Tuesday, December 13, 2011
Today, an important security hot-fix was released for ColdFusion 9.0.1 and earlier. Adobe recommends updating affected ColdFusion servers. Here is the link to the security bulletin.
This hot-fix addresses the following issues -
1. XSS attack with the cfform tag (CVE-2011-2463): when the action attribute is not specified on a cfform tag, an XSS attack is possible.
2. XSS attack with RDS (CVE-2011-4368)
Friday, September 16, 2011
bug 83514 Session is Invalid fixed & CHF2 for CF9.0.1 released
We have released an update for the security hot-fix released in June. It fixes the "Session is invalid" issue. This error occurs randomly when J2EE sessions are enabled. If you have already applied the June security hot-fix, you can install the individual fix for this issue. If you have not yet applied the security hot-fix, you can take the complete package.
Complete instructions can be found at - http://kb2.adobe.com/cps/907/cpsid_90784.html
For CF9.0.1, Cumulative Hot-fix 2 is also released. This CHF2 contains CHF1, previous security hot-fixes and new bug fixes as well. Complete instructions can be found at - http://kb2.adobe.com/cps/918/cpsid_91836.html
Wednesday, September 14, 2011
Recorded Sessions from Coldfusion Developer Week
In case you have missed any sessions, you can catch the recorded sessions at http://www.adobe.com/devnet/coldfusion/events.html
There are more sessions to come this week.
Session Title
- Getting Started with Web Application Development Using ColdFusion
- Working with PDFs Made Easy with ColdFusion
- Introduction to ColdFusion Components (CFCs)
- Improve Your ColdFusion Code Through Unit Testing
- Using ColdFusion Frameworks for Application Development
- Understanding and Using the ColdFusion Server Monitor
- ColdFusion Builder: The Professional IDE to Boost Your Productivity
- Expand Functionality with ColdFusion Builder Extensions
- Developing Your First Application Using ColdFusion 9 and ORM
- Speed Up Your Apps with Caching in ColdFusion
- ColdFusion and Mobile - Browser-Based Applications Made Easy
- Become ColdFusion Empowered in Under an Hour
- Accessing ColdFusion Services From Flex Applications
- Securing your ColdFusion Applications
- Make Your Site Searchable with Solr
- Bringing ColdFusion to Java SpringMVC
Tuesday, September 13, 2011
ColdFusion Developer Week is going on
This week (September 12-16 2011) is ColdFusion Developer Week over at Adobe.com:
ColdFusion Developer Week is a series of free, live webinars hosted by seasoned ColdFusion experts who will cover a wide range of topics, from what ColdFusion is and how to code it all the way through to more in-depth topics such as ORM and ColdFusion Builder Extensions. Whether you are a new developer, someone with little or no ColdFusion experience, or someone who has been using ColdFusion all your life, this event is ideal for you. ColdFusion Developer Week provides something for everyone, so sign up now!
Here's the schedule of the webinars still to come -
Tuesday
- Improve Your ColdFusion Code Through Unit Testing - Jamie Krug (10AM PT / 1PM ET)
- Using ColdFusion Frameworks for Application Development - Mark Mandel (1PM PT / 4PM ET)
- Understanding and Using the ColdFusion Server Monitor - Charlie Arehart (4PM PT / 7PM ET)
Wednesday
- ColdFusion Builder: The Professional IDE to Boost Your Productivity - Sagar Ganatra (10AM PT / 1PM ET)
- Expand Functionality with ColdFusion Builder Extensions - Simon Free (1PM PT / 4PM ET)
Thursday
- Developing Your First Application Using ColdFusion 9 and ORM - Bob Silverberg (10AM PT / 1PM ET)
- Speed Up Your Apps with Caching in ColdFusion (11:30AM PT / 2:30PM ET)
- ColdFusion and Mobile - Browser-Based Applications Made Easy - Dave Ferguson (1PM PT / 4PM ET)
- Become ColdFusion Empowered in Under an Hour - Nic Tunney (4PM PT / 7PM ET)
Friday
- Accessing ColdFusion Services From Flex Applications - Matt Gifford (10AM PT / 1PM ET)
- Securing your ColdFusion Applications - Pete Freitag (me) (11:30AM PT / 2:30PM ET)
- Make Your Site Searchable with Solr - Scott Stroz (1PM PT / 4PM ET)
- Bringing ColdFusion to Java SpringMVC (4PM PT / 7PM ET)
The following sessions were delivered yesterday -
- Getting Started with Web Application Development Using ColdFusion - Terry Ryan (10AM PT / 1PM ET)
- Working with PDFs Made Easy with ColdFusion - Tim Cunningham (1PM PT / 4PM ET)
- Introduction to ColdFusion Components (CFCs) - Raymond Camden (4PM PT / 7PM ET)
Wednesday, July 20, 2011
Update on June ColdFusion Security Hot-fix
There is an update on the security hot-fix released in June. Tech note
The hot-fix bundle has been updated with the changes for those who are applying this hot-fix for the first time. If you have already applied the June hot-fix, see the update section.
Wednesday, June 15, 2011
Important Security update for ColdFusion 8 and above is released
An important security update was released yesterday for ColdFusion 8 and above. This update includes fixes for the following issues -
1. Cross-site request forgery (CSRF) vulnerability (CVE-2011-0629).
2. Remote denial-of-service vulnerability (CVE-2011-2091).
3. Also incorporates the BlazeDS security update as noted in Security Bulletin APSB11-15.
For details of update for ColdFusion security update, see the Security Bulletin APSB11-14.
Sunday, May 22, 2011
CFCookie vs CFHeader for Session Cookies
A lot of the time we re-write ColdFusion session cookies to add additional flags, such as Secure and HttpOnly, which were not set in earlier releases. HttpOnly support was added in ColdFusion 9.0.1.
When J2EE session management is not used, ColdFusion-managed sessions are used. In this case two cookies, CFID and CFTOKEN, are set. Additional authentication cookies are added when cflogin is used. By default, up to CF9.0, these cookies were not marked Secure or HttpOnly; with CF9.0.1, support for HttpOnly was added.
Today I am going to talk about how to set these additional flags on these cookies. This has been discussed many times, but I would like to add my 2 cents. To add these flags (which provide additional security), one can use CFCookie or CFHeader, and here is the difference which I thought was worth mentioning.
With CFCookie, the cookie name is always converted to upper case and the value is encoded. This is not a problem for CFID or CFTOKEN, but it might not work for the authorization cookie, or if you want to set flags on the JSESSIONID cookie.
CFHeader, on the other hand, can set any of these flags, so CFHeader should be the preferred choice for this.
To set these cookies yourself, you must set sessionmanagement = true and setclientcookies = false in Application.cfc/Application.cfm as appropriate. Here is an example for an application named "test".
Using CFCookie
<cfif NOT StructKeyExists( cookie, "CFID" ) OR ( cookie.CFID NEQ session.CFID )>
    <!--- re-issue the CFID and CFTOKEN cookies with the same values, but marked Secure and HttpOnly --->
    <cfcookie name="CFID" value="#session.CFID#" secure="true" httponly="true">
    <cfcookie name="CFTOKEN" value="#session.CFTOKEN#" secure="true" httponly="true">
</cfif>
<cfcookie name="CFAUTHORIZATION_test" value="#cookie.CFAUTHORIZATION_test#" secure="true">
Note: the cfcookie tag for the authorization cookie here creates another cookie with the same name but in a different case (upper case), rather than updating the original one.
Using CFHeader
<cfif NOT StructKeyExists( cookie, "CFID" ) OR ( cookie.CFID NEQ session.CFID )>
    <!--- re-issue the CFID and CFTOKEN cookies with the same values, but marked Secure and HttpOnly --->
    <cfheader name="Set-Cookie" value="CFID=#session.CFID#;SECURE;HttpOnly;"/>
    <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;SECURE;HttpOnly;"/>
</cfif>
<!--- cfheader updates the original cookie generated by cflogin and marks it Secure and HttpOnly --->
<cfheader name="Set-Cookie" value="CFAUTHORIZATION_test=#cookie.CFAUTHORIZATION_test#;SECURE;HttpOnly;"/>
Hope this was helpful.
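To check that the re-written cookies actually come out of the server with the flags you intended, here is an added example (not part of the original post, and not ColdFusion's own code) that parses the Set-Cookie headers of a response and reports two things the post warns about: session cookies missing Secure or HttpOnly, and cookies whose names differ only in case, which the browser keeps as two separate cookies (the CFAUTHORIZATION_test / CFAUTHORIZATION_TEST situation that cfcookie produces). The response headers are constructed for the example; the cookie names it watches and the attribute parsing are assumptions, not ColdFusion internals.

```python
import re

# Cookies the post is concerned with: the ColdFusion session pair, the J2EE
# session cookie and the cflogin authorization cookie (assumed name list).
SESSION_COOKIE_NAME = re.compile(
    r"^(CFID|CFTOKEN|JSESSIONID|CFAUTHORIZATION_.+)$", re.IGNORECASE
)


def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value into its name, value and the two
    flags that matter here.  Attribute names are matched case-insensitively,
    so the upper-case SECURE written by the cfheader examples and the usual
    'Secure' are treated the same; a trailing ';' (as in those examples)
    yields an empty segment that is ignored."""
    segments = [s.strip() for s in header_value.split(";")]
    name, _, value = segments[0].partition("=")
    attributes = {s.split("=", 1)[0].strip().lower() for s in segments[1:] if s}
    return {
        "name": name.strip(),
        "value": value.strip(),
        "secure": "secure" in attributes,
        "httponly": "httponly" in attributes,
    }


def audit_session_cookies(headers):
    """Return a list of findings for the session-related cookies in a
    response, given its headers as a list of (name, value) pairs.
    Checks: missing Secure/HttpOnly flags, and cookies whose names differ
    only in case.  Cookie names are case-sensitive, so CFAUTHORIZATION_test
    and CFAUTHORIZATION_TEST are two different cookies to the browser."""
    findings = []
    seen_by_upper = {}  # upper-cased name -> first exact name seen
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(header_value)
        if not SESSION_COOKIE_NAME.match(cookie["name"]):
            continue
        missing = [flag for flag in ("secure", "httponly") if not cookie[flag]]
        if missing:
            findings.append(f"{cookie['name']}: missing {', '.join(missing)}")
        earlier = seen_by_upper.setdefault(cookie["name"].upper(), cookie["name"])
        if earlier != cookie["name"]:
            findings.append(
                f"{cookie['name']} and {earlier} differ only in case: "
                "the browser keeps both as separate cookies"
            )
    return findings


# Constructed sample response headers (not captured from a real server).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "CFID=12345; Path=/"),                             # no flags at all
    ("Set-Cookie", "CFTOKEN=abcdef; Path=/; HttpOnly"),               # HttpOnly only
    ("Set-Cookie", "CFAUTHORIZATION_test=ZmFrZQ==; Path=/"),          # as issued by cflogin
    ("Set-Cookie", "CFAUTHORIZATION_TEST=ZmFrZQ==; Path=/; Secure"),  # cfcookie's upper-cased copy
    ("Set-Cookie", "JSESSIONID=xyz789;SECURE;HttpOnly;"),             # cfheader style, fully flagged
]

if __name__ == "__main__":
    for finding in audit_session_cookies(SAMPLE_HEADERS):
        print(finding)
```

Run against the sample it reports the two unflagged ColdFusion cookies, the unflagged cflogin cookie, the missing HttpOnly on the cfcookie copy, and the case-only duplicate; JSESSIONID passes. To use it on a live server, feed it the header list from whatever HTTP client you already use.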
Wednesday, May 4, 2011
ColdFusion Builder 2.0 is released
ColdFusion Builder 2.0 has been released with loads of great features: Advanced Search/Replace, Keyboard Shortcuts, Quick Fix, Task Management, Tag Replace, Enhanced Navigation, Code Assist, Code Formatting and Code Folding, all of which help faster and better application development.
ColdFusion Builder 2.0 also comes with a feature-limited Express Edition. One can use the full-featured trial version of ColdFusion Builder for 60 days. After the trial expires, you need to purchase a license to continue using all the features; otherwise, ColdFusion Builder switches to the feature-limited Express Edition. With the Express Edition, you can continue to use ColdFusion Builder with basic features such as the editor, code assist and syntax highlighting. But key features such as code assist for extensions, code insight, extension callbacks, connection to a remote server, quick fix, debugging remote projects, refactoring, ColdFusion search, code formatting, FTP support, log viewer, local file browser, code hyperlinks and hover help are not available in the Express Edition. You can convert the Express Edition to the full-featured version by purchasing a license and entering the product serial number.
For more information see Adobe ColdFusion Builder 2.0 and the ColdFusion Builder blog.
Tuesday, March 8, 2011
Update on Security Hot-Fix Feb 2011
There is an update on Security Hot-Fix released in Feb 2011.
List of issues addressed are as follows:
- Session is lost for an application accessed within same domain *.
- Formatting problem for ResponseTime table on debug template.
- A minor fix for CFIDE/wizards/common/_logintowizard.cfm
With a Session Fixation vulnerability, an attacker fixates (sets) another person's session identifier (SID) and, once that user authenticates, the attacker has access to the authenticated session.
In the affected ColdFusion versions, any given CFID/CFTOKEN values presented as ColdFusion session identifiers were used to create a new session. After the fix for this, applications accessed within the same domain with client-cookie-based session management enabled started misbehaving: the cookie was overwritten by whichever application was accessed later in the same browser.
With the current update to the patch, all of the above problems are fixed. ColdFusion will still accept such tokens, but only after validation.
If someone still wants to completely switch off the fix for the Session Fixation issue, they can add the JVM property -Dcoldfusion.session.protectfixation=false to the JVM arguments for the ColdFusion server.
The latest hot-fixes containing the fixes for the above issues have been updated in the technote. Instructions to apply the hot-fix remain the same. All users should re-apply the hot-fixes even if they have applied them already. The Security Bulletin can be found here.
Thursday, February 10, 2011
Security Hot-Fix update for ColdFusion and Session
With the recent Security Hot-Fix for ColdFusion, an important vulnerability is fixed - Session Fixation.
Previous behavior without the hot-fix: one could create a ColdFusion session with self-provided CFID and CFTOKEN values and then mail a victim a URL containing those tokens; both parties would then use the same session.
Earlier, if one had two different applications in sub-directories, the ColdFusion session tokens for both applications used to be the same, so both applications worked fine within the same browser.
Now, after applying the hot-fix, if you want to support such different applications in sub-directories, set the session cookies with a domain and path.
Example:
For the second application in a sub-directory, do this in onSessionStart -
<cfcookie name="CFID" value="#SESSION.CFID#" path="/subdir">
<cfcookie name="CFTOKEN" value="#SESSION.CFTOKEN#" path="/subdir">
Hope this was helpful.
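To make the before/after behaviour concrete, here is an added example (not part of the original post, and a simplified model rather than ColdFusion's implementation) of a session store keyed by a CFID/CFTOKEN pair. With protect_fixation=False it adopts whatever identifiers a request presents, which is the pre-hot-fix behaviour the post describes; with protect_fixation=True it only honours identifiers it issued itself and replaces anything else with a fresh pair, which is the property the hot-fix restores. The identifiers and the "alice" login are constructed; the class and function names are the example's own.

```python
import secrets


class SessionStore:
    """Toy in-memory model of ColdFusion-managed sessions keyed by the
    (CFID, CFTOKEN) pair.  Assumed simplification, not ColdFusion's real
    implementation: protect_fixation=False adopts any identifiers a client
    presents (pre-hot-fix behaviour); protect_fixation=True honours only
    identifiers this store issued and replaces unknown ones with a freshly
    generated pair."""

    def __init__(self, protect_fixation=True):
        self.protect_fixation = protect_fixation
        self._sessions = {}  # (cfid, cftoken) -> session data dict

    def _issue(self):
        """Generate a new, unpredictable identifier pair and its session."""
        key = (str(secrets.randbelow(10**9)), secrets.token_hex(16))
        self._sessions[key] = {}
        return key

    def resolve(self, cfid, cftoken):
        """Map the identifiers a request presented (None when no cookie was
        sent) to (cfid, cftoken, session_data)."""
        key = (cfid, cftoken)
        if key in self._sessions:
            return cfid, cftoken, self._sessions[key]
        if cfid is not None and not self.protect_fixation:
            # Vulnerable path: a pair the server never issued becomes a live session.
            self._sessions[key] = {}
            return cfid, cftoken, self._sessions[key]
        # Protected path (or no cookie at all): ignore what was presented.
        key = self._issue()
        return key[0], key[1], self._sessions[key]


def fixation_succeeds(protect_fixation):
    """Replay the scenario from the post and report whether the party that
    chose the identifiers ends up seeing the victim's authenticated session."""
    store = SessionStore(protect_fixation)
    chosen = ("1234", "deadbeef")  # constructed identifiers carried in a link
    # The victim opens the link; the request presents the chosen values.
    cfid, cftoken, victim_session = store.resolve(*chosen)
    victim_session["user"] = "alice"  # the victim authenticates
    # A later request presents the originally chosen values again.
    _, _, other_view = store.resolve(*chosen)
    return other_view.get("user") == "alice"


if __name__ == "__main__":
    print("without protection:", fixation_succeeds(False))  # True
    print("with protection:   ", fixation_succeeds(True))   # False
```

In the protected mode the victim's browser ends up with server-issued identifiers instead of the ones in the link, so the link's values never refer to an authenticated session. The updated hot-fix described above accepts presented tokens only after validation; this model stands in for that validation with the simplest possible rule.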
Wednesday, February 9, 2011
Security fix alert for JVM Hang issue by Oracle
Oracle released a fix for security alert CVE-2010-4476 — the “Java Hangs on 2.2250738585072012e-308 bug.” The fix comes as the FPUpdater tool, which updates rt.jar.
ColdFusion Security hotfix released
A ColdFusion security hot-fix has been released for CF 8.0, 8.0.1, 9.0 and 9.0.1. See the bulletin for details.
Monday, January 3, 2011
My first Mocktail Recipe - Khas Rooh Cool Crusher
Making time: 5 mins
Makes 4 glasses
Ingredients:
Rooh Afza: 1/2 glass
Khas Sharbat: 1/4 glass
Sugar syrup
Lime juice
Masala
Soda
Crushed ice
Method:
Divide the Khas and Rooh Afza syrup mixture equally among 4 glasses, then add lime juice and sugar syrup to taste. Now add soda and crushed ice, toss with a little masala and serve immediately.