Download Firefox -  a safer, easier to use web browser. Return to iribbit.net - Leap into the online experience! Return to iribbit.net - Leap into the online experience! iribbit.net - Leap into the online experience!

Project News :.

The latest project to launch was the site for Gorilla Offroad Company. Aside from their main site, a social media strategy was develop to launch the company into various industry specific automobile enthusist discussion board communities as well as popular social media fronts like Facebook, Pinterest, and Twitter.


Valid XHTML 1.0 Transitional

Valid CSS!

Section 508 Compliant

powered by: Macromedia ColdFusion MX

made with: Macromedia Dreamweaver MX

What is RSS

XML - often denotes RSS Feed information.

Macromedia - ColdFusion Programming
white horizontal rule

ColdFusion News :.

To bring a little life to my site, I've pulled a couple What is RSS Feeds into this page. You can currently choose between the technology related news stories from the following news sources:



You are currently viewing and RSS Feed from Pete Freitag's Blog.



Why is my cron.daily script not running?

Over the years when setting up servers I have run into the various ways that your cron.daily or cron.hourly scripts manage to fail to run. Today I ran into a new reason which I don't recall running into before, maybe something has changed or maybe I just never ran into it.

I ran into the problem on a Ubuntu 16.04 LTS server - I placed a script in /etc/cron.daily/my_script.sh but it was not running.

I checked all the usual suspects, the reasons I was aware of that cause a cron script to be ignored:

  • The script must have the x permission
  • The script did not depend on certain environment variables being set (for example if you rely on $HOME to be set, you may need to define it yourself). Cron scripts do not have all the same environment variables that you have when you are logged in to a shell, so the script can work when you run it but fail when cron runs it.
  • The script did not rely on a customized PATH to execute commands. The PATH that cron gives your script will be minimal, and if you have made customizations to it they may not show up. The best way around this is to use the full path to your commands (use the which command to help figure this out).

But my problem was not any of the above. I found that you can execute the run-parts command in a test mode to see which scripts it would call in a directory. You can run it like this (it will not execute any of the scripts, it just outputs which ones it would execute):

run-parts --test /etc/cron.daily

My script was not listed in the output! Well, that was comforting at least but why was it not listed? It turns out you cannot have a file extension on the script, so by renaming the script from my_script.sh to my_script it works!


(Wed, 10 Jan 2018 20:34:00 GMT)
[view article in new window]

Announcing FuseGuard Version 3
FuseGuard 3

After many hours in development and testing we are proud to announce the release of FuseGuard 3! FuseGuard 3 ships with 11 new filters, 1 new logger and several additional improvements to better protect your CFML applications.

With FuseGuard 3 we've tweaked and improved the protections that were included in version 2, and have added new methods identifying malicious requests. The result is that more malicious requests to your applications can be detected, blocked, and logged with FuseGuard 3.

What is FuseGuard?

If you are not familiar with FuseGuard, it is a web application firewall written in CFML. It runs onRequestStart to block or log malicious requests made to your application. If configured to, FuseGuard will block the malicious request before it hits your application code. It can also log these events.

What's New in FuseGuard 3?

Configuring FuseGuard is now much easier as FuseGuard 3 can be fully configured from within the FuseGuard Manager web admin. That means you can add filters, edit filter settings, and do it all from the web UI. If you want to keep using the CFC based configuration you used in FuseGuard 2 that is also still fully supported.

Configure Filters in FuseGuard Manager
FuseGuard 3 Filters

There are 11 new filters in FuseGuard 3:

  • Geographical Filter - Does your application only serve users in a specific geographic region? FuseGuard 3 makes it easy to connect IP country data to whitelist or blacklist IP addresses based upon country.
  • Remote Execution Filter - this new filter looks for several patterns used to exploit CFML specific remote code execution vulnerabilities.
  • XML Entity Injection Filter - looks for xml entity injection patterns.
  • Shell Execution Filter - looks for common shell execution patterns and paths.
  • Remote Method Filter - block remote CFC method calls or SOAP requests.
  • HoneyPot Filter - Uses project honeypot data to block malicious IP addresses.
  • XML External DTD Filter - looks for xml external DTD patterns.
  • User Agent Filter - looks for malicious or malformed user agents.
  • IP BlackList Filter - easily black list IPs using the IP List managers
  • IP WhiteList Filter - create IP whitelists easily.
  • File Upload Content Filter - inspects file upload contents for executable CFML experimental.

Those filters listed above are just the new filters in FuseGuard 3, the 18 filters which were part of FuseGuard 2 are also included which look for things like SQL Injection, Cross Site Scripting, Path Traversals, Malicious File Uploads, Null Byte Injection and more.

The FuseGuard manager UI has been updated and improved in this version, here are a few screenshots:

Updated FuseGuard Manager UI
FuseGuard 3 Dashboard
FuseGuard 3 Logs

New Subscription Pricing

We are now offering FuseGuard with subscription pricing for an annual term. A one year subscription allows you to always have access to the latest version of FuseGuard.

PS: here's a coupon code for you: Take $50 off your FuseGuard 3 order when you order by December 31 2017. Use Coupon Code: fuseguard2017


(Thu, 30 Nov 2017 23:47:00 GMT)
[view article in new window]

CFSummit 2017

It was another great ColdFusion Summit event in Las Vegas this year. My company Foundeo Inc. was a sponsor again this year. It was great to meet so many new people this year. During the keynote Tridib Roy Chowdhury asked for a show of hands as to how many people were attending for the first time. It was impossible to count, but to me it looked like about half the room were first time attendees. That was great to see.

This year I did another full day training on Writing Secure CFML for the pre-conference. It was sold out at 50 seats and was a lot of fun to present. The demo code for that session can be found here: github.com/foundeo/cfml-security-training. I don't publish the slides for this topic because I offer this CFML security training commercially as well.

On Thursday my company announced FuseGuard 3 which is a new update to our web application firewall product for CFML. I will post a blog entry with more details on that later this week.

Finally on Friday I presented on Securing Mature CFML Code Bases (slides, code).

Looking forward to another CFSummit in 2018.


(Tue, 28 Nov 2017 00:09:00 GMT)
[view article in new window]

Java Unlimited Strength Crypto Policy for Java 9 or 1.8.0_151

Starting with Java 1.8.0_151 and 1.8.0_152 there is a new somewhat easier way to enable the unlimited strength jurisdiction policy for the JVM. Without enabling this you cannot use AES-256 for example.

First download the JRE, I like to use the server-jre for servers. When you extract the server-jre look for the file java.security in the jre/lib/security folder. For example for Java 1.8.0_152 the file structure looks like this:

/jdk1.8.0_152
   |- /jre
        |- /lib
              |- /security
                    |- java.security

Now open java.security with a text editor and look for the line that defines the java security property crypto.policy it can have two values limited or unlimited - the default is limited.

By default you should find a commented out line:

#crypto.policy=unlimited

You can enable unlimited by uncommenting that line, remove the #:

crypto.policy=unlimited

Now restart your java applications that point to the JVM and you should be all set.


(Thu, 19 Oct 2017 21:27:00 GMT)
[view article in new window]

Java 9 Security Enhancements

With the General Availability release of Java 9 scheduled for today, I thought it would be appropriate to go over the new features that pertain to security.

Implement HTTP/2 Client
Implementation of a HTTP/2 Client in the standard java SDK. JEP 110

SHA-3 Hash Algorithms
Implements the SHA-3 cryptographic hash functions defined by NIST FIPS 202: SHA3-224, SHA3-256, SHA3-384, and SHA3-512. JEP 287

Improve Secure Application Performance
Improves performance of applications that run with a SecurityManager enabled. JEP 232

Disable SHA-1 Certificates
Allows you to disable X.509 certificate chains with SHA-1 based signatures (eg TLS / HTTPS). JEP 288

TLS Application-Layer Protocol Negotiation Extension (ALPN)
Implements the ALPN TLS extension, needed for HTTP/2. JEP 244

Create PKCS12 Keystores by Default
Instead of the proprietary JKS format, use standard PKCS12 format. JEP 229

OCSP Stapling for TLS
Implements OCSP stapling via TLS Certificate Status Request Extension and Multiple Certificate Status Request Extension. JEP 249

Leverage CPU Instructions for GHASH and RSA
Improves performance by leveraging CPU instructions. JEP 246

DRBG-Based SecureRandom Implementations
Implements Deterministic Random Bit Generator defined in NIST 800-90Ar1. JEP 273

Filter incoming serialization data
Allows filtering of incoming streams of object-serialization data. JEP 290

Datagram Transport Layer Security (DTLS) API
Defines an API for working with DTLS (RFC 4347). JEP 219

Overall some nice security improvements to look forward to.


(Thu, 21 Sep 2017 22:33:00 GMT)
[view article in new window]

Upcoming CFML Conferences in April 2017

I will be speaking at two conferences this month.

The conference is the Adobe CFSummit East also known as the Adobe ColdFusion Government Summit. It will be held on April 18-19, 2017 in Washington DC. The first day is two half day hands on sessions, I will be presenting the first session which is a CFML security training class (sold out). On day two I will be presenting a 1hr session: Bulletproof Your Adobe ColdFusion Server with the Lockdown Guide.

This conference is free to attend, so if you are on the east cost it may be worth it to consider attending. Other speakers besides myself include: Rakshith Naresh, Giancarlo Gomez, Matt Hintze, Elishia Dvorak, Charlie Arehart, Dan Wilson, Nolan Erck, Masha Edelen, and Dan Fredericks. The opening keynote will be given by Tridib Roy Chowdhury & Steve Drucker. My company Foundeo Inc. is a sponsor of the event.

The following week is the Into the Box Conference. This conferences is loaded with tons of great speakers and should be a really good place to learn the latest techniques for modern CFML development. While the conference organized on by the makers of the ColdBox framework, you don't need to use ColdBox to get a lot out of this conference. Many of the tools in the Box ecosystem can be utilized on their own and can provide great benefits to developers. Take for example CommandBox, if you are not using this tool spend 5 minutes looking into it right now and find out why you should be.

At Into the Box I will be speaking on Securing CFML Codebases, a look at techniques to improve the security of your existing CFML codebase.


(Tue, 04 Apr 2017 22:14:00 GMT)
[view article in new window]

CFSummit 2016 Slides

Here are my slides from the Adobe ColdFusion Summit 2016 conference in Las Vegas:

The conference appeared to be a great success with about 500 people in attendance. My company Foundeo Inc. was a Gold Sponsor again this year. I met a lot of great ColdFusion developers, thanks for saying hello.

I also presented a full day pre-conference workshop on CFML Security along with Dave Epler. This session went very well and was sold out at 50 people. For this session (and other CFML security training classes I teach) I built a CFML web application called Bank of Insecurity you can find the code on github here.


(Tue, 18 Oct 2016 01:02:00 GMT)
[view article in new window]

Securing Legacy CFML - dev.Objective() 2016 Slides

Back from another great dev.Objective() conference in Minneapollis. This year Foundeo was a sponsor, and I spoke on Securing Legacy CFML Code. Find the slides here.
(Mon, 20 Jun 2016 23:10:00 GMT)
[view article in new window]

My CFSummit 2015 Slide Decks

I was fortunate enough to be able to do two different talks this year at the Adobe CFSummit 2015 conference.

My first session, was a hands on Pre-Conference workshop taught by David Epler and myself, it was titled: Hack & Fix - Hands on ColdFusion Security Training. This was a 3 hour workshop which had a VM preloaded with the hackable CFML training app: HackableType that was first created by Jason Dean and I in 2010. Students then try to hack the vulnerable code, and then fix it. It went very well thanks to David, and all who attended!

Hack & Fix - Hands on ColdFusion Security Training - View Slides

For my second session I presented on Locking down ColdFusion Servers, an overview of the ColdFusion 11 Lockdown Guide. View Slides

My company Foundeo was a Gold sponsor of CFSummit 2015. I enjoyed meeting lots of our HackMyCF and FuseGuard customers and hopefully a few soon to be customers!


(Fri, 13 Nov 2015 02:05:00 GMT)
[view article in new window]

Adding Chrome Custom Search for CFDocs

I read some complaints recently that the new Adobe documentation site is not friendly with a chrome custom search engine (because the URIs are different based on what the tag/function starts with).

If you want to setup a custom search engine in chrome, it is really easy:

  1. Using Chrome go to chrome://settings/searchEngines
  2. Scroll down to an empty text box that says Add a new search engine
  3. In the first box type cfdocs.org in the second box type cf and in the third box type http://cfdocs.org/%s

Now type cf followed by a space in the address bar, and then a tag or function name.


(Fri, 16 Oct 2015 20:07:00 GMT)
[view article in new window]


© The connection to the FREITAG's RSS feed has timed out - please try again later. We are sorry for any inconvenience this may have caused.