Ah the immortal thread - like a god coming down from Mt. Olympus and laughing with his (or her) hands on his mighty hips (see why I chose "his"? ... "her mighty hips" ... well, I just didn't want to go there). Such threads are mind bogglingly frustrating. In actual fact, there are some requests spawned by ColdFusion that may not be able to be terminated by ColdFusion. For the long version read on McDuff.Read More
Yesterday I was doing some searches on a sick server to troubleshoot the Iframe Injection issue. A user had posted some additional information regarding a file that appeared on his server that had this issue. The file was named "fection.cfm" so we now know the hacker casually removes his prefixes (or I should say 'emoves his 'efixes). I began my search by looking for the file specifically, then moved on to look for the string "cfexecute" in all of the *.cfm files. But that got me thinking. A clever hacker might know some things about ColdFusion. He could in fact, further obscure his code with some knowledge of cfinclude and IIS. Such a technique can be used to secure your code as well. You can create code that is only runnable by ColdFusion using cfinclude. Here's the skinny.Read More
Here's a problem that will leave you scratching your head should you ever run into it. Consider a simple .NET web service that requires an "array of strings". The goal was to make use of a web service API published by Smarter Mail. I wanted a programmatic way of adding email aliases - groups of emails that function under a single address. The web service methods provided by the smarter mail API could not be simpler. Each request requires a username, password, domain and then additional stuff to make it work. For example, the "GetAlias()" function allowed me to pass in a domain and alias and get a list of emails already associated with that alias.
The problem came when it was time to add or update an alias. The argument for "addresses" to pass to the .NET service looked like "an array of strings" (that's how the help docs referred to is as well). The node in the XML looked pretty simple:
Now I can think of several ways to create an array of strings in ColdFusion so I started giving it the old college try. Unfortunately each attempt ended in failure. I could not figure out how to get a data type instantiated in CF to match the data type that .NET expected. I ended up experimenting with several different approaches to the array syntax.Read More
Thanks to Nate from CF-Talk I have a copy of the malicious VBS script that is doing the damage. If you are being victimized by this attack and you need to see the script for whatever purpose, let me know and I will make sure you get a copy. I now it goes without saying, but just don't run it :).
Meanwhile there is some consensus, given the root access of this code, that an infected server cannot be trusted even after a thorough cleaning. Dave Watts and Tom Chiverton both gave such advice. While it's not always possible and it's a huge hassle, it might be the best solution to bite the bullet and do it.
For those of you who have been following the Iframe injection attack saga (see Iframe Insertion on Index.* Home pages) I have an update. I would like to thank one of my readers named Kumar for referring me to this excellent article (a PDF File) on Black Hat. The article seems to pinpoint the origin and nature of the attack. The document describes an attack in depth with multiple steps (just as we had speculated). The first step was an SQLi attempt. But failing that the attacker compromised the server in a rather ingenious fashion.
This file that was uploaded was a CDX file. On a properly configured IIS server this attack would fail to succeed. Here's why.Read More
Coldfusion Guru and all around super geek Pete Freitag was nice enough to let me check out his new "Web Application Firewall" (see this link for more info). This product serves as a Coldfusion based security filter for all requests coming to an application. I was impressed with the approach Pete takes. After the Init the code ran smoothly and did not appreciably increase my page load time (always a concern when you are "wrapping" your application in something). If you use Pete's system you will pretty much guarantee that your site will be protected from a high percentage of known attacks. Overall I give the application an A for innovation and organization, a B+ for installation and a C- on the price. If you want to know more read on.Read More
First off, let me say that I love ColdFusion 8 on the 64 bit JVM. If you have a data driven site that requires extra processing power you should definitely move in that direction. However, there is one thing that really causes some consternation about the platform - the lack of Jet drivers for MS Access. I know I know, I have spoken with open disdain about "using Access in production" and in the words of Dan Quayle, I stand by all my misstatements. Still, there is one thing that I do use Access for in production - as a portable export utility.
Using the proxy technique I describe in my post counterintuitively titled Using a DSN Connection for Connectionless Access I have several applications that crunch numbers or develop report data, then file them away in tables in an MDB File which is zipped up for download or emailing. It works well and Access is so much more useful than Excel for some savvy corporate analysts. Now along comes 64 bit Windows and suddenly there are no (zip, nada, zilch) Jet drivers for connecting from Coldfusion.
Luckily, I have my wits about me. Also luckily I have a 32 bit server at my disposal as well (it means "available to use" - I'm not implying there is a server near my kitchen sink). So I came up with this clever solution.Read More
This question is an excellent reminder to folks like me that there are many burgeoning ColdFusion developers out there that need some help with the fundamentals. I often write about complex tuning or obscure behaviors (with the server, not that thing I have about Jell-O and a duck). But sometimes us CF Bloggers need to go back and produce material for developers who are just starting out.
Your problem here, dear reader, is that you are working in a dual environment - testing code on your desktop and deploying it to the server. That's a very good thing. In fact, I applaud you for it since most folks start out the other way around, making changes to production server code and only finding out it is a bad idea right after they create their first infinite loop. In fact there are some nuances to a dual environment that you have to think about ahead of time. In general, an application of any size will need some "global variables" that are specific to its hosted environment. That's where the Application scope usually comes in - but we can save that post for a follow up. Right now let's tackle your specific issue.Read More