Tuesday, December 11, 2012

Security Hot-Fix for ColdFusion 9 and above - December 2012

A priority 2 update addressing an important vulnerability in ColdFusion 9 and above is released today. Adobe recommends that you update your ColdFusion servers. Here is the link to the security bulletin.

This hot-fix resolves a vulnerability which could result in a sandbox permissions violation in a shared hosting environment (CVE-2012-5676). As a result of this fix, the named application scope is no longer available from the servlet context. This may affect applications that rely on JSP interoperability to read application scope data.

If you need to revert to the old behavior, add the JVM flag -Dcoldfusion.allowappdatainservletcontext=true (for the standalone server this goes in the java.args line of jvm.config). Note that this flag re-enables exactly the behavior the fix removes, so it should not be set on a shared hosting server where sandboxes separate tenants.

For ColdFusion 10, use the updater to get this update. This is update 6 and it includes all previous updates for ColdFusion 10.
The details can be found in the tech-note here.

Friday, November 30, 2012

Security guide & ColdFusion 10

Recently a lot of useful resources have been made available for faster, better and more secure development with ColdFusion 10. The Security Lock-down Guide is the latest addition to the ColdFusion 10 resources.

Loaded with useful tips and best practices, this guide will help users secure their ColdFusion servers. You can find the guide here.

The guide covers installation-related best practices, Administrator settings for configuring the server, adding protection for the Administrator and other internal resources, and a lot more. Using this guide together with other best practices and the security enhancements, you can write secure applications and protect the ColdFusion server environment.

Tuesday, November 20, 2012

ColdFusion 10 update 5 released

Update 5 for ColdFusion 10 is released to fix an important vulnerability. By exploiting this vulnerability one could crash the application pool for IIS. This fix is Windows specific. More details can be found here.

Note that this update is only required for ColdFusion 10 update 1 and above.

Tuesday, October 16, 2012

ColdFusion 10 update 3 released with critical fixes

Yes, the title says it all: Update 3 for ColdFusion 10 is released today. It fixes important connector-related issues. The ColdFusion blog and the technote list all the details.

Note: Don't forget to apply the mandatory update before installing this.

Note [02-11-2012]: Update 4 is released, fixing some important issues. See full details here.

Thursday, September 20, 2012

Prevent accidental manipulation of ColdFusion session cookies


In ColdFusion 9.0.2 and earlier, developers had to rewrite the ColdFusion session cookies (CFID/CFTOKEN) themselves, using cfcookie or cfheader, to add cookie attributes such as HttpOnly and Secure. With ColdFusion 10 this is no longer required, because those attributes are managed by the server and can be set in the Administrator or in Application.cfc (for details see here).

So when migrating to ColdFusion 10, that code needs to be updated. If it is left in place, the outcome is unpredictable: the application is rewriting cookies that ColdFusion itself now manages. To avoid this, ColdFusion 10 comes with another setting:

Settings -> Memory Variables -> Session Cookie Settings -> Disable updating ColdFusion internal cookies using ColdFusion tags/functions

It can also be set in Application.cfm/Application.cfc. See this entry for details.

When enabled, this prevents the cfcookie and cfheader tags from updating the ColdFusion session and authorization cookies.

One more enhancement was made to cfcookie/cfheader. In previous versions the cookie value was always URL-encoded, which caused problems when a consumer expected a cookie value containing characters that encoding would change. You can now use the new attributes "preservecase" (keep the case of the cookie name) and "encodevalue" (whether to encode the value) on the cfcookie tag, and the "encoded" attribute on cfheader when type="cookie".
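As an added example (not code from the original post or from Adobe), here is an Application.cfc that uses the ColdFusion 10 settings instead of re-issuing CFID/CFTOKEN by hand. The application name, the session timeout and the assumption that the site is served over HTTPS are mine:

```cfml
// Application.cfc (ColdFusion 10). Added example, not from the original post.
// Assumes the site is served over HTTPS; drop secure=true if it is not, or the
// browser will never send the session cookie back.
component {
    this.name              = "secure-app";               // assumed application name
    this.sessionManagement = true;
    this.sessionTimeout    = createTimeSpan(0, 0, 30, 0); // assumed timeout

    // CF10 replacement for the CF9 practice of rewriting CFID/CFTOKEN with
    // cfcookie/cfheader just to add cookie attributes.
    this.sessioncookie = {
        httponly      = true,   // not readable from JavaScript, limits session theft via XSS
        secure        = true,   // sent only over HTTPS
        disableupdate = true    // cfcookie/cfheader can no longer overwrite CFID/CFTOKEN
    };

    // Same protection for the cflogin authorization cookie.
    this.authcookie = {
        disableupdate = true
    };

    public boolean function onRequestStart(required string targetPage) {
        // Any leftover CF9-style code such as
        //   <cfcookie name="CFID" value="#session.cfid#" httponly="true">
        // is now blocked by disableupdate, so the server-managed attributes
        // above are the only ones in effect for the internal cookies.
        return true;
    }
}
```

Application cookies of your own are unaffected by disableupdate; for those, a tag like `<cfcookie name="prefs" value="a=1;b=2" encodevalue="false" httponly="true">` is how you keep a value containing ';' or '=' from being encoded while still marking the cookie HttpOnly.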

Tuesday, September 11, 2012

Security Hot-Fix for ColdFusion - September 2012


Today, a priority 2 update is released, addressing an important vulnerability in ColdFusion 10 and earlier. It also addresses this for ColdFusion 8.0.1 and ColdFusion 8. Adobe recommends that you update your ColdFusion servers. Here is the link to the security bulletin.

This hot-fix resolves a vulnerability which could result in a Denial of Service (DoS) attack (CVE-2012-2048). If you use sandboxes, you should also add the GetPageContext() function to the disabled functions list of each sandbox.


For ColdFusion 10, use the updater to get this update. This is update 2 and it includes update 1 for ColdFusion 10.
The details can be found in the tech-note here.

Note: This is the last security hot-fix for ColdFusion 8.0.1 and 8.

Monday, September 3, 2012

SSLV3 support in ColdFusion

Have some input on SSLv3 support in ColdFusion? Would you like to share the SSLv3 use cases of your ColdFusion applications?

Share them with the ColdFusion team at http://blogs.coldfusion.com/post.cfm/coldfusion-sslv3-support


Saturday, September 1, 2012

ColdFusion 10 update 1 is live

Update 1 for ColdFusion 10 is released today. This update fixes 20+ important/critical issues. The best part is that you don't need to perform manual steps to install it: you will get a notification in the Administrator if automatic checking was enabled. If not, check for updates in the Server Updates (hot-fix installer) section of the Administrator and install the update from there.

This update fixes the following issues:

Bug ID   Description
3177732  Missing CGI.Redirect_* variables (for example, CGI.Redirect_URL, CGI.redirect_query_string) in ColdFusion 10.
3305486  The value of CGI.path_info is an empty string when a URL rewrite condition uses {PATH_INFO} in IIS.
3181617  ORM second-level cache does not function when the application is restarted after a timeout.
3197628  cfcompile.bat and cfcompile.sh missing from ColdFusion 10.
3209606  When request debugging is enabled in "Secure Profile" mode, the error template does not display correctly.
3207446  Unable to send a certain set of characters as a message over WebSocket.
3290529  Unable to access ColdFusion collections in spite of the necessary permissions being granted to a user.
3306430  Data overflows from columns within a table in PDFs generated using the cfdocument tag.
3192032  Scheduled tasks belonging to a non-default group are not archived.
3198173  cfhttp fails for a URL whose response is gzipped.
3198902  ExpandPath with a UNC path is very slow.
3218452  CFThread fails when called from custom tags.
3295296  ColdFusion 10 returns multiple form fields with the same name as arrays instead of lists.
3306457  ColdFusion 10 deploys incorrect DLLs when installed as a 32-bit application on a 64-bit machine, thereby causing functionality such as registering CFX C++ tags to fail.
3183743  When the value of the action attribute of cfschedule is "list", incorrect interval information is returned.
3194817  (ColdFusion 10 Standard Edition only) Can't create recurring scheduled jobs.
3196328  An application-specific task that is paused cannot be listed.
3196336  Exception in the ColdFusion Administrator when viewing a task if the value of its exclude attribute is an array.
3203769  Editing a paused task which has a password specified changes its status to running.
3295644  A scheduled task that executes a URL on a specific port reverts back to port 80 on server restart.
3208222  Error when instantiating a COM object in ColdFusion 10.
3299932  When a scheduled task is created with the "Recurring" or "One-Time" option, it loses the username and password information on server restart.


Complete details can be found at tech-note on this location - http://helpx.adobe.com/coldfusion/kb/coldfusion10-update-01.html

Sunday, August 19, 2012

Slides & Recording of e-seminar on ColdFusion 10 & security enhancements


The recording of the e-seminar on ColdFusion 10 security enhancements, titled "Securing applications with ColdFusion 10 Security Enhancements", is available now. Due to bad voice quality we re-recorded it and made it available for you. See the complete session here.

You can also get the slides here.

Tuesday, August 14, 2012

ColdFusion Roadmap is available

The ColdFusion roadmap for the next two major releases is available here. It provides the high-level themes and direction for the product.


Note: The intended future features/directions described in this document are under consideration by Adobe Systems and are not commitments for future products, technologies, or services. The roadmap is subject to change at Adobe Systems’ sole discretion and Adobe Systems does not guarantee the features or release dates. 

Wednesday, July 25, 2012

ColdFusion e-Seminar on Securing Application

Securing applications with ColdFusion 10 security enhancements

July 25, 2012
The session will include best practices for writing secure applications. It will discuss the new APIs and features added in ColdFusion 10, with hands-on examples of each category. The session will also include a brief overview of the hot-fix installer and the Secure Profile feature. We will end by discussing some of the configurations that can go a long way toward protecting an application.
There are more e-seminars coming up this month. For the complete list, check out this page.

Tuesday, June 12, 2012

Security Hot-Fix released for ColdFusion - June 2012

Today, a priority 2 update is released, addressing an important vulnerability in ColdFusion 9.0.1 and earlier. Adobe recommends that you update your ColdFusion servers. Here is the link to the security bulletin.


This hot-fix addresses an HTTP response splitting vulnerability in the ColdFusion component browser (CVE-2012-2041).


The details can be found in the tech-note here.



Note: This issue does not affect ColdFusion 9.0.2 and 10.

Tuesday, June 5, 2012

ColdFusion 10 & Image Enhancements

With ColdFusion 10 some image enhancements were made. Here is a list of those enhancements:


1. Image resize and interpolation: With ImageResize and ImageScaleToFit, interpolation is one of the parameters. This interpolation argument controls the quality of the resulting image and has an impact on performance: the higher the quality, the slower the response time. Possible values for this argument are highestQuality (default), highQuality, mediumQuality, highestPerformance, highPerformance, mediumPerformance, nearest, bilinear, bicubic, bessel, blackman, hamming, hanning, hermite, lanczos, mitchell, quadratic.

With ColdFusion 10, this support is added to the cfimage tag as well. For cfimage action="resize", interpolation is now one of the possible attributes. Its default value is kept in sync with the function equivalents of this action.

2. ImageDrawText: ImageDrawText now returns a struct containing the width and the height of the text drawn.


3. CMYK image support: CMYK images did not work on Mac and on 64-bit operating systems. Support for these has been added.


4. Fixed a bug in ImageGrayScale with TIFF images.


5. Captcha creation: The ImageCreateCaptcha function is added.

      ImageCreateCaptcha(int height, int width, String text)
      ImageCreateCaptcha(int height, int width, String text, String difficulty)
      ImageCreateCaptcha(int height, int width, String text, String difficulty, String fonts, int fontSize)


6. Change in behavior for action="captcha": A name attribute is added to action="captcha" of the cfimage tag. This new attribute receives the image object. An inline captcha is now rendered only when neither name nor destination is specified. If name is specified, the image is saved in that variable, like with the other image functions. If destination is specified, the captcha image is saved at the given location.




7. For cfimage action="captcha", if the user-specified font is not found, it falls back to the system fonts.


8. ImageMakeColorTransparent: The new function ImageMakeColorTransparent is added. It creates an image from the given image with the given color made transparent.

    ImageMakeColorTransparent(img, color)


9. ImageMakeTranslucent: The new function ImageMakeTranslucent is added. It creates a new translucent image with the given percentage of translucence.

     ImageMakeTranslucent(img, percent)


10. New parameters for ImageOverlay: New parameters rule and alpha are added to the ImageOverlay function.

     ImageOverlay(source1, source2 [, rule, alpha])


For detailed information on all these APIs refer to ColdFusion 10 documentation.
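To show how the captcha pieces above (points 5 to 7) fit together in practice, here is an added example (not code from the original post or from Adobe) of a self-contained captcha.cfm. It generates the challenge text on the server, keeps it in the session, renders the image through the new name attribute, and checks a posted answer exactly once. The character set, the challenge length and the session key name are my assumptions; it requires sessionManagement to be enabled in Application.cfc.

```cfml
<!--- captcha.cfm. Added example, not from the original post.
      Assumes this.sessionManagement = true in Application.cfc. --->
<cfscript>
// Build the challenge on the server from a cryptographic RNG. Never take the
// text from url/form: a client that chooses the challenge can also solve it.
// Ambiguous glyphs (0/O, 1/I/l) are left out so users are not penalised for
// the font's rendering (assumed character set and length).
function newChallenge(numeric length = 6) {
    var chars = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
    var text  = "";
    var i     = 0;
    for (i = 1; i <= arguments.length; i++) {
        text &= mid(chars, randRange(1, len(chars), "SHA1PRNG"), 1);
    }
    session.captcha = text;   // assumed session key; the text itself never reaches the client
    return text;
}

// One-shot check: the stored value is removed whether or not the answer
// matched, so a solved image cannot be replayed and a wrong guess forces a
// fresh challenge.
function checkAnswer(required string answer) {
    if (!structKeyExists(session, "captcha")) {
        return false;
    }
    var expected = session.captcha;
    structDelete(session, "captcha");
    return compareNoCase(trim(arguments.answer), expected) == 0;
}
</cfscript>

<cfif structKeyExists(form, "answer")>
    <cfif checkAnswer(form.answer)>
        <p>Correct</p>
    <cfelse>
        <p>Wrong, try again</p>
    </cfif>
</cfif>

<!--- CF10: with name= the captcha is returned as an image object instead of
      being rendered inline, so it can be written (or post-processed) later. --->
<cfimage action="captcha" name="img" text="#newChallenge()#"
         width="220" height="60" difficulty="medium" fontSize="24">
<cfimage action="writeToBrowser" source="#img#">

<form method="post" action="captcha.cfm">
    <input type="text" name="answer" autocomplete="off">
    <button type="submit">Check</button>
</form>
```

The important design point is that the only copy of the expected text lives in the session: the page never places it in a hidden field, a cookie or the image URL, and the check deletes it before comparing so that each rendered image can be answered at most once.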


If you see a memory leak, you can explore using the memory leak fix done by JPedal for JAI. You can read about it and download it from here.

Sunday, June 3, 2012

WebSphere & Cookie Expires Format


On IBM WebSphere 7.0 all session cookie related test cases might fail. This happens because of the following bug in WebSphere.

Here are some details:
The cookie expiry date format that browsers expect (derived from RFC 822, RFC 850, RFC 1036 and RFC 1123) uses a four-digit year: DD-Mon-YYYY HH:MM:SS GMT.

But WebSphere 7 emits it with a two-digit year: DD-Mon-YY HH:MM:SS GMT

So on browsers that don't recognize this expiry date format, the ColdFusion Administrator and other session-related functionality (anything that relies on the session cookies) may break.

Friday, June 1, 2012

ColdFusion 9.0.2 is released


ColdFusion 9.0.2 was released this week. It mainly removes the Verity bits. It also contains all hot-fixes (cumulative and security), so to me it sounds like a great deal. You can download it from here.
Other supporting documentation can be found here.

Wednesday, May 30, 2012

ColdFusion Developer week is back


Want to learn all the new ColdFusion 10 features? Liked the Developer Week held last year? Here is your chance to attend this year's ColdFusion Developer Week, between the 4th and 8th of June.

With the launch of ColdFusion 10, the 2nd ColdFusion Developer Week, a series of free live webinars hosted by seasoned ColdFusion experts, is being organized. The webinars cover a wide range of topics, from what ColdFusion is and how to code in it to more in-depth topics related to CF10: HTML5, REST, ORM, security enhancements and more.

Whether you are a new developer, someone with little or no ColdFusion experience, or someone who has been using ColdFusion all your life, these sessions are ideal for you. The ColdFusion Developer Week provides something for everyone, so sign up now.

Details of this year's session list (each session is marked as generic ColdFusion, CF10-specific, or CF10 with HTML5/Java):

  • Getting Started with Web Application Development Using ColdFusion (Generic)
  • What's new in CF10 (CF10)
  • RESTful WebServices made easy in ColdFusion 10 (CF10)
  • Power your ColdFusion 10 apps with HTML5 WebSockets (CF10 / HTML5)
  • Hidden gems in ColdFusion 10 (CF10)
  • Improve your apps through unit testing (Generic)
  • Building applications using ColdFusion 10 and ORM (CF10)
  • Using ColdFusion frameworks for Application development (Generic)
  • ColdFusion Builder: The professional IDE to Boost Your Productivity (CF10)
  • Everything that you need to know about Tomcat in ColdFusion 10 (CF10)
  • Get productive using the language enhancements in ColdFusion 10 (CF10)
  • Leverage the productivity of ColdFusion within Java SpringMVC (Generic / Java)
  • Secure your apps using ColdFusion 10 (CF10)
  • User Experience upgrade through HTML5 charts and videos (CF10 / HTML5)
  • Make Your Site Searchable with ColdFusion 10 and Solr (CF10)
  • What's new in CF10 (CF10)
  • Speed your websites using Caching in ColdFusion 10 (CF10)
  • Adobe ColdFusion : The most popular server side platform for PDFs (Generic)
  • Revamped Scheduled Tasks in ColdFusion 10 (CF10)

Tuesday, May 22, 2012

ColdFusion 10 Security Improvements on Adobe Developer Connect

Find out how to protect against XSS, CSRF, session handling weaknesses, clickjacking and much more with ColdFusion 10 in my detailed article on Adobe Developer Connection.

Tuesday, May 15, 2012

ColdFusion 10 & ColdFusion Builder 2.0.1 is released

After a long wait, ColdFusion 10 and ColdFusion Builder 2.0.1 are released today. Loaded with features like HTML5, REST, security enhancements, the hot-fix installer, client-side charts and much, much more, I find it to be dynamite. Check out more details at -

ColdFusion 10 & ColdFusion Builder 2.0.1

Monday, April 16, 2012

Troubleshooting with JBoss 7

Recently I have been coming across a lot of configuration that is required for newer servers like JBoss 6 and 7, so I thought of jotting it all down in a single place. Sometimes I mention an item only briefly and sometimes I provide as much detail as I can.

  • JBoss & cookie expiry: With JBoss 6 and 7, cookies by default specify their expiration time using the "Max-Age" attribute instead of "Expires". I have written about this in detail here.
  • Random number generation and server start-up are slow on Unix platforms for some servers. This is because /dev/random is used for random number generation, and it blocks while the kernel's entropy pool is low (the usual workaround is to point the JVM at the non-blocking device with -Djava.security.egd=file:/dev/./urandom). I have added a detailed entry explaining the problem and solution here.
  • JBoss 7 AS has modular class loading. It provides true application isolation, hiding server implementation classes from the application and loading only the classes your application needs. Modules, packaged as collections of classes, are peers that remain isolated unless explicitly defined as a dependency of another module. These visibility rules can be customized.

    Because of this design, JBoss modules do not load everything from rt.jar and many other system jars by default. As a result you may get ClassNotFoundException or NoClassDefFoundError for a lot of classes. Read here for the solutions and workarounds available.
  • When running the JSafe (RSA Crypto-J) library on JBoss, if you get an error like java.lang.NoClassDefFoundError, put the JSafe (Crypto-J) jars in the <JAVA_HOME>/jre/lib/ext directory. This mostly occurs on Unix platforms.
  • On JBoss 7 or above, if OpenOffice integration is not working, start JBoss with the flag -Djava.ext.dirs=<jboss-deployment-dir>/cfusion.ear/cfusion.war/WEB-INF/cfusion/lib/oosdk/:<java-home>/lib/ext/ (the JDK's own lib/ext is listed too because java.ext.dirs replaces the default extension directory rather than adding to it).

I will keep updating this space as and when I find more.

JBoss 7 & Sandbox

JBoss 7 AS has modular class loading. It provides true application isolation, hiding server implementation classes from the application and loading only the classes your application needs. Modules, packaged as collections of classes, are peers that remain isolated unless explicitly defined as a dependency of another module. These visibility rules can be customized.

Because of this design, JBoss modules do not load everything from rt.jar and many other system jars by default. As a result you may get ClassNotFoundException or NoClassDefFoundError for a lot of classes.

Example:
com.sun.imageio.*
javax.annotation.processing.*
com.aqua.LookAndFeel
OpenOffice and web services tests might fail.

Solution: jboss-deployment-structure.xml

The fix is to add a jboss-deployment-structure.xml to your war, as explained at https://docs.jboss.org/author/display/AS7/Class+Loading+in+AS7

Example:

<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.1">
    <deployment>
        <dependencies>
         <module name="deployment.system"/>
        </dependencies>
    </deployment>
    <module name="deployment.system">
     <dependencies>
         <system export="true">
             <paths>
                 <path name="com/sun/net/ssl/internal/ssl"/>
             </paths>
         </system>
     </dependencies>
    </module>
</jboss-deployment-structure>


However, if for some reason you can't add jboss-deployment-structure.xml to your application quickly, the following two workarounds are available.

Workaround 1: For JRE system classes, there is a module named "sun.jdk" that depends on the module "system". It defines all the packages that JBoss loads from rt.jar.

In the module.xml of the modules/sun/jdk/main directory, add the required packages, for example
                        <path name="com/sun/imageio/spi"/>
                        <path name="javax/annotation/processing"/>
according to the needs of the application.

Example:
<module xmlns="urn:jboss:module:1.0" name="sun.jdk">
    <resources>
        <resource-root path="service-loader-resources"/>
    </resources>
    <dependencies>
        <module name="system" export="false" services="import">
            <exports>
                <include-set>

                    <!-- extra packages -->
                    <path name="javax/annotation/processing"/>

                    <path name="com/sun/script/javascript"/>
                    <path name="com/sun/imageio/spi"/>
                    <path name="com/sun/jndi/dns"/>
                    <path name="com/sun/jndi/ldap"/>
                    <path name="com/sun/security/auth"/>
                    <path name="com/sun/security/auth/module"/>
                    <path name="sun/misc"/>
                    <path name="sun/nio"/>
                    <path name="sun/nio/ch"/>
                    <path name="sun/util"/>
                    <path name="sun/util/calendar"/>
                    <path name="META-INF/services"/>
                </include-set>
            </exports>
        </module>
    </dependencies>
</module>

Workaround 2:

Add the jboss.modules.system.pkgs system property with a comma-separated list of packages to load, for example

-Djboss.modules.system.pkgs=com.sun.imageio.spi,javax.annotation.processing

Note that this setting is server-wide: the listed packages become visible to every deployment and class loader on the server, not just to ColdFusion, so prefer the deployment descriptor where application isolation matters.

Additional Information:

Related issues - 

JBoss cfusion.ear/war deployment timeout:

If cfusion.ear is not deployed within the JBoss deployment timeout, you can change the timeout in standalone.xml (the value is in seconds):
<subsystem xmlns="urn:jboss:domain:deployment-scanner:1.0">
   <deployment-scanner scan-interval="5000"
      relative-to="jboss.server.base.dir" path="deployments" deployment-timeout="120"/>
</subsystem>

Profiling:

Performance tuning is an important part of any application development. In order to use JProfiler with JBoss 7, first add the following to your standalone.conf file:

JAVA_OPTS="$JAVA_OPTS -Djboss.modules.system.pkgs=com.jprofiler -agentlib:jprofilerti -Xbootclasspath/a:/path/to/jprofiler/bin/agent.jar"

The "jboss.modules.system.pkgs" property tells JBoss Modules to allow the "com.jprofiler" classes to be found from any class loader, which is essential for the JProfiler agent to run. It is then easiest to set up your JProfiler session as "Remote", and start the server and the profiler.