My Application.cfm File creating trouble?
I am creating a AForums username/pasword from the admin
panel, and when i try to login into the forums through the main
admin panel it sets the sessions up aas i have dumped into ans seen
their value. The I am redirecting the page the home page like
www.website.com/forums/admin/home.cfm
but i dumped over there and sessions get lossed. i have not
included any application.cfm differenly in the forums, all my
website uses only 1 cfm file and in this applciation file.
i have did the dfault sessting for the forum as
session.forums eq false, and when i login, it just goes true.
When i locate from admin page to forums admin page, the
sessions get lost.
HAs there any workaround for this. i am trying for the last
couple of hours but did not find anything specific to this.
Your "scriptprotect" parameter value in your cfapplication
should be "none", "all", or a comma-delimited list of variable
scopes(CGI,FORM,URL, etc.) in CF. You might want to check on that
value.
Anyway, where do you put your application.cfm in relation to
your directories "main admin" and "forum admin"? can you show us
maybe a little info in your directory structure?
I'll give you an example(directory structure) where a session
variable(which is enabled in application.cfm) is not recognized in
another page:
appRootDir\someDir\admin_panel\home.cfm -> for your main
admin panel
appRootDir\someDir\application.cfm -> for your
application.cfm
appRootDir\forum\forum_admin\home.cfm -> for your forum
admin home
In the above structure, only
"appRootDir\someDir\admin_panel\home.cfm" can access the
application.cfm since your main admin panel and application.cfm are
both under the directory "appRootDir\someDir\".
Another structure similar above will be like this:
appRootDir\someDir\admin_panel\home.cfm -> for your main
admin panel
appRootDir\forum\application.cfm -> for your
application.cfm
appRootDir\forum\forum_admin\home.cfm -> for your forum
admin home
In the above structure, only
"appRootDir\forum\forum_admin\home.cfm" can access the
application.cfm since your forum admin and application.cfm are both
under the directory "appRootDir\forum\".
To make both directories access the same application.cfm, you
should have a similar directory structure below which both
directories can access application.cfm from it's current directory
as below:
appRootDir\someDir\admin_panel\home.cfm -> for your main
admin panel
appRootDir\application.cfm -> for your application.cfm
appRootDir\forum\forum_admin\home.cfm -> for your forum
admin home
For the above structure, both main admin panel and forum
admin can see/access your application.cfm since the application.cfm
is accessible in "appRootDir\".
Maybe your directory structure is already similar to this but
you might want to check it again. Also, are there any clearing of
session variables in any of your files?
Similar Messages
-
Why does application.cfm file not get processed first?
I am using ColdFusion 11 on Windows2008 R2. From what I understand, if there is an application.cfm page in the root folder, that any .cfm page below the root will process this page first and then process the regular .cfm page. I noticed that it processes my regular page FIRST and then calls the application.cfm page.
In my case I have a web page that updates a database, but in my application.cfm page, I check a session variable to see if the user is logged in. If they are not logged in, then I redirect them to a log in page, let them log in, set the session variable and then redirect them back to process the page. But I noticed, that when I run the page, the database gets updated and THEN the user gets redirected to log in, then the database gets updated again.
Am I not using the application.cfm page correctly? I thought it was supposed to be used to check log ins and things like that. How do I ensure that it runs first?
Btw, it is the only application.cfm page in the entire web site and I do not have any application.cfc files.
Thanks.It would make things easier to see the code. In any case, from what you say, my guess is that there is no authentication check at the point where the database gets updated. So the update occurs at the start, and again when you later redirect the user to the page.
On Coldfusion 11, you should actually switch to Application.cfc. There are at least 2 reasons.
Firstly, recent Coldfusion versions implicitly assume you use Application.cfc by default. Secondly, Application.cfm is outdated and has much less functionality than Application.cfc. For example, Application.cfc allows you much more fine-grained control over your code at the level of request, session and application. -
Passing variable from one server to another within different application.cfm
hello all.
currently , i have 3 server..
each is installed with coldfusion server.
let says,
server A,server B, and server C.
server A has the application.cfm for login.
from server A , I want to carry the login ID to server B(also
has application.cfm) or server C(also has application.cfm) without
having to login again.
Present, what I facing right now..
server A has the application.cfm login and then direct to
server B(also has application.cfm).
But at server B it will request user to relogin.
Same with server C.
should I changed and modified the application.cfm in server B
and C by removing 'cflogin statement'?
I have no idea.. :chomp: :confused:
Please anybody, help me with this..I'll admit I'm not the most educated on application/session
management but I'll try and help.
When a user logs into your CF server, it creates the session,
which is only for that server. That's probably the issue you're
running into when the user jumps from one server to the next. You
might want to try using a cookie and CFTOKEN on the login (server
A) and then use the application.cfm file on server B and C to check
for the existence of the token. If it's there (in the client
cookie) then it would allow them access.
---set the application in the application.cfm page on all 3
servers to the same name---
<cfapplication name="myappname"
sessionmanagement="Yes"
clientmanagement="Yes"
SESSIONTIMEOUT=#CreateTimeSpan(1, 0, 0, 0)#
setclientcookies="yes">
---then check for the cookie value on each server as well---
<CFIF IsDefined("Cookie.CFID") AND
IsDefined("Cookie.CFTOKEN")>
<CFSET Variables.CFID_LOCAL=Cookie.CFID>
<CFSET Variables.CFTOKEN_LOCAL=Cookie.CFTOKEN>
<CFCOOKIE NAME="CFID" VALUE="#Variables.cfid_local#">
<CFCOOKIE NAME="CFTOKEN"
VALUE="#Variables.cftoken_local#">
</cfif>
There might be some yes/no variables in the session
management you can set (yes on A, no on B and C) if the above does
not work. But with the users jumping across servers, the cookie
might be the best answer for you.
Actually, I realized something. You would want to set the
setclientcookies only on server A but have B and C check for the
cookie.
Hope some of this helps. -
Hacking Application.cfm
In the past couple of weeks hackers have somehow been getting access to my application.cfm file and altering it, making my website not come up properly.
Is this a known security problem and does anyone know how to protect the file from getting hacked?Hi Rene,
I would recommend looking for any unknown file and schedule task created in past few months. The files names have been mostly h.cfm and i.cfm. However it can be anything. Please also apply the recent security patches and take the steps mentioned. Fixing the application.cfm might not help completely in case back door files from previous attacks are lying in the server.
Hope this helps. -
Trying to understand an application.cfm attack
I have a site that I've been running without issue, for years now - I sniff and block for cross site scripting, sql injection, executable file uploads, and employ honeypot fields on forms...
This past week I wanted to watch some slow page loads for performance, noting their time to execute. I chose to use an application.cfm and an onrequestend.cfm to set a timestamp and to place it on the end of my pages. Prior to this, I have not utilzed an application.cfm. I'm pragmattic and look upon the application.cfm as a catch-all to do things that I should be planning better for in my application.
I soon found myself the recipient of a cross site scripting attack. I realised easily that I opened myself wide to this because the application.cfm runs _before_ everything, including my sniffer code. Derrrr!
I deleted the application.cfm and onrequestend.cfm and cleanded up my files having caught it same day and experiencing little damage. The attack was only inserting javascript into my index pages via the application.cfm . Rather ingenious and it was fun to find and consider. Payday loan spam.
I've been google'ing and reading on uploading vulnerabilities, but I can only find one instance where someone described their application.cfm file having been modified in similar fashion, the vector being a vulnerability in fckeditor - which I do not use. Nor do I use any other third party editor plugin.
An article I found mentions vulnerable files in legacy CFDOCS folder that allow access and uploads. I have a fresh install of CF9 so this did not exist. There was a cfx folder tree with some "example" code folders. I've zipped and deleted these.
I have changed ftp to use a non-standard port. Something that I used to do, but failed to re-instate when I moved to a different host. I have a ticket submitted to get help in blocking CFIDE path requests to the outside world (so that it will only be accessable locally via RDP).
If someone/something could modify the application.cfm file, why look for just it, unless it was just a lazy scripted attack looking for application.cfm files specifically. And while I did not have one before, why did someone not just upload their own?
How and why was my application.cfm changed, and why not the index.cfm files directly if they had some other avenue of access?
My question is this - can the application.cfm be tricked into modifying itself?
Thanks in advance!Sorry about that - a misunderstanding. When you said you "deleted the application.cfm and onrequestend.cfm and cleanded up my files...", I took that to mean you only deleted the code. I assumed the files to still be on the file system. For, to run a ColdFusion application of any substance, you do need an Application file.
aotgnat wrote:
The attack was only inserting javascript into my index pages via the application.cfm .
Not necessarily via the application file. What the attacker may very likely have exploited is a ColdFusion Cross Site Scripting (XSS) vulnerability. This link shows you that a cfform, user-agent HTTP header, etc. may be used in an XSS attack. (See the XSS vulnerabilities relevant to CF9, which include CVE-2009-3467, CVE-2010-1293, CVE-2011-0583, CVE-2011-0733, CVE-2011-0734, CVE-2011-0735, CVE-2011-2463, CVE-2011-4368). -
Setting/changing a date in application.cfm
I need to be able to set a date in the application.cfm file
for example
<CFSET APPLICATION.stopdate='10/15/2014'>
Then in my site on other pages I have code that says
<cfif reportdate GT #APPLICATION.stopdate#>Do This</cfif>
The problem is sometimes I need to change the APPLICATION.stopdate to another date during the middle of the day.
For example I need to change the APPLICATION.stopdate from 10/15/2014 to 10/25/2014
However I notice when I change the APPLICATION.stopdate in the application.cfm to another date during the middle of the day that the APPLICATION.stopdate stays the old date.
How do I make sure that the APPLICATION.stopdate changes sitewide when I change it in the application.cfm?
Do I use another variable scope?Yes, that's one use of the include directive, lets you add content inline. You missed an "@" there though. It's <%@ include...
EDIT: One word of warning; it is not mandatory for the container to recompile the including JSPs if the included resource is changed! It seems you have a smart container which detected that your included JSP had been modified and so it's reflecting the changes in the other files too. But this is not required behaviour and so you shouldn't count on it. AFAIK, Tomcat will also do the same.
Also, this is a good reason why, even though it seems like a good idea to put the DB URL into one JSP and include it everywhere so that you have only one entry to change when the DB changes, it's still risky. A better way would be to put it as a <context-param> or something similar.
Edited by: nogoodatcoding on Sep 28, 2007 10:15 PM -
Application.cfm and CFC's
for some reason my cfc is not seeing any of the variables set
in application.cfm. Furthermore it does not see them when I use
application.cfc. I am running 6.1MX on iis5. Any info would be
helpful.
ThanksDuke Snyder wrote:
> for some reason my cfc is not seeing any of the
variables set in
> application.cfm. Furthermore it does not see them when I
use application.cfc. I
> am running 6.1MX on iis5. Any info would be helpful.
>
> Thanks
>
In deference to Adam, I'm going to go ahead an make a guess.
Directory structure is very important here. Application.cfm
will only
apply to code that is run in the same directory or any sub
directory
there under. This applies to CFC's as well. A common idea is
to place
a CFC in some type of common folder that is outside the
normal
application structure, thus the CFC is not in the directory
structure
under which the Application.cfm file has dominion. So it will
not apply
in such a case.
If this is so, the fix is to either move the CFC so that it
is under the
Application.cfm dominion. Or to provide it it's own
<cfapplication...>
tag with the desired application name to be able to access
the desired
application scope. This can be done directly in the CFC file
or an
Application.cfm file in the CFC folder hierarchy.
Of course doing so really complicates the usefulness of
having CFCs in a
common place where they can be used by multiple applications
equally.
Thus providing a strong argument to the OOP concept of
encapsulation.
That an object (component) should not be aware of anything
outside of
itself and everything it needs to do its job should be passed
into it.
I.E. Pass the required application data into the component as
arguments
and make use of it that way. -
Use of % for height with application.cfm
How comes the height in % in both tags doesn't works when an application.cfm exists. When I remove the application.cfm everything works fine.
<iframe src="messages.cfm" width="95%" height="74%"></iframe>
<cfform format="flash" skin="halosilver" wmode="transparent" style="backgroundAlpha:0;" height="48.3%"></cfform>Any Application.cfm (note the capital letter, btw), or your specific Application.cfm? What about an Application.cfm file which simply has a CF comment in it, and nothing else?
Adam -
Application.cfm in root and subdirectory, help.
I cannot figure this out. I understand that an application
will use the application.cfm file in it's current directory first
and not search further. However, my page in a subdirectory seems to
not see the application.cfm in it's own directory and instead uses
the root application.cfm. Can anyone explain? And I have tried
capitalizing the "A", etc. but I am not using Linux so I do not
think it matters anyway. (CF MX)Hard to tell exactly, but in the subdirectory, is the ONLY
line the <cfset application.dsn_test = "DiningHall">?
If so, the subdirectory application.cfm would execute and the
parent would not, which would cause the undefined error since from
what I can tell, you haven't used the <cfapplication> tag in
the subdirectory.
What you can do is use a cfinclude in the subdirectory
application.cfm.
<cfinclude template="../application.cfm">
<cfset application.dsn_test = "DiningHall">
However.... That's a big no no if you're using this to
actually change application scope parameters, since someone
visiting the subdirectory would reset the DSN for someone that
might still be navigating around in the parent directory.
So what good is using the cfinclude method? Well, you can
lock subdirectories to roles this way.
<cfinclude template="../application.cfm">
<cfif getAuthUser() eq "" or not IsUserInRole("Admin")>
Access Denied!
<cfabort>
<cfif>
Consider changing the DSN setting to use the request.scope to
isolate the change to the user.
<cfset Request.appDSN = "DININGHALL"> -
Exclude one field from application.cfm loop
i am using a cfloop collection tag in the application cfm file to loop through and remove special charachters from submitted forms for xss protection. I want to exclude one or two fields from this because they are date time fields so can't have all the restrictions all of the other fields can. I am picturing something like
<cfloop collection="blah" item="blahblah">
<cfif field name is not one of the date time fields>
< general remove bad charachters code>
<cfelseif field name is one of date time fields>
<remove special charachters code>
</cfif>
</cfloop
how do i get the field name to use in the condition above?Ummm...
<cfloop collection="form" item="field">
<cfif field NEQ "aDateField" AND field NEQ "bDateField" AND field NEQ "cDateField">
Processs the non-date fields
<cfelse>
Process the date fields
</cfif>
</cfloop>
Or slightly easier to maintain.
<cfloop collection="form" item="field">
<cfif NOT ListFind(field, "aDateField,bDateField,cDateField")>
Processs the non-date fields
<cfelse>
Process the date fields
</cfif>
</cfloop>
Or the best yet, would be to provide the list you are checking against from sometype of data repository where it is easy to maintain, like a database or configuration or something. But I will leave that exercise to you to figure out. -
ODBC Error, think it's bc of Application.cfm
Ok I'm working on a small e-commerce project and it's been
about a year and a half since I've done programming with CF, so I'm
doing a lot of re-learning, basically everything and only remember
a very small bit, so basically I'm noob again.
OK I built my project, I'm using MySQL as my database
container. Everything runs perfectly fine on my local machine
server but when I go to upload it to my hosting provider. I get the
following error when I try to access the database on the hosting
provider.
Error Diagnostic Information
ODBC Error Code = S1000 (General error)
[MySQL][ODBC 3.51 Driver]Access denied for user 'ODBC'@'my IP
address' (using password: NO)
The error occurred while processing an element with a general
identifier of (CFQUERY), occupying document position (1:1) to
(1:54).
OK, my guess right now is that it has something to do with
the user and password authentication, and if that's the case, but
to be honest I have no idea whats going on, cause this problem
doesnt occur when I use PostgreSQL. I hope someone on here has been
through this and knows what's up.
Here's the code in my Application.cfm file
<cfapplication name="joecool-ecom" sessionmanagement="yes"
/>
<cfset Request.DSN = "joecool-ecom" />
<cfset REQUEST.BasePath =
GetDirectoryFromPath(GetCurrentTemplatePath())>
I'm completely lost and have been trying to figure this out
for a solid 7+ hours. I'm hoping that it's just something really
really lame and stupid that I'm doing wrong on my side and that it
can be fixed very easily, but part of me questions if my hosting
provider just plain sucks and that I may end up having to switch
providers or something.well i found a solution and yes it was a b***...
It turns out it had something to do with ODBC on my hosting
provider and MySQL. I ran a test on PostgreSQL and it worked fine,
so I just redid my entire database into PostgreSQL and then changed
all my boolean crap in my code from 1 to TRUE and 0 to FALSE. It
sucked, but at least it works now.
If anyone has any experience with using ODBC with ColdFusion
for MySQL, if you have any ideas of why this error would occur,
please let me know. It has to do with it trying to login
anonymously and not using a PW, but I have no idea how to fix that
on a hosting provider. Talked to them and its just a bunch of
foreigners that don't know anything about computers so....
whatever.
Also if anyone knows any good hosting providers that keep
their ColdFusion current, please let me know. I'm getting away from
mine once my subscription runs out in a few more months. They're
still using ColdFusion 5, which sucks -
Errors in Application.cfm
Yes, I'm one of the few who still uses Application.cfm... perhaps this will be the final straw.
How do I prevent cf debugging errors from showing up if there is an error in my Application.cfm???
Every once in a while users of my site get a bizzare struct error or session error in my Application.cfm but I have no way of knowing unless they contact me. Is there a way to prevent this? Can I wrap my Application.cfm in a cftry?idesdema wrote:
Can I wrap my Application.cfm in a cftry?
You could, but that would only take affect of the line of code that throws the error is in the Application.cfm file. It would have no affect for code in the template that was called.
You could look at the <cferror....> tag. Or the Site Wide Exception Handler that can be configured in the Administrator or any of the other exception handling options provided by ColdFusion and discussed in the documentaiton. -
First of all, I'm dealing with a poorly written app. I have
add a directory off the webroot called checkout. I've placed the
.cfm files to handle processing cards using a secure link. I'm able
to post the amount to charge to the page that gets the customer's
info (cc, expdate, name, etc). This page is accessed securely
through https. But when I want to post the entered card num, etc to
the following page i'm presented with a login prompt. I should be
presented with the following page where the data was posted but i'm
not. I know this has to do with some logic in the Application.cfm
file in the webroot because it has a section of code that allows
only certain requests to go through based on defined variables,
where the default action if no variable is defined is to cfinclude
the login.cfm template.
I dont' know how to get around this (much less, fix it)
without breaking other code. The reason for the logic in
Application.cfm is just to keep non-logged in users out of the
members only webpages.
Any ideas on how I can circumvent or better yet fix this
issue? Enclosed is application.cfmMy first thought, because I have made this mistake several
times is that the "A" in Application.cfm needs to be capital on
*nix systems. I am not sure if that includes Macs. -
Messy Application.cfm issue
First of all, I'm dealing with a poorly written app. I have
add a directory off the webroot called checkout. I've placed the
.cfm files to handle processing cards using a secure link. I'm able
to post the amount to charge to the page that gets the customer's
info (cc, expdate, name, etc). This page is accessed securely
through https. But when I want to post the entered card num, etc to
the following page i'm presented with a login prompt. I should be
presented with the following page where the data was posted but i'm
not. I know this has to do with some logic in the Application.cfm
file in the webroot because it has a section of code that allows
only certain requests to go through based on defined variables,
where the default action if no variable is defined is to cfinclude
the login.cfm template.
I dont' know how to get around this (much less, fix it)
without breaking other code. The reason for the logic in
Application.cfm is just to keep non-logged in users out of the
members only webpages.
Any ideas on how I can circumvent or better yet fix this
issue? Enclosed is application.cfmMy first thought, because I have made this mistake several
times is that the "A" in Application.cfm needs to be capital on
*nix systems. I am not sure if that includes Macs. -
Protecting Application.cfm
What security measures can we take to protect the
Application.cfm file. We usually keep database login and password
info obviously and other password info. Is there really nothing
else to do except knowing that no one should access the actual
file? thanks!quote:
Originally posted by:
Dan Bracuk
Why do you have database login information and other
passwords there?
Well, the login and password must be in the <cfquery>
tag on any given page that queries the db. We just put it in a
application variable instead of on every single database driven
page.
We do the same for <cfmail> you need to put the email
and the password in the tag so we use application variables instead
to make changes more efficient.
When you try accessing application.cfm from the browser you
get:
nvalid request of Application.cfm, Application.cfc or
OnRequestEnd.cfm file.
You have requested a page with the name application.cfm. This
file name is reserved by the ColdFusion engine for the
specification of application level settings and therefore cannot be
directly requested from a web client.
Maybe you are looking for
-
After I've upgraded my iPhone iOS to 5.0.1, I got problems with connectivity. If my iPhone lose network, then it gets frozzen and I cannot make calls. After restart the telephone still does not work.
-
Nokia 1520 Screen Sencitivity Problem
Hi..I have nokia 1520..for last 2-3 days i m facing problem of screen sencitivity. I m opening messages bing is opening. Screen is geeting minimize autometically. Please let me know what should do?
-
Allowing for Alternate Correct "Answers"
Don't know which forum this falls under, sorry: I want to create a training simulation (and actually, an assessment simulation too) where the user can select one of a variety of correct methods for accomplishing a task. How do I program the multiple
-
Install Photoshop Elements 11 again after a crash
After having to get windows 8.1 from my PC I want to reinstall PE 11 again.I bought it in april 2013 and rght now I can't find any option to install it again because there is only a 12 in the download options. All my money wasted???
-
'x' missing from top corner when trying to delete an app ios 6.1.2
Hi all, First post so be gentle. I have latest IOS 6.1.2 for IPad Retina Display and I can't delete any app by holding the icon till it shakes. It does start shaking, but the 'x' is missing form the top corner. Have rebooted it but still no joy. Any