Cold Fusion Website Admin Security

Hello all,
I wanted to set up a quick and dirty admin from my coldfusion
site. It is (obviously) database driven, and I have been accessing
the database directly to make all the changes. I want to put an
admin section up, but I am concerned about security. Can someone
point me to a walk through on how to do this securely? I am going
to have more than 1 page in the administrator section. I realize
you could probably do this on just one page, but I want to break it
out more than that. I don't think passing variables in the URL is
the right way to do it.

Hi Mike,
Once the update is applied, CFadmin > System Information should report, e.g.:
Update Level  D:/ColdFusion11/cfusion/lib/updates/chf11000002.jar
CFadmin > Server Update > Updates > Installed updates tab should say, e.g.:
ColdFusion 11 Update 1
Update Level: 01
Update Type:  General
Install Date: Tue, 23 Sep 2014 10:26:01 +1000
Update Description:  etc
Perhaps you could try to apply the update manually. The updates are likely downloaded and located here:
\ColdFusion11\cfusion\hf-updates
as hotfix_001.jar or hotfix_002.jar for update 1 and 2. Run a CMD prompt as administrator, CD (change directory) to \ColdFusion11\jre\bin, then type in (drive letter and paths may vary):
java -jar c:\ColdFusion11\cfusion\hf-updates\hotfix_002.jar
Follow the graphic window prompts, specifying correct paths as needed.
Reminder: update 1 and update 2 have a patch for the CF to IIS connector. This needs applying manually after the update with the WSCONFIG tool.
HTH, Carl M.
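
One way to confirm the result of the manual install described in the reply above, as an added example that is not part of the original post: it compares the update jar in lib/updates with the installers sitting in hf-updates and lists any that were downloaded but not applied. It assumes the applied jar is named chf<version><update>.jar with the update number in the last four digits (as in chf11000002.jar) and that installers are named hotfix_NNN.jar; the function names and the sample directory tree are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumption: applied jar = chf<4-digit version><4-digit update>.jar,
# e.g. chf11000002.jar (the file name shown under "Update Level" in the post).
APPLIED_RE = re.compile(r"^chf(\d{4})(\d{4})\.jar$", re.IGNORECASE)
# Downloaded installers as named in the post: hotfix_001.jar, hotfix_002.jar.
DOWNLOADED_RE = re.compile(r"^hotfix_(\d{3})\.jar$", re.IGNORECASE)


def applied_update(cfusion_dir):
    """Highest update number found in lib/updates, or 0 if none is applied."""
    updates = Path(cfusion_dir) / "lib" / "updates"
    levels = [0]
    if updates.is_dir():
        for jar in updates.iterdir():
            match = APPLIED_RE.match(jar.name)
            if match:
                levels.append(int(match.group(2)))
    return max(levels)


def downloaded_updates(cfusion_dir):
    """Update numbers of the installers present in hf-updates, sorted."""
    hf_dir = Path(cfusion_dir) / "hf-updates"
    found = []
    if hf_dir.is_dir():
        for jar in hf_dir.iterdir():
            match = DOWNLOADED_RE.match(jar.name)
            if match:
                found.append(int(match.group(1)))
    return sorted(found)


def pending_updates(cfusion_dir):
    """Installers that were downloaded but are newer than the applied level."""
    level = applied_update(cfusion_dir)
    return [n for n in downloaded_updates(cfusion_dir) if n > level]


def build_sample_tree(root, applied, downloaded):
    """Create a constructed cfusion directory layout (empty jar files)."""
    cfusion = Path(root) / "ColdFusion11" / "cfusion"
    (cfusion / "lib" / "updates").mkdir(parents=True)
    (cfusion / "hf-updates").mkdir(parents=True)
    for n in applied:
        (cfusion / "lib" / "updates" / f"chf1100{n:04d}.jar").touch()
    for n in downloaded:
        (cfusion / "hf-updates" / f"hotfix_{n:03d}.jar").touch()
    return cfusion


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed case: update 1 applied, update 2 downloaded only.
        cfusion = build_sample_tree(tmp, applied=[1], downloaded=[1, 2])
        print("applied level:", applied_update(cfusion))
        print("downloaded:   ", downloaded_updates(cfusion))
        print("pending:      ", pending_updates(cfusion))
```

On a real server, pass the cfusion directory (for example the \ColdFusion11\cfusion path from the post) to `pending_updates`; a non-empty result means an installer still has to be run.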

Similar Messages

  • Cold Fusion Websites fails

    I have site on a Cold Fusion MX Version: 6,1,0,hf45343_611
    running on A Windows 2000 server and IIS5 using a Microsoft SQL
    2000 Cluster in the backend. When ever the cluster fails over the
    websites fail. I then have to restart the 3 Cold Fusion Services
    and do an IIS reset. Is there a setting that I can use to avoid
    having to reset the services on the webserver?

    Hi Upen,
    Thanks for your response. It is a 64 bit machine and the setup is also 64 bit.
    I would like to mention some points related to my deployment scenario:
    We have a Windows server 2008 R2 Standard edition on Server machine.
    I have a .net website application deployed and running on this.
    One of our third party vendors is developing a Cold Fusion application.
    This Cold Fusion application will be integrated in our .net website.
    Deployment and configuration of the Cold Fusion application and server will be done by the third party vendor.
    I need to install Cold Fusion and give access to the third party.
    Issue: when I install Cold Fusion using default settings, my .net website does not get loaded.
    In Mozilla and Chrome browsers I get a blank page with only the background image given in Body tab of the page displayed.
    In IE browser the page with the background image given in Body tab plus this text ' <script> src="" ' is getting displayed.
    Regards,
    Sarfaraj Shaikh

  • How to register Rest web services in Cold Fusion 9 administration console?

    I am building a Rest web service using Cold Fusion 9 and Cold Fusion Builder 3 and now I want to register it on Cold Fusion 9 admin console, but I didn't see any option there as in CF 10 and CF 11 Data Services ---> Rest Web service. So, please tell me how to register my Rest web service in CF 9 either through admin console or through code?

    Simple answer: you can't.  REST services were a new feature released with CF10.  Alternatively, you can use a community-supported framework to provide REST services, such as:
    Taffy (a dedicated REST framework)
    FW/1 (an MVC framework with REST capabilities)
    ColdBox (an MVC framework with REST capabilities)
    -Carl V.

  • How to register Rest web services in Cold Fusion 9 ?

    I am building a Rest web service using Cold Fusion 9 and Cold Fusion Builder 3 and now I want to register it on Cold Fusion 9 admin console, but I didn't see any option there as in CF 10 and CF 11 Data Services ---> Rest Web service. So, please tell me how to register my Rest web service in CF 9 either through admin console or through code?

    You've posted this question twice.  Please delete this one and people can respond to the other one.
    -Carl V.

  • Cold fusion 9 Installation on Windows server 2008 (IIS 7.0) - IIS websites not working ?

    I am having a 64 bit machine on which windows server 2008 R2 is installed. IIS 7.0 is configured and running on it. on which I have my organisations main website. I have to install Cold fusion on this machine as some of my site pages are designed with CF.
    I used all the default settings for installing cold fusion 9. It got completed successfully. But after I restarted my system and tried accessing my ASP.net website it was not loading the page. Text getting displayed was only as follows '<script> src="'. Later I uninstalled CF and my site was working fine.
    Please can any one guide me to successfully install Cold fusion without disturbing my main site deployed on IIS ?

    Sarfarajms, I don't recognize what about the CF install would conflict with ASP.NET, but I'll note this:
    If you downloaded CF 9 recently, you are still running 9.0--which does NOT formally support IIS 7. If you followed the steps about enabling IIS 6 compatibility and such (in the install guide or some blog entry), perhaps that caused the conflict.
    Instead, you will want to install 9.0.1 (CF 9 Updater 1, which is NOT provided in the current 9.0 install). THAT is the first release to formally support IIS 7. And if you read the updater installation guide (http://www.adobe.com/support/documentation/en/coldfusion/901/cf901install.pdf), it discusses how to deal with the upgrade depending on what you had done with respect to IIS, starting at the bottom of its page 8.
    Hope that helps.
    /charlie

  • Cold Fusion MX 7 MultiServer Cluster Question

    Hey all,
    I've configured 2 Cold Fusion MX 7 servers running 2
    instances each. I've configured a cluster between them and have the
    Proxy Listener up and running.
    When I access the page, everything comes up just fine... but
    when I round robin between them, I'm losing my session.
    I've enabled J2EE Session variables, I enabled the load
    balancing of sessions in the JRun admin console on the machines.
    What am I doing wrong? I know the session is being written
    to the machine(s) because I can see them in the directories on the
    servers.

    We've been having a similar issue, with occasional pages
    hanging for hundreds of seconds at that same
    JrppBufferedOutputStream, which SeeFusion identifies as "Writing
    completed page back to the Web server".
    This happens randomly throughout the day, more often when
    there's more traffic, but also in the wee hours with relatively few
    visitors; nothing else appears to be going on, often with the
    long-running thread the only active thread.
    Our setup is pretty similar to yours, CFMX7, MSSQL2000,
    Win2k3 Server, but with dual Xeons instead of single-CPU. We've
    applied the significant hotfixes, including the DST update to the
    1.4.2_11 JVM. I'm not positive we've updated to the latest IIS
    connector (as mentioned in
    http://www.adobe.com/support/security/bulletins/apsb07-02.html),
    but will be checking, just to be sure. If you also don't have the
    newest connector installed, that would be an interesting
    commonality.
    We had problems in the past with CF locking up completely
    during one of these hung threads, but after some tweaking to
    stabilize memory usage below 80%, the lockups are rare.
    So I have no answer, but will be sure to share any solution
    we do find with you, and hope you'll do the same! :*)

  • What's happening with cold fusion?!

    first, this very page is throwing js errors in both ie8 and firefox 24.0  , i can't reply to any posts
    then, with all this flurry of security breaches on gov websites running cold fusion, do we have a comprehensive white paper showing how to plug all the security holes that were uncovered?

    Thanks Carl,
    when clicking the reply link on the forum, in ie8 i get:
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
    Trident/4.0; (R1 1.6); .NET CLR 2.0.50727; .NET CLR 3.0.04506.30;
    .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729;
    InfoPath.3)
    Timestamp: Mon, 18 Nov 2013 15:26:45 UTC
    Message: Not implemented
    Line: 1616
    Char: 13546
    Code: 0
    URI:
    http://forums.adobe.com/4.5.6/resources/scripts/gen/220b1b06a29f901e1d24252ac800883e.js
    and in fireFox:
    ReferenceError: $ is not defined
    https://www.adobe.com/account/sign-in.adobedotcom.html?returnURL=%2Fcfusion%2Fmembership%2 Findex%2Ecfm%3Floc%3Den%5Fus%26nl%3D1%26ref%3Dlogin
    Line 70
    ion amariutei | [email protected] | 212-578-1011
    From: Carl Von Stetten <[email protected]>
    To: ion <[email protected]>
    Date: 11/18/2013 11:19 AM
    Subject: what's happening with cold fusion?!
    Re: what's happening with cold fusion?!
    created by Carl Von Stetten in Advanced Techniques
    Site seems to be working fine for me.  As to plugging security holes, there are two things you need to do:
    1. Keep your servers updated with the latest patch(es).  If you are on CF10, use the built-in automatic updater.  If on CF8 or CF9, take a look at David Epler's Unofficial Updater project.
    2. Follow the appropriate ColdFusion lockdown guide for the version you are running.
    For CF9:
    http://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf
    For CF10:
    http://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf10/cf10-lockdown-guide.pdf
    -Carl V.

  • Need to dial a phone number from Cold Fusion

    My boss asked me if there was any way that a phone number
    could be dialed from Cold Fusion. We have a website where at some
    point we want to just click a button and dial that phone number. My
    guess is that the conversation will then be carried through the
    computer's microphone and speakers and using the computer's modem.
    Let me know if there is a way, or what would be the easiest
    way to accomplish this, even if it has to be using VOIP, since
    that's an option for this project.
    Thanks!

    Is this an internal site or a public-facing site? If you are
    talking about using this tool in your intranet and you have a
    modern phone system in place, there may be an API for interfacing
    with your phone system. We use a TAPI interface to create a phone
    dialer so our callcenter agents can dial a phone number on their
    phone just by clicking on a link. I'm pretty sure there are a bunch
    of freeware/shareware TAPI COM objects you can use floating around
    the interwebs (If your phone system supports TAPI).
    If you are talking about a public-facing website, then I'm
    afraid I can't offer much advice other than to check out the Java
    Communications lead that Ted gave you.

  • Modifying cold fusion script not picked up by iis

    We are running coldfusion 7, using iis6 on windows 2003 server. I am not a cold fusion developer and this is the only coldfusion script we have created by a previous developer. I needed to make some simple modifications to the script, including a change in the title. After having restarted IIS the modified script is still not showing the new title. What do I need to do for iis to show the changes in the cfm file?

    It's in the CF Administrator, which is separate from the JRun Admin Console. You can often get to the CF Administrator with a URL like this:
    http://your_server/CFIDE/administrator/
    Dave Watts, CTO, Fig Leaf Software
    http://www.figleaf.com/
    http://training.figleaf.com/
    Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
    GSA Schedule, and provides the highest caliber vendor-authorized
    instruction at our training centers, online, or onsite.
    Read this before you post:
    http://forums.adobe.com/thread/607238

  • There is a problem with this website's security certificate.

    There is a problem with this website's security certificate.
    Error this morning on xxx.emea.acrobat.com

    You attempted to reach admin.emea.acrobat.com, but the server presented an expired certificate. No information is available to indicate whether that certificate has been compromised since its expiry. This means that Google Chrome cannot guarantee that you are communicating with admin.emea.acrobat.com and not an attacker. You should not proceed.

  • Cannot browse server following installation of hotfix 4 to Cold Fusion 9.0.1

    Hi
    I've been tasked with updating a ColdFusion 9.0.1 installation to the latest patches.  I've started with Hotfix 4.  The installation appeared to go OK, and the services started after I applied the update.  However, when I went to move on to the next update (APSB13-10), starting by browsing to the update file, I ran into a problem.  When I click on the "browse server" button to locate the .jar file for the next update I encounter an error:  "Unable to authenticate on RDS server using current security information".  I've also found that if I try to put the full path into the Update File line and hit "Submit Changes" it errors.
    This seems to be the same problem as http://forums.adobe.com/message/5256752#5256752, but there's no solution to the problem in that discussion.
    I've checked the RDS settings, and RDS is unchecked.  I notice that this screen is different from the pre-upgrade screen, but this seems to be as a result of, I think, APSB13-03, which is included in HotFix 4.  If I try to make any changes on this screen it errors and logs me out of the Cold Fusion administrator.  I've tried commenting out the RDS section in the web.xml file, but this gives me a different error.
    I'm doing this on an isolated test server which has no access to the network.  If I revert to the snapshot I took before the upgrade attempt ColdFusion runs as expected.
    Any ideas what might be the problem?  Thanks in advance.

    In case it helps anyone I've realised what I was doing wrong here.
    The main “problem” was that one of the updates included in Cumulative Hotfix 4 is APSB13-03 (http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-03.html).  I knew this changed the behaviour of RDS but my knowledge prior to this work of ColdFusion and in particular RDS was very limited, and so I didn't understand the implications of this hotfix.  What this update does is disable RDS by default; I wasn't really aware what the RDS status of my server was prior to the update, partly because before this update there is no "disable RDS" tick box to show whether it is enabled or disabled.  With RDS disabled, you can't browse as the update instructions require you to do.  Obviously RDS was enabled on my setup without me realising it.
    My understanding of this wasn't helped by the fact that when I tried to paste a path into the box and hit the "update" button I got a different error, which I described in my original post.  Similarly if I tried to change RDS settings, or do pretty much anything in the administrator, it failed and logged me out in the same way.  It seemed to me that the whole thing was broken by the updates and I didn't know how to fix it.
    So, following the excellent advice of Charlie Arehart in two articles: http://www.carehart.org/blog/client/index.cfm/2010/12/12/cfmyths_cumulative_hotfixes and http://www.carehart.org/blog/client/index.cfm/2011/10/21/why_chfs_may_break, I went back to the start and installed the cumulative hotfixes one by one.  Although I don't think I actually needed to do this, as Hotfix 4 seems to contain all the previous hotfixes, it did help me realise that the browsing/RDS issue and the error and logout when I tried to do anything in the administrator were two different problems. After a further bit of googling I found people suggesting that you should use https to access the administrator, but the shortcut I had was taking me to http (as far as I know I was using the default shortcut).  I found that by going to https the problem of being logged out when trying to do anything disappeared and I could put a UNC path in to update the .jar file for the next update.  I also was now able to enable RDS for single password and could browse like the hotfix instructions advise.  I've since disabled RDS and accepted the inability to browse as a "feature", happy that it's more secure as a result.
    So my “problems” were largely self-inflicted due to my own ignorance of the product, but it wasn’t helped by Adobe’s apparent inability to grasp that there may be similarly ignorant people attempting these updates.  It would have been nice to see some guidance from them.  Furthermore, the cumulative hotfix 4 page (http://helpx.adobe.com/coldfusion/kb/cumulative-hotfix-4-coldfusion-901.html) doesn’t even mention RDS, let alone that the default behaviour changes.  It’s only when you check the individual hotfix information that you can see the information that helped me to realise where I was going wrong.
    As for using https not http; great, but if I’m right that my shortcut is the default out-of-the-box shortcut, where’s the information to advise to change to using https as a result of one of the hotfixes included in hotfix 4 (originally, I think, hotfix 2)?  It’s certainly not mentioned on the page for cumulative hotfix 4. 
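
A check related to the post above, which mentions commenting out the RDS section of web.xml: this added example (not part of the original post, and not Adobe's code) reports whether the RDS servlet and its URL mapping are still active in a web.xml, and flags the half-commented case. It assumes the servlet is named RDSServlet and mapped to /CFIDE/main/ide.cfm; the sample files are constructed, and it inspects web.xml only, not the Administrator's RDS setting.

```python
import xml.etree.ElementTree as ET

# Assumption: the RDS servlet is named RDSServlet in the server's web.xml.
RDS_SERVLET = "RDSServlet"

# Constructed sample fragments, not copied from a real server.
OTHER_SERVLET = """
  <servlet>
    <servlet-name>CfmServlet</servlet-name>
    <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
  </servlet>"""
RDS_DEFINITION = """
  <servlet>
    <servlet-name>RDSServlet</servlet-name>
    <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
  </servlet>"""
RDS_MAPPING = """
  <servlet-mapping>
    <servlet-name>RDSServlet</servlet-name>
    <url-pattern>/CFIDE/main/ide.cfm</url-pattern>
  </servlet-mapping>"""


def build_web_xml(servlet=True, mapping=True, xmlns=""):
    """Assemble a sample web.xml; False wraps that section in an XML comment."""
    def part(text, active):
        return text if active else "\n  <!--" + text + "\n  -->"
    return ("<web-app" + xmlns + ">" + OTHER_SERVLET
            + part(RDS_DEFINITION, servlet) + part(RDS_MAPPING, mapping)
            + "\n</web-app>")


def _local(tag):
    """Drop an XML namespace prefix so DTD-style and namespaced files both work."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def rds_status(web_xml_text):
    """Return (state, url_patterns) for the RDS servlet in a web.xml string."""
    root = ET.fromstring(web_xml_text)  # the parser discards XML comments
    defined, patterns = False, []
    for elem in root:
        if _child_text(elem, "servlet-name") != RDS_SERVLET:
            continue
        kind = _local(elem.tag)
        if kind == "servlet":
            defined = True
        elif kind == "servlet-mapping":
            patterns.append(_child_text(elem, "url-pattern"))
    if defined and patterns:
        state = "enabled"
    elif not defined and not patterns:
        state = "disabled"
    else:
        state = "inconsistent"  # only one of the two sections is commented out
    return state, patterns


if __name__ == "__main__":
    ns = ' xmlns="http://java.sun.com/xml/ns/javaee"'
    print(rds_status(build_web_xml()))
    print(rds_status(build_web_xml(servlet=False, mapping=False)))
    print(rds_status(build_web_xml(servlet=False, xmlns=ns)))
```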

  • Email a form without Cold Fusion

    Hi everyone,
    I have a client whose hosting doesn't provide Cold Fusion. on
    his website, there is a form that the content must be emailed to
    him after customer submission. Is there anyway to do it without
    cold fusion, Cfmail command?
    thanks in advance.

    you can just use a regular mailto with a form, and it will send. However the
    formatting on the receiving end is somewhat of a pain in the
    "Shida" <[email protected]> wrote in message news:eo1cgi$s0o$[email protected]..
    > is there any way other than CF or ASP or PHP?
    > I have heard of some kinds of web forms, but I don't know about them
    > either.

  • What can be done when Cold Fusion 9 ODBC Services will not install?

    What can be done when 64-bit Cold Fusion 9 ODBC Service will not install on a Windows Server 2008-R2 64-bit machine? Yes, most of the things in other discussions have been tried.

    Hi GDMVU,
    Save the below code as CF9_RemoveOdbc.cfm
    <cfscript>
      // Log in to the Admin API ("admin" is a placeholder for the administrator password)
      // createObject("component","cfide.adminapi.administrator").login("administrator_password");
      createObject("component","cfide.adminapi.administrator").login("admin");
      // Instantiate the datasource object
      myObj = createObject("component","cfide.adminapi.datasource");
    </cfscript>
    <cfscript>
      // Remove the existing ODBC services
      writeOutput("Removing ODBC Services...<br>");
      returnValue = myObj.removeODBCservice();
      writeOutput("ODBC Services removed");
    </cfscript>
    Save the below code as CF9_InstallOdbc.cfm
    <cfscript>
      // Log in to the Admin API ("admin" is a placeholder for the administrator password)
      // createObject("component","cfide.adminapi.administrator").login("administrator_password");
      createObject("component","cfide.adminapi.administrator").login("admin");
      // Instantiate the datasource object
      myObj = createObject("component","cfide.adminapi.datasource");
    </cfscript>
    <cfscript>
      // Install the ODBC services
      writeOutput("Installing ODBC Services...<br>");
      returnValue = myObj.installODBCservice();
      writeOutput("ODBC Services installed");
    </cfscript>
    Now try the following steps:
    1. Change the admin password in the above .cfm pages for your CF 9 server.
    2. Use the RemoveOdbc cfm page first to remove any existing faulty/corrupted Odbc services.
    3. Use the InstallOdbc cfm page to install Odbc services there.
    Hope this helps.
    Regards,
    Anit Kumar

  • Cold Fusion Application Server

    Hello all,
    I'm having the weirdest issue with our CF server. They do not
    run. However when I start Cold Fusion Application Server, I cannot
    login to any of my backend admins. I suspect that it is because it
    tries to set an application variable. Then I check to see if
    the app var is set, if not it redirects to the login page.
    I am guessing that the app var is not being set. If I stop
    Cold Fusion Application Server, everything works fine.
    I don't want to have to reinstall CF 5 (on Windows 2000 srv).
    Any ideas???
    thanks

    DettCom,
    I had a similar problem to this, but I don't know if you have
    the same configuration (it was on CF 6.1). I don't know a whole lot
    on CF 5.
    I was storing client variables in the cdata/cglobal tables,
    and one variable's string ended up longer than I had planned for
    (although it was, in fact, correct). I had to increase the size of
    the "data" field in CDATA.
    Also, anything in the logs? (I know you probably would have
    mentioned if there were).
    - Mike

  • Cold fusion 9 500 - Internal server error.

    all of a sudden none of our cfm web pages work on a windows 8 server running iis 7 .... the server shows no errors in the event viewer .... occasionally functionality comes back w/o doing anything ...... cold fusion did have all the hotfixes updated a few months ago but i cant get to the admin page to give what the version is
    thxs

    Well if you got over your misplaced indignation for a moment, let's see:
    ColdFusion is what people will google for, so in the spirit of helping others who might have the same question as you later on, spelling it right will help the community.
    Jason's observation that you give us absolutely nothing to go on so it's basically impossible to help you is a fairly poignant observation, right? You do want help? Right, so here's some suggestions:
    Articulate your issue clearly, with sufficient detail that we can help you. Read this:
    http://www.catb.org/esr/faqs/smartquestions.html
    Secondly... being rude to someone like Jason who really is one of the most helpful people on
    these forums is a pretty stupid idea. And just serves to make you look a bit of a [profanity edited out]. Esp. with the caps lock on.
    But anyway, let's call that a false start. Give us the details of your issue, and we'll try to help.
    Cheers.
    Adam
    Message was edited by: m.m.murphy
