Pete Freitag's Homepage
Fixinator fixes unscoped variables | Mark As Read |
Last week's Adobe ColdFusion security update disabled searchImplicitScopes by default. Prior to that update, and for the past twenty five years, ColdFusion would search through the all the possible scopes until it found a matching variable. As you can imagine this change caused quite a bit of work for ColdFusion developers who might have an unscope...
ColdFusion searchImplicitScopes and APSB24-14 | Mark As Read |
Adobe has published a ColdFusion Security Hotfix APSB24-14 today which describes "a critical vulnerabilitythat could lead toarbitrary file system read". One of the things you will want to take special note of in this hotfix is that a major change was made to how ColdFusion handles unscoped variables. According to the technote: Starting with this u...
Lucee RCE Vulnerabilities February 2024 | Mark As Read |
Last week security researchers from Project Discovery published details on three Lucee vulnerabilities: A Remote Code Execution (RCE) on isDefined, StructGet, Empty functions A RCE on CF_CLIENT cookie values A RCE on REST CFC requests, which was patched in 2023: CVE-2023-38693 The RCE on isDefined, StructGet, Empty functions Lucee Allows RC...
DNS over HTTPS is not what I thought | Mark As Read |
A few months ago I was on a mission to remove some of the old broken links on my blog. I started blogging back in 2002, so many of the sites that I linked to twenty years ago were no longer active, or no longer under the same ownership. I decided to start this task by weeding out any domains that no longer resolved over DNS. While I knew of a few ...
Remove the Server Header in any IIS Version | Mark As Read |
Removing the Server Header as of IIS 10 (the version of IIS installed by default on Windows Server 2016, 2019 or 2022) is now much easier than it had been with prior versions of IIS. By default IIS will return a HTTP response header like this: Server: Microsoft-IIS/10.0 This tells everyone that your server is running IIS, and more specifically vers...
Self Signed Certificates in Edge on Windows 2022 | Mark As Read |
When setting up a server for training purposes I wanted to create a self signed certificate for app1.example.com and trust it in Edge on Windows Server 2022. Normally when I create a self signed certificate on Windows Server I just use the IIS Server Certificates button Create Self-Signed Certificate, but I found that even if you tell Edge to trust...
The newline cat mystery | Mark As Read |
I ran into a really strange problem today, whenever I would write a file it would show up as empty on my file system. Here's a simplified version of my code: var nl = chr(13); var csv = '"order_id","date"' & nl; csv &= '"1","2023-01-01"' & nl; fileWrite("/tmp/test.txt", csv); I would then go to my terminal and type: cat /tmp/test.txt And it would...
Ticket to ColdFusion Summit 2023 | Mark As Read |
The Adobe ColdFusion Summit is coming up in October. I will be speaking at the conference, and my company Foundeo is also one of the conference sponsors. As part of the sponsorship I have an extra entry ticket to CFSummit that I am going to give away to one random subscriber of the CFBreak ColdFusion Weekly Newsletter. All you have to do is subscri...
Into The Box 2023 Slides | Mark As Read |
I'm back from Houston Texas after another great Into the Box conference. Slides for my talk Taming the top 25 Most Dangerous Software Weaknesses can be found here. For code samples I used my Bank of Insecurity repository which is full of security weaknesses.
File Created Date Time in ColdFusion / CFML | Mark As Read |
Today I needed to get the time that a file was created from within some CFML code. I had first thought that cfdirectory or directoryList would return this, but it only returns the date the a file was modified, not the date that it was created. My next thought was that getFileInfo must return this, but again it only returns the date that the file wa...
File Create Time in ColdFusion / CFML | Mark As Read |
Today I needed to get the time that a file was created from within some CFML code. I had first thought that cfdirectory or directoryList would return this, but it only returns the date the a file was modified, not the date that it was created. My next thought was that getFileInfo must return this, but again it only returns the date that the file wa...
Speaking at ColdFusion Summit Online Next Week | Mark As Read |
I will be giving my talk Taming the Top 25 Most Dangerous Software Weaknesses (for ColdFusion Developers) next Tuesday, December 6th 2022 at 1pm US Eastern Time. You will need to register with Adobe to join, it's free. Adobe is repeating many of the talks from the in person ColdFusion Summit that took place in October, if you weren't able to make ...
OpenSSL and ColdFusion / Lucee / Tomcat | Mark As Read |
I've had a several people asking me about the openssl vulnerabilities that were patched this week: CVE-2022-3602 and CVE-2022-3786 aka Spooky SSL. ColdFusion / Lucee and OpenSSL As far as I know both ColdFusion and Lucee do not use openssl for any of its crypto operations by default. Both ColdFusion and Lucee use the Java Cryptographic Extension (...
ColdFusion Security Training Class December 2022 | Mark As Read |
Early bird registration is open for my ColdFusion Security Training deep dive class in December. If you've ever attended one of my conference sessions on ColdFusion Security at Adobe ColdFusion Summit or Into The Box (or even cf.Objective() or CFUnited :-) you know that it is hard cover a wide variety of issues in a one hour session. It is an onli...
Registration Open ColdFusion Security Training Class December 2022 | Mark As Read |
Early bird registration is open for my ColdFusion Security Training deep dive class in December. If you've ever attended one of my conference sessions on ColdFusion Security at Adobe ColdFusion Summit or Into The Box (or even cf.Objective() or CFUnited :-) you know that it is hard cover a wide variety of issues in a one hour session. It is an onli...
How Long Has Your ColdFusion Server Been Running? | Mark As Read |
Someone asked on the CFML slack recently how can you find out how long your ColdFusion (or Lucee) server has been running via code. How long has the server been running? createObject("java", "java.lang.management.ManagementFactory").getRuntimeMXBean().getUptime () This approach uses Java's Management Factory Runtime Bean to get the number of millise...
Adding CloudFlare Turnstile CAPTCHAs to CFML Sites | Mark As Read |
CloudFlare recently released a new CAPTCHA service called Turnstile, which aims to provide a better user experience for CAPTCHA's. At the worst case the user will have to click a checkbox, rather than train a machine learning model solving a puzzle. Client Side Implementation There are a few different ways to implement the front end side, but at a ...
ColdFusion Summit 2022 Slides | Mark As Read |
I'm back from another excellent CFSummit. So many great presentations and conversations. This year I gave a presentation on the 25 Most Dangerous Software Weaknesses and how they relate to ColdFusion. It was nice to be able to present live, instead of over zoom! You can find the slides here, and the code samples are on github in my CFML Security Tr...
Ways to suppress a finding in Fixinator | Mark As Read |
Code is complex, so any static application security testing (SAST) tool will find things that may not be an actual security issue. Fixinator has a few different ways we can deal with this problem. For example, let's suppose you have a variable application.maxstories=10 set in Application.cfc, and you use that variable in a different file like this:...
Simple Parallel Execution in ColdFusion or Lucee | Mark As Read |
A really handy feature of the arrayEach() function is the parallel argument. It has been supported in Lucee since 4.5, but ColdFusion 2021 now supports it as well. What does the arrayEach function do? Quite simply it loops over each element of an array and invokes a function for each element of the array, here's a simple example: fruit = ["Apples"...
Creating a ColdFusion UUID in MySQL | Mark As Read |
The uuid() function in MySQL returns a 36 character hex string, formatted as: aa479ea9-1d9d-11ed-ba03-564760fe47b7 ColdFusion's createUUID() function returns a 35 character hex string formatted as: AA479EA9-1D9D-11ED-BA03564760FE47B7 Both store the same amount of data (16 bytes), the only difference is that there is an extra dash in the MySQL uuid(...
Better CFML Code with CI | Mark As Read |
I gave a presentation for the Adobe ColdFusion Developer Week Conference today titled: Better CFML Code with CI. You can find the slides for my talk here. I will update the blog entry with a link to the recording once available.
Firefox Hosts File Not Working? | Mark As Read |
I'm probably not the first one to notice this, but if you have a hosts file (eg /ect/hosts or c:\windows\system32\drivers\etc\hosts on windows) you might find that recent versions of Firefox will ignore it. When I encountered this, my guess was that it was caused by Firefox enabling DNS over HTTPS by default. And it turns out that you can workaroun...
How to read a ColdFusion Stacktrace | Mark As Read |
This question came up recently: How do you read a stack trace? Are there any resources that will educate me? While there are many resources specific to Java on reading a stacktrace, I don't think there are many related to ColdFusion or CFML. So let's make one here. Here's a part of a stacktrace that this particular user was wanting to understand b...
How I cut AWS Lambda Java Cold Start Times in Half | Mark As Read |
It is rare that a simple JVM argument change can have a dramatic impact on execution times, but in the case of AWS Lambda adjusting the Tiered Complication settings can have a really big impact on performance in many (but not all) cases. The change I made was to add the JVM arguments: -XX:+TieredCompilation -XX:TieredStopAtLevel=1 On AWS Lambda you...
Spring4Shell and ColdFusion | Mark As Read |
I've had a bunch of people ask me if ColdFusion / Lucee servers need to worry about the recent Java vulnerability in Spring, nick named Spring4Shell, or more formally known as CVE-2022-22965. To the best of my knowledge ColdFusion and Lucee do not make use of the Java Spring Framework by default, and do not include any of the vulnerable Spring jars...
Order by NULL Values in MySQL, Postgresql and SQL Server | Mark As Read |
If you have a column that may contain NULL values, and you want sort on that column with an ORDER BY clause, which comes first the null values or the non null values? This is something that I have to look up, or simply test each and every time I need to know, so I figured it would be good material for a blog entry. NULL Values First on MySQL or Po...
CloudFlare Authenticated Origin Pulls | Mark As Read |
If you are using CloudFlare in front of your web server, it is a good idea to setup CloudFlare Authenticated Origin Pulls. When this is enabled and properly configured only CloudFlare will be able to connect to your origin web server directly. An example setup on nginx might require that you add something like this: ssl_client_certificate /etc/clo...
Log4j 1.x Vulnerability Guide | Mark As Read |
Almost every day I see someone asking what to do about log4j 1.2 / 1.x versions. It can be quite a lot of wrap your head around, and it can't be answered easily in a sentence or two. So here's my attempt at providing some clarity and solutions for the millions of applications that are still using Log4j 1.x TLDR: Apache Log4j 1.x does have vulnerabi...
Log4Shell Vulnerability Timeline | Mark As Read |
When I created a blog entry covering Log4Shell log4j on ColdFusion, and said I would update it as new information comes in, I didn't realize I would be updating it several times a day for the past week. I think this Log4Shell / Log4j issue can be confusing to keep track of with all the new developments, so I decided to create a timeline. I will try...
How to get Log4j Version at Runtime in Java | Mark As Read |
Here's how you can get the version of Log4j you are using at runtime using Java: Java Code to Get the Log4j Version at Runtime org.apache.logging.log4j.util.PropertiesUtil.class.getPackage().getImp lementationVersion() The above only works on version log4j2 (log4j version 2), and is based on jar file manifest information. There doesn't appear to ...
Log4j CVE-2021-44228 Log4Shell Vulnerability | Mark As Read |
There is a critical security vulnerability (CVE-2021-44228 aka Log4Shell) in the java library log4j which is a popular logging library for java applications. It is included in both Adobe ColdFusion and Lucee for example. Putting together some info to help sort this issue out as it pertains to ColdFusion and Lucee users. I'll update this entry as ne...
Listing loaded OSGI Bundles in Lucee | Mark As Read |
Here's a quick code snippet that will output a list of OSGI java bundles and bundle versions that are loaded / installed on Lucee: //CFMLEngine engine = getPageContext().getCFMLFactory().getEngine(); //org.osgi.framework.BundleContext bundleContext = engine.getBundleContext(); //array of org.osgi.framework.Bundle objects bundles = bundleContext....
Replacing Twitter Share / Follow Widget Buttons with CSS | Mark As Read |
While looking at the PageSpeed Insights for my blog I noticed that the Twitter widgets I was using to display a twitter follow button and a tweet / share button were causing some page speed issues. Specifically the TBT (Total Blocking Time), LCB (Largest Contentful Paint) saw an impact. Overall it was taking about 151 KiB and blocking the main thre...
Docker for Devs | Mark As Read |
A few years ago I gave a presentation to my local CFUG titled Docker for Devs. I recently realized that I never posted the slides or the examples. So while the version numbers may be a bit outdated, I thought it may be useful to post it. Docker for Devs Slides Example Docker-Compose Files
Securing ColdFusion Applications - DevWeek 2021 | Mark As Read |
It was great to be a speaker at the ColdFusion DevWeek event last week. I spoke on the topic Securing ColdFusion Applications. As promised here are the slides, and the example code I used can be found here. In this talk I thought it would be fun to come up with a list of the Top 10 Risks or Issues ColdFusion developers should be aware of. As with a...
Java versions supporting TLS 1.3 | Mark As Read |
What versions of Java support TLSv1.3 / TLS 1.3? Java 8 TLS 1.3 Support If you are on Java 8 (or 1.8 if you prefer) then you need version 8u261 b12 or greater. This version was released on July 14, 2020. Java 11 TLS 1.3 Support Java 11 has supported TLS 1.3 since it was first released, however there were some bugs in the early versions. For that re...
URL Safe Base64 Encoding / Decoding in CFML | Mark As Read |
ColdFusion / CFML has a builtin function that can convert a string or a binary object to a standard Base64 encoded string: toBase64 and you can decode back to a string using toBinary() and toString() or the binaryDecode() function. These builtin functions are quite handy, but if you need to pass the encoded value in a URL, or simply want a nicer lo...
TLSv1 and TLSv1.1 Disabled by Default in Java after April 2021 | Mark As Read |
The OpenJDK Crypto Roadmap states that TLSv1 and TLSv1.1 will be disabled in OpenJDK releases by default after April 20, 2021. I assume this change also applies to Oracle, and all the JVMs that are derived from OpenJDK. How are they disabling it? or how can I reenable it if I need to? One nice feature you may not realize exists is the java.security...
Bash Script to log file modifications with osquery | Mark As Read |
Here's a bash script that uses osquery to log which files in a specific folder have been modified over a 15 minute period. My use case here wasn't file integrity monitoring, for that you would want to use file events. Here's the script: #!/bin/bash WORKSPACE_DIR=`echo ~/workspace` LOG_DIR=`echo ~/Documents/Logs/osquery_file_logs/` AGO_TIMESTAMP=`...
Using Hashicorp Vault with ColdFusion | Mark As Read |
Hashicorp Vault is an open source, enterprise grade security vault. It is designed to grant secure access to the secrets that it stores. It can also act as an encryption as a service API. Vault is very powerful, and there are lots of resources and videos describing how it works. Using Vault is something that I often cover in my ColdFusion security ...
SessionInvalidate for JEE Sessions | Mark As Read |
The builtin CFML function sessionInvalidate() works great for invalidating or clearing a ColdFusion session (CFID/CFTOKEN). But it doesn't invalidate the underlying J2EE / JEE session (the JSESSIONID). You can dip down into the underlying JEE API and invoke the invalidate() function on the javax.servlet.http.HttpSession object. Here's how you can d...
Is maxlength necessary in cfqueryparam with timestamps? | Mark As Read |
Jakob Ward recently posted an interesting question to the CFML slack channel: Is there a point to setting maxlength for a timestamp value in cfqueryparam? Or can this be ignored safely? My guess was that cfqueryparam would ignore the maxlength attribute when the cfsqltype is timestamp (or cf_sql_timestamp if you like to type). But I wasn't sure, ...
Java LTS Version Roadmap and Guide | Mark As Read |
People often download and install the latest version of Java, rather than the latest LTS version of java. In most cases, especially if it is on a server you probably want to be using the LTS version of java. So what is a Java LTS Version? LTS stands for Long Term Support, this means that the java vendor (for example Oracle) will support it for a lo...
ColdFusion Summit Fall 2020 | Mark As Read |
Thanks to all who attended my talk today on Securing ColdFusion Applications. I will be posting the slides here on this blog entry shortly. Many had asked me about the link to ColdFusion Security Training class to be held on Thursday December 10, 2020 @ 11am-2pm & Friday December 11 @ 11am-2pm (Eastern Standard Time, UTC -5). In that class we'll be...
One liner to download a Browser with PowerShell on Windows Server | Mark As Read |
It would be nice if Windows Server 2019 came with Microsoft Edge Browser, but it still comes with good old IE 11, and on a Windows Server, you have to jump through hoops to let IE download anything due to its default security settings. First I tried downloading Microsoft Edge Browser with IE on Windows Server 2019. I got the following prompt: Do yo...
CFML Left and Right Functions can Accept Negative Counts | Mark As Read |
Here is a handy trick I saw in some code recently. It turns out you can use a negative integer in the count argument of the left() and right() functions in CFML. This works in multiple versions of both Lucee and Adobe ColdFusion! Here's an example: left("Peter", -1) This will trim 1 character off the end of the string. The result of the above code ...
Setting Lucee Admin Password with CommandBox | Mark As Read |
One of the recent changes to Lucee is that no longer allows you to enter an admin password from the web based lucee admin if one had not been set yet. This is a great feature for security, but for local development it makes things a bit more cumbersome. You'll see what I mean when you hit this error message: No Password Set Yet! For security reaso...
Cleaning up Development Disk Space CommandBox | Mark As Read |
I've been using CommandBox to startup CF servers on my dev laptop and desktop for several years, maybe even since the first version was released! CommandBox does a great job of hiding its internal magic, and thus the amount of disk space it consumes can creep up on you. To make matters worse it stores everything in a hidden folder under your home d...
Creating a Symbolic Link with ln -s What Comes First? | Mark As Read |
One thing I've had to google more times than I'd like to admit is the path argument order for the ln command. What comes first in the ln -s command on linux or Mac? So I thought I'd write a little blog entry for future me to find. Here's an example: ln -s /real/path /linked/path To answer my own question, you put the existing path first (source fil...
- Welcome!
- cfNote aggregates blogs for the Coldfusion industry.
- Custom Feeds
- Add any RSS feed to the information you read daily.
- Blocked Feeds
- Block feeds to remove blogs you’re not interested in.
- Account Settings
- Customize the site by adding or removing feeds.
Don’t have an account yet?
- Customize your settings
- Edit how your blog displays
- Add or remove blogs you read. Sign Up.
About Us
cfNote is your source for all your Coldfusion news.
Know of a Coldfusion blog that we're missing? Let us know! |