<?xml version="1.0" encoding="utf-8"?>
			
			<rss version="2.0">
			<channel>
			<title>The blog of Russ (snake) Michaels - ColdFusion</title>
			<link>http://russ.michaels.me.uk/index.cfm</link>
			<description>This is the blog of Russ Michaels. Here you will find lots of stuff about ColdFusion, tech support and hosting, but the occasional random ramblings about motorcycles, tattoos, the state of the world, rogue traders, product reviews and other stuff that makes me rant.</description>
			<language>en-gb</language>
			<pubDate>Wed, 08 Sep 2010 02:53:02 --0100</pubDate>
			<lastBuildDate>Tue, 24 Aug 2010 00:53:00 --0100</lastBuildDate>
			<generator>BlogCFC</generator>
			<docs>http://blogs.law.harvard.edu/tech/rss</docs>
			<managingEditor>russ@michaels.me.uk</managingEditor>
			<webMaster>russ@michaels.me.uk</webMaster>
			
			<item>
				<title>ColdFusion Directory Traversal vulnerability</title>
				<link>http://russ.michaels.me.uk/index.cfm/2010/8/24/ColdFusion-Directory-Traversal-vulnerability</link>
				<description>
				
				&lt;p&gt;There has been a lot of noise over the past week about the &lt;a href=&quot;http://osvdb.org/show/osvdb/67047&quot;&gt;ColdFusion Directory Traversal Vulnerability&lt;/a&gt;.&amp;nbsp; &lt;br /&gt;If you haven&amp;#39;t heard, the basic issue is that ColdFusion allows just about any file on the server (usually Windows servers) to be included by using either a URL parameter or a form parameter.&amp;nbsp; Without special encoding the vulnerability will let you grab any file ending in .xml, but by adding a %00 to the parameter, just about any file gets included in the normal display of the ColdFusion Administrator login page.&amp;nbsp; This means that no authentication is required to pull this off.&amp;nbsp; The flaw is in the internationalization tags used by the Administrator pages, which include XML files to render the text for different languages in the CFAdmin section.&amp;nbsp; In turn, the XML files aren&amp;#39;t really XML files, but are instead files containing large switch/case statements which, according to the arguments, spit out the value for the piece of text the XML file is called with.&amp;nbsp; The code calling the file uses user input to decide which file to grab, but doesn&amp;#39;t properly sanitize the request, allowing the inclusion of other files from the same disk the CFAdmin section is living on.&amp;nbsp; As &lt;a href=&quot;http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/&quot;&gt;Adrian Pastor points out&lt;/a&gt;, CF runs under the SYSTEM account by default, which means access to any file on the drive, including the CF configuration files, which may include things like database connection settings (with saved passwords which can be &lt;a href=&quot;http://hexale.blogspot.com/2008/07/how-to-decrypt-coldfusion-datasource.html&quot;&gt;decrypted easily&lt;/a&gt;).&amp;nbsp; Adrian also points out that once an attacker gains access to the CF Admin,
it&amp;#39;s game over.&lt;/p&gt;  &lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;p&gt;The patches provided by Adobe for the problem are quite simple, and in most cases shouldn&amp;#39;t even require a restart of the ColdFusion services.&amp;nbsp; The impact of the vulnerability is huge.&amp;nbsp; As &lt;a href=&quot;http://twitter.com/Wh1t3Rabbit&quot;&gt;Rafal Los&lt;/a&gt;, who rightfully calls this a &amp;quot;Disaster&amp;quot;, points out, there are &lt;a href=&quot;http://h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964&quot;&gt;a lot of ColdFusion servers&lt;/a&gt; with the Administrator pages available to the world.&lt;/p&gt;  &lt;p&gt;Even worse, the vulnerability can be exploited on versions 6-9 (CFMX6, CFMX7, CF8, CF9), but Adobe is only &lt;a href=&quot;http://kb2.adobe.com/cps/857/cpsid_85766.html&quot;&gt;releasing patches for versions 8 and 9&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;p&gt;As we have been working with and hosting ColdFusion since version 5, we understand how most CF developers work, and how poorly the servers are administered in most installations.&amp;nbsp; In his post, Rafal Los offers some Google dorks for finding CF servers, and states that &amp;quot;There is really &lt;b&gt;no legitimate reason&lt;/b&gt; to have a ColdFusion Admin interface on the public internet&amp;quot;. Really, I can&amp;#39;t think of one, yet there are many results!&amp;nbsp; So why are there so many results?&lt;/p&gt;  &lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;p&gt;It is a combination of factors, laziness I&amp;#39;m sure being close to the top of the list, but there are others.&amp;nbsp; The primary reason that comes to my mind is the location of the ColdFusion Administrator directory, inside of the &amp;#39;/CFIDE/&amp;#39; directory.&amp;nbsp; This directory has other directories inside of it which are used by CF for things like form 
validation, Ajax, rendering of graphs, etc., and as such some applications stop working if the CFIDE directory does not exist, so it must be mapped as a virtual directory in most CF websites.&amp;nbsp; &lt;br /&gt;Often it is the webmaster or developer who is setting up and managing the ColdFusion server, and who usually has very little knowledge of server security and limited knowledge of the ColdFusion Administrator and its associated security issues or the CFIDE requirements in an application. Even if a real server admin is involved, his knowledge of ColdFusion will be little to none.     &lt;/p&gt;  &lt;p&gt;Thankfully Adobe has finally released a &lt;a href=&quot;http://www.adobe.com/products/coldfusion/whitepapers/pdf/91025512_cf9_lockdownguide_wp_ue.pdf&quot;&gt;Lockdown Guide&lt;/a&gt; written by &lt;a href=&quot;http://www.petefreitag.com/&quot;&gt;Pete Freitag&lt;/a&gt; which is well done, and I hope is somewhat due to all the advice and feedback I have given Adobe over the years in this dept.&amp;nbsp; I just hope people read and follow it.&lt;/p&gt;  &lt;p&gt;Another problem is those older versions for which no patch is forthcoming.&amp;nbsp; CF developers are very wary of changing the version of CF their application currently works on.&amp;nbsp; Much of this comes from a botched move by Macromedia a long time ago, when their first version of ColdFusion MX 6 (6.0.0) became notorious for breaking apps and eating resources.&amp;nbsp; This means that there are now a lot of old applications which are on old versions of CF.&lt;/p&gt;  &lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;p class=&quot;code&quot;&gt;If you run a CF server then you should install the patches and lock down access to your ColdFusion Administrator.   &lt;br /&gt;If you have a CFIDE vDir mapped to your sites, DO NOT use the original folder. Take a copy of the CFIDE, put it somewhere else and delete the ADMINISTRATOR and ADMINAPI folders, then use this copy for your virtual directories. 
I have various old CF security and lockdown articles on this blog which you may want to take a look at.&lt;/p&gt; 
				</description>
				
				<category>ColdFusion</category>				
				
				<pubDate>Tue, 24 Aug 2010 00:53:00 --0100</pubDate>
				<guid>http://russ.michaels.me.uk/index.cfm/2010/8/24/ColdFusion-Directory-Traversal-vulnerability</guid>
				
			</item>
			
			<item>
				<title>FREE Railo hosting is now available at CFMLDeveloper.com</title>
				<link>http://russ.michaels.me.uk/index.cfm/2010/6/29/FREE-Railo-hosting-is-now-available-at-CFMLDevelopercom</link>
				<description>
				
				&lt;p&gt;As of today, &lt;a href=&quot;http://www.getrailo.org/&quot;&gt;Railo &lt;/a&gt;3.1 is now available at &lt;a href=&quot;http://www.cfmldeveloper.com/&quot;&gt;CFMLdeveloper.com&lt;/a&gt;. &lt;/p&gt;  &lt;p&gt;If you already have an account then simply login to &lt;a href=&quot;http://helm.cfmldeveloper.com/&quot;&gt;HELM &lt;/a&gt;and go to Packages -&amp;gt; add new and choose one of the new Railo Plans. Please note that the SETUP fee still applies for all new packages, but is still a one-time fee for fraud validation purposes and your hosting is then FREE forever. For more info please refer to the &lt;a href=&quot;http://www.cfmldeveloper.com/page.cfm/hosting/resources&quot;&gt;HELP pages&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;If you do not yet have an account then simply SIGNUP from the &lt;a href=&quot;http://www.cfmldeveloper.com/page.cfm/hosting&quot;&gt;hosting page&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;Please don&apos;t forget to check the Hosting support pages if you get stuck, most common questions can be found there.&lt;/p&gt; 
				</description>
				
				<category>News &amp; Gossip</category>				
				
				<category>ColdFusion</category>				
				
				<pubDate>Tue, 29 Jun 2010 16:41:00 --0100</pubDate>
				<guid>http://russ.michaels.me.uk/index.cfm/2010/6/29/FREE-Railo-hosting-is-now-available-at-CFMLDevelopercom</guid>
				
			</item>
			
			<item>
				<title>cfmldeveloper upgraded to CF9</title>
				<link>http://russ.michaels.me.uk/index.cfm/2010/5/30/cfmldeveoper-upgraded-to-CF9</link>
				<description>
				
				&lt;div class=&quot;entry&quot;&gt; 					&lt;p&gt;Last night I just completed upgrading &lt;a href=&quot;http://www.cfmldeveloper.com/&quot;&gt;cfmldeveloper.com&lt;/a&gt;  to ColdFusion 9. For those that do not know, &lt;a href=&quot;http://www.cfmldeveloper.com/&quot;&gt;cfmldeveloper.com&lt;/a&gt; is the FREE ColdFusion hosting service that I run for developers, recently rebranded from cfdeveloper.co.uk.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;h3&gt;&lt;b&gt;What&amp;#39;s new in ColdFusion 9&lt;/b&gt;&lt;/h3&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt; ColdFusion 9&amp;#39;s list of new features is quite long, so I&amp;#39;ll just mention a few items that I find most interesting. &lt;a href=&quot;http://www.adobe.com/products/coldfusion/features/index.html&quot;&gt;For a complete list of new features, go to Adobe&amp;#39;s site.&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt;One huge addition in ColdFusion 9 is the incorporation of the Java Hibernate object-relational mapping (ORM) library. ColdFusion abstracts much of the complexity of Hibernate away and offers a simple API to allow the loading and saving of CFCs to a relational database. This makes object-oriented development even easier, as you can build an object model without thinking about the database at all, and let Hibernate translate that model into a schema automatically. By providing nested transactions and hooks into the Hibernate event model, you can build robust domain models very quickly.&lt;/p&gt; &lt;p&gt;The next feature is sure to be a favourite of anyone who has spent many hours building &amp;quot;export to Excel&amp;quot; logic in applications. Sometimes it is the simple approach of creating an HTML table and letting Excel convert it; other times, it is the much more tedious option of using Apache POI to build up worksheets and formulas. ColdFusion 9 includes the new cfspreadsheet tag, which finally puts an end to this chore. 
Along with  the tag is a large set of functions to allow virtually any manipulation  of a spreadsheet. These functions can be saved in Excel or OpenOffice  format as well.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt;There are a lot of new goodies I could talk about, but here is  a quick list:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt; &lt;b&gt;|&amp;gt; &lt;/b&gt; Server API for SOAP and AMF (allowing remote use  of core  features such as charting, PDF creation, and email from Flex or other  external systems)&lt;br /&gt; &lt;b&gt;|&amp;gt; &lt;/b&gt; Huge set of Microsoft SharePoint integration  functions to  leverage an existing SharePoint deployment&lt;br /&gt; &lt;b&gt;|&amp;gt; &lt;/b&gt; Seamless support for the Java portlet  specifications,  making integration with things like &lt;a href=&quot;http://www.liferay.com/&quot;&gt;Liferay&lt;/a&gt;  a breeze&lt;br /&gt; &lt;b&gt;|&amp;gt; &lt;/b&gt; Addition of &lt;a href=&quot;http://lucene.apache.org/solr/&quot;&gt;Apache  Solr&lt;/a&gt; to supply search services (a worthy replacement over Verity)&lt;br /&gt; &lt;b&gt;|&amp;gt; &lt;/b&gt; Addition of &lt;a href=&quot;http://ehcache.org/&quot;&gt;Ehcache&lt;/a&gt;  to  supply page and page-fragment caching, along with cache statistics and  other cache manipulation functions&lt;br /&gt; &lt;b&gt;|&amp;gt; &lt;/b&gt; &lt;a href=&quot;http://www.adobe.com/products/coldfusion/pdfs/cf9_performancebrief_ue.pdf&quot;&gt;Big   performance improvements over ColdFusion 8 and ColdFusion 7.&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;h3&gt;&lt;b&gt;ColdFusion Builder&lt;/b&gt;&lt;/h3&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt; The next item isn&amp;#39;t actually a feature of ColdFusion 9, but it&amp;#39;s worth  pointing out. Adobe has built a dedicated IDE for ColdFusion  development called &lt;a href=&quot;http://www.adobe.com/products/coldfusion/cfbuilder/features/&quot;&gt;ColdFusion   Builder&lt;/a&gt;. 
Back when ColdFusion was run by Allaire, there was a tool called CF Studio or Homesite. When Macromedia acquired Allaire, it dropped Studio development in favour of its Dreamweaver tool. Since then, many people have used Dreamweaver or migrated to the CFEclipse plug-in for the Eclipse IDE. Thankfully, Adobe has now released ColdFusion Builder, which is built on the Eclipse platform and offers tight integration with their Flash Builder tool for building Flash and Flex applications.&lt;/p&gt; &lt;p&gt;ColdFusion Builder offers a useful and predictable set of tools, which include code completion, server management, debugging, templates, snippets, etc. And since it is built on Eclipse, the world of Eclipse plug-ins is open; it includes things such as Git or Subversion integration, Mylyn, ANT, Maven, etc. ColdFusion developers have been vocal about wanting a real IDE from Adobe, so it is nice to see that Adobe is listening.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;h3&gt;ColdFusion 9 Tutorials and Resources&lt;/h3&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;ul&gt;&lt;li&gt;&lt;b&gt;&lt;a href=&quot;http://www.akbarsait.com/cf9tutorials.cfm#CFLanguageEnhancement&quot; target=&quot;_self&quot;&gt;CFML Language Enhancements Tutorials&lt;/a&gt;&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&lt;a href=&quot;http://www.akbarsait.com/cf9tutorials.cfm#CFScriptEnhancement&quot; target=&quot;_self&quot;&gt;CFScript Enhancement Tutorials&lt;/a&gt;&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&lt;a href=&quot;http://www.akbarsait.com/cf9tutorials.cfm#CFSAAS&quot; target=&quot;_self&quot;&gt;ColdFusion As a Service Tutorials&lt;/a&gt;&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&lt;a href=&quot;http://www.akbarsait.com/cf9tutorials.cfm#ORM&quot; target=&quot;_self&quot;&gt;Hibernate-based ORM Tutorials&lt;/a&gt;&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&lt;a href=&quot;http://www.akbarsait.com/cf9tutorials.cfm#CFANDMS&quot; target=&quot;_self&quot;&gt;Microsoft SharePoint &amp;amp; Office 
Interoperability Tutorials&lt;/a&gt;&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&lt;a href=&quot;http://www.akbarsait.com/cf9tutorials.cfm#JEEPortlets&quot; target=&quot;_self&quot;&gt;Native JEE Portlets Tutorials&lt;/a&gt;&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&lt;a href=&quot;http://www.akbarsait.com/cf9tutorials.cfm#UIControls&quot; target=&quot;_self&quot;&gt;UI Controls Tutorials&lt;/a&gt;&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&lt;a href=&quot;http://www.akbarsait.com/cf9tutorials.cfm#Caching&quot; target=&quot;_self&quot;&gt;Advance  Caching Tutorials&lt;/a&gt;&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&lt;a href=&quot;http://www.akbarsait.com/cf9tutorials.cfm#SolrLucene&quot; target=&quot;_self&quot;&gt;Apache Solr / Lucene Integration Tutorials&lt;/a&gt;&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&lt;a href=&quot;http://www.akbarsait.com/cf9tutorials.cfm#ServerManager&quot; target=&quot;_self&quot;&gt;Server Management Tool Tutorials&lt;/a&gt;&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&lt;a href=&quot;http://www.akbarsait.com/cf9tutorials.cfm#FlexAndAIR&quot; target=&quot;_self&quot;&gt;Flex/AIR Integration Tutorials&lt;/a&gt;&lt;/b&gt;&lt;/li&gt;&lt;/ul&gt;  				  &lt;/div&gt; 
				</description>
				
				<category>ColdFusion</category>				
				
				<pubDate>Sun, 30 May 2010 13:31:00 --0100</pubDate>
				<guid>http://russ.michaels.me.uk/index.cfm/2010/5/30/cfmldeveoper-upgraded-to-CF9</guid>
				
			</item>
			
			<item>
				<title>MangoBlog: Adding a custom page title</title>
				<link>http://russ.michaels.me.uk/index.cfm/2010/5/20/MangoBlog-Adding-a-custom-page-title</link>
				<description>
				
				&lt;p&gt;I have recently decided to try out &lt;a href=&quot;http://www.mangoblog.org/&quot; target=&quot;_blank&quot;&gt;MangoBlog&lt;/a&gt; for the new &lt;a href=&quot;http://www.cfmldeveloper.com/&quot; target=&quot;_blank&quot;&gt;cfmldeveloper.com&lt;/a&gt; site and I have to say I really like it much better than BlogCFC (sorry Ray). &lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;p&gt;Because MangoBlog allows you to add custom pages you can pretty much use it to create your entire web site with a basic CMS as long as you don&amp;#39;t need to do anything complex on your pages, at which point you may find the tinyMCE editor too restrictive.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;p&gt;When you add a custom page to MangoBlog the &amp;quot;title&amp;quot; is used not only on the page but also on the navigation menu, which I didn&amp;#39;t find too useful as I did not want the menu text and page title to be the same. So I was instantly thrown in at the deep end with a requirement to customise MangoBlog, which thankfully turned out to be very easy as it is very well written and easy to understand.    
&lt;/p&gt;&lt;p&gt;&lt;br /&gt;MangoBlog is written in classic CFML style using imported tag libraries and &amp;lt;mango: mytag attributes&amp;gt; syntax as opposed to using the OO style frameworks that are popular these days.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;p&gt;Adding a custom page title is a snip.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;p&gt;When adding a new page, simply add a new custom field like this:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;blockquote&gt;   &lt;p class=&quot;codePrint &quot;&gt;label:&amp;nbsp;&amp;nbsp;&amp;nbsp; page title      &lt;br /&gt;key:&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; pagetitle       &lt;br /&gt;Value:&amp;nbsp;&amp;nbsp; My Page Title&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;Now edit the page.cfm file in your skin folder and edit the code that displays the &lt;span class=&quot;kwrd&quot;&gt;&amp;lt;&lt;/span&gt;&lt;span class=&quot;html&quot;&gt;mango:Blog&lt;/span&gt; &lt;span class=&quot;attr&quot;&gt;title&lt;/span&gt; &lt;span class=&quot;kwrd&quot;&gt;/&amp;gt;&lt;/span&gt;. It will look something like this, depending on your skin.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;pre class=&quot;code csharpcode &quot;&gt;&amp;lt;h1 id=&amp;quot;banner-header&amp;quot;&amp;gt;&amp;lt;a href=&amp;quot;&amp;lt;mango:Blog url /&amp;gt;&amp;quot; accesskey=&amp;quot;1&amp;quot;&amp;gt;&amp;lt;mango:Blog title /&amp;gt;&amp;lt;/a&amp;gt;&amp;lt;/h1&amp;gt;&lt;/pre&gt;  &lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;p&gt;and change it to this&lt;/p&gt;  &lt;pre class=&quot;code csharpcode &quot;&gt;   &amp;lt;mango:PageProperty ifHasCustomField=&amp;quot;pageTitle&amp;quot; customField=&amp;quot;pageTitle&amp;quot; /&amp;gt;&lt;br /&gt;     &amp;lt;mango:PageProperty ifNOTHasCustomField=&amp;quot;pageTitle&amp;quot;&amp;gt;&amp;lt;mango:PageProperty title /&amp;gt;&lt;br /&gt;   &amp;lt;/mango:PageProperty&amp;gt;&lt;/pre&gt;  &lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;This checks for the existence of the &amp;quot;pageTitle&amp;quot; custom field on each page; if it exists then it will display that value, otherwise it will display the title.&lt;/p&gt;  &lt;p&gt;You can use the same method to insert any custom field values on any page.&lt;/p&gt; 
				</description>
				
				<category>ColdFusion</category>				
				
				<pubDate>Thu, 20 May 2010 16:33:00 --0100</pubDate>
				<guid>http://russ.michaels.me.uk/index.cfm/2010/5/20/MangoBlog-Adding-a-custom-page-title</guid>
				
			</item>
			
			<item>
				<title>Fix the DNS caching in ColdFusion</title>
				<link>http://russ.michaels.me.uk/index.cfm/2010/4/16/Fix-the-DNS-caching-in-ColdFusion</link>
				<description>
				
				&lt;p&gt;It has been a well known fact for many years (to some of us at least) that ColdFusion (or rather the JRE) caches DNS look-ups forever until the service is next restarted.&lt;/p&gt;  &lt;p&gt;The caveat of this is that if any domain name you are connecting to from CFML has had a DNS change such as a change of IP address then code will suddenly stop working until you next restart CF.&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;Areas this will affect include:-&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;SMTP servers in the CFADMIN &lt;/li&gt;    &lt;li&gt;Database Servers in your Datasources &lt;/li&gt;    &lt;li&gt;CFHTTP calls &lt;/li&gt;    &lt;li&gt;Web Services &lt;/li&gt;    &lt;li&gt;CFFTP, CFPOP, CFEXCHANGEMAIL, CFIMAP, CFMAIL &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;Plus any other tag, CFX tag, java class that allows you to connect to a remote server.&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;This has never really caused us any major issues, occasionally we have had a customer complain that CFHTTP calls have mysteriously stopped working, or that they could no longer connect to their payment gateway after the provider made some updates, but it has been so rare that restarting CF was an acceptable solution.&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;Recently we got a notice from our payment gateway provider (SagePay formerly ProtX) telling us that their IP addresses would change. 
Knowing this would affect CF and that we have several customers who also used SagePay I knew we would have to restart CF on every server to make sure their ecommerce stores did not break.&lt;/p&gt;  &lt;p&gt;This prompted me to look into this problem, find out why the JRE cached DNS look-ups and see if I could change it.&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;After some investigation I learned that the class used to look up host names for HTTP operation is the &lt;a href=&quot;http://java.sun.com/javase/6/docs/api/java/net/InetAddress.html&quot; target=&quot;_blank&quot;&gt;Java InetAddress class&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;If you read the above page you can see that the result of positive host name resolutions is cached forever. It also advises how to override the default behaviour with the following property.&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;pre style=&quot;border-bottom: #ff8000 1px solid; border-left: #ff8000 1px solid; padding-bottom: 5px; background-color: #ffff80; min-height: 40px; padding-left: 5px; padding-right: 5px; overflow: auto; border-top: #ff8000 1px solid; border-right: #ff8000 1px solid; padding-top: 5px&quot;&gt;&lt;pre style=&quot;background-color: #ffff80; margin: 0em; width: 100%; font-family: consolas,&amp;#39;Courier New&amp;#39;,courier,monospace; font-size: 12px&quot;&gt;&lt;strong&gt;networkaddress.cache.ttl&lt;/strong&gt;
&lt;/pre&gt;&lt;pre style=&quot;background-color: #ffff80; margin: 0em; width: 100%; font-family: consolas,&amp;#39;Courier New&amp;#39;,courier,monospace; font-size: 12px&quot;&gt;Indicates the caching policy for successful name lookups from the name service. The value is specified as an integer to indicate the number of seconds to cache the successful lookup. The default setting is to cache for an implementation specific period of time. &lt;/pre&gt;&lt;/pre&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;

&lt;p&gt;In a standard ColdFusion installation you would find this in the following file:-&lt;/p&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;

&lt;p&gt;C:\ColdFusion8\runtime\jre\lib\security\java.security&lt;/p&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;

&lt;p&gt;If you are using a custom JRE in a J2EE type installation then the path may be something like:-&lt;/p&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;C:\Program Files\Java\jdk1.6.0_12\jre\lib\security\java.security&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;

&lt;p&gt;In a CF multi-server installation:-&lt;/p&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;C:\JRun4\jre\lib\security\java.security&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;

&lt;p&gt;Find the following line&lt;/p&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;

&lt;div style=&quot;border-bottom: silver 1px solid; text-align: left; border-left: silver 1px solid; padding-bottom: 4px; line-height: 12pt; background-color: #f4f4f4; margin: 20px 0px 10px; padding-left: 4px; width: 97.5%; padding-right: 4px; font-family: &amp;#39;Courier New&amp;#39;, courier, monospace; direction: ltr; max-height: 200px; font-size: 8pt; overflow: auto; border-top: silver 1px solid; cursor: text; border-right: silver 1px solid; padding-top: 4px&quot; id=&quot;codeSnippetWrapper&quot;&gt;
  &lt;div style=&quot;border-bottom-style: none; text-align: left; padding-bottom: 0px; line-height: 12pt; border-right-style: none; background-color: #f4f4f4; padding-left: 0px; width: 100%; padding-right: 0px; font-family: &amp;#39;Courier New&amp;#39;, courier, monospace; direction: ltr; border-top-style: none; color: black; font-size: 8pt; border-left-style: none; overflow: visible; padding-top: 0px&quot; id=&quot;codeSnippet&quot;&gt;
    &lt;pre style=&quot;border-bottom-style: none; text-align: left; padding-bottom: 0px; line-height: 12pt; border-right-style: none; background-color: white; margin: 0em; padding-left: 0px; width: 100%; padding-right: 0px; font-family: &amp;#39;Courier New&amp;#39;, courier, monospace; direction: ltr; border-top-style: none; color: black; font-size: 8pt; border-left-style: none; overflow: visible; padding-top: 0px&quot;&gt;&lt;span style=&quot;color: #008000&quot;&gt;#networkaddress.cache.ttl=-1 &lt;/span&gt;&lt;/pre&gt;
&lt;!--CRLF--&gt;&lt;/div&gt;
&lt;/div&gt;

&lt;p&gt;and change it to&lt;/p&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;

&lt;div style=&quot;border-bottom: silver 1px solid; text-align: left; border-left: silver 1px solid; padding-bottom: 4px; line-height: 12pt; background-color: #f4f4f4; margin: 20px 0px 10px; padding-left: 4px; width: 97.5%; padding-right: 4px; font-family: &amp;#39;Courier New&amp;#39;, courier, monospace; direction: ltr; max-height: 200px; font-size: 8pt; overflow: auto; border-top: silver 1px solid; cursor: text; border-right: silver 1px solid; padding-top: 4px&quot; id=&quot;codeSnippetWrapper&quot;&gt;
  &lt;div style=&quot;border-bottom-style: none; text-align: left; padding-bottom: 0px; line-height: 12pt; border-right-style: none; background-color: #f4f4f4; padding-left: 0px; width: 100%; padding-right: 0px; font-family: &amp;#39;Courier New&amp;#39;, courier, monospace; direction: ltr; border-top-style: none; color: black; font-size: 8pt; border-left-style: none; overflow: visible; padding-top: 0px&quot; id=&quot;codeSnippet&quot;&gt;
    &lt;pre style=&quot;border-bottom-style: none; text-align: left; padding-bottom: 0px; line-height: 12pt; border-right-style: none; background-color: white; margin: 0em; padding-left: 0px; width: 100%; padding-right: 0px; font-family: &amp;#39;Courier New&amp;#39;, courier, monospace; direction: ltr; border-top-style: none; color: black; font-size: 8pt; border-left-style: none; overflow: visible; padding-top: 0px&quot;&gt;networkaddress&lt;span style=&quot;color: #ff0000&quot;&gt;.&lt;/span&gt;cache&lt;span style=&quot;color: #ff0000&quot;&gt;.&lt;/span&gt;ttl=14400&lt;/pre&gt;
&lt;!--CRLF--&gt;&lt;/div&gt;
&lt;/div&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;

&lt;p&gt;This sets the TTL to 14400 seconds (4 hours).&lt;/p&gt;

&lt;p&gt;&lt;/p&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;

&lt;p&gt;Now you will note that there are various warnings about DNS cache poisoning and the security manager which may scare you. So also note that InetAddress by default resolves against localhost, so if there was a cache poisoning problem then the problem is with your local machine or DNS server, and thus any application that resolves DNS look-ups against localhost will be affected, which includes ASP, PHP, local services etc. So ColdFusion/Java is really not where your area of concern should be when it comes to DNS, but rather that your local machine is secure and that your DNS server is protected against cache poisoning. Plus the problem would still exist when you restart CF anyway, and this is probably a fairly common occurrence for most people, so I personally would not worry about it and I think this is a pretty daft and pointless reason for this default setting. Some may disagree, but hey that&apos;s their prerogative.&lt;/p&gt; 
				</description>
				
				<category>ColdFusion</category>				
				
				<pubDate>Fri, 16 Apr 2010 15:22:00 --0100</pubDate>
				<guid>http://russ.michaels.me.uk/index.cfm/2010/4/16/Fix-the-DNS-caching-in-ColdFusion</guid>
				
			</item>
			
			<item>
				<title>Microsoft Access DSN&apos;s no longer working after upgrading to ColdFusion 9</title>
				<link>http://russ.michaels.me.uk/index.cfm/2010/3/5/Microsoft-Access-DSNs-no-longer-working-after-upgrading-to-ColdFusion-9</link>
				<description>
				
				&lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;I upgraded a CF8 server to CF9 the other day and thought everything had gone fine, but today I received an email from a user saying his Microsoft Access DSN was no longer working.&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;The error was:&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;pre style=&quot;border-bottom: #ff0000 1px solid; border-left: #ff0000 1px solid; padding-bottom: 5px; background-color: #ffff80; min-height: 40px; padding-left: 5px; padding-right: 5px; overflow: auto; border-top: #ff0000 1px solid; border-right: #ff0000 1px solid; padding-top: 5px&quot;&gt;&lt;blockquote&gt;&lt;pre style=&quot;background-color: #ffff80; margin: 0em; width: 100%; font-family: consolas,&amp;#39;Courier New&amp;#39;,courier,monospace; font-size: 12px&quot;&gt;[Macromedia][SequeLink JDBC Driver]TCP/IP error, connection refused&lt;/pre&gt;&lt;/blockquote&gt;&lt;/pre&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;

&lt;p&gt;First course of action was to google the error as usual, which turned up nothing useful, so then started my own investigations using a bit of common sense.&lt;/p&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;

&lt;p&gt;I checked the SequeLink ODBC services and they were running, so I tried to restart and they would not.&lt;/p&gt;

&lt;p&gt;It was at this point that I noticed all the CF8 services were still running, which was odd, because while CF9 leaves CF8 intact it should disable and stop all the services. This has been the case since CF7 in fact that the previous version is left intact.&lt;/p&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;

&lt;p&gt;Thinking back on my install I remembered CF informing me that it had detected CF8 was installed and had changed a couple of ports for some reason, I thought nothing of it at the time as I presumed it would not cause a problem, but in hindsight I should have known better as whenever CF has ever used alternative ports for anything in the past it has always caused issues.&lt;/p&gt;

&lt;p&gt;I also did not stop all the CF8 services prior to installing CF9, as the installer always does this for you anyway, but I guess in this case it did not and thus detected a conflict. So a lesson learned there, always stop all services prior to an upgrade.&lt;/p&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;

&lt;p&gt;So anyway I was sure the problem was with the ODBC service, so the next step was to hunt for the tcp settings, this actually proved to be quite simple in the end.&lt;/p&gt;

&lt;p&gt;I first checked the Windows service to see where the exe file is located, which pointed me to
  &lt;br /&gt;D:\ColdFusion9\db\slserver54\bin\swagent.exe &amp;quot;ColdFusion 9 ODBC Agent&amp;quot;

  &lt;br /&gt;Ah now my memory was starting to clear, this is where the SequeLink drivers are.&lt;/p&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;Look for config files that may contain tcp port settings.
    &lt;br /&gt;This led me to the following file

    &lt;br /&gt;&lt;em&gt;D:\ColdFusion9\db\slserver54\cfg\swandm.ini&lt;/em&gt;&lt;/li&gt;

  &lt;li&gt;Now look for TCP port references, which led me to the following lines in this file
    &lt;br /&gt;&lt;em&gt;ServiceConnectInfo=tcp://LOCALHOST.19999
      &lt;br /&gt;ServiceConnectInfo=tcp://LOCALHOST.20000

      &lt;br /&gt;&lt;/em&gt;&lt;/li&gt;

  &lt;li&gt;I then compared this to the CF8 settings, which showed
    &lt;br /&gt;&lt;em&gt;ServiceConnectInfo=tcp://LOCALHOST.19997
      &lt;br /&gt;ServiceConnectInfo=tcp://LOCALHOST.19998

      &lt;br /&gt;&lt;/em&gt;&lt;/li&gt;

  &lt;li&gt;So clearly CF had indeed changed the ports due to a conflict. So I simply set the ports back to 19997 and 19998 in that order, stopped and disabled all the CF8 services, and started the CF9 ODBC services and voila everything was fixed.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;

&lt;p&gt;So what initially seemed like it was going to be a PITA problem actually only took me less than 1 hour to resolve, and most of that was spent googling for a solution and finding nothing. Once I actually started my own investigation it actually took less than 30 minutes to diagnose and resolve, sod&apos;s law.&lt;/p&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;

&lt;p&gt;If you are having some other type of SequeLink ODBC service errors that are not fixed by my solution then the following TechNote may also help you out. 
  &lt;br /&gt;&lt;a title=&quot;http://kb2.adobe.com/cps/188/tn_18800.html&quot; href=&quot;http://kb2.adobe.com/cps/188/tn_18800.html&quot;&gt;http://kb2.adobe.com/cps/188/tn_18800.html&lt;/a&gt;&lt;/p&gt; 
				</description>
				
				<category>ColdFusion</category>				
				
				<pubDate>Fri, 05 Mar 2010 18:23:00 --0100</pubDate>
				<guid>http://russ.michaels.me.uk/index.cfm/2010/3/5/Microsoft-Access-DSNs-no-longer-working-after-upgrading-to-ColdFusion-9</guid>
				
			</item>
			
			<item>
				<title>Cumulative Hot Fix 1 for Coldfusion 9</title>
				<link>http://russ.michaels.me.uk/index.cfm/2010/2/22/Cumulative-Hot-Fix-1-for-Coldfusion-9</link>
				<description>
				
				&lt;p&gt;Technote here : &lt;a title=&quot;http://kb2.adobe.com/cps/825/cpsid_82536.html&quot; href=&quot;http://kb2.adobe.com/cps/825/cpsid_82536.html&quot;&gt;http://kb2.adobe.com/cps/825/cpsid_82536.html&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;Bizarrely I cannot find any reference to this hotfix or tech note anywhere on the Adobe site, it is not on the below ColdFusion hotfixes or updates pages at the time of writing this, and is not in any of the ColdFusion RSS feeds. So not sure how people are supposed to find out about this. Very poor job Adobe, tut tut. &lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;&lt;a href=&quot;http://www.adobe.com/support/coldfusion/downloads_updates.html&quot;&gt;http://www.adobe.com/support/coldfusion/downloads_updates.html&lt;/a&gt;    &lt;br /&gt;&lt;a href=&quot;http://kb2.adobe.com/cps/402/kb402604.html&quot;&gt;http://kb2.adobe.com/cps/402/kb402604.html&lt;/a&gt;&lt;/p&gt; 
				</description>
				
				<category>ColdFusion</category>				
				
				<pubDate>Mon, 22 Feb 2010 16:56:00 --0100</pubDate>
				<guid>http://russ.michaels.me.uk/index.cfm/2010/2/22/Cumulative-Hot-Fix-1-for-Coldfusion-9</guid>
				
			</item>
			
			<item>
				<title>Security Alert! Sites hacked via upload scripts</title>
				<link>http://russ.michaels.me.uk/index.cfm/2009/9/18/Security-Alert-Sites-hacked-via-upload-scripts</link>
				<description>
				
				&lt;p&gt;SECURITY ALERT!&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;There has been an increase in the past few days of sites being hacked via file upload scripts, particularly a number of high profile ColdFusion based sites.&lt;/p&gt;  &lt;p&gt;The hacker gets in by uploading a CFM, ASP, PHP or other supported file type to the server and executing the file, thus escalating his access.&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;If you have any publicly accessible areas of your site where files can be uploaded then you should make sure you are not vulnerable, make sure that you are validating allowed uploaded file types and not allowing executable files to be uploaded. &lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;In particular you should pay attention to things like image uploads on forums or other applications which people seem to think are safe because it only allows images to be uploaded. Many scripts will actually accept the uploaded file to the final destination folder before validating it and then deleting it if it is not valid, thus giving a window of opportunity for the file to be executed.&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;What happens is that the hacker uses a load testing tool that constantly executes the URL on your site where he knows his file will be uploaded (e.g. mysite.com/files/xyz.cfm), this is done many times a second, so when he then uploads the file it will get executed in those few milliseconds before it is deleted.&lt;/p&gt;  &lt;p&gt;To avoid this scenario you should perform checks prior to accepting the upload, or upload the file to a temp location first that the hacker cannot access and then move it to the destination folder once it has been verified.&lt;/p&gt; 
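&lt;p&gt;The staging approach described above, as an added Python example that is not code from the original post: the upload is written under a random name in a directory outside the web root, validated there, and only then moved into the public folder under a server-chosen name. The allowed image types, the size limit, the directory layout and the function names are assumptions made for the illustration.&lt;/p&gt;

```python
import os
import secrets
import tempfile

# Assumption for this example: the site accepts only these image types.
# Each extension maps to the leading bytes a real file of that type has.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit


class RejectedUpload(Exception):
    """Validation failed; the file never reached the public folder."""


def validate(client_name, data):
    """Return the allowed extension for this upload or raise RejectedUpload."""
    base = os.path.basename(client_name.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        raise RejectedUpload("extension not allowed: %r" % ext)
    if len(data) > MAX_BYTES:
        raise RejectedUpload("file too large")
    if not data.startswith(ALLOWED[ext]):
        raise RejectedUpload("content does not match extension")
    return ext


def store_upload(client_name, data, staging_dir, public_dir):
    """Stage outside the web root, validate, then move into the public folder.

    staging_dir must not be reachable by URL and should sit on the same
    volume as public_dir so that os.replace is a single rename.
    """
    # Random name with a neutral extension: the client never chooses the path.
    staged = os.path.join(staging_dir, secrets.token_hex(16) + ".upload")
    with open(staged, "wb") as fh:
        fh.write(data)
    try:
        with open(staged, "rb") as fh:
            ext = validate(client_name, fh.read(MAX_BYTES + 1))
    except RejectedUpload:
        os.remove(staged)  # rejected files only ever existed in staging
        raise
    # The public name is server-generated and ends in an allowed extension,
    # so the URL cannot be guessed in advance and is never .cfm, .asp or .php.
    final = os.path.join(public_dir, secrets.token_hex(16) + ext)
    os.replace(staged, final)
    return final


def demo():
    """Run three constructed uploads; report results and folder contents."""
    root = tempfile.mkdtemp()
    staging = os.path.join(root, "staging")          # outside the web root
    public = os.path.join(root, "wwwroot", "files")  # served by the web server
    os.makedirs(staging)
    os.makedirs(public)
    samples = [  # constructed inputs
        ("xyz.cfm", b"not an image"),
        ("avatar.png", b"script text renamed to look like an image"),
        ("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
    ]
    results = []
    for name, body in samples:
        try:
            stored = store_upload(name, body, staging, public)
            results.append(("stored", os.path.splitext(stored)[1]))
        except RejectedUpload as err:
            results.append(("rejected", str(err)))
    return results, os.listdir(staging), os.listdir(public)


if __name__ == "__main__":
    print(demo())
```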
				</description>
				
				<category>News &amp; Gossip</category>				
				
				<category>ColdFusion</category>				
				
				<pubDate>Fri, 18 Sep 2009 11:33:45 --0100</pubDate>
				<guid>http://russ.michaels.me.uk/index.cfm/2009/9/18/Security-Alert-Sites-hacked-via-upload-scripts</guid>
				
			</item>
			
			<item>
				<title>ColdFusion 9 Tutorials and Resources</title>
				<link>http://russ.michaels.me.uk/index.cfm/2009/7/17/ColdFusion-9-Tutorials-and-Resources</link>
				<description>
				
				&lt;p&gt;I was about to start compiling a list of useful links to info and tutorials for CF9 and CFBuilder, but it seems someone has beat me to it, so rather than re-invent the wheel I will just link to this chap&amp;#39;s page and save myself some work :-) If you are looking to find out what is new in CF9 and how to do it, this is worth reading.&lt;/p&gt;  &lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;b&gt;&lt;a href=&quot;http://www.akbarsait.com/cf9tutorials.cfm#CFLanguageEnhancement&quot;&gt;CFML Language Enhancements Tutorials&lt;/a&gt;&lt;/b&gt; &lt;/li&gt;    &lt;li&gt;&lt;b&gt;&lt;a href=&quot;http://www.akbarsait.com/cf9tutorials.cfm#CFScriptEnhancement&quot;&gt;CFScript Enhancement Tutorials&lt;/a&gt;&lt;/b&gt; &lt;/li&gt;    &lt;li&gt;&lt;b&gt;&lt;a href=&quot;http://www.akbarsait.com/cf9tutorials.cfm#CFSAAS&quot;&gt;ColdFusion As a Service Tutorials&lt;/a&gt;&lt;/b&gt; &lt;/li&gt;    &lt;li&gt;&lt;b&gt;&lt;a href=&quot;http://www.akbarsait.com/cf9tutorials.cfm#ORM&quot;&gt;Hibernate-based ORM Tutorials&lt;/a&gt;&lt;/b&gt; &lt;/li&gt;    &lt;li&gt;&lt;b&gt;&lt;a href=&quot;http://www.akbarsait.com/cf9tutorials.cfm#CFANDMS&quot;&gt;Microsoft SharePoint &amp;amp; Office Interoperability Tutorials&lt;/a&gt;&lt;/b&gt; &lt;/li&gt;    &lt;li&gt;&lt;b&gt;&lt;a href=&quot;http://www.akbarsait.com/cf9tutorials.cfm#JEEPortlets&quot;&gt;Native JEE Portlets Tutorials&lt;/a&gt;&lt;/b&gt; &lt;/li&gt;    &lt;li&gt;&lt;b&gt;&lt;a href=&quot;http://www.akbarsait.com/cf9tutorials.cfm#UIControls&quot;&gt;Enhance and New UI Controls Tutorials&lt;/a&gt;&lt;/b&gt; &lt;/li&gt;    &lt;li&gt;&lt;b&gt;&lt;a href=&quot;http://www.akbarsait.com/cf9tutorials.cfm#Caching&quot;&gt;Advance Caching Tutorials&lt;/a&gt;&lt;/b&gt; &lt;/li&gt;    &lt;li&gt;&lt;b&gt;&lt;a href=&quot;http://www.akbarsait.com/cf9tutorials.cfm#SolrLucene&quot;&gt;Apache Solr / Lucene Integration Tutorials&lt;/a&gt;&lt;/b&gt; &lt;/li&gt;    &lt;li&gt;&lt;b&gt;&lt;a 
href=&quot;http://www.akbarsait.com/cf9tutorials.cfm#ServerManager&quot;&gt;Server Management Tool Tutorials&lt;/a&gt;&lt;/b&gt; &lt;/li&gt;    &lt;li&gt;&lt;b&gt;&lt;a href=&quot;http://www.akbarsait.com/cf9tutorials.cfm#FlexAndAIR&quot;&gt;Flex/AIR Integration Tutorials&lt;/a&gt;&lt;/b&gt; &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;p&gt;A few of my favourite new features are below, of course I tend to look at things from a host&amp;#39;s perspective these days rather than a developer seeing as I don&amp;#39;t do a lot of coding anymore.&lt;/p&gt;  &lt;p&gt;Most of these improvements are especially great for me because I actually had a discussion with Adobe some years ago about what improvements needed to be made to ColdFusion to make it more suitable for shared hosting and explained how they needed to work, and these are areas I specifically addressed, so it seems that finally they did listen to me.&lt;/p&gt;  &lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;a href=&quot;/enclosures/cf9undl.png&quot; target=&quot;_blank&quot;&gt;&lt;img src=&quot;/enclosures/cf9undl_image_thumb.png&quot; style=&quot;display: inline&quot; title=&quot;image&quot; alt=&quot;image&quot; align=&quot;right&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;&lt;b&gt;View Undelivered Mail        &lt;br /&gt;&lt;/b&gt;This new feature allows you to browse mail sitting in the undelivered folder and then delete or respool them. This is handy for manual checking or on a dev machine. Currently my company has a custom script that automatically respools all undelivered mail for 24 hours, and then deletes them, which is very useful in a shared hosting environment otherwise the undelivered folder regularly fills up. It is a shame Adobe didn&amp;#39;t have the foresight to add this kind of automation as well, but at least the viewer allows an easy way to find missing emails. 
&lt;/li&gt;    &lt;li&gt;&lt;b&gt;Application Specific Datasources        &lt;br /&gt;&lt;/b&gt;This is a real code saver and somewhat of a security benefit as well. With this new &amp;quot;this.datasource&amp;quot; application property you can set an application wide datasource, thus negating the need to specify the DSN in every query. A full review of this feature can be found on &lt;a href=&quot;http://www.bennadel.com/blog/1642-learning-coldfusion-9-application-specific-data-sources.htm&quot; target=&quot;_blank&quot;&gt;Ben Nadel&amp;#39;s blog&lt;/a&gt;. &lt;/li&gt;    &lt;li&gt;&lt;b&gt;Server Manager        &lt;br /&gt;&lt;/b&gt;ColdFusion 8 introduced server monitoring for single and multiple servers via a Flex based app which provided access to all sorts of ColdFusion internals, alerts, proactive problem management, and more.       &lt;br /&gt;ColdFusion 9 takes this a big step further with a new tool called &amp;quot;ColdFusion Server Manager&amp;quot;. This AIR based application allows you to monitor as many servers as needed (including individual ColdFusion instances on a multi-instance configuration) and even offers pop-up alerts when issues occur, it allows for remote server configuration (define a data source, for example), it also allows for settings to be applied to multiple servers at once, it can clear the template caches, it can upload hot-fixes to one or more servers, and it even allows you to select two ColdFusion servers to compare their configuration settings, highlighting any differences between them.       &lt;br /&gt;Oh, and before you ask, here are answers to the three most commonly asked questions.       &lt;br /&gt;      &lt;br /&gt;      &lt;ol&gt;       &lt;li&gt;No, this is not a separately sold utility, it is part of ColdFusion itself (and installed via a link in the ColdFusion Administrator). 
&lt;/li&gt;        &lt;li&gt;ColdFusion Server Manager uses APIs added to ColdFusion 9, so no, this will not work with ColdFusion 8 or earlier. &lt;/li&gt;        &lt;li&gt;Adobe have not made any decisions yet as to product edition, so no decision as to whether this is an Enterprise only feature or not. &lt;/li&gt;     &lt;/ol&gt;   &lt;/li&gt;    &lt;li&gt;&lt;b&gt;Server Security&lt;/b&gt;      &lt;br /&gt;One of my big issues has always been ColdFusion&amp;#39;s security, or rather lack thereof. You need the enterprise edition to get security sandboxes and these only sandbox CFML code, if someone writes some Java code into their CFML pages they can completely bypass the sandbox and do whatever they like, which actually makes ColdFusion one of the most insecure application servers out there in a shared hosting environment as PHP, ASP and .NET do not suffer from this problem.      &lt;br /&gt;This has supposedly now been addressed with ColdFusion 9 now allowing you to restrict access to certain JAVA functionality. I have not yet looked into this, and as no-one else seems to have written an article on this particular area yet I may as well do so, so a more detailed tutorial on this subject will be coming soon.&lt;/li&gt;    &lt;li&gt;&lt;b&gt;64bit ColdFusion for all&lt;/b&gt;      &lt;br /&gt;Up till now, 64bit ColdFusion has only been available to ColdFusion Enterprise customers. This will (thankfully) change in &lt;a href=&quot;http://labs.adobe.com/wiki/index.php/Centaur&quot;&gt;ColdFusion 9&lt;/a&gt;, and all customers will have access to 32bit or 64bit versions, regardless of edition. Groovy!&lt;/li&gt; &lt;/ul&gt; 
				</description>
				
				<category>News &amp; Gossip</category>				
				
				<category>ColdFusion</category>				
				
				<pubDate>Fri, 17 Jul 2009 15:33:00 --0100</pubDate>
				<guid>http://russ.michaels.me.uk/index.cfm/2009/7/17/ColdFusion-9-Tutorials-and-Resources</guid>
				
			</item>
			
			<item>
				<title>ColdFusion 9 and ColdFusion Builder BETA now available for download</title>
				<link>http://russ.michaels.me.uk/index.cfm/2009/7/13/ColdFusion-9-and-ColdFusion-Builder-BETA-now-available-for-download</link>
				<description>
				
				&lt;p&gt;&amp;#160;&lt;img style=&quot;display: block; float: none; margin-left: auto; margin-right: auto&quot; alt=&quot;http://www.pg100.com/riutort/blog/images/centaur_rv-4_black_white.png&quot; src=&quot;http://www.pg100.com/riutort/blog/images/centaur_rv-4_black_white.png&quot; width=&quot;557&quot; height=&quot;257&quot; /&gt;&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;Today, Adobe are announcing a new beta version of Adobe ColdFusion 9 software, the premiere server-side framework, runtime, and language for building HTML-based or rich Internet applications (RIAs). By extrapolating complex tasks into fewer lines of code, Adobe ColdFusion 9 enables you to build Internet applications faster and easier than with any other technology.&lt;/p&gt;  &lt;p&gt;In tandem, they are introducing a new ColdFusion development tool: Adobe ColdFusion Builder(TM), available in beta today. Adobe ColdFusion Builder is an Eclipse(R)-based IDE for ColdFusion development that is deeply integrated with ColdFusion 9. Now you can manage your entire ColdFusion development cycle, from concept to production, with one easy-to-use tool. 
&lt;/p&gt;  &lt;p&gt;By providing a highly customizable environment, Adobe ColdFusion Builder helps you to develop ColdFusion applications faster than ever before.&lt;/p&gt;  &lt;p&gt;These beta versions of ColdFusion 9 and ColdFusion Builder will enable you to:&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Develop and manage applications faster and easier than ever before&lt;/li&gt;    &lt;li&gt;Create RIAs quickly and easily with ColdFusion and the Adobe Flash(R) Platform&lt;/li&gt;    &lt;li&gt;Integrate applications across a multitude of technologies in enterprise environments&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;To download the beta of ColdFusion Builder and get started today, &lt;/p&gt;  &lt;p&gt;visit &amp;gt;&lt;/p&gt;  &lt;p&gt;&lt;a href=&quot;http://www.adobe.com/go/coldfusion_builder_beta_download?sdid=EUSXS&quot;&gt;http://www.adobe.com/go/coldfusion_builder_beta_download?sdid=EUSXS&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;To download the ColdFusion 9 beta, visit &amp;gt;&lt;/p&gt;  &lt;p&gt;&lt;a href=&quot;http://www.adobe.com/go/coldfusion_beta_download?sdid=EUSXT&quot;&gt;http://www.adobe.com/go/coldfusion_beta_download?sdid=EUSXT&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;If you&apos;re interested in learning more about ColdFusion 9 or ColdFusion Builder, register to attend an eSeminar at no charge &amp;gt; &lt;/p&gt;  &lt;p&gt;&lt;a href=&quot;http://www.adobe.com/cfusion/event/index.cfm?event=detail&amp;amp;id=1345643&amp;amp;loc=en_us&amp;amp;sdid=EUSXR&quot;&gt;http://www.adobe.com/cfusion/event/index.cfm?event=detail&amp;amp;id=1345643&amp;amp;loc=en_us&amp;amp;sdid=EUSXR&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;Plus, visit Adobe MAX 2009 in Los Angeles for highly technical &lt;/p&gt;  &lt;p&gt;sessions that can help you learn these tools &amp;gt;&lt;/p&gt;  &lt;p&gt;&lt;a 
href=&quot;http://max.adobe.com?sdid=EUSXU&quot;&gt;http://max.adobe.com?sdid=EUSXU&lt;/a&gt;&lt;/p&gt; 
				</description>
				
				<category>ColdFusion</category>				
				
				<pubDate>Mon, 13 Jul 2009 13:54:14 --0100</pubDate>
				<guid>http://russ.michaels.me.uk/index.cfm/2009/7/13/ColdFusion-9-and-ColdFusion-Builder-BETA-now-available-for-download</guid>
				
			</item>
			
			<item>
				<title>FCKEditor Security threat in ColdFusion 8</title>
				<link>http://russ.michaels.me.uk/index.cfm/2009/7/6/FCKEditor-Security-threat-in-ColdFusion-8</link>
				<description>
				
				&lt;p&gt;Recent postings on &lt;a href=&quot;http://isc.sans.org/diary.html?storyid=6715&quot; target=&quot;_blank&quot;&gt;SANS&lt;/a&gt; and &lt;a href=&quot;http://www.theregister.co.uk/2009/07/03/coldfusion_compromise/&quot;&gt;The Register&lt;/a&gt; identify a vulnerability in some ColdFusion 8 installations. It involves the richtext feature found in the cftextarea tag. This tag actually implements an open source rich text editor called &lt;a href=&quot;http://www.fckeditor.net/&quot; target=&quot;_blank&quot;&gt;FCKEditor&lt;/a&gt;. &lt;a href=&quot;http://www.fckeditor.net/&quot; target=&quot;_blank&quot;&gt;FCKEditor&lt;/a&gt; has functionality built in to handle file uploads and file management but this feature should be disabled in the version embedded in CF server. The problem lies in that in some cases the connector that runs this feature is actually turned on.&lt;/p&gt;  &lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;p&gt;Is your connector enabled? To find out, navigate to the following folder on your server&lt;/p&gt;  &lt;p&gt;   &lt;br /&gt;&lt;i&gt;CFIDE\scripts\ajax\FCKeditor\editor\filemanager\connectors\cfm&lt;/i&gt;&lt;/p&gt;  &lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;p&gt;and look at the config.cfm file to see if the connector is on (config.enabled).&lt;/p&gt;  &lt;p&gt;If enabled, this means a hacker might be able to directly call the filemanager system to upload files and take control of the server. 
FCKEditor has had some history of being exploited by this type of attack.&lt;/p&gt;  &lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;div style=&quot;border: 1px solid gray; margin: 20px 0px 10px; padding: 4px; overflow: auto; line-height: 12pt; background-color: #f4f4f4; width: 97.5%; font-family: consolas,&amp;#39;Courier New&amp;#39;,courier,monospace; max-height: 200px; font-size: 8pt; cursor: text&quot;&gt;   &lt;pre style=&quot;border-style: none; margin: 0em; padding: 0px; overflow: visible; line-height: 12pt; background-color: #f4f4f4; width: 100.16%; font-family: consolas,&amp;#39;Courier New&amp;#39;,courier,monospace; height: 64px; color: black; font-size: 8pt&quot;&gt;    &lt;span style=&quot;color: #008000&quot;&gt;// What the user can do with this connector&lt;/span&gt;&lt;br /&gt;    Config.ConfigAllowedCommands             = &lt;span style=&quot;color: #006080&quot;&gt;&amp;quot;QuickUpload,FileUpload,GetFolders,GetFoldersAndFiles,CreateFolder&amp;quot;&lt;/span&gt; ;&lt;/pre&gt; &lt;/div&gt;  &lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;p&gt;Solutions:&lt;/p&gt;  &lt;p&gt;   &lt;br /&gt;1) Turn off the connector so that the filemanagement and file upload features can&amp;#39;t work. Do this by commenting it out.&lt;/p&gt;&lt;p&gt;2) Just restrict what the filemanager can do, see code above, remove the functions you do not want to allow. &lt;/p&gt;  &lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;p&gt;3) To be completely safe, delete the entire filemanager directory found under &amp;quot;CFIDE\scripts\ajax\FCKeditor\editor&amp;quot;. The embedded version of FCKeditor for CF doesn&amp;#39;t and really shouldn&amp;#39;t use this feature. So removing those files completely is the safest thing to do. Be mindful that updates to CF might re-introduce those files and naturally re-open the problem. 
You can avoid this by making the file/folder read only so that it cannot be updated.&lt;/p&gt;  &lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;p&gt;Please note that if your host is secure and runs sites so that they cannot read/write files outside of their own root, then any attack should only be localised to the attacked site and not the whole server. &lt;/p&gt;  &lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;At BlueThunder/CFMX Hosting we employ Security sandboxes for every site restricting access and PHP/ASP etc are also restricted in the same way using server security, so it should not be possible for any uploaded code to access paths outside of that website. &lt;/b&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;If your host allows CFFILE by default without a sandbox or only runs CF Standard edition, then beware as their entire server is vulnerable to this and just about any other file upload attack as well. &lt;/b&gt;&lt;/p&gt;  &lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;p&gt;The Adobe Product Security Incident Response Team (PSIRT) has posted an official response to this issue &lt;a href=&quot;http://blogs.adobe.com/psirt/2009/07/potential_coldfusion_security.html&quot;&gt;here&lt;/a&gt;, a patch is expected soon, but in the mean time make sure you are not at risk.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;UPDATE: hotfix now available &lt;a href=&quot;http://www.adobe.com/support/security/bulletins/apsb09-09.html&quot;&gt;HERE &lt;/a&gt; &lt;/p&gt; 
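&lt;p&gt;A read-only check for the two settings discussed above, as an added Python example that is not Adobe or FCKeditor code: it parses the text of a connector config.cfm and reports whether the connector is explicitly enabled and which of the allowed commands write to disk. The sample config text is constructed, and the function names and the grouping of write commands are assumptions.&lt;/p&gt;

```python
import re

# Assumption: these connector commands write to disk, judged by their names.
WRITE_COMMANDS = {"quickupload", "fileupload", "createfolder"}

# Anchored to the start of a line so a setting disabled with // is ignored.
ENABLED_RE = re.compile(r"^\s*Config\.Enabled\s*=\s*(\w+)", re.I | re.M)
COMMANDS_RE = re.compile(
    r'^\s*Config\.ConfigAllowedCommands\s*=\s*"([^"]*)"', re.I | re.M)


def audit_connector(config_text):
    """Report whether a connector config.cfm leaves file upload reachable.

    Block comments /* ... */ are removed first. When a setting is assigned
    more than once, the last assignment wins. "enabled" is None when the
    file never sets it, which needs a manual look at the default in use.
    """
    text = re.sub(r"/\*.*?\*/", "", config_text, flags=re.S)
    enabled = None
    for match in ENABLED_RE.finditer(text):
        enabled = match.group(1).lower() in ("true", "yes", "1")
    commands = []
    for match in COMMANDS_RE.finditer(text):
        commands = [c.strip() for c in match.group(1).split(",") if c.strip()]
    write_commands = sorted(c for c in commands if c.lower() in WRITE_COMMANDS)
    return {
        "enabled": enabled,
        "commands": commands,
        "write_commands": write_commands,
        # Explicitly enabled and still allowing commands that write files.
        "upload_reachable": bool(enabled) and bool(write_commands),
    }


# Constructed sample: connector on, full command list as quoted in the post.
SAMPLE_OPEN = '''
Config.Enabled = true ;
// What the user can do with this connector
Config.ConfigAllowedCommands = "QuickUpload,FileUpload,GetFolders,GetFoldersAndFiles,CreateFolder" ;
'''

# Constructed sample for solution 1: the enabling line is commented out.
SAMPLE_COMMENTED = '''
// Config.Enabled = true ;
Config.ConfigAllowedCommands = "QuickUpload,FileUpload,GetFolders,GetFoldersAndFiles,CreateFolder" ;
'''

# Constructed sample for solution 2: write commands removed from the list.
SAMPLE_RESTRICTED = '''
Config.Enabled = true ;
Config.ConfigAllowedCommands = "GetFolders,GetFoldersAndFiles" ;
'''


def demo():
    """Audit the three constructed configs and return the three reports."""
    return [audit_connector(s)
            for s in (SAMPLE_OPEN, SAMPLE_COMMENTED, SAMPLE_RESTRICTED)]


if __name__ == "__main__":
    for report in demo():
        print(report)
```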
				</description>
				
				<category>ColdFusion</category>				
				
				<pubDate>Mon, 06 Jul 2009 18:46:00 --0100</pubDate>
				<guid>http://russ.michaels.me.uk/index.cfm/2009/7/6/FCKEditor-Security-threat-in-ColdFusion-8</guid>
				
			</item>
			
			<item>
				<title>CF on IIS7 &amp;ndash; internal server error</title>
				<link>http://russ.michaels.me.uk/index.cfm/2009/6/30/CF-on-IIS7-ndash-internal-server-error</link>
				<description>
				
				&lt;p&gt;As you will see elsewhere on my blog, I have recently setup windows 2008 server 64bit as my new desktop. For the most part everything has worked ok, but there have been a few interesting quirks.&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;One of these quirks was that any new site I setup in IIS7 resulted in a &amp;quot;500 internal server error&amp;quot; identifying the AboMapperCustom wildcard application mapping for ColdFusion as the cause.&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;Now my Default Web Site from where I run the CFADMIN was working fine, so I was rather perplexed as to why other sites did not work when they seemed to be setup exactly the same.&lt;/p&gt;  &lt;p&gt;Now I am actually using DotNetPanel on my local machine to setup and manage sites, so this may be a contributing factor, but still the cause of the problems may affect others, so hopefully the solutions may help.&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;Using the Web Server Configuration Tool I tried to disable then enable CFML on the server several times to no avail, then when checking the &amp;quot;Handler Mappings&amp;quot; for the site, I noticed that the wildcard application map for CF was actually there twice, which I am sure may well have been a contributing factor, so I removed one of them. 
I also then noticed this alert on the handler mappings page.&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;div style=&quot;border-bottom: gray 1px solid; border-left: gray 1px solid; padding-bottom: 4px; line-height: 12pt; background-color: #f4f4f4; margin: 20px 0px 10px; padding-left: 4px; width: 97.5%; padding-right: 4px; font-family: consolas, &amp;#39;Courier New&amp;#39;, courier, monospace; max-height: 200px; font-size: 8pt; overflow: auto; border-top: gray 1px solid; cursor: text; border-right: gray 1px solid; padding-top: 4px&quot;&gt;   &lt;pre style=&quot;border-bottom-style: none; padding-bottom: 0px; line-height: 12pt; border-right-style: none; background-color: #f4f4f4; margin: 0em; padding-left: 0px; width: 100.16%; padding-right: 0px; font-family: consolas, &amp;#39;Courier New&amp;#39;, courier, monospace; border-top-style: none; height: 72px; color: black; font-size: 8pt; border-left-style: none; overflow: visible; padding-top: 0px&quot;&gt;&lt;p&gt;This site is in an application pool that is running in classic mode, 
so you can manage ISAPI extension and native modules that are mapped to &lt;/p&gt;&lt;p&gt;paths. You must manage managed handlers (system.web/httphandlers) directly &lt;/p&gt;&lt;p&gt;in the configuration files.&lt;/p&gt;&lt;/pre&gt;
&lt;/div&gt;

&lt;p&gt;Now if I recall &amp;quot;classic mode&amp;quot; means 32bit, so this seemed likely to be causing a problem, although I am not sure how I ended up using this application pool by default.&lt;/p&gt;

&lt;p&gt;Anyway to change this, open the IIS manager, find your site, right click and select &lt;/p&gt;

&lt;p&gt;Manage Web -&amp;gt; Advanced Settings&lt;/p&gt;

&lt;p&gt;And change the application pool at the top to &amp;quot;Default Application Pool&amp;quot;. In my case this fixed the problem and the alert went away, hopefully this may help someone else having issues with IIS7 and CF.&lt;/p&gt; 
				</description>
				
				<category>Windows 2008 Server</category>				
				
				<category>ColdFusion</category>				
				
				<pubDate>Tue, 30 Jun 2009 15:04:00 --0100</pubDate>
				<guid>http://russ.michaels.me.uk/index.cfm/2009/6/30/CF-on-IIS7-ndash-internal-server-error</guid>
				
			</item>
			
			<item>
				<title>CFAjaxProxy Security errors</title>
				<link>http://russ.michaels.me.uk/index.cfm/2009/6/10/CFAjaxProxy-Security-errors</link>
				<description>
				
				&lt;p&gt;This was a very odd problem I had on a client&amp;#39;s site this week. Whenever he used the &amp;lt;CFAjaxProxy&amp;gt; tag on a page, the page simply stopped rendering at the point where the tag appeared. No error appeared on the page or in the ColdFusion logs.&lt;/p&gt;  &lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;p&gt;The reason no error occurred turned out to be caused by the application.cfc, he has an OnError function that was doing a cfabort.&lt;/p&gt;  &lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;pre class=&quot;csharpcode&quot;&gt;&lt;span class=&quot;kwrd&quot;&gt;&amp;lt;&lt;/span&gt;&lt;span class=&quot;html&quot;&gt;cffunction&lt;/span&gt; &lt;span class=&quot;attr&quot;&gt;name&lt;/span&gt;&lt;span class=&quot;kwrd&quot;&gt;=&amp;quot;onError&amp;quot;&lt;/span&gt; &lt;span class=&quot;attr&quot;&gt;returnType&lt;/span&gt;&lt;span class=&quot;kwrd&quot;&gt;=&amp;quot;void&amp;quot;&lt;/span&gt; &lt;span class=&quot;attr&quot;&gt;output&lt;/span&gt;&lt;span class=&quot;kwrd&quot;&gt;=&amp;quot;false&amp;quot;&lt;/span&gt;&lt;span class=&quot;kwrd&quot;&gt;&amp;gt;&lt;/span&gt;&lt;br /&gt;        &lt;span class=&quot;kwrd&quot;&gt;&amp;lt;&lt;/span&gt;&lt;span class=&quot;html&quot;&gt;cfargument&lt;/span&gt; &lt;span class=&quot;attr&quot;&gt;name&lt;/span&gt;&lt;span class=&quot;kwrd&quot;&gt;=&amp;quot;exception&amp;quot;&lt;/span&gt; &lt;span class=&quot;attr&quot;&gt;required&lt;/span&gt;&lt;span class=&quot;kwrd&quot;&gt;=&amp;quot;true&amp;quot;&lt;/span&gt; &lt;span class=&quot;kwrd&quot;&gt;/&amp;gt;&lt;/span&gt;&lt;br /&gt;        &lt;span class=&quot;kwrd&quot;&gt;&amp;lt;&lt;/span&gt;&lt;span class=&quot;html&quot;&gt;cfargument&lt;/span&gt; &lt;span class=&quot;attr&quot;&gt;name&lt;/span&gt;&lt;span class=&quot;kwrd&quot;&gt;=&amp;quot;eventname&amp;quot;&lt;/span&gt; &lt;span class=&quot;attr&quot;&gt;type&lt;/span&gt;&lt;span class=&quot;kwrd&quot;&gt;=&amp;quot;string&amp;quot;&lt;/span&gt; &lt;span 
class=&quot;attr&quot;&gt;required&lt;/span&gt;&lt;span class=&quot;kwrd&quot;&gt;=&amp;quot;true&amp;quot;&lt;/span&gt; &lt;span class=&quot;kwrd&quot;&gt;/&amp;gt;&lt;/span&gt;&lt;br /&gt;        &lt;span class=&quot;rem&quot;&gt;&amp;lt;!--- &amp;lt;cfdump var=&amp;quot;#ARGUMENTS#&amp;quot; /&amp;gt; ---&amp;gt;&lt;/span&gt;&lt;br /&gt;        &lt;span class=&quot;kwrd&quot;&gt;&amp;lt;&lt;/span&gt;&lt;span class=&quot;html&quot;&gt;cfabort&lt;/span&gt; &lt;span class=&quot;kwrd&quot;&gt;/&amp;gt;&lt;/span&gt;&lt;br /&gt;&lt;span class=&quot;kwrd&quot;&gt;&amp;lt;/&lt;/span&gt;&lt;span class=&quot;html&quot;&gt;cffunction&lt;/span&gt;&lt;span class=&quot;kwrd&quot;&gt;&amp;gt;&lt;/span&gt;&lt;/pre&gt;  &lt;pre class=&quot;csharpcode&quot;&gt;&lt;span class=&quot;kwrd&quot;&gt;&lt;/span&gt;&lt;/pre&gt;  &lt;pre class=&quot;csharpcode&quot;&gt;&lt;span class=&quot;kwrd&quot;&gt;&lt;/span&gt;&lt;/pre&gt;  &lt;p&gt;Once I got rid of this problem, the following error appeared.&lt;/p&gt;  &lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;pre class=&quot;csharpcode&quot;&gt;&lt;span class=&quot;kwrd&quot;&gt;&lt;/span&gt;&lt;/pre&gt;  &lt;p style=&quot;width: 95%; height: 108px&quot; class=&quot;code&quot;&gt;Security: The requested template has been denied access to C:\ColdFusion8\wwwroot\WEB-INF\cfclasses\cfcheckUsername2ecfc1070071758.class.   &lt;br /&gt;The following is the internal exception message: access denied (java.io.FilePermission C:\ColdFusion8\wwwroot\WEB-INF\cfclasses\cfcheckUsername2ecfc1070071758.class write)&lt;/p&gt;  &lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;p&gt;&amp;nbsp;&lt;/p&gt;  &lt;p&gt;So yet another path that needs to be added to the sandbox for every site in order for Ajax to work. Really there is no reason why this should be so as the classes should be created by CF internally and no special permissions should be required by the application. 
&lt;/p&gt;  &lt;p&gt;The number of paths now required in each sandbox for CF8 in order for all tags and functions to work correctly is ridiculous. I have enlightened Adobe how things should work in shared hosting environments and all the paths that do not get inherited by sandboxes when applied at a root level, so here&amp;#39;s hoping that CF9 will finally be shared hosting friendly.&lt;/p&gt;  &lt;p&gt;&lt;style type=&quot;text/css&quot;&gt;  .csharpcode, .csharpcode pre { 	font-size: small; 	color: black; 	font-family: consolas, &quot;Courier New&quot;, courier, monospace; 	background-color: #ffffff; 	/*white-space: pre;*/ } .csharpcode pre { margin: 0em; } .csharpcode .rem { color: #008000; } .csharpcode .kwrd { color: #0000ff; } .csharpcode .str { color: #006080; } .csharpcode .op { color: #0000c0; } .csharpcode .preproc { color: #cc6633; } .csharpcode .asp { background-color: #ffff00; } .csharpcode .html { color: #800000; } .csharpcode .attr { color: #ff0000; } .csharpcode .alt  { 	background-color: #f4f4f4; 	width: 100%; 	margin: 0em; } .csharpcode .lnum { color: #606060; }&lt;/style&gt;&lt;/p&gt; 
				</description>
				
				<category>ColdFusion</category>				
				
				<category>Ajax</category>				
				
				<pubDate>Wed, 10 Jun 2009 12:34:00 --0100</pubDate>
				<guid>http://russ.michaels.me.uk/index.cfm/2009/6/10/CFAjaxProxy-Security-errors</guid>
				
			</item>
			
			<item>
				<title>ColdFusion 8 performance Issues when using Java 6</title>
				<link>http://russ.michaels.me.uk/index.cfm/2009/3/19/ColdFusion-8-performance-Issues-when-using-Java-6</link>
				<description>
				
				&lt;p&gt;&lt;img src=&quot;/enclosures/ColdFusion8performanceIssueswhenusingsec_9943/image_thumb.png&quot; style=&quot;border-width: 0px&quot; alt=&quot;image&quot; align=&quot;left&quot; border=&quot;0&quot; width=&quot;80&quot; height=&quot;76&quot; /&gt; For the last few weeks on one of our ColdFusion 8 servers I have been noticing an increase in performance issues. Requests would regularly start taking longer and timing out and it would often be happening to all the running requests and not just some. Strangely this also seemed to happen whenever I modified a security sandbox, which would usually take a long time to process the request and would also cause all other requests to slow down and time out as above.&lt;/p&gt; &lt;p&gt;&lt;a href=&quot;/enclosures/ColdFusion8performanceIssueswhenusingsec_9943/image_3.png&quot;&gt;&lt;img src=&quot;/enclosures/ColdFusion8performanceIssueswhenusingsec_9943/image_thumb_3.png&quot; style=&quot;border: 0px none &quot; alt=&quot;image&quot; align=&quot;right&quot; border=&quot;0&quot; width=&quot;244&quot; height=&quot;184&quot; /&gt;&lt;/a&gt;One common factor I noticed while stack tracing these requests with &lt;a href=&quot;http://www.shareit.com/product.html?productid=300046617&amp;amp;cookies=1&amp;amp;affiliateid=200036654&quot; target=&quot;_blank&quot;&gt;FusionReactor&lt;/a&gt; and the server monitor was that they all seemed to be using Fusebox and there was a lot of class loading going on. 
&lt;/p&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt;Now I know that frameworks like Fusebox and ModelGlue can be slow to initialise the first time as they have a lot of classes to load, but this shouldn&amp;#39;t happen again unless an application is re-initialised or CF is restarted.&lt;/p&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt;I had &lt;a href=&quot;http://www.carehart.org&quot; target=&quot;_blank&quot;&gt;Charlie Arehart&lt;/a&gt; helping me look at this issue and he reminded me of the problem with Java 6, which I had totally forgotten about. For all the other performance improvements and increased functionality in Java 6, it introduced a bug in the class loader that causes substantially slower class loading. You can see a &lt;a href=&quot;http://forum.java.sun.com/thread.jspa?threadID=5218663&quot;&gt;discussion of the problem on Sun&amp;#39;s forums&lt;/a&gt;. &lt;/p&gt; &lt;p&gt;This bug will affect any application using a lot of CFCs, especially those using frameworks such as Fusebox, ModelGlue, Transfer etc, due to the large number of classes that must be loaded as a result. So for those of you not caching your CFCs, perhaps it is time to start doing so.&lt;/p&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt;This led us to the conclusion that whenever you make any changes to a security sandbox this causes all existing classes to be reloaded, which seemed to be confirmed by the stack traces which did show a lot of class loading happening in the slow running processes.&lt;/p&gt; &lt;p&gt;As the aforementioned bug is supposed to have been fixed in the current release of Java 6, I decided to go with Charlie&amp;#39;s suggestion and give this a try and see if it resolved the problem. 
So I downloaded and installed the &lt;a href=&quot;https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_Developer-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=jdk-6u12-oth-JPR@CDS-CDS_Developer&quot; target=&quot;_blank&quot;&gt;JDK 6 Update 12&lt;/a&gt;, set ColdFusion to use this version and so far I have not been able to repeat the previous issues when modifying security sandboxes, so it seems as though this solution has worked. It is however early days as I only made the change last night, so time will tell if this gives an overall performance boost to ColdFusion in general.&lt;/p&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt;Updating ColdFusion to use a newer version of Java is very straightforward, so here are the steps for anyone interested in doing so.&lt;/p&gt; &lt;p&gt;Download the latest version of the JDK (or whatever version you need) from &lt;a href=&quot;http://java.sun.com/javase/downloads/index.jsp&quot; title=&quot;http://java.sun.com/javase/downloads/index.jsp&quot;&gt;http://java.sun.com/javase/downloads/index.jsp&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt;Now install this on your server in your desired location, but don&amp;#39;t forget that you may need to set up additional permissions if you are not running ColdFusion in the standard configuration and have it running under anything other than SYSTEM.&lt;/p&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt;Now you need to edit your jvm.config file and modify the java.home path to point to the newly installed JDK.&lt;/p&gt; &lt;p&gt;On a standard installation this file can be found in &lt;i&gt;c:\coldfusion8\runtime\bin\jvm.config,&lt;/i&gt; if you are using a J2EE or multi-server installation then your path will be different.&lt;/p&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt;Comment out the existing java.home by adding a # to the start of the line and then enter your new path like so:-&lt;/p&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;div class=&quot;csharpcode-wrapper&quot;&gt; 
&lt;div style=&quot;border: 1px solid gray; margin: 20px 0px 10px; padding: 4px; overflow: auto; font-size: 8pt; width: 97.5%; cursor: text; max-height: 200px; line-height: 12pt; font-family: consolas,&amp;#39;Courier New&amp;#39;,courier,monospace; background-color: #f4f4f4&quot;&gt;&lt;pre style=&quot;border-style: none; margin: 0em; padding: 0px; overflow: visible; font-size: 8pt; width: 100%; color: black; line-height: 12pt; font-family: consolas,&amp;#39;Courier New&amp;#39;,courier,monospace; background-color: #f4f4f4&quot;&gt;&lt;span style=&quot;color: #008000&quot;&gt;#java.home=C:/ColdFusion8/runtime/jre&lt;/span&gt;&lt;/pre&gt;&lt;pre style=&quot;border-style: none; margin: 0em; padding: 0px; overflow: visible; font-size: 8pt; width: 100%; color: black; line-height: 12pt; font-family: consolas,&amp;#39;Courier New&amp;#39;,courier,monospace; background-color: #f4f4f4&quot;&gt;java.home=C:/Program Files/Java/jdk1.6.0_12/jre&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt;Please note the path is using forward slashes and not the default backslashes that you will get if you copy and paste the path from Windows Explorer. This is required or ColdFusion will not start. 
If you are running multiple instances of ColdFusion with each using its own jvm.config then you will need to make this change in each jvm.config file.&lt;/p&gt; &lt;p&gt;Now simply restart ColdFusion, then log in to your cfadministrator and go to the system information page, where it shows which version of Java is being used, which should now reflect your changes.&lt;/p&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;h3&gt;ColdFusion 8 Server Monitor&lt;/h3&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt;&lt;a href=&quot;/enclosures/ColdFusion8performanceIssueswhenusingsec_9943/image_4.png&quot;&gt;&lt;img src=&quot;/enclosures/ColdFusion8performanceIssueswhenusingsec_9943/image_thumb_4.png&quot; style=&quot;border: 0px none &quot; alt=&quot;image&quot; align=&quot;right&quot; border=&quot;0&quot; width=&quot;244&quot; height=&quot;150&quot; /&gt;&lt;/a&gt;I also wanted to mention that while trying to diagnose these issues I tried using the built in server monitor, which unfortunately caused more of a hindrance than a help. It seems that enabling the Profiling and Memory Tracking on a live production server may not be a good idea and could well bring it to its knees within minutes. 
While these options were enabled the JRUN memory usage started to climb and continued to climb until the max 1024mb had been consumed, at which point CF will stop responding. I also noted the memory tracking will incorrectly report the memory usage of complex Fusebox variables, stating that they are several terabytes in size, so this seems to imply that again the problems were related to frameworks and class loading.&lt;/p&gt; &lt;p&gt;I have however enabled the server monitor briefly since updating Java and the memory consumption problem does seem to have gone but the incorrect reporting of memory usage in application and request scopes is still there.&lt;/p&gt; &lt;p&gt;Sadly I have never been able to get the &amp;quot;Sessions by memory usage&amp;quot; or &amp;quot;CF Threads by memory usage&amp;quot; to work, they have always been blank, so whether these have the same issues I do not know. &lt;/p&gt; 
				</description>
				
				<category>ColdFusion</category>				
				
				<pubDate>Thu, 19 Mar 2009 12:48:00 --0100</pubDate>
				<guid>http://russ.michaels.me.uk/index.cfm/2009/3/19/ColdFusion-8-performance-Issues-when-using-Java-6</guid>
				
			</item>
			
			<item>
				<title>The new face of CFMX Hosting</title>
				<link>http://russ.michaels.me.uk/index.cfm/2009/2/19/The-new-face-of-CFMX-Hosting</link>
				<description>
				
				&lt;p align=&quot;center&quot;&gt;&lt;a href=&quot;http://www.bluethunderinternet.com/&quot; target=&quot;_blank&quot;&gt;&lt;img src=&quot;/enclosures/ThenewfaceofCFMXHositng_10D19/btiv2.gif&quot; style=&quot;border-width: 0px&quot; alt=&quot;btiv2&quot; border=&quot;0&quot; width=&quot;504&quot; height=&quot;504&quot; /&gt;&lt;/a&gt;&lt;/p&gt; &lt;p&gt;For the last 6 years I have been working for Loud-n-clear Ltd, with whom I merged CFMX Hosting back in 2003. After 6 years of feeling like I was banging my head against a brick wall I decided it was time to split the companies up again so that I could actually work on growing and expanding CFMX Hosting, and get out of the rut I had found myself in. So in January I left Loud-n-clear, separating CFMX Hosting and taking it with me and launched a new company called &amp;quot;BlueThunder Internet&amp;quot;. This will be the new name of CFMX Hosting, which I am re-branding to be more generic and less CF-centric, which I feel will be a positive move in this current recession, where I don&amp;#39;t think one can afford to restrict oneself to such a small niche especially in such a competitive market place as hosting. Plus there is the fact that there is no such thing as &amp;quot;CFMX&amp;quot; any longer since Adobe changed the name back to plain &amp;quot;ColdFusion&amp;quot;, so I have been thinking of changing the name for a while. 
&lt;/p&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;table border=&quot;0&quot; cellpadding=&quot;2&quot; cellspacing=&quot;0&quot; width=&quot;100%&quot;&gt; &lt;tbody&gt; &lt;tr&gt; &lt;td align=&quot;middle&quot; width=&quot;300&quot;&gt; &lt;p align=&quot;center&quot;&gt;&lt;a href=&quot;http://www.openbluedragon.org/&quot; target=&quot;_blank&quot;&gt;&lt;img src=&quot;/enclosures/ThenewfaceofCFMXHositng_10D19/image.png&quot; style=&quot;border: 0px none &quot; alt=&quot;image&quot; border=&quot;0&quot; width=&quot;244&quot; height=&quot;53&quot; /&gt;&lt;/a&gt;&lt;/p&gt;&lt;/td&gt; &lt;td align=&quot;middle&quot; width=&quot;259&quot;&gt;&lt;a href=&quot;http://www.railo.ch/&quot; target=&quot;_blank&quot;&gt;&lt;img src=&quot;http://www.railo-technologies.com/jmuffin/upload/railo-3-communty-free.gif&quot; border=&quot;0&quot; width=&quot;207&quot; height=&quot;107&quot; /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt;   &lt;p&gt; While I am still a huge ColdFusion fan it is no longer the only cfkid on the block, so my new company will be specialising in &amp;quot;CFML&amp;quot; and supporting the likes of Railo and BlueDragon as well as ColdFusion and all the other usual technologies. 
I have become a big fan of Railo of late especially since it is far better suited to the shared hosting environment than ColdFusion with its per site admin interface which means less support tickets and more control for the customer, plus the security side of things is also significantly better.&lt;/p&gt; &lt;p&gt;If you haven&amp;#39;t yet heard about Railo or you have heard about it but don&amp;#39;t know why you would want to use it, I strongly recommend heading over to CFMeetup and watching the recent recording of the &lt;a href=&quot;http://www.railo.ch/blog/index.cfm/2009/1/30/Railo-presentation-on-CFMeetup&quot; target=&quot;_blank&quot;&gt;Railo 3.1 Open Source Presentation&lt;/a&gt;, this should give you some idea of how cool Railo is and some of the awesome and unique new features it provides, or perhaps like me it will even get you as excited as you used to be about ColdFusion :-)&lt;/p&gt; &lt;p&gt;With the emergence of &lt;a href=&quot;http://www.openbluedragon.org/&quot; target=&quot;_blank&quot;&gt;open BlueDragon&lt;/a&gt; and &lt;a href=&quot;http://www.railo.ch/&quot; target=&quot;_blank&quot;&gt;Railo&lt;/a&gt; now also being open source as well, I think this is going to give a much needed boost to CFML as a language and the community at large. Finally CFML is now on an equal footing with the likes of PHP as it is now also free to download and use, but with the added advantage of being easier to learn and more powerful, oh and it works better on Windows too ;-)&lt;/p&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt;For those who may be wondering where the name &amp;quot;BlueThunder&amp;quot; came from, it was many many hours of trying to find a domain name that wasn&amp;#39;t already taken and is easy to remember, which is very hard by the way. 
I had exhausted just about every name using the word &amp;quot;fusion&amp;quot; or &amp;quot;hosting&amp;quot; so I then randomly just decided to start thinking of names of old 8 bit computer games and old TV shows and then I remembered that old show about the helicopter called Blue Thunder, which as well as liking the name I thought was also a bit of a play on words in the same vein as ColdFusion, it has that same feeling of power, so having found a domain name that was free, I snapped it up. You may also notice the new logo might look slightly reminiscent of the original Allaire ColdFusion logo. &lt;/p&gt; 
				</description>
				
				<category>BlueDragon and Railo</category>				
				
				<category>ColdFusion</category>				
				
				<pubDate>Thu, 19 Feb 2009 20:23:00 --0100</pubDate>
				<guid>http://russ.michaels.me.uk/index.cfm/2009/2/19/The-new-face-of-CFMX-Hosting</guid>
				
			</item>
			</channel></rss>