ColdFusion Posts Around the World.
ColdFusion Posts Around the World. ColdFusion Summit 2024 Slides: 20 ways to secure CFPete FreitagThis year at the Adobe ColdFusion summit in Las Vegas I presented on 20 ways to secure ColdFusion. You can download my slides here. When giving a presentation on security there are certain topics t...Latest ColdFusion Security Updates - September 2024Pete FreitagI am going to attempt to keep this page updated with the latest ColdFusion Security Updates and Hotfixes published by Adobe. This will allow me to update this page as more info becomes available about updates. I will also try to back fill this so it has past info as well. September 2024...Left and Right Accept Negative CountsPete FreitagHere's something I learned recently: you can pass negative values into the left() and right() functions in CFML. Thanks to John Whish for pointing this out in a pull request on cfdocs.org. The left() and right() functions work great for...Fixinator fixes unscoped variablesPete FreitagLast week's Adobe ColdFusion security update disabled searchImplicitScopes by default. Prior to that update, and for the past twenty five years, ColdFusion would search through the all the possible scopes until it found a ma...ColdFusion searchImplicitScopes and APSB24-14Pete FreitagAdobe has published a ColdFusion Security Hotfix APSB24-14 today which describes "a critical vulnerability that could lead to arbitrary file system read". One of the things you will want to take...Lucee RCE Vulnerabilities February 2024Pete FreitagLast week security researchers from Project Discovery published details on three Lucee vulnerabilities: A Remote Code Execution (RCE) on isDefined, StructGet, Empty functions ...DNS over HTTPS is not what I thoughtPete FreitagA few months ago I was on a mission to remove some of the old broken links on my blog. I started blogging back in 2002, so many of the sites that I linked to twenty years ago were no longer active, or no longer under the same ownership. I decided to start this task by weeding out any domains tha...Remove the Server Header in any IIS VersionPete FreitagRemoving the Server Header as of IIS 10 (the version of IIS installed by default on Windows Server 2016, 2019 or 2022) is now much easier than it had been with prior versions of IIS. By default IIS will return a HTTP response header like this: Server: Microsoft-IIS/10.0 This te...Self Signed Certificates in Edge on Windows 2022Pete FreitagWhen setting up a server for training purposes I wanted to create a self signed certificate for app1.example.com and trust it in Edge on Windows Server 2022. Normally when I create a self signed certificate on Windows Server I just use the IIS Server Certificates button C...Self Signed Certificates in Edge on Windows 2022Pete FreitagWhen setting up a server for training purposes I wanted to create a self signed certificate for app1.example.com and trust it in Edge on Windows Server 2022. Normally when I create a self signed certificate on Windows Server I just use the IIS Server Certificates button C...The newline cat mysteryPete FreitagI ran into a really strange problem today, whenever I would write a file it would show up as empty on my file system. Here's a simplified version of my code: var nl = chr(13); var csv = '"order_id","date"' & nl; csv &= '"1","2023-01-01"' & nl; fileWrite("/tmp/test.tx...The newline cat mysteryPete FreitagI ran into a really strange problem today, whenever I would write a file it would show up as empty on my file system. Here's a simplified version of my code: var nl = chr(13); var csv = '"order_id","date"' & nl; csv &= '"1","2023-01-01"' & nl; fileWrite("/tmp/test.tx...Ticket to ColdFusion Summit 2023Pete FreitagThe Adobe ColdFusion Summit is coming up in October. I will be speaking at the conference, and my company Foundeo is also one of the conference sponsors. As part of the sponsorship I have an extra entry ticket to CFSummit that I am going to give away to ...Win a Ticket for ColdFusion Summit 2023Pete FreitagThe Adobe ColdFusion Summit is coming up in October. I will be speaking at the conference, and my company Foundeo is also one of the conference sponsors. As part of the sponsorship I have an extra entry ticket to CFSummit that I am going to give away to ...Into The Box 2023 SlidesPete FreitagI'm back from Houston Texas after another great Into the Box conference. Slides for my talk Taming the top 25 Most Dangerous Software WeaknessesInto The Box 2023 SlidesPete FreitagI'm back from Houston Texas after another great Into the Box conference. Slides for my talk Taming the top 25 Most Dangerous Software Weaknesses can be found here. For code samples I used myFile Create Time in ColdFusion / CFMLPete FreitagToday I needed to get the time that a file was created from within some CFML code. I had first thought that cfdirectory or directory...File Created Date Time in ColdFusion / CFMLPete FreitagToday I needed to get the time that a file was created from within some CFML code. I had first thought that cfdirectory or directoryList would return this, but it only returns the date the a file was modified, not the date that it was created. My next thought was...Speaking at ColdFusion Summit Online Next WeekPete FreitagI will be giving my talk Taming the Top 25 Most Dangerous Software Weaknesses (for ColdFusion Developers) next Tuesday, December 6th 2022 at 1OpenSSL and ColdFusion / LuceePete FreitagI've had a several people asking me about the openssl vulnerabilities that were patched this week: CVE-2022-3602 and CVE-2022-3786 aka Spooky SSLColdFusion Security Training Class December 2022Pete FreitagEarly bird registration is open for my ColdFusion Security Training deep dive cHow Long Has Your ColdFusion Server Been Running?Pete FreitagSomeone asked on the CFML slack recently how can you find out how long your ColdFusion (or Lucee) server has been running via code. HowAdding CloudFlare Turnstile CAPTCHAs to CFML SitesPete FreitagCloudFlare recently released a new CAPTCHA service called Turnstile, which aims to provide a better user experience for CAPTCHA's. At the worsColdFusion Summit 2022 SlidesPete FreitagI'm back from another excellent CFSummit. So many great presentations and conversations. This year I gave a presentation on the 25 Most Dangerous SWays to suppress a finding in FixinatorPete FreitagCode is complex, so any static application security testing (SAST) tool will find things that may not be an actual security issue.Simple Parallel Execution in ColdFusion or LuceePete FreitagA really handy feature of the arrayEach() function is the parallel argument. It has been supporCreating a ColdFusion UUID in MySQLPete FreitagThe uuid() function in MySQL returns a 36 character hex string, formatted as: aa479ea9-1d9d-11ed-ba03-564760fe47b7 ColdFusioBetter CFML Code with CIPete FreitagI gave a presentation for the Adobe ColdFusion Developer Week Conference today titled: Better CFML Code with CI. You can find theFirefox Hosts File Not Working?Pete FreitagI'm probably not the first one to notice this, but if you have a hosts file (eg /ect/hosts or c:\windows\system32\drivers\etc\hostsHow to read a ColdFusion StacktracePete FreitagThis question came up recently: How do you read a stack trace? Are there any resources that will educate me? While theHow I cut AWS Lambda Java Cold Start Times in HalfPete FreitagIt is rare that a simple JVM argument change can have a dramatic impact on execution times, but in the case of AWS Lambda adjusting the Tiered CompSpring4Shell and ColdFusionPete FreitagI've had a bunch of people ask me if ColdFusion / Lucee servers need to worry about the recent Java vulnerability in Spring, nick named Spring4ShelOrder by NULL Values in MySQL, Postgresql and SQL ServerPete FreitagIf you have a column that may contain NULL values, and you want sort on that column with an ORDER BY clause, which comes firsCloudFlare Authenticated Origin PullsPete FreitagIf you are using CloudFlare in front of your web server, it is a good idea to setupLog4j 1.x Vulnerability GuidePete FreitagAlmost every day I see someone asking what to do about log4j 1.2 / 1.x versions. It can be quite a lot of wrap your head around, and it can't be answer...Log4Shell Vulnerability TimelinePete FreitagWhen I created a blog entry covering Log4Shell log4j on ColdFusion, and said I would update it aHow to get Log4j Version at Runtime in JavaPete FreitagHere's how you can get the version of Log4j you are using at runtime using Java: Java Code to Get the Log4j Version at RuntimeLog4j CVE-2021-44228 Log4Shell VulnerabilityPete FreitagThere is a critical security vulnerability (CVE-2021-44228 aka Log4Shell) in the java library log4j which is a popular logging library for java applica...Listing loaded OSGI Bundles in LuceePete FreitagHere's a quick code snippet that will output a list of OSGI java bundles and bundle versions that are loaded / installed on Lucee: //CFMLEngiReplacing Twitter Share / Follow Widget Buttons with CSSPete FreitagWhile looking at the PageSpeed Insights for my blog I noticed that the Twitter widgets I was using to display a twitter follow button and a twDocker for DevsPete FreitagA few years ago I gave a presentation to my local CFUG titled Docker for Devs. I recently realized that I never posted the slides or the exampSecuring ColdFusion Applications - DevWeek 2021Pete FreitagIt was great to be a speaker at the ColdFusion DevWeek event last week. I spoke on the topic Securing ColdFusion Applications. As promiJava versions supporting TLS 1.3Pete FreitagWhat versions of Java support TLSv1.3 / TLS 1.3? Java 8 TLS 1.3 Support If you are on Java 8 (or 1.8 if you prefer) then you need versiURL Safe Base64 Encoding / Decoding in CFMLPete FreitagColdFusion / CFML has a builtin function that can convert a string or a binary object to a standard Base64 encoded string:TLSv1 and TLSv1.1 Disabled by Default in Java after April 2021Pete FreitagThe OpenJDK Crypto Roadmap states that TLSv1 and TLSv1.1 will be disabled in OpenJDK releaBash Script to log file modifications with osqueryPete FreitagHere's a bash script that uses osquery to log which files in a specific folder have been modified over a 15 minute period. My use case herUsing Hashicorp Vault with ColdFusionPete FreitagHashicorp Vault is an open source, enterprise grade security vault. It is designed to grant secure access to the secrets that it stores. It can also act as an encryption as a service API. Vault is very powerful, and there are lots of resources and videos describing how it works. Using Vault is somet...SessionInvalidate for JEE SessionsPete FreitagThe builtin CFML function sessionInvalidate() works great for invalidating or clearing a ColdFusion session (CFID/CFTOKEN). But it doesn't invalidate the underlying J2EE / JEE session (the JSESSIONID). You can dip down into the underlying JEE API and invoke the invalidate() function on the javax.ser...Is maxlength necessary in cfqueryparam with timestamps?Pete FreitagJakob Ward recently posted an interesting question to the CFML slack channel: Is there a point to setting maxlength for a timestamp value in cfqueryparam? Or can this be ignored safely? My guess was that cfqueryparam would ignore the maxlength attribute when the cfsqltype is timestamp (or cf_sql_t...Java LTS Version Roadmap and GuidePete FreitagPeople often download and install the latest version of Java, rather than the latest LTS version of java. In most cases, especially if it is on a server you probably want to be using the LTS version of java. So what is a Java LTS Version? LTS stands for Long Term Support, this means that the java ve...ColdFusion Summit Fall 2020Pete FreitagThanks to all who attended my talk today on Securing ColdFusion Applications. You can find the slides here. Many had asked me about the link to ColdFusion Security Training class to be held on Thursday December 10, 2020 @ 11am-2pm & Friday December 11 @ 11am-2pm (Eastern Standard Time, UTC -5). In t...One liner to download a Browser with PowerShell on Windows ServerPete FreitagIt would be nice if Windows Server 2019 came with Microsoft Edge Browser, but it still comes with good old IE 11, and on a Windows Server, you have to jump through hoops to let IE download anything due to its default security settings. First I tried downloading Microsoft Edge Browser with IE on Wind...CFML Left and Right Functions can Accept Negative CountsPete FreitagHere is a handy trick I saw in some code recently. It turns out you can use a negative integer in the count argument of the left() and right() functions in CFML. This works in multiple versions of both Lucee and Adobe ColdFusion! Here's an example: left("Peter", -1) This will trim 1 character off th...Setting Lucee Admin Password with CommandBoxPete FreitagOne of the recent changes to Lucee is that no longer allows you to enter an admin password from the web based lucee admin if one had not been set yet. This is a great feature for security, but for local development it makes things a bit more cumbersome. You'll see what I mean when you hit this error...Cleaning up Development Disk Space CommandBoxPete FreitagI've been using CommandBox to startup CF servers on my dev laptop and desktop for several years, maybe even since the first version was released! CommandBox does a great job of hiding its internal magic, and thus the amount of disk space it consumes can creep up on you. To make matters worse it stor...Creating a Symbolic Link with ln -s What Comes First?Pete FreitagOne thing I've had to google more times than I'd like to admit is the path argument order for the ln command. What comes first in the ln -s command on linux or Mac? So I thought I'd write a little blog entry for future me to find. Here's an example: ln -s /real/path /linked/path To answer my own que... |