I agree with Ben and Dave
There was a point where I was siding with Adam on this. But Ben, you make a
good point, which I think Dave was trying to get at. SysAdmins by default
are the type that want to do everything; they need to know what it is they
have control over. Therefore, if Adobe in
pretty much everywhere is
install open with lockdown options and give direction on how to secure it more.
-Original Message-
From: Andrew Scott [mailto:andr...@andyscott.id.au]
Sent: Wednesday, March 26, 2014 11:46 AM
To: cf-talk
Subject: Re: The long tail of ColdFusion fail
I agree
I think it is that simple: CF can be installed secure or not secure
regardless of someone's understanding of the server or how it works.
That is no different than saying it is impossible for Windows or Linux to
be installed securely by default; of course they can be, and are.
Some of the most basic
Well that goes without saying
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411
On Thu, Mar 27, 2014 at 3:16 AM, DURETTE, STEVEN J sd1...@att.com wrote:
How about this issue. You lock down ColdFusion to the max and CFFile
I'll weigh in on this for a few reasons. One of the servers in the Krebs
article is one that I was called in to fix. I've had to investigate/fix several
other breached servers over the past year. All were new-to-us clients that came
to us with a breached server. Another reason is that I
+ 1
-Original Message-
From: Wil Genovese [mailto:jugg...@trunkful.com]
Sent: Wednesday, March 26, 2014 12:56 PM
To: cf-talk
Subject: Re: The long tail of ColdFusion fail
I'll weigh in on this for a few reasons. One of the servers in the Krebs
article is one that I was called
I won't try to re-hash the entirely valid points Dave, Ben and others make
regarding the needed skill set that a server admin should have, nor where
the blame lies if a server is left unprotected/unpatched etc.
Consider this counterpoint: When a situation like the current one
arises... what do
I like this analogy... You buy a new Ford Fusion. Ford tells you about how
closing the doors and locking it is a security feature.
Then, you go park in a high crime area with the car running, keys in the
ignition and the doors wide open.
Except that in your analogy, it is obvious that one needs to open the doors
from time to time in order to be able to use the car.
With CF, there is never a good reason to leave the server unlocked.
Sure there is. Development servers don't need a secure setup if
they're not exposed to
On Wed, Mar 26, 2014 at 3:58 PM, Dave Watts dwa...@figleaf.com wrote:
Except that in your analogy, it is obvious that one needs to open the
doors from time to time in order to be able to use the car.
With CF, there is never a good reason to leave the server unlocked.
Sure there is.
On Wed, Mar 26, 2014 at 5:21 PM, Raymond Camden raymondcam...@gmail.com wrote:
On Wed, Mar 26, 2014 at 3:58 PM, Dave Watts dwa...@figleaf.com wrote:
Except that in your analogy, it is obvious that one needs to open the
doors from time to time in order to be able to use the car.
+1
-Original Message-
From: Russ Michaels [mailto:r...@michaels.me.uk]
Sent: 17 March 2014 22:40
To: cf-talk
Subject: Re: The long tail of ColdFusion fail
CF should install locked down out of the box; there really should be no need
to follow a complex lockdown guide to make it secure.
: Re: The long tail of ColdFusion fail
and then when their site gets owned, CF gets the blame.
On the other hand, why hasn't Adobe changed the way CF is installed if it's not
safe?
~|
Order the Adobe Coldfusion Anthology now!
http
bit of Adobe PR coming out
https://twitter.com/coldfusion/status/446212052982321152
https://twitter.com/coldfusion/status/446211830839402496
The majority of attacks we are seeing are exploiting software that is not
up to date on the latest security updates.
Or... use mod_rewrite to change the .cfm extension to .php!! Should confuse
a lot of hackers and might even help the sales guys!
Charlie Arehart has a relevant piece here:
http://www.carehart.org/blog/client/index.cfm/2011/10/14/coldfusion_processing_html_or_other_file_extensions
Andrew
Primarily because it is tag based, so some people think it is not real code
Russ Michaels
www.michaels.me.uk
cfmldeveloper.com
cflive.net
cfsearch.com
On 18 Mar 2014 04:06, Gerald Guido gerald.gu...@gmail.com wrote:
On Mon, Mar 17, 2014 at 3:18 PM, Robert Harrison
rob...@austin-williams.com
Yeah, because no PHP site has ever been hacked.
Your clients would be much smarter to spend their money on a secure
host than refactoring into a language that doesn't buy them one ounce
more security.
On Mon, Mar 17, 2014 at 12:08 PM, Robert Harrison
rob...@austin-williams.com wrote:
We're
Ditto. I can code PHP fluently, but I charge twice as much as for CF
coding and it takes twice as long.
On Mon, Mar 17, 2014 at 2:52 PM, wrote:
And I will add that PHP is the ugliest language I've ever seen in about a
40-year career.
No, come on guys, be fair; he is just the developer and he has stated that he
has no control over this.
Most developers are in the same boat: the management have no interest in
their advice or opinion. I have worked/contracted at many such places over
the years and it is very frustrating to watch.
The worst part of any Adobe software is the install process. Always
has been. Not sure who determines how the installers work but would
love to stake them out on an anthill. I've postponed new hardware
purchases simply because I don't have time to reinstall all the Adobe
software I use for
Hating CF is like hating a hammer. Hating PHP is like hating a huge
rock you are forced to use on the nails because the client won't let
you use a hammer.
On Mon, Mar 17, 2014 at 9:09 PM, AJ Mercer ajmer...@gmail.com wrote:
CFers are just as bad - take a look back on the PHP comments in this
On 18 March 2014 10:05, Maureen mamamaur...@gmail.com wrote:
Hating CF is like hating a hammer. Hating PHP is like hating a huge
rock you are forced to use on the nails because the client won't let
you use a hammer.
Fantastic.
That's put a smile on my face today.
Thanks.
To be fair, I posted that before I saw his post about it not being his
choice. My statement however, stands. ROI on a conversion from CF to
PHP simply for security reasons trends to nil. The only good reason
I've ever heard for the switch is the cost of CF server software, and
now that Railo
You don't find the CC installer to be a heck of a lot simpler? Click the
menu - click a product - download - and done.
On Tue, Mar 18, 2014 at 5:03 AM, Maureen mamamaur...@gmail.com wrote:
The worst part of any Adobe software is the install process. Always
has been. Not sure who determines
I haven't found it to be simple or quick. But it's been a while since
I did the last install. Perhaps they have improved it.
On Tue, Mar 18, 2014 at 4:38 AM, Raymond Camden raymondcam...@gmail.com wrote:
You don't find the CC installer to be a heck of a lot simpler? Click the
menu - click a
If you haven't done CC, then you haven't seen the latest installer. It is
literally - click a button to see a list of stuff, click download, and
done.
On Tue, Mar 18, 2014 at 6:52 AM, Maureen mamamaur...@gmail.com wrote:
I haven't found it to be simple or quick. But it's been a while since
This is probably not the thread for this discussion but yes I have CC
but I installed it when it was first released and have only done
updates as notified since. It's been over a year, and what I
remember was a messy install that required me to install a tool to do
the downloads, did not
If you haven't done CC, then you haven't seen the latest installer. It is
literally - click a button to see a list of stuff, click download, and
done.
I just switched to CC last week, and Ray is absolutely right. I was
kind of dreading the install, but it was very smooth. And it's easy to
go
Well I think if you say you want to stake the developers to the ant hill,
then that is kind of bold, and I'm going to defend my coworkers. ;)
Seriously - I'd consider trying it again. As for being able to select an
install location, I'll give you that, but honestly, I can't remember the
last time
Gerald Guido gerald.gu...@gmail.com wrote:
On Mon, Mar 17, 2014 at 3:18 PM, Robert Harrison rob...@austin-williams.com
wrote:
their IT departments are flat out refusing CF technology.
What is the deal with the bias and, at times, the flat out bigotry toward
CF? Could someone
On Tue, Mar 18, 2014 at 12:04 AM, Gerald Guido wrote:
What is the deal with the bias and, at times, the flat out bigotry toward
CF? Could someone explain this to me?
Everything makes more sense when you think of programming languages as
religions. Each has its own moderates and some have
For us, what we've encountered include:
1. It's more expensive to host CF and there are few hosts (somewhat
true)
2. CF is old and outdated (not true)
3. CF has little future left and is a dying technology (possibly
true... even if it's a self-fulfilling prophecy)
so some people think it is not real code
... and these people are real morons ;-)
Being tag oriented and compatible with HTML makes CF the most developer-friendly
language ever.
You don't find the CC installer to be a heck of a lot simpler?
Excuse my ignorance, but what is CC?
Creative Cloud.
On Tue, Mar 18, 2014 at 9:21 AM, wrote:
You don't find the CC installer to be a heck of a lot simpler?
Excuse my ignorance, but what is CC?
On Tue, Mar 18, 2014 at 10:21 AM, wrote:
Excuse my ignorance, but what is CC?
Creative Cloud. Adobe's software rental program.
-Cameron
...
Someone has to say it: I came across my first ColdFusion is dying thread
when I was considering upgrading my server to ... CF 3.1. That was here I
think. Maybe it was the Allaire forum. Too many dead brain cells between
then and now to be sure.
--
--m@Robertson--
Janitor, The Robertson Team
It's unfortunate, and I've tried to fight it for years, but CF is clearly
experiencing a slow, painful death. At this point almost all of our CF sites
have been hacked repeatedly (and before you point me to the lockout guide - we
don't host CF, we just build (built) the sites).
We're not
Let me add this:
Who Patches Your ColdFusion Servers?
http://www.trunkful.com/index.cfm/2014/3/7/Who-Patches-Your-ColdFusion-Servers
Many companies don't have dedicated server IT staff and are either hoping their
internally hosted servers are being updated by one or more of their devs.
We're not releasing any more CF sites and are converting those sites we can
to PHP.
Oh yeah. Change from a closed source to an open source. What can possibly
go wrong. :)
...@trunkful.com
Sent: Monday, March 17, 2014 3:10 PM
To: cf-talk cf-talk@houseoffusion.com
Subject: Re: The long tail of ColdFusion fail
Let me add this:
Who Patches Your ColdFusion Servers?
http://www.trunkful.com/index.cfm/2014/3/7/Who-Patches-Your-ColdFusion-Servers
Many companies don't have
Oh yeah. Change from a closed source to an open source. What can possibly go
wrong. :)
The decision to abandon CF is not mine. It was made above my head. It's become
more and more difficult to sell CF solutions to potential new clients and they
and their IT departments are flat out refusing
On Mon, Mar 17, 2014 at 3:11 PM, Phillip Vector
vec...@mostdeadlygame.com wrote:
We're not releasing any more CF sites and are converting those sites we can
to PHP.
Oh yeah. Change from a closed source to an open source. What can possibly
go wrong. :)
That has to be one of the most
PHP isn't safer. Just different.
And just because you're not hosting the servers does not mean you are not
responsible for them, and you certainly are responsible for the damage caused by
the hack. Go to http://www.securityfocus.com/vulnerabilities and look up PHP
vulnerabilities.
Regards,
Robert,
Well, I'm sorry to hear that. I always hate to hear it when people throw
away perfectly good code. Many applications typically take a good bit of
money, time, and blood, sweat and tears to write, so deciding to retire
them is generally a costly affair. That said, I can understand your
Well, I'm sorry to hear that. I always hate to hear it when people throw away
perfectly good code.
Me too. I have CF solutions for almost every issue that's reared its head in
the last 15 years and tons of great code built into highly configurable
CFCs... nonetheless, CF technology has
I think this hack has been known for a long time. I remember having installed
my CF administrator in a safe place at least 2 or 3 years ago.
The Adobe document which describes what to do is dated May 2010, almost 4 years
old.
There are a ton of sites out there with insecure CFAdmins, some running
CFMX6!!!
Google for inurl:cfide/administrator to find a few.
-Cameron
...
On Mon, Mar 17, 2014 at 4:30 PM, wrote:
I think this hack is known since a long time ago. I remember having
installed my CF administrator in
Google for inurl:cfide/administrator to find a few.
Hmmm - Our new prospective client list! Time to starting pitching services.
Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com
On Mar 17, 2014, at
The Adobe document which describes what to
do is dated May 2010, almost 4 years old.
Indeed, and yet people still install the base server, run credit card
transactions through it without patching the server, following the
lockdown guide, or otherwise following good security practices and
then
+1 for Vivio and patches
Bryan Stevenson, B.Comm.
President CEO
Electric Edge Systems Group Inc. - makers of FACTS^(TM)
phone: 250.480.0642
cell: 250.920.8830
e-mail: br...@electricedgesystems.com
web: www.electricedgesystems.com
On Mar 17, 2014, at 3:26 PM, Wil Genovese jugg...@trunkful.com wrote:
PHP isn't safer. Just different.
And just because you're not hosting the servers does not mean you are not
responsible for them, and you certainly are responsible for the damage caused
by the hack. Go to
and then when their site gets owned, CF gets the blame.
On the other hand, why hasn't Adobe changed the way CF is installed if it's not
safe?
I love developing in CF as I can build complex apps in 1/2 the time as it
takes in PHP.
And I will add that PHP is the ugliest language I've ever seen in about a
40-year career!
And to follow that up, yes, PHP has its fair share of security issues too,
but this is mainly directed at the uber-popular apps, because there are 100s
of thousands of sites using them, not because it is FOSS.
Yes, CF has been hacked, but it has not been targeted anywhere near as many
times as PHP.
+infinity
On Mon, Mar 17, 2014 at 5:57 PM, Russ Michaels r...@michaels.me.uk wrote:
And to follow that up, yes, PHP has its fair share of security issues too,
but this is mainly directed at the uber-popular apps, because there are 100s
of thousands of sites using them, not because it is FOSS.
You mean like with the secure profile option during install?
On Mon, Mar 17, 2014 at 4:49 PM, wrote:
and then when their site gets owned, CF gets the blame.
On the other hand, why hasn't Adobe changed the way CF is installed if it's
not safe?
On the other hand, why hasn't Adobe changed the way CF
is installed if it's not safe?
Layers... it's all about layers. If a vulnerability is found in the
CF admin or some other exposed piece, you don't want an attacker to be
able to take over the whole operating system. The lockdown guide
shows
Most new clients see CF as old and outdated technology with no future...
I recently lost a client because the sales folks from that approached
them told them Your site is using an ancient language called
'Coldfusion' that nobody is supporting any more, and it's /*KILLING YOUR
SEARCH
+... err... one.
On 17 March 2014 19:21, Matt Quackenbush quackfu...@gmail.com wrote:
On Mon, Mar 17, 2014 at 3:11 PM, Phillip Vector
vec...@mostdeadlygame.com wrote:
We're not releasing any more CF sites and are converting those sites we
can
to PHP.
Oh yeah. Change from a closed
On 17 March 2014 21:49, wrote:
and then when their site gets owned, CF gets the blame.
On the other hand, why hasn't Adobe changed the way CF is installed if it's
not safe?
backwards compatibility, and general lack of taking security seriously.
They offer lipservice to security, but are too
CF should install locked down out of the box; there really should be no
need to follow a complex lockdown guide to make it secure.
On Mon, Mar 17, 2014 at 10:12 PM, Justin Scott leviat...@darktech.org wrote:
On the other hand, why hasn't Adobe changed the way CF
is installed if it's not safe?
I'm a plank, you're a plank, everyone's a plank, plank...
Adam Cameron dacc...@gmail.com wrote:
But I will swing back towards Adobe (and Macromedia before them) being to
blame here for engendering this idea that one can be a plank and still use
CF. So now we have a community full of
On Mon, Mar 17, 2014 at 3:18 PM, Robert Harrison rob...@austin-williams.com
wrote:
their IT departments are flat out refusing CF technology.
What is the deal with the bias and, at times, the flat out bigotry toward
CF? Could someone explain this to me?
I deal with this all the time. CF is a
CFers are just as bad - take a look back on the PHP comments in this thread
:-P
But you are right, the focus on this article should have been about keeping
your systems upgraded and patched - irrespective of language used.
On 18 March 2014 12:04, Gerald Guido gerald.gu...@gmail.com wrote:
On Tue, Mar 18, 2014 at 12:09 AM, AJ Mercer ajmer...@gmail.com wrote:
CFers are just as bad - take a look back on the PHP comments in this thread
:-P
I agree, but this is MUCH more deep seated than that.
G!
--
Gerald Guido
Twitter https://twitter.com/CozmoTrouble
Blarg
I laughed so hard I hurt my knee as I fell off the chair
PHP is the most attacked and hacked language on the planet... In fact there
are so many sites running these bots written in PHP that seek known and
not so well known exploits... I see on average 98% PHP attempts at hacking
in my logs,
You don't see it as anything other than a service, if done right the person
won't even know what technology is running on the server.
Sales teams should be selling it as a Java solution, because the byte code
running is technically Java. Secondly if they are selling it as a language
rather than
In cases like this you turn the tables: take the negativity of it being old
and turn it around to being positive, for example.
Customer: Isn't ColdFusion an old, outdated language?
Sales: Not at all. Yes, it is roughly older than or the same age as PHP, but the team
at Adobe have made leaps and bounds in