ColdFusion Muse

Surviving Poodle - ColdFusion and SSL 3

There's been a great deal of buzz about poodle. Poodle is an SSL exploit capable of highjacking a session using a browser's ability to "negotiate downward" the level of SSL it uses. It's recent prolifieration has put some urgency into the efforts to force existing applications and platforms to deny the use of any standard of SSL less than version 3.0. Super guru Wil Genovese ( recently did some troubleshooting on a ColdFusion server with an issue related to this necessary configuration step. Wil writes:

We ran into an issue when a company contacted us at CF Webtools because ColdFusion was suddenly no longer able to connect to their email providers mail servers. One day ColdFusion was sending emails to their clients just fine and the next day it was failing. As you know these issues are usually best resolved by asking "What changed?" As far as the client knew, nothing had changed - but we knew enough not to stop digging.


Side-by-side Configuration Error installing CF 11 on Win2008r2

One of my colleagues, Chris Tierney, was installing a pristine copy of ColdFusion 11 on a Windows 2008 server. He followed our standard protocol which is to install the server using the "built in" Web server, then create instances (we typically use multi-server mode) then use wsconfig.exe to connect the instances to IIS. It all went as planned until he tried to run wsconfig.exe (FYI - you must always run this as administrator). He got an error as follows: Cannot run program "C:\Users\ADMINI~1.CFW\AppData\Local\Tem
p\2\\ExecuteAppCmd\ExecuteAppCmd.exe": CreateProcess error=14001, The applicatio
n has failed to start because its side-by-side configuration is incorrect.

Followed by an odd stack trace. After experimenting with permissions and googling he stumbled on Bug 3761543 in the ColdFusion bugbase. The issue is not very well documented. Apparently the MS C++ package installed on 08 is 32 bit. I'm not clear if we installed it or it shipped with 08, but remember, you need the MS C++ 64bit SP1 Redistributable. Here's the download link from Microsoft so you don't have to hunt it down.

The Fix

Microsoft Visual C++ 2008 SP1 Redistributable Package (x64)

One more time: This download fixes the "side-by-side configuration" when installing ColdFusion 11 on Windows 2008r2.

Business Referral - don't forget

A week ago, in my post, The Muse Has Cash... I started a new program to reward community members for leads. Thank you for all the input and for the many leads generated already. We really appreciate it and we'll make you proud! After a quarter or so I will report on the success of the program.

Meanwhile, a few have pointed out that the previous post is lengthy so I wanted to put up the "express checkout" version. It's simple, if you refer a lead to us (email that results in new business, we will pay back to you 8% of the gross revenue from that customer in the first 10 months of working with the customer. If the customer spends 10k with us, you make $800.00. Simple and easy. So hook the Muse up. We are looking for another record year!

Note: In the past the Muse has offered bonuses for referring developers to us. This program is for new business, not developers - although as always if you are looking for work send me your resume. We typically hire several times a year.

Running ColdFusion 10 in Distributed Mode

A recent discussion on CF-Talk had a member trying to find instructions for setting up ColdFusion in "Distributed mode" on a CF 11 server. If you have never heard of "distributed mode" you are not alone among CF developers. It's not a common setup in my experience. Here's a quick 101. Many processes and daemons on a given server communicate using the TCP stack. TCP provides a predictable, high capacity, mature protocol for piping requests and data in and out of server processes. In this case, IIS or Apache communicate with CF through the local loopback (localhost or IP address and a port - usually 8012 (or 8013 or 8014) chosen at installation. Naturally you can alter the IP address to which you are connecting, changing it from the loopback to... well any IP that's listening on 8012. That means you can set up your ColdFusion servers separately from your web servers. After all it's just IP networking. Why would you do that? The Muse will let his guest handle that question.

Meanwhile, to preempt (or perhaps spur) discussion, the Muse will note that this process is similar to something called "Reverse proxy" which functions in much the same way. The difference being with CF distributed, IIS on the front end handles all the "http stuff" and passes the request to CF just like it was a local engine, whereas with reverse proxy the HTTP request is simply redirected to the alternate server. That means the alternate server needs to be a full webserver plus application server. While that increases the overhead a bit, it has some advantages - but that's a topic for a different post.

Back to our CF-Talk question, it quickly became apparent that not many folks actually knew how to accomplish this task on a CF 10 (or 11) server due to the underlying platform switch to Tomcat. After some back and forth Byron Mann chimed in with some very specific instructions on how to get this done. Byron is a lead engineer at HostMySite - which makes the Muse feel better about their ColdFusion support. :) Here's his tutorial.


IIS Vulnerability Steals Payment Information (By Wil Genovese - CFG)

Super guru Wil Genovese ( is back to describe an IIS vulnerability that was inserted using a long-known (and patched) CF vulnerability. The Muse will make 2 points. First, if you are hit with this one call us! We will gladly put our shoulder to the wheel and help you dig out. Second, don't forget to patch your servers and keep up on the latest security news. No matter what your chosen platform you need to be vigilant and attentive. Take it away Wil.

First let me point out that the vulnerability that was found has a patch that has been available since January of 2013. So as the Muse said, patch your servers! I first read about this attack in a PC World article titled, PCWorld - Attackers exploited ColdFusion vulnerability to install Microsoft IIS malware. I spent hours reading all the linked websites and blog posts by the security researcher that discovered the IIS Malware (see this Trustwave post) trying in vain to learn the name of said DLL that gets installed, where it gets installed and how to detect the file(s). The few details I found were not completely useful. While I learned the behavior of the malware I never learned how to find the offending DLL or even the file name. I did discover that no existing anti-malware or anti-virus software would detect this rogue DLL. I repeated my futile search every few weeks to see if anything new was being reported.

Since knowing how to locate and expunge such things is part of my job I needed a way to find it, but how? I could search any of the servers at CF Webtools until the cows come home, but if none of them have been hit with this malware I will never find it. What I needed was a server that had been exploited to examine. Over the past year with the slightly larger than usual number of security holes discovered in ColdFusion we've had a few new clients come to us for help in patching and repairing servers. None of the IIS modules on those servers stood out to me as 'unusual', but I wasn't looking directly for this. Finally we had a company come to us for help with a breach.


Building a Robust Error Handler

If you have been around the ColdFusion world as long as the Muse you have heard of Mary Jo Sminkey. Mary Jo built a popular ColdFusion ecommerce platform called CFWebstore. She has vast experience in ColdFusion and a seemingly boundless fountain of energy. Her eclectic interests range from technology to baking to dog training. As far as CF Webtools and the Muse can tell, Mary Jo excels at everything she does. We frankly suspect she is actually twins or triplets pretending to be only one person :) The following article is by Mary Jo and details her approach to application specific error handling. She has a detailed and thorough knowledge of the topic. Using this approach she has been able to reduce the number of errors on a very high traffic E-commerce site to practically nil. In the first of 2 articles MJ (as we call her with great affection) details the structure and usage of the handler.

Building a Robust Error Handler (by Mary Jo Sminkey)

Let's face it, sometimes we put less effort into the error handler than into the rest of our code. We might put something in place that throws up a "user friendly" page, and maybe email a dump of the catch or error structure, but when the site goes live, and we are deluged with errors due to search bots, hack attempts and poorly coded pages we turn it off or send all those emails to a seldom-visited mailbox. Sometimes we implement error handling as cftry/cfcatch blocks that do little more than preventing errors from being thrown, instead of helping us track down the issue.

I look at the error handler as a way to help make a site as bug-free as possible. By having it email me as much information as possible about errors, I troubleshoot, fix and patch, and get to a point where errors are the exception rather than the rule. In this article, we'll look at building a single-page, comprehensive error handler. In a future article, we'll look at integrating that error handler with the open source bug tracker BugLogHQ. Before we begin with our error handler let's talk about our error handling strategy.


email connection crossover workarounds

As a follow up to yesterday's post (regarding sending mail and having it end up in someone else's "sent" folder) I thought I might put some flesh on the workaround suggested both in the bug report and on CF-Talk. The suggestion is to:

Create a CNAME to point to the SMTP server address so that both websites were looking at different domain names.
This idea is workable up to a point so I thought I would explore it for my readers.


ColdFusion email security Bug: Your mail in the wrong sent folder?

A recent conversation on CF-Talk piqued my interest. It turns out there is a tricky bug with regard to sending authenticated mail. Here at CF Webtools we have internal relays (protected, internal only IPs, listed in SPF and handling domain keys) whose sole purpose is to relay mail from our web servers - so we do not have "authenticated" email per se. But in the case of this bug (you can see the report here) it's possible for email from one user to wind up in the "Sent" folder of email from an entirely different user. Needless to say this is a security concern for those of you on shared servers especially.

Here are the conditions that need to be met for this to occur (as I understand it).


A Frank Discussion About Protection

I know it's an uncomfortable topic. I understand that you would like to keep your validation private. You would probably rather learn about this from your friends at the coffee shop, Jeremy who is two cubes down from you, or some guy on a forum (shudder). Still, the Muse has an assignment in life to point these things out and make sure you are well informed and prepared when temptation strikes. Oh I know what you say now. I know what I'm doing. The risk factor is slight. I'm too small... I mean... my application is too small to need it. But take it from me - you will need to understand how to use protection or bad things will happen. So let's talk about it.


Muse Abroad - the Ugly ColdFusian

Muse readers - next week I'll be in Minneapolis MN at the Cf.objective conference. I'll be waxing eloquent in the ad hoc room (TBD) about 2 topics near to my heard. The first is web sockets and the second is consulting. It seems like that's something these conferences could do well to address as the employment landscape changes. Indeed if you are a consultant, freelancer, company owner or whatever and you want Muse tips on getting paid, landing contracts, selling yourself and your technologies, saving troubled customers, getting beyond your skill set, hiring your first and tenth employee etc. - come to that one for a lively discussion. If you are a corporate lackey you can come too, but we may look at you suspiciously out of the corner of one eye.

I also have a new plan for cfobjective this year. Since I actually don't do a lot of hard core programming any more I'm not going to dig into a specific topic and try to gain a lion's share of expertise. Instead my plan is to:

  • Flit from room to rom and booth to booth and pick up as much general knowledge and witty banter as I can.
  • Tweet copiously from the conference about everything and anything of interest to me. My twitter handle is @cfwebtools and the hash tag for cf.objective is #cfobjective.
  • Blog a few times per day. Naturally these will not be my typical wordy tomes of dubious length. Instead I plan on a few paragraphs highlighting various workshops or interesting thoughts or even people I've met who are blog-worthy.
Of course I will mention names and companies so if you want to give me a heads up about your workshop so I can stop in and say something nice (and the Muse is always positive - no worries there), let me know. I'll be happy to oblige.

If you are going to be at CF Objective and would like to chat about consulting, working for CFWT, the next big thing, why CF is dead (again - Lord Beric eat your heart out), or anything else I'd be thrilled to meet you and hear about your latest project or pet mice or see your knitting or whatever. I'll make it a point to wear a RED SHIRT every day. I'm 6', a little pudgy, balding, with lovely blue eyes (says my wife), a little too verbal and over-confident, and I'll be hanging around everywhere like a ubiquitous traveling salesman. So don't be shy - if you see me give a shout! Let's have a drink, pants Ray, make fun of Mark Drew's accent or at least put soap in the hotel fountain or something. Don't leave me hanging.

Datasource Attribute in Application.cfc

You may know about the "datasource" property in ColdFusion 9. It allows you to create a variable in your Application.cfc file called "datasource" and then skip the "datasource" attribute of your query tags. That's pretty neato. Here's how it works. In the Application.cfc properties...

<cfscript> = 'mort';
    this.sessionmanagement = true;
    this.datasource = 'myDsn';
Then in any component that is "inside" of my application "mort" above I can do something like this:
<!--- myMethods.cfc --->
<cffunction name="getAllUsers">
    <cfset var 'myQry = ''/>
    <cfquery name="myQry">
        SELECT username, email
        FROM     users
    <cfreturn myQry/>
Do you notice what is missing? There's no "datasource" attribute in the cfquery tag. ColdFusion automatically picks up the datasource from the Application.cfc instead. It's a nice time saving effort that reduces code and allows for fewer mistakes. Good for multi-tenant code too.

A Minor Detail

There is one issue that I was made aware of with this approach. Super genius guru Phillip Senn had a head scratching problem where he would set this variable in Application.cfc. Periodically he began getting and error which said:

The value of the attribute datasource, which is currently "" is invalid.
He tried some different things - working with the application names and extended properties of the Application.cfc but nothing seemed to help. Finally he ran the var scope checker which identifies places where un'varred variables exist inside of CFCs. He found several un'varred variables. After he fixed them the problem went away.

So if you are using this Application based this.datasource approach and you get some random errors where the variable seems undefined - or seems defined as a blank string - start looking for vars that are not properly scoped within your components. It may just fix you right up.

Able Commerce 5 on CF - Email Problem

A while back a product called "Able Commerce Builder" (ACB) was a popular (or pseudo popular) platform for CF folks. This would have been as far back as 1999. At some point they hired one of those developers who believe his technology choices are up there with the Scripture and the Holy Grail – but "he chose poorly".

He rewrote the entire application in Java with a ColdFusion facade. He moved everything into objects and the code became a byzantine maze of object instantiation and java arrays and objects and looping. Of course none of ColdFusion's strengths were on display (easy to read code, modifiable queries, list handling, looping and outputing, query objects etc. Thankfully ACB moved on to .NET and left CF behind - and good riddance! They were giving it a bad name. I trust their new platform was written by actual .NET developers - let's hope anyway. I wish them well.

Over the past couple of days ACB on CF has risen its ugly head again. I've been trying (with the help of super Tech Kevin Fatkin at Edge Web) to fix an issue with an ACB server. After an upgrade of the JVM and some hotfixes on a CF server running ACB, the customer discovered email had suddenly stopped going out. The fix for that is simple right? Check out the cfmail tags, double-check resolution, run a few telnets etc. Install a cert etc. Ah... if it were only that easy. In fact ACB under the hood (in keeping with its face melting decision making) reinvented the wheel and deployed its own Java based mail classes. Something changed, email is not going out, and we can't modify it the code in any real way. It's enough to make me want to have my leg chewed off by a Laplander. Fortunately if you have this problem we actually did find a solution.


Class Compiling Fun with ColdFusion

ColdFusion is Java - most people know this in the abstract sense. In sales meetings with the non-initiated I speak about ColdFusion as a layer of Java Services like mail, networking, jdbc, and compiling coupled with a language and syntax that offers faster development and better maintenance. I keep the conversation firmly rooted in Java because in reality this description is spot on. With the advent of ColdFusion 10 my case will be bolstered by TomCat as well - making it even easier to sell (and frankly it's not very hard if you know what you are doing).

Since it is Java you probably already know that ColdFusion takes your CFML code and compiles it down into Java Classes. In the days of CF 6 (back when I had more hair) you could use a command line to pre-compile CFML and even save off the .JAVA files. I'm not sure if you can still do that but it was a neat trick. Every time you run a cfm or cfc file ColdFusion checks (assuming trusted cache is off) to see if the file has changed and recompiles it if needed. You can see this happening with a little effort. The easiest way is to go to the /cfclasses folder for the instance you are using and delete all the class files that are there. Then run a CF page. You should see class files show up for every page and each function within the page.

Knowing (or not knowing) how things really work is very important to a high skill set developer. It amazes me to no end when developers profess they are "uninterested" in certain things regarding the technology they work with. I can't imagine Tony Stewart being uninterested in the bore size of his cylinders or the torque of 4rth gear or whatever. I'm sure Tiger Woods has more than a passing knowledge of how golf balls and clubs are made and customized. Indeed the more broad your knowledge and the more eclectic your skill set the more likely it is that you are an effective troubleshooter. The Muse (for example) has more than a little networking, hardware and server config experience. Often this is the difference between many hours of fruitless searching and a fast "Aha!" moment. With that in mind I'd like to share a little tidbit I picked up along the way (on StackOverflow from ColdFusion/Flex developer Sean Coyne of having to do with compiling. It started with an error I have seen many times... "Routines cannot be declared more than once". I'm sharing this because I thought the work around was unique and I had not seen it before.


Web Sockets - Going Where No Muse Has Gone Before

You might wonder where I've been holed up for more than a month. Never fear - I'm still slogging away. My current project is a dashboard for CF Webtools that tracks all of our consulting activity. CF Webtools runs a custom tracking and management system as a core component of our business. This system has many cool features that have evolved over the years for tracking hours, performance, tasks, groups of tasks, assignments, productivity, estimates, deadlines etc. Myself and my VP, Jason Herbolsheimer (a brilliant programmer and manager who you would all know and love if he would ever blog), have spent thousands of hours on it to make it fit our business model of transparency, measurable productivity and cash positive block hours.

The reports and features it contains are useful, but a bit of a hodgepodge. Meanwhile, over time my role has changed considerably. Other than troubleshooting, mentoring and experimentation I'm not involved in day to day tasks directly with our clients any more. But I still monitor our overall productivity closely. Indeed, now that I'm a step back from the work I have a much better sense of what we are accomplishing and where our weak spots are. In the past I have used cfcharts called up on internal pages to show hours and individual developer performance but 3 things had changed.

  1. We now have many more developers to track (29 at last count).
  2. With 3000+ consulting hours per month the system receives a constant stream of updates, notes etc.
  3. I have a fancy new set up with 3x27 inch monitors plus a 46 inch wall mounted monitor that looked lonely and I wanted some fancy-pants dashboard to display
Ok, that last reason is simple hubris but still, it was good enough to boot me down the path. But I had some decisions to make.


Fun and Games With Googlebot

When planning for scalability one of the things that is sometimes left out is the impact of indexing bots on your site. If you have a news or ecommerce site that is constantly changing, you definitely want bots to be indexing your site. How else are the latest and greatest products or stories going to show up in organic searches after all? But you also want bots to be well behaved. It would great if you could greet the bots at the door and say "Hey... it's 2:00am, not much going on so index to your heart's content." Or, "Whoa there fella - do you have a reservation? This is Cyber Monday and I'm afraid all our seats are full for paying customers. Can you come back in 12 hours?" But that sort of smart interaction is sadly not in the cards. Some bots have defined rules, some do not. Some honor things you put in the robots.txt file others do not. So here are some tips that might save you some time.


More Entries

Blog provided and hosted by CF Webtools. Blog Sofware by Ray Camden.