Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

Should you? What do you gain? what do you lose? what are some gotchas? That's what this blog entry is about, answering the following questions:

• First, what is ColdFusion 9.0.2? Why did Adobe create it?
• What about the 9.0.1 updater? Can we still get that? Yes.
• So what all does 9.0.2 add and remove?
• If I download CF 9 today, what do I get?
• "But if I download 9.0.2 today, I get the latest version of it available, right? I don't need to add hotfixes, do I?" Wrong.
• Warning: DO NOT install 9.0.1 atop 9.0.2 (nothing will stop you)
• If I am on 9.0 or 9.0.1, how can I get to 9.0.2?
• Why might I want to get to 9.0.2 from 9.0 or 9.0.1?
• How did i miss this? Was 9.0.2 discussed? Yes it was.

[....Continue Reading....]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

Anyway, here is the answer I wanted to offer to that question...

[....Continue Reading....]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

As an update since I first wrote this, it turns out this issue may or may not affect you depending on a couple of variables, which I will discuss, with a prefix of "update:" below. But don't dismiss this thinking you are not affected. I would propose that still far more CF servers may be exposed than not, as I will explain.

The CF Admin has (for several releases) offered an option called, "Use UUID for cftoken" (in the "Settings" section), and it's been intended as a security measure. Its purpose is to cause CF to use a UUID value (a long, complex string of numbers and letters) for the CFTOKEN cookie (and session variable) that CF generates, versus what used to be a simple, 8-digit value. This cookie, along with the simpler and incrementing CFID, is used to connect users to the session and/or client scope values created for that user in CF code.

Some may be surprised to learn, though, that while this setting DOES cause CF to *create* such UUID-formatted CFTOKEN values for requests that do not already present a CFTOKEN cookie, it does NOT necessarily cause CF to block any continued use of such simple, 8-digit cftoken cookies.

In other words, browsers which had visited your site before you turned on "use uuid for cftoken" would still send the 8 character cftoken they already had, not a uuid, and that could be accepted as valid by CF, even with that setting on, under certain conditions. (And the user will not be sent any new cftoken cookie in a UUID format, in CF's response, in those conditions.)

There's good and bad news related to this fact, which I will elaborate on below.

Update: Since writing this entry, I learned of a couple of factors that influence if and when this is a problem.

1. It turns out that if you are using CF10, or CF9 or 8 with the "session fixation" hotfix (APSB11-04), then the problem only happens until you restart CF. The Admin does not currently warn you of this, so beware that you will have the exposure below until you do restart. (If you have added one of the later security hotfixes or cumulative hotfixes that came out since then, then you have gotten the fix.) This fix causes CF to create a new UUID-based CFTOKEN, if you turn on this feature at least (and after a restart) when a browser presents a previously created 8-digit cftoken.
2. On the other hand, even if you are running CF 10, or running 8 or 9 and HAVE applied that hotfix, note that if you TURN OFF that fixation protection (by adding the -Dcoldfusion.session.protectfixation=false value to your jvm.config, as discussed in that technote), then you are back to the state that I discuss below.
3. And of course, if you are on CF 8 or 9 and have NOT yet applied that APSB11-04 hotfix (or a later cumulative one that includes it), then you are indeed still vulnerable.

So that leaves still many people who could be affected by this. Even if it seems you may not be, you may want to continue reading this entry to understand what the issue is about, for you and others who may be impacted by it.

[....Continue Reading....]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

• Updating/Hotfixing #ColdFusion 10, 9 and 8: Tips and Traps
• Locking down the #ColdFusion Administrator: Your First Line of Defense Against Hackers

For more details on the talks, or to get the slides once I post them (likely right after the meeting), please see the links for the two sessions above.

And if you may want to attend, please RSVP.

I may offer these later on the Online ColdFusion Meetup or perhaps one of the remaining CF conferences this year, if I may be selected to speak.

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

Important hotfix-related notes for ColdFusion 9 and ColdFusion 10

What is this about? and why is it important? Read on below, as the document itself and current links from Adobe don't quite convey its significance, I think. For more perspective, I discuss below both what has happened to many folks after applying ColdFusion security hotfixes in recent years, and how this document helps.

[....Continue Reading....]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

Summary: There is a reasonable explanation and a rather simple solution: update the MySQL driver that CF is using to at least version 5.1.22 of the driver, the first to support MySQL 5.6, because the one built into CF 10 (driver version 5.1.17) not only does not. More important, that older driver uses something that causes the failure above in 5.6.

That explanation of the "solution" may be enough for some to take the ball and run with it (and if not, I will offer more details on how to do that), though it should be noted that updating the driver is not formally supported, nor is MySQL 5.6 technically supported at all in CF10 (or 9). But for those who will press on knowing that risk, you now know what you need to do.

But as often, there's much more to this than meets the eye, so I hope you will follow along to learn more. I have broken this into two parts:

• the problem (with what I hope is helpful explanation of what the real root of the problem is),
• who's to blame (not Adobe, I will argue)
• and the solution (with some caveats that even experienced folks, or those who don't care about "the problem", should still read.

And again, while I discuss this in the context of CF10, where I've seen the problem happen, it could apply also to CF9 (and it seems reasonable that it would), so all the information still applies, it would seem.

[....Continue Reading....]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

Those who know the value of common Windows shortcuts, like alt+tab, ctrl+escape, alt+home, etc., will know those work against your local machine, unless you open a maximized remote desktop in which case they then work against the remote machine. And that's great, of course.

But what if you have a remote desktop opened as a window (one of many apps visible on your local desktop)? You may find it frustrating, if you mean to be doing the equivalent of an alt+tab WITHIN the remote desktop, while viewing it as a windowed app. The keys will again work against your local machine, like with any app.

Is there a way to do such common keyboard shortcut actions against the "windowed" remote desktop? Yes there is. I find that relatively few people know about these, and most are delighted to learn of them! :-)

Summary

See below for more discussion on these, but briefly...

Note first that you can use ctrl+alt+break to toggle a Remote Desktop between full-screen and windowed mode. (If that or these don't seem to work, read the paragraph after the list.) That helps make these shortcuts all the more valuable, once you are viewing the "windowed" remote desktop, where you can use:

• alt+pageUp: to switch application windows on the remote (equivalent of alt+tab)
• alt+pageDown: to switch "backward" through applications (equivalent of alt+shift+tab)
• alt+home: to show Windows "start" menu on the remote (equivalent of ctrl+escape)
• alt+shift+home: to show Windows Task Manager on the remote (equivalent of ctrl+shift+escape)
• alt+del: to show Window menu (top left menu) in current app (equivalent of alt+space)
• ctrl+alt+end: to do the equivalent of ctrl+alt+delete on the remote
• ctrl+alt+plus (the + key): to save screenshot of current remote screen to clipboard (equivalent of PrtSc, the "print screen" button)
• ctrl+alt+minus (the - key): to save screenshot of current remote window to clipboard (equivalent of alt+prtSc)
• alt+ins: to cycle through your remote desktop applications, one app at a time (equivalent of alt+escape)

Again, these shortcuts are for using when you are in a *windowed* remote desktop. Beware also that if any don't seem to "work" for you:

• note that on some keyboards (especially more modern laptops), you may need to press a "function" (or "fn") key to execute the equivalent of one of the keys listed here. For instance, the "break" key may require fn+end, which means that first shortcut above can be a cumbersome four-fingered salute: ctrl+alt+fn+break
• As an update in 2021, on my Asus Zenbook laptops, the break key requires fn-b (and I see the same is true for some Dell laptops), so again it's a four-fingered solute: ctrl+alt+fn+b
• similarly, you may find that you have more than one set of the needed keys, such as pgup/pgdn, on your keyboard. One pair may appear on the top right, and another on the lower right, and/or within the numeric keypad. Be sure to try both, before giving up.
• it could be that you don't have the the keyboard "focus" on the windowed remote desktop session. Click within the remote desktop to be sure
• It may be that your keyboard (especially some modern laptops) may have the pageup, pagedn, home, and other keys used here mapped to some other keycode that Remote Desktop doesn't recognize (even though the keys may "work fine" for you for their normal use on your laptop). I have found a solution to that in 2018 and I intend to do a blog post with more on the solution (until then, check out the tool sharpkeys)

For still more detail and discussion on these keyboard shortcuts, read on.

[....Continue Reading....]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

There is a new Adobe CF blog entry pointing to the new hotfix, and I point that out rather than the technote for the hotfix itself, because as often is the case, there has been some useful discussion related to applying the fix. Indeed, there's a warning I've shared there about a problem (hopefully temporary) with the hotfix file for users of ColdFusion 9.0.2. (Update: the confusion about 9.0.2 is resolved. The technote has been corrected. See the comments in the Adobe blog entry for more details.)

Users of ColdFusion 10, 9.0.2, 9.0.1, and 9.0 should certainly proceed to implement the fix.

I address several questions and other observations about this hotfix below.

[....Continue Reading....]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

At first I was adding these as updates to the previous entry, but I fear that some who may have read it earlier in the day may then miss some of this new info, thus this "Part 2". You will definitely want to read part 1 before proceeding here.

[Update: And since writing this entry 2 weeks ago, Adobe has indeed now come out with a hotfix. I have more to say about that in the new Part 3: Adobe hotfix released for "Serious security threat for #ColdFusion servers". While you should proceed to get that fix in place, you'll likely benefit from reading parts 1, 2, and 3, as there's more discussed than just the thread and fix, itself, which could benefit you down the road.]

Among the new information shared below are such things as how the hack worked (not too much detail, though), how to determine what the exploit may have exposed, how to handle resolving things for many sites via scripting, how to lock down the /adminapi, /administrator, and /componentutils directories, and most important, why you should not skip all this just because "we already block all access to the CFIDE/adminapi" (and /administrator and /componentutils)". There may be exposure you're not considering.

[....Continue Reading....]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

And note that it's NOT one that you're protected against by having applied CF security hotfixes. (Updated Jan 15 2013, as Adobe now has a hotfix for this. More below.)

There's quite a bit for you to consider regarding this recent threat, as I discuss here.

[....Continue Reading....]