[Looking for Charlie's main web site?]

Part 2: Serious security threat for ColdFusion servers [now covered by a hotfix]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Since I posted my entry earlier today about a Serious security threat for #ColdFusion servers [not now covered by a hotfix], I have had many questions and discussions which lead me to share more info.

At first I was adding these as updates to the previous entry, but I fear that some who may have read it earlier in the day may then miss some of this new info, thus this "Part 2". You will definitely want to read part 1 before proceeding here.

[Update: And since writing this entry 2 weeks ago, Adobe has indeed now come out with a hotfix. I have more to say about that in the new Part 3: Adobe hotfix released for "Serious security threat for #ColdFusion servers". While you should proceed to get that fix in place, you'll likely benefit from reading parts 1, 2, and 3, as there's more discussed than just the thread and fix, itself, which could benefit you down the road.]

Among the new information shared below are such things as how the hack worked (not too much detail, though), how to determine what the exploit may have exposed, how to handle resolving things for many sites via scripting, how to lock down the /adminapi, /administrator, and /componentutils directories, and most important, why you should not skip all this just because "we already block all access to the CFIDE/adminapi" (and /administrator and /componentutils)". There may be exposure you're not considering.

[....Continue Reading....]

Serious security threat for ColdFusion servers [now covered by a hotfix]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Hey folks, there's a fairly serious security threat out in the wild, and you may want to check if your server's been hit. (It may be old news to some, but for now it's hitting people in the past week or so.) It's been confirmed to have hit at least CF9 (9.01 and 9.0.2) servers, but it seems it would apply to as well to CF10 or down to CF 7, as it leverages the Admin API.

And note that it's NOT one that you're protected against by having applied CF security hotfixes. (Updated Jan 15 2013, as Adobe now has a hotfix for this. More below.)

There's quite a bit for you to consider regarding this recent threat, as I discuss here.

[....Continue Reading....]

Clearing the ColdFusion template cache programmatically

Note: This blog post is from 2012. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
I was asked today how one might clear the template cache ColdFusion template cache programmatically, as opposed to clicking the button in the CF Admin (Caching) page. The good news is that pretty much anything done in the CF Admin can be done programmatically, via the CF Adminapi, since CF 7. And there is in fact an AdminAPI method to clear the template cache. I'll show the code in a moment.

[....Continue Reading....]

What's the situation with ColdFusion and Java 7, Java 6 updates, Windows 8, and OS X Mountain Lion?

Note: This blog post is from 2012. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
I see the above questions all the time on lists, forums, twitter, etc., and while I point out the following when I see them, I wanted to share them here as well, in case others have missed them or might find them by searching.

[....Continue Reading....]

The built-in web server in ColdFusion 10: enabling it, configuring it, reconsidering it

Note: This blog post is from 2012. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
You may have noticed during installation of CF 10 (as with previous releases) that you are offered the option to either connect CF to an external web server if you have one installed (such as Apache or IIS), or you can use an offered "built-in web server" (or what is also sometimes referred to as the internal web server).

That's not really new news, as the same option was offered in CF 6-9. But there are some new things in CF10 to consider about that option, and that's what I'd like to share here.

First, I want to show how if you chose NOT to enable the built-in web server, you CAN enable it after the fact, with just a simple modification to a single xml file (which is a different one in CF10, and I want to show where that is, share some tips on changing it, and point out where to learn more.)

But there are also still more things about the built-in web server that you can control, which you may not readily discern even from the docs, and I provide here additional info with respect to that.

Finally, while in previous releases the built-in web server (which was really the JRun web server) was something generally regarded (even warned in the installer) to be used only for development and testing, the built-in web server in ColdFusion 10 is in fact the Tomcat web server (Coyote), which is a much better web server out of the box, so you may want to consider it even for production.

I realize that last point will be "pushing it" for some. :-) Hey, I'm not saying that you should change anything, just letting you know that some might reconsider things. Hear me out, please. I'm just sharing documented info that might not be so readily found about a relatively new subject for the CF community (so don't shoot the messenger!) I'll point later to other Tomcat references making the same point, such as this 2010 article (no longer available via its original link, http://www.tomcatexpert.com/blog/2010/03/24/myth-or-truth-one-should-always-use-apache-httpd-front-apache-tomcat-improve-perform, but archived here: Myth or truth: One should always use Apache httpd in front of Apache Tomcat to improve performance?.

Background

[....Continue Reading....]

CF10 Hidden Gem: New method to obtain ColdFusion instance name via CFML code

Note: This blog post is from 2012. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
One of the many hidden gems in CF10 is that there's a new way to programmatically obtain the current instance name. In CF 6-9, we had to call a method in a JRun class. In CF10, they've added a new method in the Admin API.

The quick answer is that there's a getInstanceName method in the runtime.cfc of the Admin API. And yes, any user can execute this code. They do not need to BE an admin. You can use this in production code. For more, see below.

If that's enough to get you going, have at it. For more info, read on.

[....Continue Reading....]

How to identify what jvm.config a ColdFusion instance uses (and vice-versa)

Note: This blog post is from 2012. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
If you run ColdFusion in its Multiserver mode (multiple instances), you may know that you can configure things so that different instances use different jvm.config files, otherwise by default, all instances share just one. (If you didn't know how to change that, particularly if running CF as Windows Services, I'll offer some references explaining more.)

But have you ever wondered which jvm.config is used by a given instance? Or perhaps found multiple jvm.configs in your [jrun4]\bin directory and wondered which instance each went with? The answer isn't as straightforward as it may seem, when you're running CF as Windows Services. There's no single CF feature that reports this, but I do offer a solution here.

The simple answer is that one can find the information in the registry. The longer answer, including how to find that, as well as how to get that info more easily from the command line if you may prefer, follows.

[....Continue Reading....]

How to tell what, if any, hotfixes have been applied to ColdFusion (9 and earlier)

Note: This blog post is from 2012. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
I often see people struggling with confusion over what hotfixes have been applied to CF. They may wonder "which have we applied?", or worse, they may not have applied any and just don't know "how to know" whether they have. I have good news, but it may not be the answer most would suspect.

The common answer offered is that one should use the "system info" page in the CF Admin, and its available "update level" field.

But I will assert that's not the "right answer" after all, or certainly not the "best answer" to really know what hotfixes (plural) have been applied. Know why? If not, I'll explain here, and I'll show what I would say is the "right" answer to "what hotfixes have you applied?"

[....Continue Reading....]

Have you noticed the ColdFusion 10 admin allows only one login at a time? It's by design

Note: This blog post is from 2012. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Someone raised a question on one of the Adobe forums saying that they kept getting kicked out of (logged off) the CF Admin in CF10.

Ultimately, he realized it was that when one of his colleagues logged into CF 10 Admin, he got logged out, and vice-versa. Certainly frustrating.

And yes, it's by design in CF10, as part of various security enhancements. The issue is that only one person can be logged in to a given account name in the CF Admin (by default, it's "admin"). There is a solution: create new logins for each person needing to access the Admin. I discuss this and much more below.

Update 1: Since I wrote this entry back in June '12, I did a video for Adobe about a year later where I walk through this in several minutes. You may want to check that out.

Update 2: Great news for those using CF11: CF11 addresses this problem with a new feature in the CF Admin. You may want to read ahead to understand the problem to appreciate the point of this solution. Anyway, see the Security > Administrator page and its option, "Allow Concurrent Login Sessions for Administrator Console". The docs say that it will be disabled by default, allowing multipel logings, unless you choose the "securee profile" option during installation or via the admin (the ability to change that in the Admin is another new feature of CF11), in which case concurrent access by a given account it will be disabled.

Where's is this change in CF10 documented?

[....Continue Reading....]

Recordings from ColdFusion Dev Week (cfdevweek) 2012 Now Posted

Note: This blog post is from 2012. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
[If you're finding this page as a result of searching for recordings from later years, I have a new post on the 2017 recordings.]

If you missed any of the sessions from last week's ColdFusion Dev Week, or want to watch them again, you can now see the recordings for all of them. Just click the link for your desired session on this page.

Note that you do still need to use an Adobe account login to view them.

For my two talks, the direct links (still requiring your Adobe account login) are:

Three little niggles

[....Continue Reading....]

More Entries

Copyright ©2024 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting