Doing that on everything.
If you're parametrizing everything on the queries then what is the concern?
-Justin
~|
Order the Adobe Coldfusion Anthology now!
Does anyone have a copy of this custom tag lying around? We were
using it on a server that recently crashed and I am having some trouble
locating a copy of it. Thanks!
-Justin
I was able to locate a copy on our network, please disregard. Thanks!
On Thu, Jul 10, 2014 at 6:30 PM, Justin Scott leviat...@darktech.org wrote:
Does anyone have a copy of this custom tag lying around? We were
using it on a server that recently crashed and I am having some trouble
locating
I have never been a fan of the sync in CFB, I have always used
Scooter's Beyond Compare. ...
+1 for Beyond Compare, it's awesome.
On an unrelated note, is there something I'm missing during the CF
Builder 3 setup process to import settings and projects and such from
Builder 2? I have
I just don't get Adobe at all. I'm so disappointed in them.
The tone of the announcement blog entry pretty much sums it up... the
new features don't excite me. They list mobile development, language
enhancements, new PDF engine, and security enhancements as the big new
features. The mobile
...@michaels.me.uk wrote:
It felt that way with CF10 as well, I have not even bothered with CF10, and
that was before I moved to Railo.
On Tue, Apr 29, 2014 at 4:03 PM, Justin Scott leviat...@darktech.org wrote:
I just don't get Adobe at all. I'm so disappointed in them.
The tone of the announcement blog
I listened to the latest (last) CF-Hour podcast this afternoon and
wanted to give a big THANK YOU to Dave and Scott for their efforts and
time for the CF-Hour podcast. It had its ups and downs, but overall
was one of the crown jewels of the CF community. It will be missed.
-Justin Scott
Hi, I discovered today that MSIE 11 is putting ...
Trident/7.0; rv:11.0 still gives it away as IE 11. If you look for
that prior to the Mozilla check then it will still catch it
properly.
-Justin
I am picturing a 2-fold system. A web-based scan for common
vulnerabilities from outside, and a more detailed scan of the system from
inside.
Hi Jerry, you basically just described HackMyCF.com and their security
scanner and monitoring tool.
-Justin
OMG You mean ColdFusion 11 is public :P
I'm hearing Stroz in the back of my head... 10.5 10.5 have a
great weekend!
-Justin
Also, QA and debugging are usually paid positions, except for open
source software. If Adobe wants to make CF open source, I will be
happy to volunteer some time to help fix it. Otherwise, not my job.
Bugs happen... as a developer I'm sure you've had clients bring bugs
to you and you've
http://krebsonsecurity.com/2014/03/the-long-tail-of-coldfusion-fail/
Patch your servers people. Follow the lockdown guide while you're at it.
CF 10:
https://www.adobe.com/content/dam/Adobe/en/products/coldfusion-enterprise/pdf/cf10-lockdown-guide.pdf
CF 9:
The Adobe document which describes what to
do is dated May 2010, almost 4 years old.
Indeed, and yet people still install the base server, run credit card
transactions through it without patching the server, following the
lockdown guide, or otherwise following good security practices and
then
On the other hand, why hasn't Adobe changed the way CF
is installed if it's not safe?
Layers... it's all about layers. If a vulnerability is found in the
CF admin or some other exposed piece, you don't want an attacker to be
able to take over the whole operating system. The lockdown guide
shows
First: assuming that you have a finite amount of time - I think that's
a safe assumption - you would be far better served optimizing your
SQL and your asynchronous processing. I've been working with CF
for many years, and I've looked at a lot of applications, and it's very
rare that I find
<cfif (serializeJSON(qry1) eq serializeJSON(qry2))>
to compare 2 queries
or
sticking the queries into an array and then
<cfif #qryArray1.equals(qryArray2)# IS "YES">
TryCF.com is great for stuff like this. Plug this code into TryCF.com
and give it a whirl...
<cfscript>
qry1 = queryNew("x,y,z");
I am using SmarterMail to deliver my email from CF. However,
emails that are generated don't seem to have the DKIM signing
attached.
Do you have a username and password entered into the Mail settings
in the ColdFusion administrator for the connection to your mail
server?
-Justin
Can anyone provide assistance as to why CF 8.0.1 isn't happy
with this certificate?
It sounds like they're using a certificate with multiple embedded
hostnames (known as alternative names) which is not supported by Java
6. Importing the cert into the java cert cache won't help. You will
need
Enterprise, but aside from that everything else
should be smooth sailing.
-Justin Scott
being called. Java will only check against the
primary hostname and not the alternative names listed in the
certificate. Calling the primary hostname on the certificate and
using a hosts entry to override the DNS entry to direct it to the
right IP is the only workaround in this instance.
-Justin
OS version matters little with PCI compliance. If anything 2012
should be more up-to-date and secure (HA, Windows joke contained
within).
I'd add that this will depend on your QSA. Some are beginning to
nitpick the SSL cipher sort order which older versions don't allow you
to specify.
FYI, I tried things out on CF 10, and it appears to accept these types of
certificates without issue.
What's the JVM version you're using on that installation?
-Justin
It's not a question of 'if', but 'when'. -Ancient Security Proverb
On Thu, Oct 3, 2013 at 5:54 PM, John Lyons tyrsbl...@gmail.com wrote:
Excellent time to open source, no?
I think there's a better chance of Jesus rising out of the retention
pond in my back yard. Companies have had their source code stolen
before without a lot of impact. If anything, someone will examine
their source code and identify half a dozen new security
boo, being all logical and stuff :)
It's all part of the show folks. :)
-Justin
cfformprotect will help you with stuff like this
I'll second that... it's become a standard for me to implement on
public-facing forms to prevent automated submissions.
-Justin
cfmldeveloper.com
cflive.net
cfsearch.com
On 22 Jul 2013 04:45, Justin Scott leviat...@darktech.org wrote:
There was some discussion about a very similar injection on Stack
Overflow which may be useful:
http://stackoverflow.com/questions/4600954/site-has-been-hacked-via-sql-injection
-Justin
Which brings up another security question. How do other sites
handle something like this automatically? I mean, if I see an
attack from an IP address, is it even worth blocking at the firewall?
What I do is a combination of input sanitizing and using cfqueryparam
to the point where it's
There was some discussion about a very similar injection on Stack
Overflow which may be useful:
http://stackoverflow.com/questions/4600954/site-has-been-hacked-via-sql-injection
-Justin
On Sun, Jul 21, 2013 at 1:33 PM, Dave Hatz daveh...@hatzventures.org wrote:
We had someone trying to
recommendations on a
CF-based solution, or even a Java or .Net solution I can import if
available. Thanks in advance, and have a great weekend!
-Justin Scott
By default the form field will only exist if the checkbox is checked,
so you could do:
Subscribe to newsletter?
<cfoutput>#yesNoFormat(isDefined("form.mailList"))#</cfoutput>
As an aside, in the anti-spam and e-mail deliverability communities it
is generally considered a bad practice to have these
What do you mean? You mean like variables.thevalue... or do you
mean like thisinstance.thisvalue, so each subsequent run has different
values?
The info that Ray pointed to gives a lot of great information. The
short version is that you can define those variables to be private and
local
http://developers.slashdot.org/story/13/06/08/051235/
Not directly CF-related, but could impact those that rely on accurate
time information around the world.
-Justin
successfully)?
-Justin Scott
Are you sure, this is from cf8 docs showing key and passphrase in one
call...
Thanks, the passphrase argument goes with the private key (e.g. if
the private key file itself is protected with a password, this would
be the password to unlock the key file so CF can read and use it).
This is
You'll want to check what mode your page is being rendered in and
which version of HTML it's applying. In HTML 5 the required
attribute is binary meaning that if it's present, the field will be
treated as required regardless of the attribute's value (e.g.
required="no" doesn't make the field
The current concept is for me to get another server specifically
for their email delivery, and to move their app to my CF machine...
First, the volumes of e-mail you're talking about may sound like a
lot, but they're really not. We have CF apps that do close to half a
million messages a day
The IIS SMTP service is OK for absolute no frills, don't care at all what
happens to the emails. But the logging is pretty rubbish, so tracking
down causes of failures is often very hard or impossible.
That hasn't been my experience, though I agree the logs could use some
improving. I don't
but aren't they scanning the interface from a public network? If so,
you should have a very small number of listening ports. Maybe just
two: TCP/80 and TCP/443. There is no reason why you'd expose
TCP/135 to a public network (especially if you're running Windows).
Good advice; in my
Most (if not all) PCI scanning vendors will remove it from your report if
you explain that the session is based on BOTH the CFID and CFTOKEN values,
not just one, as long as you have "Use UUID for CFTOKEN" enabled (which in
CF9/10 is more than just a UUID).
I can second that, we've run into
... Problem: new ones all come with Windows 8 so it looks
like I'll be buying (unless I can find freebies) some new
development tools.
If you poke around on eBay you can find new surplus and business
systems that come with Windows 7 Pro. I bought a brand new Dell
Vostro 270s for my parents,
... You can do anything with anything. There's nothing I can
build in one that I can't build in another. At that point, it largely
becomes a matter of personal preference.
I largely agree with your assessment. From many that I've spoken with
the biggest challenge facing CF isn't that the
For those of you on this list that have experience with both, can I
please get your feedback on the Pros and Cons of going to the
.NET framework from ColdFusion?
Hi Dave, that will depend on what you're doing with it. I don't have
anything against .NET and have done some coding with it. The
With regard to a CFML engine running on .NET, New Atlanta has a
BlueDragon .NET edition that does exactly that.
Thanks Carl, I knew they had a Java version but wasn't aware of the
.NET edition. Good to know if I ever run across one of those types of
clients.
-Justin
When I performed this same task a few months ago, I basically wrote a page
that did all the salting and updating as a loop. Obviously I had decided
on the actual process for login and tested it to make sure it worked. I
just increased the size of the password column, added a salt column and
I guess I didn't make myself clear. I wrote a routine that salted and
hashed all of the plain text passwords that were in the system.
Ah, that is a good thing then. I took it that you were adding salts
to an existing hash like the original poster.
-Justin
The original poster never said they were adding salts to existing hashes.
They laid out the same scenario of converting plaintext passwords to
salted hashes.
I'm just on a roll of misreading today. When she said adding salt
my brain stopped there and didn't register the /hash after that.
I tried updating the JDK to version 7, latest available. After changing the
JVM path the CF server would not start, so I am wondering which is the
latest version of the JDK that ColdFusion 7 will support, please?
Java 7 support for ColdFusion 9 and 10 was just announced with a patch
released
It's great to see this in CF8, but unfortunately it doesn't provide all the
metadata I would need,
If you have ever used Photoshop or Lightroom, you can edit the File Info.
This means the photog can add a lot of information to the image, such as
Description, keywords, copyright, etc. When
Not looking to spend on a CF upgrade over one site :)
I'd normally say there's always Railo if cost is an issue, but it
looks like Railo has implemented imageGetEXIFMetaData() but not
imageGetIPTCMetaData() (it's not listed in their documentation,
haven't actually tested code on Railo to
Even if you upgraded, not sure you'd get a whole lot of EXIF data
out of imageInfo anyway beyond the very basics (height, width,
etc.). If you don't mind dipping down into Java, you can add a Java
lib to your CF classpath; that's probably your best bet. Maybe:
http://drewnoakes.com/code/exif/
100% of the time this little bit of regex has served me well until now.
^[\w\.-]{1,}\@([\da-zA-Z-]{1,}\.){1,}[\da-zA-Z-]+$
Is there a reason you're not using the built in isValid("email",
variable) function instead of a regex?
-Justin
Pretty sure isValid() incorrectly flags emails with apostrophes as invalid.
Nope, at least not with CF9 (checked last night before I posted).
There are two or three bugs with isValid() and emails.
I was about to ask if anyone had details on where isValid() might fail
on e-mail addresses when
<cfif len(editUser.CreditCardNumber)>
<cfparam name="form.decrypted" default="">
<cfset theKey = GenerateSecretKey("AES", 256)>
<cfset decrypted = decrypt(form.CreditCardNumber, theKey, "AES", "UU")>
</cfif>
Since the only place where the decrypted variable is being set is
within the CFIF block, I'd check to
Hmm. I am still getting the error "Variable DECRYPTED is undefined." which is
weird since I have defined it -- in scope FORM.
Hi Eric, I'd recommend throwing the whole file up to somewhere like
pastebin and posting a URL so we can see what all is going on in there
(make sure to remove any sensitive
http://pastebin.com/3xtt3b8k
At first glance I'm not sure why it wouldn't find the form variable.
You might try explicitly setting the scope in all instances of that
variable. Also, why are you paraming it in the form scope? Your form
doesn't have a variable called decrypted so it will always
We had another run of someone trying yesterday.. I detected it on
the 3rd attempt (all of which failed).. then he (or she) tried about
30 more times where I just sent the fake failure notice without
letting it hit the credit card processor.
I like this approach on two fronts. First it
Forget the form page the bots/humans are not even seeing it they are
attacking your processing cfc directly. Your protection has to be server
side since any JavaScript on the form page is ignored. They are
submitting form data directly to your CFC processing page.
Part of the
Good morning/afternoon, one of the companies I work with is interested
in integrating some IP geolocation information. I am seeking
recommendations for a service with a decent API that others have used.
There are so many to choose from. This will be for commercial use so
a paid service is
I'm confused - what kind of service are you looking for? The browser itself
supports geolocation. Google Maps is its own API. What else are you
looking for?
A service where you take any IP address as input and it passes out
location (and possibly other) information. For example, if we have a
If you're doing it later rather than real time you can probably
get that information from Google Analytics.
That isn't applicable to the situation we're working with. If anyone
has experience with an IP-to-location service that I can pass an IP
into and get location information back, I'd
What about using geolocation on the client itself? Roughly 82%
of your audience will support it.
The situation I'm working with is dealing with historical data.
-Justin
If you have a budget available I would recommend
http://www.maxmind.com/en/geolocation_landing. We use the downloadable
database.
Thanks Donnie, that is exactly the kind of service I am looking for.
-Justin
I'd argue that Google's Geocode API (...) would provide
it for a user along with geolocation if you wanted it for the
current user.
Indeed, we are actually using the Google Geocoder for getting lat/long
info for street addresses so that they can be mixed in where available
as well.
-Justin
p.p.s. here's the (pseudo) C# code that I need to replicate that I've been
given, along with the comment "pay specific attention on how the base 64
strings are directly converted to byte arrays."
I'd recommend pasting that code into pastebin or other code-sharing
site which can retain formatting
Ah so they were just checking to see if they could get something to work
before possibly trying anything real.
That's a pretty standard approach. If they can get the response to
delay then they can mark that URL as a potential entry point to come
back and explore more later.
-Justin
<cfif not IsDefined("LoggedIn")> <!--- this logic added to --->
This line is getting triggered on every page load, so when it
redirects and reloads the page it's getting triggered again in an
endless cycle. You'll need to add logic to tell it not to redirect
when you're actually loading the login
I am looking for 2 to 4 rack-spaces of affordable co-location on the
east coast, with decent quality transit.
East Coast is a lot of territory. Do you have any more specific
requirements? Bandwidth, IP addressing, electrical, firewall, remote
hands-on needs? Most data centers I have worked
The file itself is some tool designed to be used by developers, probably
not developed by the hacker himself. He just found a way to store it on
servers.
I've seen this tool make the rounds before through other attack
vectors. It's been around since at least ColdFusion MX 6. The
I have a table that has two date fields (dateinx and dateoutx) and I
need to find all the results for today's date that both fall between
and on that date for a given customer: cID.
This should be fairly simple to add to your existing query...
AND GETDATE() BETWEEN dateinx AND dateoutx
I suppose all the information about scheduled tasks is
stocked in some XML file, but where?
Take a look in the neo-cron.xml file in the lib folder for your
ColdFusion instance.
-Justin
with SQL Server (even
the Express edition which we have deployed in production in a few
places) and back up your databases locally and off-site as well.
Works out pretty well.
-Justin Scott
injection just based on your initial post. I suppose I should read
the rest of the thread before I go on too long though. :)
-Justin Scott
to the client, so
when a search engine sees the content it will show up in the HEAD
section regardless of where in the code you make the call to
CFHTMLHEAD.
-Justin Scott
... So this brings up the question now of what's the full
purpose of the CFAdmin setting and its use with the IIS
setting for Details vs Custom IIS error pages?
Basically IIS is looking at the response codes from an application and
when it sees anything other than normal 200 (OK) code (and
Not sure about CF10 but on Railo I think you have to set Error
Reporting to Detailed in IIS7 to get the error.
In IIS 7 this setting would be in the site properties, Error Pages
under the IIS settings category, then the Edit Feature Settings...
link on the right side menu. From there you can
I recently had to help with some code with really
outlandish variable and field names.
<cfset mawkishbbt = GNOME.barakish> (not really, but a good paraphrase)
That reminds me of my days writing vScript for the Virtual Advanced
BBS (way back in 1995) where all of the variables were predefined
Everything between cfoutput tags needs to be parsed. So a big
page would slow performance, by how much is prob negligible
but worth testing to find out.
Remember that this would only be a hit once each time the file was
changed, as once it's compiled down to bytecode it doesn't have to be
remember this being a big deal back in 1999
under CF4, but in current versions it doesn't appear to matter from a
performance standpoint which cfoutput approach is used.
-Justin Scott
Well, considering it was not announced it seems it was perhaps
not an official release, as it was just found by accident, ...
When I first posted, it wasn't an accident. Ben Forta had posted an
announcement on his blog and I happened to see it within a few minutes
in my RSS news reader and
This is a post from the CF Server Team Blog that I thought worthy of
passing along. If you believe you will need to install CF8 or CF9
with Verity bundled in the future and do not already have the
installers, go grab them now...
---
From:
Problem is, I don't have access to the server other than to reference
it. They have a server that hosts the photographs, and another server
that hosts the html. So I can only reference the photos using a full
URL from another server entirely.
Sounds like MLXchange if that's the
ColdFusion 10 has been released...
http://www.adobe.com/products/coldfusion-family.html
-Justin
I can't seem to get the encrypt function to take an initialization
vector. It doesn't matter what I put there. It returns the exact
same result as if there is no initialization vector.
Hi there, please post the line of code where you're calling the
encryption function as that will help with
a similar result (e.g.
<cfset useasiv = left(hash(anotherkey), 16)>).
-Justin Scott
The problem with IP blocking is that 99% of the time the IP
is a fake IP, and that means that legitimate IP's are and do
get blocked for no good reason.
It really depends on the type of attack. If they're just flooding as
part of a DDOS attack then spoofing is viable, but for something like
I would think there would be some way these functions would
work to prevent passing invalid data to a cfsqlparam with type
cf_sql_integer but I couldn't find a way that didn't allow something
illegal through.
If I know a variable is supposed to be an integer (usually a primary
key), I will
I just find it weird that isValid("integer") would consider "$123,123"
as a valid integer value such that I have to fix it in the first place!
I agree that seems a little wonky. I ran the code below to test some
values with ColdFusion 9 and the results are included in the inline
comments:
Yeah unfortunately IsValid("integer") ignores non-numeric
characters.
It seems more complex than that, as some it will ignore and others it
won't. Dollar signs and commas appear to be ignored but others are
not (results as run on ColdFusion 9).
<cfoutput>
"123,,123" = #isValid("integer", "123,,123")#
An IP from the Ukraine was attacking my contact form with name values like:
John 1) declare @q varchar(8000) select @q =
0x57414954464F522044454C4159202730303A30303A313527 exec(@q) --
Indeed, this looks like an initial reconnaissance injection to see if
other commands would work (that hex
It's a video streaming site for members. I can't believe my only
option is to stream video across ssl. There must be another
solution.
There is: take the main site out of scope for compliance. The only
parts of a system that have to be PCI compliant are the ones that
handle credit card
Justin, thanks for the reply, and I get your point, but I can't break out
the registration process into a standalone site quickly. There must be a
fairly quick solution to this problem. Surely, I can't be the first to
deal with this.
Another option might be to ask your scanning vendor for
Justin, I don't think that would work though, depending on the level of
compliance and the SAQ being completed I don't think any vendor will
allow that exemption regardless of if credit card information is visible or
not. If an attacker is allowed any access to a user session and can
harvest
good coverage.
-Justin Scott
On a related subject: is there a way to make the jsessionid cookie
secure without making the jrun change? I ask because doing so
affects all sites on the server, and I had planned to run other sites
on this particular server.
Be careful with this... if your billing system is on this server
Difference between cfcontent and cfheader in terms of its usage?
Generally, cfcontent is used to serve up a file from the server
through ColdFusion (could be a generated PDF document, tracking image,
or any other file you want to have ColdFusion serve up for you through
the code). You can also
@Mack - Thanks for the confirmation, that lets me know it's possible
which is a good start.
@Steve - Interesting, I will take a look at that as soon as I can. If
it's just a wrapper for ffmpeg I can probably extend it to handle
stitching if needed.
@Ray - Thanks for the suggestion. I had
Hi all, I am curious if anyone has hands-on experience with processing
video that they might be willing to share? I have a potential project
which will need video transcoding services as well as stitching
parts of videos together to form new videos. From looking around I
saw the ffmpeg library
Highlighted on the YouTube homepage, they trash CF in
the first line of the song...
Yeah, sometimes the code looks a little trashy, but this ain't
ColdFusion so stop talkin' sassy.
Sounds like a compliment to me (e.g. ColdFusion code looks less trashy
than PHP). I'm with Dave on this one. :)
I don't think that is accurate. Yes you can use array/struct functions
on them, but they are not array/structs. Consider this example:
I saw your post and ran the code, and you are correct, CF is
representing them as an xml document rather than arrays and structs.
It's been a while since I
1 - 100 of 628 matches