My Application.cfm File creating trouble?

Similar Messages

• Why does application.cfm file not get processed first?

  I am using ColdFusion 11 on Windows2008 R2. From what I understand, if there is an application.cfm page in the root folder, that any .cfm page below the root will process this page first and then process the regular .cfm page. I noticed that it processes my regular page FIRST and then calls the application.cfm page.
  In my case I have a web page that updates a database, but in my application.cfm page, I check a session variable to see if the user is logged in. If they are not logged in, then I redirect them to a log in page, let them log in, set the session variable and then redirect them back to process the page. But I noticed, that when I run the page, the database gets updated and THEN the user gets redirected to log in, then the database gets updated again.
  Am I not using the application.cfm page correctly? I thought it was supposed to be used to check log ins and things like that. How do I ensure that it runs first?
  Btw, it is the only application.cfm page in the entire web site and I do not have any application.cfc files.
  Thanks.

  It would make things easier to see the code. In any case, from what you say, my guess is that there is no authentication check at the point where the database gets updated. So the update occurs at the start, and again when you later redirect the user to the page.
  On Coldfusion 11, you should actually switch to Application.cfc. There are at least 2 reasons.
  Firstly, recent Coldfusion versions implicitly assume you use Application.cfc by default. Secondly, Application.cfm is outdated and has much less functionality than Application.cfc. For example, Application.cfc allows you much more fine-grained control over your code at the level of request, session and application.

• Passing variable from one server to another within different application.cfm

  hello all.
  currently , i have 3 server..
  each is installed with coldfusion server.
  let says,
  server A,server B, and server C.
  server A has the application.cfm for login.
  from server A , I want to carry the login ID to server B(also
  has application.cfm) or server C(also has application.cfm) without
  having to login again.
  Present, what I facing right now..
  server A has the application.cfm login and then direct to
  server B(also has application.cfm).
  But at server B it will request user to relogin.
  Same with server C.
  should I changed and modified the application.cfm in server B
  and C by removing 'cflogin statement'?
  I have no idea.. :chomp: :confused:
  Please anybody, help me with this..

  I'll admit I'm not the most educated on application/session
  management but I'll try and help.
  When a user logs into your CF server, it creates the session,
  which is only for that server. That's probably the issue you're
  running into when the user jumps from one server to the next. You
  might want to try using a cookie and CFTOKEN on the login (server
  A) and then use the application.cfm file on server B and C to check
  for the existence of the token. If it's there (in the client
  cookie) then it would allow them access.
  ---set the application in the application.cfm page on all 3
  servers to the same name---
  <cfapplication name="myappname"
  sessionmanagement="Yes"
  clientmanagement="Yes"
  SESSIONTIMEOUT=#CreateTimeSpan(1, 0, 0, 0)#
  setclientcookies="yes">
  ---then check for the cookie value on each server as well---
  <CFIF IsDefined("Cookie.CFID") AND
  IsDefined("Cookie.CFTOKEN")>
  <CFSET Variables.CFID_LOCAL=Cookie.CFID>
  <CFSET Variables.CFTOKEN_LOCAL=Cookie.CFTOKEN>
  <CFCOOKIE NAME="CFID" VALUE="#Variables.cfid_local#">
  <CFCOOKIE NAME="CFTOKEN"
  VALUE="#Variables.cftoken_local#">
  </cfif>
  There might be some yes/no variables in the session
  management you can set (yes on A, no on B and C) if the above does
  not work. But with the users jumping across servers, the cookie
  might be the best answer for you.
  Actually, I realized something. You would want to set the
  setclientcookies only on server A but have B and C check for the
  cookie.
  Hope some of this helps.

• Hacking Application.cfm

  In the past couple of weeks hackers have somehow been getting access to my application.cfm file and altering it, making my website not come up properly.
  Is this a known security problem and does anyone know how to protect the file from getting hacked?

  Hi Rene,
  I would recommend looking for any unknown file and schedule task created in past few months. The files names have been mostly h.cfm and i.cfm. However it can be anything. Please also apply the recent security patches and take the steps mentioned. Fixing the application.cfm might not help completely in case back door files from previous attacks are lying in the server.
  Hope this helps.

• Trying to understand an application.cfm attack

  I have a site that I've been running without issue, for years now - I sniff and block for cross site scripting, sql injection, executable file uploads, and employ honeypot fields on forms... 
  This past week I wanted to watch some slow page loads for performance, noting their time to execute.  I chose to use an application.cfm and an onrequestend.cfm to set a timestamp and to place it on the end of my pages.  Prior to this, I have not utilzed an application.cfm.  I'm pragmattic and look upon the application.cfm as a catch-all to do things that I should be planning better for in my application.
  I soon found myself the recipient of a cross site scripting attack.  I realised easily that I opened myself wide to this because the application.cfm runs _before_ everything, including my sniffer code. Derrrr!
  I deleted the application.cfm and onrequestend.cfm and cleanded up my files having caught it same day and experiencing little damage.  The attack was only inserting javascript into my index pages via the application.cfm .  Rather ingenious and it was fun to find and consider.  Payday loan spam.
  I've been google'ing and reading on uploading vulnerabilities, but I can only find one instance where someone described their application.cfm file having been modified in similar fashion, the vector being a vulnerability in fckeditor - which I do not use. Nor do I use any other third party editor plugin.
  An article I found mentions vulnerable files in legacy CFDOCS folder that allow access and uploads.  I have a fresh install of CF9 so this did not exist.  There was a cfx folder tree with some "example" code folders.  I've zipped and deleted these.
  I have changed ftp to use a non-standard port.  Something that I used to do, but failed to re-instate when I moved to a different host.  I have a ticket submitted to get help in blocking CFIDE path requests to the outside world (so that it will only be accessable locally via RDP).
  If someone/something could modify the application.cfm file, why look for just it, unless it was just a lazy scripted attack looking for application.cfm files specifically.  And while I did not have one before, why did someone not just upload their own?
  How and why was my application.cfm changed, and why not the index.cfm files directly if they had some other avenue of access?
  My question is this - can the application.cfm be tricked into modifying itself?
  Thanks in advance!

  Sorry about that - a misunderstanding. When you said you "deleted the application.cfm and onrequestend.cfm and cleanded up my files...", I took that to mean you only deleted the code. I assumed the files to still be on the file system. For, to run a ColdFusion application of any substance, you do need an Application file.
  aotgnat wrote:
  The attack was only inserting javascript into my index pages via the application.cfm .
  Not necessarily via the application file. What the attacker may very likely have exploited is a ColdFusion Cross Site Scripting (XSS) vulnerability. This link shows you that a cfform, user-agent HTTP header, etc. may be used in an XSS attack. (See the XSS vulnerabilities relevant to CF9, which include CVE-2009-3467, CVE-2010-1293, CVE-2011-0583, CVE-2011-0733, CVE-2011-0734, CVE-2011-0735, CVE-2011-2463, CVE-2011-4368).

• Setting/changing a date in application.cfm

  I need to be able to set a date in the application.cfm file
  for example
  <CFSET APPLICATION.stopdate='10/15/2014'>
  Then in my site on other pages I have code that says
  <cfif reportdate GT #APPLICATION.stopdate#>Do This</cfif>
  The problem is sometimes I need to change the APPLICATION.stopdate to another date during the middle of the day.
  For example I need to change the APPLICATION.stopdate from 10/15/2014 to 10/25/2014
  However I notice when I change the  APPLICATION.stopdate in the application.cfm to another date during the middle of the day that the APPLICATION.stopdate stays the old date.
  How do I make sure that the APPLICATION.stopdate changes sitewide when I change it in the application.cfm?
  Do I use another variable scope?

  Yes, that's one use of the include directive, lets you add content inline. You missed an "@" there though. It's <%@ include...
  EDIT: One word of warning; it is not mandatory for the container to recompile the including JSPs if the included resource is changed! It seems you have a smart container which detected that your included JSP had been modified and so it's reflecting the changes in the other files too. But this is not required behaviour and so you shouldn't count on it. AFAIK, Tomcat will also do the same.
  Also, this is a good reason why, even though it seems like a good idea to put the DB URL into one JSP and include it everywhere so that you have only one entry to change when the DB changes, it's still risky. A better way would be to put it as a <context-param> or something similar.
  Edited by: nogoodatcoding on Sep 28, 2007 10:15 PM

• Application.cfm and CFC's

  for some reason my cfc is not seeing any of the variables set
  in application.cfm. Furthermore it does not see them when I use
  application.cfc. I am running 6.1MX on iis5. Any info would be
  helpful.
  Thanks

  Duke Snyder wrote:
  > for some reason my cfc is not seeing any of the
  variables set in
  > application.cfm. Furthermore it does not see them when I
  use application.cfc. I
  > am running 6.1MX on iis5. Any info would be helpful.
  >
  > Thanks
  >
  In deference to Adam, I'm going to go ahead an make a guess.
  Directory structure is very important here. Application.cfm
  will only
  apply to code that is run in the same directory or any sub
  directory
  there under. This applies to CFC's as well. A common idea is
  to place
  a CFC in some type of common folder that is outside the
  normal
  application structure, thus the CFC is not in the directory
  structure
  under which the Application.cfm file has dominion. So it will
  not apply
  in such a case.
  If this is so, the fix is to either move the CFC so that it
  is under the
  Application.cfm dominion. Or to provide it it's own
  <cfapplication...>
  tag with the desired application name to be able to access
  the desired
  application scope. This can be done directly in the CFC file
  or an
  Application.cfm file in the CFC folder hierarchy.
  Of course doing so really complicates the usefulness of
  having CFCs in a
  common place where they can be used by multiple applications
  equally.
  Thus providing a strong argument to the OOP concept of
  encapsulation.
  That an object (component) should not be aware of anything
  outside of
  itself and everything it needs to do its job should be passed
  into it.
  I.E. Pass the required application data into the component as
  arguments
  and make use of it that way.

• Use of % for height with application.cfm

  How comes the height in % in both tags doesn't works when an application.cfm exists. When I remove the application.cfm everything works fine.
  <iframe src="messages.cfm" width="95%" height="74%"></iframe>
  <cfform format="flash" skin="halosilver" wmode="transparent" style="backgroundAlpha:0;" height="48.3%"></cfform>

  Any Application.cfm (note the capital letter, btw), or your specific Application.cfm?  What about an Application.cfm file which simply has a CF comment in it, and nothing else?
  Adam

• Application.cfm in root and subdirectory, help.

  I cannot figure this out. I understand that an application
  will use the application.cfm file in it's current directory first
  and not search further. However, my page in a subdirectory seems to
  not see the application.cfm in it's own directory and instead uses
  the root application.cfm. Can anyone explain? And I have tried
  capitalizing the "A", etc. but I am not using Linux so I do not
  think it matters anyway. (CF MX)

  Hard to tell exactly, but in the subdirectory, is the ONLY
  line the <cfset application.dsn_test = "DiningHall">?
  If so, the subdirectory application.cfm would execute and the
  parent would not, which would cause the undefined error since from
  what I can tell, you haven't used the <cfapplication> tag in
  the subdirectory.
  What you can do is use a cfinclude in the subdirectory
  application.cfm.
  <cfinclude template="../application.cfm">
  <cfset application.dsn_test = "DiningHall">
  However.... That's a big no no if you're using this to
  actually change application scope parameters, since someone
  visiting the subdirectory would reset the DSN for someone that
  might still be navigating around in the parent directory.
  So what good is using the cfinclude method? Well, you can
  lock subdirectories to roles this way.
  <cfinclude template="../application.cfm">
  <cfif getAuthUser() eq "" or not IsUserInRole("Admin")>
  Access Denied!
  <cfabort>
  <cfif>
  Consider changing the DSN setting to use the request.scope to
  isolate the change to the user.
  <cfset Request.appDSN = "DININGHALL">

• Exclude one field from application.cfm loop

  i am using a cfloop collection tag in the application cfm file to loop through and remove special charachters from submitted forms for xss protection. I want to exclude one or two fields from this because they are date time fields so can't have all the restrictions all of the other fields can. I am picturing something like
  <cfloop collection="blah" item="blahblah">
       <cfif field name is not one of the date time fields>
  < general remove bad charachters code>
       <cfelseif field name is one of date time fields>
  <remove special charachters code>
  </cfif>
  </cfloop
  how do i get the field name to use in the condition above?

  Ummm...
  <cfloop collection="form" item="field">
  <cfif field NEQ "aDateField" AND field NEQ "bDateField" AND field NEQ "cDateField">
     Processs the non-date fields
  <cfelse>
    Process the date fields
  </cfif>
  </cfloop>
  Or slightly easier to maintain.
  <cfloop collection="form" item="field">
  <cfif NOT ListFind(field, "aDateField,bDateField,cDateField")>
     Processs the non-date fields
  <cfelse>
    Process the date fields
  </cfif>
  </cfloop>
  Or the best yet, would be to provide the list you are checking against from sometype of data repository where it is easy to maintain, like a database or configuration or something.  But I will leave that exercise to you to figure out.

• ODBC Error, think it's bc of Application.cfm

  Ok I'm working on a small e-commerce project and it's been
  about a year and a half since I've done programming with CF, so I'm
  doing a lot of re-learning, basically everything and only remember
  a very small bit, so basically I'm noob again.
  OK I built my project, I'm using MySQL as my database
  container. Everything runs perfectly fine on my local machine
  server but when I go to upload it to my hosting provider. I get the
  following error when I try to access the database on the hosting
  provider.
  Error Diagnostic Information
  ODBC Error Code = S1000 (General error)
  [MySQL][ODBC 3.51 Driver]Access denied for user 'ODBC'@'my IP
  address' (using password: NO)
  The error occurred while processing an element with a general
  identifier of (CFQUERY), occupying document position (1:1) to
  (1:54).
  OK, my guess right now is that it has something to do with
  the user and password authentication, and if that's the case, but
  to be honest I have no idea whats going on, cause this problem
  doesnt occur when I use PostgreSQL. I hope someone on here has been
  through this and knows what's up.
  Here's the code in my Application.cfm file
  <cfapplication name="joecool-ecom" sessionmanagement="yes"
  />
  <cfset Request.DSN = "joecool-ecom" />
  <cfset REQUEST.BasePath =
  GetDirectoryFromPath(GetCurrentTemplatePath())>
  I'm completely lost and have been trying to figure this out
  for a solid 7+ hours. I'm hoping that it's just something really
  really lame and stupid that I'm doing wrong on my side and that it
  can be fixed very easily, but part of me questions if my hosting
  provider just plain sucks and that I may end up having to switch
  providers or something.

  well i found a solution and yes it was a b***...
  It turns out it had something to do with ODBC on my hosting
  provider and MySQL. I ran a test on PostgreSQL and it worked fine,
  so I just redid my entire database into PostgreSQL and then changed
  all my boolean crap in my code from 1 to TRUE and 0 to FALSE. It
  sucked, but at least it works now.
  If anyone has any experience with using ODBC with ColdFusion
  for MySQL, if you have any ideas of why this error would occur,
  please let me know. It has to do with it trying to login
  anonymously and not using a PW, but I have no idea how to fix that
  on a hosting provider. Talked to them and its just a bunch of
  foreigners that don't know anything about computers so....
  whatever.
  Also if anyone knows any good hosting providers that keep
  their ColdFusion current, please let me know. I'm getting away from
  mine once my subscription runs out in a few more months. They're
  still using ColdFusion 5, which sucks

• Errors in Application.cfm

  Yes, I'm one of the few who still uses Application.cfm... perhaps this will be the final straw.
  How do I prevent cf debugging errors from showing up if there is an error in my Application.cfm???
  Every once in a while users of my site get a bizzare struct error or session error in my Application.cfm but I have no way of knowing unless they contact me.  Is there a way to prevent this?  Can I wrap my Application.cfm in a cftry?

  idesdema wrote:
  Can I wrap my Application.cfm in a cftry?
  You could, but that would only take affect of the line of code that throws the error is in the Application.cfm file.  It would have no affect for code in the template that was called.
  You could look at the <cferror....> tag.  Or the Site Wide Exception Handler that can be configured in the Administrator or any of the other exception handling options provided by ColdFusion and discussed in the documentaiton.

• Fixing Application.cfm

  First of all, I'm dealing with a poorly written app. I have
  add a directory off the webroot called checkout. I've placed the
  .cfm files to handle processing cards using a secure link. I'm able
  to post the amount to charge to the page that gets the customer's
  info (cc, expdate, name, etc). This page is accessed securely
  through https. But when I want to post the entered card num, etc to
  the following page i'm presented with a login prompt. I should be
  presented with the following page where the data was posted but i'm
  not. I know this has to do with some logic in the Application.cfm
  file in the webroot because it has a section of code that allows
  only certain requests to go through based on defined variables,
  where the default action if no variable is defined is to cfinclude
  the login.cfm template.
  I dont' know how to get around this (much less, fix it)
  without breaking other code. The reason for the logic in
  Application.cfm is just to keep non-logged in users out of the
  members only webpages.
  Any ideas on how I can circumvent or better yet fix this
  issue? Enclosed is application.cfm

  My first thought, because I have made this mistake several
  times is that the "A" in Application.cfm needs to be capital on
  *nix systems. I am not sure if that includes Macs.

• Messy Application.cfm issue

  First of all, I'm dealing with a poorly written app. I have
  add a directory off the webroot called checkout. I've placed the
  .cfm files to handle processing cards using a secure link. I'm able
  to post the amount to charge to the page that gets the customer's
  info (cc, expdate, name, etc). This page is accessed securely
  through https. But when I want to post the entered card num, etc to
  the following page i'm presented with a login prompt. I should be
  presented with the following page where the data was posted but i'm
  not. I know this has to do with some logic in the Application.cfm
  file in the webroot because it has a section of code that allows
  only certain requests to go through based on defined variables,
  where the default action if no variable is defined is to cfinclude
  the login.cfm template.
  I dont' know how to get around this (much less, fix it)
  without breaking other code. The reason for the logic in
  Application.cfm is just to keep non-logged in users out of the
  members only webpages.
  Any ideas on how I can circumvent or better yet fix this
  issue? Enclosed is application.cfm

  My first thought, because I have made this mistake several
  times is that the "A" in Application.cfm needs to be capital on
  *nix systems. I am not sure if that includes Macs.

• Protecting Application.cfm

  What security measures can we take to protect the
  Application.cfm file. We usually keep database login and password
  info obviously and other password info. Is there really nothing
  else to do except knowing that no one should access the actual
  file? thanks!

  quote:
  Originally posted by:
  Dan Bracuk
  Why do you have database login information and other
  passwords there?
  Well, the login and password must be in the <cfquery>
  tag on any given page that queries the db. We just put it in a
  application variable instead of on every single database driven
  page.
  We do the same for <cfmail> you need to put the email
  and the password in the tag so we use application variables instead
  to make changes more efficient.
  When you try accessing application.cfm from the browser you
  get:
  nvalid request of Application.cfm, Application.cfc or
  OnRequestEnd.cfm file.
  You have requested a page with the name application.cfm. This
  file name is reserved by the ColdFusion engine for the
  specification of application level settings and therefore cannot be
  directly requested from a web client.