Trying to understand an application.cfm attack

I have a site that I've been running without issue, for years now - I sniff and block for cross site scripting, sql injection, executable file uploads, and employ honeypot fields on forms... 
This past week I wanted to watch some slow page loads for performance, noting their time to execute.  I chose to use an application.cfm and an onrequestend.cfm to set a timestamp and to place it on the end of my pages.  Prior to this, I have not utilized an application.cfm.  I'm pragmatic and look upon the application.cfm as a catch-all to do things that I should be planning better for in my application.
I soon found myself the recipient of a cross site scripting attack.  I realised easily that I opened myself wide to this because the application.cfm runs _before_ everything, including my sniffer code. Derrrr!
I deleted the application.cfm and onrequestend.cfm and cleaned up my files, having caught it the same day and experiencing little damage.  The attack was only inserting javascript into my index pages via the application.cfm.  Rather ingenious and it was fun to find and consider.  Payday loan spam.
I've been googling and reading on uploading vulnerabilities, but I can only find one instance where someone described their application.cfm file having been modified in similar fashion, the vector being a vulnerability in fckeditor - which I do not use. Nor do I use any other third party editor plugin.
An article I found mentions vulnerable files in legacy CFDOCS folder that allow access and uploads.  I have a fresh install of CF9 so this did not exist.  There was a cfx folder tree with some "example" code folders.  I've zipped and deleted these.
I have changed ftp to use a non-standard port.  Something that I used to do, but failed to re-instate when I moved to a different host.  I have a ticket submitted to get help in blocking CFIDE path requests to the outside world (so that it will only be accessible locally via RDP).
If someone/something could modify the application.cfm file, why look for just it, unless it was just a lazy scripted attack looking for application.cfm files specifically.  And while I did not have one before, why did someone not just upload their own?
How and why was my application.cfm changed, and why not the index.cfm files directly if they had some other avenue of access?
My question is this - can the application.cfm be tricked into modifying itself?
Thanks in advance!

Sorry about that - a misunderstanding. When you said you "deleted the application.cfm and onrequestend.cfm and cleaned up my files...", I took that to mean you only deleted the code. I assumed the files to still be on the file system. For, to run a ColdFusion application of any substance, you do need an Application file.
aotgnat wrote:
The attack was only inserting javascript into my index pages via the application.cfm .
Not necessarily via the application file. What the attacker may very likely have exploited is a ColdFusion Cross Site Scripting (XSS) vulnerability. This link shows you that a cfform, user-agent HTTP header, etc. may be used in an XSS attack. (See the XSS vulnerabilities relevant to CF9, which include CVE-2009-3467, CVE-2010-1293, CVE-2011-0583, CVE-2011-0733, CVE-2011-0734, CVE-2011-0735, CVE-2011-2463, CVE-2011-4368).

Similar Messages

  • Trying to understand flash.media.Microphone

    Hi,
    I am new to flash/AS3 and currently trying to understand how to use flash.media.Microphone in my application.
    I have the following code to activate the microphone:
    var mic:Microphone = Microphone.getMicrophone();
    Security.showSettings("2");
    mic.setLoopBack(true);
    mic.setUseEchoSuppression(true);
    mic.addEventListener(StatusEvent.STATUS,micStatus);
    mic.addEventListener(ActivityEvent.ACTIVITY, activityHandler);
    This seems to be working fine and I get the "allow the use of the microphone" dialogue when I run the flash application.
    However, I go and add some other code in and after a while I no longer get "allow the use of the microphone" when running my application. The microphone is still loaded and micStatus gets called, but the microphone just stays muted, so I don't get the echo back as configured with mic.setLoopBack(true).
    Initially I thought that maybe this is because of something in my code, so I went back to my initial code again, but still get no "allow the use of the microphone" dialogue and the microphone stays muted.
    If I create a new AS3 project and copy the code there, it works again. This makes me think that maybe I am missing something. Do I need to release the microphone somehow after use? Saying that, if I restart my computer, the projects that stopped displaying "allow the use of the microphone" will still not display them.
    Really confused about this. Anyone have any pointers what I am doing wrong?
    regards,
    Olli

    Hi,
    Are you trying to download Adobe Flash Media Live Encoder 3.2? Could you please try again from here : https://www.adobe.com/cfusion/entitlement/index.cfm?e=fmle3 ?
    Hope this helps.
    Thanks,
    Apurva

  • Verity search results return application.cfm

    We've got a couple of sites using verity collections to
    search cfml, html, and some mime documents. This is generally
    successful. However, we do see coldfusion script-only pages
    returning in the search results, including application.cfm, and
    other cfm pages that do not display content to the end-user. Since
    there is no HTML renderable content in these pages, why do they get
    included in the results?
    How can I control this behavior? I've looked at the verity
    documentation, and am trying to use the mkvdk utility to delete
    application.cfm from the collection documents, but am getting an
    error. If I can get the syntax down correctly, is this the proper
    way of addressing the problem?
    For instance, I am using the command string:
    mkvdk -delete -collection
    C:\CFusionMX\verity\collections\intranet\file application.cfm
    on my local development machine to try and test this, but get
    an error BadKeys: application.cfm
    I don't understand why these types of files get included in
    the collection in the first place. Oh, we are running CFMX6.1.
    Thanks for any help.
    Kris

    The issue is not how to remove all CFM files from the
    collection. We just want CFM files that do not output anything to
    the user to be excluded from the search index. Most of the files in
    this site are CFM files. Most importantly would be application.cfm,
    form action pages, and other included files.
    Certainly we could parse the results for a filename in a
    predefined list, but we are trying to avoid defining this
    programmatically; thinking that it is odd that these files get
    included in the results at all. In the past we have segmented sites
    using .cfm and .cfml as a way of excluding specific files from the
    index (in the collection definition, we would not include the
    specific extension as required). But this site has been in
    production for some time, and is just now adding a search feature.
    We don't want to rename files, and have to recheck every single
    page and link in the entire site.
    Does that explain what we're trying to do better?
    Cheers,
    Kris

  • Application.cfm in root and subdirectory, help.

    I cannot figure this out. I understand that an application
    will use the application.cfm file in its current directory first
    and not search further. However, my page in a subdirectory seems to
    not see the application.cfm in its own directory and instead uses
    the root application.cfm. Can anyone explain? And I have tried
    capitalizing the "A", etc. but I am not using Linux so I do not
    think it matters anyway. (CF MX)

    Hard to tell exactly, but in the subdirectory, is the ONLY
    line the <cfset application.dsn_test = "DiningHall">?
    If so, the subdirectory application.cfm would execute and the
    parent would not, which would cause the undefined error since from
    what I can tell, you haven't used the <cfapplication> tag in
    the subdirectory.
    What you can do is use a cfinclude in the subdirectory
    application.cfm.
    <cfinclude template="../application.cfm">
    <cfset application.dsn_test = "DiningHall">
    However.... That's a big no no if you're using this to
    actually change application scope parameters, since someone
    visiting the subdirectory would reset the DSN for someone that
    might still be navigating around in the parent directory.
    So what good is using the cfinclude method? Well, you can
    lock subdirectories to roles this way.
    <cfinclude template="../application.cfm">
    <cfif getAuthUser() eq "" or not IsUserInRole("Admin")>
    Access Denied!
    <cfabort>
    </cfif>
    Consider changing the DSN setting to use the request.scope to
    isolate the change to the user.
    <cfset Request.appDSN = "DININGHALL">

  • Hello, World - trying to understand the steps

    Hello, Experts!
    I am pretty new to Flash Development, so I am trying to understand how to implement the following steps using Flash environment
    http://pdfdevjunkie.host.adobe.com/00_helloWorld.shtml         
    Step 1: Create the top level object. Use a "Module" rather than an "Application" and implement the "acrobat.collection.INavigator" interface. The INavigator interface enables the initial hand shake with the Acrobat ActionScript API. Its only member is the set host function, which your application implements. During the initialize cycle, the Acrobat ActionScript API invokes your set host function. Your set host function then initializes itself, can add event listeners, and performs other setup tasks. Your code might look something like this.
    <mx:Module xmlns:mx="http://www.adobe.com/2006/mxml" implements="acrobat.collection.INavigator" height="100%" width="100%" horizontalScrollPolicy="off" verticalScrollPolicy="off" >
    Step 2: Create your user interface elements. In this example, I'm using a "DataGrid" which is overkill for a simple list but I'm going to expand on this example in the future. Also notice that I'm using "fileName" in the dataField. The "fileName" is a property of an item in the PDF Portfolio "items" collection. Later when we set the dataProvider of the DataGrid, the grid will fill with the fileNames of the files in the Portfolio.
    <mx:DataGrid id="itemList" initialize="onInitialize()" width="350" rowCount="12"> <mx:columns> <mx:DataGridColumn dataField="fileName" headerText="Name"/> </mx:columns> </mx:DataGrid>
    Step 3: Respond to the "initialize" event during the creation of your interface components. This is important because there is no coordination of the Flash Player's initialization of your UI components and the set host(), so these two important milestone events in your Navigator's startup phase could occur in either order. The gist of a good way to handle this race condition is to have both your INavigator.set host() implementation and your initialize() or creationComplete() handler both funnel into a common function that starts interacting with the collection only after you have a non-null host and an initialized UI. You'll see in the code samples below and in step 4, both events funnel into the "startEverything()" function. I'll discuss that function in the 5th step.
                   private function onInitialize():void { _listInitialized = true; startEverything(); }

  • Trying to Understand the PostSyncCleanup parameter

    I've got a problem with running my application on the Australian version of Windows. We have a "test" application built around SQL Server Compact Merge Replication Library (thanks ErikEJ) and that works but our application doesn't.
    One of the main differences with our application code is that we do not set the PostSyncCleanup value to anything and the library sets it to 2 per this link:
    http blogs.msdn.com/b/sqlblog/archive/2009/04/15/sql-compact-performance-postsynccleanup-to-turn-off-updatestatistics-during-initial-download-of-sql-compact-replication.aspx (put the :// back to get the link)
     I'm trying to understand the impact of making that our "production" configuration since we haven't been using it.  The description looks harmless enough but I don't really understand what statistics I'm turning off and what the impact
    would be and what even the default setting is.  Anything that could enlighten me would be appreciated along with a guess as to why that might be causing a problem on the Australian version of Windows would be appreciated.

    So we've been running with the default value (0) and have not really had any "problems".  I haven't done any testing but I'm ok with faster, like everyone would be, but am also a bit risk averse so want to know what exactly I'm turning off.
    I also saw this advice from Rob Tiffany:
    Use the appropriate x64, x86 or ARM version of SQL Server Compact 3.5 SP2 to take advantage of the
    PostSyncCleanup property of the SqlCeReplication object that can reduce the time it takes to perform an initial synchronization. Set the
    PostSyncCleanup property equal to 3 where neither
    UpdateStats nor CleanByRetention are performed.
    Here: http  robtiffany.com/microsoft-sql-server-compact-3-5-sp2-has-arrived/
    So, is the best advice to use that parameter and set the value to 3 or 2?
    I don't really know what I'm losing by "not performing" UpdateStats or CleanByRetention, and does making that change mean I need to do something else on the server or client to "clear out" or "clean up" something that this is
    doing?

  • Which to use application.cfm or application.cfc?

    Hi,
    Just a general question, i have been using application.cfm
    for my applications so far. I came across a tag that would be used
    under application.cfc, but i tried putting both templates together
    in one application and boom, an error showed up.
    So, which is better to use with most of the applications
    application.cfm or .cfc?
    Thanks for any help!
    Syed

    It's actually a bit easier to use session and application
    scope variables with Application.cfc, I think.
    Application.cfc has methods for specific "events" or states:
    onApplicationStart() -- where to load application variables,
    security logic, etc.
    onSessionStart() -- initialize session variables, etc.
    onRequestStart() -- runs at the start of each page request
    onRequestEnd()
    onSessionEnd()
    onApplicationEnd()
    onError() -- very nice place to get some good
    Application-wide error handling code in place
    onRequest() -- be sure to read the notes on this
    method...it's a bit different.
    Check out the MX7 reference page for Application.cfc:
    http://livedocs.adobe.com/coldfusion/7/htmldocs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=ColdFusion_Documentation&file=00000692.htm
    CF8 (if you're using that yet)
    http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=Part_3_CFML_Ref_1.html

  • Application Variables in application.cfm and asp

    If anyone could provide some insight into using application
    variables declared in application.cfm, but retrieved in asp code,
    it would be appreciated.
    GOAL: Retrieve values into an asp page from application
    variables in application.cfm.
    PROCESS: Defined the variables in application.cfm. On an asp
    page, defined the application variable in Window -> Bindings.
    The application variables defined in the source code show up.
    Attempt to retrieve the application variable in the asp page by
    using the command: var_destination = Application("var_name")
    It seems like whatever I try, the variable is empty. After
    looking around on the web, I also saw that the equivalent to
    application.cfm in asp is global.asa. I also tried setting up this
    file, along with the variables, did the binding, and used the same
    commands, and also was not able to retrieve any application
    variables.
    What am I missing?

    What am I missing?
    That ColdFusion and ASP.NET are different applications and do
    not share
    the same memory addresses. So they are going to each have
    their own
    "application" variables.
    Blue Dragon has implemented CFML as an ASP.NET language so
    that one
    could write ColdFusion that runs on the ASP.NET framework and
    would then
    use the same memory locations with their server.
    Otherwise you are going to have to write your own sharing
    tool. Some
    code that can read the desired variables from one code base
    and pass it
    to the other code base through forms, web services or some
    other manner.

  • How to manage application.cfm in SVN environment

    Should the application.cfm page even be committed/updated?
    With all the different locals, branches and tags to take into
    account, wouldn't this render the application.cfm page huge? How
    are folks handling the application.cfm page?
    Right now, our application.cfm page takes into consideration:
    4 dev locals, 1 dev server and 1 production server. I'd like to
    introduce branching into our workflow, just not sure how this will
    affect this file.

    sk8, here goes. what we do isn't 100% what you're doing in
    that we're not
    dealing with different branches of code, but i'll try to
    describe a way in
    which i think this is easily accommodated. I'm certainly not
    passing this off
    as johnny-super-clever-normalized-i'm-so-smart...cause it's
    not. but it has
    worked for us for as long as i've been with this company and
    has proven
    extremely useful and extensible
    first, we have two tables, applocations and applocationhosts.
    applocations:
    locationid | locname | webroot | codebaseroot | networkroot | bunch of other roots....whatever
    1 | dev | / | \global\ | \\san\alpha\mysite | blah blah blah
    2 | test | /mysite/ | \global\ | \\san\\beta\mysite | blah blah blah
    3 | staging | /mysite | \global\ | \\someothersan\mysite | blah blah blah
    4 | prod | / | \global\ | \\prodsan\mysite\ | blah blah blah
    5 | local | /mysite/ | \global\ | \\san\alpha\mysite | blah blah blah
    then applocations:
    locationid | lochostname
    1 | mysite.alpha.mycompany.com
    2 | mysite.beta.mycompany.com
    3| staging.mycompany.com
    4 | mysite.com
    4 | mysite2.com
    4| mysite.org
    5| localhost
    then when the app is loaded, we have a query like this:
    select * from applocations
    where locationid = (select locationid from applocationhosts
    where
    lochostname = '#cgi.server_name#')
    we then store the results in some application scoped
    variables (i.e. this
    query runs once until the application is reset)
    then, in our code, we reference things like so:
    <cfinclude
    template="#application.codebaseroot#/blah/blah.cfm">
    or
    <img src="#application.webroot#\images\myimage.gif">
    where codebaseroot is the root to the code (for cfincludes
    and the like) and
    webroot is used for all http-ish things like images,
    cflocations, script
    includes, etc.
    now, in your case, with the different branches, you could
    possibly just add
    a few more rows onto applocations, like so:
    7 | devtrunk | /mysite/trunk/ | \trunk\global\ | and so forth
    8 | devtag | /mysite/tag | \tag\global\ | and so forth
    and then possibly you could add another column onto
    applocationhosts, like
    so:
    locationid | lochostname | key
    8 | localhost | tag
    and then your query might look something like this:
    select * from applocations
    where locationid = (select locationid from applocationhosts
    where
    lochostname = '#cgi.server_name#')
    <cfif isDefined("url.key")>
    and key = '#url.key#'
    </cfif>
    the only tricky thing about that would be that you'd
    potentially have to
    have a hook that recognizes that you're trying to change the
    application's
    variables, so you'd need to refresh the application. but that
    shouldn't be
    too tough.
    at any rate, this works for us and has completely negated the
    need to have
    code that sets different paths based on environment.
    Good luck Sk8!
    "sk8save" <[email protected]> wrote in
    message
    news:[email protected]...
    > That's the sort of things that I'm talking about yes.
    >
    > For each developer local (branch, trunk or tag), dev
    server and production
    > server there's an if statement that take cares of
    application variables.
    > There
    > may only be 5-10, but I'm still curious to see how
    people are dealing with
    > this
    > sort of thing.
    >
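
The lookup query in the post above builds its SQL from `cgi.server_name` and `url.key`, both of which arrive with the request, and its result later feeds `cfinclude` paths. The same lookup with bound parameters, as an added example that is not the poster's code: the datasource name `appConfig`, the column lengths, the column name `branchkey` (used in place of `key`, a reserved word in several databases), the exception type and placing the key test inside the subquery are all assumptions.

```cfml
<!--- Added example; datasource, column sizes and the branchkey column name are assumptions --->
<cfquery name="qLocation" datasource="appConfig">
    SELECT l.locationid, l.locname, l.webroot, l.codebaseroot, l.networkroot
    FROM   applocations l
    WHERE  l.locationid IN (
               SELECT h.locationid
               FROM   applocationhosts h
               <!--- cfqueryparam sends the value as a bound parameter, never as SQL text --->
               WHERE  h.lochostname = <cfqueryparam value="#cgi.server_name#"
                                                    cfsqltype="cf_sql_varchar" maxlength="255">
               <cfif structKeyExists(url, "key")>
                   AND h.branchkey = <cfqueryparam value="#url.key#"
                                                   cfsqltype="cf_sql_varchar" maxlength="32">
               <cfelse>
                   <!--- Without a key, match only the host's default row --->
                   AND h.branchkey IS NULL
               </cfif>
           )
</cfquery>

<!--- Fail closed: an unknown host or key must not leave the roots undefined or ambiguous --->
<cfif qLocation.recordCount NEQ 1>
    <cfthrow type="App.UnknownLocation"
             message="No single location row matches this host name.">
</cfif>

<!--- These values are later used in cfinclude templates and image URLs,
      so they come only from the database row, never from the request --->
<cfset application.webroot      = qLocation.webroot>
<cfset application.codebaseroot = qLocation.codebaseroot>
```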

  • Application.cfm - Should I use queries or set session variables?

    Hi,
    I have an application that has many users for many different
    companies logged in at the same time using the system. I use the
    application.cfm to call and set a bunch of variables that make the
    system work, such as preferences and things. Would it be better to
    use 5 or 6 queries all pulling one record, or call the queries only
    once at the start of the session and set 30 to 50 session variables
    based on the query results? Which method would bog the system down
    less? It seems that session variables use quite a bit of memory.
    I'm just trying to get the "simple answer" for this, if that's even
    possible.
    Please let me know your thoughts and experience on this.
    Thanks much,
    Jeff W!

    In order to give you a simple "do it this way" answer, more
    information is needed.
    How long does it take to run those 5-6 queries on each
    request? How many users are logged in at peak times? How much data
    would you be storing in the session for each user? How much RAM do
    you have on your server?
    On one application, we've decided to go the session variable
    route. The size for each users' session maxes out at 2.5 KB. We
    have 512 MB dedicated to CF, but can easily scale up on the
    hardware we have to 1.5 GB or more. At 512 MB, 2.5 KB per user
    session, we can handle a little over 200,000 concurrent users
    (assuming all CF memory could be utilized for session variables,
    which isn't true). There are only 6,000 users total in our system,
    so we have quite a bit of headroom.
    Are you on CF8? If so, open up the server monitor, start
    monitoring, profiling, and memory tracking, and log in with a
    couple users (with your code setup to store all that info in the
    session). See how much storage each session takes. Then look at
    your server. How much RAM do you have? what do you currently have
    allocated to ColdFusion? What's your peak concurrent user level? Do
    you have headroom? Also, see if the benefits of storing it in the
    session are even worth it (how long do those 5-6 queries add to
    each request?)

  • Verity returning application.cfm

    We've got a couple of sites using verity collections to
    search cfml, html, and some mime documents. This is generally
    successful. However, we do see coldfusion script-only pages
    returning in the search results, including application.cfm, and
    other cfm pages that do not display content to the end-user. Since
    there is no HTML renderable content in these pages, why do they get
    included in the results?
    How can I control this behavior? I've looked at the verity
    documentation, and am trying to use the mkvdk utility to delete
    application.cfm from the collection documents, but am getting an
    error. If I can get the syntax down correctly, is this the proper
    way of addressing the problem?
    For instance, I am using the command string:
    mkvdk -delete -collection
    C:\CFusionMX\verity\collections\intranet\file application.cfm
    on my local development machine to try and test this, but get
    an error BadKeys: application.cfm
    I still think it's retarded that these types of files are
    included in the collection in the first place. Oh, we are running
    CFMX6.1.
    Thanks for any help.
    Kris

    My first thought, because I have made this mistake several
    times is that the "A" in Application.cfm needs to be capital on
    *nix systems. I am not sure if that includes Macs.

  • Mac newbie trying to understand

    I haven't learned to think in Mac yet. I'm trying to understand what actually happens to the files that I have imported from my memory card into iphoto and then exported to another folder on my hard drive for use in other applications or on a Windows PC. Are the files moved from the iphoto library and then tracked in iphoto or are they copied to the new folder thus creating two copies on the hard drive? Any of the above?
    I am trying to avoid creating duplicates of the originals in order to save space and would like to understand this before I go much further and wind up with a huge mess. I'm thinking maybe I should use image capture to get the photos from the card to a folder and then import into iphoto so the originals would be more readily available for burning cds/dvds for use in Windows as I will be doing that a lot. How would that work?
    That's probably about as clear as mud. Anybody understand and can educate me? By the way, love my iMac.
    Thanks.

    Lonr
    Welcome to the Apple user to user assistance forums
    And welcome to the Mac
    while you will find the Mac very intuitive and easy to use it is different from a PC and there is a learning curve - the Apple tutorials are very helpful - see the right hand column for a list by major topic - http://www.apple.com/startpage/
    I'm trying to understand what actually happens to the files that I have imported from my memory card into iphoto and then exported to another folder on my hard drive for use in other applications or on a Windows PC. Are the files moved from the iphoto library
    By default (and strongly recommended) the imported photos are copied to the iPhoto library -- there is an option not to do this but it can be extremely problematic and unless you are a very experienced user it is strongly recommended that you use the default of copying all imported photos to the iPhoto library
    and then tracked in iphoto
    Yes - by default
    or are they copied to the new folder thus creating two copies on the hard drive?
    The original is left alone unless you choose to have iPhoto delete the photos from the camera after importing (it is best not to have iPhoto do this but to use the camera to reformat the card once everything is firmly in iPhoto and the camera is properly disconnected). Once you have imported the photos to iPhoto you can delete the original that is outside of iPhoto.
    I am trying to avoid creating duplicates of the originals in order to save space and would like to understand this before I go much further and wind up with a huge mess. I'm thinking maybe I should use image capture to get the photos from the card to a folder and then import into iphoto so the originals would be more readily available for burning cds/dvds for use in Windows as I will be doing that a lot. How would that work?
    This will create two copies of each original and is unnecessary - it is better to export the photos you want to use and delete the exported versions after you use them.
    LN

  • Why does application.cfm file not get processed first?

    I am using ColdFusion 11 on Windows2008 R2. From what I understand, if there is an application.cfm page in the root folder, that any .cfm page below the root will process this page first and then process the regular .cfm page. I noticed that it processes my regular page FIRST and then calls the application.cfm page.
    In my case I have a web page that updates a database, but in my application.cfm page, I check a session variable to see if the user is logged in. If they are not logged in, then I redirect them to a log in page, let them log in, set the session variable and then redirect them back to process the page. But I noticed, that when I run the page, the database gets updated and THEN the user gets redirected to log in, then the database gets updated again.
    Am I not using the application.cfm page correctly? I thought it was supposed to be used to check log ins and things like that. How do I ensure that it runs first?
    Btw, it is the only application.cfm page in the entire web site and I do not have any application.cfc files.
    Thanks.

    It would make things easier to see the code. In any case, from what you say, my guess is that there is no authentication check at the point where the database gets updated. So the update occurs at the start, and again when you later redirect the user to the page.
    On ColdFusion 11, you should actually switch to Application.cfc. There are at least 2 reasons.
    Firstly, recent ColdFusion versions implicitly assume you use Application.cfc by default. Secondly, Application.cfm is outdated and has much less functionality than Application.cfc. For example, Application.cfc allows you much more fine-grained control over your code at the level of request, session and application.
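
The reply's suggestion, written out as an Application.cfc whose `onRequestStart` performs the login check: that method runs before the requested template, and `cflocation` ends the request, so a page that updates the database is not reached by a user who has not logged in. This is an added example, not code from the thread; the application name, `session.isLoggedIn`, `session.returnTo` and the `/login.cfm` and `/logout.cfm` paths are assumed names.

```cfml
<!--- Application.cfc (added example; all names below are assumptions) --->
<cfcomponent output="false">

    <cfset this.name = "exampleApp">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <!--- Pages that may be requested without a logged-in session --->
    <cfset variables.publicPages = "/login.cfm,/logout.cfm">

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- Every new session starts unauthenticated --->
        <cfset session.isLoggedIn = false>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <!--- targetPage is the path from the web root to the requested page --->
        <cfargument name="targetPage" type="string" required="true">

        <!--- structKeyExists covers sessions created before this file was deployed --->
        <cfset var loggedIn = structKeyExists(session, "isLoggedIn") AND session.isLoggedIn>

        <cfif NOT loggedIn AND NOT listFindNoCase(variables.publicPages, arguments.targetPage)>
            <!--- Remember only the local script path, never a caller-supplied URL --->
            <cfset session.returnTo = arguments.targetPage>
            <!--- cflocation stops processing here, so the requested template does not run --->
            <cflocation url="/login.cfm" addtoken="false">
        </cfif>

        <cfreturn true>
    </cffunction>

</cfcomponent>
```

The login page would set `session.isLoggedIn` to true after verifying credentials and then send the user to `session.returnTo`.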

  • Trying to Deploy an application on Cloud with openrdf-sesame-2.2.4.jar

    Hi,
    I am trying to deploy an application which has dependency on openrdf-sesame-2.2.4.jar (which I can't remove from the app). I am getting the following white list validation errors:

    opola,
    Hi, it looks like you have run into at least the limitations on HD/IO access, security restrictions and running/viewing native processes. See the whitelist exclusion in the following link.
    Understanding Java Cloud Service Whitelist Criteria
    http://docs.oracle.com/cloud/CSJSU/dev_app.htm#CSJSU7121
    ERROR : 1:Type "java.lang.SecurityManager" not allowed.
    Overriding Java Security Manager
    ERROR : 17:Type "java.lang.Process" not allowed.
    Executing a new Process
    ERROR : 8:Type "java.nio.channels.FileLock" not allowed
    Java non-blocking IO
    Also see the unsupported API list
    http://docs.oracle.com/cloud/CSJSU/dev_app.htm#CEGEADDC
    thank you
    /Michael

  • My Application.cfm File creating trouble?

    I am creating an AForums username/password from the admin panel, and when I try to log in to the forums through the main admin panel it sets the sessions up, as I have dumped them and seen their value. Then I am redirecting the page to the home page, like www.website.com/forums/admin/home.cfm, but I dumped over there and the sessions get lost. I have not included any application.cfm differently in the forums; all my website uses only 1 cfm file, and in this application file I have set the default setting for the forum as session.forums eq false, and when I log in, it just goes true.
    When I locate from the admin page to the forums admin page, the sessions get lost.
    Is there any workaround for this? I have been trying for the last couple of hours but did not find anything specific to this.

    Your "scriptprotect" parameter value in your cfapplication should be "none", "all", or a comma-delimited list of variable scopes (CGI, FORM, URL, etc.) in CF. You might want to check on that value.
    Anyway, where do you put your application.cfm in relation to your directories "main admin" and "forum admin"? Can you show us maybe a little info on your directory structure?
    I'll give you an example (directory structure) where a session variable (which is enabled in application.cfm) is not recognized in another page:
    appRootDir\someDir\admin_panel\home.cfm -> for your main admin panel
    appRootDir\someDir\application.cfm -> for your application.cfm
    appRootDir\forum\forum_admin\home.cfm -> for your forum admin home
    In the above structure, only "appRootDir\someDir\admin_panel\home.cfm" can access the application.cfm, since your main admin panel and application.cfm are both under the directory "appRootDir\someDir\".
    Another structure, similar to the above, will be like this:
    appRootDir\someDir\admin_panel\home.cfm -> for your main admin panel
    appRootDir\forum\application.cfm -> for your application.cfm
    appRootDir\forum\forum_admin\home.cfm -> for your forum admin home
    In the above structure, only "appRootDir\forum\forum_admin\home.cfm" can access the application.cfm, since your forum admin and application.cfm are both under the directory "appRootDir\forum\".
    To make both directories access the same application.cfm, you should have a directory structure similar to the one below, in which both directories can access application.cfm from its current directory:
    appRootDir\someDir\admin_panel\home.cfm -> for your main admin panel
    appRootDir\application.cfm -> for your application.cfm
    appRootDir\forum\forum_admin\home.cfm -> for your forum admin home
    For the above structure, both the main admin panel and the forum admin can see/access your application.cfm, since the application.cfm is accessible in "appRootDir\".
    Maybe your directory structure is already similar to this, but you might want to check it again. Also, is there any clearing of session variables in any of your files?
