Messy Application.cfm issue

Similar Messages

• Trying to understand an application.cfm attack

  I have a site that I've been running without issue, for years now - I sniff and block for cross site scripting, sql injection, executable file uploads, and employ honeypot fields on forms... 
  This past week I wanted to watch some slow page loads for performance, noting their time to execute.  I chose to use an application.cfm and an onrequestend.cfm to set a timestamp and to place it on the end of my pages.  Prior to this, I have not utilzed an application.cfm.  I'm pragmattic and look upon the application.cfm as a catch-all to do things that I should be planning better for in my application.
  I soon found myself the recipient of a cross site scripting attack.  I realised easily that I opened myself wide to this because the application.cfm runs _before_ everything, including my sniffer code. Derrrr!
  I deleted the application.cfm and onrequestend.cfm and cleanded up my files having caught it same day and experiencing little damage.  The attack was only inserting javascript into my index pages via the application.cfm .  Rather ingenious and it was fun to find and consider.  Payday loan spam.
  I've been google'ing and reading on uploading vulnerabilities, but I can only find one instance where someone described their application.cfm file having been modified in similar fashion, the vector being a vulnerability in fckeditor - which I do not use. Nor do I use any other third party editor plugin.
  An article I found mentions vulnerable files in legacy CFDOCS folder that allow access and uploads.  I have a fresh install of CF9 so this did not exist.  There was a cfx folder tree with some "example" code folders.  I've zipped and deleted these.
  I have changed ftp to use a non-standard port.  Something that I used to do, but failed to re-instate when I moved to a different host.  I have a ticket submitted to get help in blocking CFIDE path requests to the outside world (so that it will only be accessable locally via RDP).
  If someone/something could modify the application.cfm file, why look for just it, unless it was just a lazy scripted attack looking for application.cfm files specifically.  And while I did not have one before, why did someone not just upload their own?
  How and why was my application.cfm changed, and why not the index.cfm files directly if they had some other avenue of access?
  My question is this - can the application.cfm be tricked into modifying itself?
  Thanks in advance!

  Sorry about that - a misunderstanding. When you said you "deleted the application.cfm and onrequestend.cfm and cleanded up my files...", I took that to mean you only deleted the code. I assumed the files to still be on the file system. For, to run a ColdFusion application of any substance, you do need an Application file.
  aotgnat wrote:
  The attack was only inserting javascript into my index pages via the application.cfm .
  Not necessarily via the application file. What the attacker may very likely have exploited is a ColdFusion Cross Site Scripting (XSS) vulnerability. This link shows you that a cfform, user-agent HTTP header, etc. may be used in an XSS attack. (See the XSS vulnerabilities relevant to CF9, which include CVE-2009-3467, CVE-2010-1293, CVE-2011-0583, CVE-2011-0733, CVE-2011-0734, CVE-2011-0735, CVE-2011-2463, CVE-2011-4368).

• Application.CFM not loading?

  Hi,
  I've built several sites under prior versions of CF - but
  just recently installed CF MX 7. I'm also new to Linux
  installations.
  On a site I've built - the pages seem to be working
  correctly, except that variables being set in application.cfm are
  not being recognized.
  When I go to the pages that are utilizing the variables and I
  replace them with static values -they are working fine. So I know
  the CF server is running and there are no issues from that side.
  Is there some CF Admin setting that can be turned off that
  I'm not aware of? I know linux is case sensitive with file names -
  I have application.cfm in all lower case. Is that wrong??
  Any help would be greatly appreciated. My workaround would be
  to add a <CFINCLUDE> to the top of all pages that need to
  reference those global variables. I'd prefer not to do that.
  Thanks!!

  Make sure the filename is "Application.cfm" (note the capital
  A). Linux is case-sensitive.

• Passing variable from one server to another within different application.cfm

  hello all.
  currently , i have 3 server..
  each is installed with coldfusion server.
  let says,
  server A,server B, and server C.
  server A has the application.cfm for login.
  from server A , I want to carry the login ID to server B(also
  has application.cfm) or server C(also has application.cfm) without
  having to login again.
  Present, what I facing right now..
  server A has the application.cfm login and then direct to
  server B(also has application.cfm).
  But at server B it will request user to relogin.
  Same with server C.
  should I changed and modified the application.cfm in server B
  and C by removing 'cflogin statement'?
  I have no idea.. :chomp: :confused:
  Please anybody, help me with this..

  I'll admit I'm not the most educated on application/session
  management but I'll try and help.
  When a user logs into your CF server, it creates the session,
  which is only for that server. That's probably the issue you're
  running into when the user jumps from one server to the next. You
  might want to try using a cookie and CFTOKEN on the login (server
  A) and then use the application.cfm file on server B and C to check
  for the existence of the token. If it's there (in the client
  cookie) then it would allow them access.
  ---set the application in the application.cfm page on all 3
  servers to the same name---
  <cfapplication name="myappname"
  sessionmanagement="Yes"
  clientmanagement="Yes"
  SESSIONTIMEOUT=#CreateTimeSpan(1, 0, 0, 0)#
  setclientcookies="yes">
  ---then check for the cookie value on each server as well---
  <CFIF IsDefined("Cookie.CFID") AND
  IsDefined("Cookie.CFTOKEN")>
  <CFSET Variables.CFID_LOCAL=Cookie.CFID>
  <CFSET Variables.CFTOKEN_LOCAL=Cookie.CFTOKEN>
  <CFCOOKIE NAME="CFID" VALUE="#Variables.cfid_local#">
  <CFCOOKIE NAME="CFTOKEN"
  VALUE="#Variables.cftoken_local#">
  </cfif>
  There might be some yes/no variables in the session
  management you can set (yes on A, no on B and C) if the above does
  not work. But with the users jumping across servers, the cookie
  might be the best answer for you.
  Actually, I realized something. You would want to set the
  setclientcookies only on server A but have B and C check for the
  cookie.
  Hope some of this helps.

• Verity search results return application.cfm

  We've got a couple of sites using verity collections to
  search cfml, html, and some mime documents. This is generally
  successful. However, we do see coldfusion script-only pages
  returning in the search results, including application.cfm, and
  other cfm pages that do not display content to the end-user. Since
  there is no HTML renderable content in these pages, why do they get
  included in the results?
  How can I control this behavior? I've looked at the verity
  documentation, and am trying to use the mkvdk utility to delete
  application.cfm from the collection documents, but am getting an
  error. If I can get the syntax down correctly, is this the proper
  way of addressing the problem?
  For instance, I am using the command string:
  mkvdk -delete -collection
  C:\CFusionMX\verity\collections\intranet\file application.cfm
  on my local development machine to try and test this, but get
  an error BadKeys: application.cfm
  I don't understand why these types of files get included in
  the collection in the first place. Oh, we are running CFMX6.1.
  Thanks for any help.
  Kris

  The issue is not how to remove all CFM files from the
  collection. We just want CFM files that do not output anything to
  the user to be excluded from the search index. Most of the files in
  this site are CFM files. Most importantly would be application.cfm,
  form action pages, and other included files.
  Certainly we could parse the results for a filename in a
  predefined list, but we are trying to avoid defining this
  programmatically; thinking that it is odd that these files get
  included in the results at all. In the past we have segmented sites
  using .cfm and .cfml as a way of excluding specific files from the
  index (in the collection definition, we would not include the
  specific extension as required). But this site has been in
  production for some time, and is just now adding a search feature.
  We don't want to rename files, and have to recheck every single
  page and link in the entire site.
  Does that explain what we're trying to do better?
  Cheers,
  Kris

• Fixing Application.cfm

  First of all, I'm dealing with a poorly written app. I have
  add a directory off the webroot called checkout. I've placed the
  .cfm files to handle processing cards using a secure link. I'm able
  to post the amount to charge to the page that gets the customer's
  info (cc, expdate, name, etc). This page is accessed securely
  through https. But when I want to post the entered card num, etc to
  the following page i'm presented with a login prompt. I should be
  presented with the following page where the data was posted but i'm
  not. I know this has to do with some logic in the Application.cfm
  file in the webroot because it has a section of code that allows
  only certain requests to go through based on defined variables,
  where the default action if no variable is defined is to cfinclude
  the login.cfm template.
  I dont' know how to get around this (much less, fix it)
  without breaking other code. The reason for the logic in
  Application.cfm is just to keep non-logged in users out of the
  members only webpages.
  Any ideas on how I can circumvent or better yet fix this
  issue? Enclosed is application.cfm

  My first thought, because I have made this mistake several
  times is that the "A" in Application.cfm needs to be capital on
  *nix systems. I am not sure if that includes Macs.

• Problem with application.cfm

  I'm just getting back into coldfusion after a few years...and
  i'm already running into a problem with the application.cfm
  What could cause this simple error when I try to go to a
  coldfusion page (the cfm page would load prior to adding the
  application.cfm). Also, can the application name be pretty much
  anything? Thanks!
  "unknown context error reached at the end of the CFML
  templateInvalid expression format. The usual cause is an error in
  the expression structure. The last successfully parsed CFML
  construct was the CFML template beginning occupying document
  position (1:1) to (1:1)."

  What are your Operating System, Coldfusion version and web
  server? What happens when you experiment with an application file
  as simple as this one?
  Application.cfm
  =============
  <cfapplication name="myApp"
  applicationtimeout="#createtimespan(1,0,0,0)#"
  sessiontimeout="#createtimespan(0,0,20,0)#"
  sessionmanagement="yes"
  setclientcookies="yes">

• Regarding Sun Java System Application Server Issue with JVM

  Regarding Sun Java System Application Server Issue with JVM
  Hi
  I have installed SJSAS9.1 on solaris system. I m trying to deploy war file which i compiled in windows enviorment by jdk1.5.0_05. Every time i got the following error :
  type Exception report
  message
  descriptionThe server encountered an internal error () that prevented it from fulfilling this request.
  exception
  org.apache.jasper.JasperException: PWC6033: Unable to compile class for JSP
  PWC6199: Generated servlet error:
  [javac] javac: invalid target release: 1.5
  [javac] Usage: javac
  [javac] where possible options include:
  [javac] -g Generate all debugging info
  [javac] -g:none Generate no debugging info
  [javac] -g:{lines,vars,source} Generate only some debugging info
  [javac] -nowarn Generate no warnings
  [javac] -verbose Output messages about what the compiler is doing
  [javac] -deprecation Output source locations where deprecated APIs are used
  [javac] -classpath Specify where to find user class files
  [javac] -sourcepath Specify where to find input source files
  [javac] -bootclasspath Override location of bootstrap class files
  [javac] -extdirs Override location of installed extensions
  [javac] -d Specify where to place generated class files
  [javac] -encoding Specify character encoding used by source files
  [javac] -source Provide source compatibility with specified release
  [javac] -target Generate class files for specific VM version
  [javac] -help Print a synopsis of standard options
  note The full stack traces of the exception and its root causes are available in the Sun Java System Application Server 9.1 logs.
  I have cheked jvm version on both system the only difference is :
  Solaris points to jdk 1.5.0_09
  Windows point to jdk1.5.0_05
  Even i tried to run blank jsp also but again i got the same error.
  Can any help me to sort out the problem or give me any idea so i can do something by my own.
  Thanks in Advance
  Gagan

  Do you have ANT installed and available?
  Thanks,
  Kedar

• Application Deloyment issue...

  hi,
  i am getting this Deployment error...
  we got two servers one for developers at offshore and
  one at the onsite...
  the strange thing is that it is deploying n running fine on the offshore server.
  but not getting deployed on the onsite server!!!
  i have put the required references required and
  checked them too...!!!
  regards,
  -Amol Gupta
  Oct 18, 2007 11:11:04 AM /userOut/deploy (com.sap.ide.eclipse.sdm.threading.DeployThreadManager) [Thread[Deploy Thread,5,main]] ERROR:
  [004]Deployment aborted
  Settings
  SDM host : bp1xeuaa558
  SDM port : 50018
  URL to deploy : file:/C:/DOCUME1/amolg/LOCALS1/Temp/temp26291bp.comexmplsupplier_lds_create_adobe.ear
  Result
  => deployment aborted : file:/C:/DOCUME1/amolg/LOCALS1/Temp/temp26291bp.comexmplsupplier_lds_create_adobe.ear
  Aborted: development component 'exmpl/supplier_lds_create_adobe'/'bp.com'/'LOKAL'/'0.2007.10.18.11.10.17'/'0':
  Caught exception during application deployment from SAP J2EE Engine's deploy service:
  java.rmi.RemoteException: Cannot deploy application bp.com/exmplsupplier_lds_create_adobe.. Reason: Clusterwide exception: Failed to deploy application bp.com/exmplsupplier_lds_create_adobe. Check causing exception for details (trace file). Hint: Are all referenced components deployed and available on the engine?; nested exception is: com.sap.engine.services.deploy.container.DeploymentException: Clusterwide exception: Failed to deploy application bp.com/exmpl~supplier_lds_create_adobe. Check causing exception for details (trace file). Hint: Are all referenced components deployed and available on the engine?
  (message ID: com.sap.sdm.serverext.servertype.inqmy.extern.EngineApplOnlineDeployerImpl.performAction(DeploymentActionTypes).REMEXC)
  Deployment exception : The deployment of at least one item aborted

  >
  I have oracle PL/SQL application performance issue. To open a screen populated with 7,000 records takes 5 minutes.
  I have used SQL Analyze to get Index recomendation. Indexing did not help that much.Switch on a trace on a user who is just about to run that screen - let them rip.
  Stop your trace. Get your trace file. Run it through TKProf.
  Read the book by Cary Millsap that Sybrand recommends (or take a look
  at Chris Lawson) - i.e. read up on trace files and looking at them.
  Get the SQL that is run by the user and try running it from SQLPlus
  on the server (no network or app issues) - set timing on.
  That would be my approach.
  Do you think upgrading or replacing with newer machine can improve performance? Getting a newer machine often satisfies the geek's primeval urge to
  get his grubby little paws onto fancy shiny hardware - it may well
  work for a while, however you're not tackling the underlying cause
  of your problem, and it will (probably) reappear when the limits
  of the new RAM/CPU have been hit.
  If you what is suggested above, at least you'll be able to say
  to your management - "well, if we get a new server, performance
  will improve by this much, until we have (say) 14.000 records in
  the table, when performance will go back to the way it was before".
  Until you run a trace, you will have no idea if the problem will
  scale linearly with the no. of records or how it will
  behave into the future.
  You cannon manage what you cannot measure.
  Paul...
  Taf

• Symbolic Links do not work for Application.cfm in CF10

  I have a Web, that use a symbolic link for centralized code.
  The Application.cfm, stored in the original web-root, will not read from code
  in the linked directory.
  Thank you for your assistance.

  Adam,
  it seems to be a bug.
  The "Application.cfc/Application.cfm lookup order" in the ColdFusion Administrator seems not functional as expected. I did several tests and it happens not only at symbolic links. This happens on every subdirectory.
  Am I wrong, when I expect, that the "highest" Application.cfm found in a tree should be executed?
  Example:
  Application.cfm
  aaa.cfm
  "subdir1"                                 "subdir2"
  bbb.cfm                                   Application.cfm
                                                  ccc.cfm
  Settings in the ColdFusion Administrator
  Default order:
  - aaa.cfm: should execute the Application.cfm in root (/) only.
  - bbb.cfm: should execute the Application.cfm in root (/) only.
  - ccc.cfm: should execute the Application.cfm in subdir2 only.
  Until Webroot
  - aaa.cfm: should execute the Application.cfm in root (/) only.
  - bbb.cfm: should execute the Application.cfm in root (/) only.
  - ccc.cfm: should execute first the Application.cfm root (/) and then in subdir2
  In Webroot
  - aaa.cfm: should execute the Application.cfm in root (/) only.
  - bbb.cfm: should execute the Application.cfm in root (/) only.
  - ccc.cfm: should execute the Application.cfm in root (/) only.
  Am I wrong with this?
  In my case, only "In Webroot" work as expected.
  Torsten

• Which to use application.cfm or application.cfc?

  Hi,
  Just a general question, i have been using application.cfm
  for my applications so far. I came across a tag that would be used
  under application.cfc, but i tried putting both templates together
  in one application and boom, an error showed up.
  So, which is better to use with most of the applications
  application.cfm or .cfc?
  Thanks for any help!
  Syed

  It's actually a bit easier to use session and application
  scope variables with Application.cfc, I think.
  Application.cfc has methods for specific "events" or states:
  onApplicationStart() -- where to load application variables,
  security logic, etc.
  onSessionStart() -- initialize session varialbes, etc.
  onRequestStart() -- runs at the start of each page request
  onRequestEnd()
  onSessionEnd()
  onApplicationEnd()
  onError() -- very nice place to get some good
  Application-wide error handling code in place
  onRequest() -- be sure to read the notes on this
  method...it's a bit different.
  Check out the MX7 reference page for Application.cfc:
  http://livedocs.adobe.com/coldfusion/7/htmldocs/wwhelp/wwhimpl/common/html/wwhelp.htm?cont ext=ColdFusion_Documentation&file=00000692.htm
  CF* (if you're using that yet)
  http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=Part_3_CFML_Ref_1.html

• Turning off application.cfm

  Hello,
  not sure about this but is there a tag or method whereby I
  can overwrite the CF servers automatic inclusion of an
  application.cfm (.cfc). I have one page in a sub-subfolder of a
  website where the application.cfm is in the top (parent) folder. I
  am having problems including this page in a programme and am
  looking at any possible causes for this.
  One thought was that some methods in my application.cfm may
  be causing the error. Without removing or altering the
  application.cfm in anyway... is it possible to just deactivate it
  on certain pages?
  Thanks

  > not sure about this but is there a tag or method whereby
  I can overwrite the
  > CF servers automatic inclusion of an application.cfm
  (.cfc).
  No. There is not.
  > I have one page in
  > a sub-subfolder of a website where the application.cfm
  is in the top (parent)
  > folder.
  To bypass this grandparent Application.cfm, you simply have
  to a "nearer"
  Application.cfm which is empty. But...
  > I am having problems including this page
  ... Only the initial template referenced in a request
  triggers the process
  that seeks an Application.cfm. If you're simply including the
  file,
  Application.cfm plays no part in it (beyond what I already
  said).
  > One thought was that some methods in my application.cfm
  There's no such thing as "methods" in an Application.cfm. Do
  you mean
  UDFs? Without you actually posting your error, it's a bit
  hard to guess
  WTF you're on about, to be honest.
  > is it
  > possible to just deactivate it on certain pages?
  No.
  Adam

• Application Variables in application.cfm and asp

  If anyone could provide some insight into using application
  variables declared in application.cfm, but retrieved in asp code,
  it would be appreciated.
  GOAL: Retrieve values into an asp page from application
  variables in application.cfm.
  PROCESS: Defined the variables in application.cfm. On an asp
  page, defined the application variable in Window -> Bindings.
  The application variables defined in the source code show up.
  Attempt to retrieve the application variable in the asp page by
  using the command: var_destination = Application("var_name")
  It seems like whatever I try, the variable is empty. After
  looking around on the web, I also saw that the equivalent to
  application.cfm in asp is global.asa. I also tried setting up this
  file, along with the variables, did the binding, and used the same
  commands, and also was not able to retrieve any application
  variables.
  What am I missing?

  What am I missing?
  That ColdFusion and ASP.NET are different applications and do
  not share
  the same memory addresses So they are going to each have
  their one
  "application" variables.
  Blue Dragon has implemented CFML as an ASP.NET language so
  that one
  could write ColdFusion that runs on the ASP.NET framework and
  would then
  use the same memory locations with their server.
  Otherwise you are going to have to write your own sharing
  tool. Some
  code that can read the desired variables from one code base
  and pass it
  to the other code base through forms, web services or some
  other manner.

• How to manage application.cfm in SVN environment

  Should the application.cfm page even be committed/updated?
  With all the different locals, branches and tags to take into
  account, wouldn't this render the application.cfm page huge? How
  are folks handling the application.cfm page?
  Right now, our application.cfm page takes into consideration:
  4 dev locals, 1 dev server and 1 production server. I'd like to
  introduce branching into our workflow, just not sure how this will
  affect this file.

  sk8, here goes. what we do isn't 100% what you're doing in
  that we're not
  dealing with different branches of code, but i'll try to
  describe a way in
  which i think this is easily accomodated. I'm certainly not
  passing this off
  as johnny-super-clever-normalized-i'm-so-smart...cause it's
  not. but it has
  worked for us for as long as i've been with this company and
  has proven
  extremely useful and extensible
  first, we have two tables, applocations and applocationhosts.
  applocations:
  locationid | locname | webroot | codebaseroot | networkroot |
  bunch of other
  roots....whatver
  1 | dev | / | \global\ | \\san\alpha\mysite | blah blah blah
  2| test | /mysite/ | \global\ | \\san\\beta\mysite | blah
  blah blah
  3 | staging | /mysite | \global\ | \\someothersan\mysite |
  blah blah blah
  4 | prod | / | \global\ | \\prodsan\mysite\ | blah blah blah
  5 | local | /mysite/ | \global\ | \\san\alpha\mysite | blah
  blah blah
  then applocations:
  locationid | lochostname
  1 | mysite.alpha.mycompany.com
  2 | mysite.beta.mycompany.com
  3| staging.mycompany.com
  4 | mysite.com
  4 | mysite2.com
  4| mysite.org
  5| localhost
  then when the app is loaded, we have a query like this:
  select * from applocations
  where locationid = (select locationid from applocationhosts
  where
  lochostname = '#cgi.server_name#')
  we then store the results in some application scoped
  variables (i.e. this
  query runs once until the application is reset)
  then, in our code, we reference things like so:
  <cfinclude
  template="#application.codebaseroot#/blah/blah.cfm">
  or
  <img src="#application.webroot#\images\myimage.gif">
  where codebaseroot is the root to the code (for cfincludes
  and the like) and
  webroot is used for all http-ish things like images,
  cflocations, script
  includes, etc.
  now, in your case, with the different branches, you could
  possibly just add
  a few more rows onto applocations, like so:
  7 | devtrunk | /mysite/trunk/ | \trunk\global\ | and so forth
  8 | devtag | /mysite/tag | \tag\global\ | and so forth
  and then possibly you could add another column onto
  applocationhosts, like
  so:
  locationid | lochostname | key
  8 | localhost | tag
  and then your query might look something like this:
  select * from applocations
  where locationid = (select locationid from applocationhosts
  where
  lochostname = '#cgi.server_name#')
  <cfif isDefined("url.key")>
  and key = '#url.key#'
  </cfif>
  the only tricky thing about that would be that you'd
  potentially have to
  have a hook that recognizes that you're trying to change the
  application's
  variables, so you'd need to refresh the application. but that
  shouldn't be
  too tough.
  at any rate, this works for us and has completely negated the
  need to have
  code that sets different paths based on environment.
  Good luck Sk8!
  "sk8save" <[email protected]> wrote in
  message
  news:[email protected]...
  > That's the sort of things that I'm talking about yes.
  >
  > For each developer local (branch, trunk or tag), dev
  server and production
  > server there's an if statement that take cares of
  application variables.
  > There
  > may only be 5-10, but I'm still curious to see how
  people are dealing with
  > this
  > sort of thing.
  >

• Setting/changing a date in application.cfm

  I need to be able to set a date in the application.cfm file
  for example
  <CFSET APPLICATION.stopdate='10/15/2014'>
  Then in my site on other pages I have code that says
  <cfif reportdate GT #APPLICATION.stopdate#>Do This</cfif>
  The problem is sometimes I need to change the APPLICATION.stopdate to another date during the middle of the day.
  For example I need to change the APPLICATION.stopdate from 10/15/2014 to 10/25/2014
  However I notice when I change the  APPLICATION.stopdate in the application.cfm to another date during the middle of the day that the APPLICATION.stopdate stays the old date.
  How do I make sure that the APPLICATION.stopdate changes sitewide when I change it in the application.cfm?
  Do I use another variable scope?

  Yes, that's one use of the include directive, lets you add content inline. You missed an "@" there though. It's <%@ include...
  EDIT: One word of warning; it is not mandatory for the container to recompile the including JSPs if the included resource is changed! It seems you have a smart container which detected that your included JSP had been modified and so it's reflecting the changes in the other files too. But this is not required behaviour and so you shouldn't count on it. AFAIK, Tomcat will also do the same.
  Also, this is a good reason why, even though it seems like a good idea to put the DB URL into one JSP and include it everywhere so that you have only one entry to change when the DB changes, it's still risky. A better way would be to put it as a <context-param> or something similar.
  Edited by: nogoodatcoding on Sep 28, 2007 10:15 PM