Re: New CF8 vulnerability
So do we not need to restart ColdFusion after making this change?

On Fri, Jul 3, 2009 at 5:32 PM, Eric Roberts <ow...@threeravensconsulting.com> wrote:
> Dave (or anyone else with information),
>
> I know the vulnerability was in older versions of FCKEditor...if one were to install and use the current version, does it still have the vulnerability or has that been fixed? I just got an emergency gig to fix a site that was hacked because of this and we need to know if it is safe to do this or just keep FCKEditor disabled in the meantime.
>
> Eric
>
> On Thu, Jul 2, 2009 at 6:17 PM, Dave Watts wrote:
> > You may want to check for this on any clients/projects you've worked with:
> > http://isc.sans.org/diary.html?storyid=6715
> >
> > Remediation steps available here:
> > http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> >
> > Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324212
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: New CF8 vulnerability
Supposedly on July 6 a new version will be released that is at least better, if not 'fixed'. Kind of glad I put mine behind logins from the get-go. I am guessing that this affects all FCKEditor installations and not just CF8's cftextarea.

Way back when, an earlier cf connector was so full of holes I wound up rewriting it with another developer's help and posting it on their forum. Guess that since then its code got a lot more complex but not a lot better.

--
-...@robertson-- Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324211
Re: New CF8 vulnerability
Dave (or anyone else with information),

I know the vulnerability was in older versions of FCKEditor...if one were to install and use the current version, does it still have the vulnerability or has that been fixed? I just got an emergency gig to fix a site that was hacked because of this and we need to know if it is safe to do this or just keep FCKEditor disabled in the meantime.

Eric

On Thu, Jul 2, 2009 at 6:17 PM, Dave Watts wrote:
> You may want to check for this on any clients/projects you've worked with:
> http://isc.sans.org/diary.html?storyid=6715
>
> Remediation steps available here:
> http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324210
Re: Using iText with CFML for PDF forms
On Thu, Jul 2, 2009 at 5:16 PM, Arsalan Tariq Keen wrote:
> Does anyone have any experience of populating PDF forms using iText?

AcroForm or XFA?

Jochem

--
Jochem van Dieten
http://jochem.vandieten.net/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324209
RE: Using iText with CFML for PDF forms
If you have CF8, use CFPDFFORM. If you have something else, use iText.

Dave Watts, CTO, Fig Leaf Software

-Original Message-
From: Arsalan Tariq Keen
Sent: Friday, 03 July, 2009 14:56
To: cf-talk
Subject: Re: Using iText with CFML for PDF forms

:) nice imagination although I was just inquiring... rather trying to find out a way to dynamically populate PDF Forms with a standard CF8 engine ... not just railo :)

--
From: "James Holmes"
Sent: Friday, July 03, 2009 9:24 PM
To: "cf-talk"
Subject: Re: Using iText with CFML for PDF forms

> Probably not, unless Gert manages to see this. For some strange reason, Adobe ColdFusion lists are populated by people with experience in Adobe ColdFusion.
>
> I imagine that Railo lists are populated by people with Railo experience. But that's just a guess.
>
> mxAjax / CFAjax docs and other useful articles:
> http://www.bifrost.com.au/blog/
>
> 2009/7/3 Arsalan Tariq Keen :
>> come on guys ... doesn't anyone here have an answer to my problem??
>>
>> --
>> From: "Leigh"
>> Sent: Friday, July 03, 2009 8:25 PM
>> To: "cf-talk"
>> Subject: Re: Using iText with CFML for PDF forms
>>
>>> Paul Hastings wrote:
>>>> rather than guess, why not post to the railo list?
>>>
>>> Well if you are going to resort to logic ... ;)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324208
RE: New CF8 vulnerability
Sorry for omitting the actual URLs, but I'm sending all this from my phone. And CF doesn't run on Windows Mobile!

Dave Watts, CTO, Fig Leaf Software

-Original Message-
From: Ian Skinner
Sent: Friday, 03 July, 2009 13:17
To: cf-talk
Subject: Re: New CF8 vulnerability

Dave Watts wrote:
> Yes, I'm pretty certain that's how it works. You may want to test the actual CF URLs even if you've moved CFIDE, as CF has a defined URL pattern match in its configuration to ensure that some URLs work in any case.
>
> Dave Watts, CTO, Fig Leaf Software

Well, that was my subtle request for a good URL or two to test!! :-)

I tried one or two I could guess by looking at the directory under scrutiny and I got an encouraging 404 Not Found for them. But I realize I may not be using the best URLs for my testing.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324207
Re: Using iText with CFML for PDF forms
:) nice imagination although I was just inquiring... rather trying to find out a way to dynamically populate PDF Forms with a standard CF8 engine ... not just railo :)

--
From: "James Holmes"
Sent: Friday, July 03, 2009 9:24 PM
To: "cf-talk"
Subject: Re: Using iText with CFML for PDF forms

> Probably not, unless Gert manages to see this. For some strange reason, Adobe ColdFusion lists are populated by people with experience in Adobe ColdFusion.
>
> I imagine that Railo lists are populated by people with Railo experience. But that's just a guess.
>
> mxAjax / CFAjax docs and other useful articles:
> http://www.bifrost.com.au/blog/
>
> 2009/7/3 Arsalan Tariq Keen :
>> come on guys ... doesn't anyone here have an answer to my problem??
>>
>> --
>> From: "Leigh"
>> Sent: Friday, July 03, 2009 8:25 PM
>> To: "cf-talk"
>> Subject: Re: Using iText with CFML for PDF forms
>>
>>> Paul Hastings wrote:
>>>> rather than guess, why not post to the railo list?
>>>
>>> Well if you are going to resort to logic ... ;)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324206
Re: New CF8 vulnerability
Dave Watts wrote:
> Yes, I'm pretty certain that's how it works. You may want to test the actual CF URLs even if you've moved CFIDE, as CF has a defined URL pattern match in its configuration to ensure that some URLs work in any case.
>
> Dave Watts, CTO, Fig Leaf Software

Well, that was my subtle request for a good URL or two to test!! :-)

I tried one or two I could guess by looking at the directory under scrutiny and I got an encouraging 404 Not Found for them. But I realize I may not be using the best URLs for my testing.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324205
RE: New CF8 vulnerability
You should take the same precautions you would with any file upload. Don't allow uploads to web-accessible directories that allow code execution on the server. Better yet, don't allow uploads to web-accessible directories at all, so that your server can't unwittingly host client-side malware. Don't run CF with root credentials, so that successfully uploaded CF scripts can't do bad things to your system.

Dave Watts, CTO, Fig Leaf Software

-Original Message-
From: Brian McCairn
Sent: Friday, 03 July, 2009 10:38
To: cf-talk
Subject: Re: New CF8 vulnerability

what if you want to do file upload with fckeditor?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324204
RE: New CF8 vulnerability
Yes, I'm pretty certain that's how it works. You may want to test the actual CF URLs even if you've moved CFIDE, as CF has a defined URL pattern match in its configuration to ensure that some URLs work in any case.

Dave Watts, CTO, Fig Leaf Software

-Original Message-
From: Ian Skinner
Sent: Friday, 03 July, 2009 10:08
To: cf-talk
Subject: Re: New CF8 vulnerability

Dave Watts wrote:
> You may want to check for this on any clients/projects you've worked with:
> http://isc.sans.org/diary.html?storyid=6715

How does this exploit actually work? I presume it is somebody directly accessing the exposed, vulnerable, exploitable files via www.yourSite.org/cfide/scripts/something? Is that correct?

If so, we may have been lucky enough that our cfide folder is not publicly available at the moment, but I would like to know more as I present this up the chain to get remediation steps done on our production servers.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324203
Re: (ot) Authorize.net down Anyone get through support yet?
Seems like they had a fire in their main datacenter
http://www.dslreports.com/shownews/Credit-Card-Processing-Company-Authorizenet-Knocked-Offline-103256
http://twitter.com/authorizenet

>Casey,
>
>I have a number of customers currently down due to this issue. I suspect support is flooded with calls. The main web site is not up either so my guess would be a major network issue.
>
>-mark
>
>Mark A. Kruger, CFG, MCSE
>(402) 408-3733 ext 105
>www.cfwebtools.com
>www.coldfusionmuse.com
>www.necfug.com
>
>I'm on hold 1 hour 5 minutes now.
>
>Anyone get through to their support about authorize.net being down?
>
>--
>Casey

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324202
Re: Using iText with CFML for PDF forms
Arsalan Tariq Keen wrote:
> come on guys ... doesn't anyone here have an answer to my problem??

it was already answered on the railo list (here previously). itext is distributed w/railo. it powers its cfdocument & cfpdf. if you want ease of use, use the built-in tags. if you want insane control over your PDF docs, use itext.

if you use itext, first thing is buy bruno's book from manning:
http://www.manning.com/lowagie/
if you use itext more than once, it's by far the best investment you'll ever make.

next read the mysterious cfsearching's blog ;-)
http://cfsearching.blogspot.com/search/label/iText
gobs & gobs of examples.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324201
Re: Using iText with CFML for PDF forms
Probably not, unless Gert manages to see this. For some strange reason, Adobe ColdFusion lists are populated by people with experience in Adobe ColdFusion.

I imagine that Railo lists are populated by people with Railo experience. But that's just a guess.

mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/

2009/7/3 Arsalan Tariq Keen :
> come on guys ... doesn't anyone here have an answer to my problem??
>
> --
> From: "Leigh"
> Sent: Friday, July 03, 2009 8:25 PM
> To: "cf-talk"
> Subject: Re: Using iText with CFML for PDF forms
>
>> Paul Hastings wrote:
>>> rather than guess, why not post to the railo list?
>>
>> Well if you are going to resort to logic ... ;)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324200
Re: Using iText with CFML for PDF forms
come on guys ... doesn't anyone here have an answer to my problem??

--
From: "Leigh"
Sent: Friday, July 03, 2009 8:25 PM
To: "cf-talk"
Subject: Re: Using iText with CFML for PDF forms

> Paul Hastings wrote:
>> rather than guess, why not post to the railo list?
>
> Well if you are going to resort to logic ... ;)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324199
Re: New CF8 vulnerability
Brian McCairn wrote:
> what if you want to do file upload with fckeditor?

The recommendation seems to be to install the latest version of fckeditor independently of the built in ColdFusion edition and to make sure that it resides and works within properly sandboxed portions of your system so that permission escalation is much harder to accomplish.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324198
Re: New CF8 vulnerability
what if you want to do file upload with fckeditor?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324197
Re: Using iText with CFML for PDF forms
Paul Hastings wrote:
> rather than guess, why not post to the railo list?

Well if you are going to resort to logic ... ;)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324196
RE: (ot) Authorize.net down Anyone get through support yet?
Casey,

I have a number of customers currently down due to this issue. I suspect support is flooded with calls. The main web site is not up either so my guess would be a major network issue.

-mark

Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-Original Message-
From: Casey Dougall [mailto:ca...@uberwebsitesolutions.com]
Sent: Friday, July 03, 2009 9:10 AM
To: cf-talk
Subject: (ot) Authorize.net down Anyone get through support yet?

I'm on hold 1 hour 5 minutes now.

Anyone get through to their support about authorize.net being down?

--
Casey

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324195
Re: PHP MD5 Crypt equivalent in CF?
You need to ask a PHP list how the crypt function applies the salt when MD5ing the input.

mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/

2009/7/3 Oli Rosenbladt :
> On original input in the PHP system, the salt is generated by a unique, 8-digit user code, prepended by "$1$" and appended with "$" for the 12 digits necessary for MD5 encryption. The user code is stored in the database, so what I was hoping to do was take the user code, recreate the stored password by combining user input and the salt/user code, and compare the two strings.
>
>> So what calculates the salt ?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324194
(ot) Authorize.net down Anyone get through support yet?
I'm on hold 1 hour 5 minutes now.

Anyone get through to their support about authorize.net being down?

--
Casey

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324193
Re: New CF8 vulnerability
Dave Watts wrote:
> You may want to check for this on any clients/projects you've worked with:
> http://isc.sans.org/diary.html?storyid=6715

How does this exploit actually work? I presume it is somebody directly accessing the exposed, vulnerable, exploitable files via www.yourSite.org/cfide/scripts/something? Is that correct?

If so, we may have been lucky enough that our cfide folder is not publicly available at the moment, but I would like to know more as I present this up the chain to get remediation steps done on our production servers.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324192
How to clean out HTML from a CFDIV?
I have a CFDIV which is filled up with an error message issued by an Ajax routine. The only problem is that under certain circumstances, when I open the window that it appears on, the leftover error message from the last invocation is still sitting there. Much of what I am doing is initiated thru Javascript, so I need to find a way to clean out the message from Javascript too (if the message exists).

The cfdiv looks like this:

The following result code is placed into the cfdiv when the error occurs:

>>> Your Preferred UserName is already in use. Please choose another.

Can anyone suggest how I can clear this out, using Javascript, before I start up?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324191
Re: PHP MD5 Crypt equivalent in CF?
On original input in the PHP system, the salt is generated by a unique, 8-digit user code, prepended by "$1$" and appended with "$" for the 12 digits necessary for MD5 encryption. The user code is stored in the database, so what I was hoping to do was take the user code, recreate the stored password by combining user input and the salt/user code, and compare the two strings.

> So what calculates the salt ?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324190
Re: PHP MD5 Crypt equivalent in CF?
On Friday 03 Jul 2009, Oli Rosenbladt wrote:
> when you look at the result of a PHP crypt(string,salt) function that uses MD5, the entire 12-character user salt ends up prepended to the resulting string,

So what calculates the salt ?

--
Helping to appropriately deploy killer customized environments as part of the IT team of the year, '09 and '08

This email is sent for and on behalf of Halliwells LLP. Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at Halliwells LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB. A list of members is available for inspection at the registered office together with a list of those non members who are referred to as partners. We use the word partner to refer to a member of the LLP, or an employee or consultant with equivalent standing and qualifications. Regulated by the Solicitors Regulation Authority.

CONFIDENTIALITY
This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 2500.

For more information about Halliwells LLP visit www.halliwells.co

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324189
Re: PHP MD5 Crypt equivalent in CF?
when you look at the result of a PHP crypt(string,salt) function that uses MD5, the entire 12-character user salt ends up prepended to the resulting string, which is the one that ends up in the DB, and I am trying to rebuild/compare in CF.

So, in PHP:
user password: sydney
user salt: $1$ISzYi6zf$
evaluates to: $1$ISzYi6zf$prff0mAKPVBHNKOlRradj1

in CF:
hash('sydney','MD5')
evaluates to: A8113A9B4F61B178CD1FEA4EFA5BF4C8

Any resources on MD5 and its particular flavors would be appreciated!

Thanks,
Oli

> You'll have to find out how PHP combines the input with the salt (append ? prepend ? XOR ? ... ?) and do that before calling CF's hash().

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324188
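Editorial example, not from any post in this thread: a reference implementation of the MD5-crypt scheme that PHP's crypt() selects when the salt has the form $1$<salt>$. The point the thread circles around is that crypt() does not hash salt + password once; it feeds the password, the literal "$1$" and an up-to-8-character salt through a fixed construction, runs 1000 further MD5 rounds whose input order depends on the round number, and then encodes the 16-byte result with its own base64 alphabet. That is why hash('sydney','MD5') in CF cannot be massaged into the stored 34-character value. The code is Python on hashlib only, so it runs stand-alone; the structure is what would need porting to CF. It is not ColdFusion's hash() and makes no claim about how hash() works internally.

```python
"""MD5-crypt ($1$ hashes) as produced by PHP's crypt() and Unix crypt(3).

Editorial example for this thread; not code from the original posts and
not ColdFusion's own hash(). Only the standard library is used.
"""
import hashlib
import hmac

MAGIC = b"$1$"
# MD5-crypt uses this alphabet, not the RFC 4648 base64 one.
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """Emit `count` characters, 6 bits at a time, least significant bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def _parse_salt(salt: str) -> bytes:
    """Accept 'ISzYi6zf', '$1$ISzYi6zf$' or a whole stored hash; keep at most 8 chars."""
    s = salt.encode()
    if s.startswith(MAGIC):
        s = s[len(MAGIC):]
    return s.split(b"$", 1)[0][:8]


def md5_crypt(password: str, salt: str) -> str:
    """Return the 34-character '$1$<salt>$<22 chars>' string PHP's crypt() stores."""
    pw = password.encode()
    sl = _parse_salt(salt)

    # Alternate digest over password + salt + password.
    alt = hashlib.md5(pw + sl + pw).digest()

    ctx = hashlib.md5(pw + MAGIC + sl)
    # Mix in one byte of the alternate digest per byte of password.
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    # For each bit of len(password): a NUL byte for a 1 bit, pw[0] for a 0 bit.
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 stretching rounds; which parts go in, and in what order, depends on the round.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    # Bytes are regrouped in this fixed permutation: five 3-byte groups of 4 chars
    # each, then byte 11 alone as 2 chars, giving 22 characters.
    encoded = b""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)

    return (MAGIC + sl + b"$" + encoded).decode()


def verify(password: str, stored: str) -> bool:
    """Rebuild the hash using the salt embedded in `stored`; compare in constant time."""
    if not stored.startswith("$1$"):
        return False
    return hmac.compare_digest(md5_crypt(password, stored).encode(), stored.encode())


if __name__ == "__main__":
    # Password and salt quoted in the thread; compare against the stored value there.
    print(md5_crypt("sydney", "$1$ISzYi6zf$"))
```

Running the block prints the hash for the thread's own sample (password sydney, salt ISzYi6zf) so it can be compared with the stored value quoted above; verify() is what a login check against the migrated PHP table would call. Treat that as a bridge, not a destination: MD5-crypt is cheap to brute-force by today's standards, so once a user authenticates against the old value, re-hash the password with a current scheme (bcrypt, scrypt, Argon2 or PBKDF2) and retire the $1$ entry.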
Re: PHP MD5 Crypt equivalent in CF?
The CF and PHP hash functions of the same string actually return the same result; it's in combination with the salt that the string changes substantially.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324187
Re: PHP MD5 Crypt equivalent in CF?
> How did the cf hash() function's output differ from the PHP one?
>
> mxAjax / CFAjax docs and other useful articles:
> http://www.bifrost.com.au/blog/
>
> 2009/7/3 Oli Rosenbladt :
>> Hello,
>>
>> I am trying to use CF to compare a password encrypted with MD5 in PHP using:
>>
>> crypt($password, $user_salt) // where user_salt is a 12-character string like "$1$ISzYi6zf$"
>>
>> This results in a string like: "$1$ISzYi6zf$prff0mAKPVBHNKOlRradj1"
>>
>> So far, nothing I have tried in CF has allowed me to "rebuild" the result 34-character string so that I can compare them to what's in the database, ie. I am looking to take user input, add the known salt to it, and come up with a 34 character string in order to compare them.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324186
Re: PHP MD5 Crypt equivalent in CF?
On Friday 03 Jul 2009, Oli Rosenbladt wrote:
> So far, nothing I have tried in CF has allowed me to "rebuild" the result 34-character string so that I can compare them to what's in the database, ie.

You'll have to find out how PHP combines the input with the salt (append ? prepend ? XOR ? ... ?) and do that before calling CF's hash().

--
Helping to vitalistically morph fifth-generation intuitive advanced killer e-services as part of the IT team of the year, '09 and '08

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324185
Re: New CF8 vulnerability
On Friday 03 Jul 2009, Dave Watts wrote:
> Remediation steps available here:
> http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat

Site down, probably load. In summary: CF8.0.1 ships with a plugin in the FCKeditor that powers rich text editing in a non-default, insecure state. Find config.cfm in ../CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm and change 'Config.enabled' to false at the top. Then review if you need any of the features you just turned off and take it from there.

--
Helping to vitalistically compete cross-platform mindshares as part of the IT team of the year, '09 and '08

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324184
Re: New CF8 vulnerability
On Friday 03 Jul 2009, Adrian Lynch wrote:
> Am I missing something?

You're on CF8.0.0 not 8.0.1 and so fine ?

--
Helping to biannually pursue best-of-breed sexy holistic eyeballs as part of the IT team of the year, '09 and '08

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324183
RE: New CF8 vulnerability
There's nothing OS-specific about the vulnerability, as far as I can see.

Dave Watts, CTO, Fig Leaf Software

-----Original Message-----
From: James Holmes
Sent: Thursday, 02 July, 2009 20:56
To: cf-talk
Subject: Re: New CF8 vulnerability

And that's why our prod servers are read only (and Linux).

mxAjax / CFAjax docs and other useful articles: http://www.bifrost.com.au/blog/

2009/7/3 Dave Watts :
>
> You may want to check for this on any clients/projects you've worked with:
> http://isc.sans.org/diary.html?storyid=6715
>
> Remediation steps available here:
> http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324182
RE: New CF8 vulnerability
I suspect you have an older version of FCKEditor deployed in that case.

Dave Watts, CTO, Fig Leaf Software

-----Original Message-----
From: Adrian Lynch
Sent: Friday, 03 July, 2009 06:46
To: cf-talk
Subject: RE: New CF8 vulnerability

I don't seem to have the same file directory as that posted in the second link. Instead I have:

\CFIDE\scripts\ajax\FCKeditor\editor\filemanager\upload\cfm\config.cfm

and:

\CFIDE\scripts\ajax\FCKeditor\editor\filemanager\browser\default\connectors\cfm\config.cfm

Both of these files look like they are encrypted. Am I missing something?

Adrian

> -----Original Message-----
> From: Dave Watts [mailto:dwa...@figleaf.com]
> Sent: 03 July 2009 00:17
> To: cf-talk
> Subject: New CF8 vulnerability
>
> You may want to check for this on any clients/projects you've worked with:
> http://isc.sans.org/diary.html?storyid=6715
>
> Remediation steps available here:
> http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324181
Re: PHP MD5 Crypt equivalent in CF?
How did the cf hash() function's output differ from the PHP one?

mxAjax / CFAjax docs and other useful articles: http://www.bifrost.com.au/blog/

2009/7/3 Oli Rosenbladt :
>
> Hello,
>
> I am trying to use CF to compare a password encrypted with MD5 in PHP using:
>
> crypt($password, $user_salt) // where user_salt is a 12-character string like "$1$ISzYi6zf$"
>
> This results in a string like: "$1$ISzYi6zf$prff0mAKPVBHNKOlRradj1"
>
> So far, nothing I have tried in CF has allowed me to "rebuild" the result
> 34-character string so that I can compare them to what's in the database, ie.
> I am looking to take user input, add the known salt to it, and come up with a
> 34 character string in order to compare them.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324180
RE: New CF8 vulnerability
I don't seem to have the same file directory as that posted in the second link. Instead I have:

\CFIDE\scripts\ajax\FCKeditor\editor\filemanager\upload\cfm\config.cfm

and:

\CFIDE\scripts\ajax\FCKeditor\editor\filemanager\browser\default\connectors\cfm\config.cfm

Both of these files look like they are encrypted. Am I missing something?

Adrian

> -----Original Message-----
> From: Dave Watts [mailto:dwa...@figleaf.com]
> Sent: 03 July 2009 00:17
> To: cf-talk
> Subject: New CF8 vulnerability
>
> You may want to check for this on any clients/projects you've worked with:
> http://isc.sans.org/diary.html?storyid=6715
>
> Remediation steps available here:
> http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324179
PHP MD5 Crypt equivalent in CF?
Hello,

I am trying to use CF to compare a password encrypted with MD5 in PHP using:

crypt($password, $user_salt) // where user_salt is a 12-character string like "$1$ISzYi6zf$"

This results in a string like: "$1$ISzYi6zf$prff0mAKPVBHNKOlRradj1"

So far, nothing I have tried in CF has allowed me to "rebuild" the result 34-character string so that I can compare them to what's in the database, ie. I am looking to take user input, add the known salt to it, and come up with a 34 character string in order to compare them.

Many thanks for any insights!

Oli

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324178
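Both James Holmes's question (why hash() gives a different result) and Oli's original post above come down to what PHP's crypt() does with a "$1$" salt: that prefix selects the FreeBSD MD5-crypt scheme, which is not a single MD5 of salt+password (ColdFusion's hash() returns one MD5 digest as hex) but a fixed sequence of MD5 digests, 1000 stretching rounds, and a crypt-style base64 with an interleaved byte order. The block below is an added example, not code from the thread, from PHP or from ColdFusion: a from-scratch Python implementation on hashlib.md5, written so each step can be ported to any language that exposes an MD5 primitive. The password "correct horse" is a constructed sample; the thread's stored hash was produced from a password the post does not state, so that exact value cannot be reproduced here, and the checks assert on the properties every "$1$" hash has (prefix, 34-character length, alphabet, round-trip verification).

```python
import hashlib
import hmac

# crypt(3)-style base64 alphabet: NOT the RFC 4648 alphabet.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"
ROUNDS = 1000  # fixed by the scheme; one reason "$1$" is considered legacy today


def _to64(value: int, n_chars: int) -> str:
    """Emit n_chars characters, least-significant 6 bits first."""
    out = []
    for _ in range(n_chars):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def _parse_salt(salt: str) -> bytes:
    """Accept '$1$ISzYi6zf$', '$1$ISzYi6zf', 'ISzYi6zf' or a full stored hash.

    The scheme uses at most 8 salt characters and stops at the next '$'.
    """
    s = salt.encode("utf-8")
    if s.startswith(MAGIC):
        s = s[len(MAGIC):]
    s = s.split(b"$", 1)[0]
    return s[:8]


def md5_crypt(password: str, salt: str) -> str:
    """FreeBSD/PHP MD5-crypt ("$1$") of password under salt; returns the 34-char string."""
    pw = password.encode("utf-8")
    salt_b = _parse_salt(salt)

    # Intermediate digest over password + salt + password.
    alt = hashlib.md5(pw + salt_b + pw).digest()

    # Main context: password + magic + salt, then `alt` repeated up to the password length.
    ctx = hashlib.md5(pw + MAGIC + salt_b)
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16

    # For each bit of the password length: a NUL byte for 1, the first password byte for 0.
    bits = len(pw)
    while bits:
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 rounds of key stretching with a round-dependent mix of pw, salt and the digest.
    for r in range(ROUNDS):
        h = hashlib.md5()
        h.update(pw if r & 1 else final)
        if r % 3:
            h.update(salt_b)
        if r % 7:
            h.update(pw)
        h.update(final if r & 1 else pw)
        final = h.digest()

    # Output encoding: 16 digest bytes interleaved into 22 characters.
    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return (MAGIC + salt_b).decode("ascii") + "$" + encoded


def verify(password: str, stored_hash: str) -> bool:
    """Recompute using the salt embedded in stored_hash; compare in constant time."""
    candidate = md5_crypt(password, stored_hash)
    return hmac.compare_digest(candidate.encode("ascii"), stored_hash.encode("ascii"))


if __name__ == "__main__":
    # Constructed sample: the salt from the thread with a made-up password.
    sample = md5_crypt("correct horse", "$1$ISzYi6zf$")
    print(sample, len(sample), verify("correct horse", sample))
```

verify() takes the stored string as its salt argument, so a login check needs only the database value and the user's input; the comparison goes through hmac.compare_digest so that a mismatch does not leak how many leading characters matched. The usual migration pattern when inheriting a "$1$" table is to keep this routine only for checking the existing value and to re-hash with a modern password hash as soon as a login succeeds.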
Re: problems in doing a redirect - can someone assist
Hi, thanks for your feedback - it wasn't working at the time as there was an incorrect entry in the DNS server. This has been corrected and now everything works fine - done with a permanent redirect in Apache.

Regards

On Thu, Jul 2, 2009 at 12:31 AM, Justin Scott wrote:
>
> > I still get the message that it works
> > I'm dumbfounded at present
>
> I would recommend a resource that focuses on Apache configuration, as this
> is a ColdFusion-centric mailing list.
>
> -Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324177
Re: Using iText with CFML for PDF forms
Rather than guess, why not post to the Railo list?
http://groups.google.com/group/railo?hl=en&pli=1

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324176