Doing that on everything.
If you're parametrizing everything on the queries then what is the concern?
-Justin
~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag
Does anyone have a copy of this custom tag lying around? We were
using it on a server that recently crashed and I am having some trouble
locating a copy of it. Thanks!
-Justin
I was able to locate a copy on our network, please disregard. Thanks!
On Thu, Jul 10, 2014 at 6:30 PM, Justin Scott leviat...@darktech.org wrote:
Does anyone have a copy of this custom tag lying around? We were
using it on a server that recently crashed and I am having some trouble
locating
The following code worked great in CF9/10, now it doesn't work in CF11. All
we're trying to do here is serve up an email tracking image, after logging
it. Before, it would render in the email/browser as the image file. Now, it
looks like a missing image link. Any ideas?
cfscript
// log
Wait, never mind... That was too easy. Just remove all the fun stuff!
Solution: location(url="/email/img.jpg", addToken=false);
-Original Message-
From: Justin Hansen [mailto:jhan...@uhlig.com]
Sent: Monday, July 07, 2014 11:16 AM
To: cf-talk
Subject: Serving up an image w/ cf11
in the project
list (used the folder name and refuses to let me rename the project
with an error). I like Builder, but the move from 2 to 3 could be a
lot smoother.
-Justin
a hard deadline and had to ship
regardless. I'm glad Adobe is continuing to support the product, but
I've never felt so meh about a release (and I've been using CF since
version 4).
-Justin
...@michaels.me.uk wrote:
it felt that way with CF10 as well, I have not even bothered with CF10, and
that was before I moved to Railo.
On Tue, Apr 29, 2014 at 4:03 PM, Justin Scott leviat...@darktech.org wrote:
I just don't get Adobe at all. I'm so disappointed in them.
The tone of the announcement blog
I listened to the latest (last) CF-Hour podcast this afternoon and
wanted to give a big THANK YOU to Dave and Scott for their efforts and
time for the CF-Hour podcast. It had its ups and downs, but overall
was one of the crown jewels of the CF community. It will be missed.
-Justin Scott
Hi, I discovered today that MSIE 11 is putting ...
Trident/7.0; rv:11.0 still gives it away as IE 11. If you look for
that prior to the Mozilla check then it will still catch it
properly.
-Justin
I am picturing a 2-fold system. A web-based scan for common
vulnerabilities from outside, and a more detailed scan the system from
inside.
Hi Jerry, you basically just described HackMyCF.com and their security
scanner and monitoring tool.
-Justin
OMG You mean ColdFusion 11 is public :P
I'm hearing Stroz in the back of my head... 10.5 10.5 have a
great weekend!
-Justin
properly, so we did what was needed to help them fix
it. Sorry, I get annoyed whenever I hear people say not my job.
-Justin
/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf
-Justin
week unless it's in the vein of wow,
these CF people really got their s*** together!.
-Justin
cards companies bang the PCI-DSS drum
so hard... they want multiple layers of security and access controls
so that the failure of any one of those layers will not leave the
entire system out in the open.
-Justin
, tuning the queries
themselves, and so on has had far more impact on performance than
anything in the CF code.
-Justin
<cfif serializeJSON(qry1) eq serializeJSON(qry2)>
to compare 2 queries
or
sticking the queries into an array and then
<cfif qryArray1.equals(qryArray2) IS "YES">
TryCF.com is great for stuff like this. Plug this code into TryCF.com
and give it a whirl...
<cfscript>
qry1 = queryNew("x,y,z");
I am using SmarterMail to deliver my email from CF. However,
emails that are generated don't seem to have the DKIM signing
attached.
Do you have a username and password entered into the Mail settings
in the ColdFusion administrator for the connection to your mail
server?
-Justin
their DNS entry in the hosts file you'll also need to
monitor their DNS entry for changes so you can update your hosts file
accordingly if they move something. Loads of fun.
-Justin
Enterprise, but aside from that everything else
should be smooth sailing.
-Justin Scott
being called. Java will only check against the
primary hostname and not the alternative names listed in the
certificate. Calling the primary hostname on the certificate and
using a hosts entry to override the DNS entry to direct it to the
right IP is the only workaround in this instance.
-Justin
. Fortunately most of them are not being ultra-strict about
that... yet.
-Justin
FYI, I tried things out on CF 10, and it appears to accept these types of
certificates without issue.
What's the JVM version you're using on that installation?
-Justin
It's not a question of 'if', but 'when'. -Ancient Security Proverb
On Thu, Oct 3, 2013 at 5:54 PM, John Lyons tyrsbl...@gmail.com wrote:
their customer records and possibly passwords and
financial info being exfiltrated.
-Justin
boo, being all logical and stuff :)
It's all part of the show folks. :)
-Justin
cfformprotect will help you with stuff like this
I'll second that... it's become a standard for me to implement on
public-facing forms to prevent automated submissions.
-Justin
.
-Justin
On Mon, Jul 22, 2013 at 5:08 AM, Russ Michaels r...@michaels.me.uk wrote:
You can run cast function on the hex string to see the actual sql it
generates, which I thought was required anyway so not sure that query would
even execute otherwise.
Russ Michaels
www.michaels.me.uk
priority to investigate how they were able to do so and
patch the code so that the condition can be handled gracefully.
-Justin
There was some discussion about a very similar injection on Stack
Overflow which may be useful:
http://stackoverflow.com/questions/4600954/site-has-been-hacked-via-sql-injection
-Justin
On Sun, Jul 21, 2013 at 1:33 PM, Dave Hatz daveh...@hatzventures.org wrote:
We had someone trying
recommendations on a
CF-based solution, or even a Java or .Net solution I can import if
available. Thanks in advance, and have a great weekend!
-Justin Scott
these sorts of options
checked by default.
-Justin
On Fri, Jun 28, 2013 at 9:16 AM, Robert Sneed robertsn...@rhsneed.com wrote:
I hope someone can help me with this. I'm kind of stuck on the conditional.
I have a newsletter signup form that includes a check box that is check by
default.
label
defined you refer to them normally within the
function code.
In newer versions (9 and 10) you can use the local scope within the
function instead, such as:
<cfset local.tempImage_path = "#rootpath#\assets\project_gallery\temp">
This will accomplish the same thing as using the var attribute.
-Justin
http://developers.slashdot.org/story/13/06/08/051235/
Not directly CF-related, but could impact those that rely on accurate
time information around the world.
-Justin
successfully)?
-Justin Scott
it).
This is different from the password argument which would be sent to
the remote server.
-Justin
meaning and will enforce an input requirement if present.
-Justin
On Tue, May 21, 2013 at 6:30 PM, Jeff F cftalk_l...@fongemie.com wrote:
Hey everyone,
I have a very old site that has a basic form. All of a sudden, the form is
requiring all form fields to be filled out? The form
delivery. Simple and no extra hardware needed.
All of this assumes you're running Windows, of course. If you're on a
*nix platform look at Exim as it can also handle low volume like that
without breaking a sweat.
-Justin
to Exim on CentOS because it
gives us better control of outgoing mail, routing, etc. than IIS does
and still keeps up. For 100k messages a month though it's probably
overkill.
-Justin
than the costs of dealing with all the
network/server security and maintenance required to satisfy the
compliance requirements.
-Justin
into this before and any QSA who knows
what they're doing will put an exception in place for this scenario.
Frankly I'm surprised more of them haven't built this in as a rule by
default when cfid and cftoken are both present.
-Justin
There is a bit of a debate going on, I was hoping the community could chime
in...
What is a reasonable limit for the postSizeLimit and postParameterLimit
settings (aka maximum number of form fields)?
100, 1,000, 10,000?
On the one hand, we have a dynamic form with LOTS of fields. This is/was
older remote sites I still use
Homesite+ in Windows XP mode without any trouble.
-Justin
that, there is no shortage of CF work out there to be
done. Adding other tools and technologies to your toolbelt can create
new opportunities and provide a safety net as well, but for the time
being CF is still my primary source of income and probably will
continue to be for many years to come.
-Justin
something another company did is pretty
short-sighted.
-Justin
With regard to a CFML engine running on .NET, New Atlanta has a
BlueDragon .NET edition that does exactly that.
Thanks Carl, I knew they had a Java version but wasn't aware of the
.NET edition. Good to know if I ever run across one of those types of
clients.
-Justin
to the end of the hash value stored
in the database (e.g. hash(pw)+salt) then it is not adding any
additional security.
-Justin
I guess I didn't make myself clear. I wrote a routine that salted and
hashed all of the plain text passwords that were in the system.
Ah, that is a good thing then. I took it that you were adding salts
to an existing hash like the original poster.
-Justin
that.
Coffee. Yes, more coffee is the solution. Coffee shall make it all
better. :)
-Justin
in the tooth.
-Justin
the file is uploaded to Flickr,
for example, this information is read and it saves any need to rekey. It
means wherever the image lands up, this information doesn't get detached.
In that case you would use imageGetIPTCMetaData() instead (on CF8 and
above, of course).
-Justin
). Ah well!
-Justin
with an example at
http://www.petefreitag.com/item/657.cfm.
-Justin
100% of the time this little bit of regex has served me well until now.
^[\w\.-]{1,}\@([\da-zA-Z-]{1,}\.){1,}[\da-zA-Z-]+$
Is there a reason you're not using the built in isValid("email",
variable) function instead of a regex?
-Justin
it'll just get better in future patches/versions.
-Justin
with.
As an aside, you shouldn't be generating a new key just before you run
the decrypt() call. You would need to use the same key that was used
with the encrypt() call when the number was first encrypted in order
to decrypt successfully.
-Justin
information before posting, but
seeing the whole file will help troubleshoot).
-Justin
the information there. Storing credit card data is serious business
and not to be taken lightly.
-Justin
it protects you and your
merchant account, and second it gives the attacker a false negative on
card numbers that may have been otherwise valid which could help save
the cardholder from a lot of bogus charges down the line.
-Justin
been accidentally rejected can be contacted again later to
recapture their donation if needed. Abuse can be a hard problem to
solve.
-Justin
, though a free one that allows commercial use
can be considered as well. Specifically they're looking to take a
group of IPs, get a location, and then put markers on a map via the
Google maps API. Any recommendations would be appreciated. Thanks!
-Justin
a
table of comments and we collect the IP addresses where those comments
were posted from and later want to put them all up on a map.
-Justin
appreciate any feedback on
experiences with those services. There are a number of them out there
and I'm looking for specific recommendations on which ones are good,
bad, etc. before I go out and try all of them. Hopefully that will
clarify my request a bit. Thanks!
-Justin
What about using geolocation on the client itself? Roughly 82%
of your audience will support it.
The situation I'm working with is dealing with historical data.
-Justin
If you have a budget available I would recommend
http://www.maxmind.com/en/geolocation_landing. We use the downloadable
database.
Thanks Donnie, that is exactly the kind of service I am looking for.
-Justin
I'd argue that Google's Geocode API (...) would provide
it for a user along with geolocation if you wanted it for the
current user.
Indeed, we are actually using the Google Geocoder for getting lat/long
info for street addresses so that they can be mixed in where available
as well.
-Justin
and provide for color coding and such
and share the link back here. Unfortunately the sample would require
a lot of reformatting to be useful as-is.
-Justin
Ah so they were just checking to see if they could get something to work
before possibly trying anything real.
That's a pretty standard approach. If they can get the response to
delay then they can mark that URL as a potential entry point to come
back and explore more later.
-Justin
recommend finding a different
login example to work with as this one is going to lead you places you
really don't want to go.
-Justin
with will ask for a
contract for at least half a rack but I know of a few smaller players
in the Tampa market who can handle individual servers for co-location.
-Justin
. The
undocumented servicefactory it's calling to get datasources only works
on CF 6 but was deprecated in 7, if I remember correctly, which is why
the datasource list is blank on more modern versions where this is
dropped in. The script is old, but the insertion method is new.
-Justin
#) AND
Also make sure you put a CFQUERYPARAM tag around that cID variable as
well to prevent SQL injection, among other benefits.
-Justin
I suppose all the information about scheduled tasks is
stocked in some XML file, but where?
Take a look in the neo-cron.xml file in the lib folder for your
ColdFusion instance.
-Justin
with SQL Server (even
the Express edition which we have deployed in production in a few
places) and back up your databases locally and off-site as well.
Works out pretty well.
-Justin Scott
...lax server security. We've got a boatload of stuff on this site
to prevent SQL injection, including Justin D. Scott's application
script, carefully checking anything that goes into the database, ...
I haven't looked at the rest of the thread yet, but I would note that
the script I wrote
to the client, so
when a search engine sees the content it will show up in the HEAD
section regardless of where in the code you make the call to
CFHTMLHEAD.
-Justin Scott
and allows it through.
-Justin
that for you.
-Justin
based on letters and numbers, so: a0, a1 ... z8, z9. Talk about
torture... and you'd better not need more than 260 of them in any one
script either. Shudder.
-Justin
to be
parsed again. Back in the CF5 days the code was parsed with each page
view, but that hasn't been the case since CFMX 6.
-Justin
remember this being a big deal back in 1999
under CF4, but in current versions it doesn't appear to matter from a
performance standpoint which cfoutput approach is used.
-Justin Scott
well considering it was not announced it seems it was perhaps
not an official release, as it was just found by accident, ...
When I first posted, it wasn't an accident. Ben Forta had posted an
announcement on his blog and I happened to see it within a few minutes
in my RSS news reader and
This is a post from the CF Server Team Blog that I thought worthy of
passing along. If you believe you will need to install CF8 or CF9
with Verity bundled in the future and do not already have the
installers, go grab them now...
---
From:
Problem is, I don't have access to the server other than to reference
it. They have a server that hosts the photographs, and another server
that hosts the html. So I can only reference the photos using a full
URL from another server entirely.
Sounds like MLXchange if that's the
ColdFusion 10 has been released...
http://www.adobe.com/products/coldfusion-family.html
-Justin
with troubleshooting. What
encryption algorithm are you using? Not all of them will use an IV.
-Justin
a similar result (e.g.
<cfset useasiv = left(hash(anotherkey), 16)>).
-Justin Scott
Is anyone using the CF9/OpenOffice to convert Word/Excel documents to PDF? How
well is it working? What sort of issues did you run into? How did you get
around them?
Trying to evaluate this option before diving in...
Thanks,
Justin
Excellent! I will go ahead and give it a shot. Thanks for the input Dave!
-Original Message-
From: Dave Watts [mailto:dwa...@figleaf.com]
Sent: Friday, May 04, 2012 9:27 AM
To: cf-talk
Subject: Re: CF9/OpenOffice for Word to PDF
Is anyone using the CF9/OpenOffice to convert
a SQL injection attack the IP can't be spoofed per se. In those cases
the biggest problem, in my opinion, is that it is ridiculously easy to
reroute (think TOR) and come from a different, unrelated IP in a
matter of seconds.
-Justin
Quick poll... How much memory have you allocated to CF on your production
servers?
We are running Win 2008 R2, CF 9.0.1x Enterprise, w/ 3GB of RAM allocated to
the CF/JVM
How say you?
as the parameters to keep
the value in range, though I haven't seen that for a while, but
something to keep in mind if you see an error like that come up.
-Justin
beginning to wonder what problems exist in that algorithm, if any.
Hmm...
-Justin
</cfoutput>
Personally, I don't consider either to be part of an integer value and
I don't think it should ignore any non-numeric characters, but I
suppose they have their reasons for implementing it this way (unless
it's a long-standing bug that too much code is dependent upon to fix).
-Justin
For those of you using virtual servers, how much CPU/RAM are you allocating to
run your CF applications?
The IT department says we don't need more power because, statistically
(according to the VM tools), we don't need it. However, it is my belief the
apps will run much faster and CF/Java
That is too general a question to get a useful answer.
I know... just introducing the issue at hand. It depends, right? :)
Are you running 32- or 64-bit OSs? If 64-bit, are you also running a 64-bit
version of CF?
Yes: 64-bit Windows 2008 R2, and 64-bit CF.
It sounds like you have some
value decodes to WAITFOR DELAY
'00:00:15'). This would cause a page load to be delayed a short
period so they know the command executed on the database server before
moving on to more interesting attacks.
-Justin
of scope and then
you can do whatever you want with your cookies on the main part of the
site. Keep the billing system isolated and your headaches will be
greatly reduced.
-Justin Sco
Justin, thanks for the reply, and I get your point, but I can't break out
the registration process into a standalone site quickly. There must be a
fairly quick solution to this problem. Surely, I can't be the first to
deal with this.
Another option might be to ask your scanning vendor