You are currently viewing an RSS feed from Pete Freitag's Blog.
Howto Install and Run the Android Emulator
I am in the process of building some mobile apps for one of my clients, and while I'm pretty familiar with running the iPhone simulator and building iPhone apps, I'm pretty new to the Android development tools at this point. So I thought I would give a quick and easy guide for folks who might be interested in getting started with Android development and running the Android emulator.
I should mention that there is also an Eclipse plugin for Android development that you can use instead. Also, I'm using a Mac, but I think the steps should be pretty close if you are running Windows or Linux.
Step 1 - Download the Android SDK
Download the Android SDK, and unzip it somewhere. I placed the android-sdk-mac_86 folder in my /Applications/ folder, but you can put it wherever you want.
Step 2 - Optional Add to System Path
Since we are using the command line you might find it useful to add the android-sdk-platform/tools folder to your system path so you can run the android commands from any folder. If you're interested in doing that, Google provides instructions here.
Step 3 - Install Android Platforms
At this point I tried running the emulator command, but the SDK doesn't ship with any Android platforms. An Android platform is essentially a version of the Android OS; you need to install at least one (eg 1.6, 2.1, 2.2, etc.) before the emulator will run.
To install platforms run the android command located in the tools folder of the SDK (use Terminal.app on a Mac, or the Command Prompt on Windows; Linux folks, you know what to do :). This will pop up a window. Select Available Packages, pick some platform versions and install.
Step 4 - Create a Virtual Device
Still in the android tool, click on Virtual Devices on the left, and then click New. Here's an example of the settings for the new device:

Once you create the AVD file, it should show up in the listing of Android Virtual Devices:

Step 5 - Run the emulator
Now select the virtual device you just created and click Start on the right, and the emulator should start running:

(Fri, 20 Aug 2010 20:21:00 GMT)
jQuery UI Autocomplete IE 6 Select List z-Index Issues
If you are using jQuery UI's Autocomplete control, your IE6 users may experience some issues when the autocomplete suggestions overlay an HTML <select> list. The autocomplete suggestions show up behind the select list in Internet Explorer 6.
To fix this you simply need to include the bgiframe plugin in a script tag on your page. The jQuery UI autocomplete control will detect bgiframe and use it to fix itself for IE6.
(Mon, 16 Aug 2010 23:31:00 GMT)
Path Traversal Vulnerability Security Hotfix for ColdFusion Released
Adobe released a security hotfix for a path traversal vulnerability in the ColdFusion administrator (CVE-2010-2861, APSB10-18). The Adobe security bulletin page lists the affected software versions: ColdFusion 8.0, 8.0.1, 9.0, 9.0.1 and earlier versions for Windows, Macintosh and UNIX. Take special notice of the "and earlier versions", so if you are running CF7 you will quite possibly still be vulnerable to this.
This vulnerability allows an attacker to read any file that ColdFusion has permission to read (on Windows this should be limited to the same drive that contains the ColdFusion administrator).
Applying the hotfix is quite simple: just replace a couple of files in your ColdFusion administrator directory. So go ahead and take care of this now; it should take less than 5 minutes of your time. Also, while you're at it, make sure your ColdFusion administrator is not publicly accessible. Add IP restrictions, or a web server password.
HackMyCF Updated
My ColdFusion Security Scanner, HackMyCF has been updated to detect this vulnerability. There are a few conditions however in which it can't detect it, so I encourage you to apply the hotfix regardless of what it says.
(Thu, 12 Aug 2010 18:01:00 GMT)
Using AntiSamy with ColdFusion
How do you protect your code from Cross Site Scripting (XSS) when your business requirements state that the user must be able to input HTML? This can be a difficult problem to solve and XSS is very difficult to filter against because there are hundreds of attack vectors.
Remember that social networking site MySpace? They allow anyone to create profile pages with lots of CSS, and HTML markup. They were concerned about XSS and they had pretty extensive blacklist filters in place to prevent it.
One clever hacker named Samy figured out a way to embed JavaScript in his MySpace profile page that would automatically add you as a friend when you viewed his profile. After about 5 hours Samy had roughly 1 million friends! After 6 hours MySpace was shut down for "maintenance".
Back to the problem at hand: how do we prevent this sort of thing? One way is to use a Java library called AntiSamy. AntiSamy uses an XML policy file that defines what HTML tags and attributes are allowed in your application.
Invoking AntiSamy from ColdFusion
AntiSamy requires a couple of jar files to run, and in order to use the code in a jar file in ColdFusion you need to add the jar files to your Java classpath. Mark Mandel wrote an awesome utility called JavaLoader which allows us to dynamically load jar files without modifying the Java classpath variables or copying files to particular locations. I am going to use JavaLoader in my example because it makes things very easy.
<cfset policyFile = ExpandPath("./antisamy-slashdot-1.4.1.xml")>
<cfset jarArray = [ExpandPath("lib/antisamy-bin.1.4.1.jar"),
ExpandPath("lib/antisamy-required-libs/batik-css.jar"),
ExpandPath("lib/antisamy-required-libs/batik-util.jar"),
ExpandPath("lib/antisamy-required-libs/nekohtml.jar"),
ExpandPath("lib/antisamy-required-libs/xercesImpl.jar")]>
<!--- using Java Loader to avoid adding jar files to classpath --->
<cfset classLoader = CreateObject("component", "lib.javaloader.JavaLoader").init(jarArray)>
<cfset antiSamy = classLoader.create("org.owasp.validator.html.AntiSamy").init()>
<cfset cleanResults = antiSamy.scan(form.html, policyFile)>
<cfoutput>
<h3>AntiSamy Result:</h3>
#cleanResults.getCleanHTML()#
</cfoutput>
Download complete working version - Includes all Jar files, JavaLoader (Requires CF8+ due to array notation, could be modified to work on CF7)
Using AntiSamy in ColdFusion is actually quite simple, you just need to create an instance of the Java object org.owasp.validator.html.AntiSamy and then invoke the scan(htmlContent, policyFileLocation) method. It returns a CleanResults object which has a bunch of nifty methods, such as getCleanHTML() which returns sanitized HTML based on your policy.
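The allowlist idea behind an AntiSamy policy, as an added example in Python (not AntiSamy's own code and not the post's CFML): the POLICY dict and the other names are constructed stand-ins for the XML policy file, a tag or attribute absent from the policy is dropped rather than blacklisted, and href values must carry an http or https scheme.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed policy, the analogue of an AntiSamy XML policy: tag -> allowed attributes.
POLICY = {"p": set(), "b": set(), "i": set(), "br": set(), "a": {"href", "title"}}
DROP_CONTENT = {"script", "style"}   # disallowed tags whose text is discarded, not kept

class PolicySanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skipping = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skipping = tag
            return
        if tag not in POLICY:
            return                   # unknown tag dropped; its text is kept, escaped
        clean = []
        for name, value in attrs:
            if name not in POLICY[tag] or value is None:
                continue             # e.g. onclick, style: not in the policy
            if name == "href" and urlparse(value.strip()).scheme not in ("http", "https"):
                continue             # drops javascript:, data: and scheme-less hrefs
            clean.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(clean)}>")
        if tag != "br":              # br has no closing tag
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
        elif tag in self.open:       # close everything opened since this tag
            while self.open:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if self.skipping is None:
            self.out.append(escape(data, quote=False))

def sanitize(html):
    # Return html reduced to what POLICY allows, with every text node re-escaped.
    p = PolicySanitizer()
    p.feed(html)
    p.close()
    p.out.extend(f"</{t}>" for t in reversed(p.open))   # close still-open tags
    return "".join(p.out)
```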
Using AntiSamy with ESAPI
Another great Java security API is the OWASP Enterprise Security API (ESAPI); it actually makes use of AntiSamy under the hood as well. One example is the ESAPI.validator().isValidSafeHTML(htmlContent) method. I recommend you check out ESAPI for its collection of encoders to protect you against XSS (for outputting variables that should not contain HTML). See my Writing Secure CFML presentation slides from CFUnited 2010 for more on ESAPI.
(Thu, 05 Aug 2010 19:12:00 GMT)
Writing Secure CFML Slides from CFUnited 2010
As promised I just published the slides for my Writing Secure CFML presentation at CFUnited 2010.
You can even watch a recording of the presentation brought to you by Tim Cunningham of CFMumboJumbo.com:
(Thu, 05 Aug 2010 19:04:00 GMT)
Locking Down ColdFusion Presentation Slides
The slides for my 2010 CFUnited presentation Locking Down ColdFusion are now available. The presentation is based on the ColdFusion 9 Lockdown Guide whitepaper that I wrote for Adobe. It covers various techniques to make your ColdFusion installation more secure.
I also presented on Writing Secure CFML at CFUnited which as you can probably gather is more dedicated to the coding side of things. Those slides will be available soon.
Click Here to download Locking Down ColdFusion Slides
(Thu, 05 Aug 2010 05:02:00 GMT)
Cross Domain Data Theft using CSS
Firefox 3.6.7, released today, fixes an interesting security vulnerability called Cross Domain Data Theft using CSS, discovered by Google security researcher Chris Evans.
It works kind of like JSON hijacking, but uses a cross-domain <link /> tag instead of a cross-domain <script /> call to the attacker site.
Here's how it works:
- Post a comment on the victim site that looks like this: {}body{background-image:url('http://google.com/ - it can be anywhere on the page, it doesn't need to be in a style tag or attribute.
- Get the victim to visit your site, which contains a link tag like this: <link rel="stylesheet" href="http://victimsite.example.com/page/with/above/css">
- The attacker site also includes some JavaScript calling window.getComputedStyle(...); this can be used to steal the content of the page at victimsite.example.com
The {} in the CSS resets the CSS parser because up to that point it is very confused (since it's trying to parse the HTML of the page as CSS).
To fix this issue Firefox (and WebKit) now reject loading CSS files that meet these conditions:
- CSS File is from another domain
- Content type is not text/css
- Page does not start with valid CSS syntax
You can find a lot of the interesting details here in this Firefox Bug Report.
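A model of the reject rule above, as an added example written for this page (Python, not Firefox's or WebKit's code): the "starts with valid CSS" test is a constructed approximation, and the page URLs and the victim page body are constructed samples. A stylesheet is refused only when all three conditions hold, which is why serving real stylesheets with text/css keeps them working.

```python
import re
from urllib.parse import urlsplit

# After an optional BOM, whitespace and comments, a sheet "starts with valid CSS"
# (constructed approximation) if it begins with an at-rule or a selector then '{'.
_LEADING = re.compile(r"^\ufeff?\s*(?:/\*.*?\*/\s*)*", re.S)
_VALID_START = re.compile(r"^(?:@[A-Za-z-]+\b|[A-Za-z*.#\[:][^{};<]*\{)")

def origin(url):
    # (scheme, host, port) as used for the cross-domain test.
    p = urlsplit(url)
    default = {"http": 80, "https": 443}.get(p.scheme.lower())
    return (p.scheme.lower(), p.hostname, p.port or default)

def starts_with_valid_css(body):
    return bool(_VALID_START.match(_LEADING.sub("", body, count=1)))

def should_block_stylesheet(page_url, sheet_url, content_type, body):
    # True when all three of the post's conditions hold: the sheet is cross-domain,
    # its Content-Type is not text/css, and its body does not begin with valid CSS.
    cross_domain = origin(page_url) != origin(sheet_url)
    mime = content_type.split(";", 1)[0].strip().lower()
    return cross_domain and mime != "text/css" and not starts_with_valid_css(body)

# Constructed sample: the victim page, served as text/html, with the injected comment.
VICTIM_PAGE = ("<!DOCTYPE html><html><body><p>Comment:</p>\n"
               "{}body{background-image:url('http://google.com/\n"
               "<p>Secret: token=abc123</p></body></html>")
ATTACKER_PAGE = "http://attacker.example/"          # constructed placeholder
VICTIM_SHEET = "http://victimsite.example.com/page/with/above/css"

if __name__ == "__main__":
    print(should_block_stylesheet(ATTACKER_PAGE, VICTIM_SHEET,
                                  "text/html; charset=utf-8", VICTIM_PAGE))
```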
(Wed, 21 Jul 2010 21:27:00 GMT)
Using jQuery UI Autocomplete with Hidden IDs
The new autocomplete widget in jQuery UI 1.8 is a nice addition. While it works great for basic purposes, working with ID / value pairs is not so nice out of the box.
I wanted to use the autocomplete widget to allow someone to select an employee by typing in an employee name into the text box, but I want the form to post the ID of the employee, not the employee name.
First you need to setup your server side search script, I'm using ColdFusion here:
<cfparam name="url.term" default="">
<cfset emp = empDAO.searchByName(url.term)>
<cfset result = ArrayNew(1)>
<cfoutput query="emp">
    <cfset s = StructNew()>
    <cfset s["label"] = emp.FullName>
    <cfset s["value"] = emp.EE_ID>
    <cfset ArrayAppend(result, s)>
</cfoutput>
<cfset json = SerializeJSON(result)>
<cfcontent reset="true" type="application/json"><cfoutput>#json#</cfoutput><cfabort>
The jQuery UI autocomplete widget sends a variable in the query string called term which contains the text the user has typed in. You need to return an array of objects in JSON. For example, your output might look like this:
[{"label":"Pete Freitag","value":1},{"label":"Pete Doe","value":2}]
Now the HTML code I am using in the form simply looks like this:
<input type="text" name="EmployeeID" value="" class="employeeAutocomplete" />
Next I need to write some jQuery JavaScript that applies the autocomplete widget to any input tag with the employeeAutocomplete class. This code would go in your $(document).ready() event handler:
$('input.employeeAutocomplete').autocomplete({source:'employee-search-json.cfm'});
Now this works well up to this point, but when I select an item it puts the employee ID in the text box. From the user's perspective this doesn't make any sense. What I want is for the employee's name to be put in the text box, and a hidden field containing the employee ID to be passed in the form.
So to accomplish that I need to do a bit more JavaScript, I'm going to do the following:
- Change the name on the existing input field to whatever it was plus _autocomplete_label
- Create a hidden input field with a name attribute value of the original input element (this will contain my ID value).
- Create a custom select event handler for the given jQuery UI autocomplete instance.
So here's my new code:
$('input.employeeAutocomplete').each(function() {
    var autoCompleteElement = this;
    var formElementName = $(this).attr('name');
    var hiddenElementID = formElementName + '_autocomplete_hidden';
    /* change name of orig input */
    $(this).attr('name', formElementName + '_autocomplete_label');
    /* create new hidden input with name of orig input */
    $(this).after("<input type=\"hidden\" name=\"" + formElementName + "\" id=\"" + hiddenElementID + "\" />");
    $(this).autocomplete({source:'employee-search-json.cfm',
        select: function(event, ui) {
            var selectedObj = ui.item;
            /* show the name to the user, post the ID in the hidden field */
            $(autoCompleteElement).val(selectedObj.label);
            $('#'+hiddenElementID).val(selectedObj.value);
            return false;
        }
    });
});
Now when I submit the form the value of the EmployeeID field will be an employee ID, and the text box will simply show the employee name.
It would be cool if this widget supported an option to do what I just did, but it only takes a few additional lines of code to accomplish.
(Wed, 14 Jul 2010 20:52:00 GMT)
10 Ideas to Improve Security in ColdFusion 10
I do a lot of work related to security in ColdFusion and I've been keeping a list of ideas and features that could make a future version of ColdFusion more secure. Here are 10 ideas in no particular order:
- Add an allowedextensions attribute to cffile for action=upload and deprecate the accept attribute - The accept attribute is useless as far as security goes since the mime types come from the client; you can easily spoof this (example). This new attribute would simply be a list of file extensions that you allow to be uploaded, eg "jpg,png,gif,jpeg".
- Ask for a Windows username to run ColdFusion services as during installation - The ColdFusion installer already does this on a unix install, but not Windows. This should set up permissions on the ColdFusion installation directory.
- Update documentation and verbiage related to ScriptProtect so people don't think it completely protects you from XSS - It's a very weak protection, yet a lot of people think it fully protects them. I think this is due to how it is worded in the CF Administrator and documentation.
- Add Application.cfc variables and CF Administrator settings to specify httpOnly, secure and domain for session cookies (CFID, CFTOKEN, jsessionid)
- Allow administrators to change the root ColdFusion Administrator username to something other than admin - Admin is always the default super user for the ColdFusion administrator; it would be nice if you could specify an arbitrary username instead.
- Create an audit log for ColdFusion administrator changes.
- Improve ScriptProtect - I know this feature will always be insufficient, but a lot of people use it. It could be improved quite a bit; it should at least block iframe tags!
- Remove the possibility of CRLF injection - Any tag that outputs headers (for example cfheader, cfcontent, cfmail (subject attribute, or cfmailparam)) should strip the CRLF characters, so you can't inject new headers. Please vote for bug 83739
- Make addtoken=false the default for cflocation - Whenever you do a cflocation it puts the session IDs in the URL query string. Users don't know that if they copy and paste the link somewhere it allows whoever visits the link to be logged in as them.
- Linux installation scripts should detect SELinux and be able to install on SELinux - You can still run ColdFusion on SELinux but it takes some configuration. (I provided some instructions in the ColdFusion 9 Lockdown Guide that I wrote)
If you like any of these ideas you can add them to this survey for ColdFusion 10, and feel free to post some more ideas in the comments!
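Why the first idea matters, as an added example written for this page (Python, not ColdFusion's cffile): a constructed multipart upload whose part is named photo.jpg.cfm but labelled image/jpeg by the client passes a MIME-based check like accept= and fails an extension allowlist like the proposed allowedextensions. The request body, the allowlist value and the function names are all constructed for the example.

```python
import email
import os

ALLOWED_EXTENSIONS = "jpg,png,gif,jpeg"                  # the proposed allowedextensions list
ACCEPT_TYPES = {"image/jpeg", "image/png", "image/gif"}  # what an accept= style check trusts

# Constructed multipart/form-data request: the part is named photo.jpg.cfm but the
# client labels it image/jpeg. Both strings are chosen by the client.
BOUNDARY = b"----constructedboundary"
REQUEST = b"\r\n".join([
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY, b"",
    b"--" + BOUNDARY,
    b'Content-Disposition: form-data; name="upload"; filename="photo.jpg.cfm"',
    b"Content-Type: image/jpeg", b"",
    b"<cfoutput>not an image</cfoutput>",
    b"--" + BOUNDARY + b"--", b""])

def parse_upload(raw):
    # Return (filename, client-supplied content type) of the first file part.
    msg = email.message_from_bytes(raw)
    part = next(p for p in msg.walk() if p.get_filename())
    return part.get_filename(), part.get_content_type()

def accept_check(content_type):
    # Mirrors an accept= check: decides on the MIME type the client sent.
    return content_type.lower() in ACCEPT_TYPES

def extension_check(filename, allowed=ALLOWED_EXTENSIONS):
    # Decides on the final extension of the submitted name only.
    allowed_set = {e.strip().lstrip(".").lower() for e in allowed.split(",")}
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path part
    if not base or base != base.rstrip(". "):               # Windows strips trailing ". "
        return False
    root, ext = os.path.splitext(base)
    ext = ext.lstrip(".").lower()
    if not root or not ext:                                 # ".htaccess", "photo"
        return False
    return ext in allowed_set                               # last extension decides

if __name__ == "__main__":
    name, ctype = parse_upload(REQUEST)
    print(name, ctype, accept_check(ctype), extension_check(name))
```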
(Fri, 18 Jun 2010 18:43:00 GMT)
CFMeetup Thursday: Intro to FuseGuard and Web Application Firewalls
I will be presenting at the ColdFusion Meetup online user group this Thursday (June 17th) at Noon Eastern Time. The topic: Introduction to FuseGuard and Web Application Firewalls.
I will be discussing some things about web application firewalls in general, and then I will give a demo of FuseGuard, a web application firewall built in CFML.
(Mon, 14 Jun 2010 22:09:00 GMT)