
Project News :.

The latest project to launch was the site for Gorilla Offroad Company. Aside from their main site, a social media strategy was developed to launch the company into various industry-specific automobile enthusiast discussion board communities, as well as popular social media fronts like Facebook, Pinterest, and Twitter.



ColdFusion News :.

To bring a little life to my site, I've pulled a couple of RSS feeds into this page. You can currently choose between technology-related news stories from the following news sources:

You are currently viewing an RSS feed from Pete Freitag's Blog.

My CFSummit 2015 Slide Decks

I was fortunate enough to be able to do two different talks this year at the Adobe CFSummit 2015 conference.

My first session was a hands-on pre-conference workshop taught by David Epler and myself, titled: Hack & Fix - Hands on ColdFusion Security Training. This was a 3 hour workshop which had a VM preloaded with the hackable CFML training app HackableType, which was first created by Jason Dean and me in 2010. Students then try to hack the vulnerable code, and then fix it. It went very well thanks to David, and all who attended!

Hack & Fix - Hands on ColdFusion Security Training - View Slides

For my second session I presented on Locking down ColdFusion Servers, an overview of the ColdFusion 11 Lockdown Guide. View Slides

My company Foundeo was a Gold sponsor of CFSummit 2015. I enjoyed meeting lots of our HackMyCF and FuseGuard customers and hopefully a few soon to be customers!

(Fri, 13 Nov 2015 02:05:00 GMT)

Adding Chrome Custom Search for CFDocs

I read some complaints recently that the new Adobe documentation site is not friendly with a chrome custom search engine (because the URIs are different based on what the tag/function starts with).

If you want to setup a custom search engine in chrome, it is really easy:

  1. Using Chrome go to chrome://settings/searchEngines
  2. Scroll down to an empty text box that says Add a new search engine
  3. In the first box type in the second box type cf and in the third box type

Now type cf followed by a space in the address bar, and then a tag or function name.

(Fri, 16 Oct 2015 20:07:00 GMT)

Disable Flash Remoting on ColdFusion Servers

Due to the recent security vulnerability APSB15-20 / APSB15-21 in BlazeDS there has been increased interest in disabling Flash Remoting when it is not needed -- if you followed the lockdown guide for CF9, CF10, or CF11 you should already have it disabled.

This only applies to ColdFusion 10 and ColdFusion 11 right? Nope!

Your ColdFusion 7-9 servers may also be vulnerable to this issue, but since they are considered EOL (End Of Life) they are no longer supported or patched by Adobe, so there is no hotfix to apply.

If you do need Flash Remoting on these servers you can manually update the flex-messaging-core.jar file in your lib directory. I tested this on a CF 9.0.2 server and verified that it worked by using the ColdFusion Server Monitor.

David Epler has posted some instructions for manually patching a CF9 server.

How can I disable Flash Remoting on ColdFusion Servers

There are a few ways this can be accomplished; I recommend doing all of them to provide layers of assurance, or defense in depth.

Uncheck: Enable Flash Remoting in ColdFusion Administrator - this is the easiest way to go, but I don't trust this method to fully disable anything that might be vulnerable to a security issue.

Block URIs on your web server - web server blocks are always my favorite approach because the requests are rejected before they reach the CF server at all; in most cases this is the most efficient way to protect resources.

If you are using IIS 7+ you can block them using Request Filtering (if you are using IIS 6 or lower you are running an EOL operating system with many other security issues to consider, time to upgrade!). It can run on a per-site basis or on a global basis - for security rules like this it makes sense to run them globally. Click on the URL tab and then Deny URL Sequence to add the following URIs to block, then test them out in your browser to make sure you get a 404:


To block them on Apache you could do something like this globally in httpd.conf:

RedirectMatch 404 (?i).*/flex2gateway.*
RedirectMatch 404 (?i).*/flashservices.*
RedirectMatch 404 (?i).*/flex-internal.*
RedirectMatch 404 (?i).*/cfformgateway.*
RedirectMatch 404 (?i).*/cfform-internal.*

Using nginx you can do something like this (thanks Joseph Lamoree) :

location ~* ^/(flex2gateway|flashservices|flex-internal|CFFormGateway|cfform-internal|messagebroker) {
    return 403;
}

Keep in mind that when you block only on the web server, Flash Remoting is still enabled in ColdFusion itself: the same URIs still answer over the built-in (internal) web server, so you could still use the Server Monitor there, or on any other port CF listens on directly. That also means the endpoint stays reachable for anyone who can connect to that port, which is why the web server block alone is not enough.
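A quick external check of the blocks above, written as an added example (it is not code from the post): it requests every Flash Remoting / Flex URI from the Apache and nginx rules, in both spellings, through each base URL you give it, and lists the ones that still answer with something other than 403 or 404. Run it against the public site and against the ColdFusion built-in web server (the 8500 port default is an assumption; use your instance's port) to confirm the caveat above for yourself. Host names are placeholders.

```python
import sys
import urllib.error
import urllib.request

# URI prefixes from the Apache / nginx rules above. The web-server rules are
# case-insensitive, so each path is probed in both spellings.
FLASH_REMOTING_PATHS = (
    "/flex2gateway/",
    "/flashservices/gateway",
    "/flex-internal/",
    "/CFFormGateway/",
    "/cfform-internal/",
    "/messagebroker/",
)

# A 403/404 from the web server means the rule fired; None means nothing
# answered at all (connection refused, timeout), which is also "not exposed".
BLOCKED_STATUSES = {403, 404}


def http_status(url, timeout=5):
    """GET url and return its HTTP status code, or None if nothing answered."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:      # 4xx / 5xx still carry a code
        return err.code
    except (urllib.error.URLError, OSError):   # refused, timed out, no DNS
        return None


def probe(base_urls, paths=FLASH_REMOTING_PATHS, fetch=http_status):
    """Map every base_url + path (and its case-flipped twin) to a status."""
    results = {}
    for base in base_urls:
        for path in paths:
            for variant in (path, path.swapcase()):
                url = base.rstrip("/") + variant
                results[url] = fetch(url)
    return results


def still_exposed(results):
    """URLs that answered with a status the block rules should have prevented."""
    return sorted(url for url, status in results.items()
                  if status is not None and status not in BLOCKED_STATUSES)


if __name__ == "__main__":
    # Placeholder hosts: the public site and the CF built-in web server
    # (8500 is the installer default, assumed here).
    bases = sys.argv[1:] or ["https://www.example.com", "http://cfserver.internal:8500"]
    found = probe(bases)
    for url in sorted(found):
        print(f"{str(found[url]):>5}  {url}")
    exposed = still_exposed(found)
    print("still exposed:", ", ".join(exposed) if exposed else "none")
    sys.exit(1 if exposed else 0)
```

A 200, or even a 500 from BlazeDS choking on a GET, from the CF port means the request reached the servlet, which is exactly the case the web-server rules do not cover; a non-zero exit code makes the script usable as a post-deployment check.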

Disable by Removing Servlet Mappings

Removing servlet mappings removes the URL pattern to servlet (the Java code that handles the request) definition at the JEE servlet container level. It is done by editing the web.xml file found in the WEB-INF folder. You can either delete the <servlet-mapping> ... </servlet-mapping> element or comment it out with an XML comment, <!-- ... --> (two dashes, unlike the three of a CFML comment; a double dash must not appear inside the comment).

Here's an example of a servlet mapping on CF9:

<servlet-mapping id="coldfusion_mapping_0">

You can also disable the servlet mappings that have the following URL patterns:


You can also remove the Servlets that correspond to these servlet-mapping but I have seen cases where CF would not start due to removing a servlet that is expected to be there. Removing unnecessary servlets can improve your CF server startup time and potentially reduce resource utilization, so it may be worth experimenting with for you.

What if I am running Railo / Lucee

There is a good chance your server could also be vulnerable to this issue, because many installers included BlazeDS and its servlet mappings. To disable it you will want to edit your web.xml file and remove a servlet mapping like this:


I would also recommend adding the blocks on your web server config (as shown above) as an extra layer of protection in case you reinstall and put BlazeDS back in.
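Because the servlet-mapping edit for CF 9/10/11 and for Railo/Lucee installs that bundle BlazeDS is the same job, here is one added script (not code from the post) that audits a web.xml and comments out every servlet-mapping whose url-pattern starts with one of the Flash Remoting paths named above, leaving everything else, including mappings that are already commented out, untouched. The sample web.xml inside it is constructed for the example; the servlet names in it are illustrative, not a claim about any particular release's web.xml.

```python
import re
import shutil
import sys

# First path segment of the url-patterns the post says to disable.
FLASH_REMOTING_SEGMENTS = {"flex2gateway", "flashservices", "flex-internal",
                           "cfformgateway", "cfform-internal", "messagebroker"}

# Either an XML comment or a servlet-mapping element; listing the comment
# alternative first means mappings already inside a comment are skipped.
BLOCK_RE = re.compile(r"<!--.*?-->|<servlet-mapping\b.*?</servlet-mapping>", re.DOTALL)
URL_PATTERN_RE = re.compile(r"<url-pattern>\s*(.*?)\s*</url-pattern>", re.DOTALL)


def first_segment(url_pattern):
    """'/CFFormGateway/*' -> 'cfformgateway'; '*.cfm' -> '*.cfm'."""
    return url_pattern.strip("/").split("/")[0].lower()


def is_flash_remoting(url_patterns):
    return any(first_segment(p) in FLASH_REMOTING_SEGMENTS for p in url_patterns)


def active_mappings(web_xml):
    """[(element_text, [url-patterns])] for mappings that are not commented out."""
    found = []
    for m in BLOCK_RE.finditer(web_xml):
        if not m.group(0).startswith("<!--"):
            found.append((m.group(0), URL_PATTERN_RE.findall(m.group(0))))
    return found


def disable_flash_remoting(web_xml):
    """Return (new_text, [disabled url-patterns]); matching mappings become comments."""
    disabled = []

    def replace(m):
        text = m.group(0)
        patterns = URL_PATTERN_RE.findall(text)
        if text.startswith("<!--") or not is_flash_remoting(patterns):
            return text
        if "--" in text:  # '--' is illegal inside an XML comment: delete that one by hand
            raise ValueError("mapping contains '--'; remove it manually: " + text)
        disabled.extend(patterns)
        return "<!-- Flash Remoting disabled: " + text + " -->"

    return BLOCK_RE.sub(replace, web_xml), disabled


# Constructed sample; servlet names are illustrative only.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <servlet-mapping id="coldfusion_mapping_0">
    <servlet-name>MessageBrokerServlet</servlet-name>
    <url-pattern>/flex2gateway/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping id="coldfusion_mapping_1">
    <servlet-name>CfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
  </servlet-mapping>
  <!-- <servlet-mapping id="coldfusion_mapping_2">
    <servlet-name>MessageBrokerServlet</servlet-name>
    <url-pattern>/messagebroker/*</url-pattern>
  </servlet-mapping> -->
  <servlet-mapping id="coldfusion_mapping_3">
    <servlet-name>CFFormGateway</servlet-name>
    <url-pattern>/CFFormGateway/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

if __name__ == "__main__":
    if len(sys.argv) != 2:                       # no file given: show the sample
        new_xml, gone = disable_flash_remoting(SAMPLE_WEB_XML)
        print(new_xml)
    else:
        path = sys.argv[1]
        shutil.copy2(path, path + ".bak")        # keep a copy before editing
        with open(path, encoding="utf-8") as fh:
            new_xml, gone = disable_flash_remoting(fh.read())
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_xml)
    print("disabled:", gone or "nothing")
```

Run it once, restart CF, and rerun it: the second pass should report nothing, because the mappings it wrapped now sit inside comments. Leave the matching <servlet> elements in place unless you have tested removal on a staging instance, for the start-up reason given above.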

Possible issues with Flash Remoting after installing ColdFusion 11 Update 6 or ColdFusion 10 Update 17

I have seen one report of issues caused by this new update of BlazeDS, it was throwing a: java.lang.NoClassDefFoundError: javax/jms/InvalidSelectorException which may be due to missing ActiveMQ jar files.

(Thu, 03 Sep 2015 20:37:00 GMT)

HackMyCF Adds SSL/TLS Scanner

I'm pleased to announce a feature of HackMyCF that I've been excited about for a while: SSL / TLS Scanning.

If you stay up to date with security news you know that there have been a large number of vulnerabilities or weaknesses discovered in SSL or TLS protocols and implementations. For example, we have LogJam, Heartbleed, POODLE, CRIME, BEAST, and those are just the ones with cool names :)

We have been issuing warnings when SSLv2 and SSLv3 (POODLE) are enabled for a while; here are some of the new checks we have added:

  • Warn if TLS 1.2 is not enabled
  • LogJam: Weak DH Group Size (less than 2048 bits) and some common prime warnings (not fully inclusive)
  • Warn if SSL Certificate will expire soon, or is expired
  • Warn if certificate is signed with SHA1 (will cause warnings/errors in recent Chrome versions)
  • Warn if TLS compression is enabled (CRIME)
  • Test for OpenSSL Heartbleed vulnerability
  • Warn if Public Key Size less than 2048 bits

Here's a screenshot from an example HackMyCF report:

HackMyCF TLS Report

Customers can enable this feature if they have set protocol = HTTPS in their server settings.

(Wed, 27 May 2015 20:37:00 GMT)

IncompatibleClassChangeError after ColdFusion 11 Update 5

If you use the Encrypt function in ColdFusion 11, you may experience an error that looks like this:

java.lang.IncompatibleClassChangeError: Expected static method coldfusion.runtime.CFPage.Encrypt(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String; at cfprobe2ecfm877726397._factor9(/hackmycf/probe.cfm:258) at cfprobe2ecfm877726397.runPage(/hackmycf/probe.cfm:1) at coldfusion.runtime.CfJspPage.invoke( at coldfusion.tagext.lang.IncludeTag.handlePageInvoke( at coldfusion.tagext.lang.IncludeTag.doStartTag( at coldfusion.filter.CfincludeFilter.invoke( at coldfusion.filter.IpFilter.invoke( at coldfusion.filter.ApplicationFilter.invoke( at coldfusion.filter.RequestMonitorFilter.invoke( at coldfusion.filter.MonitoringFilter.invoke( at coldfusion.filter.PathFilter.invoke( at coldfusion.filter.LicenseFilter.invoke( at coldfusion.filter.ExceptionFilter.invoke( at coldfusion.filter.ClientScopePersistenceFilter.invoke( at coldfusion.filter.BrowserFilter.invoke( at coldfusion.filter.NoCacheFilter.invoke( at coldfusion.filter.GlobalsFilter.invoke( at coldfusion.filter.DatasourceFilter.invoke( at coldfusion.filter.CachingFilter.invoke( at coldfusion.CfmServlet.service( at coldfusion.bootstrap.BootstrapServlet.service( at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter( at org.apache.catalina.core.ApplicationFilterChain.doFilter( at coldfusion.monitor.event.MonitoringServletFilter.doFilter( at coldfusion.bootstrap.BootstrapFilter.doFilter( at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter( at org.apache.catalina.core.ApplicationFilterChain.doFilter( at coldfusion.inspect.weinre.MobileDeviceDomInspectionFilter.doFilter( at coldfusion.bootstrap.BootstrapFilter.doFilter( at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter( at org.apache.catalina.core.ApplicationFilterChain.doFilter( at org.apache.catalina.core.StandardWrapperValve.invoke( at org.apache.catalina.core.StandardContextValve.invoke( at org.apache.catalina.authenticator.AuthenticatorBase.invoke( at 
org.apache.catalina.core.StandardHostValve.invoke( at org.apache.catalina.valves.ErrorReportValve.invoke( at org.apache.catalina.core.StandardEngineValve.invoke( at org.apache.catalina.connector.CoyoteAdapter.service( at org.apache.coyote.http11.AbstractHttp11Processor.process( at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process( at$ at java.util.concurrent.ThreadPoolExecutor.runWorker( at java.util.concurrent.ThreadPoolExecutor$ at org.apache.tomcat.util.threads.TaskThread$ at

The solution is to clear the Template Cache, this is done quite easily in the ColdFusion administrator under Server Settings » Caching simply click the Clear Template Cache Now button, and it will work.

Another way to fix this issue is to simply edit the cfm or cfc file that contains the Encrypt call and then the CF server will automatically recompile it (due to the updated timestamp). This method would only work if Trusted Cache is not turned on.

Why did this happen? It appears to me that the internal java method signature for the Encrypt function changed, and since CF compiles your CFML into Java bytecode and then caches it, the cached java bytecode is no longer valid after the update is applied.

(Mon, 20 Apr 2015 23:24:00 GMT)

Scope Injection in CFML

Here is an interesting vulnerability that I have come across several times in real CFML code during code reviews, I have spoken about it at conferences but have never written about it. Since it doesn't really have a name, I call it Scope Injection, you'll see why in a minute.

We have the following code:

<cfif session.isAdmin>
    Do something only an admin can do...
</cfif>

Now lets suppose that this session.isAdmin is set upon a successful authentication, but for unauthenticated sessions isAdmin is undefined in the session scope (onSessionStart does not initialize it).

Now suppose a request to the above code like this:


What happens when the above code example is run:

  • CF checks to see if session.isAdmin is defined in the session scope
  • The variable session.isAdmin was not defined in the session scope, so it starts searching other scopes, such as the url scope.
  • CF finds url.session.isAdmin defined and uses that value to evaluate the if statement as true.
  • Code that should only be executed by an admin can actually be executed by anyone.

Mitigating Scope Injection in CFML

To mitigate this, you should make sure that variables are initialized properly, a good place to do this is in your Application.cfc event lifecycle methods, onSessionStart for session scoped variables, onApplicationStart for application scoped variables, onRequestStart for request scope variables, etc.

So to mitigate this issue, we simply need this:

<cffunction name="onSessionStart">
    <cfset session.isAdmin = false>
</cffunction>

If you are extra paranoid you can also use StructKeyExists to make sure the variable is defined:

<cfif StructKeyExists(session, "isAdmin") AND session.isAdmin>
  do admin stuff
</cfif>

Scope Injection in Railo / Lucee

This particular example is not vulnerable in the version of Railo / Lucee I tested, apparently because it does not allow cascading on builtin scopes. You can still have a scope injection issue on variables that are not in a builtin scope, consider this:

<cfif IsUserInRole("admin") OR IsUserInRole("superuser")>
   <cfset isAdmin = true>
</cfif>
<cfif isAdmin>
  do admin stuff
</cfif>

There is also a setting in the Railo / Lucee administrator that allows you to turn off cascading (under scopes) by setting it to strict. You can also do this in your Application.cfc:

this.scopeCascading = "strict";

When the scopeCascading setting is set to strict it removes the possibility of a scope injection vulnerability, and may also improve performance.

How FuseGuard protects from Scope Injection

FuseGuard customers have been enjoying protection from scope injection for the past 3 years. It operates in a strict mode by default which prevents inputs like, with strict mode off it only looks at valid scope names (like session, application, etc).

As of version 2.3 you can also set a prefix to ignore, for example fusebox apps commonly have url's like ?fusebox.action=foo so you can tell FuseGuard to allow that by adding:


You can also ignore a variable a-la-carte like this:

filter.ignoreVariable("url", "one.two");
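The lookup described in the bullet list above, and the request filter described in the FuseGuard section, worked through in Python as an added example (this is not code from the post and not FuseGuard's implementation; it models the behaviour the post describes). parse_query() builds a url scope in which a dotted parameter name such as session.isAdmin becomes a nested struct, resolve() performs the scope cascade (with cascading=False standing in for Lucee's scopeCascading = "strict"), and ScopeInjectionFilter flags request parameters that could satisfy a reference into another scope, with the strict / non-strict modes, ignore-prefix and ignore-variable options the post mentions. The request in the block is constructed for the example.

```python
from urllib.parse import parse_qsl

# Scopes CF searches, in order, when a variable is not where it was asked for
# (the cascade order, trimmed to the request-level scopes).
CASCADE_ORDER = ("variables", "cgi", "url", "form", "cookie")
BUILTIN_SCOPES = {"application", "session", "request", "server", "client",
                  "cookie", "url", "form", "cgi", "variables", "this", "arguments"}


def parse_query(query):
    """Build the url scope from a query string. Dotted names become nested
    structs, so 'session.isAdmin=true' yields {'session': {'isadmin': 'true'}}
    (keys are lower-cased because CFML keys are case-insensitive)."""
    scope = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        *path, leaf = name.lower().split(".")
        node = scope
        for part in path:
            node = node.setdefault(part, {})
        node[leaf] = value
    return scope


def _dig(struct, path):
    node = struct
    for part in path:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def resolve(expr, scopes, cascading=True):
    """Evaluate a CFML reference such as 'session.isAdmin' or 'isAdmin'.
    cascading=False models Lucee's scopeCascading = "strict": only the scope
    named in the reference (variables, for an unscoped name) is consulted."""
    parts = expr.lower().split(".")
    if parts[0] in BUILTIN_SCOPES:
        scope_name, path = parts[0], parts[1:]
    else:                                   # unscoped: 'isAdmin' is variables.isAdmin
        scope_name, path = "variables", parts
    value = _dig(scopes.get(scope_name, {}), path)
    if value is not None or not cascading:
        return value
    # Not found where asked: look for the whole name, scope prefix included, in
    # the other scopes, so url.session.isAdmin satisfies session.isAdmin.
    for other in CASCADE_ORDER:
        if other != scope_name:
            value = _dig(scopes.get(other, {}), parts)
            if value is not None:
                return value
    return None


def is_true(value):
    """Truthiness of the strings a request can carry ('true', 'yes', non-zero)."""
    text = str(value).strip().lower()
    return text in {"true", "yes"} or (text.lstrip("-").isdigit() and int(text) != 0)


class ScopeInjectionFilter:
    """Flag request parameters that could satisfy a reference into another scope.
    strict=True rejects every dotted parameter name; strict=False only names whose
    first segment is a builtin scope. ignore_prefixes / ignore_variable model the
    FuseGuard options described above (behaviour modelled, names assumed)."""

    def __init__(self, strict=True, ignore_prefixes=()):
        self.strict = strict
        self.ignore_prefixes = {p.lower() for p in ignore_prefixes}
        self.ignored = set()

    def ignore_variable(self, scope, name):
        self.ignored.add((scope.lower(), name.lower()))

    def offending(self, scope, param_names):
        """Parameter names in `scope` (url or form) that should be rejected."""
        hits = []
        for name in param_names:
            lname = name.lower()
            if "." not in lname or (scope.lower(), lname) in self.ignored:
                continue
            head = lname.split(".", 1)[0]
            if head in self.ignore_prefixes:
                continue
            if self.strict or head in BUILTIN_SCOPES:
                hits.append(name)
        return hits


if __name__ == "__main__":
    # Constructed request: nothing in session, but ?session.isAdmin=true on the URL.
    scopes = {"session": {}, "url": parse_query("session.isAdmin=true")}
    print("cascading:", is_true(resolve("session.isAdmin", scopes)))         # admin code runs
    print("strict:   ", is_true(resolve("session.isAdmin", scopes, False)))  # it does not
    print("filter:   ", ScopeInjectionFilter(strict=False).offending("url", ["session.isAdmin", "id"]))
```

The filter is cheap enough to run on every request (for example in onRequestStart over the url and form scopes); rejecting the request outright is safer than stripping the parameter, because a stripped name tells you nothing about the attempt.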

(Tue, 03 Mar 2015 22:59:00 GMT)

Upload Files Directly to Amazon S3 using ColdFusion

Here's a quick example showing how to upload a file directly to Amazon S3 (bypassing your server). The tricky part in getting this to work is that you don't want to allow anyone to upload any file anywhere in your S3 account. To accomplish this you create an AWS access control policy, base64 encode it, and then sign it using HMAC-SHA1 with your AWS Secret Key; the browser posts the encoded policy and the signature along with the file, and S3 only accepts the upload if it satisfies every condition in the policy. A policy is a JSON string that might look like this:

{ "expiration": "2014-11-26T13:23:00.000Z",
  "conditions": [
    {"bucket": "example-bucket-name" },
    ["eq", "$key", "image.jpg"],
    {"acl": "public-read" },
    {"redirect": "" },
    ["starts-with", "$Content-Type", "image/"]
  ]
}

To generate this policy dynamically we might do something like this:

<cfset expDate = DateConvert("local2utc", now())>
<cfset expDate = DateAdd("n", 15, expDate)><!--- policy expires in 15 minutes --->
<cfset fileName = CreateUUID() & ".jpg">
<!--- cfsavecontent only interpolates #...# inside cfoutput --->
<cfsavecontent variable="jsonPolicy"><cfoutput>
{ "expiration": "#DateFormat(expDate, "yyyy-mm-dd")#T#TimeFormat(expDate, "HH:mm")#:00.000Z",
  "conditions": [
    {"bucket": "example-bucket-name" },
    ["eq", "$key", "#JSStringFormat(fileName)#"],
    {"acl": "public-read" },
    {"redirect": "" },
    ["content-length-range", 1, 1048576],
    ["starts-with", "$Content-Type", "image/"]
  ]
}
</cfoutput></cfsavecontent>
<cfset b64Policy = toBase64(Trim(jsonPolicy), "utf-8")>
<!--- HMac() returns hex; S3 expects the signature base64 encoded --->
<cfset signature = HMac(b64Policy, variables.awsSecretKey, "HMACSHA1", "utf-8")>
<cfset signature = binaryEncode( binaryDecode( signature, "hex" ), "base64")>

Because we are using the HMac function you must be on CF10+ or Railo 4.1+; if you are on an older version you will need to find a third-party HMAC implementation. Keep variables.awsSecretKey on the server only: the secret never goes into the form, only the signature it produces.

Next you create a form that posts directly to Amazon S3:

<cfoutput>
<form action="" method="post" enctype="multipart/form-data">
    <input type="hidden" name="key" value="#EncodeForHTMLAttribute(fileName)#" />
    <input type="hidden" name="acl" value="public-read" />
    <input type="hidden" name="redirect" value="" />
    <input type="hidden" name="AWSAccessKeyId" value="#EncodeForHTMLAttribute(variables.awsAccessKeyID)#" />
    <input type="hidden" name="Policy" value="#b64Policy#" />
    <input type="hidden" name="Signature" value="#signature#" />
    File: <input type="file" name="file" />
    <input type="submit" name="submit" value="Upload to Amazon S3" />
</form>
</cfoutput>

According to the S3 documentation there are some conditions in which the redirect will not happen:

Please note that the redirect is not guaranteed to be followed. It is possible that an upload would succeed, but that a networking problem on the end-users network prevents them from following the redirect. It is also possible that in certain failure conditions, that a file is actually uploaded but you are not notified about the upload.

To get around this uncertainty you can setup Event Notifications for the S3 bucket you are uploading to.

The other thing to note is that if an error occurs the redirect will not happen and the user will be presented with an XML error message. To handle that more gracefully you could upload the file via AJAX, and then handle the error condition within JavaScript.
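The policy, signature and form fields above, worked through in Python as an added example (this is neither the post's code nor an AWS library): it builds the same policy document, base64-encodes and signs it exactly as the CFML does (HMAC-SHA1 over the base64 policy, then base64 of the digest), and adds a local check_upload() that evaluates a would-be POST against the conditions the way S3 will, so you can unit-test your conditions before pointing a browser at the bucket. Bucket name, key, credentials and the sample POST are placeholders; the redirect condition is left out so that fields and conditions match one to one (add it to both if you use it). One caveat: this is S3's Signature Version 2 browser-POST scheme; regions opened after early 2014 accept only Signature Version 4 (x-amz-credential / x-amz-signature fields), so check which one your bucket's region requires.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

S3_TIME = "%Y-%m-%dT%H:%M:%S.000Z"
# Posted fields that S3 does not require a policy condition for.
UNCHECKED_FIELDS = {"awsaccesskeyid", "policy", "signature", "file"}


def format_s3_time(dt):
    return dt.astimezone(timezone.utc).strftime(S3_TIME)


def parse_s3_time(text):
    return datetime.strptime(text, S3_TIME).replace(tzinfo=timezone.utc)


def build_policy(bucket, key, minutes=15, max_bytes=1048576,
                 content_type_prefix="image/", acl="public-read", now=None):
    """Same condition types as the post: exact bucket, exact key, acl,
    a size window and a Content-Type prefix; expires `minutes` from now."""
    now = now or datetime.now(timezone.utc)
    return {"expiration": format_s3_time(now + timedelta(minutes=minutes)),
            "conditions": [{"bucket": bucket},
                           ["eq", "$key", key],
                           {"acl": acl},
                           ["content-length-range", 1, max_bytes],
                           ["starts-with", "$Content-Type", content_type_prefix]]}


def sign_policy(policy, secret_key):
    """Signature Version 2: base64(policy) and base64(HMAC-SHA1(secret, base64(policy)))."""
    b64 = base64.b64encode(json.dumps(policy, separators=(",", ":")).encode()).decode()
    mac = hmac.new(secret_key.encode(), b64.encode(), hashlib.sha1).digest()
    return b64, base64.b64encode(mac).decode()


def verify_signature(b64_policy, signature, secret_key):
    """What S3 does with the secret it holds for the posted AWSAccessKeyId."""
    mac = hmac.new(secret_key.encode(), b64_policy.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(base64.b64encode(mac).decode(), signature)


def decode_policy(b64_policy):
    return json.loads(base64.b64decode(b64_policy))


def form_fields(access_key_id, key, b64_policy, signature, acl="public-read"):
    """Hidden inputs for the form; the file input must remain the last field."""
    return {"key": key, "acl": acl, "AWSAccessKeyId": access_key_id,
            "Policy": b64_policy, "Signature": signature}


def check_upload(policy, bucket, fields, content_type, content_length, now=None):
    """Evaluate a posted form against the policy the way S3 does; returns the
    list of failed checks (empty means the upload would be accepted)."""
    now = now or datetime.now(timezone.utc)
    failures = []
    if now >= parse_s3_time(policy["expiration"]):
        failures.append("policy expired")
    ctx = {k.lower(): v for k, v in fields.items()}
    ctx["bucket"] = bucket
    if content_type is not None:                       # the Content-Type form field
        ctx["content-type"] = content_type
    covered = set()
    for cond in policy["conditions"]:
        if isinstance(cond, dict):                     # {"name": exact value}
            (name, expected), = cond.items()
            ok = ctx.get(name.lower()) == expected
        elif cond[0] == "content-length-range":        # [op, min, max]
            name, ok = None, cond[1] <= content_length <= cond[2]
        else:                                          # [op, "$name", value]
            op, name, value = cond
            actual = ctx.get(name.lstrip("$").lower())
            ok = (actual == value) if op == "eq" else (
                op == "starts-with" and actual is not None and str(actual).startswith(value))
        if name:
            covered.add(name.lstrip("$").lower())
        if not ok:
            failures.append(f"condition failed: {cond}")
    # Every posted field must be matched by a condition, or S3 rejects the POST.
    for extra in sorted(set(ctx) - covered - UNCHECKED_FIELDS):
        failures.append(f"field not covered by policy: {extra}")
    return failures


if __name__ == "__main__":
    # Placeholder credentials: the secret key stays on the server, never in the page.
    policy = build_policy("example-bucket-name", "image.jpg")
    b64, sig = sign_policy(policy, "AWS_SECRET_KEY_PLACEHOLDER")
    fields = form_fields("AKIA_PLACEHOLDER", "image.jpg", b64, sig)
    print(json.dumps(fields, indent=2))
    print("accepted:", check_upload(policy, "example-bucket-name", fields, "image/png", 4096) == [])
```

Two things the local check makes visible: the starts-with condition is evaluated against a form field named Content-Type, so the form should carry one (the post's form does not), and any extra hidden field you add to the form without a matching condition makes S3 reject the whole POST.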

(Wed, 26 Nov 2014 22:19:00 GMT)

Minor Update

As you may know I run a few doc shortcut sites, for CFML has been going quite well since publishing the source on github with a bunch of community contributions.

The other site I use a lot is, I recently updated it to point to Java SE Version 8, and JEE Version 7. I also added package shortcuts to it, so you can hit urls like and get a summary of all the classes / interfaces in that package.

I hope you find the sites handy.

(Tue, 28 Oct 2014 22:51:00 GMT)

nginx Directive rewrite is not terminated

I have been setting up some sites on nginx today (moving from an apache server) and have been pretty happy with how an Apache rewrite rule like:

RewriteRule /foo/([0-9]+)/ /foo.cfm?id=$1

Can be done in nginx like this:

rewrite /foo/([0-9]+)/ /foo.cfm?id=$1;

This was working great until I ran into this error:

[emerg] 4603#0: directive "rewrite" is not terminated by ";" in /etc/nginx/sites-enabled/

But the line referenced did end with a semicolon!

It turns out the problem was that my rewrite rule had {} in it, for example:

rewrite ^/archive/([0-9]{4})/ /archive.cfm?year=$1;

Replacing the {4} with simply a + worked (though is less precise).
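As an alternative that keeps the {4} quantifier (added here, not part of the post): nginx's documentation for the rewrite directive states that a regular expression containing the } or ; characters must be enclosed in single or double quotes, because the configuration parser otherwise reads the brace as a block delimiter.

```nginx
# Unquoted, the parser treats "{4}" as a block and reports
# 'directive "rewrite" is not terminated by ";"'. Quoting fixes it:
rewrite "^/archive/([0-9]{4})/" /archive.cfm?year=$1;
```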

(Sat, 18 Oct 2014 01:47:00 GMT)

Using Mozilla's Certificate Authority List for Java SSL

Every so often you run into an issue where you need to import a certificate authority's certificate into Java's cacerts certificate authority file. Oracle does update the cacerts file every so often, but it never seems to be as up to date as a browser like Firefox.

Mozilla, the folks that make Firefox and other great internet software, have a rigorous process for approving certificate authorities before allowing their software to trust the certificates they sign. Once a certificate authority has been approved, its certificate makes its way into the NSS (Network Security Services) libraries, which is what Firefox and other software use to determine if they can trust a particular cert. The certificates can be found in the NSS source code: here.

Lots of Linux / open source software uses Mozilla's list of certificate authorities, most notably curl -- the curl project has also built a nice utility, mk-ca-bundle, to grab Mozilla's source data and build a PEM file from it.

So we can use this utility to build a file that can replace the cacerts file that Java ships with. We will use one additional utility called keyutil to convert the certificate file into the JKS (Java keystore) format. You could also use openssl to convert the PEM file to PKCS12 and then import it using Java's keytool executable.

Here's a shell script that builds a Java keystore out of the Mozilla trusted certificate authority list.


curl -o certdata.txt ''

perl -n > ca-bundle.crt

java -jar keyutil-0.4.0.jar --import --new-keystore trustStore.jks --password changeit --import-pem-file ca-bundle.crt

Now you can specify the JVM arguments to have it use the new SSL certificate authority file:

If you specified a password other than changeit you will also need to pass the password into the JVM arguments:
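Once keyutil has built trustStore.jks, you will want to confirm that everything in ca-bundle.crt actually landed in it. Here is an added Python check (not from the post) that splits the PEM bundle, computes keytool-style fingerprints of each certificate, and compares them against the output of keytool -list -keystore trustStore.jks (plain -list, without -v; its "Certificate fingerprint (SHA-256): ..." lines are assumed from keytool's output format, and the "(SHA1)" wording of older JDKs is handled too). The sample bundle in the block is constructed and contains no real certificates, only a few base64-encoded bytes to exercise the parser.

```python
import base64
import hashlib
import re
import sys

PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)
# One line per trustedCertEntry in `keytool -list` output (wording assumed from keytool).
KEYTOOL_FP_RE = re.compile(r"Certificate fingerprint \((SHA-?256|SHA-?1)\):\s*([0-9A-Fa-f:]+)")


def pem_certificates(bundle_text):
    """DER bytes of every certificate in a PEM bundle such as ca-bundle.crt."""
    return [base64.b64decode("".join(body.split())) for body in PEM_CERT_RE.findall(bundle_text)]


def fingerprint(der, algorithm="sha256"):
    """Colon-separated upper-case hex digest of the DER, as keytool prints it."""
    hexdigest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def keytool_fingerprints(listing_text):
    """Set of fingerprints (either algorithm) found in keytool -list output."""
    return {fp.upper() for _, fp in KEYTOOL_FP_RE.findall(listing_text)}


def missing_from_keystore(bundle_text, listing_text):
    """SHA-256 fingerprints of bundle certificates the keystore listing lacks."""
    present = keytool_fingerprints(listing_text)
    missing = []
    for der in pem_certificates(bundle_text):
        if fingerprint(der, "sha256") not in present and fingerprint(der, "sha1") not in present:
            missing.append(fingerprint(der, "sha256"))
    return missing


# Constructed sample in mk-ca-bundle's layout. The bodies are NOT real
# certificates, just a few base64-encoded bytes, enough to exercise the parser.
SAMPLE_BUNDLE = """\
##
## Bundle of CA Root Certificates (constructed sample)
##

Example Root CA 1
=================
-----BEGIN CERTIFICATE-----
MIIBAQIBAQ==
-----END CERTIFICATE-----

Example Root CA 2
=================
-----BEGIN CERTIFICATE-----
MIIBAgIBAg==
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:   # python check_truststore.py ca-bundle.crt keytool-list.txt
        with open(sys.argv[1]) as fh:
            bundle = fh.read()
        with open(sys.argv[2]) as fh:
            listing = fh.read()
    else:                    # no arguments: run against the constructed sample
        bundle = SAMPLE_BUNDLE
        listing = "Certificate fingerprint (SHA-256): " + fingerprint(pem_certificates(bundle)[0])
    gone = missing_from_keystore(bundle, listing)
    print(f"{len(pem_certificates(bundle))} certs in bundle, {len(gone)} missing from keystore")
    for fp in gone:
        print("  missing:", fp)
```

Save keytool -list -keystore trustStore.jks -storepass changeit to a file and pass it as the second argument; a non-empty "missing" list means the import silently dropped something (duplicate aliases are the usual cause), which is worth knowing before you point a JVM at the new store.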

(Fri, 06 Jun 2014 21:05:00 GMT)
