
Project News :.

The latest project to launch was the site for Gorilla Offroad Company. Aside from their main site, a social media strategy was developed to launch the company into various industry-specific automobile enthusiast discussion board communities as well as popular social media fronts like Facebook, Pinterest, and Twitter.



ColdFusion News :.

To bring a little life to my site, I've pulled a couple of RSS feeds into this page. You can currently choose between technology-related news stories from the following news sources:



You are currently viewing an RSS feed from Pete Freitag's Blog.



HackMyCF Adds SSL/TLS Scanner

I'm pleased to announce a feature of HackMyCF that I've been excited about for a while: SSL / TLS Scanning.

If you stay up to date with security news you know that there have been a large number of vulnerabilities or weaknesses discovered in SSL or TLS protocols and implementations. For example, we have LogJam, Heartbleed, POODLE, CRIME, BEAST, and those are just the ones with cool names :)

We have been issuing warnings when SSLv2 and SSLv3 (POODLE) are enabled for a while; here are some of the new checks we have added:

  • Warn if TLS 1.2 is not enabled
  • LogJam: Weak DH Group Size (less than 2048 bits) and some common prime warnings (not fully inclusive)
  • Warn if SSL Certificate will expire soon, or is expired
  • Warn if certificate is signed with SHA1 (will cause warnings/errors in recent Chrome versions)
  • Warn if TLS compression is enabled (CRIME)
  • Test for OpenSSL Heartbleed vulnerability
  • Warn if Public Key Size less than 2048 bits
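As an added illustration (not part of HackMyCF or this post), here is how those checks look as plain rule logic in Python: it takes a constructed dictionary describing what a scanner observed for one host and returns the warnings listed above. The scan dictionary shape, the 30-day "expires soon" window and the sample values are assumptions made for the example; the 2048-bit minimums are the ones the list states.

```python
import ssl

# Thresholds. The 2048-bit minimums are the ones the post lists; the
# "expires soon" window is an assumption made for this example.
MIN_DH_BITS = 2048
MIN_KEY_BITS = 2048
EXPIRY_WARN_DAYS = 30


def evaluate_tls_scan(scan: dict, now: float) -> list:
    """Turn one scan result into the warnings the post describes.

    `scan` is a constructed dict describing what a scanner observed; `now`
    is a Unix timestamp so the expiry checks are deterministic.
    """
    findings = []

    protocols = set(scan.get("protocols", []))
    if "SSLv2" in protocols:
        findings.append("SSLv2 enabled")
    if "SSLv3" in protocols:
        findings.append("SSLv3 enabled (POODLE)")
    if "TLSv1.2" not in protocols:
        findings.append("TLS 1.2 not enabled")

    dh_bits = scan.get("dh_group_bits")
    if dh_bits is not None and dh_bits < MIN_DH_BITS:
        findings.append(f"weak DH group: {dh_bits} bits (LogJam)")

    if scan.get("tls_compression"):
        findings.append("TLS compression enabled (CRIME)")
    if scan.get("heartbleed"):
        findings.append("OpenSSL Heartbleed vulnerability")

    cert = scan["certificate"]
    # notAfter uses the same textual form ssl's getpeercert() returns,
    # so the standard library can parse it for us.
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (not_after - now) / 86400
    if days_left <= 0:
        findings.append("certificate expired")
    elif days_left < EXPIRY_WARN_DAYS:
        findings.append(f"certificate expires in {int(days_left)} days")

    if cert["signature_algorithm"].lower().startswith("sha1"):
        findings.append("certificate signed with SHA1")
    if cert["public_key_bits"] < MIN_KEY_BITS:
        findings.append(f"public key size {cert['public_key_bits']} bits < {MIN_KEY_BITS}")

    return findings


# Constructed sample: what a scan of a poorly configured host might report.
SAMPLE_SCAN = {
    "protocols": ["SSLv3", "TLSv1", "TLSv1.1"],
    "dh_group_bits": 1024,
    "tls_compression": True,
    "heartbleed": False,
    "certificate": {
        "notAfter": "Jun 10 00:00:00 2015 GMT",
        "signature_algorithm": "sha1WithRSAEncryption",
        "public_key_bits": 1024,
    },
}

if __name__ == "__main__":
    # Evaluate relative to the post's publication date (constructed reference time).
    scan_time = ssl.cert_time_to_seconds("May 27 20:37:00 2015 GMT")
    for finding in evaluate_tls_scan(SAMPLE_SCAN, scan_time):
        print("WARN:", finding)
```

Passing the reference time in explicitly keeps the expiry checks reproducible; a real scanner would pass the current time and feed the dictionary from its own probe results.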

Here's a screenshot from an example HackMyCF report:

[Screenshot: HackMyCF TLS Report]

Customers can enable this feature if they have set protocol = HTTPS in their server settings.


(Wed, 27 May 2015 20:37:00 GMT)

IncompatibleClassChangeError after ColdFusion 11 Update 5

If you use the Encrypt function in ColdFusion 11, you may experience an error that looks like this:

java.lang.IncompatibleClassChangeError: Expected static method coldfusion.runtime.CFPage.Encrypt(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;
	at cfprobe2ecfm877726397._factor9(/hackmycf/probe.cfm:258)
	at cfprobe2ecfm877726397.runPage(/hackmycf/probe.cfm:1)
	at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:246)
	at coldfusion.tagext.lang.IncludeTag.handlePageInvoke(IncludeTag.java:736)
	at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:572)
	at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65)
	at coldfusion.filter.IpFilter.invoke(IpFilter.java:45)
	at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:466)
	at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:42)
	at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
	at coldfusion.filter.PathFilter.invoke(PathFilter.java:142)
	at coldfusion.filter.LicenseFilter.invoke(LicenseFilter.java:30)
	at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:94)
	at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
	at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
	at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:58)
	at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
	at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
	at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)
	at coldfusion.CfmServlet.service(CfmServlet.java:219)
	at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
	at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at coldfusion.inspect.weinre.MobileDeviceDomInspectionFilter.doFilter(MobileDeviceDomInspectionFilter.java:121)
	at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:422)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:744)

The solution is to clear the Template Cache. This is done quite easily in the ColdFusion Administrator under Server Settings » Caching: simply click the Clear Template Cache Now button, and it will work.

Another way to fix this issue is to simply edit the cfm or cfc file that contains the Encrypt call and then the CF server will automatically recompile it (due to the updated timestamp). This method would only work if Trusted Cache is not turned on.

Why did this happen? It appears to me that the internal java method signature for the Encrypt function changed, and since CF compiles your CFML into Java bytecode and then caches it, the cached java bytecode is no longer valid after the update is applied.


(Mon, 20 Apr 2015 23:24:00 GMT)

Scope Injection in CFML

Here is an interesting vulnerability that I have come across several times in real CFML code during code reviews. I have spoken about it at conferences but have never written about it. Since it doesn't really have a name, I call it Scope Injection; you'll see why in a minute.

We have the following code:

<cfif session.isAdmin>
    Do something only an admin can do...
</cfif>

Now let's suppose that session.isAdmin is set upon successful authentication, but for unauthenticated sessions isAdmin is undefined in the session scope (onSessionStart does not initialize it).

Now suppose the above code receives a request like this:

/admin/something.cfm?session.isAdmin=1

What happens when the above code example is run:

  • CF checks to see if session.isAdmin is defined in the session scope
  • The variable session.isAdmin was not defined in the session scope, so it starts searching other scopes, such as the url scope.
  • CF finds url.session.isAdmin defined and uses that value to evaluate the if statement as true.
  • Code that should only be executed by an admin can actually be executed by anyone.

Mitigating Scope Injection in CFML

To mitigate this, make sure that variables are initialized properly. A good place to do this is in your Application.cfc event lifecycle methods: onSessionStart for session-scoped variables, onApplicationStart for application-scoped variables, onRequestStart for request-scoped variables, etc.

So to mitigate this issue, we simply need this:

<cffunction name="onSessionStart">
    <cfset session.isAdmin = false>
</cffunction>

If you are extra paranoid you can also use StructKeyExists to make sure the variable is defined:

<cfif StructKeyExists(session, "isAdmin") AND session.isAdmin>
  do admin stuff
</cfif>

Scope Injection in Railo / Lucee

This particular example is not vulnerable in the version of Railo / Lucee I tested, apparently because it does not allow cascading on builtin scopes. You can still have a scope injection issue on variables that are not in a builtin scope, consider this:

<cfif IsUserInRole("admin") OR IsUserInRole("superuser")>
   <cfset isAdmin = true>
</cfif>
<cfif isAdmin>
  do admin stuff
</cfif>

There is also a setting in the Railo / Lucee administrator that allows you to turn off cascading (under scopes) by setting it to strict. You can also do this in your Application.cfc:

this.scopeCascading = "strict";

When the scopeCascading setting is set to strict it removes the possibility of a scope injection vulnerability, and may also improve performance.
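To make the lookup order concrete, here is an added toy model in Python of the cascading behaviour described above (it is not ColdFusion or Lucee code, and the example is not from the original post). It models an engine that, on a miss for session.isAdmin, keeps searching the cascade scopes for the full dotted name, and shows how onSessionStart initialisation, the StructKeyExists check and scopeCascading = "strict" each close the hole; it also covers the unscoped isAdmin variant from the Railo / Lucee section. The cascade order (Variables, CGI, URL, Form, Cookie, Client), the ScopeResolver class and the cf_boolean helper are assumptions of the model.

```python
"""Toy model of CFML scope cascading, built to illustrate the post.

This is not the ColdFusion engine. The cascade order below is the
documented search order for unscoped names and is an assumption for this
model; the behaviour it reproduces is the one the post describes.
"""

CASCADE = ("variables", "cgi", "url", "form", "cookie", "client")
BUILTIN_SCOPES = CASCADE + ("session", "application", "request", "server")


def cf_boolean(value) -> bool:
    """Approximate CFML's loose boolean conversion ("1", "yes", "true", numbers)."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value != 0
    text = str(value).strip().lower()
    if text in ("true", "yes"):
        return True
    if text in ("false", "no"):
        return False
    return float(text) != 0  # non-numeric text raises, as CF would error


class ScopeResolver:
    def __init__(self, scopes: dict, strict: bool = False):
        self.scopes = scopes      # e.g. {"session": {...}, "url": {...}}
        self.strict = strict      # scopeCascading = "strict"

    def resolve(self, ref: str):
        first, _, rest = ref.partition(".")
        if first in BUILTIN_SCOPES:
            # Explicit scope prefix: use the key if the scope actually has it.
            if rest in self.scopes.get(first, {}):
                return self.scopes[first][rest]
            # Otherwise a cascading engine keeps looking for the full dotted
            # name ("session.isAdmin") in the cascade scopes, which is where
            # url["session.isAdmin"] gets picked up.
            candidates = () if self.strict else CASCADE
        else:
            # Unscoped name: strict mode only consults the variables scope.
            candidates = ("variables",) if self.strict else CASCADE
        for name in candidates:
            scope = self.scopes.get(name, {})
            if ref in scope:
                return scope[ref]
        raise KeyError(f"variable {ref} is undefined")


def admin_allowed(session: dict, url: dict, strict: bool = False) -> bool:
    """<cfif session.isAdmin> evaluated against the given session and url scopes.

    An undefined variable is a runtime error in CFML; the model treats that
    as "not allowed", which is the safe outcome.
    """
    resolver = ScopeResolver({"session": session, "url": url}, strict)
    try:
        return cf_boolean(resolver.resolve("session.isAdmin"))
    except KeyError:
        return False


def admin_allowed_unscoped(variables: dict, url: dict, strict: bool = False) -> bool:
    """The Railo / Lucee variant: <cfif isAdmin> where isAdmin is only set for admins."""
    resolver = ScopeResolver({"variables": variables, "url": url}, strict)
    try:
        return cf_boolean(resolver.resolve("isAdmin"))
    except KeyError:
        return False


def admin_allowed_checked(session: dict) -> bool:
    """StructKeyExists(session, "isAdmin") AND session.isAdmin: no cascading possible."""
    return "isAdmin" in session and cf_boolean(session["isAdmin"])


if __name__ == "__main__":
    injected_url = {"session.isAdmin": "1"}  # ?session.isAdmin=1
    print("uninitialised session, cascading:", admin_allowed({}, injected_url))                  # True
    print("onSessionStart sets false:        ", admin_allowed({"isAdmin": False}, injected_url))  # False
    print("scopeCascading strict:            ", admin_allowed({}, injected_url, strict=True))     # False
    print("unscoped isAdmin, cascading:      ", admin_allowed_unscoped({}, {"isAdmin": "true"}))  # True
```

The first line of output is the vulnerability: nothing in the session scope, yet the admin branch runs. The other three show the mitigations from the post, and the unscoped variant demonstrates that strict cascading protects the Railo / Lucee example too.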

How FuseGuard protects from Scope Injection

FuseGuard customers have been enjoying protection from scope injection for the past 3 years. It operates in a strict mode by default, which blocks inputs like url.one.two; with strict mode off it only looks at valid scope names (like session, application, etc.).

As of version 2.3 you can also set a prefix to ignore. For example, Fusebox apps commonly have URLs like ?fusebox.action=foo, so you can tell FuseGuard to allow that by adding:

filter.setIgnorePrefixList("fusebox");

You can also ignore a variable a-la-carte like this:

filter.ignoreVariable("url", "one.two");

(Tue, 03 Mar 2015 22:59:00 GMT)

Upload Files Directly to Amazon S3 using ColdFusion

Here's a quick example showing how to upload a file directly to Amazon S3 (bypassing your server). The tricky part in getting this to work is that you don't want to allow anyone to upload a file anywhere on your S3. To accomplish this you can create an AWS Access Control Policy, base64 encode it, and then sign it using HMAC-SHA1 with your AWS Secret Key. A policy is a JSON string that might look like this:

{ "expiration": "2014-11-26T13:23:00.000Z",
  "conditions": [
    {"bucket": "example-bucket-name" },
    ["eq", "$key", "image.jpg"],
    {"acl": "public-read" },
    {"redirect": "https://example.com/upload-complete.cfm" },
    ["starts-with", "$Content-Type", "image/"]
  ]
}

To generate this policy dynamically we might do something like this:

<cfset expDate = DateConvert("local2utc", now())>
<cfset expDate = DateAdd("n", 15, expDate)><!--- policy expires in 15 minutes --->
<cfset fileName = CreateUUID() & ".jpg">
<cfoutput>
<cfsavecontent name="jsonPolicy">
{ "expiration": "#DateFormat(expDate, "yyyy-mm-dd")#T#TimeFormat(expDate, "HH:mm")#:00.000Z",
  "conditions": [
    {"bucket": "example-bucket-name" },
    ["eq", "$key", "#JSStringFormat(fileName)#"],
    {"acl": "public-read" },
    {"redirect": "https://example.com/upload-complete.cfm" },
    ["content-length-range", 1, 1048576],
    ["starts-with", "$Content-Type", "image/"]
  ]
}
</cfsavecontent>
</cfoutput>
<cfset b64Policy = toBase64(Trim(jsonPolicy), "utf-8")>
<cfset signature = HMac(b64Policy, variables.awsSecretKey, "HMACSHA1", "utf-8")>
<!--- convert signature from hex to base64 --->
<cfset signature = binaryEncode( binaryDecode( signature, "hex" ), "base64")>

Because we are using the HMac function you must be on CF10+ or Railo 4.1+; if you are on an older version you will need to find a third-party HMAC implementation.
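The same policy construction in Python, added here as an example rather than taken from the post: it builds the JSON policy with the conditions shown above, base64-encodes it, signs the encoded policy with HMAC-SHA1 and base64-encodes the digest, which is the legacy browser-POST signing scheme the CFML implements. It also shows the recomputation S3 performs on its side. The credentials, the DEMO_NOW timestamp and the helper names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed, non-functional values for the demo.
DEMO_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE"
DEMO_SECRET_KEY = "example-secret-key-not-real"
DEMO_NOW = datetime(2014, 11, 26, 13, 8, 0, tzinfo=timezone.utc)


def build_policy(bucket: str, key: str, redirect: str, expires_at: datetime,
                 max_bytes: int = 1048576) -> str:
    """Policy JSON with the same conditions as the CFML above."""
    policy = {
        "expiration": expires_at.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
        "conditions": [
            {"bucket": bucket},
            ["eq", "$key", key],               # exactly this object key, nothing else
            {"acl": "public-read"},
            {"redirect": redirect},
            ["content-length-range", 1, max_bytes],
            ["starts-with", "$Content-Type", "image/"],
        ],
    }
    return json.dumps(policy)


def sign_policy(policy_json: str, aws_secret_key: str) -> tuple:
    """Return (b64Policy, Signature): base64 the policy, then
    Signature = base64(HMAC-SHA1(secret, b64Policy)), as the CFML does with
    HMac followed by binaryDecode/binaryEncode."""
    b64_policy = base64.b64encode(policy_json.encode("utf-8")).decode("ascii")
    digest = hmac.new(aws_secret_key.encode("utf-8"),
                      b64_policy.encode("ascii"), hashlib.sha1).digest()
    return b64_policy, base64.b64encode(digest).decode("ascii")


def verify_signature(b64_policy: str, signature: str, aws_secret_key: str) -> bool:
    """The check S3 performs: recompute over the posted Policy field and compare."""
    digest = hmac.new(aws_secret_key.encode("utf-8"),
                      b64_policy.encode("ascii"), hashlib.sha1).digest()
    expected = base64.b64encode(digest).decode("ascii")
    return hmac.compare_digest(expected, signature)


def decode_policy(b64_policy: str) -> dict:
    """Decode the Policy form field back into the JSON document (for inspection)."""
    return json.loads(base64.b64decode(b64_policy).decode("utf-8"))


def form_fields(bucket: str, key: str, redirect: str, access_key_id: str,
                secret_key: str, now: datetime) -> dict:
    """Hidden fields for the upload form; the policy expires 15 minutes from `now`."""
    policy_json = build_policy(bucket, key, redirect, now + timedelta(minutes=15))
    b64_policy, signature = sign_policy(policy_json, secret_key)
    return {
        "key": key,
        "acl": "public-read",
        "redirect": redirect,
        "AWSAccessKeyId": access_key_id,
        "Policy": b64_policy,
        "Signature": signature,
    }


if __name__ == "__main__":
    fields = form_fields("example-bucket-name", "image.jpg",
                         "https://example.com/upload-complete.cfm",
                         DEMO_ACCESS_KEY_ID, DEMO_SECRET_KEY, DEMO_NOW)
    for name, value in fields.items():
        print(f'<input type="hidden" name="{name}" value="{value}" />')
```

Note that the signature is computed over the base64 string, not the raw JSON, and that the secret key never leaves the server: the browser only ever sees the encoded policy, the signature and the access key id.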

Next you create a form that posts directly to Amazon S3:

<cfoutput>
<form action="https://example-bucket-name.s3.amazonaws.com/" method="post" enctype="multipart/form-data">
    <input type="hidden" name="key" value="#EncodeForHTMLAttribute(fileName)#" />
    <input type="hidden" name="acl" value="public-read" />
    <input type="hidden" name="redirect" value="https://example.com/upload-complete.cfm" />
    <input type="hidden" name="AWSAccessKeyId" value="#EncodeForHTMLAttribute(variables.awsAccessKeyID)#" />
    <input type="hidden" name="Policy" value="#b64Policy#" />
    <input type="hidden" name="Signature" value="#signature#" />
    File: <input type="file" name="file" />
    <input type="submit" name="submit" value="Upload to Amazon S3" />
</form>
</cfoutput>

According to the S3 documentation there are some conditions in which the redirect will not happen:

Please note that the redirect is not guaranteed to be followed. It is possible that an upload would succeed, but that a networking problem on the end-users network prevents them from following the redirect. It is also possible that in certain failure conditions, that a file is actually uploaded but you are not notified about the upload.

To get around this uncertainty you can set up Event Notifications for the S3 bucket you are uploading to.

The other thing to note is that if an error occurs the redirect will not happen and the user will be presented with an XML error message. To handle that more gracefully you could upload the file via AJAX, and then handle the error condition within JavaScript.


(Wed, 26 Nov 2014 22:19:00 GMT)

Minor JavaDocs.org Update

As you may know I run a few doc shortcut sites; cfdocs.org for CFML has been going quite well since publishing the source on GitHub, with a bunch of community contributions.

The other site I use a lot is JavaDocs.org. I recently updated it to point to Java SE Version 8 and JEE Version 7. I also added package shortcuts to it, so you can hit URLs like javadocs.org/javax.servlet and get a summary of all the classes / interfaces in that package.

I hope you find the sites handy.


(Tue, 28 Oct 2014 22:51:00 GMT)

nginx Directive rewrite is not terminated

I have been setting up some sites on nginx today (moving from an apache server) and have been pretty happy with how an Apache rewrite rule like:

RewriteRule /foo/([0-9]+)/ /foo.cfm?id=$1

Can be done in nginx like this:

rewrite /foo/([0-9]+)/ /foo.cfm?id=$1;

This was working great until I ran into this error:

[emerg] 4603#0: directive "rewrite" is not terminated by ";" in /etc/nginx/sites-enabled/example.com.conf:26

But the line referenced did end with a semicolon!

It turns out the problem was that my rewrite rule had {} in it, for example:

rewrite ^/archive/([0-9]{4})/ /archive.cfm?year=$1;

Replacing the {4} with simply a + worked (though is less precise).


(Sat, 18 Oct 2014 01:47:00 GMT)

Using Mozilla's Certificate Authority List for Java SSL

Every so often you run into an issue where you need to import a certificate signing authority's certificate into Java's cacerts certificate authority file. Oracle does update the cacerts file every so often, but it never seems to be as up to date as a browser like Firefox.

Mozilla, the folks that make Firefox and other great internet software, have a rigorous process for approving certificate signing authorities before allowing their software to trust the certificates they sign. Once a certificate has been approved it makes its way into the NSS (Network Security Services) libraries, which is what Firefox and other software use to determine if they can trust a particular cert. The certificates can be found in the NSS source code: here.

Lots of Linux / open source software uses Mozilla's list of certificate authorities, most notably curl -- they have also built a nice utility to grab Mozilla's source code and build a PEM file, called mk-ca-bundle.

So we can use this utility to build a file that can replace the cacerts file that Java ships with. We will use one additional utility called keyutil to convert the certificate file into the JKS (Java keystore) file format. You could also potentially use openssl to convert the PEM file to PKCS12 and then import it using Java's keytool executable.

Here's a shell script that builds a Java keystore out of the Mozilla trusted certificate authority list.

#!/bin/sh
# Fetch Mozilla's certificate authority list (NSS certdata.txt)
curl -o certdata.txt 'https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1'

# Convert certdata.txt into a PEM bundle with curl's mk-ca-bundle script
# (-n tells it to use the local certdata.txt instead of downloading it again)
perl mk-ca-bundle.pl -n > ca-bundle.crt

# Import the PEM bundle into a new Java keystore using keyutil
java -jar keyutil-0.4.0.jar --import --new-keystore trustStore.jks --password changeit --import-pem-file ca-bundle.crt

Now you can specify the JVM arguments to have it use the new SSL certificate authority file:

-Djavax.net.ssl.trustStore=/path/to/trustStore.jks

If you specified a password other than changeit you will also need to pass the password into the JVM arguments:

-Djavax.net.ssl.trustStorePassword=yourPassword

(Fri, 06 Jun 2014 21:05:00 GMT)

SessionRotate solution for JEE Sessions

As you may know the new ColdFusion 10 function SessionRotate works great if you are using ColdFusion sessions (CFID, CFTOKEN), but it doesn't actually rotate the session id or invalidate the underlying J2EE session if you are using JEE sessions. This is documented and by design, because a single J2EE session can span multiple ColdFusion applications on the same domain.

You can still rotate your J2EE sessions, but keep in mind that if you have multiple CF applications on the same domain it will only keep info for the current session (you could probably modify the code to get that working).

<cffunction name="jeeSessionRotate" output="false" returntype="string">
	<cfset var sessionScope = Duplicate(session)>
	<cfset var req = getPageContext().getRequest()>
	<cfset StructDelete(sessionScope, "sessionid")>
	<cfset StructDelete(sessionScope, "urltoken")>
	<!--- invalidate old session --->
	<cfset req.getSession().invalidate()>
	<!--- create a new JEE session --->
	<cfset local.newSession = req.getSession(true)>
	<!--- copy the old session scope into a temp key in the new session, handled in onSessionStart --->
	<cfif NOT StructIsEmpty(sessionScope)>
		<cfset local.newSession.setAttribute("jeeSessionRotateOldSession", sessionScope)>	
	</cfif>
	<cfreturn local.newSession.getId()>
</cffunction>

In your code call the above function to rotate the J2EE session, it will then store the old session scope in the new J2EE session directly with the key jeeSessionRotateOldSession.

Then in the onSessionStart function of your Application.cfc add the following to bring the old session data back into the new CF session:

<cffunction name="onSessionStart">
	<cfset session.startTime = now()>
	<cfset local.oldSession = getPageContext().getRequest().getSession().getAttribute("jeeSessionRotateOldSession")>
	<cfif NOT IsNull(local.oldSession) AND NOT structIsEmpty(local.oldSession)>			
		<cfloop list="#StructKeyList(local.oldSession)#" index="local.key">
			<cfif NOT StructKeyExists(session, local.key)>
				<cfset session[local.key] = local.oldSession[local.key]>
			</cfif>
		</cfloop>	
		<cfset getPageContext().getRequest().getSession().removeAttribute("jeeSessionRotateOldSession")>
	</cfif>
</cffunction>  

This is needed because the CF session scope is no longer usable after you run jeeSessionRotate(), so we need to wait until onSessionStart is invoked again with the new JEE session to copy the old CF session scope back over.

Note that the jeeSessionRotate function above only copies values set via CF's session scope; it doesn't copy any values that other JEE applications might have set. It could be modified to do that if you needed to.
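Added here as an illustration (not the post's code), a small in-memory Python model of the two-step rotation above: rotate() mirrors jeeSessionRotate (strip sessionid and urltoken, invalidate the old id, issue a new one, park the old data under jeeSessionRotateOldSession) and on_session_start() mirrors the Application.cfc handler, merging parked keys only where the new session does not already define them. The SessionStore class, its method names and the login_and_rotate call site are assumptions of the model.

```python
import secrets
import time

# Engine-managed keys the post's function strips before copying the scope.
ENGINE_KEYS = ("sessionid", "urltoken")
PARKED_KEY = "jeeSessionRotateOldSession"


class SessionStore:
    """In-memory stand-in for the container's session table (constructed for this example)."""

    def __init__(self):
        self._sessions = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)  # fresh, unguessable session id
        self._sessions[sid] = {"sessionid": sid, "urltoken": f"jsessionid={sid}"}
        return sid

    def is_valid(self, sid: str) -> bool:
        return sid in self._sessions

    def get(self, sid: str) -> dict:
        if sid not in self._sessions:
            raise KeyError("session is invalidated or unknown")
        return self._sessions[sid]

    def invalidate(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def rotate(self, old_sid: str) -> str:
        """jeeSessionRotate: copy the application data, invalidate the old id,
        create a new session and park the copy in it for on_session_start."""
        old_scope = dict(self.get(old_sid))
        for key in ENGINE_KEYS:
            old_scope.pop(key, None)
        self.invalidate(old_sid)            # the old id is worthless from here on
        new_sid = self.create()
        if old_scope:
            self._sessions[new_sid][PARKED_KEY] = old_scope
        return new_sid

    def on_session_start(self, sid: str, now: float) -> dict:
        """onSessionStart: merge parked keys without overwriting ones the new
        session already has (the NOT StructKeyExists check in the post)."""
        session = self.get(sid)
        session["startTime"] = now
        parked = session.pop(PARKED_KEY, None)
        if parked:
            for key, value in parked.items():
                session.setdefault(key, value)
        return session


def login_and_rotate(store: SessionStore, sid: str, user: str) -> str:
    """Typical call site: after authentication, rotate so a pre-login id cannot be reused."""
    store.get(sid)["user"] = user
    new_sid = store.rotate(sid)
    store.on_session_start(new_sid, time.time())   # the engine fires this for the new session
    return new_sid


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    store.on_session_start(anon, time.time())
    authed = login_and_rotate(store, anon, "alice")
    print("old id still valid:", store.is_valid(anon))    # False
    print("user carried over:", store.get(authed)["user"])  # alice
```

The point of the two-step dance is visible in the model: once rotate() has run, any request still carrying the old id is rejected, while the application data reappears under the new id only when the new session's start handler runs.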


(Fri, 28 Mar 2014 17:26:00 GMT)

False TemplateNotFoundException ColdFusion 9

I was working on a server (CF9.0.2 Win2008 IIS7.5) installation today and ran into what I thought at first was an IIS connector issue. When I set up the server in IIS 6 compatibility mode, it simply returned a blank page; using the IIS 7 connector for ColdFusion 9 showed me an IIS error page with a 404.0 response from the JWildCardHandler in ExecuteRequestHandler. The file that I was trying to serve was there, and IIS had permission to read it. It was not a 404!

I then realized it was not an IIS connector issue (even though it really looked like it to me), but the problem was on the CF side.

In my exception.log I found:

"Error","jrpp-0","03/17/14","15:13:57",,"Could not find the ColdFusion component or interface C:\sites\test\Application.cfc.Ensure that the name is correct and that the component or interface exists. The specific sequence of files included or processed is: C:\sites\test\index.cfm'' "
coldfusion.runtime.CfJspPage$NoSuchTemplateException: Could not find the ColdFusion component or interface C:\sites\test\Application.cfc.
	at coldfusion.runtime.TemplateClassLoader.newInstance(TemplateClassLoader.java:565)
	at coldfusion.runtime.TemplateClassLoader.newInstance(TemplateClassLoader.java:541)
	at coldfusion.runtime.TemplateProxyFactory.getCFCInstance(TemplateProxyFactory.java:271)
	at coldfusion.runtime.TemplateProxyFactory.resolveName(TemplateProxyFactory.java:174)
	at coldfusion.runtime.TemplateProxyFactory.resolveName(TemplateProxyFactory.java:159)
	at coldfusion.runtime.TemplateProxyFactory.resolveFile(TemplateProxyFactory.java:120)
	at coldfusion.cfc.CFCProxy.(CFCProxy.java:92)
	at coldfusion.runtime.AppEventInvoker.(AppEventInvoker.java:48)
	at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:192)
	at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48)
	at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
	at coldfusion.filter.PathFilter.invoke(PathFilter.java:94)
	at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70)
	at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
	at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
	at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)
	at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
	at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
	at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)
	at coldfusion.CfmServlet.service(CfmServlet.java:201)
	at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
	at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
	at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
	at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
	at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
	at jrun.servlet.FilterChain.service(FilterChain.java:101)
	at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
	at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
	at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
	at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
	at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
	at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)
	at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
	at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)
	at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
"Error","jrpp-0","03/17/14","15:13:57",,"File not found: C:\ColdFusion9\wwwroot\WEB-INF\exception\coldfusion\runtime\ApplicationException.cfm The specific sequence of files included or processed is: C:\ColdFusion9\wwwroot\WEB-INF\exception\coldfusion\runtime\ApplicationException.cfm'' "
coldfusion.runtime.TemplateNotFoundException: File not found: C:\ColdFusion9\wwwroot\WEB-INF\exception\coldfusion\runtime\ApplicationException.cfm
	at coldfusion.runtime.TemplateClassLoader.newInstance(TemplateClassLoader.java:567)
	at coldfusion.tagext.lang.IncludeTag.setTemplate(IncludeTag.java:191)
	at coldfusion.tagext.lang.IncludeTag.setTemplatePath(IncludeTag.java:111)
	at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:64)
	at coldfusion.filter.CfincludeFilter.include(CfincludeFilter.java:33)
	at coldfusion.filter.ExceptionFilter.runBuiltInHandler(ExceptionFilter.java:552)
	at coldfusion.filter.ExceptionFilter.handleException(ExceptionFilter.java:329)
	at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:84)
	at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
	at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
	at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)
	at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
	at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
	at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)
	at coldfusion.CfmServlet.service(CfmServlet.java:201)
	at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
	at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
	at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
	at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
	at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
	at jrun.servlet.FilterChain.service(FilterChain.java:101)
	at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
	at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
	at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
	at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
	at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
	at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)
	at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
	at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)
	at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

The Application.cfc was there and ColdFusion had read permission to it; the ApplicationException.cfm was there and ColdFusion's user also had read permission to that.

I was getting this coldfusion.runtime.TemplateNotFoundException but the templates really were there!

So what was the problem?

I had denied write access to C:\ColdFusion9\wwwroot\ for ColdFusion's user account. So what I think happened is that ColdFusion tried to compile the cfm and cfc file (and it needs to write those files into the WEB-INF folder); it didn't have permission to write these files, so it threw a TemplateNotFoundException on the file it was trying to compile... even though CF did find it and could read it, it just couldn't save the compiled class.

I had to blog this one because it is such an obscure exception, not sure if too many people will encounter it, but just in case...


(Mon, 17 Mar 2014 21:33:00 GMT)

ColdFusion defaults avoid flawed Random Number Generator

I've been researching a very interesting security topic for the past few weeks related to the Snowden NSA leaks and even related to ColdFusion. Thankfully Adobe's default settings avoid the weakness.

According to reports, the NSA designed a backdoor into a random number generator algorithm and was able to push it through NIST to be approved in 2006 as a FIPS standard. While the algorithm is apparently not named in the documents, all evidence points to an algorithm called Dual Elliptic Curve Deterministic Random Bit Generator (or Dual_EC_DRBG or ECDRBG). I am not qualified to explain the flaws in this algorithm, so I'll point you to someone who has explained it well: Matthew Green, a cryptographer and research professor at Johns Hopkins University.

So how does this relate to ColdFusion?

The Enterprise version of ColdFusion has shipped with a library called BSafe Crypto-J from RSA, which is a Java security provider that implements FIPS-compliant crypto algorithms, allowing CF's crypto to be FIPS compliant.

It turns out that RSA's default random number generator for its BSafe libraries is ECDRBG! This is interesting because ECDRBG is much slower than other secure random number generator algorithms approved by FIPS, and doubts about its security were published in 2007. Read more about this here.

So if ColdFusion is using BSafe are we at risk?

ColdFusion start up scripts specify -Dcoldfusion.jsafe.defaultalgo=FIPS186Random as a JVM argument (jvm.config) by default (I checked CF8, 9 and 10 installs and they all had it, but you should double check yours). It was unclear to me whether FIPS186Random would still use ECDRBG, since it is a FIPS 186 approved algorithm, so I contacted Adobe about this and suggested they contact RSA for clarification. The response I received from Adobe was:

We confirmed with RSA as well, FIPS186Random is safe to use and does not make use of ECDRBG variants of algorithms.

Adobe has just posted a blog entry about the issue.

So you need to make sure that you have not removed that line of configuration, or else you may be using the default one.

How can I find out which Random Number Generator is default?

Run the following CFML code:

<cfset secureRand = CreateObject("java", "java.security.SecureRandom")>
<cfdump var="#secureRand.getAlgorithm()#">

What is at risk if I'm using ECDRBG?

Random numbers are used in key generation, so this could weaken SSL/TLS connections made by your code (eg a CFHTTP call to a HTTPS url). Random numbers are also used in session identifier generation. Presumably an attacker that understands how to exploit the weakness could more accurately guess valid session identifiers.

How can I change the BSafe default RNG algorithm?

According to the RSA documentation you can set the java system property -Dcom.rsa.crypto.default.random to another algorithm (for example HMACDRBG). Adobe however has their own system property -Dcoldfusion.jsafe.defaultalgo that you can set for ColdFusion (in the jvm.config file).

What if I am running CF Standard not Enterprise?

The RSA BSafe CryptoJ libraries should only be enabled on enterprise installations of ColdFusion. Either way you can double check using the code above which random number generator is default (usually SHA1PRNG on standard).


(Tue, 17 Dec 2013 16:35:00 GMT)

