Tuesday, December 13, 2011

New Security hot-fix for ColdFusion

Today, an important Security hot-fix was released for ColdFusion 9.0.1 and earlier. Adobe recommends updating ColdFusion servers. Here is the link to the security bulletin

This hot-fix addresses the following issues -

1. XSS attack with the cfform tag (CVE-2011-2463): when the action attribute is not specified for the cfform tag, an XSS attack is possible.

2. XSS attack with RDS (CVE-2011-4368)

Friday, September 16, 2011

bug 83514 Session is Invalid fixed & CHF2 for CF9.0.1 released

We have released an update to the Security Hot-fix released in June. It fixes the "Session is invalid" issue, an error that occurs randomly when J2EE sessions are enabled. If you have already applied the June security Hot-fix, you can install the individual fix for this issue. If you have not yet applied the Security Hot-fix, take the complete package.

Complete instructions can be found at - http://kb2.adobe.com/cps/907/cpsid_90784.html

For CF9.0.1, Cumulative Hot-fix 2 has also been released. This CHF2 contains CHF1, the previous security hot-fixes and new bug fixes as well. Complete instructions can be found at - http://kb2.adobe.com/cps/918/cpsid_91836.html

Wednesday, September 14, 2011

Recorded Sessions from Coldfusion Developer Week

In case you missed any sessions, you can catch the recorded sessions at http://www.adobe.com/devnet/coldfusion/events.html

There are more sessions to come this week.

Session Title
  • Getting Started with Web Application Development Using ColdFusion
  • Working with PDFs Made Easy with ColdFusion
  • Introduction to ColdFusion Components (CFCs)
  • Improve Your ColdFusion Code Through Unit Testing
  • Using ColdFusion Frameworks for Application Development
  • Understanding and Using the ColdFusion Server Monitor
  • ColdFusion Builder: The Professional IDE to Boost Your Productivity
  • Expand Functionality with ColdFusion Builder Extensions
  • Developing Your First Application Using ColdFusion 9 and ORM
  • Speed Up Your Apps with Caching in ColdFusion
  • ColdFusion and Mobile - Browser-Based Applications Made Easy
  • Become ColdFusion Empowered in Under an Hour
  • Accessing ColdFusion Services From Flex Applications
  • Securing your ColdFusion Applications
  • Make Your Site Searchable with Solr
  • Bringing ColdFusion to Java SpringMVC

Tuesday, September 13, 2011

ColdFusion Developer Week is under way

This week (September 12-16 2011) is ColdFusion Developer Week over at Adobe.com:

ColdFusion Developer Week is a series of free, live webinars hosted by seasoned ColdFusion experts who will cover a wide range of topics from what ColdFusion is, how to code it, all the way through to more in depth topics such as ORM and ColdFusion Builder Extensions. If you are a new developer, someone with little or no ColdFusion experience, or even if you have been using ColdFusion all your life, this event is ideal for you. The ColdFusion Developer Week provides something for everyone, so sign up now!

Here's the schedule of webinars which are yet to come -

Tuesday
  • Improve Your ColdFusion Code Through Unit Testing - Jamie Krug (10AM PT / 1PM ET)
  • Using ColdFusion Frameworks for Application Development - Mark Mandel (1PM PT / 4PM ET)
  • Understanding and Using the ColdFusion Server Monitor - Charlie Arehart (4PM PT / 7PM ET)
Wednesday
  • ColdFusion Builder: The Professional IDE to Boost Your Productivity - Sagar Ganatra (10AM PT / 1PM ET)
  • Expand Functionality with ColdFusion Builder Extensions - Simon Free (1PM PT / 4PM ET)
Thursday
  • Developing Your First Application Using ColdFusion 9 and ORM - Bob Silverberg (10AM PT / 1PM ET)
  • Speed Up Your Apps with Caching in ColdFusion (11:30AM PT / 2:30PM ET)
  • ColdFusion and Mobile - Browser-Based Applications Made Easy - Dave Ferguson (1PM PT / 4PM ET)
  • Become ColdFusion Empowered in Under an Hour - Nic Tunney (4PM PT / 7PM ET)
Friday
  • Accessing ColdFusion Services From Flex Applications - Matt Gifford (10AM PT / 1PM ET)
  • Securing your ColdFusion Applications - Pete Freitag (me) (11:30AM PT / 2:30PM ET)
  • Make Your Site Searchable with Solr - Scott Stroz (1PM PT / 4PM ET)
  • Bringing ColdFusion to Java SpringMVC (4PM PT / 7PM ET)
Register at http://adobe.com/go/cfdeveloperweek

The following sessions were delivered yesterday -
  • Getting Started with Web Application Development Using ColdFusion - Terry Ryan (10AM PT / 1PM ET)
  • Working with PDFs Made Easy with ColdFusion - Tim Cunningham (1PM PT / 4PM ET)
  • Introduction to ColdFusion Components (CFCs) - Raymond Camden (4PM PT / 7PM ET)

Wednesday, July 20, 2011

Update on June ColdFusion Security Hot-fix

There is an update to the security hot-fix released in June. Tech note

The hot-fix bundle has been updated with the changes for those applying this hot-fix for the first time. If you have already applied the June Hot-fix, see the update section.

Wednesday, June 15, 2011

Important Security update for ColdFusion 8 and above is released

An important Security update was released yesterday for ColdFusion 8 and above. This update includes fixes for the following issues -

1. Cross-site request forgery (CSRF) vulnerability (CVE-2011-0629).
2. Remote denial-of-service vulnerability (CVE-2011-2091).
3. It also incorporates the BlazeDS security update as noted in Security Bulletin APSB11-15.

For details of the ColdFusion security update, see Security Bulletin APSB11-14.

Sunday, May 22, 2011

CFCookie vs CFHeader for Session Cookies

A lot of times we re-write ColdFusion session cookies to add additional flags, such as Secure and HttpOnly, which were not set in earlier releases. HttpOnly support was added in ColdFusion 9.0.1.

When J2EE session management is not used, ColdFusion-managed sessions are used. In this case two cookies, CFID and CFTOKEN, are set. Additional authentication cookies are added when cflogin is used. By default, up to CF9.0, these cookies were not marked Secure or HttpOnly. With CF9.0.1, support for HttpOnly was added.

Today I am going to talk about how to set these additional flags on these cookies. This has been discussed many times, but I would like to add my 2 cents. To add these flags (which provide additional security), one can use CFCookie or CFHeader. Here is the difference, which I thought was worth mentioning.

With CFCookie, the cookie name is always converted to upper case and the value is encoded. This is not a problem for CFID or CFTOKEN, but it might not work for the Authorization cookie, or if you want to set flags on the JSESSIONID cookie.

CFHeader, on the other hand, can set any of these flags on any cookie. So CFHeader should be the preferred choice for this.

To set these cookies yourself, you must set sessionmanagement = true and setclientcookies = false in Application.cfc/cfm as appropriate. Here is an example for an application with the application name "test"

Using CFCookie

<cfif NOT StructKeyExists( cookie,"CFID" ) OR ( cookie.CFID NEQ session.CFID )>
      <!--- set the CFID and CFTOKEN cookies again with the same values, but marked Secure and HttpOnly --->
      <cfcookie name="CFID" value="#session.CFID#" secure="true" httponly="true">
      <cfcookie name="CFTOKEN" value="#session.CFTOKEN#" secure="true" httponly="true">
</cfif>

<cfcookie name="CFAUTHORIZATION_test" value="#cookie.CFAUTHORIZATION_test#" secure="true">

Note: the cfcookie tag for the Authorization cookie here will create another cookie with the same name but in a different case (upper case), rather than updating the original one.

Using CFHeader

<cfif NOT StructKeyExists( cookie,"CFID" ) OR ( cookie.CFID NEQ session.CFID )>
      <!--- set the CFID and CFTOKEN cookies again with the same values, but marked Secure and HttpOnly --->
      <cfheader name="Set-Cookie" value="CFID=#session.CFID#;SECURE;HttpOnly;"/>
      <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;SECURE;HttpOnly;"/>
</cfif>
<!--- the cfheader tag updates the original cookie generated by cflogin and makes it Secure and HttpOnly --->
<cfheader name="Set-Cookie" value="CFAUTHORIZATION_test=#cookie.CFAUTHORIZATION_test#;SECURE;HttpOnly;"/>
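To check which approach actually left the session cookies protected, here is an added Python audit of a response's Set-Cookie headers (example code written for this post, not ColdFusion or Adobe code). It assumes the header values are captured from the server response; the sample headers are constructed to mirror the cfcookie case above, where the original cflogin cookie stays unflagged and an upper-cased copy is added beside it.

```python
import re
from collections import defaultdict

# Constructed Set-Cookie headers modelling the cfcookie run from the post: the
# original cflogin cookie CFAUTHORIZATION_test is left unflagged, while cfcookie
# emits an upper-cased CFAUTHORIZATION_TEST with an encoded value.
SAMPLE_HEADERS = [
    "CFID=1234; Path=/",
    "CFTOKEN=87654321; Path=/",
    "CFAUTHORIZATION_test=ZGVtbw%3D%3D; Path=/",
    "CFID=1234; Path=/; Secure; HttpOnly",
    "CFTOKEN=87654321; Path=/; Secure; HttpOnly",
    "CFAUTHORIZATION_TEST=ZGVtbw%253D%253D; Path=/; Secure",
]

SESSION_COOKIE_RE = re.compile(r"^(CFID|CFTOKEN|JSESSIONID|CFAUTHORIZATION_.+)$", re.I)


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr_lower: value_or_None})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if val else None
    return name.strip(), value, attrs


def audit_session_cookies(headers):
    """List session cookies missing Secure/HttpOnly and names that differ only by case."""
    # Cookie names are case-sensitive in browsers, so CFAUTHORIZATION_test and
    # CFAUTHORIZATION_TEST coexist; only the last Set-Cookie per exact name counts.
    final = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if SESSION_COOKIE_RE.match(name):
            final[name] = attrs
    findings = []
    for name, attrs in final.items():
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append(f"{name}: missing {', '.join(missing)}")
    by_fold = defaultdict(list)
    for name in final:
        by_fold[name.lower()].append(name)
    for variants in by_fold.values():
        if len(variants) > 1:
            findings.append("case-variant duplicates: " + ", ".join(sorted(variants)))
    return sorted(findings)
```

Run against headers captured from the CFHeader version of the page, the audit should return an empty list.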



Hope this was helpful.


Wednesday, May 4, 2011

ColdFusion Builder 2.0 is released


ColdFusion Builder 2.0 has been released with loads of great features. Features like Advanced Search/Replace, Keyboard Shortcuts, Quick Fix, Task Management, Tag Replace, Enhanced Navigation, Code Assist, Code Formatting and Code Folding make application development faster and better.

ColdFusion Builder 2.0 also comes with a limited-feature Express Edition. One can use the full-featured ColdFusion Builder trial version for 60 days. After the trial expires, you need to purchase a license to continue using all the features; otherwise, ColdFusion Builder switches to the feature-limited Express Edition. With the Express Edition, you can continue to use ColdFusion Builder with basic features such as the editor, code assist, and syntax highlighting. But key features such as code assist for extensions, code insight, extension callbacks, connection to a remote server, quick fix, debugging remote projects, refactoring, ColdFusion search, code formatting, FTP support, log viewer, local file browser, code hyperlinks, and hover help are not available in the Express Edition of ColdFusion Builder. You can convert the Express Edition to the full-featured version by purchasing a license and entering the product serial number.

For more information see Adobe ColdFusion Builder 2.0 and the ColdFusion Builder Blog.

Tuesday, March 8, 2011

Update on Security Hot-Fix Feb 2011


There is an update to the Security Hot-Fix released in Feb 2011.

The issues addressed are as follows:

  1. Session is lost for an application accessed within the same domain *.
  2. Formatting problem for the ResponseTime table on the debug template.
  3. A minor fix for CFIDE/wizards/common/_logintowizard.cfm


With a Session Fixation vulnerability, an attacker fixates (sets) another person's session identifier (SID) and, once that user authenticates, the attacker has access to the authenticated session.

In the affected ColdFusion versions, any given CFID/CFTOKEN values were accepted as ColdFusion session identifiers and used to create a new session. After the fix for this, applications accessed within the same domain with client-cookie-based session management enabled started malfunctioning, because the cookie was overwritten by the application accessed later in the same browser.

With the current update to the patch, all of the above problems are fixed. ColdFusion will still accept such tokens, but only after validation.

If someone still wants to completely switch off the fix for the Session Fixation issue, they can add the JVM property -Dcoldfusion.session.protectfixation=false to the JVM Arguments for the ColdFusion server.

The latest hotfixes containing the fixes for the above issues are updated in the technote. Instructions to apply the hotfix remain the same. All users should re-apply the hotfixes if they have already applied them. The Security Bulletin can be found here.

Thursday, February 10, 2011

Security Hot-Fix update for ColdFusion and Session

With the recent Security Hot-Fix for ColdFusion, an important vulnerability was fixed - Session Fixation.

Previous behavior without the Hot-Fix - one could create a ColdFusion session with self-provided CFID and CFTOKEN values and then mail a victim customer a URL containing those tokens. Both parties could then use the same session.

Earlier, if one had two different applications in sub-directories, the ColdFusion session tokens for both applications were the same, so both applications worked fine within the same browser.

After applying the hot-fix, if you want to support such different applications in sub-directories, you can set the session cookies with domain and path.


Example:

For the second application in a sub-directory, do this in onSessionStart -

<!--- re-issue the session cookies scoped to the sub-directory so they do not overwrite the other application's cookies --->
<cfcookie name="CFID" value="#SESSION.CFID#" path="/subdir">
<cfcookie name="CFTOKEN" value="#SESSION.CFTOKEN#" path="/subdir">
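To make the difference between the old and the patched behaviour concrete, here is an added toy model in Python (constructed for this post; it is not ColdFusion's session code). It assumes a single validation rule for the hardened mode, namely that a presented CFID/CFTOKEN pair is only honoured if the server itself issued it, and otherwise a fresh server-generated pair is assigned.

```python
import secrets


class SessionStore:
    """Toy model of CFID/CFTOKEN session lookup (constructed; not ColdFusion code).

    protect_fixation=False mirrors the pre-hot-fix behaviour the post describes:
    a client-supplied CFID/CFTOKEN pair unknown to the server becomes a new
    session under exactly those ids. protect_fixation=True mirrors the hardened
    behaviour: an unknown pair is discarded and a server-generated pair is
    issued, so a pair chosen outside the server never becomes a valid session.
    """

    def __init__(self, protect_fixation=True):
        self.protect_fixation = protect_fixation
        self.sessions = {}      # (cfid, cftoken) -> session data
        self._next_cfid = 1000  # deterministic CFID counter for the demo

    def _new_session(self):
        key = (str(self._next_cfid), secrets.token_hex(4))
        self._next_cfid += 1
        self.sessions[key] = {}
        return key

    def resolve(self, cfid, cftoken):
        """Return the (cfid, cftoken) pair this request ends up using."""
        key = (cfid, cftoken) if cfid and cftoken else None
        if key in self.sessions:
            return key                  # known, server-issued pair: reuse it
        if key is not None and not self.protect_fixation:
            self.sessions[key] = {}     # vulnerable: adopt the supplied ids
            return key
        return self._new_session()      # hardened: issue fresh ids instead


def session_shareable(store, supplied=("4242", "deadbeef")):
    """True if two requests presenting the same externally chosen pair end up
    in one session, i.e. the identifier could have been fixed in advance."""
    first = store.resolve(*supplied)
    store.sessions[first]["user"] = "victim"   # the first party authenticates
    second = store.resolve(*supplied)          # another party presents the pair
    return second == first and store.sessions[second].get("user") == "victim"
```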




Hope this was helpful.

Monday, January 3, 2011

My first Mocktail Recipe - Khas Rooh Cool Crusher



Making time: 5 mins
For making 4 glasses
Ingredients:
Rooh Afza: 1/2 glass
Khas Sharbat: 1/4 glass
Sugar Syrup
Lime Juice
Masala
Soda
Crushed Ice
Method:
Divide the Khas and Rooh Afza syrup mixture equally among 4 glasses, then add lime juice and sugar syrup to taste. Now add soda and crushed ice, toss with a little masala and serve immediately.