Re: Millions of Coldfusion sites need to apply patches
ColdFusion 7 is no longer supported by Adobe. Therefore only customers who have extended support, which you pay for, are entitled to a fix for CF7. But as has already been pointed out, just restrict your /CFIDE.

Andy

On 11 August 2010 22:17, Gerald Guido <gerald.gu...@gmail.com> wrote:
> Wait a second... According to the ProCheckUp site the vulnerability affects:
> ColdFusion MX7 7,0,0,91690 base patches
> ColdFusion MX8 8,0,1,195765 base patches
> ColdFusion MX8 8,0,1,195765 with Hotfix4
>
> And Adobe's Security bulletin says it affects ColdFusion 8.0, 8.0.1, 9.0, 9.0.1 and earlier versions for Windows, Macintosh and UNIX.
>
> Are there no patches for CF 7.01 or below?
>
> G?
>
> On Wed, Aug 11, 2010 at 4:50 PM, Procheckup news <n...@procheckup.com> wrote:
> > Millions of users of Adobe's ColdFusion programming language are at risk of losing control of their applications and websites. Penetration testing company ProCheckUp were able to access every file including usernames and passwords from a server running ColdFusion. This was completed through a directory traversal and file retrieval flaw found within ColdFusion Administrator. A standard web browser was used to carry out the attack; knowledge of the admin password is not needed. A competent attacker would be able to steal files from the server and gain access to secure areas as well, and eventually modify content or shut down the website or application.
> >
> > Richard Brain of ProCheckUp commented: "This is a trivial attack which can be performed easily by a competent engineer; ProCheckUp thanks Adobe for consciously working with us to produce a patch which fixes the traversal attack."
> >
> > By performing a simple Google search for inurl:index.cfm, over 80 million examples of sites using ColdFusion were found.
> >
> > ProCheckUp has released an advisory relating to this flaw, though will not publish the exploit code for 7 days, giving administrators time to apply the Adobe patches.
> >
> > ProCheckUp felt it unwise to delay releasing the exploit any longer, as the exploit is trivial and can be easily determined by analysing the patches. The full details of the vulnerability can be found on www.procheckup.com

~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology-Michael-Dinowitz/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336220
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
ColdFusion 9 Developer Tutorial
This has been out for a few weeks but I don't remember it being announced here so, just in case... http://www.amazon.com/ColdFusion-Developer-Tutorial-John-Farrar/dp/1849690243/

--
John Bliss
IT Professional
@jbliss (t) / http://www.brandiandjohn.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336221
CF9.0.1 Updater - stuck updating stubs?
Hi, I'm running the CF9.0.1 updater and it seems to be taking a long time doing this:

Installing... C:\Coldfusion9$$stubs

Does anyone recall seeing this message for a long time? Does it eventually finish or is it stuck?

Thank you.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336222
Re: Upgrade CF5 to CF8 and undefined session
Thanks everybody for your help. I'm confused: I didn't answer your questions because I thought that a mail was sent for every answer, and for me no mail = no answer.

I found today my stupid mistake: the name of the application was <CFAPPLICATION NAME="Xx"> in the first Application.cfm and <CFAPPLICATION NAME="xx"> in the second. CF5 didn't care, but CF8 does.

Thanks for your help. Thank you, friends.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336223
Re: getting path of not existent directory
Here's a great beginner guide: http://www.addedbytes.com/for-beginners/url-rewriting-for-beginners/

On Wed, Aug 11, 2010 at 5:58 PM, Matthew P. Smith <m...@smithwebdesign.net> wrote:
> Any way you could provide an example? I am looking here but did not see how to do what you stated.
> http://httpd.apache.org/docs/2.0/misc/rewriteguide.html
>
> On Wed, Aug 11, 2010 at 6:32 AM, Michael Grant <mgr...@modus.bz> wrote:
> > You could also use urlrewrite to rewrite /myDir/ to /myDir/index.cfm which should then meet your criteria.
> >
> > On Wed, Aug 11, 2010 at 7:25 AM, Gert Franz <gert.fr...@railo.ch> wrote:
> > > 2 solutions:
> > > 1. Either you handle it in the 404.cfm in the identical way.
> > > 2. The problem might be that the directory call isn't actually calling the index.cfm. Have you checked the default document that is called? If yes, and you use IIS, please go to IIS and check under the properties of the website in question whether the "verify that file exists" checkbox is activated. It is located under Properties/Website/Configuration (for IIS 6) and somewhere under Handler Mappings for IIS 7.
> > >
> > > HTH
> > >
> > > Greetings from Switzerland
> > > Gert Franz
> > > Railo Technologies Professional Open Source
> > > skype: gert.franz
> > > g...@getrailo.com
> > > +41 76 5680 231
> > > www.getrailo.com
> > >
> > > -----Original Message-----
> > > From: Matthew P. Smith [mailto:m...@smithwebdesign.net]
> > > Sent: Wednesday, 11 August 2010 13:12
> > > To: cf-talk
> > > Subject: getting path of not existent directory
> > >
> > > I am trying to use a custom 404 to serve more SE-friendly pages. Using application.cfc, I can properly serve this page, using the onMissingTemplate method:
> > >
> > > domain.com/art/paintings-21/index.cfm
> > >
> > > I am parsing the path obtained from #arguments.template# to get the key (21) and display the page by calling /404.cfm with the template info.
> > >
> > > I am having trouble doing the same with this, though:
> > >
> > > domain.com/art/paintings-21/
> > >
> > > It does not seem to invoke the onMissingTemplate method, and rather calls /404.cfm directly. So in the CGI scope, I have:
> > >
> > > SCRIPT_NAME=/404.cfm
> > > PATH_INFO=
> > >
> > > How can I access the /art/paintings-21/ to get the info I need? I would like the page displayed for both:
> > >
> > > domain.com/art/paintings-21/index.cfm
> > > domain.com/art/paintings-21/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336224
Re: ColdFusion 9 Developer Tutorial
John, I was one of the technical editors of the book. If people are curious, it was almost completely rewritten and additional chapters were added on things like unit testing (MXUnit) and ORM. I'm happy to see CF books selling well enough that their number is increasing ;). I just bought the CF Anthology and it's a great read too.

Rick Mason

On Thu, Aug 12, 2010 at 6:48 AM, John M Bliss <bliss.j...@gmail.com> wrote:
> This has been out for a few weeks but I don't remember it being announced here so, just in case... http://www.amazon.com/ColdFusion-Developer-Tutorial-John-Farrar/dp/1849690243/
>
> --
> John Bliss
> IT Professional
> @jbliss (t) / http://www.brandiandjohn.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336225
Re: Millions of Coldfusion sites need to apply patches
Millions of sites applying one patch is better than millions of sites applying millions of patches ^^

http://www.digitaltrends.com/computing/microsoft-issues-record-number-of-patches/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336226
Extracting data from Java ByteArrayOutputStream
I am working with a SOAP web service in CF 8.0.1 and the filecontent attribute of the cfhttp response is a java.io.ByteArrayOutputStream. If I use the toString() method to convert this to text, I can see the XML response data plus the binary image strings that I was expecting. The problem is, I am not sure how to get this information out of the ByteArrayOutputStream. So far, Google has not proved real helpful. Can anybody offer some pointers?

Thanks.

--
Jeff Chastain
http://www.admentus.com
http://ams.admentus.com

Admentus is a custom web based solutions provider, delivering business software applications, systems integration, strategic consulting, and ColdFusion application maintenance services which allow our clients to grow their business and plan for the future.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336227
Re: cfqueryparam list attribute
> null="#!isDefined('myVar') OR !ListLen(myVar)#"

Thanks Carl, I haven't actually tried both together; I've tried them by themselves (as well as isNumeric) and was unsuccessful 100% of the time. I'll give this one a try next time I find a spot where it could be used and tested.

Thank you!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336228
Re: Millions of Coldfusion sites need to apply patches
Just a reminder, we published a ColdFusion 9 Server Lockdown Guide back in June. It provides details and instructions for securing the ColdFusion Administrator. While the guide was written for ColdFusion 9 specifically, most of the tips will apply to version 6+.

http://www.adobe.com/products/coldfusion/whitepapers/pdf/91025512_cf9_lockdownguide_wp_ue.pdf

-Adam

On Thu, Aug 12, 2010 at 11:05 AM, Dan Baughman <dan.baugh...@gmail.com> wrote:
> Millions of sites applying one patch is better than millions of sites applying millions of patches ^^
>
> http://www.digitaltrends.com/computing/microsoft-issues-record-number-of-patches/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336229
Re: Extracting data from Java ByteArrayOutputStream
> I am working with a SOAP web service in CF 8.0.1 and the filecontent attribute of the cfhttp response is a java.io.ByteArrayOutputStream. If I use the toString() method to convert this to text, I can see the XML response data plus the binary image strings that I was expecting. The problem is, I am not sure how to get this information out of the ByteArrayOutputStream.

Out of curiosity, is there a reason why you're using CFHTTP to invoke a SOAP service instead of CFINVOKE? If you can't use CFINVOKE, you can probably just invoke the underlying Axis classes using Java.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsi

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336230
Re: Extracting data from Java ByteArrayOutputStream
Dave,

Per my message earlier this week (http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336189), when I try cfinvoke or createObject("webservice", ...), I am getting an AxisFault error that I cannot get around. When I use cfhttp to post, I am getting the expected response back, but in a ByteArrayOutputStream.

Thanks
-- Jeff

> > I am working with a SOAP web service in CF 8.0.1 and the filecontent attribute of the cfhttp response is a java.io.ByteArrayOutputStream. [...]
>
> Out of curiosity, is there a reason why you're using CFHTTP to invoke a SOAP service instead of CFINVOKE? If you can't use CFINVOKE, you can probably just invoke the underlying Axis classes using Java.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
> [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336231
Re: hostek.com - daily outages
> hi guys, now before I get the "use a dedicated VPS" response, I am fully aware a shared hosting account isn't going to be as solid as a VPS... however, hostek.com... we are getting "cannot read response from server" errors multiple times a day across several websites. The queries involved are very simple, querying small recordsets. The db is MySQL. Has anyone else who uses hostek.com experienced increased downtime lately?
>
> mike

Mike,

I think the problems you encountered were related to some MySQL connection pooling we added for a few servers, which caused a connection problem on a specific MySQL server, which has been corrected. If you're still having a problem with a site or sites, please contact support and have them get with me about your issue.

Brian A
Hostek.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336232
Trying to understand application.cfc...
Ok... I worked with application.cfc's for a while and things seemed to work fine, but then I had some issues and went back to old reliable application.cfm. Now, however, I'd like to try again to get a grasp on how to use application.cfc's.

First question: Why can I set the application.website variable like this:

<cffunction name="onRequestStart">
    <cfset application.website = "RickFaircloth.com">
</cffunction>

But not like this:

<cffunction name="onApplicationStart">
    <cfset application.website = "RickFaircloth.com">
</cffunction>

???

OnApplicationStart would seem to be a more logical place to set a global variable for an entire application than onRequestStart.

Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336233
re: Trying to understand application.cfc...
I do exactly that, Rick, and it works fine. All my app vars are set in onApplicationStart, except for the constants like 'name', which I set outside the methods:

<cfcomponent output="false">
    <cfscript>
        this.name = "myAppName";
        this.applicationTimeout = createTimeSpan(0, 8, 0, 0);
        ...
    </cfscript>

    <cffunction name="onApplicationStart">
        <cfset application.dsn = "myDatasource">
    </cffunction>
</cfcomponent>

From: Rick Faircloth <r...@whitestonemedia.com>
Sent: Thursday, August 12, 2010 2:10 PM
To: cf-talk <cf-talk@houseoffusion.com>
Subject: Trying to understand application.cfc...

> Ok... I worked with application.cfc's for a while and things seemed to work fine, but then I had some issues and went back to old reliable application.cfm. [...]
>
> First question: Why can I set the application.website variable like this:
> [...]
>
> OnApplicationStart would seem to be a more logical place to set a global variable for an entire application than onRequestStart.
>
> Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336234
RE: Millions of Coldfusion sites need to apply patches
Same here... restricted by internal IP address and username/password.

-----Original Message-----
From: Andrew Grosset [mailto:rushg...@yahoo.com]
Sent: Wednesday, August 11, 2010 2:08 PM
To: cf-talk
Subject: Re: Millions of Coldfusion sites need to apply patches

> phew!! for a moment I was worried
>
> > No authentication is needed; all that is needed is that the admin console is accessible to the Internet. Apply patches as described below, or restrict access to /CFIDE/administrator/ by IP address or other similar controls.
>
> this line is important: "restrict access to /CFIDE/administrator/ by IP address or other similar controls"
>
> this should be mandatory irrespective of the patches applied (in my opinion).
>
> > Millions of users of Adobe's ColdFusion programming language are at risk of losing control of their applications and websites.
> >
> > The full details of the vulnerability can be found on www.procheckup.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336235
RE: Trying to understand application.cfc...
Thanks for the reply, Jason...

Well... I swear, the first time I tried to set application.website inside onApplicationStart, I got an error saying application.website wasn't defined. Now, for some reason, it works. The only thing I added was output="false" as you have in your example.

At first, I used:

<cfcomponent>
    <cfset this.name = "siteManager">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = #createTimeSpan(0,1,0,0)#>
    <cfset this.applicationTimeout = #createTimeSpan(1,0,0,0)#>

    <cffunction name="onApplicationStart">
        <cfset application.website = "RickFaircloth.com">
    </cffunction>
</cfcomponent>

Anything wrong or missing?

-----Original Message-----
From: Jason Fisher [mailto:ja...@wanax.com]
Sent: Thursday, August 12, 2010 2:17 PM
To: cf-talk
Subject: re: Trying to understand application.cfc...

> I do exactly that, Rick, and it works fine. All my app vars are set in onApplicationStart, except for the constants like 'name', which I set outside the methods:
>
> <cfcomponent output="false">
>     <cfscript>
>         this.name = "myAppName";
>         this.applicationTimeout = createTimeSpan(0, 8, 0, 0);
>         ...
>     </cfscript>
>
>     <cffunction name="onApplicationStart">
>         <cfset application.dsn = "myDatasource">
>     </cffunction>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336236
Re: Millions of Coldfusion sites need to apply patches
> Is it sufficient to restrict access to /cfide/administrator?

The easiest solution is to restrict access to /CFIDE/, which unfortunately only a slight majority of ColdFusion sites have done.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336237
Re: Trying to understand application.cfc...
You should be able to set that variable in OnApplicationStart() with no problems. In fact, as you said, that's the preferred place to set it. You must have something else going on that's causing the problem.

Thanks,

Eric Cobb
ECAR Technologies, LLC
http://www.ecartech.com
http://www.cfgears.com

Rick Faircloth wrote:
> Ok... I worked with application.cfc's for a while and things seemed to work fine, but then I had some issues and went back to old reliable application.cfm. [...]
>
> First question: Why can I set the application.website variable like this:
> [...]
>
> OnApplicationStart would seem to be a more logical place to set a global variable for an entire application than onRequestStart.
>
> Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336238
RE: Trying to understand application.cfc...
Rick,

Is it highly possible that you had run the application, and then placed that code into onApplicationStart? If this is the case then the undefined variable would make sense, and why it works for you now.

Regards,
Andrew Scott
http://www.andyscott.id.au/

-----Original Message-----
From: Rick Faircloth [mailto:r...@whitestonemedia.com]
Sent: Friday, 13 August 2010 4:31 AM
To: cf-talk
Subject: RE: Trying to understand application.cfc...

> Thanks for the reply, Jason...
>
> Well... I swear, the first time I tried to set application.website inside onApplicationStart, I got an error saying application.website wasn't defined. Now, for some reason, it works. The only thing I added was output="false" as you have in your example.
>
> At first, I used:
>
> <cfcomponent>
>     <cfset this.name = "siteManager">
>     <cfset this.sessionManagement = true>
>     <cfset this.sessionTimeout = #createTimeSpan(0,1,0,0)#>
>     <cfset this.applicationTimeout = #createTimeSpan(1,0,0,0)#>
>
>     <cffunction name="onApplicationStart">
>         <cfset application.website = "RickFaircloth.com">
>     </cffunction>
> </cfcomponent>
>
> Anything wrong or missing?
>
> -----Original Message-----
> From: Jason Fisher [mailto:ja...@wanax.com]
> Sent: Thursday, August 12, 2010 2:17 PM
> To: cf-talk
> Subject: re: Trying to understand application.cfc...
>
> > I do exactly that, Rick, and it works fine. All my app vars are set in onApplicationStart, except for the constants like 'name', which I set outside the methods:
> > [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336239
Re: Millions of Coldfusion sites need to apply patches
> Is it sufficient to restrict access to /cfide/administrator?

You may also want to restrict access to /CFIDE/adminapi.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336240
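The advice running through this thread (restrict the whole /CFIDE tree, and /CFIDE/administrator and /CFIDE/adminapi in particular, to trusted addresses) can also be verified after the fact from the web server's access log. The following Python is an added example, not code from the list, from ProCheckUp or from Adobe; the internal allow-list ranges, the log format and the log lines are all constructed for the demonstration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Everything under /CFIDE/ is treated as admin-only, as the thread
# recommends; /CFIDE/administrator and /CFIDE/adminapi both fall under it.
PROTECTED_PREFIX = "/cfide/"

# Constructed allow-list of internal ranges permitted to reach the console
# (an assumption for this example; substitute your own management networks).
ADMIN_ALLOWLIST = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Apache/IIS "common" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(raw_path: str) -> str:
    """Canonicalise a request path before matching it against /CFIDE.

    Drops the query string, percent-decodes twice (so a double-encoded
    sequence does not slip past the check), folds backslashes to slashes
    and lower-cases, because the thread itself mixes /CFIDE and /cfide.
    """
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path))
    return path.replace("\\", "/").lower()


def is_admin_path(raw_path: str) -> bool:
    return normalize_path(raw_path).startswith(PROTECTED_PREFIX)


def has_traversal(raw_path: str) -> bool:
    """True if any path segment is '..' once decoding has been undone."""
    return ".." in normalize_path(raw_path).split("/")


def is_allowed_source(ip_str: str) -> bool:
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in ADMIN_ALLOWLIST)


def classify(line: str):
    """Return (verdict, ip, path) for one log line, or None if it does not parse.

    Verdicts:
      ok                           not an admin path, or an internal source
      alert:traversal-attempt      a '..' segment aimed at /CFIDE
      alert:external-admin-access  external IP received a non-error response
      warn:external-admin-blocked  external IP was refused (4xx/5xx)
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, path, status = m.group("ip"), m.group("path"), int(m.group("status"))
    if not is_admin_path(path):
        return ("ok", ip, path)
    if has_traversal(path):
        return ("alert:traversal-attempt", ip, path)
    if not is_allowed_source(ip):
        if status < 400:
            return ("alert:external-admin-access", ip, path)
        return ("warn:external-admin-blocked", ip, path)
    return ("ok", ip, path)


def scan(log_text: str):
    """Return every finding other than 'ok' from a block of log lines."""
    findings = []
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[0] != "ok":
            findings.append(result)
    return findings


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.168.1.20 - - [12/Aug/2010:10:01:03 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
203.0.113.7 - - [12/Aug/2010:10:02:11 +0000] "GET /cfide/administrator/index.cfm HTTP/1.1" 200 5120
203.0.113.7 - - [12/Aug/2010:10:02:40 +0000] "GET /CFIDE/adminapi/ HTTP/1.1" 403 221
198.51.100.9 - - [12/Aug/2010:10:03:05 +0000] "GET /CFIDE/administrator/%2e%2e/%2e%2e/somefile.txt HTTP/1.1" 200 88
203.0.113.7 - - [12/Aug/2010:10:04:00 +0000] "GET /index.cfm?page=home HTTP/1.1" 200 3000
"""

if __name__ == "__main__":
    for verdict, ip, path in scan(SAMPLE_LOG):
        print(f"{verdict:30} {ip:15} {path}")
```

A 200 on an admin path from outside the allow-list is the finding that matters most here: it means the web-server restriction the thread calls for is not in place for that path.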
RE: Trying to understand application.cfc...
Rick,

One thing I do is to place a piece of code into the onRequestStart method to reinit the application variables. This will let you set variables in the onApplicationStart method and be able to change them without having to restart ColdFusion or wait for the application to time out. In your onRequestStart() function, place the following:

<cfif StructKeyExists(URL, "reinit")>
    <cfscript>
        OnApplicationStart();
    </cfscript>
</cfif>

Then, call your website like http://www.yourwebsite.com?reinit=1

This will allow you to update your Application scoped variables if you have them all set up in the onApplicationStart() function.

Paul

Paul Day
Principal / Developer
410.241.8465
p...@nucomsolutions.com
http://www.nucomsolutions.com/

From: Rick Faircloth <r...@whitestonemedia.com>
Sent: Thursday, August 12, 2010 2:31 PM
To: cf-talk <cf-talk@houseoffusion.com>
Subject: RE: Trying to understand application.cfc...

> Thanks for the reply, Jason...
>
> Well... I swear, the first time I tried to set application.website inside onApplicationStart, I got an error saying application.website wasn't defined. Now, for some reason, it works. The only thing I added was output="false" as you have in your example.
>
> At first, I used:
>
> Anything wrong or missing?
>
> -----Original Message-----
> From: Jason Fisher [mailto:ja...@wanax.com]
> Sent: Thursday, August 12, 2010 2:17 PM
> To: cf-talk
> Subject: re: Trying to understand application.cfc...
>
> > I do exactly that, Rick, and it works fine. All my app vars are set in onApplicationStart, except for the constants like 'name', which I set outside the methods:
> >
> > this.name = "myAppName";
> > this.applicationTimeout = createTimeSpan(0, 8, 0, 0);
> > ...

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336241
RE: Trying to understand application.cfc...
That's most likely what happened...

-----Original Message-----
From: Andrew Scott [mailto:andr...@andyscott.id.au]
Sent: Thursday, August 12, 2010 2:31 PM
To: cf-talk
Subject: RE: Trying to understand application.cfc...

> Rick,
>
> Is it highly possible that you had run the application, and then placed that code into onApplicationStart? If this is the case then the undefined variable would make sense, and why it works for you now.
>
> Regards,
> Andrew Scott
> http://www.andyscott.id.au/
>
> [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336242
RE: Trying to understand application.cfc...
Thanks for the tip!

-----Original Message-----
From: Paul Day [mailto:p...@nucomsolutions.com]
Sent: Thursday, August 12, 2010 2:36 PM
To: cf-talk
Subject: RE: Trying to understand application.cfc...

> Rick,
>
> One thing I do is to place a piece of code into the onRequestStart method to reinit the application variables. This will let you set variables in the onApplicationStart method and be able to change them without having to restart ColdFusion or wait for the application to time out. [...]
>
> Then, call your website like http://www.yourwebsite.com?reinit=1
>
> This will allow you to update your Application scoped variables if you have them all set up in the onApplicationStart() function.
>
> Paul
>
> [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336243
Re: Adobe Security update: Hotfix available for ColdFusion
Secunia advisory: http://secunia.com/advisories/40909/

Being stuck on CF 7, does anyone know if locking down the CF administrator pages via Windows authentication is sufficient? (Versus the alternative of ... ?)

Thanks,
~James

> I believe it addresses a potential vulnerability in ColdFusion Administrator.
>
> --- Ben
>
>> They don't say what the vulnerability is but...
>> http://www.adobe.com/support/security/bulletins/apsb10-18.html
>>
>> --
>> Michael Dinowitz
>> Lead Author - Adobe Coldfusion Anthology
>> http://www.amazon.com/Adobe-Coldfusion-Anthology-Michael-Dinowitz/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336244
Re: Adobe Security update: Hotfix available for ColdFusion
test

On Thu, Aug 12, 2010 at 11:44 AM, James Skemp jsk...@wisbar.org wrote:

> Secunia advisory: http://secunia.com/advisories/40909/
>
> Being stuck on CF 7, does anyone know if locking down the CF administrator pages via Windows authentication is sufficient? (Versus the alternative of ... ?)
>
> Thanks,
> ~James
>
>> I believe it addresses a potential vulnerability in ColdFusion Administrator.
>>
>> --- Ben
>>
>>> They don't say what the vulnerability is but...
>>> http://www.adobe.com/support/security/bulletins/apsb10-18.html
>>>
>>> --
>>> Michael Dinowitz
>>> Lead Author - Adobe Coldfusion Anthology
>>> http://www.amazon.com/Adobe-Coldfusion-Anthology-Michael-Dinowitz/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336245
Re: Adobe Security update: Hotfix available for ColdFusion
> Being stuck on CF 7, does anyone know if locking down the CF administrator pages via Windows authentication is sufficient? (Versus the alternative of ... ?)

As a related question, if I wanted to restrict access to the CF Admin, would .htaccess on CentOS Linux/Apache be sufficient? Or should I put other measures in place? If so, what other security measures would you all recommend?

As always, many TIA,

G?

On Thu, Aug 12, 2010 at 2:44 PM, James Skemp jsk...@wisbar.org wrote:

> Secunia advisory: http://secunia.com/advisories/40909/
>
> Being stuck on CF 7, does anyone know if locking down the CF administrator pages via Windows authentication is sufficient? (Versus the alternative of ... ?)
>
> Thanks,
> ~James
>
>> I believe it addresses a potential vulnerability in ColdFusion Administrator.
>>
>> --- Ben
>>
>>> They don't say what the vulnerability is but...
>>> http://www.adobe.com/support/security/bulletins/apsb10-18.html
>>>
>>> --
>>> Michael Dinowitz
>>> Lead Author - Adobe Coldfusion Anthology
>>> http://www.amazon.com/Adobe-Coldfusion-Anthology-Michael-Dinowitz/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336246
Re: Millions of Coldfusion sites need to apply patches
I get 2,800,000,000 results. If you google for inurl:*.cfm you get 259 million results.

andy

>> Richard Brain of ProCheckUp commented “This is a trivial attack which can be performed easily by a competent engineer; ProCheckUp thanks Adobe for consciously working with us to produce a patch which fixes the traversal attack. By performing a simple Google search for inurl:index.cfm, it was found that over 80 million examples of sites using Coldfusion.
>
> Gee, I thought ColdFusion was dead. Guess not
>
> Will

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336247
Re: Millions of Coldfusion sites need to apply patches
For the bare minimum, restrict access to the following directories:

    /CFIDE/adminapi/
    /CFIDE/administrator/
    /CFIDE/componentutils/
    /CFIDE/wizards/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336248
Re: Adobe Security update: Hotfix available for ColdFusion
On Thu, Aug 12, 2010 at 3:13 PM, Gerald Guido gerald.gu...@gmail.com wrote:

> As a related question, if I wanted to restrict access to the CF Admin, would .htaccess on CentOS Linux/Apache be sufficient?

Any method of securing /CFIDE/Administrator/* so that CFM pages are not executed until after the user authenticates will suffice. So Apache basic authentication and IIS integrated security both work pretty much the same as they pertain to protecting you here.

Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336249
Re: cfqueryparam list attribute
> null="#!isDefined('myVar') OR !ListLen(myVar)#"

Thanks Carl, I haven't actually tried both together; I've tried them by themselves (as well as isNumeric) and was unsuccessful 100% of the time. I'll give this one a try next time I find a spot where it could be used and tested. Thank you!

I wanted to just reply back with another modification I did, because I was still getting an error when there was no value coming through, but most likely the variable itself was defined.

    <cfqueryparam value="#isDefined('myVar') ? myVar : ''#"
                  null="#!isDefined('myVar') OR !ListLen(myVar) OR !isNumeric(myVar)#"
                  cfsqltype="cf_sql_integer" />

I simply added !isNumeric(myVar) to the null attribute, which checks whether the value is numeric or not. I thought isDefined would catch it, but again it's a field that's accepting integers, and so maybe it was passing a '' value, which is not accepted in a numeric field. Correct me if I'm wrong, please. I'm still experimenting.

So, for now this is what I'm using, though I haven't tested it on a list of integers yet. We'll see.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336250
Re: Millions of Coldfusion sites need to apply patches
Can someone pass me the Perl regex to allow the scripts folder? I'm just not getting it on my own. So the rule would match anything that contains /CFIDE/ *except* /CFIDE/SCRIPTS/, case insensitive.

Thanks in advance for saving me hours and hours of trial and error.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336251
Re: Millions of Coldfusion sites need to apply patches
On Thu, Aug 12, 2010 at 4:21 PM, Tony Bentley cascadefreehee...@gmail.com wrote:

> Can someone pass me the Perl regex to allow the scripts folder? I'm just not getting it on my own. So the rule would match anything that contains /CFIDE/ *except* /CFIDE/SCRIPTS/, case insensitive.

You can put the /CFIDE/scripts/ folder anywhere you want, just put it somewhere (eg /cf-scripts/), and change the setting in ColdFusion Administrator (Script Src on the Settings page).

--
Pete Freitag
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336252
Re: Millions of Coldfusion sites need to apply patches
Thanks Pete. Unfortunately, I'm dealing with a virtual directory issue and ghetto architecture in IIS. I was able to figure out how to lock it down using the firewall and HTTP proxy rules.

On Thu, Aug 12, 2010 at 2:09 PM, Pete Freitag p...@foundeo.com wrote:

> On Thu, Aug 12, 2010 at 4:21 PM, Tony Bentley cascadefreehee...@gmail.com wrote:
>
>> Can someone pass me the Perl regex to allow the scripts folder? I'm just not getting it on my own. So the rule would match anything that contains /CFIDE/ *except* /CFIDE/SCRIPTS/, case insensitive.
>
> You can put the /CFIDE/scripts/ folder anywhere you want, just put it somewhere (eg /cf-scripts/), and change the setting in ColdFusion Administrator (Script Src on the Settings page).
>
> --
> Pete Freitag
> http://foundeo.com/ - ColdFusion Consulting Products
> http://petefreitag.com/ - My Blog
> http://hackmycf.com - Is your ColdFusion Server Secure?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336253
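Andy's list of directories to restrict, Rick's point that any web-server authentication in front of /CFIDE/administrator/ is enough because the CFM pages then never execute for an unauthenticated caller, and Tony's request for a case-insensitive rule that matches everything under /CFIDE/ except /CFIDE/scripts/ can all be expressed in one Apache rule. What follows is an added example written for this page; it is not configuration posted by anyone in the thread nor anything shipped by Adobe. It assumes Apache 2.4 "Require" syntax, a hypothetical admin network of 10.0.0.0/8 and a hypothetical htpasswd file at /etc/httpd/cfadmin.htpasswd, and it belongs in the server or virtual-host configuration, not in .htaccess, because Apache does not allow <LocationMatch> there.

```apache
# Added example (not from the thread): fence off the ColdFusion administrative
# URL space at the web server so a request never reaches ColdFusion unless the
# caller is on the admin network AND has authenticated.
#
# Assumptions: Apache 2.4, admin network 10.0.0.0/8, password file created with
#   htpasswd -c /etc/httpd/cfadmin.htpasswd cfadmin
# Both the network and the file path are placeholders; change them.

# (?i) makes the match case-insensitive, so /cfide/Administrator/ is covered.
# The PCRE negative lookahead (?!scripts/) is the "anything containing /CFIDE/
# except /CFIDE/scripts/" rule Tony asked for: the client-side assets that
# ColdFusion serves from /CFIDE/scripts/ stay public, everything else under
# /CFIDE/ (adminapi, administrator, componentutils, wizards and the rest) is
# gated.
<LocationMatch "(?i)^/CFIDE/(?!scripts/)">
    AuthType Basic
    AuthName "ColdFusion Administrator"
    AuthUserFile /etc/httpd/cfadmin.htpasswd
    # RequireAll: the source address check and the login must BOTH pass.
    # Drop the "Require ip" line if admins need to reach it from anywhere,
    # but then Basic auth is the only thing in the way.
    <RequireAll>
        Require ip 10.0.0.0/8
        Require valid-user
    </RequireAll>
</LocationMatch>
```

A few things to check after adding this. Basic authentication sends the password base64-encoded on every request, so serve the administrator only over HTTPS. If you follow Pete's suggestion and point the Administrator's "Script Src" setting at a copy of the scripts folder elsewhere (for example /cf-scripts/), you can drop the lookahead and lock down all of /CFIDE/. Apache rules only protect requests that come through Apache: if ColdFusion's built-in web server is still enabled (port 8500 by default on a standalone install), it serves /CFIDE/administrator/ directly and needs to be firewalled separately, which is the kind of firewall rule Tony ended up using. On Apache 2.2 the equivalent is Order/Allow/Deny plus "Satisfy All" in place of Require and RequireAll. Finally, verify the rule with a browser and with odd spellings of the path (mixed case, a double slash, %2F) to confirm your Apache version canonicalizes the URL before the Location match runs.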