Thursday, September 20, 2012

Prevent accidental manipulation of ColdFusion session cookies

In ColdFusion 9.0.2 and earlier, developers had to rewrite the ColdFusion session cookies themselves in order to add extra cookie attributes. With ColdFusion 10 this is no longer required. (For details see here.)

So this code needs to be updated when migrating to ColdFusion 10. Consider what happens if that code is left in place: the behavior is undefined. To avoid this, ColdFusion 10 adds another setting -

Settings -> Memory Variables -> Session Cookie Settings -> Disable updating ColdFusion internal cookies using ColdFusion tags/functions

It can also be set using Application.cfm/cfc. See this entry for details.

When enabled, this prevents the CFCookie and CFHeader tags from updating the ColdFusion session and authorization cookies.

There is one more enhancement to cfcookie/cfheader. In previous versions the cookie value was always encoded, which can break a consumer that expects the value to contain certain extra characters verbatim. You can now use the new "preservecase" and "encodevalue" attributes of the CFCookie tag, and the "encoded" attribute of the CFHeader tag when type=cookie.
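The following is an added example, not code from the post, showing both points above in one hypothetical application: an Application.cfc that sets the cookie attributes the ColdFusion 10 way and turns on the "disable updating ColdFusion internal cookies" behaviour, and a page that still contains the legacy cookie-rewriting code next to a cookie that uses the new encoding attributes. The application name, the cookie names/values and the assumption that the site is served over HTTPS are mine; the setting keys (this.sessioncookie.*, this.authcookie.*) and the cfcookie attributes are the ColdFusion 10 ones.

```cfml
<!--- file: Application.cfc (hypothetical application; added example) --->
<cfcomponent output="false">
    <cfset this.name = "cookieHardeningDemo">
    <cfset this.sessionManagement = true>

    <!--- ColdFusion 10 adds the attributes to CFID/CFTOKEN itself,
          so no cfcookie/cfheader rewrite of the session cookies is needed --->
    <cfset this.sessioncookie.httponly = true>
    <!--- secure="true" assumes the application is served over HTTPS only --->
    <cfset this.sessioncookie.secure = true>

    <!--- Application.cfc equivalent of the Administrator setting
          "Disable updating ColdFusion internal cookies using ColdFusion tags/functions".
          With this on, cfcookie/cfheader can no longer overwrite the session
          (CFID/CFTOKEN) or authorization (CFAUTHORIZATION) cookies --->
    <cfset this.sessioncookie.disableupdate = true>
    <cfset this.authcookie.disableupdate = true>
</cfcomponent>
```

```cfml
<!--- file: demo.cfm (added example) --->

<!--- Legacy ColdFusion 9-era pattern: rewrite the session cookie to add attributes.
      After migration this should be removed; with disableupdate enabled above,
      the tag is prevented from changing the server-issued CFID cookie --->
<cfcookie name="CFID" value="#session.cfid#" httponly="true" secure="true">

<!--- Ordinary application cookies are unaffected. By default the value is
      URL-encoded (the "=" padding of this constructed base64 token would become %3D)
      and the name's case is not preserved. The ColdFusion 10 attributes change that
      for a consumer that expects the raw value --->
<cfcookie name="apiToken"
          value="dGVzdA=="
          preservecase="true"
          encodevalue="false"
          httponly="true"
          secure="true">
```

Keep encodevalue="false" for values you control and know to be cookie-safe (no ";" or "," and no whitespace); the default encoding exists to stop such characters from breaking the Set-Cookie header.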

Tuesday, September 11, 2012

Security Hot-Fix for ColdFusion - September 2012

Today a priority 2 update was released, addressing an important vulnerability in ColdFusion 10 and earlier. It also addresses the issue for ColdFusion 8.0.1 and ColdFusion 8. Adobe recommends updating ColdFusion servers. Here is the link to the security bulletin

This hot-fix resolves a vulnerability that could result in a Denial of Service (DoS) attack, CVE-2012-2048. You should also update your sandboxes to add the GetPageContext() method to the disabled functions list.

For ColdFusion 10, use the updater to get this update. This is Update 2, and it includes the earlier Update 1 for ColdFusion 10.
Details can be found in the tech-note here.

Note: This is the last Security Hot-Fix for ColdFusion 8.0.1 & 8.

Monday, September 3, 2012

SSLV3 support in ColdFusion

Have some input on SSLV3 support in ColdFusion? Would you like to share the SSLV3 use cases of your ColdFusion applications?

Share it with ColdFusion team, at

Saturday, September 1, 2012

ColdFusion 10 update 1 is live

Update 1 for ColdFusion 10 was released today. It fixes more than 20 important/critical issues. The best part: no manual steps are needed to install it. If automatic update checking is enabled, you will get a notification in the Administrator; otherwise, check for updates in the Server Updates (Hot-Fix installer) section of the Administrator and install the update.

This update fixes the following issues -
Bug ID     Description
3177732    Missing CGI.Redirect_* variables (for example, CGI.Redirect_URL, CGI.redirect_query_string) in ColdFusion 10.
3305486    The value of CGI.path_info is an empty string when URL rewrite condition uses {PATH_INFO} in IIS.
3181617    ORM 2nd level cache does not function when application is restarted after timeout.
3197628    cfcompile.bat and missing from ColdFusion 10.
3209606    When request debugging is enabled in "Secure Profile" mode, error template does not display correctly.
3207446    Unable to send certain set of characters as a message over websocket.
3290529    Unable to access ColdFusion Collections in spite of necessary permissions being granted to a user.
3306430    Data overflows from columns within a table in PDFs generated using cfdocument tag.
3192032    Scheduled Tasks belonging to non-default group are not archived.
3198173    cfhttp fails for a URL whose response is gzipped.
3198902    ExpandPath with UNC path is VERY slow.
3218452    CFThread fails when called from Custom Tags.
3295296    ColdFusion 10 returns multiple form fields with the same name as arrays instead of lists.
3306457    ColdFusion 10 deploys incorrect DLLs when installed as a 32-bit application on a 64-bit machine, thereby causing functionality such as registering CFX C++ tags to fail.
3183743    When the value of action attribute of cfschedule tag is "list", incorrect interval information is returned.
3194817    (ColdFusion 10 Standard Edition only) Can't create recurring scheduled jobs.
3196328    An application specific task that is paused cannot be listed.
3196336    Exception in the ColdFusion Administrator when viewing a task if the value of its exclude attribute is an array.
3203769    Editing a paused task which has a password specified changes its status to running.
3295644    Scheduled Task that executes a URL on a specific port reverts back to 80 on server restart.
3208222    Error when instantiating a COM Object in ColdFusion 10.
3299932    When a scheduled task is created with "Recurring" or "One-Time" option, it loses the username and password information on server restart.

Complete details can be found in the tech-note at this location -