You may or may not know that the Muse' company, CF Webtools, sponsors the Nebraska ColdFusion User's Group (NE CFUG). Actually all the real work is done by our ColdFusion and Linux Guru, Ryan Stille who's energy keeps ColdFusion thriving here in the heartland. Last night we heard a presentation by the affable and knowledgeable (and really really tall) Kevin Hoyt. He spent about 2 hours both in presentation and chatting with us afterward. He was pretty cool and called his presentation a "slide deck" and talked about how the "newbies" put in too many "transitions". Oh you Adobe people and your fancy pants lingo. What will you think of next.

Now in the interest of full disclosure, I'm a ColdFusion zealot. I know that's not news to my regular readers, but it bears mentioning in case I slip up and say something negative. All in all the Muse has been thrilled with each release of ColdFusion and I have waited with bated (or is it baited) breath for each Beta (or is it Baita) version. When CF 8 came out I rewrote our entire tracking and project management system to take advantage of the new UI features. I'm an early adopter and a CF enthusiast. Also I should note that, although I have the beta version of CF 9, I will only be talking about what was in the presentation. Here's my take.

[More]

Regular readers know I'm always on the lookout for interesting issues regarding SQL Injection and ColdFusion. This year has been a banner year for injection on ColdFusion sites and if you are not on the Cfqueryparam bandwagon yet I have one more example of a code that might seem to be inoculated but is not. It has to do with the use of val( )....

[More]

I'm glad you asked this question because it reminds me that I sometimes give advice without any follow through - which is the same problem I have with my 8 iron. Upgrading the JVM on a windows installation is pretty easy. Just remember that you will need the correct Java Runtime for your platform and ColdFusion version. Rob specified Win2k3 x64 so I assume he means he is running ColdFusion 8 enterprise 64 bit - in which case the target version is 1.6 update 14 (or 1.6.0_14). I usually start at the Sun Java download page. Once you have the right version in hand the rest is easy.

[More]

This issue was brought to my attention by Adrian Lynch on CF-Talk. It seems that if you use the new image functions in ColdFusion 8 against certain kinds of JPG images you can actually cause your JVM to crash. If you have code that uses the latest image functions to handle uploaded images you should definitely take note of this post. I cannot yet see how a user might take advantage of this bug to penetrate your server, but a malicious (or even non-malicious) user could easily perform a denial of service attack and cause your CF server to go up and down like Jack LaLanne doing jumping jacks. So if you fit into that category (handling uploaded images using CF 8 image functionality) here's the scoop.

[More]

I have not yet had this problem specifically, but it was pointed out by CFG Tom Forrest who spent some time wrangling with it. He was trying to use the connector widget to connect IIS 7 sites to ColdFusion instances (running in Multi-Server Mode). He reports as follows:

According to Tom the fix is to install the IIS 6 Management Compatibility role service. This service allows an IIS 7 server to "act like" an IIS 6 server. Once installed the configuration tool began to work.

While I haven't had this specific problem, I have noticed that a number of other things are easier and more familiar with the IIS Management Compatibility installed. Thanks Tom.

Ah the immortal thread - like a god coming down from Mt. Olympus and laughing with his (or her) hands on his mighty hips (see why I chose "his"? ... "her mighty hips" ... well, I just didn't want to go there). Such threads are mind bogglingly frustrating. In actual fact, there are some requests spawned by ColdFusion that may not be able to be terminated by ColdFusion. For the long version read on McDuff.

[More]

Like most geeks I love technology. I'm always reading about the cutting edge of research. I can become as engrossed in an online white paper about nano-technology as I am in my favorite TV Show - which is a toss up between the gritty AMC Drama Breaking Bad and the light hearted and endearing (although occasionaly gruesome) Pushing Daisies with the irrepresible Kristin Chenoweth as former Jockey-turned-waitress Olive Snook. Who else could make unrequited love seem so appealing and delicious... but I digress. This "forward leaning" interest in technology tends to create a momentum for me and even for my company (CF Webtools) that makes me prone to try new things. So when Google announces a ground breaking new paradigm for collaboration my temptation is to say "count me in". In case you missed the hype I'm talking about Google Wave which was previewed at Google I/O.

Google Wave aims to combine elements of email, chat, blogging, micro-blogging, collaboration, source control, and social networking into a single interface that claims to draw in all the best features of these tools while eliminating some of the annoying drawbacks. The paradigm for Google Wave moves away from "messages" and toward a "conversation". That might seem too abstract to matter, but such idioms are important because they give us an anchor - a point of reference for understanding something new.

Let me say at the outset that I'm positively inclined toward this product (at least, what I've seen of it). I can see how it would benefit my own team in many ways. I'm already thinking of how I might enhance our vast, custom tracking system using the Wave Protocol. One of the best things about Wave isthe protocol layer and integration strategy. So I am not against the product - indeed I'm rooting for it. I would love to get rid of our hodgepodge of tools in favor of one elegant way of collaborating. Still, I see some problems for Wave on the horizon. So if you want the contrarian view read on...

[More]

Muse readers and friends who know me well understand that I'd rather have my nether regions bitten by a Laplander than deal with sales people over the phone. However, as a (usually) caring person, I try not to let my personal ire show too forcefully when one of these hard working sales folks call. I know they are just doing their job. Recently however, one phone company has caused me to rethink my "no throttling the sales person" position. I won't say their name but it begins with a Q and ends with est - and in a twist it does not have a U in it. I guess these folks don't know how to spell NO either because they keep calling.

Usually it is pretty typical stuff like "are you happy with your phone service". I'm actually not happy with my phone service but I prefer not to discuss it with strangers over the phone. Still I'm usually pretty nice and say something like "we are not ready to make a change right now." The last 2 times however, the salesman has chosen a new tack. They are now trying to wheedle additional proprietary information out of me. Today things did not go so well....

[More]

Yesterday I was doing some searches on a sick server to troubleshoot the Iframe Injection issue. A user had posted some additional information regarding a file that appeared on his server that had this issue. The file was named "fection.cfm" so we now know the hacker casually removes his prefixes (or I should say 'emoves his 'efixes). I began my search by looking for the file specifically, then moved on to look for the string "cfexecute" in all of the *.cfm files. But that got me thinking. A clever hacker might know some things about ColdFusion. He could in fact, further obscure his code with some knowledge of cfinclude and IIS. Such a technique can be used to secure your code as well. You can create code that is only runnable by ColdFusion using cfinclude. Here's the skinny.

[More]

My nephew is 16 or 17 and wants to become an animation/game programmer. He's been working using a product called blender. It seems to be pretty polished for an open source project. I was impressed with the movie galleries on the site and especially with the "Big Buck the Bunny" and "Elephants Dream" - pretty awesome cgi stuff. Most of you who read my blog know that I am not qualified to do (or judge) anything artistic. My wife won't even let me choose which soap to put in the shower. So I thought I would be a good uncle and ask my readers if they have a take on Blender. Is it "up to snuff" for an IDE? Is there something more powerful or better he should be using (and why)?

He gave me an animation which I have converted to FLV. You can check it out at this link. Take a look and see what you think. I think he has talent. It needs audio, but it's pretty smooth and he's thought of a number of things - backlighting, reflections and shadows etc. What I don't know is if it's "out of the box" thinking or the result of working his way through tutorials. I would appreciate any comments you can muster, but please be helpful and not too critical (remember when you were just starting out :). If you have a comment you want to send without posting it "live" feel free to use the ask-a-muse box in the upper right or email me directly at mkruger at cfwebtools.com.

Here's a problem that will leave you scratching your head should you ever run into it. Consider a simple .NET web service that requires an "array of strings". The goal was to make use of a web service API published by Smarter Mail. I wanted a programmatic way of adding email aliases - groups of emails that function under a single address. The web service methods provided by the smarter mail API could not be simpler. Each request requires a username, password, domain and then additional stuff to make it work. For example, the "GetAlias()" function allowed me to pass in a domain and alias and get a list of emails already associated with that alias.

The problem came when it was time to add or update an alias. The argument for "addresses" to pass to the .NET service looked like "an array of strings" (that's how the help docs referred to is as well). The node in the XML looked pretty simple:

Now I can think of several ways to create an array of strings in ColdFusion so I started giving it the old college try. Unfortunately each attempt ended in failure. I could not figure out how to get a data type instantiated in CF to match the data type that .NET expected. I ended up experimenting with several different approaches to the array syntax.

[More]

A misconception about technical folks is that they are fully left-brained and incapable of true creativity. Anyone on the inner circle of geekdome knows this is not the case, but folks on the outside looking in often only see the engineering skills - attention to detail and minutia, obsession with systems and process, and a penchant for pocket protectors. Of course in the last 10 years you can add flip flops, body piercings and a sort of pigeon English consisting of acronyms, techno-babble and quips from Monty Python and the Princess Bride. That should tell you something in itself. There's more to IT folks than numbers and obscure discussions about the best Star Trek Movie (Khaaaan!!!!). That got me thinking.

[More]

Thanks to Nate from CF-Talk I have a copy of the malicious VBS script that is doing the damage. If you are being victimized by this attack and you need to see the script for whatever purpose, let me know and I will make sure you get a copy. I now it goes without saying, but just don't run it :).

Meanwhile there is some consensus, given the root access of this code, that an infected server cannot be trusted even after a thorough cleaning. Dave Watts and Tom Chiverton both gave such advice. While it's not always possible and it's a huge hassle, it might be the best solution to bite the bullet and do it.

For those of you who have been following the Iframe injection attack saga (see Iframe Insertion on Index.* Home pages) I have an update. I would like to thank one of my readers named Kumar for referring me to this excellent article (a PDF File) on Black Hat. The article seems to pinpoint the origin and nature of the attack. The document describes an attack in depth with multiple steps (just as we had speculated). The first step was an SQLi attempt. But failing that the attacker compromised the server in a rather ingenious fashion.

• Using an image upload capability he uploaded a file to the server that "looked" like an image but was not.
• The file (containing executable code) was then hit with GET and POST requests.
• The payload of the get and post requests was able to set up scheduled tasks to append the JS code to "index.*" files on a timed basis.

This file that was uploaded was a CDX file. On a properly configured IIS server this attack would fail to succeed. Here's why.

[More]