RE: Beta Tester Wanted for new CF (MVC) Framework
I disagree Russ

-Original Message-
From: Dave Watts [mailto:dwa...@figleaf.com]
Sent: 07 January 2011 16:14
To: cf-talk
Subject: Re: Beta Tester Wanted for new CF (MVC) Framework

> I'm not going head to head with anyone. I just know I've come to my
> conclusions about SEO based on personal experience and the opinions of
> others in this community who I respect. The owner of this list being
> one of them. I don't really care to argue about. If DW thinks I'm
> wrong that's the least of my worries.

Well, that is certainly true. I'd hate for people not to disagree with me because of who I am. I'm ok with people disagreeing with me because I'm wrong - that happens quite a bit. But I only defer to facts, not "mojo".

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

~| Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340578
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: Beta Tester Wanted for new CF (MVC) Framework
> Just as a point of note. I'm not an SEO expert.

Nor am I, and I didn't say that you were, just pointing out that your argument is one that I hear people who claim to be.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340577
RE: Beta Tester Wanted for new CF (MVC) Framework
Well I know I asked for it... but I'm offended all the same (ha).

-Original Message-
From: Judah McAuley [mailto:ju...@wiredotter.com]
Sent: Friday, January 07, 2011 12:12 PM
To: cf-talk
Subject: Re: Beta Tester Wanted for new CF (MVC) Framework

No, it's fucking close to water. An old Monty Python joke. Hollywood Bowl if I recall.

On Fri, Jan 7, 2011 at 10:03 AM, Mark A. Kruger wrote:
>
> You mean not so fun when you do it but a great story to tell later??
>
> -Original Message-
> From: Judah McAuley [mailto:ju...@wiredotter.com]
> Sent: Friday, January 07, 2011 11:48 AM
> To: cf-talk
> Subject: Re: Beta Tester Wanted for new CF (MVC) Framework
>
> It's like making love in a canoe.
>
> On Fri, Jan 7, 2011 at 9:42 AM, Mark A. Kruger wrote:
>>
>> On behalf of my friends in Wisconsin... what's wrong with Old Milwaukee?
>>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340576
Re: Beta Tester Wanted for new CF (MVC) Framework
No, it's fucking close to water. An old Monty Python joke. Hollywood Bowl if I recall.

On Fri, Jan 7, 2011 at 10:03 AM, Mark A. Kruger wrote:
>
> You mean not so fun when you do it but a great story to tell later??
>
> -Original Message-
> From: Judah McAuley [mailto:ju...@wiredotter.com]
> Sent: Friday, January 07, 2011 11:48 AM
> To: cf-talk
> Subject: Re: Beta Tester Wanted for new CF (MVC) Framework
>
> It's like making love in a canoe.
>
> On Fri, Jan 7, 2011 at 9:42 AM, Mark A. Kruger wrote:
>>
>> On behalf of my friends in Wisconsin... what's wrong with Old Milwaukee?
>>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340574
Re: Beta Tester Wanted for new CF (MVC) Framework
>>It's like making love in a canoe.

+1 That's not a beer. THIS is a beer:
tp:// stickandballguy.com/blog/wp-content/uploads/2009/08/baltika9.jpg

>> You mean not so fun when you do it but a great story to tell later??

It is F-ing close to water.

G!

On Fri, Jan 7, 2011 at 12:48 PM, Judah McAuley wrote:
>
> It's like making love in a canoe.
>
> On Fri, Jan 7, 2011 at 9:42 AM, Mark A. Kruger wrote:
> >
> > On behalf of my friends in Wisconsin... what's wrong with Old Milwaukee?
> >

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340573
Re: Beta Tester Wanted for new CF (MVC) Framework
F**king close to water

On Fri, Jan 7, 2011 at 1:03 PM, Mark A. Kruger wrote:
>
> You mean not so fun when you do it but a great story to tell later??
>
> -Original Message-
> From: Judah McAuley [mailto:ju...@wiredotter.com]
> Sent: Friday, January 07, 2011 11:48 AM
> To: cf-talk
> Subject: Re: Beta Tester Wanted for new CF (MVC) Framework
>
> It's like making love in a canoe.
>
> On Fri, Jan 7, 2011 at 9:42 AM, Mark A. Kruger wrote:
> >
> > On behalf of my friends in Wisconsin... what's wrong with Old Milwaukee?
> >

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340572
RE: Beta Tester Wanted for new CF (MVC) Framework
You mean not so fun when you do it but a great story to tell later??

-Original Message-
From: Judah McAuley [mailto:ju...@wiredotter.com]
Sent: Friday, January 07, 2011 11:48 AM
To: cf-talk
Subject: Re: Beta Tester Wanted for new CF (MVC) Framework

It's like making love in a canoe.

On Fri, Jan 7, 2011 at 9:42 AM, Mark A. Kruger wrote:
>
> On behalf of my friends in Wisconsin... what's wrong with Old Milwaukee?
>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340571
Re: Beta Tester Wanted for new CF (MVC) Framework
> On behalf of my friends in Wisconsin... what's wrong with Old Milwaukee?

If you get full before you get drunk, something's not right.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340570
Re: Beta Tester Wanted for new CF (MVC) Framework
It's like making love in a canoe.

On Fri, Jan 7, 2011 at 9:42 AM, Mark A. Kruger wrote:
>
> On behalf of my friends in Wisconsin... what's wrong with Old Milwaukee?
>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340569
RE: Beta Tester Wanted for new CF (MVC) Framework
On behalf of my friends in Wisconsin... what's wrong with Old Milwaukee?

-Original Message-
From: Dave Watts [mailto:dwa...@figleaf.com]
Sent: Friday, January 07, 2011 10:16 AM
To: cf-talk
Subject: Re: Beta Tester Wanted for new CF (MVC) Framework

> Plus I think he's an Old Milwaukee guy (chi tea? Ouch!)

Fortunately, at this stage of my life I can do a bit better than Old Milwaukee! I just went to Belgium recently - now that's some good beer.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340568
Re: Beta Tester Wanted for new CF (MVC) Framework
Just as a point of note. I'm not an SEO expert. I don't call myself an SEO expert. I don't even offer SEO services other than the routine methodology I employ when building a site. These aren't the droids you're looking for.

On Fri, Jan 7, 2011 at 9:51 AM, Justin Scott wrote:
>
> > And when it comes to SEO mojo why risk it?
>
> That's a non-argument that I hear from so-called "SEO experts" all the time
> with little or no data to back it up. It's a fear-based approach that
> really has no validity in and of itself. Show me a controlled experiment.
> Show me a definitive statement from Matt Cutts. But please don't lower it
> to the level of insurance sales.
>
> -Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340565
Re: Beta Tester Wanted for new CF (MVC) Framework
Well Dave, I would say in that instance, their Mojo would just be considered their tried and true techniques to get results. Just as all of us developers use tried and true functions, frameworks, etc... which give us advantages, or Mojo, over other development companies. I do agree that it is presented as something special, I too ignore that...

Dave McGraw - Oyova Software
http://www.oyova.com

On Fri, Jan 7, 2011 at 11:09 AM, Dave Watts wrote:
>
> > So you're reacting to the word mojo?
>
> Yeah, I am. Because, in every other area of computing, when you do
> something you can measure and verify the effects. Once you lose that
> ability to measure, you don't have anything worth buying.
>
> > You seem to have a personal axe to grind here. Did you get taken by an SEO
> > guy selling snake oil?
>
> No. My company does some SEO work, as an adjunct to custom application
> development, CMS deployment, etc. But without fail so far, almost
> everybody I've met who works solely with SEO implies that it's some
> secret dark art with secret knowledge. And that's bullshit. I have a
> low tolerance for bullshit.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340564
Re: Beta Tester Wanted for new CF (MVC) Framework
> Plus I think he's an Old Milwaukee guy (chi tea? Ouch!)

Fortunately, at this stage of my life I can do a bit better than Old Milwaukee! I just went to Belgium recently - now that's some good beer.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340563
Re: Beta Tester Wanted for new CF (MVC) Framework
> I'm not going head to head with anyone. I just know I've come to my
> conclusions about SEO based on personal experience and the opinions of
> others in this community who I respect. The owner of this list being one of
> them. I don't really care to argue about. If DW thinks I'm wrong that's the
> least of my worries.

Well, that is certainly true. I'd hate for people not to disagree with me because of who I am. I'm ok with people disagreeing with me because I'm wrong - that happens quite a bit. But I only defer to facts, not "mojo".

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340562
Re: Beta Tester Wanted for new CF (MVC) Framework
> So you're reacting to the word mojo?

Yeah, I am. Because, in every other area of computing, when you do something you can measure and verify the effects. Once you lose that ability to measure, you don't have anything worth buying.

> You seem to have a personal axe to grind here. Did you get taken by an SEO
> guy selling snake oil?

No. My company does some SEO work, as an adjunct to custom application development, CMS deployment, etc. But without fail so far, almost everybody I've met who works solely with SEO implies that it's some secret dark art with secret knowledge. And that's bullshit. I have a low tolerance for bullshit.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340561
RE: Beta Tester Wanted for new CF (MVC) Framework
I'm not trying to rob you Bilbo... I'm trying to help you.

-mk

-Original Message-
From: Michael Grant [mailto:mgr...@modus.bz]
Sent: Friday, January 07, 2011 5:25 AM
To: cf-talk
Subject: Re: Beta Tester Wanted for new CF (MVC) Framework

I'm not going head to head with anyone. I just know I've come to my conclusions about SEO based on personal experience and the opinions of others in this community who I respect. The owner of this list being one of them. I don't really care to argue about. If DW thinks I'm wrong that's the least of my worries.

And it seems we all have sites in the top ten. The one I spent three years building rank for is #1 in just about all it's keyword areas and at least top five in the rest. Just because I call it mojo doesn't mean I'm mystified by SEO. Nor does it mean that I think changing your URL is going to make you sky rocket up the charts.

On Thu, Jan 6, 2011 at 10:02 PM, Mark A. Kruger wrote:
>
> Mike, you sure you want to go head to head with DW? Seems risky :) Plus I
> think he's an Old Milwaukee guy (chi tea? Ouch!)
>
> -Original Message-
> From: Michael Grant [mailto:mgr...@modus.bz]
> Sent: Thursday, January 06, 2011 5:24 PM
> To: cf-talk
> Subject: Re: Beta Tester Wanted for new CF (MVC) Framework
>
> Know it to be true? Nobody "knows" it except the people at Google. Why risk
> someone's hunch that's it isn't true? At best what do you gain if you're
> right? Save a few hours dev time? And at worst? You lose search engine rank
> which can have disastrous effects on a company. To me it's not worth the
> risk just to "prove the SEO guys wrong." Even if you take SEO right out of
> it, easy to read url's are nicer to look at, easier to remember and just
> plain make sense.
>
> And if you think there's no such thing as SEO mojo I think you're been
> sipping one too many chi teas.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340560
RE: Beta Tester Wanted for new CF (MVC) Framework
> And when it comes to SEO mojo why risk it?

That's a non-argument that I hear from so-called "SEO experts" all the time with little or no data to back it up. It's a fear-based approach that really has no validity in and of itself. Show me a controlled experiment. Show me a definitive statement from Matt Cutts. But please don't lower it to the level of insurance sales.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340559
Re: Beta Tester Wanted for new CF (MVC) Framework
I'm not going head to head with anyone. I just know I've come to my conclusions about SEO based on personal experience and the opinions of others in this community who I respect. The owner of this list being one of them. I don't really care to argue about. If DW thinks I'm wrong that's the least of my worries.

And it seems we all have sites in the top ten. The one I spent three years building rank for is #1 in just about all it's keyword areas and at least top five in the rest. Just because I call it mojo doesn't mean I'm mystified by SEO. Nor does it mean that I think changing your URL is going to make you sky rocket up the charts.

On Thu, Jan 6, 2011 at 10:02 PM, Mark A. Kruger wrote:
>
> Mike, you sure you want to go head to head with DW? Seems risky :) Plus I
> think he's an Old Milwaukee guy (chi tea? Ouch!)
>
> -Original Message-
> From: Michael Grant [mailto:mgr...@modus.bz]
> Sent: Thursday, January 06, 2011 5:24 PM
> To: cf-talk
> Subject: Re: Beta Tester Wanted for new CF (MVC) Framework
>
> Know it to be true? Nobody "knows" it except the people at Google. Why risk
> someone's hunch that's it isn't true? At best what do you gain if you're
> right? Save a few hours dev time? And at worst? You lose search engine rank
> which can have disastrous effects on a company. To me it's not worth the
> risk just to "prove the SEO guys wrong." Even if you take SEO right out of
> it, easy to read url's are nicer to look at, easier to remember and just
> plain make sense.
>
> And if you think there's no such thing as SEO mojo I think you're been
> sipping one too many chi teas.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340557
RE: Beta Tester Wanted for new CF (MVC) Framework
Mike, you sure you want to go head to head with DW? Seems risky :) Plus I think he's an Old Milwaukee guy (chi tea? Ouch!)

-Original Message-
From: Michael Grant [mailto:mgr...@modus.bz]
Sent: Thursday, January 06, 2011 5:24 PM
To: cf-talk
Subject: Re: Beta Tester Wanted for new CF (MVC) Framework

Know it to be true? Nobody "knows" it except the people at Google. Why risk someone's hunch that's it isn't true? At best what do you gain if you're right? Save a few hours dev time? And at worst? You lose search engine rank which can have disastrous effects on a company. To me it's not worth the risk just to "prove the SEO guys wrong." Even if you take SEO right out of it, easy to read url's are nicer to look at, easier to remember and just plain make sense.

And if you think there's no such thing as SEO mojo I think you're been sipping one too many chi teas.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340553
Re: Beta Tester Wanted for new CF (MVC) Framework
I really don't think Dave has any Axe to grind, they are after all just true facts he has stated, perhaps he may have gone a bit OTT in calling SEO experts "snake oil salesmen" though. Every field has its experts, so an SEO expert is really no different than a CSS expert or a user interface expert, that is simply their trade. But like any trade there are cowboys who profess to be experts when they are not. If you are one of those that doesn't know much about SEO then it may seem like some kind of MOJO, but really it isn't. I doubt it would take more than 1 hours research to pickup the basics. But to be fair to learn all the tricks of all the search engines would take some time, but I doubt that many people care about anything beyond yahoo, Google and Bing these days, As Dave said, a bit of common sense goes a long way with this stuff, and like him I have several sites in the top 10 with very little effort.

Russ

On Fri, Jan 7, 2011 at 12:29 AM, Michael Grant wrote:
>
> So you're reacting to the word mojo?
> You seem to have a personal axe to grind here. Did you get taken by an SEO
> guy selling snake oil?
>
> On Thu, Jan 6, 2011 at 7:22 PM, Dave Watts wrote:
>
> >
> > > Know it to be true? Nobody "knows" it except the people at Google. Why risk
> > > someone's hunch that's it isn't true? At best what do you gain if you're
> > > right? Save a few hours dev time? And at worst? You lose search engine rank
> > > which can have disastrous effects on a company. To me it's not worth the
> > > risk just to "prove the SEO guys wrong."
> >
> > Well, this is kind of silly. If you're worried about losing search
> > engine rank, you have to continue doing whatever you've been doing -
> > existing URLs have rank that new URLs won't. Even if you were doing
> > URLs badly, you wouldn't want to simply switch to a better way of
> > doing them as you'd lose the rank you've already achieved unless
> > you're willing to support the old URLs as well.
> >
> > But in any case, you might want to subscribe to Matt Cutts' RSS feed -
> > he covers a lot of this stuff pretty well, and he's at Google. He's
> > discussed URL parameters' safety in searches before, although I didn't
> > bother to Google it today.
> >
> > > And if you think there's no such thing as SEO mojo I think you're been
> > > sipping one too many chi teas.
> >
> > "SEO mojo" is a way for charlatans to make money. There are some
> > well-known, documented facts for SEO (not in any specific order):
> > - content,
> > - logical structure,
> > - unique, readable titles,
> > - readable URLs,
> > - page rank from quality links to your content,
> > - anything that might cause duplicated content (failure to use
> > redirects or canonical URLs with multiple domains, etc)
> >
> > But whenever anybody starts talking about "mojo", without being able
> > to point to clearly definable factors ... well, I call that something
> > else.
> >
> > And I'm exposed to SEO stuff fairly frequently. My company relies on
> > SEO for its training business. When you search for:
> >
> > coldfusion training
> > flash training
> > google search appliance training
> > sencha training
> > html 5 training (although not for html5 training - not sure how we'll
> > deal with that yet!)
> >
> > you'll notice we're in the top 10 results.
> >
> > > Even if you take SEO right out of it, easy to read url's are nicer to look at, easier to
> > > remember and just plain make sense.
> >
> > Sure, I recommend that to clients all the time.
> >
> > "Cool URIs don't change"
> > http://www.w3.org/Provider/Style/URI
> >
> > But that's a different discussion. If you're going to say that people
> > should use good URLs for unrelated reasons, you don't have to back
> > that up with "true facts about SEO" that aren't actually true.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > http://training.figleaf.com/
> >
> > Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> > GSA Schedule, and provides the highest caliber vendor-authorized
> > instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340552
Re: Beta Tester Wanted for new CF (MVC) Framework
So you're reacting to the word mojo?
You seem to have a personal axe to grind here. Did you get taken by an SEO guy selling snake oil?

On Thu, Jan 6, 2011 at 7:22 PM, Dave Watts wrote:
>
> > Know it to be true? Nobody "knows" it except the people at Google. Why risk
> > someone's hunch that's it isn't true? At best what do you gain if you're
> > right? Save a few hours dev time? And at worst? You lose search engine rank
> > which can have disastrous effects on a company. To me it's not worth the
> > risk just to "prove the SEO guys wrong."
>
> Well, this is kind of silly. If you're worried about losing search
> engine rank, you have to continue doing whatever you've been doing -
> existing URLs have rank that new URLs won't. Even if you were doing
> URLs badly, you wouldn't want to simply switch to a better way of
> doing them as you'd lose the rank you've already achieved unless
> you're willing to support the old URLs as well.
>
> But in any case, you might want to subscribe to Matt Cutts' RSS feed -
> he covers a lot of this stuff pretty well, and he's at Google. He's
> discussed URL parameters' safety in searches before, although I didn't
> bother to Google it today.
>
> > And if you think there's no such thing as SEO mojo I think you're been
> > sipping one too many chi teas.
>
> "SEO mojo" is a way for charlatans to make money. There are some
> well-known, documented facts for SEO (not in any specific order):
> - content,
> - logical structure,
> - unique, readable titles,
> - readable URLs,
> - page rank from quality links to your content,
> - anything that might cause duplicated content (failure to use
> redirects or canonical URLs with multiple domains, etc)
>
> But whenever anybody starts talking about "mojo", without being able
> to point to clearly definable factors ... well, I call that something
> else.
>
> And I'm exposed to SEO stuff fairly frequently. My company relies on
> SEO for its training business. When you search for:
>
> coldfusion training
> flash training
> google search appliance training
> sencha training
> html 5 training (although not for html5 training - not sure how we'll
> deal with that yet!)
>
> you'll notice we're in the top 10 results.
>
> > Even if you take SEO right out of it, easy to read url's are nicer to look at, easier to
> > remember and just plain make sense.
>
> Sure, I recommend that to clients all the time.
>
> "Cool URIs don't change"
> http://www.w3.org/Provider/Style/URI
>
> But that's a different discussion. If you're going to say that people
> should use good URLs for unrelated reasons, you don't have to back
> that up with "true facts about SEO" that aren't actually true.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340551
Re: Beta Tester Wanted for new CF (MVC) Framework
> Know it to be true? Nobody "knows" it except the people at Google. Why risk
> someone's hunch that's it isn't true? At best what do you gain if you're
> right? Save a few hours dev time? And at worst? You lose search engine rank
> which can have disastrous effects on a company. To me it's not worth the
> risk just to "prove the SEO guys wrong."

Well, this is kind of silly. If you're worried about losing search engine rank, you have to continue doing whatever you've been doing - existing URLs have rank that new URLs won't. Even if you were doing URLs badly, you wouldn't want to simply switch to a better way of doing them as you'd lose the rank you've already achieved unless you're willing to support the old URLs as well.

But in any case, you might want to subscribe to Matt Cutts' RSS feed - he covers a lot of this stuff pretty well, and he's at Google. He's discussed URL parameters' safety in searches before, although I didn't bother to Google it today.

> And if you think there's no such thing as SEO mojo I think you're been
> sipping one too many chi teas.

"SEO mojo" is a way for charlatans to make money. There are some well-known, documented facts for SEO (not in any specific order):
- content,
- logical structure,
- unique, readable titles,
- readable URLs,
- page rank from quality links to your content,
- anything that might cause duplicated content (failure to use redirects or canonical URLs with multiple domains, etc)

But whenever anybody starts talking about "mojo", without being able to point to clearly definable factors ... well, I call that something else.

And I'm exposed to SEO stuff fairly frequently. My company relies on SEO for its training business. When you search for:

coldfusion training
flash training
google search appliance training
sencha training
html 5 training (although not for html5 training - not sure how we'll deal with that yet!)

you'll notice we're in the top 10 results.

> Even if you take SEO right out of it, easy to read url's are nicer to look
> at, easier to
> remember and just plain make sense.

Sure, I recommend that to clients all the time.

"Cool URIs don't change"
http://www.w3.org/Provider/Style/URI

But that's a different discussion. If you're going to say that people should use good URLs for unrelated reasons, you don't have to back that up with "true facts about SEO" that aren't actually true.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340550
Re: Beta Tester Wanted for new CF (MVC) Framework
Know it to be true? Nobody "knows" it except the people at Google. Why risk someone's hunch that it isn't true? At best what do you gain if you're right? Save a few hours dev time? And at worst? You lose search engine rank which can have disastrous effects on a company. To me it's not worth the risk just to "prove the SEO guys wrong."

Even if you take SEO right out of it, easy to read url's are nicer to look at, easier to remember and just plain make sense.

And if you think there's no such thing as SEO mojo I think you've been sipping one too many chai teas.

On Thu, Jan 6, 2011 at 5:54 PM, Dave Watts wrote:
> > Yes they are. However I believe my original point (minus my "supporting" argument) is still valid. Well structured urls are better than url vars. Or at least that's what I've always known to be true. And when it comes to SEO mojo why risk it?
>
> URL parameters, by themselves, don't prevent a URL from being well-structured. And you clearly don't know that to be true (otherwise, the phrase "why risk it" would make no sense). And there are specific, admittedly minor, costs to URL rewriting. And finally, there's no such thing as "SEO mojo". This is a fraud perpetrated by people who want to treat SEO as a black art, and position themselves as adepts at that art. In almost all respects, search engines reward the application of common sense.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340546
Re: Beta Tester Wanted for new CF (MVC) Framework
> Yes they are. However I believe my original point (minus my "supporting" argument) is still valid. Well structured urls are better than url vars. Or at least that's what I've always known to be true. And when it comes to SEO mojo why risk it?

URL parameters, by themselves, don't prevent a URL from being well-structured. And you clearly don't know that to be true (otherwise, the phrase "why risk it" would make no sense). And there are specific, admittedly minor, costs to URL rewriting. And finally, there's no such thing as "SEO mojo". This is a fraud perpetrated by people who want to treat SEO as a black art, and position themselves as adepts at that art. In almost all respects, search engines reward the application of common sense.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340545
Re: Beta Tester Wanted for new CF (MVC) Framework
Yes they are. However I believe my original point (minus my "supporting" argument) is still valid. Well structured urls are better than url vars. Or at least that's what I've always known to be true. And when it comes to SEO mojo why risk it?

On Thu, Jan 6, 2011 at 5:03 PM, Dave Watts wrote:
> > > > It's not an issue in that Google can't crawl you. It's an issue in that Google will rank this:
> > > >
> > > > mysite.com/Cars/BMW/X3
> > > >
> > > > Higher than this:
> > > >
> > > > mysite.com?cat=cars&maker=bmw&style=x3
> > >
> > > I would be a bit surprised if that's true. Both URLs contain obvious, easily-read data. Google is full of smart people who are good at categorization.
> >
> > Well it was an example case. Most url vars aren't as easy to read as my fake example. It would probably be more like mysite.com?id=1345238
>
> Those are two different examples, and would presumably have two different outcomes.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340544
Re: Beta Tester Wanted for new CF (MVC) Framework
On Thu, Jan 6, 2011 at 4:58 AM, Michael Grant wrote:
> It's not an issue in that Google can't crawl you. It's an issue in that Google will rank this:
>
> mysite.com/Cars/BMW/X3
>
> Higher than this:
>
> mysite.com?cat=cars&maker=bmw&style=x3

Very likely but most frameworks support basic SES URLs anyway like this:

mysite.com/index.cfm/cat/cars/maker/bmw/style/x3

That works 'out of the box' with ColdBox and FW/1 at least (and probably Fusebox, I can't remember). I suspect MG and M2 can handle something like this with perhaps only a small extension. And I strongly suspect cfWheels supports this too.

If you have a routes package (like ColdBox and, I think, cfWheels?), you could easily support:

mysite.com/index.cfm/cars/bmw/x3

again, out of the box. If you want to eliminate /index.cfm, that's trivial with Apache (and reasonably easy with an IIS rewrite module).

So there's nothing inherent about front controller frameworks that make them worse for SEO ranking.
--
Sean A Corfield -- (904) 302-SEAN
Railo Technologies, Inc. -- http://getrailo.com/
An Architect's View -- http://corfield.org/

"If you're not annoying somebody, you're not really alive."
-- Margaret Atwood

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340543
Re: Beta Tester Wanted for new CF (MVC) Framework
> > > It's not an issue in that Google can't crawl you. It's an issue in that Google will rank this:
> > >
> > > mysite.com/Cars/BMW/X3
> > >
> > > Higher than this:
> > >
> > > mysite.com?cat=cars&maker=bmw&style=x3
> >
> > I would be a bit surprised if that's true. Both URLs contain obvious, easily-read data. Google is full of smart people who are good at categorization.
>
> Well it was an example case. Most url vars aren't as easy to read as my fake example. It would probably be more like mysite.com?id=1345238

Those are two different examples, and would presumably have two different outcomes.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340542
Re: Beta Tester Wanted for new CF (MVC) Framework
Well it was an example case. Most url vars aren't as easy to read as my fake example. It would probably be more like mysite.com?id=1345238

On Thu, Jan 6, 2011 at 12:09 PM, Dave Watts wrote:
> > It's not an issue in that Google can't crawl you. It's an issue in that Google will rank this:
> >
> > mysite.com/Cars/BMW/X3
> >
> > Higher than this:
> >
> > mysite.com?cat=cars&maker=bmw&style=x3
>
> I would be a bit surprised if that's true. Both URLs contain obvious, easily-read data. Google is full of smart people who are good at categorization.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340540
Re: Beta Tester Wanted for new CF (MVC) Framework
> It's not an issue in that Google can't crawl you. It's an issue in that Google will rank this:
>
> mysite.com/Cars/BMW/X3
>
> Higher than this:
>
> mysite.com?cat=cars&maker=bmw&style=x3

I would be a bit surprised if that's true. Both URLs contain obvious, easily-read data. Google is full of smart people who are good at categorization.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340516
Re: Beta Tester Wanted for new CF (MVC) Framework
> I don't think the "SEO-unfriendliness" of running everything through index.cfm has been an issue for a very long time. They used to have an issue with indexing query strings / dynamic URLs, but not any more. Maybe some of the smaller ones still do, but the major ones definitely do not. Really, if they did, Google wouldn't really even work. :)

Simple, self-describing URLs have a higher page rank than complex, non-obvious URLs. If you're trying to show up on the first page of results, good URLs do make a difference.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340515
RE: Beta Tester Wanted for new CF (MVC) Framework
I don't think google care about querystrings. I say this because I have achieved the top 3 spot for many years now for "coldfusion hosting" and don't use any SEO friendly URL's at all, it is all index.cfm?querystrings

Russ

-Original Message-
From: Mark A. Kruger [mailto:mkru...@cfwebtools.com]
Sent: 06 January 2011 14:51
To: cf-talk
Subject: RE: Beta Tester Wanted for new CF (MVC) Framework

Justin,

I used to be in your camp but I've reversed course. I now believe that having a "semantic" url actually does matter - as opposed to simply url params. I'm basing this on working with a couple of brilliant SEO guys on a very high traffic ecommerce site where they have captured and maintained their ranking (not just through url rewriting of course :)

-Mark

Mark A. Kruger, MCSE, CFG
(402) 408-3733 ext 105
Skype: markakruger
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-Original Message-
From: Justin Scott [mailto:jscott-li...@gravityfree.com]
Sent: Thursday, January 06, 2011 8:24 AM
To: cf-talk
Subject: RE: Beta Tester Wanted for new CF (MVC) Framework

> It's not an issue in that Google can't crawl you. It's
> an issue in that Google will rank this:
> mysite.com/Cars/BMW/X3
> Higher than this:
> mysite.com?cat=cars&maker=bmw&style=x3

I realize that is a common belief, but I have never seen any compelling evidence to back up the claim. If there's a statement from someone at Google (Matt Cutts most likely) which says that I'm certainly open to be more accepting and less skeptical when I hear that argument brought up.

I agree that the former is more readable to a user (who reads URLs anyway?) but I've yet to see actual evidence that it impacts rankings. If there's an article I missed I'm certainly open to references.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340508
RE: Beta Tester Wanted for new CF (MVC) Framework
Justin,

I used to be in your camp but I've reversed course. I now believe that having a "semantic" url actually does matter - as opposed to simply url params. I'm basing this on working with a couple of brilliant SEO guys on a very high traffic ecommerce site where they have captured and maintained their ranking (not just through url rewriting of course :)

-Mark

Mark A. Kruger, MCSE, CFG
(402) 408-3733 ext 105
Skype: markakruger
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-Original Message-
From: Justin Scott [mailto:jscott-li...@gravityfree.com]
Sent: Thursday, January 06, 2011 8:24 AM
To: cf-talk
Subject: RE: Beta Tester Wanted for new CF (MVC) Framework

> It's not an issue in that Google can't crawl you. It's
> an issue in that Google will rank this:
> mysite.com/Cars/BMW/X3
> Higher than this:
> mysite.com?cat=cars&maker=bmw&style=x3

I realize that is a common belief, but I have never seen any compelling evidence to back up the claim. If there's a statement from someone at Google (Matt Cutts most likely) which says that I'm certainly open to be more accepting and less skeptical when I hear that argument brought up.

I agree that the former is more readable to a user (who reads URLs anyway?) but I've yet to see actual evidence that it impacts rankings. If there's an article I missed I'm certainly open to references.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340505
RE: Beta Tester Wanted for new CF (MVC) Framework
> It's not an issue in that Google can't crawl you. It's
> an issue in that Google will rank this:
> mysite.com/Cars/BMW/X3
> Higher than this:
> mysite.com?cat=cars&maker=bmw&style=x3

I realize that is a common belief, but I have never seen any compelling evidence to back up the claim. If there's a statement from someone at Google (Matt Cutts most likely) which says that I'm certainly open to be more accepting and less skeptical when I hear that argument brought up.

I agree that the former is more readable to a user (who reads URLs anyway?) but I've yet to see actual evidence that it impacts rankings. If there's an article I missed I'm certainly open to references.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340503
Re: Beta Tester Wanted for new CF (MVC) Framework
It's not an issue in that Google can't crawl you. It's an issue in that Google will rank this:

mysite.com/Cars/BMW/X3

Higher than this:

mysite.com?cat=cars&maker=bmw&style=x3

On Thu, Jan 6, 2011 at 6:39 AM, Scott Brady wrote:
> I don't think the "SEO-unfriendliness" of running everything through index.cfm has been an issue for a very long time. They used to have an issue with indexing query strings / dynamic URLs, but not any more. Maybe some of the smaller ones still do, but the major ones definitely do not. Really, if they did, Google wouldn't really even work. :)
>
> On Wed, Jan 5, 2011 at 11:09 AM, Russ Michaels wrote:
> > I can certainly see the advantage in NOT routing everything through index.cfm, it is more SEO friendly without having to use URL rewriting etc, plus I would expect the pages to be more editable.
> > This is one annoying thing with frameworks in general, if you are not using a CMS then editing content can be a real pain as you can't just pop the page open in Dreamweaver and edit the layout as it won't display properly due to the missing formatting and CSS which is in another file.
> > And congrats for coming up with a name that does not have "cf" "cold" "fusion" or "fuse" in the name :-)
> >
> > Russ
>
> --
> Scott Brady
> http://www.scottbrady.net/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340501
Re: Beta Tester Wanted for new CF (MVC) Framework
I don't think the "SEO-unfriendliness" of running everything through index.cfm has been an issue for a very long time. They used to have an issue with indexing query strings / dynamic URLs, but not any more. Maybe some of the smaller ones still do, but the major ones definitely do not. Really, if they did, Google wouldn't really even work. :)

On Wed, Jan 5, 2011 at 11:09 AM, Russ Michaels wrote:
> I can certainly see the advantage in NOT routing everything through index.cfm, it is more SEO friendly without having to use URL rewriting etc, plus I would expect the pages to be more editable.
> This is one annoying thing with frameworks in general, if you are not using a CMS then editing content can be a real pain as you can't just pop the page open in Dreamweaver and edit the layout as it won't display properly due to the missing formatting and CSS which is in another file.
> And congrats for coming up with a name that does not have "cf" "cold" "fusion" or "fuse" in the name :-)
>
> Russ

--
Scott Brady
http://www.scottbrady.net/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340500
Re: Beta Tester Wanted for new CF (MVC) Framework
Exactly! No need to set up URL rewriting and if you want to edit content for the URL "/my-folder/my-file.cfm" then just open the file at that location and edit it. If you want to set up some URL rewriting so that the URL is "/my-folder/my-file/" (or anything else) instead, nothing in the framework will get in your way.

Oh yeah, no need to modify your traffic reporting software.

It was tempting to follow those CF naming conventions, but I managed to resist. :-)

Steve

>I can certainly see the advantage in NOT routing everything through index.cfm, it is more SEO friendly without having to use URL rewriting etc, plus I would expect the pages to be more editable.
>This is one annoying thing with frameworks in general, if you are not using a CMS then editing content can be a real pain as you can't just pop the page open in Dreamweaver and edit the layout as it won't display properly due to the missing formatting and CSS which is in another file.
>And congrats for coming up with a name that does not have "cf" "cold" "fusion" or "fuse" in the name :-)
>
>Russ

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340472
RE: Beta Tester Wanted for new CF (MVC) Framework
I can certainly see the advantage in NOT routing everything through index.cfm, it is more SEO friendly without having to use URL rewriting etc, plus I would expect the pages to be more editable.
This is one annoying thing with frameworks in general, if you are not using a CMS then editing content can be a real pain as you can't just pop the page open in Dreamweaver and edit the layout as it won't display properly due to the missing formatting and CSS which is in another file.
And congrats for coming up with a name that does not have "cf" "cold" "fusion" or "fuse" in the name :-)

Russ

-Original Message-
From: Steve Bryant [mailto:st...@bryantwebconsulting.com]
Sent: 05 January 2011 17:39
To: cf-talk
Subject: Re: Beta Tester Wanted for new CF (MVC) Framework

Russ,

Thanks for your comment and encouragement. The scrutiny is certainly valid. I don't think the problem is as serious as it first appeared, but it is with regard to all uploaded files handled by the framework so it is a pretty significant area of concern and definitely something I am glad to have others help me think through.

As to the "need" for another framework, I think I have heard that point raised about every ColdFusion framework released since Fusebox came out ("We already have Fusebox, why do we need another framework?"). In this case, I think Neptune is quite a bit different from what is out there already. For one thing, all the other major frameworks route all requests through index.cfm and Neptune doesn't. Assuming I am not the only one who dislikes this paradigm then it is worth offering it for that.

For another, I think (keeping in mind that I am biased) that it is much easier than any other framework. Almost every time I read about how to do something in another framework I think "It is easier than that for us". For anyone even a little curious, I would recommend reading the "Getting Started" section. It includes links to how to do the same thing in ModelGlue:Unity and in CFWheels. You can imagine it in other frameworks as well. See for yourself which you think is easier.

http://www.bryantwebconsulting.com/docs/neptune/installation.cfm

I'm not trying to knock other frameworks here ("easier" often depends on the problems being solved, for example) - just to point out that I think Neptune does have something different to offer than what exists already.

Thanks,

Steve

>Steve,
>
>I'm personally not sure if yet another framework is needed, we have quite a few now from simple (cfwheels or FW/1) for all singing all dancing OOP behemoths (ColdBox) but kudos for trying and I hope it works out for you.
>While I think all these security concerns are valid, and it would be gr8 if your framework handled these automatically, I think perhaps others are being a bit harsh and jumping on your back a bit quick. I wonder if the other frameworks and popular open source apps have been scrutinised like this and cover all these security bases and are this secure, I wouldn't like to bet any money on it, and I certainly know that some of the ones I have used really do little more than use CFPARAM or CFQUERYPARAM to protect against injection, and there is certainly no consideration for the temp file execution scenario. I have not read the entire conversation so I do not know the context of the file uploads inside webroot, but if this is only for installation/setup then I would not consider this a security concern as only the admin will be doing this and then presumably this feature will be disabled anyway.
>The most popular apps in the world with web based installers do not even cater for this scenario, such as wordpress for example, they simply make sure that the installer/setup no longer works once you have completed the process so that a hacker cannot get in and mess with your site.
>If that is not the context for this issue and it is uploads in general, then I guess that is a moot point.
>
>--
>Russ Michaels
>www.cfmldeveloper.com - Supporting the CF community since 1999
>FREE ColdFusion/Railo hosting for developers.
>
>blog: www.michaels.me.uk

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340471
Re: Beta Tester Wanted for new CF (MVC) Framework
Russ,

Thanks for your comment and encouragement. The scrutiny is certainly valid. I don't think the problem is as serious as it first appeared, but it is with regard to all uploaded files handled by the framework so it is a pretty significant area of concern and definitely something I am glad to have others help me think through.

As to the "need" for another framework, I think I have heard that point raised about every ColdFusion framework released since Fusebox came out ("We already have Fusebox, why do we need another framework?"). In this case, I think Neptune is quite a bit different from what is out there already. For one thing, all the other major frameworks route all requests through index.cfm and Neptune doesn't. Assuming I am not the only one who dislikes this paradigm then it is worth offering it for that.

For another, I think (keeping in mind that I am biased) that it is much easier than any other framework. Almost every time I read about how to do something in another framework I think "It is easier than that for us". For anyone even a little curious, I would recommend reading the "Getting Started" section. It includes links to how to do the same thing in ModelGlue:Unity and in CFWheels. You can imagine it in other frameworks as well. See for yourself which you think is easier.

http://www.bryantwebconsulting.com/docs/neptune/installation.cfm

I'm not trying to knock other frameworks here ("easier" often depends on the problems being solved, for example) - just to point out that I think Neptune does have something different to offer than what exists already.

Thanks,

Steve

>Steve,
>
>I'm personally not sure if yet another framework is needed, we have quite a few now from simple (cfwheels or FW/1) for all singing all dancing OOP behemoths (ColdBox) but kudos for trying and I hope it works out for you.
>While I think all these security concerns are valid, and it would be gr8 if your framework handled these automatically, I think perhaps others are being a bit harsh and jumping on your back a bit quick. I wonder if the other frameworks and popular open source apps have been scrutinised like this and cover all these security bases and are this secure, I wouldn't like to bet any money on it, and I certainly know that some of the ones I have used really do little more than use CFPARAM or CFQUERYPARAM to protect against injection, and there is certainly no consideration for the temp file execution scenario. I have not read the entire conversation so I do not know the context of the file uploads inside webroot, but if this is only for installation/setup then I would not consider this a security concern as only the admin will be doing this and then presumably this feature will be disabled anyway.
>The most popular apps in the world with web based installers do not even cater for this scenario, such as wordpress for example, they simply make sure that the installer/setup no longer works once you have completed the process so that a hacker cannot get in and mess with your site.
>If that is not the context for this issue and it is uploads in general, then I guess that is a moot point.
>
>--
>Russ Michaels
>www.cfmldeveloper.com - Supporting the CF community since 1999
>FREE ColdFusion/Railo hosting for developers.
>
>blog: www.michaels.me.uk

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340470
Re: Beta Tester Wanted for new CF (MVC) Framework
Steve,

I'm personally not sure if yet another framework is needed, we have quite a few now from simple (cfwheels or FW/1) for all singing all dancing OOP behemoths (ColdBox) but kudos for trying and I hope it works out for you.
While I think all these security concerns are valid, and it would be gr8 if your framework handled these automatically, I think perhaps others are being a bit harsh and jumping on your back a bit quick. I wonder if the other frameworks and popular open source apps have been scrutinised like this and cover all these security bases and are this secure, I wouldn't like to bet any money on it, and I certainly know that some of the ones I have used really do little more than use CFPARAM or CFQUERYPARAM to protect against injection, and there is certainly no consideration for the temp file execution scenario. I have not read the entire conversation so I do not know the context of the file uploads inside webroot, but if this is only for installation/setup then I would not consider this a security concern as only the admin will be doing this and then presumably this feature will be disabled anyway.
The most popular apps in the world with web based installers do not even cater for this scenario, such as wordpress for example, they simply make sure that the installer/setup no longer works once you have completed the process so that a hacker cannot get in and mess with your site.
If that is not the context for this issue and it is uploads in general, then I guess that is a moot point.

--
Russ Michaels
www.cfmldeveloper.com - Supporting the CF community since 1999
FREE ColdFusion/Railo hosting for developers.

blog: www.michaels.me.uk

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340462
Re: Beta Tester Wanted for new CF (MVC) Framework
Yeah, not being able to disable "execute" permissions would be annoying, but I think the other protections should still cover the possibilities pretty well. Nonetheless, that probably does deserve a note in the docs (including "we would recommend finding another host").

Just to clarify, I do think the temporary directory for processing file uploads during validation should be outside the web root. I am confident I can accomplish that without impact to the user of the framework.

Thanks,

Steve

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340458
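The upload handling discussed in this part of the thread (a staging directory outside the web root, plus a required extension whitelist), sketched in CFML as an added example; it is not Neptune's code or any poster's. The function name `acceptUpload`, its arguments and the sample paths are assumptions, and `ExpandPath("/")` is assumed to resolve to the web root.

```cfml
<!---
  Added example (not Neptune's code). Assumed names: acceptUpload, its
  arguments, and the directories passed to it.
  Flow: receive the upload in a staging directory outside the web root,
  check the extension against a whitelist, and only then move the file,
  under a server-generated name, into its final directory.

  Constructed usage (paths are placeholders):
    r = acceptUpload("photo", "jpg,png,gif",
                     "/var/app-data/upload-staging",
                     ExpandPath("/images/uploads"))
--->
<cffunction name="acceptUpload" access="public" returntype="struct" output="false">
    <cfargument name="fieldName"  type="string" required="true">
    <!--- Required, comma-delimited whitelist such as "jpg,png,pdf".
          An empty string means "allow all", so an open upload has to be
          requested explicitly and is easy to find in a code search. --->
    <cfargument name="extensions" type="string" required="true">
    <cfargument name="stagingDir" type="string" required="true">
    <cfargument name="finalDir"   type="string" required="true">

    <cfset var out      = { ok = false, reason = "", path = "" }>
    <cfset var up       = "">
    <cfset var ext      = "">
    <cfset var staged   = "">
    <cfset var sep      = CreateObject("java", "java.io.File").separator>
    <!--- Canonical paths, so "../" segments cannot hide a directory that
          really sits under the web root. Assumes "/" maps to the web root. --->
    <cfset var webRoot  = CreateObject("java", "java.io.File").init(ExpandPath("/")).getCanonicalPath()>
    <cfset var stageAbs = CreateObject("java", "java.io.File").init(arguments.stagingDir).getCanonicalPath()>

    <!--- Refuse to run if staging is the web root or below it. CFML's EQ
          ignores case, which errs on the side of refusing. --->
    <cfif Left(stageAbs & sep, Len(webRoot) + 1) EQ (webRoot & sep)>
        <cfset out.reason = "staging directory is inside the web root">
        <cfreturn out>
    </cfif>

    <!--- cffile writes the file before it can be validated, so it must land
          somewhere that cannot be requested by URL. --->
    <cffile action="upload" filefield="#arguments.fieldName#"
            destination="#stageAbs#" nameconflict="makeunique" result="up">
    <cfset staged = up.serverDirectory & sep & up.serverFile>
    <cfset ext    = LCase(up.serverFileExt)>

    <!--- Whitelist check. A file with no extension fails any non-empty list. --->
    <cfif Len(Trim(arguments.extensions)) AND NOT ListFindNoCase(arguments.extensions, ext)>
        <cffile action="delete" file="#staged#">
        <cfset out.reason = "extension not allowed: " & ext>
        <cfreturn out>
    </cfif>

    <!--- Server-generated name: the client-supplied file name never reaches
          the final directory. --->
    <cfset out.path = arguments.finalDir & sep & CreateUUID()>
    <cfif Len(ext)>
        <cfset out.path = out.path & "." & ext>
    </cfif>
    <cffile action="move" source="#staged#" destination="#out.path#">
    <cfset out.ok = true>
    <cfreturn out>
</cffunction>
```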
RE: Beta Tester Wanted for new CF (MVC) Framework
Not to mention that if there is any hosting provider that doesn't allow for this, then they should be avoided at all costs. It would be within their best interests to stop all exploits, so if they have a customer that does file uploads and that customer can't have a folder not accessible from the web, then not only is the customer at risk, but all other shares/customers and not to mention the hosting provider is at serious risk.

Any decent hosting provider does set this up, for this exact reason. So I really don't see that as an argument for not being able to move the temp directory away from the URL.

Regards,
Andrew Scott
http://www.andyscott.id.au/

> -----Original Message-----
> From: Mark A. Kruger [mailto:mkru...@cfwebtools.com]
> Sent: Wednesday, 5 January 2011 3:04 PM
> To: cf-talk
> Subject: RE: Beta Tester Wanted for new CF (MVC) Framework
>
>
> Steve,
>
> Ok... given your arguments I buy it. As long as you fully document the
> nuances involved. I would point out however that folks who are using a
> shared host with limited access to folders may also not be able to "tighten
> down" the folder's execute permissions... but you can't think of everything
> eh :)
>
> -mark
>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340456
RE: Beta Tester Wanted for new CF (MVC) Framework
Steve,

Ok... given your arguments I buy it. As long as you fully document the nuances involved. I would point out however that folks who are using a shared host with limited access to folders may also not be able to "tighten down" the folder's execute permissions... but you can't think of everything eh :)

-mark

-----Original Message-----
From: Steve Bryant [mailto:st...@bryantwebconsulting.com]
Sent: Tuesday, January 04, 2011 9:43 PM
To: cf-talk
Subject: Re: Beta Tester Wanted for new CF (MVC) Framework

Mark,

Good to know. I certainly understand about future threats, but I think this is sufficient to keep my current approach (with the modifications outlined) with only a relatively mild warning about putting files outside the web root (but a major one about white listing extensions). Maybe I will even require an extensions attribute for files so that you have to specify extensions="" if you want to allow all extensions. That does potentially have a backward compatibility issue for existing code, but still probably worth it (if we have any open file uploads, I want to know anyway).

As to why I am trying to stay with this approach, it comes down to easy installation and set-up. Neptune sites should be super-easy to set up and get going and should run in as wide a variety of platforms as possible (some hosts, for example, don't give you space outside of your own web root). Even where it can be done, it is an extra step (if only a small one). Everything about the framework is supposed to be brain-dead easy to use. Any place where I move away from "obvious and blindingly easy to use" I want to have a really compelling reason to do so. Even a small step away from this goal should have a compelling reason.

In other news, this is just the sort of feedback I was hoping for. It has been really helpful and I appreciate you guys taking the time to help me out with this. If anyone has more thoughts or suggestions, I would love to hear them.

Thanks!

Steve

>Steve,
>
>I'd say you've protected against conceivable threats with that approach -
>but I still always store files outside the web root. My problem is that my
>conceiver isn't always that great and ornery hackers have better conceivers
>than I do. Can I ask what you are trying to save with this approach? What's
>the point of doing it this way as opposed to outside of the web root?
>
>-Mark
>
>P.S. Thanks for the comments about my blog - always nice to hear!
>
>
>
>Mark,
>
>I actually remember reading that blog post when it came out (I always love
>your blog, by the way). To be honest, I don't remember if I am doing that
>validation in place or not. Certainly this does demonstrate that it
>shouldn't be done in place - and I will address that if it is.
>
>I am curious, however, about the following scenario:
>
>- The files are temporarily uploaded to another location and then validated
>and then moved to their final destination.
>- Server side checking on both mime-type AND extension
>- A black list of file extensions is maintained for file fields that do not
>have a white list of extensions (with docs advising that all files should).
>- Read/Write access but no execute access for upload folders
>- Application.cfm in the root of the uploaded folders
>
>With all of that, how serious is the threat of having the default upload
>location be inside the web root?
>
>Keeping in mind that the goal is dead-simple set up and development (though
>security, of course, cannot be ignored).
>
>Thanks,
>
>Steve
>
>>Steve,
>>
>>This is one off, but this post explains how you can exploit the latency
>>between storing the file and handling or deleting it IF you store your temp
>>file in a web root accessible folder:
>>
>>http://www.coldfusionmuse.com/index.cfm/2009/9/18/script.insertion.attack.vector
>>
>>-Mark

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340455
Re: Beta Tester Wanted for new CF (MVC) Framework
Mark,

Good to know. I certainly understand about future threats, but I think this is sufficient to keep my current approach (with the modifications outlined) with only a relatively mild warning about putting files outside the web root (but a major one about white listing extensions). Maybe I will even require an extensions attribute for files so that you have to specify extensions="" if you want to allow all extensions. That does potentially have a backward compatibility issue for existing code, but still probably worth it (if we have any open file uploads, I want to know anyway).

As to why I am trying to stay with this approach, it comes down to easy installation and set-up. Neptune sites should be super-easy to set up and get going and should run in as wide a variety of platforms as possible (some hosts, for example, don't give you space outside of your own web root). Even where it can be done, it is an extra step (if only a small one). Everything about the framework is supposed to be brain-dead easy to use. Any place where I move away from "obvious and blindingly easy to use" I want to have a really compelling reason to do so. Even a small step away from this goal should have a compelling reason.

In other news, this is just the sort of feedback I was hoping for. It has been really helpful and I appreciate you guys taking the time to help me out with this. If anyone has more thoughts or suggestions, I would love to hear them.

Thanks!

Steve

>Steve,
>
>I'd say you've protected against conceivable threats with that approach -
>but I still always store files outside the web root. My problem is that my
>conceiver isn't always that great and ornery hackers have better conceivers
>than I do. Can I ask what you are trying to save with this approach? What's
>the point of doing it this way as opposed to outside of the web root?
>
>-Mark
>
>P.S. Thanks for the comments about my blog - always nice to hear!
>
>
>
>Mark,
>
>I actually remember reading that blog post when it came out (I always love
>your blog, by the way). To be honest, I don't remember if I am doing that
>validation in place or not. Certainly this does demonstrate that it
>shouldn't be done in place - and I will address that if it is.
>
>I am curious, however, about the following scenario:
>
>- The files are temporarily uploaded to another location and then validated
>and then moved to their final destination.
>- Server side checking on both mime-type AND extension
>- A black list of file extensions is maintained for file fields that do not
>have a white list of extensions (with docs advising that all files should).
>- Read/Write access but no execute access for upload folders
>- Application.cfm in the root of the uploaded folders
>
>With all of that, how serious is the threat of having the default upload
>location be inside the web root?
>
>Keeping in mind that the goal is dead-simple set up and development (though
>security, of course, cannot be ignored).
>
>Thanks,
>
>Steve
>
>>Steve,
>>
>>This is one off, but this post explains how you can exploit the latency
>>between storing the file and handling or deleting it IF you store your temp
>>file in a web root accessible folder:
>>
>>http://www.coldfusionmuse.com/index.cfm/2009/9/18/script.insertion.attack.vector
>>
>>-Mark

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340454
RE: Beta Tester Wanted for new CF (MVC) Framework
Steve,

I'd say you've protected against conceivable threats with that approach - but I still always store files outside the web root. My problem is that my conceiver isn't always that great and ornery hackers have better conceivers than I do. Can I ask what you are trying to save with this approach? What's the point of doing it this way as opposed to outside of the web root?

-Mark

P.S. Thanks for the comments about my blog - always nice to hear!

-----Original Message-----
From: Steve Bryant [mailto:st...@bryantwebconsulting.com]
Sent: Tuesday, January 04, 2011 6:45 PM
To: cf-talk
Subject: Re: Beta Tester Wanted for new CF (MVC) Framework

Mark,

I actually remember reading that blog post when it came out (I always love your blog, by the way). To be honest, I don't remember if I am doing that validation in place or not. Certainly this does demonstrate that it shouldn't be done in place - and I will address that if it is.

I am curious, however, about the following scenario:

- The files are temporarily uploaded to another location and then validated and then moved to their final destination.
- Server side checking on both mime-type AND extension
- A black list of file extensions is maintained for file fields that do not have a white list of extensions (with docs advising that all files should).
- Read/Write access but no execute access for upload folders
- Application.cfm in the root of the uploaded folders

With all of that, how serious is the threat of having the default upload location be inside the web root?

Keeping in mind that the goal is dead-simple set up and development (though security, of course, cannot be ignored).

Thanks,

Steve

>Steve,
>
>This is one off, but this post explains how you can exploit the latency
>between storing the file and handling or deleting it IF you store your temp
>file in a web root accessible folder:
>
>http://www.coldfusionmuse.com/index.cfm/2009/9/18/script.insertion.attack.vector
>
>-Mark

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340453
RE: Beta Tester Wanted for new CF (MVC) Framework
Hmmm I think you are contradicting the scenario here.

> - The files are temporarily uploaded to another location and then validated

> With all of that, how serious is the threat of having the default upload
> location be inside the web root?

If the temp file is accessible before validation, a hacker can run the file; that is how serious it is. But if you follow your first point, then it is moot.

Regards,
Andrew Scott
http://www.andyscott.id.au/

> -----Original Message-----
> From: Steve Bryant [mailto:st...@bryantwebconsulting.com]
> Sent: Wednesday, 5 January 2011 11:45 AM
> To: cf-talk
> Subject: Re: Beta Tester Wanted for new CF (MVC) Framework
>
>
> Mark,
>
> I actually remember reading that blog post when it came out (I always love
> your blog, by the way). To be honest, I don't remember if I am doing that
> validation in place or not. Certainly this does demonstrate that it shouldn't be
> done in place - and I will address that if it is.
>
> I am curious, however, about the following scenario:
>
> - The files are temporarily uploaded to another location and then validated
> and then moved to their final destination.
> - Server side checking on both mime-type AND extension
> - A black list of file extensions is maintained for file fields that do not have a
> white list of extensions (with docs advising that all files should).
> - Read/Write access but no execute access for upload folders
> - Application.cfm in the root of the uploaded folders
>
> With all of that, how serious is the threat of having the default upload
> location be inside the web root?
>
> Keeping in mind that the goal is dead-simple set up and development
> (though security, of course, cannot be ignored).
>
> Thanks,
>
> Steve
>
> >Steve,

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340452
Re: Beta Tester Wanted for new CF (MVC) Framework
Mark,

I actually remember reading that blog post when it came out (I always love your blog, by the way). To be honest, I don't remember if I am doing that validation in place or not. Certainly this does demonstrate that it shouldn't be done in place - and I will address that if it is.

I am curious, however, about the following scenario:

- The files are temporarily uploaded to another location and then validated and then moved to their final destination.
- Server side checking on both mime-type AND extension
- A black list of file extensions is maintained for file fields that do not have a white list of extensions (with docs advising that all files should).
- Read/Write access but no execute access for upload folders
- Application.cfm in the root of the uploaded folders

With all of that, how serious is the threat of having the default upload location be inside the web root?

Keeping in mind that the goal is dead-simple set up and development (though security, of course, cannot be ignored).

Thanks,

Steve

>Steve,
>
>This is one off, but this post explains how you can exploit the latency
>between storing the file and handling or deleting it IF you store your temp
>file in a web root accessible folder:
>
>http://www.coldfusionmuse.com/index.cfm/2009/9/18/script.insertion.attack.vector
>
>-Mark

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340451
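The upload flow from the scenario above, with the temporary location outside the web root as the linked post advises, written out as an added CFML example that is not part of the thread and is not Neptune's code. The form field name `upload`, the image-only white list and the `application.uploadDirectory` setting are assumptions made for the example.

```cfml
<!--- Added example. Assumptions: a form field named "upload", an
      image-only white list, and a hypothetical application.uploadDirectory
      setting that holds the final destination. --->
<cfset allowedExtensions = "png,jpg,jpeg,gif">
<cfset rejectReason = "">

<!--- 1. Receive the file into the server temp directory, which on a
         standard install is outside the web root, so no URL maps to the
         file while it is waiting to be validated. The browser-supplied
         MIME type is not used for any decision here. --->
<cffile action="upload"
        filefield="upload"
        destination="#getTempDirectory()#"
        nameconflict="makeunique"
        result="uploaded">
<cfset tempPath = uploaded.serverDirectory & "/" & uploaded.serverFile>

<!--- 2. White list check on the extension of the file as saved on the
         server. 3. Content check: isImageFile() has the server try to
         read the file as an image, so a script renamed to .png fails. --->
<cfif NOT listFindNoCase(allowedExtensions, uploaded.serverFileExt)>
    <cfset rejectReason = "extension not on the white list">
<cfelseif NOT isImageFile(tempPath)>
    <cfset rejectReason = "content is not a readable image">
</cfif>

<cfif len(rejectReason)>
    <!--- Rejected files are deleted from the temp directory and never
          reach a folder that can be requested by URL. --->
    <cffile action="delete" file="#tempPath#">
    <cfoutput>Upload rejected: #htmlEditFormat(rejectReason)#</cfoutput>
<cfelse>
    <!--- 4. Only a validated file is moved to its final destination,
             under a server-generated name and a white-listed extension,
             so the client never chooses the stored file name. --->
    <cfset finalName = createUUID() & "." & lCase(uploaded.serverFileExt)>
    <cffile action="move"
            source="#tempPath#"
            destination="#application.uploadDirectory#/#finalName#">
    <cfoutput>Stored as #htmlEditFormat(finalName)#</cfoutput>
</cfif>
```

The no-execute permission on the upload folder and the Application.cfm in it, the last two items of the scenario, are server and folder configuration and sit alongside this code rather than inside it.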
Re: Beta Tester Wanted for new CF (MVC) Framework
On Tue, Jan 4, 2011 at 8:27 AM, Steve Bryant wrote:
> I think it is quite a bit unlike any other ColdFusion framework out there. It
> isn't hub-and-spoke (where all requests are routed through index.cfm, for
> example). It doesn't require OO. It does, however, provide pretty significant
> automation and allow for very concise (but still expressive) code.

I notice that layouts are provided through CFCs that output HTML. The example shows the convolutions needed to avoid extraneous whitespace, such as running functions together:

... ...

(and I believe your example still generates unwanted whitespace since you have a blank line between your opening tag and the first tag?).

This seems to be worst of both worlds to me. Have you considered using custom tags or plain old include files for the elements of the layout instead?

--
Sean A Corfield -- (904) 302-SEAN
Railo Technologies, Inc. -- http://getrailo.com/
An Architect's View -- http://corfield.org/

"If you're not annoying somebody, you're not really alive."
-- Margaret Atwood

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340448
Re: Beta Tester Wanted for new CF (MVC) Framework
Yeah... I second this... Anyone who sets up to create something more than a random assortment of code, deserves a nod.

-Dave
Oyova Software, LLC
www.oyova.com

On Tue, Jan 4, 2011 at 6:23 PM, Mark A. Kruger wrote:
>
> Steve,
>
> In spite of the small hornet's nest you stepped in let me congratulate you
> on your framework and thank you for putting yourself out there. As a blogger
> who has to accept every criticism with a smile (or perhaps I should say
> "chooses" to accept)... and a sense of humor, I appreciate what it takes to
> let the community - even a nice one like CF - see and work with your stuff.
> Thanks from all of us :)
>
> -mark
>
>
>
> Mark A. Kruger, MCSE, CFG
> (402) 408-3733 ext 105
> Skype: markakruger
> www.cfwebtools.com
> www.coldfusionmuse.com
> www.necfug.com
>
>
>
> -----Original Message-----
> From: Steve Bryant [mailto:st...@bryantwebconsulting.com]
> Sent: Tuesday, January 04, 2011 4:53 PM
> To: cf-talk
> Subject: Re: Beta Tester Wanted for new CF (MVC) Framework
>
>
> Ian,
>
> I'm not sure that is exactly accurate. A mime-type can certainly be spoofed,
> no debate there. A file extension can be *changed*, but (unless I understand
> incorrectly), the server is going to decide how to handle a file based on
> the extension.
>
> So, for example, you may save a ColdFusion file as .png. At which point you
> can upload as an image in my framework. When it is requested in the URL,
> however, it is just an invalid image. CFAS will never process it because
> .png isn't on the list of file types for it to process. Even if it was,
> Application.cfm would run first and abort the process.
>
> Even if you did that with a .exe, the client computer wouldn't try to
> execute the code. It would just see it as an invalid image.
>
> If I am wrong on any of this, of course, I would love to know.
>
> I suppose I should bring up at the point why I have the default location
> where it is. It comes down to this: Easy installation and set-up. Neptune
> sites should be super-easy to set up and get going and should run in as wide
> a variety of platforms as possible (some hosts, for example, don't give you
> space outside of your own web root).
>
> If the security implications of this are truly horrifying, of course, I
> could reconsider, but everything about the framework is supposed to be
> brain-dead easy to use. Any place where I move away from "blindingly easy to
> use" I want to have a really compelling reason to do so.
>
> Thanks,
>
> Steve
>
> >Both mime types and file extensions can be spoofed by a hacker as both
> >are just data that hackers can manipulate on their end of the
> >client-server relationship. Unless you are running code that actually
> >inspects the content of the file to confirm that it matches the file
> >type and the mime type reported by the http headers (which are trivial
> >to set by users who know how from the client) in the request, you are
> >opening a vulnerability here. Even if you do check, the file is
> >already uploaded while the checking is occurring, and a hacker can take
> >advantage of the delay to execute his code before your validation has a
> >chance to reject the file.
> >
> >And ALL of this is based on what the hackers are doing today with
> >today's vulnerabilities. Why leave your framework in a position where
> >it would be at risk if hackers figure out tomorrow some other way to
> >hide code in innocent looking files and execute it if the file is under
> >a web root.
> >

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340447
RE: Beta Tester Wanted for new CF (MVC) Framework
Steve,

In spite of the small hornet's nest you stepped in let me congratulate you on your framework and thank you for putting yourself out there. As a blogger who has to accept every criticism with a smile (or perhaps I should say "chooses" to accept)... and a sense of humor, I appreciate what it takes to let the community - even a nice one like CF - see and work with your stuff. Thanks from all of us :)

-mark

Mark A. Kruger, MCSE, CFG
(402) 408-3733 ext 105
Skype: markakruger
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: Steve Bryant [mailto:st...@bryantwebconsulting.com]
Sent: Tuesday, January 04, 2011 4:53 PM
To: cf-talk
Subject: Re: Beta Tester Wanted for new CF (MVC) Framework

Ian,

I'm not sure that is exactly accurate. A mime-type can certainly be spoofed, no debate there. A file extension can be *changed*, but (unless I understand incorrectly), the server is going to decide how to handle a file based on the extension.

So, for example, you may save a ColdFusion file as .png. At which point you can upload as an image in my framework. When it is requested in the URL, however, it is just an invalid image. CFAS will never process it because .png isn't on the list of file types for it to process. Even if it was, Application.cfm would run first and abort the process.

Even if you did that with a .exe, the client computer wouldn't try to execute the code. It would just see it as an invalid image.

If I am wrong on any of this, of course, I would love to know.

I suppose I should bring up at the point why I have the default location where it is. It comes down to this: Easy installation and set-up. Neptune sites should be super-easy to set up and get going and should run in as wide a variety of platforms as possible (some hosts, for example, don't give you space outside of your own web root).

If the security implications of this are truly horrifying, of course, I could reconsider, but everything about the framework is supposed to be brain-dead easy to use. Any place where I move away from "blindingly easy to use" I want to have a really compelling reason to do so.

Thanks,

Steve

>Both mime types and file extensions can be spoofed by a hacker as both
>are just data that hackers can manipulate on their end of the
>client-server relationship. Unless you are running code that actually
>inspects the content of the file to confirm that it matches the file
>type and the mime type reported by the http headers (which are trivial
>to set by users who know how from the client) in the request, you are
>opening a vulnerability here. Even if you do check, the file is
>already uploaded while the checking is occurring, and a hacker can take
>advantage of the delay to execute his code before your validation has a
>chance to reject the file.
>
>And ALL of this is based on what the hackers are doing today with
>today's vulnerabilities. Why leave your framework in a position where
>it would be at risk if hackers figure out tomorrow some other way to
>hide code in innocent looking files and execute it if the file is under
>a web root.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340446
RE: Beta Tester Wanted for new CF (MVC) Framework
Steve,

This is one off, but this post explains how you can exploit the latency between storing the file and handling or deleting it IF you store your temp file in a web root accessible folder:

http://www.coldfusionmuse.com/index.cfm/2009/9/18/script.insertion.attack.vector

-Mark

Mark A. Kruger, MCSE, CFG
(402) 408-3733 ext 105
Skype: markakruger
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: Steve Bryant [mailto:st...@bryantwebconsulting.com]
Sent: Tuesday, January 04, 2011 4:15 PM
To: cf-talk
Subject: Re: Beta Tester Wanted for new CF (MVC) Framework

David,

That is certainly another point altogether. As I said, the framework does allow you to configure location and URL path for uploaded files which *should* allow a URL path like "/file.cfm?file=". I have added testing that as a relatively high-priority task for my next round of work on the framework.

Thanks,

Steve

>To further Andrew's Point,
>We typically create a script to deliver the requested file so we can run a
>bit of CF to properly name the file and ensure the user has a valid
>permission to even request it. So with our basic framework we usually have
>a download.cfm script which will serve it up if all looks good. Of course
>this isn't going to work for public sites where you want to take advantage
>of SEO spidering and all that. However, as far as a base framework
>concept, I think they are on the right track, and someone needs to submit an
>improvement to the core and address this issue... Ahh the power of Open
>Source Development...

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340445
RE: Beta Tester Wanted for new CF (MVC) Framework
As long as you are aware that while your code is doing the validation a hacker can still run the uploaded file.

Regards,
Andrew Scott
http://www.andyscott.id.au/

> -----Original Message-----
> From: Steve Bryant [mailto:st...@bryantwebconsulting.com]
> Sent: Wednesday, 5 January 2011 10:06 AM
> To: cf-talk
> Subject: Re: Beta Tester Wanted for new CF (MVC) Framework
>
>
> Andrew,
>
> Definitely a good point which is why I mentioned modifying the framework
> to have black-listed file extensions that would have to be explicitly allowed
> for a field.
>
> I do think, however, that I should have a note on the section about uploading
> files that a list of allowed extensions should *always* be used. That, to me, is
> the real point of vulnerability where I should have big red letters say "Look
> out!".
>
> As to Pete's link, I had read that one and I still believe that it is a warning
> primarily about mime-type but I think it would make a great page to link to
> from the documentation.
>
> Thanks,
>
> Steve
>
> >What about *.jsp files, or even aspx or asp files?
> >
> >
> >Regards,
> >Andrew Scott
> >http://www.andyscott.id.au/
> >
> >
> >
> >> Ian,
> >>
> >> Even if it was, Application.cfm
> >> would run first and abort the process.
> >>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340444
Re: Beta Tester Wanted for new CF (MVC) Framework
Andrew,

Definitely a good point which is why I mentioned modifying the framework to have black-listed file extensions that would have to be explicitly allowed for a field.

I do think, however, that I should have a note on the section about uploading files that a list of allowed extensions should *always* be used. That, to me, is the real point of vulnerability where I should have big red letters say "Look out!".

As to Pete's link, I had read that one and I still believe that it is a warning primarily about mime-type but I think it would make a great page to link to from the documentation.

Thanks,

Steve

>What about *.jsp files, or even aspx or asp files?
>
>
>Regards,
>Andrew Scott
>http://www.andyscott.id.au/
>
>
>
>> Ian,
>>
>> Even if it was, Application.cfm
>> would run first and abort the process.
>>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340443
Re: Beta Tester Wanted for new CF (MVC) Framework
Right, Andrew is spot on, you don't want someone writing a CFM script, or any script which can do a cffile action on your website... By ensuring the files which are uploaded from users residing outside the webroot, IIS won't even prompt CF to execute the script, therefore it's just a text file with a .cfm extension.

So, with all these back and forth, just re-factor your framework to, By Default, be configured to upload to a non web root folder.

On Tue, Jan 4, 2011 at 6:01 PM, Andrew Scott wrote:
>
> What about *.jsp files, or even aspx or asp files?
>
>
> Regards,
> Andrew Scott
> http://www.andyscott.id.au/
>
>
> > -----Original Message-----
> > From: Steve Bryant [mailto:st...@bryantwebconsulting.com]
> > Sent: Wednesday, 5 January 2011 9:53 AM
> > To: cf-talk
> > Subject: Re: Beta Tester Wanted for new CF (MVC) Framework
> >
> >
> > Ian,
> >
> > Even if it was, Application.cfm
> > would run first and abort the process.
> >
>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340442
RE: Beta Tester Wanted for new CF (MVC) Framework
What about *.jsp files, or even aspx or asp files?

Regards,
Andrew Scott
http://www.andyscott.id.au/

> -----Original Message-----
> From: Steve Bryant [mailto:st...@bryantwebconsulting.com]
> Sent: Wednesday, 5 January 2011 9:53 AM
> To: cf-talk
> Subject: Re: Beta Tester Wanted for new CF (MVC) Framework
>
>
> Ian,
>
> Even if it was, Application.cfm
> would run first and abort the process.
>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340441
Re: Beta Tester Wanted for new CF (MVC) Framework
I think the fear would be if an EXE was uploaded as a "CFM" file...

Regards,
David @ Oyova - http://www.oyova.com

On Tue, Jan 4, 2011 at 5:52 PM, Steve Bryant wrote:
>
> Ian,
>
> I'm not sure that is exactly accurate. A mime-type can certainly be
> spoofed, no debate there. A file extension can be *changed*, but (unless I
> understand incorrectly), the server is going to decide how to handle a file
> based on the extension.
>
> So, for example, you may save a ColdFusion file as .png. At which point you
> can upload as an image in my framework. When it is requested in the URL,
> however, it is just an invalid image. CFAS will never process it because
> .png isn't on the list of file types for it to process. Even if it was,
> Application.cfm would run first and abort the process.
>
> Even if you did that with a .exe, the client computer wouldn't try to
> execute the code. It would just see it as an invalid image.
>
> If I am wrong on any of this, of course, I would love to know.
>
> I suppose I should bring up at the point why I have the default location
> where it is. It comes down to this: Easy installation and set-up. Neptune
> sites should be super-easy to set up and get going and should run in as wide
> a variety of platforms as possible (some hosts, for example, don't give you
> space outside of your own web root).
>
> If the security implications of this are truly horrifying, of course, I
> could reconsider, but everything about the framework is supposed to be
> brain-dead easy to use. Any place where I move away from "blindingly easy to
> use" I want to have a really compelling reason to do so.
>
> Thanks,
>
> Steve
>
> >Both mime types and file extensions can be spoofed by a hacker as both
> >are just data that hackers can manipulate on their end of the
> >client-server relationship. Unless you are running code that actually
> >inspects the content of the file to confirm that it matches the file
> >type and the mime type reported by the http headers (which are trivial
> >to set by users who know how from the client) in the request, you are
> >opening a vulnerability here. Even if you do check, the file is
> >already uploaded while the checking is occurring, and a hacker can take
> >advantage of the delay to execute his code before your validation has a
> >chance to reject the file.
> >
> >And ALL of this is based on what the hackers are doing today with
> >today's vulnerabilities. Why leave your framework in a position where
> >it would be at risk if hackers figure out tomorrow some other way to
> >hide code in innocent looking files and execute it if the file is under
> >a web root.
> >

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340440
RE: Beta Tester Wanted for new CF (MVC) Framework
http://www.petefreitag.com/item/701.cfm

And take special note of "Always upload to a temp directory outside of the Web Root"

Regards,
Andrew Scott
http://www.andyscott.id.au/

> -Original Message-
> From: Steve Bryant [mailto:st...@bryantwebconsulting.com]
> Sent: Wednesday, 5 January 2011 9:45 AM
> To: cf-talk
> Subject: Re: Beta Tester Wanted for new CF (MVC) Framework
>
> Andrew,
>
> You just hit me with a "You should know that" and a "Steve needs to understand...". I get that you have a headache, but I am not trying to fight you on this. I am really just trying to get a feel for the threat-level so I can decide on the appropriate action(s) to take.
>
> It sounds like (and correct me if I am wrong here) a warning is not currently needed to recommend storing files outside of the web root but some note advising about the implications could be helpful.
>
> I should probably have a page on the topic that covers security implications of changes of the kind discussed here as well as some comments in Application.cfm to the effect of "Hey! Don't delete me unless you want to take some heavy risks!".
>
> David,
>
> I didn't take it as you knocking me. I thought it was a good point and yet another reason that I need to verify that you can configure to use a .cfm file as part of the URL path for uploaded files.
>
> Thanks,
>
> Steve

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340439
Re: Beta Tester Wanted for new CF (MVC) Framework
Ian,

I'm not sure that is exactly accurate. A mime-type can certainly be spoofed, no debate there. A file extension can be *changed*, but (unless I understand incorrectly), the server is going to decide how to handle a file based on the extension.

So, for example, you may save a ColdFusion file as .png. At which point you can upload as an image in my framework. When it is requested in the URL, however, it is just an invalid image. CFAS will never process it because .png isn't on the list of file types for it to process. Even if it was, Application.cfm would run first and abort the process.

Even if you did that with a .exe, the client computer wouldn't try to execute the code. It would just see it as an invalid image.

If I am wrong on any of this, of course, I would love to know.

I suppose I should bring up at this point why I have the default location where it is. It comes down to this: Easy installation and set-up. Neptune sites should be super-easy to set up and get going and should run in as wide a variety of platforms as possible (some hosts, for example, don't give you space outside of your own web root).

If the security implications of this are truly horrifying, of course, I could reconsider, but everything about the framework is supposed to be brain-dead easy to use. Any place where I move away from "blindingly easy to use" I want to have a really compelling reason to do so.

Thanks,

Steve

> Both mime types and file extensions can be spoofed by a hacker as both are just data that hackers can manipulate on their end of the client-server relationship. Unless you are running code that actually inspects the content of the file to confirm that it matches the file type and the mime type reported by the http headers (which are trivial to set by users who know how from the client) in the request, you are opening a vulnerability here. Even if you do check, the file is already uploaded while the checking is occurring, and a hacker can take advantage of the delay to execute his code before your validation has a chance to reject the file.
>
> And ALL of this is based on what the hackers are doing today with today's vulnerabilities. Why leave your framework in a position where it would be at risk if hackers figure out tomorrow some other way to hide code in innocent looking files and execute it if the file is under a web root.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340438
Re: Beta Tester Wanted for new CF (MVC) Framework
Andrew,

You just hit me with a "You should know that" and a "Steve needs to understand...". I get that you have a headache, but I am not trying to fight you on this. I am really just trying to get a feel for the threat-level so I can decide on the appropriate action(s) to take.

It sounds like (and correct me if I am wrong here) a warning is not currently needed to recommend storing files outside of the web root but some note advising about the implications could be helpful.

I should probably have a page on the topic that covers security implications of changes of the kind discussed here as well as some comments in Application.cfm to the effect of "Hey! Don't delete me unless you want to take some heavy risks!".

David,

I didn't take it as you knocking me. I thought it was a good point and yet another reason that I need to verify that you can configure to use a .cfm file as part of the URL path for uploaded files.

Thanks,

Steve

> Yeah I think I got myself confused there, have a blinding headache and wasn't thinking on that one.
>
> The point Steve needs to understand is that this is changeable, and that means that someone can easily come along and change the framework. That means there should be a warning of some degree that by making these changes they could be potentially putting a security risk into the framework.
>
> Whether he does that or not is up to him, but I think that a warning should be applied to this because it is accessible from the URL. I think that he has done enough to secure it at the base level, but remember someone who doesn't understand can come along and remove the application.cfm and not think twice about the security put in place.
>
> Does that make my position a little clearer?
>
> Regards,
> Andrew Scott
> http://www.andyscott.id.au/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340437
Re: Beta Tester Wanted for new CF (MVC) Framework
Both mime types and file extensions can be spoofed by a hacker as both are just data that hackers can manipulate on their end of the client-server relationship. Unless you are running code that actually inspects the content of the file to confirm that it matches the file type and the mime type reported by the http headers (which are trivial to set by users who know how from the client) in the request, you are opening a vulnerability here. Even if you do check, the file is already uploaded while the checking is occurring, and a hacker can take advantage of the delay to execute his code before your validation has a chance to reject the file.

And ALL of this is based on what the hackers are doing today with today's vulnerabilities. Why leave your framework in a position where it would be at risk if hackers figure out tomorrow some other way to hide code in innocent looking files and execute it if the file is under a web root.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340435
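The checks described in the message above, as an added example that is not part of the thread and is not Neptune's code. It is written in Python rather than CFML so it can be run as-is; `accept_upload`, `sniff_type`, `UploadRejected` and the `SIGNATURES` table are hypothetical names, and the sample bytes are constructed. The content is validated in memory before anything is written, and the store directory must lie outside the web root, so there is no URL-reachable copy during or after the check.

```python
import os
import secrets
import tempfile
from typing import Optional

# Allowlist (assumed for this example): extension -> (leading bytes, MIME type).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "gif": (b"GIF8", "image/gif"),          # covers GIF87a and GIF89a
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
}


class UploadRejected(Exception):
    """Raised when an upload fails a check; nothing has been stored."""


def sniff_type(head: bytes) -> Optional[str]:
    """Return the allowlisted extension whose signature matches, else None."""
    for ext, (magic, _mime) in SIGNATURES.items():
        if head.startswith(magic):
            return ext
    return None


def accept_upload(data: bytes, client_name: str, client_mime: str,
                  store_dir: str, web_root: str) -> str:
    """Validate an upload held in memory, then store it; returns the stored path."""
    store = os.path.realpath(store_dir)
    root = os.path.realpath(web_root)
    # Refuse to run at all if the store is the web root or anywhere below it.
    if os.path.commonpath([store, root]) == root:
        raise UploadRejected("upload store must be outside the web root")

    # The client-supplied name and MIME type are only claims; each is checked
    # against the allowlist and then against what the bytes actually are.
    ext = os.path.splitext(client_name)[1].lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext not in SIGNATURES:
        raise UploadRejected("extension not on the allowlist")
    if client_mime.lower() != SIGNATURES[ext][1]:
        raise UploadRejected("MIME type does not match the extension")
    if sniff_type(data[:16]) != ext:
        raise UploadRejected("file content does not match the declared type")

    # Server-generated name: nothing from the client reaches the file system.
    final = os.path.join(store, secrets.token_hex(16) + "." + ext)
    fd, tmp = tempfile.mkstemp(dir=store, suffix=".part")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp, final)  # atomic rename within the same directory
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return final


if __name__ == "__main__":
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "wwwroot")
    store = os.path.join(base, "uploads")
    os.makedirs(web_root)
    os.makedirs(store)

    # Constructed samples: a real PNG header, CFML text renamed to .png, and a
    # PNG header followed by CFML text.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    renamed = b"<cfoutput>#now()#</cfoutput>"
    mixed = b"\x89PNG\r\n\x1a\n" + renamed

    print("png stored as", accept_upload(png, "logo.png", "image/png", store, web_root))
    try:
        accept_upload(renamed, "logo.png", "image/png", store, web_root)
    except UploadRejected as exc:
        print("renamed CFML rejected:", exc)
    # A signature check cannot see script text after a valid header, which is
    # why the store location is enforced independently of the content check.
    print("mixed file stored as", accept_upload(mixed, "logo.png", "image/png", store, web_root))
```

The last sample passes the signature check, so the content check alone is not what keeps it from running; the fact that it is stored where no URL maps to it is.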
RE: Beta Tester Wanted for new CF (MVC) Framework
Yeah I think I got myself confused there, have a blinding headache and wasn't thinking on that one.

The point Steve needs to understand is that this is changeable, and that means that someone can easily come along and change the framework. That means there should be a warning of some degree that by making these changes they could be potentially putting a security risk into the framework.

Whether he does that or not is up to him, but I think that a warning should be applied to this because it is accessible from the URL. I think that he has done enough to secure it at the base level, but remember someone who doesn't understand can come along and remove the application.cfm and not think twice about the security put in place.

Does that make my position a little clearer?

Regards,
Andrew Scott
http://www.andyscott.id.au/

> -Original Message-
> From: David McGraw [mailto:david.mcg...@gmail.com]
> Sent: Wednesday, 5 January 2011 9:31 AM
> To: cf-talk
> Subject: Re: Beta Tester Wanted for new CF (MVC) Framework
>
> How would CF server know to process a .cfm file unless you pre-configured your IIS or Apache to tell CF to process and execute PNGs? I'm honestly asking.
>
> I agree that your files should not be in the webroot, but it sounds like you can easily use a dynamic loader script, and configure the framework to save and load files in any location you would like. I don't think anyone is NOT agreeing with you about the security.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340432
Re: Beta Tester Wanted for new CF (MVC) Framework
How would CF server know to process a .cfm file unless you pre-configured your IIS or Apache to tell CF to process and execute PNGs? I'm honestly asking.

I agree that your files should not be in the webroot, but it sounds like you can easily use a dynamic loader script, and configure the framework to save and load files in any location you would like. I don't think anyone is NOT agreeing with you about the security.

On Tue, Jan 4, 2011 at 5:25 PM, Andrew Scott wrote:
> Checking the mime-type and the extension is not secure.
>
> I can write a CFML name it as a PNG and try to display the image, but instead the code will be executed. You should know that.
>
> Regards,
> Andrew Scott
> http://www.andyscott.id.au/
>
> > -Original Message-
> > From: Steve Bryant [mailto:st...@bryantwebconsulting.com]
> > Sent: Wednesday, 5 January 2011 9:12 AM
> > To: cf-talk
> > Subject: Re: Beta Tester Wanted for new CF (MVC) Framework
> >
> > Andrew,
> >
> > Correct me if I am mistaken, but I thought that was if the system was checking *only* mime-type. The framework checks both mime-type AND file extension. I did check on that at the time of that exploit and ensured that our framework was protected from that exploit. If I have missed something on that, do let me know.
> >
> > The folder is set to allow reading and writing, but not execution. It has Application.cfm protection. I can ensure that the uploads are protected from unwanted files by BOTH mime-type and extension.
> >
> > The location can be configured to a location outside of the web root. I think, however, that it can be made safe enough to obviate the need for a severe warning on that front.
> >
> > If there is a specific threat that I have not addressed, however, I would certainly like to know.
> >
> > I have Googled this topic in the past, so a specific unaddressed vulnerability would be helpful if there is something that I have missed.
> >
> > Thanks,
> >
> > Steve

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340431
RE: Beta Tester Wanted for new CF (MVC) Framework
Checking the mime-type and the extension is not secure.

I can write a CFML name it as a PNG and try to display the image, but instead the code will be executed. You should know that.

Regards,
Andrew Scott
http://www.andyscott.id.au/

> -Original Message-
> From: Steve Bryant [mailto:st...@bryantwebconsulting.com]
> Sent: Wednesday, 5 January 2011 9:12 AM
> To: cf-talk
> Subject: Re: Beta Tester Wanted for new CF (MVC) Framework
>
> Andrew,
>
> Correct me if I am mistaken, but I thought that was if the system was checking *only* mime-type. The framework checks both mime-type AND file extension. I did check on that at the time of that exploit and ensured that our framework was protected from that exploit. If I have missed something on that, do let me know.
>
> The folder is set to allow reading and writing, but not execution. It has Application.cfm protection. I can ensure that the uploads are protected from unwanted files by BOTH mime-type and extension.
>
> The location can be configured to a location outside of the web root. I think, however, that it can be made safe enough to obviate the need for a severe warning on that front.
>
> If there is a specific threat that I have not addressed, however, I would certainly like to know.
>
> I have Googled this topic in the past, so a specific unaddressed vulnerability would be helpful if there is something that I have missed.
>
> Thanks,
>
> Steve

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340430
Re: Beta Tester Wanted for new CF (MVC) Framework
Yeah, I wasn't knocking it...

On Tue, Jan 4, 2011 at 5:15 PM, Steve Bryant wrote:
> David,
>
> That is certainly another point altogether. As I said, the framework does allow you to configure location and URL path for uploaded files which *should* allow a URL path like "/file.cfm?file=".
>
> I have added testing that as a relatively high-priority task for my next round of work on the framework.
>
> Thanks,
>
> Steve
>
> > To further Andrew's Point,
> > We typically create a script to deliver the requested file so we can run a bit of CF to properly name the file and ensure the user has a valid permission to even request it. So with our basic framework we usually have a download.cfm script which will serve it up if all looks good. Of course this isn't going to work for public sites where you want to take advantage of SEO spidering and all that. However, as far as a base framework concept, I think they are on the right track, and someone needs to submit an improvement to the core and address this issue... Ahh the power of Open Source Development...

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340429
Re: Beta Tester Wanted for new CF (MVC) Framework
David,

That is certainly another point altogether. As I said, the framework does allow you to configure location and URL path for uploaded files which *should* allow a URL path like "/file.cfm?file=".

I have added testing that as a relatively high-priority task for my next round of work on the framework.

Thanks,

Steve

> To further Andrew's Point,
> We typically create a script to deliver the requested file so we can run a bit of CF to properly name the file and ensure the user has a valid permission to even request it. So with our basic framework we usually have a download.cfm script which will serve it up if all looks good. Of course this isn't going to work for public sites where you want to take advantage of SEO spidering and all that. However, as far as a base framework concept, I think they are on the right track, and someone needs to submit an improvement to the core and address this issue... Ahh the power of Open Source Development...

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340428
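The delivery-script approach discussed in the message above (a download.cfm-style script behind a URL such as "/file.cfm?file="), as an added example that is not part of the thread and is not Neptune's code. It is written in Python rather than CFML so it can be run as-is; `handle_download`, `resolve_stored_file`, the `records` structure standing in for a permissions table, and the sample file are all hypothetical.

```python
import os
import re
import tempfile

# Content types the script is willing to send (assumed allowlist).
CONTENT_TYPES = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".gif": "image/gif",
    ".vcf": "text/x-vcard",
}

# The "file" parameter must look like a stored name: no slashes, no "..",
# no leading dot, one short lowercase extension.
STORED_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[a-z0-9]{1,5}")


def resolve_stored_file(store_dir, requested):
    """Map the request parameter to a file directly inside store_dir, or None."""
    if not STORED_NAME.fullmatch(requested):
        return None
    store = os.path.realpath(store_dir)
    path = os.path.realpath(os.path.join(store, requested))
    # realpath follows symlinks, so a link pointing out of the store is refused.
    if os.path.dirname(path) != store or not os.path.isfile(path):
        return None
    return path


def handle_download(requested, user, store_dir, records):
    """Return (status, headers, body) for a download request.

    records maps stored name -> {"users": set of allowed users,
    "display_name": name shown to the browser}.
    """
    path = resolve_stored_file(store_dir, requested)
    if path is None:
        return 404, {}, b""
    record = records.get(requested)
    if record is None or user not in record["users"]:
        return 403, {}, b""

    ext = os.path.splitext(path)[1]
    # The download name goes into a header, so reduce it to a safe alphabet.
    shown = re.sub(r"[^A-Za-z0-9._-]", "_", record["display_name"])
    headers = {
        "Content-Type": CONTENT_TYPES.get(ext, "application/octet-stream"),
        "Content-Disposition": 'attachment; filename="%s"' % shown,
        # Tell the browser not to second-guess the declared type.
        "X-Content-Type-Options": "nosniff",
    }
    with open(path, "rb") as fh:
        return 200, headers, fh.read()


if __name__ == "__main__":
    # Constructed store directory with one stored file and one permission record.
    store = tempfile.mkdtemp()
    with open(os.path.join(store, "a1b2c3.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n")
    records = {"a1b2c3.png": {"users": {"alice"}, "display_name": "team photo.png"}}

    for name, user in [("a1b2c3.png", "alice"), ("a1b2c3.png", "mallory"),
                       ("../a1b2c3.png", "alice")]:
        status, headers, _body = handle_download(name, user, store, records)
        print(name, user, status, headers.get("Content-Disposition"))
```

Because the script only ever reads files as data and sends them with an explicit content type, nothing in the store is handed to the application server for execution, whatever its extension.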
Re: Beta Tester Wanted for new CF (MVC) Framework
Andrew,

Correct me if I am mistaken, but I thought that was if the system was checking *only* mime-type. The framework checks both mime-type AND file extension. I did check on that at the time of that exploit and ensured that our framework was protected from that exploit. If I have missed something on that, do let me know.

The folder is set to allow reading and writing, but not execution. It has Application.cfm protection. I can ensure that the uploads are protected from unwanted files by BOTH mime-type and extension.

The location can be configured to a location outside of the web root. I think, however, that it can be made safe enough to obviate the need for a severe warning on that front.

If there is a specific threat that I have not addressed, however, I would certainly like to know.

I have Googled this topic in the past, so a specific unaddressed vulnerability would be helpful if there is something that I have missed.

Thanks,

Steve

> Yes but if you understand the problems with that then you would know that a file can be uploaded that is pretending to be a png or whatever it wants to be, and actually be a cfml or any other executable file.
>
> There has been enough discussion on this matter to adhere to the fact that the uploads directory should never, ever be in the webroot or even accessible from the URL. Google it, and you will see what I mean and refer to.
>
> fckEditor was a victim of this and as was Adobe and anyone else who used this exploitation.
>
> Regards,
> Andrew Scott
> http://www.andyscott.id.au/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340425
Re: Beta Tester Wanted for new CF (MVC) Framework
To further Andrew's Point,

We typically create a script to deliver the requested file so we can run a bit of CF to properly name the file and ensure the user has a valid permission to even request it. So with our basic framework we usually have a download.cfm script which will serve it up if all looks good. Of course this isn't going to work for public sites where you want to take advantage of SEO spidering and all that. However, as far as a base framework concept, I think they are on the right track, and someone needs to submit an improvement to the core and address this issue... Ahh the power of Open Source Development...

Regards,
Dave @ Oyova Software - http://www.oyova.com

On Tue, Jan 4, 2011 at 4:50 PM, Andrew Scott wrote:
> Yes but if you understand the problems with that then you would know that a file can be uploaded that is pretending to be a png or whatever it wants to be, and actually be a cfml or any other executable file.
>
> There has been enough discussion on this matter to adhere to the fact that the uploads directory should never, ever be in the webroot or even accessible from the URL. Google it, and you will see what I mean and refer to.
>
> fckEditor was a victim of this and as was Adobe and anyone else who used this exploitation.
>
> Regards,
> Andrew Scott
> http://www.andyscott.id.au/
>
> > -Original Message-
> > From: Steve Bryant [mailto:st...@bryantwebconsulting.com]
> > Sent: Wednesday, 5 January 2011 7:38 AM
> > To: cf-talk
> > Subject: Re: Beta Tester Wanted for new CF (MVC) Framework
> >
> > Andrew,
> >
> > I'll have to ponder that.
> >
> > Right now the following XML would create a table with two file fields, one of which would accept only images and the other would accept only vcard files.
> >
> >> folder="images" />
> >> accept="text/x-vcard" extensions="vcf" />
> >
> > This limitation would provide JavaScript checks for any forms using the built-in form tags and server-side checks for the service component checking both mime-type and file extension.
> >
> > It makes it really easy to limit file types.
> >
> > I could probably change the framework a bit so that it also has a built-in set of mime-types and file extensions to refuse unless they are explicitly allowed in those attributes.
> >
> > Do you think that would be enough to leave off the warning or at least make it a bit more mild?
> >
> > Thanks,
> >
> > Steve

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340423
RE: Beta Tester Wanted for new CF (MVC) Framework
Yes but if you understand the problems with that then you would know that a file can be uploaded that is pretending to be a png or whatever it wants to be, and actually be a cfml or any other executable file.

There has been enough discussion on this matter to adhere to the fact that the uploads directory should never, ever be in the webroot or even accessible from the URL. Google it, and you will see what I mean and refer to.

fckEditor was a victim of this and as was Adobe and anyone else who used this exploitation.

Regards,
Andrew Scott
http://www.andyscott.id.au/

> -Original Message-
> From: Steve Bryant [mailto:st...@bryantwebconsulting.com]
> Sent: Wednesday, 5 January 2011 7:38 AM
> To: cf-talk
> Subject: Re: Beta Tester Wanted for new CF (MVC) Framework
>
> Andrew,
>
> I'll have to ponder that.
>
> Right now the following XML would create a table with two file fields, one of which would accept only images and the other would accept only vcard files.
>
> >folder="images" />
> >accept="text/x-vcard" extensions="vcf" />
>
> This limitation would provide JavaScript checks for any forms using the built-in form tags and server-side checks for the service component checking both mime-type and file extension.
>
> It makes it really easy to limit file types.
>
> I could probably change the framework a bit so that it also has a built-in set of mime-types and file extensions to refuse unless they are explicitly allowed in those attributes.
>
> Do you think that would be enough to leave off the warning or at least make it a bit more mild?
>
> Thanks,
>
> Steve

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340422
Re: Beta Tester Wanted for new CF (MVC) Framework
Duane,

Good question. I would think so, but I am not expert enough on the topic to be confident of that. I believe I have that set already in the folder in the zip as well as in the download created from the generator. If not, I will correct.

Anyone know a reason why that would not be sufficient?

Thanks,

Steve

> Wouldn't it be sufficient to make the folder write and read only leaving off the public execute privilege?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340421
RE: Beta Tester Wanted for new CF (MVC) Framework
Wouldn't it be sufficient to make the folder write and read only leaving off the public execute privilege?

-Original Message-
From: Steve Bryant [mailto:st...@bryantwebconsulting.com]
Sent: Tuesday, January 04, 2011 4:38 PM
To: cf-talk
Subject: Re: Beta Tester Wanted for new CF (MVC) Framework

Andrew,

I'll have to ponder that.

Right now the following XML would create a table with two file fields, one of which would accept only images and the other would accept only vcard files.

This limitation would provide JavaScript checks for any forms using the built-in form tags and server-side checks for the service component checking both mime-type and file extension.

It makes it really easy to limit file types.

I could probably change the framework a bit so that it also has a built-in set of mime-types and file extensions to refuse unless they are explicitly allowed in those attributes.

Do you think that would be enough to leave off the warning or at least make it a bit more mild?

Thanks,

Steve

> You can never assume limiting by file types when it comes to adding files to your webroot, through a web uploader. You might want to list in the docs the risk of leaving it in the webroot, and that it is extremely advisable to move the folder outside of the webroot.
>
> Regards,
> Andrew Scott
> http://www.andyscott.id.au/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340420
Re: Beta Tester Wanted for new CF (MVC) Framework
Andrew,

I'll have to ponder that.

Right now the following XML would create a table with two file fields, one of which would accept only images and the other would accept only vcard files.

This limitation would provide JavaScript checks for any forms using the built-in form tags and server-side checks for the service component checking both mime-type and file extension.

It makes it really easy to limit file types.

I could probably change the framework a bit so that it also has a built-in set of mime-types and file extensions to refuse unless they are explicitly allowed in those attributes.

Do you think that would be enough to leave off the warning or at least make it a bit more mild?

Thanks,

Steve

> You can never assume limiting by file types when it comes to adding files to your webroot, through a web uploader. You might want to list in the docs the risk of leaving it in the webroot, and that it is extremely advisable to move the folder outside of the webroot.
>
> Regards,
> Andrew Scott
> http://www.andyscott.id.au/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340419
RE: Beta Tester Wanted for new CF (MVC) Framework
You can never assume limiting by file types when it comes to adding files to your webroot, through a web uploader. You might want to list in the docs the risk of leaving it in the webroot, and that it is extremely advisable to move the folder outside of the webroot.

Regards,
Andrew Scott
http://www.andyscott.id.au/

> -Original Message-
> From: Steve Bryant [mailto:st...@bryantwebconsulting.com]
> Sent: Wednesday, 5 January 2011 7:01 AM
> To: cf-talk
> Subject: Re: Beta Tester Wanted for new CF (MVC) Framework
>
> Andrew,
>
> The default folder for uploading files has a Application.cfm that just contains to help mitigate that risk. Assuming the uploads themselves limit file types allowed, how serious a risk do you think that is?
>
> Also, yes, easy to configure. Just change the "UploadPath" setting in _config/config.cfm to whatever location you want and change the "UploadURL" appropriately. I think the UploadURL could be something like "/file.cfm?file=", but I haven't tested that yet.
>
> Thanks,
>
> Steve

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340415
Re: Beta Tester Wanted for new CF (MVC) Framework
Andrew,

The default folder for uploading files has a Application.cfm that just contains to help mitigate that risk. Assuming the uploads themselves limit file types allowed, how serious a risk do you think that is?

Also, yes, easy to configure. Just change the "UploadPath" setting in _config/config.cfm to whatever location you want and change the "UploadURL" appropriately. I think the UploadURL could be something like "/file.cfm?file=", but I haven't tested that yet.

Thanks,

Steve

> You are promoting a security risk with the uploaded files folder as being under the webroot, I hope this is configurable.
>
> Regards,
> Andrew Scott
> http://www.andyscott.id.au/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340413
Re: Beta Tester Wanted for new CF (MVC) Framework
Open Source Code = 100% Configurable. :)

Thanks,
Eric Cobb
ECAR Technologies, LLC
http://www.ecartech.com
http://www.cfgears.com

On 1/4/2011 1:44 PM, Andrew Scott wrote:
> You are promoting a security risk with the uploaded files folder as being under the webroot, I hope this is configurable.
>
> Regards,
> Andrew Scott
> http://www.andyscott.id.au/
>
>> -Original Message-
>> From: Steve Bryant [mailto:st...@bryantwebconsulting.com]
>> Sent: Wednesday, 5 January 2011 3:28 AM
>> To: cf-talk
>> Subject: Beta Tester Wanted for new CF (MVC) Framework
>>
>> Hello fellow CFers,
>>
>> I just released a beta of a new ColdFusion framework called Neptune and I would love to get some beta testers to help me find bugs or make suggestions on how it could be improved. We have been using it internally for a few years on several projects, so I am curious to see if it works as well for others as it has for us.
>>
>> I think it is quite a bit unlike any other ColdFusion framework out there. It isn't hub-and-spoke (where all requests are routed through index.cfm, for example). It doesn't require OO. It does, however, provide pretty significant automation and allow for very concise (but still expressive) code.
>>
>> It is free and open source for any use.
>>
>> Documentation (currently 36 web pages, 43 printed pages):
>> http://www.bryantwebconsulting.com/docs/neptune/
>>
>> Download:
>> http://neptune.riaforge.org/
>>
>> Blog Entry:
>> http://www.bryantwebconsulting.com/blog/index.cfm/2011/1/3/Neptune-New-Framework-for-the-New-Year
>>
>> Any feedback would be greatly appreciated.
>>
>> Thanks,
>>
>> Steve

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340411
RE: Beta Tester Wanted for new CF (MVC) Framework
You are promoting a security risk with the uploaded files folder as being under the webroot, I hope this is configurable.

Regards,
Andrew Scott
http://www.andyscott.id.au/

> -Original Message-
> From: Steve Bryant [mailto:st...@bryantwebconsulting.com]
> Sent: Wednesday, 5 January 2011 3:28 AM
> To: cf-talk
> Subject: Beta Tester Wanted for new CF (MVC) Framework
>
> Hello fellow CFers,
>
> I just released a beta of a new ColdFusion framework called Neptune and I
> would love to get some beta testers to help me find bugs or make
> suggestions on how it could be improved. We have been using it internally
> for a few years on several projects, so I am curious to see if it works as well
> for others as it has for us.
>
> I think it is quite a bit unlike any other ColdFusion framework out there. It
> isn't hub-and-spoke (where all requests are routed through index.cfm, for
> example). It doesn't require OO. It does, however, provide pretty significant
> automation and allow for very concise (but still expressive) code.
>
> It is free and open source for any use.
>
> Documentation (currently 36 web pages, 43 printed pages):
> http://www.bryantwebconsulting.com/docs/neptune/
>
> Download:
> http://neptune.riaforge.org/
>
> Blog Entry:
> http://www.bryantwebconsulting.com/blog/index.cfm/2011/1/3/Neptune-New-Framework-for-the-New-Year
>
> Any feedback would be greatly appreciated.
>
> Thanks,
>
> Steve

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340410
RE: Beta Tester Wanted for new CF (MVC) Framework
Steve,

Nice job on the documentation.

-mark

Mark A. Kruger, MCSE, CFG
(402) 408-3733 ext 105
Skype: markakruger
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-Original Message-
From: Steve Bryant [mailto:st...@bryantwebconsulting.com]
Sent: Tuesday, January 04, 2011 10:28 AM
To: cf-talk
Subject: Beta Tester Wanted for new CF (MVC) Framework

Hello fellow CFers,

I just released a beta of a new ColdFusion framework called Neptune and I would love to get some beta testers to help me find bugs or make suggestions on how it could be improved. We have been using it internally for a few years on several projects, so I am curious to see if it works as well for others as it has for us.

I think it is quite a bit unlike any other ColdFusion framework out there. It isn't hub-and-spoke (where all requests are routed through index.cfm, for example). It doesn't require OO. It does, however, provide pretty significant automation and allow for very concise (but still expressive) code.

It is free and open source for any use.

Documentation (currently 36 web pages, 43 printed pages):
http://www.bryantwebconsulting.com/docs/neptune/

Download:
http://neptune.riaforge.org/

Blog Entry:
http://www.bryantwebconsulting.com/blog/index.cfm/2011/1/3/Neptune-New-Framework-for-the-New-Year

Any feedback would be greatly appreciated.

Thanks,

Steve

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340389