can help you tune the
configuration for a good mix of security and performance. We typically
spend a lot of time with customers helping them optimize the
configuration to meet their needs.  You can download an evaluation
copy here: https://foundeo.com/security/eval/ and test it out for
yourself as well.

Thanks,
--
Pete Freitag
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:339990


Re: wrap function question

2010-11-10 Thread Pete Freitag

According to the docs Wrap() uses the OS line separator which is different
on Unix/Mac and Windows. That might cause an issue because for unix it only
looks for \n but on windows it is probably looking for a \r\n.

So if you are on windows, and your example text only used \n to break lines,
then it would produce the results you got.

Try passing a true into the third argument to strip out existing new line
chars, or you might need to find / write a UDF if you want to preserve
existing line breaks.

Pete Freitag
http://foundeo.com/ - ColdFusion Consulting  Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?


On Tue, Nov 9, 2010 at 12:32 PM, Eric Roberts ow...@threeravensconsulting.com wrote:


 I am trying to use the cf wrap function and I am getting some odd results.
 Here is the text (entered in a text area...the line breaks shown are from
 hitting the enter key)

 Life is but a stopping place,
 A pause in what's to be.
 A resting place along the road,
 To sweet eternity.

 Here is the results of the text string after it is wrapped and put into an
 array.  Why would A be in a single line instead of part of the contents of
 line three and also notice the odd breaks with 4,5,6, and 7

 array
 1 Life is but a stopping place,
 2 A
 3 pause in what's to be.
 4 A resting
 5 place along the road,
 6 To sweet
 7 eternity.

 Should look like
 1. Life is but a stopping place,
 2. A pause in what's to be.
 3. A resting place along the road,
 4  To sweet eternity.

 Here is the code that accomplishes the above. Arguments.char_count=34 in
 this case.

 <cfset variables.text.txtWrapped = wrap(variables.text.string, arguments.char_count)>
 <cfset nol = listLen(variables.text.txtWrapped, chr(10))>
 <cfset variables.text.txtLines = arrayNew(1)>
 <cfloop from="1" to="#nol#" step="1" index="x">
     <cfset variables.text.txtLines[x] = listGetAt(variables.text.txtWrapped, x, chr(10))>
 </cfloop>

 Any ideas as to what I am doing wrong?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:339085
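An added example, not code from the thread, of the kind of UDF Pete suggests for preserving the user's existing line breaks. It assumes ColdFusion 9 or later (script-style functions) and the documented Wrap(string, limit, strip) signature; the verse used as input is constructed here from the question, joined with CRLF the way a Windows browser submits a textarea.

```cfml
<cfscript>
// Added example, not code from the thread. Assumes CF9+ script functions and
// the documented Wrap(string, limit, strip) signature.
// Idea: wrap each user-entered line on its own so existing breaks survive,
// then normalize whatever separator Wrap() emits (LF on Unix, CRLF on Windows)
// to a single LF, so splitting on chr(10) behaves the same on every OS.
string function wrapPreservingLines(required string text, required numeric limit) {
    var LF = chr(10);
    // Treat CRLF, bare CR and bare LF as the same line break before splitting.
    var normalized = reReplace(arguments.text, "\r\n|\r", LF, "all");
    // includeEmptyFields=true keeps blank lines (paragraph gaps) intact.
    var lines = listToArray(normalized, LF, true);
    var out = [];
    var i = 0;
    for (i = 1; i <= arrayLen(lines); i++) {
        // strip=true: Wrap() discards any break it might otherwise misread,
        // then re-breaks this one line at `limit` using the OS separator.
        var wrapped = wrap(lines[i], arguments.limit, true);
        arrayAppend(out, reReplace(wrapped, "\r\n|\r", LF, "all"));
    }
    return arrayToList(out, LF);
}

// Sample input constructed for this example (CRLF-joined, as submitted on Windows).
sample = "Life is but a stopping place," & chr(13) & chr(10)
       & "A pause in what's to be." & chr(13) & chr(10)
       & "A resting place along the road," & chr(13) & chr(10)
       & "To sweet eternity.";

// Same char_count as in the question. Because every original line is already
// under 34 characters, Wrap() leaves each one alone and the array holds the
// four original lines; longer lines would be broken at the limit without
// disturbing the breaks the user typed.
txtLines = listToArray(wrapPreservingLines(sample, 34), chr(10), true);
writeDump(txtLines);
</cfscript>
```

Because the function normalizes every separator to LF before returning, the listLen()/listGetAt() on chr(10) from the original code works unchanged on Windows as well as Unix; the CRLF-vs-LF mismatch Pete describes is what produced the stray "A" line in the question.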


Re: SQL 139 transaction error

2010-10-15 Thread Pete Freitag

Since MyISAM is a non-transactional storage engine, the error doesn't make
too much sense to me. Are you sure your migration from InnoDB was
successful, and that you are in fact using MyISAM and not InnoDB on this
table?

--
Pete Freitag
http://foundeo.com/ - ColdFusion Consulting  Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?


On Fri, Oct 15, 2010 at 10:34 AM, cfcom cf...@aceligent.com wrote:


 Is anyone familiar with MySql 139 transaction storage error.
 I've switched the engine from InnoDB to MyISAM but am still seeing issues.
 Am running MySql 5. Am wondering if I should move from open source to a
 different DB - Any suggestions or insight would be most appreciated.

 TIA

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:338237

