iribbit.net - Leap into the online experience!

Project News :.

The latest project to launch was the site for Gorilla Offroad Company. Aside from their main site, a social media strategy was developed to launch the company into various industry-specific automobile enthusiast discussion board communities as well as popular social media fronts like Facebook, Pinterest, and Twitter.



powered by: Macromedia ColdFusion MX

made with: Macromedia Dreamweaver MX


ColdFusion News :.

To bring a little life to my site, I've pulled a couple of RSS feeds into this page. You can currently choose between technology-related news stories from the following news sources:

You are currently viewing an RSS feed from Pete Freitag's Blog.



nginx Directive rewrite is not terminated

I have been setting up some sites on nginx today (moving from an Apache server) and have been pretty happy with how an Apache rewrite rule like:

RewriteRule /foo/([0-9]+)/ /foo.cfm?id=$1

Can be done in nginx like this:

rewrite /foo/([0-9]+)/ /foo.cfm?id=$1;

This was working great until I ran into this error:

[emerg] 4603#0: directive "rewrite" is not terminated by ";" in /etc/nginx/sites-enabled/example.com.conf:26

But the line referenced did end with a semicolon!

It turns out the problem was that my rewrite rule had {} in it, for example:

rewrite ^/archive/([0-9]{4})/ /archive.cfm?year=$1;

Replacing the {4} with simply a + worked (though is less precise).
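The nginx documentation says that a regular expression containing `{` or `}` must be enclosed in single or double quotes, because the configuration parser otherwise reads the braces as block delimiters; that is what produced the "not terminated" error above. The following is an added example, not code from the post: a small lint that finds rewrite directives with unquoted braces in a config file and emits the quoted form, so the precise `{4}` quantifier can be kept instead of being loosened to `+`. The sample config is constructed for the demo and is not a real site's configuration.

```shell
#!/bin/sh
# Added example (not from the post): nginx reads an unquoted "{" in a rewrite
# regex as the start of a block, so the directive looks unterminated. Quoting
# the regex keeps the precise {4} quantifier.
# Constructed sample config (not a real site); line 2 is the broken form,
# line 3 the quoted fix.
SAMPLE_CONF='rewrite ^/foo/([0-9]+)/ /foo.cfm?id=$1;
rewrite ^/archive/([0-9]{4})/ /archive.cfm?year=$1;
rewrite "^/archive/([0-9]{4})/" /archive.cfm?year=$1;'

# List rewrite lines (with line numbers) in file $1 whose regex argument
# contains a brace and is not already quoted. Exit status 1 if any were found.
unquoted_brace_rewrites() {
    awk -v q="'" '
        $1 == "rewrite" && $2 ~ /[{}]/ && $2 !~ ("^[\"" q "]") {
            print NR ": " $0; bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Print file $1 with every offending regex wrapped in double quotes.
quote_brace_rewrites() {
    awk -v q="'" '
        $1 == "rewrite" && $2 ~ /[{}]/ && $2 !~ ("^[\"" q "]") {
            $2 = "\"" $2 "\""
        }
        { print }
    ' "$1"
}

# Demo on the constructed config.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$tmp"
echo "Unquoted brace regexes:"
unquoted_brace_rewrites "$tmp" || true
echo "Corrected config:"
quote_brace_rewrites "$tmp"
rm -f "$tmp"
```

Run the lint over a site file before `nginx -t`; the quoted form is what to keep in the config, since `+` would also accept `/archive/20133/`.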


(Sat, 18 Oct 2014 01:47:00 GMT)

Using Mozilla's Certificate Authority List for Java SSL

Every so often you run into an issue where you need to import a certificate signing authority's certificate into Java's cacerts certificate authority file. Oracle does update the cacerts file every so often, but it never seems to be as up to date as a browser like Firefox.

Mozilla, the folks that make Firefox and other great internet software, have a rigorous process for approving certificate signing authorities before allowing their software to trust the certificates they sign. Once a certificate has been approved it makes its way into the NSS (Network Security Services) libraries, which is what Firefox and other software use to determine if they can trust a particular cert. The certificates can be found in the NSS source code: here.

Lots of Linux / open source software uses Mozilla's list of certificate authorities, most notably curl -- they have also built a nice utility, called mk-ca-bundle, to grab Mozilla's source code and build a PEM file.

So we can use this utility to build a file that can replace the cacerts file that Java ships with. We will use one additional utility called keyutil to convert the certificate file into the JKS (Java keystore) file format. You could also potentially use openssl to convert the PEM file to PKCS12 and then import it using Java's keytool executable.

Here's a shell script that builds a Java keystore out of the Mozilla trusted certificate authority list.

#!/bin/sh
set -e

# Fetch Mozilla's certdata.txt from the NSS source tree
curl -o certdata.txt 'https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1'

# Convert it to a PEM bundle with curl's mk-ca-bundle.pl (-n: use the local certdata.txt instead of downloading it)
perl mk-ca-bundle.pl -n > ca-bundle.crt

# Import the PEM bundle into a new JKS trust store
java -jar keyutil-0.4.0.jar --import --new-keystore trustStore.jks --password changeit --import-pem-file ca-bundle.crt

Now you can specify the JVM arguments to have it use the new SSL certificate authority file:

-Djavax.net.ssl.trustStore=/path/to/trustStore.jks

If you specified a password other than changeit you will also need to pass the password into the JVM arguments:

-Djavax.net.ssl.trustStorePassword=yourPassword
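The post mentions keytool as an alternative to the keyutil jar. As an added example (not the post's script), here is that route using only the JDK's keytool: it checks the PEM bundle is not truncated, splits it into one file per certificate (keytool imports a single certificate per call), and imports each under a numbered alias into `trustStore.jks` with the `changeit` password used above. The two-certificate bundle built in the demo is constructed with dummy bodies, so the keytool step only runs when a real bundle path is passed as the first argument and keytool is installed.

```shell
#!/bin/sh
# Added example (not from the post): build the JKS trust store with only the
# JDK's keytool instead of the keyutil jar. keytool imports one certificate per
# call, so the PEM bundle from mk-ca-bundle.pl is first split into one file per
# certificate and each is imported under its own alias.
set -e

# Sanity check before replacing cacerts: the bundle must contain at least one
# certificate and every BEGIN marker must have a matching END marker.
pem_bundle_ok() {
    b=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    e=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ]
}

# Split PEM bundle $1 into $2/cert-1.pem, $2/cert-2.pem, ... and print the count.
split_pem_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }
    ' "$1"
}

# Import every cert-*.pem in $1 into JKS trust store $2 with store password $3.
import_pem_dir() {
    for f in "$1"/cert-*.pem; do
        alias=$(basename "$f" .pem)
        keytool -importcert -noprompt -trustcacerts -alias "$alias" \
            -file "$f" -keystore "$2" -storepass "$3"
    done
}

# Demo. With no argument a constructed two-certificate bundle with dummy
# bodies is used, so the keytool import is only attempted on a real bundle
# passed as $1 (for example the ca-bundle.crt produced by mk-ca-bundle.pl).
work=$(mktemp -d)
bundle=${1:-"$work/bundle.crt"}
if [ ! -f "$bundle" ]; then
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIDUMMY' '-----END CERTIFICATE-----' \
                  '-----BEGIN CERTIFICATE-----' 'MIIDUMMY' '-----END CERTIFICATE-----' > "$bundle"
fi
pem_bundle_ok "$bundle" || { echo "bundle looks truncated or empty: $bundle" >&2; exit 1; }
echo "certificates in bundle: $(split_pem_bundle "$bundle" "$work")"
if [ $# -ge 1 ] && command -v keytool >/dev/null 2>&1; then
    import_pem_dir "$work" trustStore.jks changeit
    echo "trusted entries in trustStore.jks: $(keytool -list -keystore trustStore.jks -storepass changeit | grep -c trustedCertEntry)"
fi
rm -rf "$work"
```

The resulting trustStore.jks is used with the same `-Djavax.net.ssl.trustStore` argument shown above. Counting the BEGIN/END markers first is worth the extra lines: a download that stops midway yields a bundle that imports without error but silently trusts fewer roots than intended.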

(Fri, 06 Jun 2014 21:05:00 GMT)

SessionRotate solution for JEE Sessions

As you may know the new ColdFusion 10 function SessionRotate works great if you are using ColdFusion sessions (CFID, CFTOKEN), but it doesn't actually rotate the session id or invalidate the underlying J2EE session if you are using JEE sessions. This is documented and by design, because a single J2EE session can span multiple ColdFusion applications on the same domain.

You can still rotate your J2EE sessions, but keep in mind that if you have multiple CF applications on the same domain it will only keep info for the current session (you could probably modify the code to get that working).

<cffunction name="jeeSessionRotate" output="false" returntype="string">
	<cfset var sessionScope = Duplicate(session)>
	<cfset var req = getPageContext().getRequest()>
	<cfset StructDelete(sessionScope, "sessionid")>
	<cfset StructDelete(sessionScope, "urltoken")>
	<!--- invalidate old session --->
	<cfset req.getSession().invalidate()>
	<!--- create a new JEE session --->
	<cfset local.newSession = req.getSession(true)>
	<!--- copy the old session scope into a temp key in the new session, handled in onSessionStart --->
	<cfif NOT StructIsEmpty(sessionScope)>
		<cfset local.newSession.setAttribute("jeeSessionRotateOldSession", sessionScope)>	
	</cfif>
	<cfreturn local.newSession.getId()>
</cffunction>

In your code, call the above function to rotate the J2EE session; it will store the old session scope in the new J2EE session directly under the key jeeSessionRotateOldSession.

Then in the onSessionStart function of your Application.cfc add the following to bring the old session data back into the new CF session:

<cffunction name="onSessionStart">
	<cfset session.startTime = now()>
	<cfset local.oldSession = getPageContext().getRequest().getSession().getAttribute("jeeSessionRotateOldSession")>
	<cfif NOT IsNull(local.oldSession) AND NOT structIsEmpty(local.oldSession)>			
		<cfloop list="#StructKeyList(local.oldSession)#" index="local.key">
			<cfif NOT StructKeyExists(session, local.key)>
				<cfset session[local.key] = local.oldSession[local.key]>
			</cfif>
		</cfloop>	
		<cfset getPageContext().getRequest().getSession().removeAttribute("jeeSessionRotateOldSession")>
	</cfif>
</cffunction>  

This is needed because the CF session scope is no longer usable after you run jeeSessionRotate(), so we need to wait until onSessionStart is invoked again with the new JEE session to copy the old CF session scope back over.

Note that the jeeSessionRotate function above only copies values set via CF's session scope; it doesn't copy any values that other JEE applications might have set. It could be modified to do that if you needed to.


(Fri, 28 Mar 2014 17:26:00 GMT)

False TemplateNotFoundException ColdFusion 9

I was working on a server (CF9.0.2, Windows 2008, IIS 7.5) installation today and ran into what I thought at first was an IIS connector issue. When I set up the server in IIS 6 compatibility mode, it simply returned a blank page; using the IIS 7 connector for ColdFusion 9 showed me an IIS error page with a 404.0 response from the JWildCardHandler in ExecuteRequestHandler. The file that I was trying to serve was there, and IIS had permission to read it. It was not a 404!

I then realized it was not an IIS connector issue (even though it really looked like it to me), but the problem was on the CF side.

In my exception.log I found:

"Error","jrpp-0","03/17/14","15:13:57",,"Could not find the ColdFusion component or interface C:\sites\test\Application.cfc.Ensure that the name is correct and that the component or interface exists. The specific sequence of files included or processed is: C:\sites\test\index.cfm'' "
coldfusion.runtime.CfJspPage$NoSuchTemplateException: Could not find the ColdFusion component or interface C:\sites\test\Application.cfc.
	at coldfusion.runtime.TemplateClassLoader.newInstance(TemplateClassLoader.java:565)
	at coldfusion.runtime.TemplateClassLoader.newInstance(TemplateClassLoader.java:541)
	at coldfusion.runtime.TemplateProxyFactory.getCFCInstance(TemplateProxyFactory.java:271)
	at coldfusion.runtime.TemplateProxyFactory.resolveName(TemplateProxyFactory.java:174)
	at coldfusion.runtime.TemplateProxyFactory.resolveName(TemplateProxyFactory.java:159)
	at coldfusion.runtime.TemplateProxyFactory.resolveFile(TemplateProxyFactory.java:120)
	at coldfusion.cfc.CFCProxy.(CFCProxy.java:92)
	at coldfusion.runtime.AppEventInvoker.(AppEventInvoker.java:48)
	at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:192)
	at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48)
	at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
	at coldfusion.filter.PathFilter.invoke(PathFilter.java:94)
	at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70)
	at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
	at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
	at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)
	at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
	at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
	at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)
	at coldfusion.CfmServlet.service(CfmServlet.java:201)
	at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
	at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
	at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
	at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
	at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
	at jrun.servlet.FilterChain.service(FilterChain.java:101)
	at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
	at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
	at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
	at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
	at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
	at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)
	at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
	at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)
	at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
"Error","jrpp-0","03/17/14","15:13:57",,"File not found: C:\ColdFusion9\wwwroot\WEB-INF\exception\coldfusion\runtime\ApplicationException.cfm The specific sequence of files included or processed is: C:\ColdFusion9\wwwroot\WEB-INF\exception\coldfusion\runtime\ApplicationException.cfm'' "
coldfusion.runtime.TemplateNotFoundException: File not found: C:\ColdFusion9\wwwroot\WEB-INF\exception\coldfusion\runtime\ApplicationException.cfm
	at coldfusion.runtime.TemplateClassLoader.newInstance(TemplateClassLoader.java:567)
	at coldfusion.tagext.lang.IncludeTag.setTemplate(IncludeTag.java:191)
	at coldfusion.tagext.lang.IncludeTag.setTemplatePath(IncludeTag.java:111)
	at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:64)
	at coldfusion.filter.CfincludeFilter.include(CfincludeFilter.java:33)
	at coldfusion.filter.ExceptionFilter.runBuiltInHandler(ExceptionFilter.java:552)
	at coldfusion.filter.ExceptionFilter.handleException(ExceptionFilter.java:329)
	at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:84)
	at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
	at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
	at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)
	at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
	at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
	at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)
	at coldfusion.CfmServlet.service(CfmServlet.java:201)
	at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
	at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
	at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
	at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
	at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
	at jrun.servlet.FilterChain.service(FilterChain.java:101)
	at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
	at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
	at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
	at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
	at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
	at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)
	at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
	at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)
	at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

The Application.cfc was there and ColdFusion had read permission to it; the ApplicationException.cfm was there and the ColdFusion user also had read permission to it.

I was getting this coldfusion.runtime.TemplateNotFoundException but the templates really were there!

So what was the problem?

I had denied write access to C:\ColdFusion9\wwwroot\ for ColdFusion's user account. So what I think happened is that ColdFusion tried to compile the cfm and cfc files (it needs to write the compiled classes into the WEB-INF folder), didn't have permission to write them, and threw a TemplateNotFoundException on the file it was trying to compile... even though CF did find it and could read it; it just couldn't save the compiled class.

I had to blog this one because it is such an obscure exception, not sure if too many people will encounter it, but just in case...


(Mon, 17 Mar 2014 21:33:00 GMT)

ColdFusion defaults avoid flawed Random Number Generator

I've been researching a very interesting security topic for the past few weeks related to the Snowden NSA leaks and even related to ColdFusion. Thankfully Adobe's default settings avoid the weakness.

According to reports, the NSA designed a backdoor into a random number generator algorithm, and was able to push it through NIST to be approved in 2006 as a FIPS standard. While the algorithm is apparently not named in the documents, all evidence points to an algorithm called Dual Elliptic Curve Deterministic Random Bit Generator (or Dual_EC_DRBG or ECDRBG). I am not qualified to explain the flaws in this algorithm, so I'll point you to someone who has explained it well, Matthew Green, a cryptographer and research professor at Johns Hopkins University.

So how does this relate to ColdFusion?

The Enterprise version of ColdFusion has shipped with a library called BSafe Crypto-J from RSA, a Java security provider that implements FIPS-compliant crypto algorithms and allows CF's crypto to be FIPS compliant.

It turns out that RSA's default random number generator for its BSafe libraries is ECDRBG! This is interesting because ECDRBG is much slower than other secure random number generator algorithms approved by FIPS, and doubts about its security were published in 2007. Read more about this here.

So if ColdFusion is using BSafe are we at risk?

ColdFusion start up scripts specify -Dcoldfusion.jsafe.defaultalgo=FIPS186Random as a jvm argument (jvm.config) by default (I checked CF8, 9 and 10 installs and they all had it, but you should double check yours). It was unclear to me if FIPS186Random was still going to use ECDRBG since it is a FIPS 186 approved algorithm, so I contacted Adobe about this and suggested they contact RSA for clarification. The response I received from Adobe was:

We confirmed with RSA as well, FIPS186Random is safe to use and does not make use of ECDRBG variants of algorithms.

Adobe has just posted a blog entry about the issue.

So you need to make sure that you have not removed that line of configuration, or else you may be using the default one.

How can I find out which Random Number Generator is default?

Run the following CFML code:

<cfset secureRand = CreateObject("java", "java.security.SecureRandom")>
<cfdump var="#secureRand.getAlgorithm()#">

What is at risk if I'm using ECDRBG?

Random numbers are used in key generation, so this could weaken SSL/TLS connections made by your code (e.g. a CFHTTP call to an HTTPS URL). Random numbers are also used in session identifier generation. Presumably an attacker that understands how to exploit the weakness could more accurately guess valid session identifiers.

How can I change the BSafe default RNG algorithm?

According to the RSA documentation you can set the java system property -Dcom.rsa.crypto.default.random to another algorithm (for example HMACDRBG). Adobe however has their own system property -Dcoldfusion.jsafe.defaultalgo that you can set for ColdFusion (in the jvm.config file).

What if I am running CF Standard not Enterprise?

The RSA BSafe Crypto-J libraries should only be enabled on Enterprise installations of ColdFusion. Either way, you can double check which random number generator is the default using the code above (usually SHA1PRNG on Standard).
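The post asks you to double check that the `-Dcoldfusion.jsafe.defaultalgo=FIPS186Random` argument is still in your jvm.config, and later names the `-Dcom.rsa.crypto.default.random` property as RSA's own switch. The following is an added example, not code from the post, that audits a jvm.config file for either property. It assumes only that the file carries the JVM arguments on a `java.args=` line, which is how ColdFusion's jvm.config is laid out; the two config fragments in the demo are constructed and not copied from a real install.

```shell
#!/bin/sh
# Added example (not from the post): confirm that a ColdFusion jvm.config
# still carries -Dcoldfusion.jsafe.defaultalgo=FIPS186Random on its
# java.args line, and report the value of any -D property on that line.

# Constructed jvm.config fragments (not from a real install). GOOD_CONF keeps
# the argument the post describes; BAD_CONF has had it removed.
GOOD_CONF='java.home=/opt/coldfusion10/jre
java.args=-server -Xmx512m -Dsun.io.useCanonCaches=false -Dcoldfusion.jsafe.defaultalgo=FIPS186Random -XX:MaxPermSize=192m'
BAD_CONF='java.home=/opt/coldfusion10/jre
java.args=-server -Xmx512m -Dsun.io.useCanonCaches=false -XX:MaxPermSize=192m'

# Print the value of -D<$2>=<value> from the java.args line of file $1.
# Prints nothing and exits 1 when the property is not set.
jvm_property() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n 's/^java\.args=//p' "$1" | tr ' ' '\n' | sed -n "s/^-D$esc=//p" | grep .
}

# Exit 0 only when the jsafe default algorithm is explicitly FIPS186Random.
jsafe_algo_ok() {
    [ "$(jvm_property "$1" coldfusion.jsafe.defaultalgo || true)" = "FIPS186Random" ]
}

# Print one audit line for jvm.config file $1 (label $2).
audit_jvm_config() {
    algo=$(jvm_property "$1" coldfusion.jsafe.defaultalgo || echo '<not set>')
    rsa=$(jvm_property "$1" com.rsa.crypto.default.random || echo '<not set>')
    if jsafe_algo_ok "$1"; then verdict=OK; else verdict=CHECK; fi
    echo "$2: coldfusion.jsafe.defaultalgo=$algo com.rsa.crypto.default.random=$rsa -> $verdict"
}

# Demo on the constructed fragments; on a real server point it at
# <cf_root>/runtime/bin/jvm.config (path varies by version, so confirm yours).
good=$(mktemp); bad=$(mktemp)
printf '%s\n' "$GOOD_CONF" > "$good"
printf '%s\n' "$BAD_CONF" > "$bad"
audit_jvm_config "$good" good
audit_jvm_config "$bad" bad
rm -f "$good" "$bad"
```

A CHECK verdict does not by itself mean ECDRBG is in use; it means the explicit setting is absent, so the provider's own default applies, and the CFML snippet above (`secureRand.getAlgorithm()`) is the way to see what that default actually is.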


(Tue, 17 Dec 2013 16:35:00 GMT)

Apache Security Patches on CentOS / RHEL

Those familiar with RedHat Enterprise Linux (RHEL) or CentOS servers may notice that when you update an Apache (or almost any other) package on a RedHat / CentOS based server it still reports the same version number. This is because RedHat backports security updates, so the main version of Apache stays the same and only the security fixes are patched.

This makes the platform more stable because it cuts down on incompatibilities between components, but if you have compliance requirements (eg PCI Compliance) you can't just look at the version number to see if you are all patched.

So how do I know if I have the latest Apache security patches?

Apache publishes their security fixes on their site, you can find the list of security vulnerabilities in Apache 2.2.x here.

Looking at the list as of this writing, you will see that Apache 2.2.25 has the most recent security fixes, patching two issues: CVE-2013-1862 and CVE-2013-1896.

Also, at the time of this writing, a CentOS 6.4 server will report Apache 2.2.15 as the version number. So how do I know what security patches have been applied to the version of Apache that RedHat is maintaining? Run the following command:

rpm -q --changelog httpd

This will output a lot of stuff, but look towards the top and you will see:

* Fri Aug 02 2013 Jan Kaluza - 2.2.15-29
- mod_dav: add security fix for CVE-2013-1896 (#991368)

* Mon Apr 29 2013 Joe Orton - 2.2.15-28
- mod_rewrite: add security fix for CVE-2013-1862 (#953729)

So, in order to show that you have applied the latest security hotfixes / patches for Apache, you need to compare the changelog to the security vulnerabilities page on Apache's site.
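The comparison just described can be scripted so that a compliance check does not depend on reading the changelog by eye. Here is an added example, not code from the post: it pulls every CVE id out of an rpm changelog and reports which of a required list (the two ids the post quotes for 2.2.25) are not mentioned. The changelog text in the demo is constructed from the two entries quoted above; on a real server you would feed it the output of `rpm -q --changelog httpd`.

```shell
#!/bin/sh
# Added example (not from the post): compare the CVE ids in an rpm changelog
# with the ids the upstream security page lists as fixed. On a real server:
#   rpm -q --changelog httpd > httpd.changelog
# The sample below is constructed from the two entries quoted in the post.
SAMPLE_CHANGELOG='* Fri Aug 02 2013 Jan Kaluza - 2.2.15-29
- mod_dav: add security fix for CVE-2013-1896 (#991368)

* Mon Apr 29 2013 Joe Orton - 2.2.15-28
- mod_rewrite: add security fix for CVE-2013-1862 (#953729)'

# Ids the upstream page listed for 2.2.25 (taken from the post).
REQUIRED_CVES='CVE-2013-1862 CVE-2013-1896'

# Print the unique CVE ids mentioned anywhere in changelog file $1.
changelog_cves() {
    grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' "$1" | sort -u
}

# Print each id from the space-separated list $2 that changelog $1 does not
# mention. Exit status 0 when nothing is missing, 1 otherwise.
missing_cves() {
    have=$(changelog_cves "$1")
    rc=0
    for cve in $2; do
        if ! printf '%s\n' "$have" | grep -qx "$cve"; then
            echo "$cve"
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed changelog.
log=$(mktemp)
printf '%s\n' "$SAMPLE_CHANGELOG" > "$log"
echo "CVEs fixed according to the changelog:"
changelog_cves "$log"
if missing=$(missing_cves "$log" "$REQUIRED_CVES"); then
    echo "all required fixes present"
else
    echo "missing fixes:"
    echo "$missing"
fi
rm -f "$log"
```

One caveat when reading the result: an id that is absent from the changelog is not always an unpatched hole, because the distribution may have judged its build not affected and never shipped a fix for it, so a reported miss should be checked against the vendor's errata before it goes into a compliance finding.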


(Fri, 22 Nov 2013 20:42:00 GMT)

FuseGuard 2.4 Released

I'm pleased to announce the availability of FuseGuard (Web App Firewall For CFML) version 2.4 today! In addition Ortus Solutions (Luis Majano and the folks behind ColdBox) have also announced Ortus FuseGuard Module - a ColdBox module for FuseGuard.

I'm really excited about the partnership with Ortus Solutions, they have really done a great job at building this plugin to make it extremely easy to add FuseGuard to a ColdBox application!

What's New in FuseGuard 2.4

Here's a short list of what is new in FuseGuard 2.4:

  • Performance Optimizations - We spent a long time testing FuseGuard under load and made several code tweaks to boost the performance in this release.
  • Filter Improvements - Improved and fixed issues in the DictionaryAttackFilter, ScopeInjectionFilter, FileUploadFilter and ForeignPostFilter.
  • Compatibility - Improved support for OpenBD, added hooks to ease framework integration.
  • Miscellaneous - Added request.fuseguard_log_id to DBLogger with inserted id.

Sound like something you need? Download a 30 Day Trial of FuseGuard. View Docs & API Reference.


(Thu, 31 Oct 2013 19:05:00 GMT)

New HackMyCF Features

HackMyCF, my company's ColdFusion (and Railo too) server security scanner was recently updated with some cool new features for our paid subscribers.

Connector Version Check

Did you know that when you run the CF10 updater it doesn't update your web server connectors, and you have to do that manually? Do you have any idea if you are running the latest web server connector? As part of your HackMyCF report (with our cfm file installed on your server) you can now see if you are running the latest connector (for CF9+). See an example report for CF9 or CF10.

CFIDE Scan

Your /CFIDE directory is a target for hackers to upload a malicious backdoor/shell cfm file because it is an implicit mapping, and often has full sandbox permissions when sandbox security is enabled. The latest version of HackMyCF's probe (this is the cfm file you place on your server that we connect to) can send back a listing of files and their MD5 checksums, allowing HackMyCF to find some of these malicious files. This update also lays the ground work for us to alert you when files are added or modified in /CFIDE.


(Thu, 24 Oct 2013 21:49:00 GMT)

Blocking .svn and .git Directories on Apache or IIS

One of the issues that our HackMyCF ColdFusion Server Scanner checks for is the existence of public .git/ or .svn/ directories. Exposing these directories to the public could lead to information disclosure, such as your server side source code.

Blocking .svn and .git Directories on Apache

Just add the following to your .htaccess or httpd.conf file:

RedirectMatch 404 (?i)\.git
RedirectMatch 404 (?i)\.svn

Or if you want to block all hidden directories (probably not a bad idea) you can do this:

RedirectMatch 404 (?i)/\..+

Blocking on IIS

On IIS7+ you can use the awesome request filtering feature to accomplish this; the most appropriate way to do this would probably be with the hiddenSegments feature. You can do this using the GUI or in your web.config file as follows:

<configuration>
   <system.webServer>
      <security>
         <requestFiltering>
            <hiddenSegments>
               <add segment=".git" />
               <add segment=".svn" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
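The Apache and IIS rules above hide the directories from the web server, but it also helps to know which such directories actually exist under a document root, both to confirm the rules cover every vhost and to remove metadata that never belonged in a deployment. The following is an added example, not code from the post or from HackMyCF: it lists `.git` and `.svn` directories under a docroot, and separately lists all hidden directories (the set the catch-all `RedirectMatch 404 (?i)/\..+` rule would block). It uses only POSIX find and sed; the directory tree in the demo is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the post): list version-control metadata directories
# under a web document root, so you know what the Apache or IIS rules above
# must cover, or what to delete before deploying. Uses only POSIX find/sed.

# Print every .git or .svn directory under docroot $1 (relative paths, sorted).
find_vcs_dirs() {
    ( cd "$1" && find . -type d \( -name .git -o -name .svn \) -prune -print ) \
        | sed 's#^\./##' | sort
}

# Print every hidden directory (name starting with a dot) under docroot $1,
# i.e. everything the broader RedirectMatch 404 (?i)/\..+ rule would block.
find_hidden_dirs() {
    ( cd "$1" && find . -type d -name '.?*' -prune -print ) \
        | sed 's#^\./##' | sort
}

# Exit 0 when no VCS directories are present under docroot $1, 1 otherwise.
docroot_clean() {
    [ -z "$(find_vcs_dirs "$1")" ]
}

# Demo on a constructed document root.
root=$(mktemp -d)
mkdir -p "$root/.git/objects" "$root/app/.svn" "$root/app/images" \
         "$root/.well-known/acme-challenge"
echo "VCS directories under $root:"
find_vcs_dirs "$root"
echo "All hidden directories (what the catch-all rule would hide):"
find_hidden_dirs "$root"
if docroot_clean "$root"; then
    echo "clean"
else
    echo "NOT clean: version-control metadata is inside the docroot"
fi
rm -rf "$root"
```

The second listing is the reason to look before applying the catch-all rule: a hidden directory such as `/.well-known/` is used by standards like ACME for HTTP challenge files, so blocking every dot-directory can break something that is supposed to be served, whereas the two explicit `.git` / `.svn` rules never will.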

(Tue, 15 Oct 2013 18:57:00 GMT)

CFDocs site now Open Source

You may be aware that I've run a site for quick access to the CFML documentation since 2004 called cfdocs.org. My goal for this site has always been to get you to the documentation you need as fast as possible. The new version of the site uses its own documentation that you can help edit, on GitHub: https://github.com/foundeo/cfdocs.

The site has these advantages:

  • Super Fast, hosted on Amazon CloudFront CDN
  • Concise - the docs are not as verbose as the official docs
  • Compare - you will be able to see compatibility among different CFML servers (Adobe ColdFusion, Railo and OpenBD), and you can even get a quick link to each vendor's official documentation.

I hope you find this new site useful, and if you still want the old site you can get it at cf9.cfdocs.org.


(Fri, 04 Oct 2013 18:33:00 GMT)