ColdFusion Muse

IIS Vulnerability Steals Payment Information (By Wil Genovese - CFG)

Super guru Wil Genovese (Trunkful.com) is back to describe an IIS vulnerability that was inserted using a long-known (and patched) CF vulnerability. The Muse will make 2 points. First, if you are hit with this one call us! We will gladly put our shoulder to the wheel and help you dig out. Second, don't forget to patch your servers and keep up on the latest security news. No matter what your chosen platform you need to be vigilant and attentive. Take it away Wil.

First let me point out that the vulnerability that was found has a patch that has been available since January of 2013. So as the Muse said, patch your servers! I first read about this attack in a PC World article titled, PCWorld - Attackers exploited ColdFusion vulnerability to install Microsoft IIS malware. I spent hours reading all the linked websites and blog posts by the security researcher that discovered the IIS Malware (see this Trustwave post) trying in vain to learn the name of said DLL that gets installed, where it gets installed and how to detect the file(s). The few details I found were not completely useful. While I learned the behavior of the malware I never learned how to find the offending DLL or even the file name. I did discover that no existing anti-malware or anti-virus software would detect this rogue DLL. I repeated my futile search every few weeks to see if anything new was being reported.

Since knowing how to locate and expunge such things is part of my job I needed a way to find it, but how? I could search any of the servers at CF Webtools until the cows come home, but if none of them have been hit with this malware I will never find it. What I needed was a server that had been exploited to examine. Over the past year with the slightly larger than usual number of security holes discovered in ColdFusion we've had a few new clients come to us for help in patching and repairing servers. None of the IIS modules on those servers stood out to me as 'unusual', but I wasn't looking directly for this. Finally we had a company come to us for help with a breach.

[More]

Building a Robust Error Handler

If you have been around the ColdFusion world as long as the Muse you have heard of Mary Jo Sminkey. Mary Jo built a popular ColdFusion ecommerce platform called CFWebstore. She has vast experience in ColdFusion and a seemingly boundless fountain of energy. Her eclectic interests range from technology to baking to dog training. As far as CF Webtools and the Muse can tell, Mary Jo excels at everything she does. We frankly suspect she is actually twins or triplets pretending to be only one person :) The following article is by Mary Jo and details her approach to application specific error handling. She has a detailed and thorough knowledge of the topic. Using this approach she has been able to reduce the number of errors on a very high traffic E-commerce site to practically nil. In the first of 2 articles MJ (as we call her with great affection) details the structure and usage of the handler.

Building a Robust Error Handler (by Mary Jo Sminkey)

Let's face it, sometimes we put less effort into the error handler than into the rest of our code. We might put something in place that throws up a "user friendly" page, and maybe email a dump of the catch or error structure, but when the site goes live, and we are deluged with errors due to search bots, hack attempts and poorly coded pages we turn it off or send all those emails to a seldom-visited mailbox. Sometimes we implement error handling as cftry/cfcatch blocks that do little more than preventing errors from being thrown, instead of helping us track down the issue.

I look at the error handler as a way to help make a site as bug-free as possible. By having it email me as much information as possible about errors, I troubleshoot, fix and patch, and get to a point where errors are the exception rather than the rule. In this article, we'll look at building a single-page, comprehensive error handler. In a future article, we'll look at integrating that error handler with the open source bug tracker BugLogHQ. Before we begin with our error handler let's talk about our error handling strategy.

[More]

email connection crossover workarounds

As a follow up to yesterday's post (regarding sending mail and having it end up in someone else's "sent" folder) I thought I might put some flesh on the workaround suggested both in the bug report and on CF-Talk. The suggestion is to:

Create a CNAME to point to the SMTP server address so that both websites were looking at different domain names.
This idea is workable up to a point so I thought I would explore it for my readers.

[More]

ColdFusion email security Bug: Your mail in the wrong sent folder?

A recent conversation on CF-Talk piqued my interest. It turns out there is a tricky bug with regard to sending authenticated mail. Here at CF Webtools we have internal relays (protected, internal only IPs, listed in SPF and handling domain keys) whose sole purpose is to relay mail from our web servers - so we do not have "authenticated" email per se. But in the case of this bug (you can see the report here) it's possible for email from one user to wind up in the "Sent" folder of email from an entirely different user. Needless to say this is a security concern for those of you on shared servers especially.

Here are the conditions that need to be met for this to occur (as I understand it).

[More]

A Frank Discussion About Protection

I know it's an uncomfortable topic. I understand that you would like to keep your validation private. You would probably rather learn about this from your friends at the coffee shop, Jeremy who is two cubes down from you, or some guy on a forum (shudder). Still, the Muse has an assignment in life to point these things out and make sure you are well informed and prepared when temptation strikes. Oh I know what you say now. I know what I'm doing. The risk factor is slight. I'm too small... I mean... my application is too small to need it. But take it from me - you will need to understand how to use protection or bad things will happen. So let's talk about it.

[More]

Muse Abroad - the Ugly ColdFusian

Muse readers - next week I'll be in Minneapolis MN at the Cf.objective conference. I'll be waxing eloquent in the ad hoc room (TBD) about 2 topics near to my heart. The first is web sockets and the second is consulting. It seems like that's something these conferences could do well to address as the employment landscape changes. Indeed if you are a consultant, freelancer, company owner or whatever and you want Muse tips on getting paid, landing contracts, selling yourself and your technologies, saving troubled customers, getting beyond your skill set, hiring your first and tenth employee etc. - come to that one for a lively discussion. If you are a corporate lackey you can come too, but we may look at you suspiciously out of the corner of one eye.

I also have a new plan for cfobjective this year. Since I actually don't do a lot of hard core programming any more I'm not going to dig into a specific topic and try to gain a lion's share of expertise. Instead my plan is to:

  • Flit from room to room and booth to booth and pick up as much general knowledge and witty banter as I can.
  • Tweet copiously from the conference about everything and anything of interest to me. My twitter handle is @cfwebtools and the hash tag for cf.objective is #cfobjective.
  • Blog a few times per day. Naturally these will not be my typical wordy tomes of dubious length. Instead I plan on a few paragraphs highlighting various workshops or interesting thoughts or even people I've met who are blog-worthy.
Of course I will mention names and companies so if you want to give me a heads up about your workshop so I can stop in and say something nice (and the Muse is always positive - no worries there), let me know. I'll be happy to oblige.

If you are going to be at CF Objective and would like to chat about consulting, working for CFWT, the next big thing, why CF is dead (again - Lord Beric eat your heart out), or anything else I'd be thrilled to meet you and hear about your latest project or pet mice or see your knitting or whatever. I'll make it a point to wear a RED SHIRT every day. I'm 6', a little pudgy, balding, with lovely blue eyes (says my wife), a little too verbal and over-confident, and I'll be hanging around everywhere like a ubiquitous traveling salesman. So don't be shy - if you see me give a shout! Let's have a drink, pants Ray, make fun of Mark Drew's accent or at least put soap in the hotel fountain or something. Don't leave me hanging.

Datasource Attribute in Application.cfc

You may know about the "datasource" property in ColdFusion 9. It allows you to create a variable in your Application.cfc file called "datasource" and then skip the "datasource" attribute of your query tags. That's pretty neato. Here's how it works. In the Application.cfc properties...

<!---Application.cfc--->
<cfscript>
    this.name = 'mort';
    this.sessionmanagement = true;
    this.datasource = 'myDsn';
</cfscript>
....
Then in any component that is "inside" of my application "mort" above I can do something like this:
<!--- myMethods.cfc --->
<cffunction name="getAllUsers" returntype="query">
    <!--- var the query variable so it stays local to this call --->
    <cfset var myQry = ''/>
    <!--- no datasource attribute: ColdFusion uses this.datasource from Application.cfc --->
    <cfquery name="myQry">
        SELECT username, email
        FROM users
    </cfquery>
    <cfreturn myQry/>
</cffunction>
Do you notice what is missing? There's no "datasource" attribute in the cfquery tag. ColdFusion automatically picks up the datasource from the Application.cfc instead. It's a nice time saving effort that reduces code and allows for fewer mistakes. Good for multi-tenant code too.

A Minor Detail

There is one issue that I was made aware of with this approach. Super genius guru Phillip Senn had a head scratching problem where he would set this variable in Application.cfc. Periodically he began getting an error which said:

The value of the attribute datasource, which is currently "" is invalid.
He tried some different things - working with the application names and extended properties of the Application.cfc but nothing seemed to help. Finally he ran the var scope checker which identifies places where un'varred variables exist inside of CFCs. He found several un'varred variables. After he fixed them the problem went away.

So if you are using this Application based this.datasource approach and you get some random errors where the variable seems undefined - or seems defined as a blank string - start looking for vars that are not properly scoped within your components. It may just fix you right up.
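To tie the two pieces above together (the this.datasource shortcut and the var-scoping caveat), here is an added example that is not the Muse's or Phillip's code. The application name, the DSN names "myDsn" and "reportsDsn", the component name and the table columns are all made up for illustration.

```cfml
<!--- Application.cfc (added example) --->
<cfcomponent output="false">
    <cfscript>
        this.name = 'mort';
        this.sessionmanagement = true;
        // Every cfquery in this application that omits the datasource
        // attribute will run against this DSN.
        this.datasource = 'myDsn';
    </cfscript>
</cfcomponent>

<!--- userService.cfc (added example) --->
<cfcomponent output="false">

    <cffunction name="getUserByEmail" returntype="query" output="false">
        <cfargument name="email" type="string" required="true">
        <!--- var EVERY local. An unvarred "qry" would live in the component's
              VARIABLES scope and be shared by concurrent requests, which is
              exactly the kind of intermittent failure described above. --->
        <cfset var qry = "">
        <!--- No datasource attribute: Application.cfc supplies it. --->
        <cfquery name="qry">
            SELECT username, email
            FROM users
            WHERE email = <cfqueryparam value="#arguments.email#" cfsqltype="cf_sql_varchar">
        </cfquery>
        <cfreturn qry>
    </cffunction>

    <cffunction name="getLoginCounts" returntype="query" output="false">
        <cfset var qry = "">
        <!--- An explicit datasource attribute still wins over this.datasource,
              so a second DSN can be used for one query without touching the rest. --->
        <cfquery name="qry" datasource="reportsDsn">
            SELECT username, COUNT(*) AS logins
            FROM login_log
            GROUP BY username
        </cfquery>
        <cfreturn qry>
    </cffunction>

</cfcomponent>
```

The cfqueryparam on the email lookup is there because a query that borrows its datasource from the application is no less exposed to injection than one that names it; the shortcut only saves typing, not parameterization.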

Able Commerce 5 on CF - Email Problem

A while back a product called "Able Commerce Builder" (ACB) was a popular (or pseudo popular) platform for CF folks. This would have been as far back as 1999. At some point they hired one of those developers who believe his technology choices are up there with the Scripture and the Holy Grail – but "he chose poorly".

He rewrote the entire application in Java with a ColdFusion facade. He moved everything into objects and the code became a byzantine maze of object instantiation and java arrays and objects and looping. Of course none of ColdFusion's strengths were on display (easy to read code, modifiable queries, list handling, looping and outputting, query objects etc.). Thankfully ACB moved on to .NET and left CF behind - and good riddance! They were giving it a bad name. I trust their new platform was written by actual .NET developers - let's hope anyway. I wish them well.

Over the past couple of days ACB on CF has reared its ugly head again. I've been trying (with the help of super Tech Kevin Fatkin at Edge Web) to fix an issue with an ACB server. After an upgrade of the JVM and some hotfixes on a CF server running ACB, the customer discovered email had suddenly stopped going out. The fix for that is simple right? Check out the cfmail tags, double-check resolution, run a few telnets etc. Install a cert etc. Ah... if it were only that easy. In fact ACB under the hood (in keeping with its face melting decision making) reinvented the wheel and deployed its own Java based mail classes. Something changed, email is not going out, and we can't modify the code in any real way. It's enough to make me want to have my leg chewed off by a Laplander. Fortunately if you have this problem we actually did find a solution.

[More]

Class Compiling Fun with ColdFusion

ColdFusion is Java - most people know this in the abstract sense. In sales meetings with the non-initiated I speak about ColdFusion as a layer of Java Services like mail, networking, jdbc, and compiling coupled with a language and syntax that offers faster development and better maintenance. I keep the conversation firmly rooted in Java because in reality this description is spot on. With the advent of ColdFusion 10 my case will be bolstered by Tomcat as well - making it even easier to sell (and frankly it's not very hard if you know what you are doing).

Since it is Java you probably already know that ColdFusion takes your CFML code and compiles it down into Java Classes. In the days of CF 6 (back when I had more hair) you could use a command line to pre-compile CFML and even save off the .JAVA files. I'm not sure if you can still do that but it was a neat trick. Every time you run a cfm or cfc file ColdFusion checks (assuming trusted cache is off) to see if the file has changed and recompiles it if needed. You can see this happening with a little effort. The easiest way is to go to the /cfclasses folder for the instance you are using and delete all the class files that are there. Then run a CF page. You should see class files show up for every page and each function within the page.

Knowing (or not knowing) how things really work is very important to a high skill set developer. It amazes me to no end when developers profess they are "uninterested" in certain things regarding the technology they work with. I can't imagine Tony Stewart being uninterested in the bore size of his cylinders or the torque of 4th gear or whatever. I'm sure Tiger Woods has more than a passing knowledge of how golf balls and clubs are made and customized. Indeed the more broad your knowledge and the more eclectic your skill set the more likely it is that you are an effective troubleshooter. The Muse (for example) has more than a little networking, hardware and server config experience. Often this is the difference between many hours of fruitless searching and a fast "Aha!" moment. With that in mind I'd like to share a little tidbit I picked up along the way (on StackOverflow from ColdFusion/Flex developer Sean Coyne of n42designs.com) having to do with compiling. It started with an error I have seen many times... "Routines cannot be declared more than once". I'm sharing this because I thought the work around was unique and I had not seen it before.

[More]

Web Sockets - Going Where No Muse Has Gone Before

You might wonder where I've been holed up for more than a month. Never fear - I'm still slogging away. My current project is a dashboard for CF Webtools that tracks all of our consulting activity. CF Webtools runs a custom tracking and management system as a core component of our business. This system has many cool features that have evolved over the years for tracking hours, performance, tasks, groups of tasks, assignments, productivity, estimates, deadlines etc. Myself and my VP, Jason Herbolsheimer (a brilliant programmer and manager who you would all know and love if he would ever blog), have spent thousands of hours on it to make it fit our business model of transparency, measurable productivity and cash positive block hours.

The reports and features it contains are useful, but a bit of a hodgepodge. Meanwhile, over time my role has changed considerably. Other than troubleshooting, mentoring and experimentation I'm not involved in day to day tasks directly with our clients any more. But I still monitor our overall productivity closely. Indeed, now that I'm a step back from the work I have a much better sense of what we are accomplishing and where our weak spots are. In the past I have used cfcharts called up on internal pages to show hours and individual developer performance but 3 things had changed.

  1. We now have many more developers to track (29 at last count).
  2. With 3000+ consulting hours per month the system receives a constant stream of updates, notes etc.
  3. I have a fancy new set up with 3x27 inch monitors plus a 46 inch wall mounted monitor that looked lonely and I wanted some fancy-pants dashboard to display.
Ok, that last reason is simple hubris but still, it was good enough to boot me down the path. But I had some decisions to make.

[More]

Fun and Games With Googlebot

When planning for scalability one of the things that is sometimes left out is the impact of indexing bots on your site. If you have a news or ecommerce site that is constantly changing, you definitely want bots to be indexing your site. How else are the latest and greatest products or stories going to show up in organic searches after all? But you also want bots to be well behaved. It would be great if you could greet the bots at the door and say "Hey... it's 2:00am, not much going on so index to your heart's content." Or, "Whoa there fella - do you have a reservation? This is Cyber Monday and I'm afraid all our seats are full for paying customers. Can you come back in 12 hours?" But that sort of smart interaction is sadly not in the cards. Some bots have defined rules, some do not. Some honor things you put in the robots.txt file, others do not. So here are some tips that might save you some time.

[More]

Compiling Java With ColdFusion - Development Tip

One of the things that separates advanced developers from intermediate (at least around here) is the use of Java. Most advanced CF developers know that if ColdFusion doesn't provide precisely the functionality you are looking for you can usually find something in Java that will do the job. Now I am not talking about petulant PHP or Java developers who are being "forced" to write in ColdFusion. Such developers tend to write rather awful code that jumps through hoops in order to make ColdFusion do something the PHP way or the Java way. These folks never figure out how to take advantage of ColdFusion strengths and they are often left with code that must be refactored. Still, ColdFusion and Java are blood brothers. It's axiomatic that if CF can't do what you want, Java can usually come to the rescue. In this post we will discuss a method to treat your Java development just like your ColdFusion development - compiling it automatically at application refresh for easy development. But first, let's talk about why working with Java can be a bit tricky for ColdFusion folks.

[More]

ASK-A-Muse: Checking for Site Availability

Muse Reader James Asks:
I have the following situation. I need to run a .cfm page that has a redirect in it to another server that serves Joomla pages. I need to find a way to test and see if that server is down or not serving pages. If it is down or not serving pages, I want to stop the redirect to that server and send the user to a page on my server. Any suggestions?

This is fairly easily accomplished using CFHTTP. When the page loads you can hit your Joomla server with a CFHTTP call and a timeout value. You could, for example, use code like this:

[More]
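The Muse's own code for the availability check is behind the [More] link above. The following is an added example, not the Muse's code, of the CFHTTP-with-timeout approach he describes: probe the remote server, treat a timeout or connection failure as "down", and only then issue the redirect. The Joomla hostname, the 5 second timeout and the local fallback page are made-up values.

```cfml
<!--- Added example: probe a remote site before redirecting to it --->
<cffunction name="isSiteUp" returntype="boolean" output="false">
    <cfargument name="url" type="string" required="true">
    <cfargument name="timeout" type="numeric" required="false" default="5">
    <cfset var http = "">
    <cftry>
        <!--- HEAD is enough to learn whether the server answers; throwonerror="false"
              keeps a 4xx/5xx from throwing so we can inspect the status ourselves.
              timeout is in seconds, so a dead host costs at most that long. --->
        <cfhttp url="#arguments.url#" method="head" timeout="#arguments.timeout#"
                throwonerror="false" result="http">
        <cfcatch type="any">
            <!--- DNS failure, refused connection, etc. --->
            <cfreturn false>
        </cfcatch>
    </cftry>
    <!--- A timeout shows up as a status text of "Connection Failure" rather than
          an HTTP code, so anything that is not 2xx or 3xx counts as down. --->
    <cfif NOT isDefined("http.statuscode")>
        <cfreturn false>
    </cfif>
    <cfreturn listFind("2,3", left(http.statuscode, 1)) GT 0>
</cffunction>

<!--- constructed values for the example --->
<cfset remoteSite = "http://joomla.example.com/">
<cfset fallbackPage = "/maintenance.cfm">

<cfif isSiteUp(remoteSite, 5)>
    <cflocation url="#remoteSite#" addtoken="false">
<cfelse>
    <cflocation url="#fallbackPage#" addtoken="false">
</cfif>
```

One design point worth keeping in mind: every visitor to the redirect page pays the cost of the probe, so on a busy site it is better to cache the result of isSiteUp() for a short interval (in the application scope, say) than to hit the Joomla server on every request.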

CF Objective Presentation Resource List

I went to cf.objective in Minneapolis last week. I was really impressed by the breadth and depth of knowledge presented by the conference. If you are looking for a conference without fluff and marketing - pure education - this is it. Virtually every seminar was in depth and included tons of resources and information. However, when I went to find the "resource" page on the cf.objective web site I was a little disappointed there was no resource portal or page. You have to "click through" to the seminar descriptions on the sessions to get to any of them. So I created this post to help myself and my staff (and others like me) who want a single page to access those presentations and resources provided by the excellent presenters. When I dove into this I found that only about 40-50 percent of the presenters actually had their presentations online - at least from the links on the "sessions" page. So if you presented and you want a link on my resource page send me your link and I'll make sure and include it. I don't want to leave anyone out - the more the merrier. Here are the links:

[More]

Local Function Scope in ColdFusion 8

I was frustrated yesterday by the inability to get at the "local function" scope in ColdFusion 8. In ColdFusion 9 each function has a scope called "local" that functions like the various other scopes in ColdFusion. You can loop through its keys and do things with its properties. In ColdFusion 7 and 8 a great many developers actually created a pseudo local scope by doing something like "CFSET var local = structNew()" and then appending all the needed vars to this structure. In CF 9 the "local" scope was already set up for you so if you did "CFSET var x = 10" you had a var called "local.x" to work with as a member of the local object.

In the ColdFusion 8 code I was working with yesterday I had a rather long and involved function that I was trying to modify. I needed to loop through the "local" scope for one reason or another and there was no "pseudo" local scope created. I did not want to go back and re-engineer the entire function. I was just reviewing and prototyping and there were around 25 local vars declared. So I asked the question to my list - how do I get at that local function scope without refactoring the whole function?

ColdFusion Guru Jared Rypka-Hauer came up with this undocumented solution.

<cfset var localScope = getPageContext().getActiveFunctionLocalScope()>

Sure enough, this code creates an object with all the local scope vars in it. There are a couple of caveats.

  • The Arguments structure is a part of the local scope (stands to reason right?)
  • This object (as written above) will also belong to the local scope. If you take out the "var" you've added it to the component scope.
  • Since ColdFusion 9 has created a local scope for you, this function and approach will break on a CF 9 server. So if you use it make sure you make a note that you need to modify this bit of code if you move to ColdFusion 9.

Finally, here's a little test function you can use to demonstrate to yourself how this works.

<cffunction name="checkVarScope">
    <cfscript>
        var thisvar = 10;
        var thatvar = 12;
        var theOtherthing = 'Sister Sally';
        // var this one too, otherwise it lands in the component scope (see the caveats above)
        var localScope = getPageContext().getActiveFunctionLocalScope();
    </cfscript>
    <cfdump var="#localScope#">
</cffunction>

<cfset checkVarScope()>

Here's that function in action - Local Scope.
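Since the post's own function only dumps the scope, here is an added example (not Jared's or the Muse's code) that does the thing the Muse actually needed: loop over the local scope's keys and do something with them, while handling both caveats. It skips the arguments structure, and it branches on the major version from server.coldfusion.productversion so the same function works on ColdFusion 8 (undocumented page-context call) and ColdFusion 9 (the built-in LOCAL scope). It assumes, as the cfdump in the post suggests, that the object returned on CF8 can be iterated like a struct.

```cfml
<!--- Added example: enumerate a function's local variables on CF8 and CF9 --->
<cffunction name="listLocalVars" returntype="string" output="false">
    <cfargument name="label" type="string" required="false" default="demo">
    <cfscript>
        // CF8 requires all var declarations at the top of the function
        var thisvar = 10;
        var thatvar = 12;
        var theOtherthing = 'Sister Sally';
        var localScope = '';
        var key = '';
        var names = '';

        // productversion is a comma list such as "9,0,1,274733"; the first
        // element is the major version.
        if (listFirst(server.coldfusion.productversion) GTE 9) {
            // CF9+: the local scope is a first-class scope named LOCAL
            localScope = local;
        } else {
            // CF8: the undocumented call from the post
            localScope = getPageContext().getActiveFunctionLocalScope();
        }

        for (key in localScope) {
            // ARGUMENTS is a member of the local scope too (caveat 1); leave it out
            if (key NEQ 'arguments') {
                names = listAppend(names, key);
            }
        }
        return listSort(names, 'textnocase');
    </cfscript>
</cffunction>

<!--- Expected: key,localScope,names,thatvar,theOtherthing,thisvar
      (the helper variables are themselves locals and so show up in the list) --->
<cfoutput>#listLocalVars()#</cfoutput>
```

Two things to notice when you run it: the loop variables you declared to walk the scope are themselves part of the scope, so they appear in the output; and because localScope is var'd, running this inside a CFC does not leak anything into the component's variables scope, which is the second caveat above.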

Blog provided and hosted by CF Webtools. Blog Software by Ray Camden.