RE: iis7.5 connector question

2012-11-16 Thread DeMarco, Alex

Ok  phew.. thanks!

-Original Message-
From: Russ Michaels [mailto:r...@michaels.me.uk] 
Sent: Friday, November 16, 2012 7:53 PM
To: cf-talk
Subject: Re: iis7.5 connector question


It is the correct connector, for some bizarre reason Adobe never changed the 
filename to jrun_IIS7_wildcard, which clearly does cause some confusion.



On Sat, Nov 17, 2012 at 12:42 AM, DeMarco, Alex wrote:

>
> Hello All,
>
> I was reviewing this page:
>
> http://blogs.adobe.com/cfdoc/tag/coldfusion-9
>
> Specifically the section about increasing worker threads..  My 
> question is that I am using IIS7.5 (no iis6 compat mode installed) 
> yet my connector files are all jrun_iis6_wildcard  I dropped all 
> my connections and redid them and they are still jrun_ii6 .. is this correct??
>
> Everything seems to work I am just concerned that it is wrong...
>
> Thanks!
>
>
>
> Alex DeMarco
> Manager of Technical Services
> The State University of New York
> State University Plaza - Albany, New York 12246
> Tel: 518.320.1398 Fax: 518.320.1550
> Be a part of Generation SUNY: Facebook <http://www.facebook.com/generationsuny> -
> Twitter <http://www.twitter.com/generationsuny> -
> YouTube <http://www.youtube.com/generationsuny>
>
>
>
>
>
> 



~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353226
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Re: iis7.5 connector question

2012-11-16 Thread Russ Michaels

It is the correct connector, for some bizarre reason Adobe never changed
the filename to jrun_IIS7_wildcard, which clearly does cause some confusion.



On Sat, Nov 17, 2012 at 12:42 AM, DeMarco, Alex wrote:

>
> Hello All,
>
> I was reviewing this page:
>
> http://blogs.adobe.com/cfdoc/tag/coldfusion-9
>
> Specifically the section about increasing worker threads..  My question is
> that I am using IIS7.5 (no iis6 compat mode installed) yet my connector
> files are all jrun_iis6_wildcard  I dropped all my connections and
> redid them and they are still jrun_ii6 .. is this correct??
>
> Everything seems to work I am just concerned that it is wrong...
>
> Thanks!
>
>
>
> Alex DeMarco
> Manager of Technical Services
> The State University of New York
> State University Plaza - Albany, New York 12246
> Tel: 518.320.1398 Fax: 518.320.1550
> Be a part of Generation SUNY: Facebook <http://www.facebook.com/generationsuny> -
> Twitter <http://www.twitter.com/generationsuny> -
> YouTube <http://www.youtube.com/generationsuny>
>
>
>
>
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353225


iis7.5 connector question

2012-11-16 Thread DeMarco, Alex

Hello All,

I was reviewing this page:

http://blogs.adobe.com/cfdoc/tag/coldfusion-9

Specifically the section about increasing worker threads..  My question is that 
I am using IIS7.5 (no iis6 compat mode installed) yet my connector files are 
all jrun_iis6_wildcard  I dropped all my connections and redid them and 
they are still jrun_ii6 .. is this correct??

Everything seems to work I am just concerned that it is wrong...

Thanks!



Alex DeMarco
Manager of Technical Services
The State University of New York
State University Plaza - Albany, New York 12246
Tel: 518.320.1398 Fax: 518.320.1550
Be a part of Generation SUNY: Facebook - Twitter - YouTube





Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353224


Re: Running CF-32bit on Windows Server 2008 R2 64-bit

2012-11-16 Thread .jonah

Nice to know!

On 11/16/12 2:25 PM, Russ Michaels wrote:
> 32bit com won't work on 64bit windows by default.
> See this
> http://www.gfi.com/blog/32bit-object-64bit-environment/
>
> Regards
> Russ Michaels
> www.michaels.me.uk
> www.cfmldeveloper.com - Free CFML hosting for developers
> www.cfsearch.com - CF search engine
> On Nov 16, 2012 5:51 PM, "jul...@b-ravestudio.com jul...@b-ravestudio.com" <
> jul...@b-ravestudio.com> wrote:
>
>> Trying to run the 32-bit version of CF with Windows Server 2008 because of
>> problems with COM objects.
>> Verified that CF 32-bit is running, Application Pool configured to allow
>> 32-bit apps.
>> Still getting the msg about "Can not use native code: Initialisation
>> failed." when trying to instantiate a COM object.
>> Is there anything else that has to be set up to allow COM objects to be
>> called from 32-bit version of CF running under Windows Server 2008.?
>> Thanks in advance.
>> J
>>
>>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353223


Re: Running CF-32bit on Windows Server 2008 R2 64-bit

2012-11-16 Thread Russ Michaels

32bit com won't work on 64bit windows by default.
See this
http://www.gfi.com/blog/32bit-object-64bit-environment/

Regards
Russ Michaels
www.michaels.me.uk
www.cfmldeveloper.com - Free CFML hosting for developers
www.cfsearch.com - CF search engine
On Nov 16, 2012 5:51 PM, "jul...@b-ravestudio.com jul...@b-ravestudio.com" <
jul...@b-ravestudio.com> wrote:

>
> Trying to run the 32-bit version of CF with Windows Server 2008 because of
> problems with COM objects.
> Verified that CF 32-bit is running, Application Pool configured to allow
> 32-bit apps.
> Still getting the msg about "Can not use native code: Initialisation
> failed." when trying to instantiate a COM object.
> Is there anything else that has to be set up to allow COM objects to be
> called from 32-bit version of CF running under Windows Server 2008.?
> Thanks in advance.
> J
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353222


Solr CF "customX" fields indexed despite schema.xml

2012-11-16 Thread David Sifford

Hello,

We're in the process of evaluating what it's going to take to migrate from 
Verity to Solr in CF9.0.1.  It's been fairly straightforward so far, but I've 
run across something, and I'm wondering if anyone might have some advice...

We are using the custom1 through custom4 CF search fields to store information 
that we need to not be indexed (so they do not affect search results).  Verity 
seems to do this by default.  In the Solr collection directory is the config 
file schema.xml, and in that file are lines



(where "indexed" is whether or not it's indexed, and "stored" is whether or not 
the data is available with the record for use), and these lines are repeated 
for each customX field.  I have changed "indexed" to be false (default was 
true) for each of them, but after bouncing the Solr service and re-indexing, 
cfindex still seems to be indexing the data in those fields.  I believe I can 
verify that by changing data in those fields and then re-indexing, and the 
change ends up being reflected in the search results.

Has anyone ever run across this before and have any idea how to resolve this?

Thanks for any help.

-- David 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353221


here's one for the jQuery experts

2012-11-16 Thread Scott Stewart

This is all using jQueryUI so here goes...
I have an accordion inside of a tab,

$("#adminNav").tabs({
    load: function(event, ui) {
        $("#nodesMenu").accordion({
            collapsible: true,
            heightStyle: "fill",
            header: "h3"
        });
        $(ui.panel).hijack();
    }
});

  Inside of the header (h3) I have a link which takes you to the edit 
page for a particular item.. and it does, just not like I want it to
How would I intercept the href and have it come up in a div on the same 
page (inside of the same tab).

notes: the accordion is in its own div, next to that is the div that I 
want the form to show up in..
If I remove the hijack() call then the link just opens and closes the 
accordion.

here's my attempt to drill down to find the link and simply capture the 
href in an alert box.. this doesn't even seem to fire..

$("#nodesMenu h3 div.linkRight a.activeClick").click(function() {
    alert($(this).attr('href'));
    return false;
});


I'm probably missing something simple... wouldn't be the first time :)

-- 
Scott Stewart
Adobe Certified Expert / Instructor
ColdFusion 8, 9


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353220


RE: JRUN Version

2012-11-16 Thread Leigh

These links have the build numbers for most versions:

http://bigmadkev.com/blog/post.cfm/jrun-build-numbers-updaters
http://www.talkingtree.com/blog/index.cfm/2005/2/17/BuildNumbers

-Leigh



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353219


RE: JRUN Version

2012-11-16 Thread Steve LaBadie

Am I to assume that CF 9 (which I am currently installing on a new server) will 
have a newer version of jrun than my current version of MX7?

Steve LaBadie, Web Manager
East Stroudsburg University
570-422-3999
slaba...@esu.edu




-Original Message-
From: Wil Genovese [mailto:jugg...@trunkful.com] 
Sent: Friday, November 16, 2012 3:53 PM
To: cf-talk
Subject: Re: JRUN Version


That last update was for the separate download of JRUN that used to be 
available. The one shipped with ColdFusion was being updated well beyond that 
date. At least that's what I was told by persons at Adobe.



Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com

wilg...@trunkful.com
www.trunkful.com

On Nov 16, 2012, at 2:53 PM, Steve LaBadie  wrote:

> 
> From what I see on the Adobe site the last updater was October 2007.
> 
> Steve LaBadie, Web Manager
> East Stroudsburg University
> 570-422-3999
> slaba...@esu.edu
> 
> 
> 
> -Original Message-
> From: Dave Watts [mailto:dwa...@figleaf.com] 
> Sent: Friday, November 16, 2012 3:47 PM
> To: cf-talk
> Subject: Re: JRUN Version
> 
> 
>> Is jrun's version specific to the version of CF running on the server.
> 
> Not necessarily, but usually, yes. Recent versions of CF all have JRun 4, 
> with different patch levels.
> 
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
> 
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, 
> and provides the highest caliber vendor-authorized instruction at our 
> training centers, online, or onsite.
> 
> 
> 
> 



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353218


Re: JRUN Version

2012-11-16 Thread Wil Genovese

That last update was for the separate download of JRUN that used to be 
available. The one shipped with ColdFusion was being updated well beyond that 
date. At least that's what I was told by persons at Adobe.



Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com

wilg...@trunkful.com
www.trunkful.com

On Nov 16, 2012, at 2:53 PM, Steve LaBadie  wrote:

> 
> From what I see on the Adobe site the last updater was October 2007.
> 
> Steve LaBadie, Web Manager
> East Stroudsburg University
> 570-422-3999
> slaba...@esu.edu
> 
> 
> 
> -Original Message-
> From: Dave Watts [mailto:dwa...@figleaf.com] 
> Sent: Friday, November 16, 2012 3:47 PM
> To: cf-talk
> Subject: Re: JRUN Version
> 
> 
>> Is jrun's version specific to the version of CF running on the server.
> 
> Not necessarily, but usually, yes. Recent versions of CF all have JRun 4, 
> with different patch levels.
> 
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
> 
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, 
> and provides the highest caliber vendor-authorized instruction at our 
> training centers, online, or onsite.
> 
> 
> 
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353217


RE: JRUN Version

2012-11-16 Thread Steve LaBadie

From what I see on the Adobe site the last updater was October 2007.

Steve LaBadie, Web Manager
East Stroudsburg University
570-422-3999
slaba...@esu.edu



-Original Message-
From: Dave Watts [mailto:dwa...@figleaf.com] 
Sent: Friday, November 16, 2012 3:47 PM
To: cf-talk
Subject: Re: JRUN Version


> Is jrun's version specific to the version of CF running on the server.

Not necessarily, but usually, yes. Recent versions of CF all have JRun 4, with 
different patch levels.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and 
provides the highest caliber vendor-authorized instruction at our training 
centers, online, or onsite.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353216


Re: JRUN Version

2012-11-16 Thread Dave Watts

> Is jrun's version specific to the version of CF running on the server.

Not necessarily, but usually, yes. Recent versions of CF all have JRun
4, with different patch levels.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353215


JRUN Version

2012-11-16 Thread Steve LaBadie

Is jrun's version specific to the version of CF running on the server.

Steve LaBadie, Web Manager
East Stroudsburg University
570-422-3999
slaba...@esu.edu





Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353214


Re: Running CF-32bit on Windows Server 2008 R2 64-bit

2012-11-16 Thread .jonah

My understanding is that 64 bit windows does not support COM at all. So, 
it's not a matter of which version of CF you run, but rather the OS itself.

(I have to keep an old 32 bit server running for a single site that uses 
some COM objects...)

On 11/16/12 9:51 AM, jul...@b-ravestudio.com jul...@b-ravestudio.com wrote:
> Trying to run the 32-bit version of CF with Windows Server 2008 because of 
> problems with COM objects.
> Verified that CF 32-bit is running, Application Pool configured to allow 
> 32-bit apps.
> Still getting the msg about "Can not use native code: Initialisation failed." 
> when trying to instantiate a COM object.
> Is there anything else that has to be set up to allow COM objects to be 
> called from 32-bit version of CF running under Windows Server 2008.?
> Thanks in advance.
> J
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353213


Re: Security Question(s)

2012-11-16 Thread Dave Watts

> And using the cfparam tags will help stop these types of attacks?

They can, but more importantly you have to either:
- not use values from the browser directly within functions, etc
- or, identify the range of acceptable values for these, and filter accordingly.

> Is there a good cold fusion security primer online about these kinds of 
> things somewhere?

I'd start with the CF 9 Lockdown Guide - while it doesn't really talk
about secure programming specifically, it does give you an idea of the
range and functionality of vulnerabilities. That is really well
written, and I think every CF developer and server administrator
should read it.

Beyond that, Jason Dean's site, http://www.12robots.com/, has a lot of
security info that's specific to CF.

There's also the OWASP CF resources page:

https://www.owasp.org/index.php/ColdFusion_Security_Resources

Finally, though, I would recommend that you not limit yourself to
CF-specific resources. There are lots of general resources out there,
and it's very easy to draw the conclusions you need from them.

> By the way Figleaf is where I took my ColdFusion training way back when CF3 
> was the latest and greatest.

That was a long time ago!

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353212
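
Added example (not part of any poster's message, and not code from the application under discussion): one way to apply the advice in the reply above, typing each browser-supplied value with cfparam, filtering it against its acceptable values, and only then passing it to a tag or function. The parameter names, the product table and the catalog datasource are hypothetical, and only tags and functions available in ColdFusion MX 7 are used.

```cfml
<!--- Added example. url.id, url.sort, url.q, the "catalog" datasource and
      the product table are hypothetical names, not from the thread. --->

<!--- 1. Declare the expected type. cfparam throws an exception when the
         value is missing (no default given) or is not of the declared type. --->
<cfparam name="url.id"   type="integer">
<cfparam name="url.sort" type="string" default="name">
<cfparam name="url.q"    type="string" default="">

<!--- 2. Range of acceptable values: reject ids outside what the app issues. --->
<cfif url.id LT 1 OR url.id GT 999999>
    <cfthrow type="App.InvalidInput" message="id is out of range">
</cfif>

<!--- 3. Allow-list: a column name cannot be bound as a query parameter,
         so accept only known names and fall back to a safe default. --->
<cfset allowedSort = "name,price,created">
<cfif NOT ListFindNoCase(allowedSort, url.sort)>
    <cfset url.sort = "name">
</cfif>

<!--- 4. Length limit on free text before it is used anywhere else. --->
<cfif Len(url.q) GT 100>
    <cfset url.q = Left(url.q, 100)>
</cfif>

<!--- 5. Pass the checked value as a bound parameter, never by concatenation. --->
<cfquery name="getProduct" datasource="catalog">
    SELECT name, price, created
    FROM   product
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    ORDER  BY #url.sort#
</cfquery>

<!--- 6. Encode browser-supplied text on output; this does not rely on
         the global script protection filter. --->
<cfoutput>
    <p>Search: #HTMLEditFormat(url.q)#</p>
    <cfloop query="getProduct">
        <p>#HTMLEditFormat(getProduct.name)#</p>
    </cfloop>
</cfoutput>
```

The type check alone is not the filter: cfparam type="string" accepts any text, which is why the allow-list, range and length checks follow it.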


Running CF-32bit on Windows Server 2008 R2 64-bit

2012-11-16 Thread jul...@b-ravestudio.com jul...@b-ravestudio.com

Trying to run the 32-bit version of CF with Windows Server 2008 because of 
problems with COM objects.
Verified that CF 32-bit is running, Application Pool configured to allow 32-bit 
apps.
Still getting the msg about "Can not use native code: Initialisation failed." 
when trying to instantiate a COM object.
Is there anything else that has to be set up to allow COM objects to be called 
from 32-bit version of CF running under Windows Server 2008.?
Thanks in advance.
J

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353211


Re: Security Question(s)

2012-11-16 Thread Russ Michaels

Yes there are resources online regarding this type of thing, did you check
the links I sent you in my previous reply.



On Fri, Nov 16, 2012 at 4:50 PM, Jamie Bowers wrote:

>
> > > I haven't done Coldfusion since CF4, however recently have been
> > > tasked to look at a CF7MX application that has 3 security
> > > issues they are looking to fix.
> > >
> > > 1. Cross Site Scripting - I believe I have this one figured out
> > > using the Admin Panel's "Enable global script protection"
> > > 2. Format String Injection
> > > 3. Parameter Based Buffer Overflow
> > >
> > > I have been able to find generalized information on the other two
> > > issues, but nothing as it relates to CF itself. Will the "Enable
> > > global script protection" fix these other two as well or should I be
> > > looking elsewhere? Everything I am finding has to do with SQL
> > > injection and not Format String Injection, and I'm finding nothing
> > > on Parameter Based Buffer Overflow.
> >
> > First, no, enabling global script protection will not fix all three
> > issues. In fact, it's not guaranteed to fix XSS issues; although it
> > may block many XSS attacks, it doesn't prevent XSS attacks generally,
> > it just filters data for known XSS attack strings.
> >
> > XSS attacks occur when an attacker can send client-side executable
> > code (typically JavaScript, but it could be anything else that an HTML
> > page can tell a local computer to do) to your server, and your server
> > stores that and later delivers it to other users. The attack isn't
> > really targeting the server specifically, but rather those other
> > users.
> >
> > The other two things are attacks on your server, and are basically
> > similar to SQL injection: the attacker sends a value that your code
> > takes and passes directly to a function. XSS filtering has nothing to
> > do with them. For example, let's say you have a line of code like
> > this:
> >
> > 
> >
> > An attacker could inject a value there, because you're taking data
> > directly from the browser and using it to do something. Now, that
> > specific attack wouldn't be very helpful to an attacker in most cases,
> > but it shows you what I mean, I guess.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > http://training.figleaf.com/
> >
> > Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> > GSA Schedule, and provides the highest caliber vendor-authorized
> > instruction at our training centers, online, or onsite.
>
>
> And using the cfparam tags will help stop these types of attacks?
>
> Is there a good cold fusion security primer online about these kinds of
> things somewhere?
>
> By the way Figleaf is where I took my ColdFusion training way back when
> CF3 was the latest and greatest.
>
> Jamie
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353210


Re: Security Question(s)

2012-11-16 Thread Jamie Bowers

> > I haven't done Coldfusion since CF4, however recently have been
> > tasked to look at a CF7MX application that has 3 security
> > issues they are looking to fix.
> >
> > 1. Cross Site Scripting - I believe I have this one figured out
> > using the Admin Panel's "Enable global script protection"
> > 2. Format String Injection
> > 3. Parameter Based Buffer Overflow
> >
> > I have been able to find generalized information on the other two
> > issues, but nothing as it relates to CF itself. Will the "Enable
> > global script protection" fix these other two as well or should I be
> > looking elsewhere? Everything I am finding has to do with SQL
> > injection and not Format String Injection, and I'm finding nothing
> > on Parameter Based Buffer Overflow.
> 
> First, no, enabling global script protection will not fix all three
> issues. In fact, it's not guaranteed to fix XSS issues; although it
> may block many XSS attacks, it doesn't prevent XSS attacks generally,
> it just filters data for known XSS attack strings.
> 
> XSS attacks occur when an attacker can send client-side executable
> code (typically JavaScript, but it could be anything else that an HTML
> page can tell a local computer to do) to your server, and your server
> stores that and later delivers it to other users. The attack isn't
> really targeting the server specifically, but rather those other
> users.
> 
> The other two things are attacks on your server, and are basically
> similar to SQL injection: the attacker sends a value that your code
> takes and passes directly to a function. XSS filtering has nothing to
> do with them. For example, let's say you have a line of code like
> this:
> 
> 
> 
> An attacker could inject a value there, because you're taking data
> directly from the browser and using it to do something. Now, that
> specific attack wouldn't be very helpful to an attacker in most cases,
> but it shows you what I mean, I guess.
> 
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
> 
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite.


And using the cfparam tags will help stop these types of attacks?

Is there a good cold fusion security primer online about these kinds of things 
somewhere?

By the way Figleaf is where I took my ColdFusion training way back when CF3 was 
the latest and greatest.

Jamie 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353209


Re: SQL Express and CF

2012-11-16 Thread Donnie Bachan (Gmail)

You'll need to purchase the developer edition for SSIS. It's not free but
has full standard level features and is pretty affordable $50 US  at NewEgg
http://www.newegg.com/Product/Product.aspx?Item=N82E16832416455&Tpk=sql%20server%20developer

Best Regards,
Donnie Bachan
"Nitendo Vinces - By Striving You Shall Conquer"
==
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from any
computer.


On Fri, Nov 16, 2012 at 4:22 PM, Carl Von Stetten
wrote:

>
> I spoke too soon.  The installer with tools provides limited replication
> support and SSMS, but not SSIS.
> -Carl V.
>
> On 11/15/2012 4:30 PM, Carl Von Stetten wrote:
> > Starting with SQL Server Express 2008 R2 (and maybe some prior
> > versions), you can download an installer that includes the SSMS tools,
> > which I think includes SSIS as well.
> > -Carl V.
> > On 11/15/2012 1:32 PM, Mike Kear wrote:
> >> the things cut out of the express version are the kinds of things we use
> >> coldfusion for anyway.  I havent found any issues at all in connecting
> >> SQLexpress versions and Coldfusion.  The only issues I've had are to do
> >> with things like the lack of SSIS which makes things like moving data to
> >> online more difficult that's all.
> >>
> >> Cheers
> >> Mike Kear
> >> Windsor, NSW, Australia
> >> Adobe Certified Advanced ColdFusion Developer
> >> AFP Webworks
> >> http://afpwebworks.com
> >> ColdFusion 9 Enterprise, PHP, ASP, ASP.NET hosting from AUD$15/month
> >>
> >>
> >> On Fri, Nov 16, 2012 at 6:32 AM, Pete Ruckelshaus
> >> wrote:
> >>
> >>> Works just like the full version, and it's what I use on my VPS.
> >>>
> >>>
> >>> On Thu, Nov 15, 2012 at 5:23 AM, Kevin Parker <tras...@internode.on.net> wrote:
> >>>> Are there any issues using Express versions of SQL Server for
> >>>> development?
> >>>>
> >>>> Thank you
> >>>>
> >>>> Kevin Parker
> >>>> M: 0418 815 527
> >>
> >>
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353208


Re: SQL Express and CF

2012-11-16 Thread Carl Von Stetten

I spoke too soon.  The installer with tools provides limited replication 
support and SSMS, but not SSIS.
-Carl V.

On 11/15/2012 4:30 PM, Carl Von Stetten wrote:
> Starting with SQL Server Express 2008 R2 (and maybe some prior 
> versions), you can download an installer that includes the SSMS tools, 
> which I think includes SSIS as well.
> -Carl V.
> On 11/15/2012 1:32 PM, Mike Kear wrote:
>> the things cut out of the express version are the kinds of things we use
>> coldfusion for anyway.  I haven't found any issues at all in connecting
>> SQLexpress versions and Coldfusion.  The only issues I've had are to do
>> with things like the lack of SSIS which makes things like moving data to
>> online more difficult that's all.
>>
>> Cheers
>> Mike Kear
>> Windsor, NSW, Australia
>> Adobe Certified Advanced ColdFusion Developer
>> AFP Webworks
>> http://afpwebworks.com
>> ColdFusion 9 Enterprise, PHP, ASP, ASP.NET hosting from AUD$15/month
>>
>>
>> On Fri, Nov 16, 2012 at 6:32 AM, Pete Ruckelshaus 
>> wrote:
>>
>>> Works just like the full version, and it's what I use on my VPS.
>>>
>>>
>>> On Thu, Nov 15, 2012 at 5:23 AM, Kevin Parker wrote:
>>>> Are there any issues using Express versions of SQL Server for
>>>> development?
>>>>
>>>> Thank you
>>>>
>>>> Kevin Parker
>>>> M: 0418 815 527
>>
>> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353207