Ah the immortal thread - like a god coming down from Mt. Olympus and laughing with his (or her) hands on his mighty hips (see why I chose "his"? ... "her mighty hips" ... well, I just didn't want to go there). Such threads are mind bogglingly frustrating. In actual fact, there are some requests spawned by ColdFusion that may not be able to be terminated by ColdFusion. For the long version read on McDuff.

[More]

Yesterday I was doing some searches on a sick server to troubleshoot the Iframe Injection issue. A user had posted some additional information regarding a file that appeared on his server that had this issue. The file was named "fection.cfm" so we now know the hacker casually removes his prefixes (or I should say 'emoves his 'efixes). I began my search by looking for the file specifically, then moved on to look for the string "cfexecute" in all of the *.cfm files. But that got me thinking. A clever hacker might know some things about ColdFusion. He could in fact, further obscure his code with some knowledge of cfinclude and IIS. Such a technique can be used to secure your code as well. You can create code that is only runnable by ColdFusion using cfinclude. Here's the skinny.

[More]

Here's a problem that will leave you scratching your head should you ever run into it. Consider a simple .NET web service that requires an "array of strings". The goal was to make use of a web service API published by Smarter Mail. I wanted a programmatic way of adding email aliases - groups of emails that function under a single address. The web service methods provided by the smarter mail API could not be simpler. Each request requires a username, password, domain and then additional stuff to make it work. For example, the "GetAlias()" function allowed me to pass in a domain and alias and get a list of emails already associated with that alias.

The problem came when it was time to add or update an alias. The argument for "addresses" to pass to the .NET service looked like "an array of strings" (that's how the help docs referred to is as well). The node in the XML looked pretty simple:

Now I can think of several ways to create an array of strings in ColdFusion so I started giving it the old college try. Unfortunately each attempt ended in failure. I could not figure out how to get a data type instantiated in CF to match the data type that .NET expected. I ended up experimenting with several different approaches to the array syntax.

[More]

Thanks to Nate from CF-Talk I have a copy of the malicious VBS script that is doing the damage. If you are being victimized by this attack and you need to see the script for whatever purpose, let me know and I will make sure you get a copy. I now it goes without saying, but just don't run it :).

Meanwhile there is some consensus, given the root access of this code, that an infected server cannot be trusted even after a thorough cleaning. Dave Watts and Tom Chiverton both gave such advice. While it's not always possible and it's a huge hassle, it might be the best solution to bite the bullet and do it.

For those of you who have been following the Iframe injection attack saga (see Iframe Insertion on Index.* Home pages) I have an update. I would like to thank one of my readers named Kumar for referring me to this excellent article (a PDF File) on Black Hat. The article seems to pinpoint the origin and nature of the attack. The document describes an attack in depth with multiple steps (just as we had speculated). The first step was an SQLi attempt. But failing that the attacker compromised the server in a rather ingenious fashion.

• Using an image upload capability he uploaded a file to the server that "looked" like an image but was not.
• The file (containing executable code) was then hit with GET and POST requests.
• The payload of the get and post requests was able to set up scheduled tasks to append the JS code to "index.*" files on a timed basis.

This file that was uploaded was a CDX file. On a properly configured IIS server this attack would fail to succeed. Here's why.

[More]

Coldfusion Guru and all around super geek Pete Freitag was nice enough to let me check out his new "Web Application Firewall" (see this link for more info). This product serves as a Coldfusion based security filter for all requests coming to an application. I was impressed with the approach Pete takes. After the Init the code ran smoothly and did not appreciably increase my page load time (always a concern when you are "wrapping" your application in something). If you use Pete's system you will pretty much guarantee that your site will be protected from a high percentage of known attacks. Overall I give the application an A for innovation and organization, a B+ for installation and a C- on the price. If you want to know more read on.

[More]

First off, let me say that I love ColdFusion 8 on the 64 bit JVM. If you have a data driven site that requires extra processing power you should definitely move in that direction. However, there is one thing that really causes some consternation about the platform - the lack of Jet drivers for MS Access. I know I know, I have spoken with open disdain about "using Access in production" and in the words of Dan Quayle, I stand by all my misstatements. Still, there is one thing that I do use Access for in production - as a portable export utility.

Using the proxy technique I describe in my post counterintuitively titled Using a DSN Connection for Connectionless Access I have several applications that crunch numbers or develop report data, then file them away in tables in an MDB File which is zipped up for download or emailing. It works well and Access is so much more useful than Excel for some savvy corporate analysts. Now along comes 64 bit Windows and suddenly there are no (zip, nada, zilch) Jet drivers for connecting from Coldfusion.

Luckily, I have my wits about me. Also luckily I have a 32 bit server at my disposal as well (it means "available to use" - I'm not implying there is a server near my kitchen sink). So I came up with this clever solution.

[More]

This question is an excellent reminder to folks like me that there are many burgeoning ColdFusion developers out there that need some help with the fundamentals. I often write about complex tuning or obscure behaviors (with the server, not that thing I have about Jell-O and a duck). But sometimes us CF Bloggers need to go back and produce material for developers who are just starting out.

Your problem here, dear reader, is that you are working in a dual environment - testing code on your desktop and deploying it to the server. That's a very good thing. In fact, I applaud you for it since most folks start out the other way around, making changes to production server code and only finding out it is a bad idea right after they create their first infinite loop. In fact there are some nuances to a dual environment that you have to think about ahead of time. In general, an application of any size will need some "global variables" that are specific to its hosted environment. That's where the Application scope usually comes in - but we can save that post for a follow up. Right now let's tackle your specific issue.

[More]

One of the things that sometimes trips me up is the whole idea of references. I'm not talking about stuffy books in the library. I'm talking about the idea that setting one variable to another can sometimes create a pointer to that item rather than a copy. Now before we chat about it any further we should get square on the difference between a "primitive" or "simple" data type and a "complex" or "emotionally involved" data type.

Primitive Data Types

I like to think of "primitive" data types as "one level" members of any scope. I also like to think of them as little cave men in loin cloths running around and clubbing defenseless mammoths - but that is perhaps too much information. There's actually a pretty short list of primitive data types. In fact, "short" actually is one of the data types I believe. In the CF world a primitive Datatype would be a string, number or possibly a date. Of course the actual list is more like "short, long, float, double, int, string, byte" - but it is probably more useful (for the purpose of this post) to consider String, Number and Date. Check out this example.

[More]

This is an immensely complicated issue that will take you days and weeks to sort out. What you need is to know the day number you are looking for (1=Sunday, 2=Monday, etc), The month number (where 1 = January, 2 = February etc.), and the year (where 2009 = 2009, 20010 = 20010 etc.). Then you need to download this handy function from cflib.org called FirstXDayOfMonth, written by a Mr. Troy Pullis. Pass in your values and it will give you back the first occurrence of that day in the month. Add 7 to it get the second occurrence, 14 to get the third etc. Here is an example:

[More]

I've been batting this around for a few days now. Recently, Mary Jo Sminkey of CF Webstore fame posted a note to an email list about the recent requirement by Authorize.net that incoming requests to their API use SSL 3.0. I confess to being unaware of the differences between SSL 2.0 and 3.0. So I set out to discover for myself. To start with SSL 2.0 uses weaker handshaking. A requesting client can, it seems, edit the list of preferences leaving the server no choice but to hand shake with the "lowest common denominator" cipher. There are some other issues as well dealing with how the packets are constructed etc. So the consensus is that SSL 2.0 is the weak sister and should be deprecated. For its part SSL 3.0 has been around for a decade or so and is widely supported.

The question is, will my CFHTTP calls from ColdFusion 6 or Coldfusion 7 still work when Authorize.net disables SSL 2.0? To answer this question I got some great help from Scott Krebs over at Edge Web. He dug out three or four URLs that were really helpful. I've included them at the bottom of this post. I also got some guidance from the Stephen Hawking of cryptography, Mr. Dean H. Saxe (the H is for Holy Cow he knows a lot). The answer is a qualified yes. Anyway, here's what I did to test while I wait for Authorize.net to get their act together and set up a test bed.

[More]

Using ColdFusion means leveraging the power of Java. ColdFusion encapsulates a large percentage of the Java web universe and makes it available to you through native tags, but a vast array of additional functionality is also available through the use of Java Libraries. The truth is, however, that working with Java in ColdFusion can be frustrating for the non Java programmer. Sure there are some easy things you can utilize like getClass() and toString(), but what if you have some Java sample code and you just want to pull it into your Coldfusion page? How do you do that? Here's a short example I created in response to a recent CF Talk post. The setup is that Authorize.net sent a memo to everyone telling them that SSL 2.0 would no longer be supported as of late March. There was general agreement that CF 8 could handle SSL 3.0 but what about 6 and 7?

It turned out that both 6 and 7 are compatible as well (as of 1.4.02), but along the way I got the idea to grab the Java code from Authorize.net and give it a whirl in Coldfusion as a sort of test run at bypassing cfhttp. I've done this many times with other products as well (custom libraries, IBM's MQ series etc). So I wrote this post to show the process I went through to unpack Java Code into ColdFusion.

[More]

Muse reader Eric Cobb, whose CFgears blog is an great read, made an excellent point regarding my statement that the designated server for a CFMAIL tag should be a full qualified domain name instead of just an IP address.

I got to thinking about this and I wanted to be sure - so I ran a test. Here's what I found.

[More]

Recently I migrated a server from ColdFusion 6.1 to ColdFusion 8.01. Typically such migrations are a walk in the park. There are very few things that go wrong. I'll save my check list for another time, but here is one that is new to me. I had some code that utilized the UPS rate checker API. It was fairly straight forward stuff. But for some reason it began throwing a strange error soon after migrating. Here's the scoop.

[More]