Fixing Application.cfm
First of all, I'm dealing with a poorly written app. I have
added a directory off the webroot called checkout. I've placed the
.cfm files to handle processing cards using a secure link. I'm able
to post the amount to charge to the page that gets the customer's
info (cc, expdate, name, etc). This page is accessed securely
through https. But when I want to post the entered card num, etc to
the following page I'm presented with a login prompt. I should be
presented with the following page where the data was posted but I'm
not. I know this has to do with some logic in the Application.cfm
file in the webroot because it has a section of code that allows
only certain requests to go through based on defined variables,
where the default action if no variable is defined is to cfinclude
the login.cfm template.
I don't know how to get around this (much less, fix it)
without breaking other code. The reason for the logic in
Application.cfm is just to keep non-logged in users out of the
members only webpages.
Any ideas on how I can circumvent or better yet fix this
issue? Enclosed is application.cfm
My first thought, because I have made this mistake several
times is that the "A" in Application.cfm needs to be capital on
*nix systems. I am not sure if that includes Macs.
Similar Messages
-
Application.cfm and CFC's
for some reason my cfc is not seeing any of the variables set
in application.cfm. Furthermore it does not see them when I use
application.cfc. I am running 6.1MX on iis5. Any info would be
helpful.
Thanks
Duke Snyder wrote:
> for some reason my cfc is not seeing any of the variables set in
> application.cfm. Furthermore it does not see them when I use application.cfc. I
> am running 6.1MX on iis5. Any info would be helpful.
>
> Thanks
>
In deference to Adam, I'm going to go ahead and make a guess.
Directory structure is very important here. Application.cfm will only apply to code that is run in the same directory or any subdirectory thereunder. This applies to CFCs as well. A common idea is to place a CFC in some type of common folder that is outside the normal application structure, thus the CFC is not in the directory structure under which the Application.cfm file has dominion. So it will not apply in such a case.
If this is so, the fix is to either move the CFC so that it is under the Application.cfm dominion, or to provide it its own <cfapplication...> tag with the desired application name to be able to access the desired application scope. This can be done directly in the CFC file or an Application.cfm file in the CFC folder hierarchy.
Of course doing so really complicates the usefulness of having CFCs in a common place where they can be used by multiple applications equally. Thus providing a strong argument to the OOP concept of encapsulation: that an object (component) should not be aware of anything outside of itself and everything it needs to do its job should be passed into it. I.e., pass the required application data into the component as arguments and make use of it that way.
-
ODBC Error, think it's bc of Application.cfm
Ok I'm working on a small e-commerce project and it's been
about a year and a half since I've done programming with CF, so I'm
doing a lot of re-learning, basically everything and only remember
a very small bit, so basically I'm noob again.
OK I built my project, I'm using MySQL as my database
container. Everything runs perfectly fine on my local machine
server but when I go to upload it to my hosting provider. I get the
following error when I try to access the database on the hosting
provider.
Error Diagnostic Information
ODBC Error Code = S1000 (General error)
[MySQL][ODBC 3.51 Driver]Access denied for user 'ODBC'@'my IP
address' (using password: NO)
The error occurred while processing an element with a general
identifier of (CFQUERY), occupying document position (1:1) to
(1:54).
OK, my guess right now is that it has something to do with
the user and password authentication, and if that's the case, but
to be honest I have no idea what's going on, cause this problem
doesn't occur when I use PostgreSQL. I hope someone on here has been
through this and knows what's up.
Here's the code in my Application.cfm file
<cfapplication name="joecool-ecom" sessionmanagement="yes" />
<cfset Request.DSN = "joecool-ecom" />
<cfset REQUEST.BasePath = GetDirectoryFromPath(GetCurrentTemplatePath())>
I'm completely lost and have been trying to figure this out
for a solid 7+ hours. I'm hoping that it's just something really
really lame and stupid that I'm doing wrong on my side and that it
can be fixed very easily, but part of me questions if my hosting
provider just plain sucks and that I may end up having to switch
providers or something.
Well, I found a solution and yes it was a b***...
It turns out it had something to do with ODBC on my hosting
provider and MySQL. I ran a test on PostgreSQL and it worked fine,
so I just redid my entire database into PostgreSQL and then changed
all my boolean crap in my code from 1 to TRUE and 0 to FALSE. It
sucked, but at least it works now.
If anyone has any experience with using ODBC with ColdFusion
for MySQL, if you have any ideas of why this error would occur,
please let me know. It has to do with it trying to login
anonymously and not using a PW, but I have no idea how to fix that
on a hosting provider. Talked to them and its just a bunch of
foreigners that don't know anything about computers so....
whatever.
Also if anyone knows any good hosting providers that keep
their ColdFusion current, please let me know. I'm getting away from
mine once my subscription runs out in a few more months. They're
still using ColdFusion 5, which sucks -
Hacking Application.cfm
In the past couple of weeks hackers have somehow been getting access to my application.cfm file and altering it, making my website not come up properly.
Is this a known security problem and does anyone know how to protect the file from getting hacked?
Hi Rene,
I would recommend looking for any unknown file and scheduled task created in the past few months. The file names have been mostly h.cfm and i.cfm. However it can be anything. Please also apply the recent security patches and take the steps mentioned. Fixing the application.cfm might not help completely in case back door files from previous attacks are lying in the server.
Hope this helps.
-
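The reply's advice to look for unfamiliar templates from the past few months can be turned into a quick listing. This is an added example, not code from the thread: it walks the web root with cfdirectory and flags recently modified CFML files and single-letter names such as the h.cfm and i.cfm mentioned above. The 90-day window and the starting point expandPath("/") are assumptions.

```cfml
<!--- audit_recent_templates.cfm: added example, not from the original thread.
      Assumptions: the audit starts at the web root returned by expandPath("/")
      and "past few months" is taken as 90 days. --->
<cfset auditRoot  = expandPath("/")>
<cfset windowDays = 90>
<cfset cutoff     = dateAdd("d", -windowDays, now())>

<!--- cfdirectory reports the last-modified time, not the creation time --->
<cfdirectory action="list" directory="#auditRoot#" recurse="yes"
             name="allFiles" sort="datelastmodified DESC">

<cfoutput>
<table border="1" cellpadding="4">
<tr><th>File</th><th>Last modified</th><th>Bytes</th><th>Flagged because</th></tr>
<cfloop query="allFiles">
    <cfif allFiles.type EQ "File"
          AND reFindNoCase("\.(cfm|cfml|cfc)$", allFiles.name)>
        <cfset reasons = "">
        <cfif dateCompare(allFiles.dateLastModified, cutoff) GTE 0>
            <cfset reasons = listAppend(reasons, "modified within #windowDays# days", ";")>
        </cfif>
        <!--- Names like h.cfm / i.cfm, as reported in the reply --->
        <cfif reFindNoCase("^[a-z]\.cfm$", allFiles.name)>
            <cfset reasons = listAppend(reasons, "single-letter template name", ";")>
        </cfif>
        <!--- Application-level files are always listed so they can be
              compared against a known-good copy --->
        <cfif reFindNoCase("^(application\.(cfm|cfc)|onrequestend\.cfm)$", allFiles.name)>
            <cfset reasons = listAppend(reasons, "application-level template", ";")>
        </cfif>
        <cfif len(reasons)>
            <tr>
                <td>#htmlEditFormat(allFiles.directory & "/" & allFiles.name)#</td>
                <td>#dateFormat(allFiles.dateLastModified, "yyyy-mm-dd")# #timeFormat(allFiles.dateLastModified, "HH:mm")#</td>
                <td>#allFiles.size#</td>
                <td>#htmlEditFormat(reasons)#</td>
            </tr>
        </cfif>
    </cfif>
</cfloop>
</table>
</cfoutput>
```

Scheduled tasks are not covered by this listing; review them separately in the ColdFusion Administrator.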
Problem with application.cfm
I'm just getting back into ColdFusion after a few years...and
I'm already running into a problem with the application.cfm
What could cause this simple error when I try to go to a
coldfusion page (the cfm page would load prior to adding the
application.cfm). Also, can the application name be pretty much
anything? Thanks!
"unknown context error reached at the end of the CFML
templateInvalid expression format. The usual cause is an error in
the expression structure. The last successfully parsed CFML
construct was the CFML template beginning occupying document
position (1:1) to (1:1)."
What are your Operating System, ColdFusion version and web
server? What happens when you experiment with an application file
as simple as this one?
Application.cfm
=============
<cfapplication name="myApp"
applicationtimeout="#createtimespan(1,0,0,0)#"
sessiontimeout="#createtimespan(0,0,20,0)#"
sessionmanagement="yes"
setclientcookies="yes"> -
Trying to understand an application.cfm attack
I have a site that I've been running without issue, for years now - I sniff and block for cross site scripting, sql injection, executable file uploads, and employ honeypot fields on forms...
This past week I wanted to watch some slow page loads for performance, noting their time to execute. I chose to use an application.cfm and an onrequestend.cfm to set a timestamp and to place it on the end of my pages. Prior to this, I have not utilized an application.cfm. I'm pragmatic and look upon the application.cfm as a catch-all to do things that I should be planning better for in my application.
I soon found myself the recipient of a cross site scripting attack. I realised easily that I opened myself wide to this because the application.cfm runs _before_ everything, including my sniffer code. Derrrr!
I deleted the application.cfm and onrequestend.cfm and cleaned up my files having caught it same day and experiencing little damage. The attack was only inserting javascript into my index pages via the application.cfm. Rather ingenious and it was fun to find and consider. Payday loan spam.
I've been google'ing and reading on uploading vulnerabilities, but I can only find one instance where someone described their application.cfm file having been modified in similar fashion, the vector being a vulnerability in fckeditor - which I do not use. Nor do I use any other third party editor plugin.
An article I found mentions vulnerable files in legacy CFDOCS folder that allow access and uploads. I have a fresh install of CF9 so this did not exist. There was a cfx folder tree with some "example" code folders. I've zipped and deleted these.
I have changed ftp to use a non-standard port. Something that I used to do, but failed to re-instate when I moved to a different host. I have a ticket submitted to get help in blocking CFIDE path requests to the outside world (so that it will only be accessible locally via RDP).
If someone/something could modify the application.cfm file, why look for just it, unless it was just a lazy scripted attack looking for application.cfm files specifically. And while I did not have one before, why did someone not just upload their own?
How and why was my application.cfm changed, and why not the index.cfm files directly if they had some other avenue of access?
My question is this - can the application.cfm be tricked into modifying itself?
Thanks in advance!
Sorry about that - a misunderstanding. When you said you "deleted the application.cfm and onrequestend.cfm and cleaned up my files...", I took that to mean you only deleted the code. I assumed the files to still be on the file system. For, to run a ColdFusion application of any substance, you do need an Application file.
aotgnat wrote:
The attack was only inserting javascript into my index pages via the application.cfm .
Not necessarily via the application file. What the attacker may very likely have exploited is a ColdFusion Cross Site Scripting (XSS) vulnerability. This link shows you that a cfform, user-agent HTTP header, etc. may be used in an XSS attack. (See the XSS vulnerabilities relevant to CF9, which include CVE-2009-3467, CVE-2010-1293, CVE-2011-0583, CVE-2011-0733, CVE-2011-0734, CVE-2011-0735, CVE-2011-2463, CVE-2011-4368). -
Application.CFM not loading?
Hi,
I've built several sites under prior versions of CF - but
just recently installed CF MX 7. I'm also new to Linux
installations.
On a site I've built - the pages seem to be working
correctly, except that variables being set in application.cfm are
not being recognized.
When I go to the pages that are utilizing the variables and I
replace them with static values -they are working fine. So I know
the CF server is running and there are no issues from that side.
Is there some CF Admin setting that can be turned off that
I'm not aware of? I know linux is case sensitive with file names -
I have application.cfm in all lower case. Is that wrong??
Any help would be greatly appreciated. My workaround would be
to add a <CFINCLUDE> to the top of all pages that need to
reference those global variables. I'd prefer not to do that.
Thanks!!
Make sure the filename is "Application.cfm" (note the capital
A). Linux is case-sensitive. -
Symbolic Links do not work for Application.cfm in CF10
I have a Web, that use a symbolic link for centralized code.
The Application.cfm, stored in the original web-root, will not read from code
in the linked directory.
Thank you for your assistance.
Adam,
it seems to be a bug.
The "Application.cfc/Application.cfm lookup order" in the ColdFusion Administrator seems not functional as expected. I did several tests and it happens not only at symbolic links. This happens on every subdirectory.
Am I wrong, when I expect, that the "highest" Application.cfm found in a tree should be executed?
Example:
/
  Application.cfm
  aaa.cfm
  subdir1/
    bbb.cfm
  subdir2/
    Application.cfm
    ccc.cfm
Settings in the ColdFusion Administrator
Default order:
- aaa.cfm: should execute the Application.cfm in root (/) only.
- bbb.cfm: should execute the Application.cfm in root (/) only.
- ccc.cfm: should execute the Application.cfm in subdir2 only.
Until Webroot
- aaa.cfm: should execute the Application.cfm in root (/) only.
- bbb.cfm: should execute the Application.cfm in root (/) only.
- ccc.cfm: should execute first the Application.cfm root (/) and then in subdir2
In Webroot
- aaa.cfm: should execute the Application.cfm in root (/) only.
- bbb.cfm: should execute the Application.cfm in root (/) only.
- ccc.cfm: should execute the Application.cfm in root (/) only.
Am I wrong with this?
In my case, only "In Webroot" work as expected.
Torsten -
Which to use application.cfm or application.cfc?
Hi,
Just a general question, I have been using application.cfm
for my applications so far. I came across a tag that would be used
under application.cfc, but I tried putting both templates together
in one application and boom, an error showed up.
So, which is better to use with most of the applications
application.cfm or .cfc?
Thanks for any help!
Syed
It's actually a bit easier to use session and application scope variables with Application.cfc, I think.
Application.cfc has methods for specific "events" or states:
onApplicationStart() -- where to load application variables, security logic, etc.
onSessionStart() -- initialize session variables, etc.
onRequestStart() -- runs at the start of each page request
onRequestEnd()
onSessionEnd()
onApplicationEnd()
onError() -- very nice place to get some good Application-wide error handling code in place
onRequest() -- be sure to read the notes on this method...it's a bit different.
Check out the MX7 reference page for Application.cfc:
http://livedocs.adobe.com/coldfusion/7/htmldocs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=ColdFusion_Documentation&file=00000692.htm
CF* (if you're using that yet)
http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=Part_3_CFML_Ref_1.html -
Turning off application.cfm
Hello,
not sure about this but is there a tag or method whereby I
can overwrite the CF servers automatic inclusion of an
application.cfm (.cfc). I have one page in a sub-subfolder of a
website where the application.cfm is in the top (parent) folder. I
am having problems including this page in a programme and am
looking at any possible causes for this.
One thought was that some methods in my application.cfm may
be causing the error. Without removing or altering the
application.cfm in anyway... is it possible to just deactivate it
on certain pages?
Thanks
> not sure about this but is there a tag or method whereby I can overwrite the
> CF servers automatic inclusion of an application.cfm (.cfc).
No. There is not.
> I have one page in
> a sub-subfolder of a website where the application.cfm is in the top (parent)
> folder.
To bypass this grandparent Application.cfm, you simply have to add a "nearer" Application.cfm which is empty. But...
> I am having problems including this page
... Only the initial template referenced in a request triggers the process that seeks an Application.cfm. If you're simply including the file, Application.cfm plays no part in it (beyond what I already said).
> One thought was that some methods in my application.cfm
There's no such thing as "methods" in an Application.cfm. Do you mean UDFs? Without you actually posting your error, it's a bit hard to guess WTF you're on about, to be honest.
> is it
> possible to just deactivate it on certain pages?
No.
Adam -
Passing variable from one server to another within different application.cfm
Hello all.
Currently, I have 3 servers.
Each is installed with ColdFusion server.
Let's say
server A, server B, and server C.
Server A has the application.cfm for login.
From server A, I want to carry the login ID to server B (also has application.cfm) or server C (also has application.cfm) without having to log in again.
At present, what I'm facing right now:
server A has the application.cfm login and then directs to server B (also has application.cfm).
But server B will request the user to log in again.
Same with server C.
Should I change and modify the application.cfm in server B and C by removing the 'cflogin statement'?
I have no idea.. :chomp: :confused:
Please anybody, help me with this.
I'll admit I'm not the most educated on application/session
management but I'll try and help.
When a user logs into your CF server, it creates the session,
which is only for that server. That's probably the issue you're
running into when the user jumps from one server to the next. You
might want to try using a cookie and CFTOKEN on the login (server
A) and then use the application.cfm file on server B and C to check
for the existence of the token. If it's there (in the client
cookie) then it would allow them access.
---set the application in the application.cfm page on all 3 servers to the same name---
<cfapplication name="myappname"
    sessionmanagement="Yes"
    clientmanagement="Yes"
    sessiontimeout="#CreateTimeSpan(1, 0, 0, 0)#"
    setclientcookies="yes">
---then check for the cookie value on each server as well---
<CFIF IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
    <CFSET Variables.CFID_LOCAL=Cookie.CFID>
    <CFSET Variables.CFTOKEN_LOCAL=Cookie.CFTOKEN>
    <CFCOOKIE NAME="CFID" VALUE="#Variables.cfid_local#">
    <CFCOOKIE NAME="CFTOKEN" VALUE="#Variables.cftoken_local#">
</cfif>
There might be some yes/no variables in the session
management you can set (yes on A, no on B and C) if the above does
not work. But with the users jumping across servers, the cookie
might be the best answer for you.
Actually, I realized something. You would want to set the
setclientcookies only on server A but have B and C check for the
cookie.
Hope some of this helps. -
Application Variables in application.cfm and asp
If anyone could provide some insight into using application
variables declared in application.cfm, but retrieved in asp code,
it would be appreciated.
GOAL: Retrieve values into an asp page from application
variables in application.cfm.
PROCESS: Defined the variables in application.cfm. On an asp
page, defined the application variable in Window -> Bindings.
The application variables defined in the source code show up.
Attempt to retrieve the application variable in the asp page by
using the command: var_destination = Application("var_name")
It seems like whatever I try, the variable is empty. After
looking around on the web, I also saw that the equivalent to
application.cfm in asp is global.asa. I also tried setting up this
file, along with the variables, did the binding, and used the same
commands, and also was not able to retrieve any application
variables.
What am I missing?
What am I missing?
That ColdFusion and ASP.NET are different applications and do not share the same memory addresses. So they are going to each have their own "application" variables.
Blue Dragon has implemented CFML as an ASP.NET language so that one could write ColdFusion that runs on the ASP.NET framework and would then use the same memory locations with their server.
Otherwise you are going to have to write your own sharing tool. Some code that can read the desired variables from one code base and pass it to the other code base through forms, web services or some other manner.
-
How to manage application.cfm in SVN environment
Should the application.cfm page even be committed/updated?
With all the different locals, branches and tags to take into
account, wouldn't this render the application.cfm page huge? How
are folks handling the application.cfm page?
Right now, our application.cfm page takes into consideration:
4 dev locals, 1 dev server and 1 production server. I'd like to
introduce branching into our workflow, just not sure how this will
affect this file.
sk8, here goes. What we do isn't 100% what you're doing in that we're not dealing with different branches of code, but I'll try to describe a way in which I think this is easily accommodated. I'm certainly not passing this off as johnny-super-clever-normalized-i'm-so-smart...cause it's not. But it has worked for us for as long as I've been with this company and has proven extremely useful and extensible.
first, we have two tables, applocations and applocationhosts.
applocations:
locationid | locname | webroot | codebaseroot | networkroot | bunch of other roots....whatever
1 | dev | / | \global\ | \\san\alpha\mysite | blah blah blah
2 | test | /mysite/ | \global\ | \\san\\beta\mysite | blah blah blah
3 | staging | /mysite | \global\ | \\someothersan\mysite | blah blah blah
4 | prod | / | \global\ | \\prodsan\mysite\ | blah blah blah
5 | local | /mysite/ | \global\ | \\san\alpha\mysite | blah blah blah
then applocations:
locationid | lochostname
1 | mysite.alpha.mycompany.com
2 | mysite.beta.mycompany.com
3 | staging.mycompany.com
4 | mysite.com
4 | mysite2.com
4 | mysite.org
5 | localhost
then when the app is loaded, we have a query like this:
select * from applocations
where locationid = (select locationid from applocationhosts where lochostname = '#cgi.server_name#')
we then store the results in some application scoped variables (i.e. this query runs once until the application is reset)
then, in our code, we reference things like so:
<cfinclude template="#application.codebaseroot#/blah/blah.cfm">
or
<img src="#application.webroot#\images\myimage.gif">
where codebaseroot is the root to the code (for cfincludes and the like) and webroot is used for all http-ish things like images, cflocations, script includes, etc.
now, in your case, with the different branches, you could possibly just add a few more rows onto applocations, like so:
7 | devtrunk | /mysite/trunk/ | \trunk\global\ | and so forth
8 | devtag | /mysite/tag | \tag\global\ | and so forth
and then possibly you could add another column onto applocationhosts, like so:
locationid | lochostname | key
8 | localhost | tag
and then your query might look something like this:
select * from applocations
where locationid = (select locationid from applocationhosts where lochostname = '#cgi.server_name#')
<cfif isDefined("url.key")>
and key = '#url.key#'
</cfif>
the only tricky thing about that would be that you'd potentially have to have a hook that recognizes that you're trying to change the application's variables, so you'd need to refresh the application. but that shouldn't be too tough.
at any rate, this works for us and has completely negated the need to have code that sets different paths based on environment.
Good luck Sk8!
"sk8save" <[email protected]> wrote in message
news:[email protected]...
> That's the sort of things that I'm talking about yes.
>
> For each developer local (branch, trunk or tag), dev server and production
> server there's an if statement that take cares of application variables. There
> may only be 5-10, but I'm still curious to see how people are dealing with this
> sort of thing.
>
-
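The lookup queries in the reply above place cgi.server_name and url.key directly into the SQL text, and both values arrive with the HTTP request. This is an added example, not the poster's code, of the same lookup with bound parameters and an allow-list for the branch key. The datasource in request.dsn, the column name lockey, the allowedKeys list and the convention that default host rows carry a NULL key are all assumptions.

```cfml
<!--- Added example, not the poster's code. Assumptions: request.dsn holds the
      datasource name, the extra applocationhosts column is called lockey
      (KEY is a reserved word in several databases), default host rows have
      lockey NULL, and allowedKeys lists the branch keys actually in use. --->
<cfset allowedKeys = "trunk,tag">

<!--- Normalise the optional branch key; anything off the allow-list is ignored --->
<cfset branchKey = "">
<cfif structKeyExists(url, "key") AND listFindNoCase(allowedKeys, url.key)>
    <cfset branchKey = lCase(url.key)>
</cfif>

<!--- cgi.server_name can reflect the request's Host header, depending on the
      web server configuration, so it is bound like any other client value --->
<cfquery name="qLocation" datasource="#request.dsn#">
    SELECT l.*
    FROM applocations l
    INNER JOIN applocationhosts h ON h.locationid = l.locationid
    WHERE h.lochostname = <cfqueryparam value="#cgi.server_name#"
                                        cfsqltype="cf_sql_varchar" maxlength="255">
    <cfif len(branchKey)>
      AND h.lockey = <cfqueryparam value="#branchKey#"
                                   cfsqltype="cf_sql_varchar" maxlength="16">
    <cfelse>
      AND h.lockey IS NULL
    </cfif>
</cfquery>

<!--- An unknown or ambiguous host gets no configuration rather than a default --->
<cfif qLocation.recordCount NEQ 1>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- Cache the result in application scope under an exclusive lock --->
<cflock scope="application" type="exclusive" timeout="10">
    <cfset application.webroot      = qLocation.webroot>
    <cfset application.codebaseroot = qLocation.codebaseroot>
</cflock>
```

Because the result is stored in application scope, a request that supplies a key changes the paths for every user until the next reset, so the key switch belongs on development hosts only.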
Setting/changing a date in application.cfm
I need to be able to set a date in the application.cfm file
for example
<CFSET APPLICATION.stopdate='10/15/2014'>
Then in my site on other pages I have code that says
<cfif reportdate GT #APPLICATION.stopdate#>Do This</cfif>
The problem is sometimes I need to change the APPLICATION.stopdate to another date during the middle of the day.
For example I need to change the APPLICATION.stopdate from 10/15/2014 to 10/25/2014
However I notice when I change the APPLICATION.stopdate in the application.cfm to another date during the middle of the day that the APPLICATION.stopdate stays the old date.
How do I make sure that the APPLICATION.stopdate changes sitewide when I change it in the application.cfm?
Do I use another variable scope?
Yes, that's one use of the include directive, lets you add content inline. You missed an "@" there though. It's <%@ include...
EDIT: One word of warning; it is not mandatory for the container to recompile the including JSPs if the included resource is changed! It seems you have a smart container which detected that your included JSP had been modified and so it's reflecting the changes in the other files too. But this is not required behaviour and so you shouldn't count on it. AFAIK, Tomcat will also do the same.
Also, this is a good reason why, even though it seems like a good idea to put the DB URL into one JSP and include it everywhere so that you have only one entry to change when the DB changes, it's still risky. A better way would be to put it as a <context-param> or something similar.
Edited by: nogoodatcoding on Sep 28, 2007 10:15 PM