Stillnet Studios

There have been some attacks recently against ColdFusion servers that allow users to upload files. This is a common feature on many sites – uploading your profile photo, classified ad pictures, etc. Here is my take on handling file uploads securely.

First, make sure you are not uploading files directly into your webroot. For example if you store your user’s profile photos in /images/profilePhotos, don’t upload your file right into there. You need to put it somewhere safe first and verify that it really is an image file. Adding accept=”image/jpeg” to your cffile tag doesn’t save you here either. There are attacks where the mime type is spoofed, making ColdFusion think an image file is being uploaded, when really its a .cfm file.

So, you need to place the file somewhere outside your webroot. A convenient place to use is your server’s temp directory. You can get the path to a temp directory by calling the built-in getTempDirectory() function. For example:
Continue reading ‘Secure image uploading with ColdFusion’ »

If you are developing a ColdFusion application, or even just a stand alone CFC that you plan to distribute, you might want to make sure it runs on all three major CFML engines – Adobe ColdFusion, Railo, and Open BlueDragon. It can be tedious to always copy code around between your three test sites, but there is an easier way. You can have the same code base run through all three CFML engines at once.

There are a few caveats: Continue reading ‘Running your CFML code through Railo, OpenBD, and Adobe CF all at once’ »

I have been working on an project in my spare time that will eventually be deployed on Open BlueDragon. I ran into an error the other night after adding some methods to one my CFCs. I run all three CFML engines side by side (another blog post about that is coming soon), so I was easily able to see and compare the error messages in all three.

This was my error message in OpenBD:

Continue reading ‘Error messages on Railo, OpenBD and ColdFusion 8 compared’ »

We had an issue recently where one of our Excel import routines was putting garbled data into the database. By “garbled” I mean the field contained a few normal words then broke into a bunch of strange characters. This Excel file was read in using an ODBC datasource.

If you are not familiar with this method of reading Excel files, here is a short summary.
1) Create a system ODBC DSN using the MS Excel driver in your Windows ODBC control panel. Point it to an empty .xls file somewhere on your drive.
2) Create a datasource in ColdFusion (driver: “ODBC Socket”) and select your Windows ODBC DSN from the drop down.
3) Copy the XLS file you want to read on top of the empty file you setup in your ODBC DSN.
4) Use it like this in your CFML:

<cfquery name="myQuery" datasource="XLSPassThroughDSN">
SELECT * 
FROM [Sheet1$]
</cfquery>

This usually works well but for some reason we were having problems. Digging through the Excel file turned up nothing out of the ordinary, except some rows (and not the ones causing problems) looked like they were double byte encoded (unicode).

Turns out this XLS driver determines the data type of each column in the spread sheet by looking through the first couple of rows and guessing a data type based on that data. In our case column B only contained values with less than 100 characters in the first few dozen rows. So the driver assumed it was a varchar type of some length. But much further down in the spread sheet, in a different row, that same column contained a value that was several hundred characters, thus overflowing the data type.

Normally this only results in truncated data. If that would have been the issue I probably would have found the fix much sooner. But instead we were ending up with garbled data, which was truncated as well but it was impossible to tell.

The fix is to adjust your registry to tell the driver to scan through more, preferably all, of the rows before guessing at a data type. In your odbc control panel you’ll notice a setting for this:

But, that doesn’t work! You need to change the registry value manually. I set mine to 1000, since that will cover the length of any of the spreadsheets we upload.

The registry keys are located at:

For Excel 97:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\3.5\Engines\Excel
For Excel 2000 and later versions:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\Engines\Excel

Here is the MS knowledge base article for more detail: http://support.microsoft.com/kb/189897/

Now the driver scans through all the rows before determining a data type, and probably uses something like a “text” type for column B. I think our data may have been getting garbled, instead of just truncated, because of the double byte data.

A while back I had to implement a captcha on a client’s site. The site owner wanted a simple small captcha (that ruled out reCAPTCHA). We decided to try the new captcha features of ColdFusion8. What you may not realize is that the new captcha feature does not provide the whole captcha system, instead it merely can create captcha images. Its up to you how you implement your captcha system.

Before I get too far just let me state for the record that I dislike captchas and will be happy when they are looked upon like we look at the <blink> tag now. So you don’t need to leave comments telling me how I shouldn’t be using a captcha in the first place. 🙂 The client specifically wanted this feature at this point in time.

I’ve seen some approaches that place the clear text value of the captcha in a hidden field. Then when the form is submitted they compare that value against what the user had typed in. I don’t feel this way is very secure. It will stop simple bots, but you need to guard against more than just that. Sometimes spammers code their bots to work against a specific site. If they find your hidden clear text captcha value, they will easily grab it and use it to submit your form. If this is a simple contact form then you might not have much to worry about, but if its a “send to a friend” feature – watch out, those are high value targets.

Encrypting the hidden value doesn’t help much either. That adds one more step to what the spammer needs to do. They will have to manually read one of your captcha images – then they have the clear text and encrypted values to your captcha system. Now they can just submit that encrypted/plain text pair over and over again to your form.
Continue reading ‘A secure, ajaxy captcha with cfimage’ »

I came across a web hosting company that not only offers Railo 3.1 but has a free 60 day trial. So if you wanted to give Railo a whirl on something other than your own local machine, here is a simple way to do it. The free trial account comes with 100mb of space and 1GB of transfer, and a MySQL database so it seems pretty usable. You’ll have PHP and Ruby on Rails enabled in your account, too.

If you didn’t know, Railo has a separate Server administrator and one or more Web Administrators. This means Railo is ideally suited for CFML hosting since you get your very own administrator where you can setup datasources, mappings, etc.

The site is http://alurium.com

The Founder is Peter Amiri, here is his blog http://blog.amiri.net and on twitter: @peteramiri

Peter told me that you don’t need a credit card for the free trial, either.

If you’ve ran into this error when consuming a web service in Open BlueDragon, this may help you. Here is what my error looked like:
Continue reading ‘java.lang.NoClassDefFoundError error on OpenBD when consuming a webservice’ »

When trying to create a Verity collection on a freshly setup ColdFusion8 installation today I received this error:

Unable to create collection MyCollection.
An error occurred while creating the collection: com.verity.api.administration.ConfigurationException: Failed to retrieve style path. (-6044)

Turns out the Verity installation did not complete correctly. I could tell by looking in the {cf-root}/verity/verity-install.log file. This problem is fixed by simply uninstalling and reinstalling verity.

In the {cf-root}/verity directory you’ll find a script named uninstall-verity.sh (on linux) or uninstall-verity.bat (on windows). Just run that and then run the install-verity.* file and you should be back in business.

I was installing ColdFusion 7.02 on a client’s CentOS 5.2 Linux server the other day and received an error when running the installer. Note that this OS is NOT supported by Adobe for this version of ColdFusion. This is a fairly old version of CF being installed on a pretty current version of CentOS. The error was:

[root@server tmp]# ./coldfusion-702-linux.bin
Preparing to install...
Extracting the JRE from the installer archive...
Unpacking the JRE...
Extracting the installation resources from the installer archive...
Configuring the installer for this system's environment...
awk: error while loading shared libraries: libdl.so.2: cannot open shared object file: No such file or directory
dirname: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
/bin/ls: error while loading shared libraries: librt.so.1: cannot open shared object file: No such file or directory
basename: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
dirname: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
basename: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
Launching installer
grep: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
/tmp/install.dir.3348/Linux/resource/jre/bin/java: error while loading shared libraries: libpthread.so.0: cannot open shared object file: No such file or directory

There is a hard coded value in the installer thats causing things to get messed up. Fixing this is fairly easy, you can modify the installer like this:

cp coldfusion-702-linux.bin coldfusion-702-linux.bin.backup
cat coldfusion-702-linux.bin.backup | sed "s/export LD_ASSUME/#xport LD_ASSUME/" > coldfusion-702-linux.bin

That comments out the offending line in all places in the installation script.

More discussion on this here:
http://www.billmitchell.org/coldfusion/centos5/mx7_apache.php
http://www.talkingtree.com/blog/index.cfm/2006/12/6/Running-ColdFusion-MX-7-on-Fedora-Core-6-Linux

You will probably run into more issues installing CF7 on this version of CentOS but it can be done. I also had to upgrade the connector to work with Apache 2.2 (when CF7 came out the connector was designed to run on Apache 2.0). The Adobe KB article that discusses this is here: http://kb.adobe.com/selfservice/viewContent.do?externalId=8001e97&sliceId=1. Their example didn’t quite work for me because its defaulting to the version of Java thats on your OS, which won’t work unless its a Sun 1.4.2x version. So I just used the JRE that is bundled with ColdFusion to install the new connector:

/opt/coldfusionmx7/runtime/jre/bin/java -Dtrace.ci=1 -jar ../../runtime/lib/wsconfig.jar \
        -server coldfusion \
    -ws apache \
        -dir /etc/httpd/conf \
        -bin /usr/sbin/httpd \
        -script /etc/rc.d/init.d/httpd \
        -coldfusion -v

I thought that was the last hurdle but when we tried to log in to the ColdFusion administrator we got an error about “The Graphing service is not available”. The message in the log file was “Unable to initialize Graphing service: java.lang.UnsatisfiedLinkError: /opt/coldfusionmx7/runtime/jre/lib/i386/libawt.so: libXp.so.6: cannot open shared object file: No such file or directory”. This was fixed by installing the libXp library:

yum install libXp

Railo 3.1, the much anticipated open source release of the Railo CFML engine was released yesterday. I’ve been playing with it the last two evenings. So far I’m very impressed. They have an “Express” version which you can get running almost instantly. I tried that, but then opted to get it working as I would for a real site – using Tomcat and Apache. It was much easier than I thought.

The administrator is very full featured with everything you would expect – scheduled tasks, ability to create database connections to MySQL and MSSQL (among several others), and search! Railo has Apache Lucene built right in. Creating a new Lucene index is as easy as creating Verity collection in Adobe ColdFusion. The cfsearch/cfindex tags work like you would expect them to, with a few exceptions. You can even populate and search the collection right from within the administrator.

I was happy to see that you can define multiple SMTP servers. Railo will try each of them in order if any of them are unavailable.

I also really like the way Railo has done the administrator – with one global administrator (called the server administrator) and then administrators for each site (called a web administrator). I think this is going to make it much easier for hosting companies to offer CFML support.