Two videos I've done for the Adobe YouTube ColdFusion Channel

Hey folks, I've done a couple of videos over the past several months on the Adobe YouTube ColdFusion channel, both focused on some important challenges related to ColdFusion 10. If you've got about 10 minutes to spare, I suspect you'll learn a few things that may surprise you.

First video, on single-login problems in CF10 Admin

The first video was done at cf.Objective() in May 2013, and was posted to YouTube by Adobe shortly thereafter:

Video 1: Solving the problem of single-login in ColdFusion10 (07m:32s)

If you've had the problem in CF10 of finding that you log in to the Admin, only to be logged off soon thereafter, I explain in the video both why it happens and how to solve it. (I also wrote about it previously here.)

Second video, on important security hotfix notes document

The second video was done back in June, but sadly was not posted until last week. While the timeframe references I make are dated, the information shared is not and really may still be a surprise to as many now as back then:

Video 2: Security Hotfix Notes Document (5m46s)

This is such an important document. I also had written about it previously here.

See other CF videos there

Be sure to check out all the videos in the Adobe CF YouTube channel, about 20 of them currently, from different speakers and on many topics.

Don't forget to vote, for cf.Objective() 2014 topics, including 2 ColdFusion talks from me

By now you may have heard that the call for speakers for the cf.Objective() 2014 conference closed a couple of weeks ago and now it's time to vote among the posted topics using the conference Trello board.

I wanted to point out to my readers that I have proposed two talks. The first is one I gave at the Adobe CF Summit last month, and it was very well received. You can see the description and VOTE button on each of the following pages:

CF911: Solving Frequent CF Server Problems in New/Better Ways (click to visit, then vote)

The second is one that I gave to the Atlanta CFUG earlier this year.

Updating/Hotfixing ColdFusion 10, 9 and 8: Tips and Traps (click to visit, then vote)

Both are full of surprising and helpful tips, based on my experience helping hundreds of shops with related issues in my CF server troubleshooting services. But the talks are not "sales pitches".

Their goal is to be just like my blog entries here, and my past talks: I just want to help people find, understand, and resolve problems with their CF servers. It's wonderful to be able to help people come away more confident and capable in managing their servers, whether from the consulting sessions, the talks, the blog entries, the cf911.com wiki of cf server troubleshooting resources, the cf411.com site of tools and resources of interest to CFers, and so on.

Anyway, if these talks sound interesting, please go add your votes using the link for each above, and click the vote option that then appears. And of course, vote for all the other talks you think ought to be invited. The board uses your votes, so every vote counts.

Still more reasons to make sure you have updated your ColdFusion 10 web server connector

Several weeks ago, I did an entry, CF911: Why/when you MUST update the web server connector for #ColdFusion 10, and may have missed it.

In this entry, I want to throw in another reason why it's important to make sure you properly update (reconfigure/rebuild/upgrade) your web server connector after applying certain CF10 updates, or if applying only the latest update for the first time to a newly installed CF10 instance.

[....Continue Reading....]

CF911: Why/when you MUST update the web server connector for ColdFusion 10/11 and may have missed it

Have you installed or updated CF10 (or 11) and found that you still have problems with it running right, even when you have "fully updated" CF10? In this blog entry, I explain how it may NOT be that "CF 10 is broken" but rather that you may have missed an important step when updating it.

In brief, a VERY common problem is that while folks MAY WELL have applied the provided "updates" for CF, they often do NOT notice that they may have to (and generally must) "update" the web server "connector" (if they are using an external web server, like IIS or Apache) as a separate manual step, after applying the update.

I explain here what that means, how to do it, and why you may miss that you need to.

(Or if you'd rather just have me help you quickly analyze and rectify your situation, whether with regard to the connectors or any other CF server troubleshooting, I can do that in a brief consulting session, likely less than an hour, remotely and securely. I provide all the detail here for those who prefer to "go it on their own". For more on my consulting services, including rates, approach, satisfaction guarantee, and more, see the consulting page at carehart.org.)

[....Continue Reading....]

Understanding the 9.0.2 release of ColdFusion, a FAQ for those who missed the news last year

So perhaps you're currently running CF 9.0 or CF 9.0.1, and you may have noticed that there is a CF 9.0.2. Have you wondered what it's about? And have you noticed that it's not something you can just update to from 9.0 or 9.0.1? It's a complete installer, meaning you need to uninstall CF 9.0 or 9.0.1 before you can move up to it.

Should you? What do you gain? What do you lose? What are some gotchas? That's what this blog entry is about, answering the following questions:

  • First, what is ColdFusion 9.0.2? Why did Adobe create it?
  • What about the 9.0.1 updater? Can we still get that? Yes.
  • So what all does 9.0.2 add and remove?
  • If I download CF 9 today, what do I get?
  • "But if I download 9.0.2 today, I get the latest version of it available, right? I don't need to add hotfixes, do I?" Wrong.
  • Warning: DO NOT install 9.0.1 atop 9.0.2 (nothing will stop you)
  • If I am on 9.0 or 9.0.1, how can I get to 9.0.2?
  • Why might I want to get to 9.0.2 from 9.0 or 9.0.1?
  • How did I miss this? Was 9.0.2 discussed? Yes it was.

[....Continue Reading....]

Tracking ColdFusion sessions within FusionReactor, by way of FREC logging

Someone asked on the FusionReactor mailing list (a Google Group) whether FusionReactor tracked CF sessions. I started to write a reply, with the good news/bad news in answer to that, and as sometimes happens, it became long enough that I thought it might be better suited as a blog entry that I could point to from the list instead, and which may also help those not on the list (which is a great resource, as a low-volume list with a high signal to noise ratio.)

Anyway, here is the answer I wanted to offer to that question...

[....Continue Reading....]

ColdFusion 10 WACK book contributors (myself included) now listed at Amazon

By now most should know that a new CF10 version of the classic Web Application Construction Kit (or WACK) series was released some months ago:

Adobe ColdFusion Web Application Construction Kit: ColdFusion 10 Enhancements and Improvements

But some may not have known who the contributors were, because since its release the Amazon site for the book had listed only Ben (Forta). Doh! :-)

Ben is indeed the series editor and a fellow contributor--and truly the glue that has held the project together since the first edition for CF3 in 1997.

But as with each edition since the first, there are indeed multiple contributors.

Amazon book page now lists all the contributors

And now the Amazon page does list all the co-authors:

Charlie Arehart, Rob Brooks-Bilson, Raymond Camden, Ken Fricklas, Hemanth Khandelwal, and Chandan Kumar.

Of course, we were indeed properly listed on the front cover, for those who may have looked--and in that same alphabetical order, whereas the Amazon site order is a bit random. Anyway, it's just nice to see this issue fixed.

Problems like that just happen sometimes, and I only noticed it this week and raised it to Amazon. To their credit they were quick to update it.

And I thought some of my co-authors and perhaps others in the community might want to know about it.

Glad to mention the book

Indeed, I've been meaning simply to announce the book and my involvement here myself but got behind on many such news items, as I've just been busy (with my ColdFusion troubleshooting consulting services). Busy is good, of course!

So this was a good chance both to share the above news of the correction for any who'd noticed the issue, and to mention my involvement with the book, in case that and news of the book itself may interest some of my readers. (FWIW, I was a contributor to all 3 vols for CF 8 and 9 also, and I do thank Ben for including me in these works.)

A bit about the book

For those who hadn't noticed the book yet, it's unique in the series in that we decided to go with just a single book, just about the updates. In the past, we instead updated all 3 books throughout. There are pros and cons to either choice, of course, but I do agree that the single book was the way to go.

FWIW, I did chapters 8, 10, and 19.

I was especially delighted to get in a chapter at the end on "hidden gems", as I have loved doing (as article or talks) for each release starting with my first CFDJ article on CF 4.0. The editors chose for Chapter 19 the more sedate name of "Miscellaneous Enhancements", but I'm just thrilled we got to add the chapter at all. :-)

You can learn more about (and buy, and review) the book here:

"Use UUID for cftoken" in ColdFusion Admin does not always block use of 8-digit cftokens

This topic came up on a discussion list, in the context of a larger thread, and I wanted to share here what I said there.

As an update since I first wrote this, it turns out this issue may or may not affect you depending on a couple of variables, which I will discuss, with a prefix of "update:" below. But don't dismiss this thinking you are not affected. I would propose that still far more CF servers may be exposed than not, as I will explain.

The CF Admin has (for several releases) offered an option called, "Use UUID for cftoken" (in the "Settings" section), and it's been intended as a security measure. Its purpose is to cause CF to use a UUID value (a long, complex string of numbers and letters) for the CFTOKEN cookie (and session variable) that CF generates, versus what used to be a simple, 8-digit value. This cookie, along with the simpler and incrementing CFID, is used to connect users to the session and/or client scope values created for that user in CF code.

Some may be surprised to learn, though, that while this setting DOES cause CF to *create* such UUID-formatted CFTOKEN values for requests that do not already present a CFTOKEN cookie, it does NOT necessarily cause CF to block any continued use of such simple, 8-digit cftoken cookies.

In other words, browsers which had visited your site before you turned on "use uuid for cftoken" would still send the 8 character cftoken they already had, not a uuid, and that could be accepted as valid by CF, even with that setting on, under certain conditions. (And the user will not be sent any new cftoken cookie in a UUID format, in CF's response, in those conditions.)

There's good and bad news related to this fact, which I will elaborate on below.

Update: Since writing this entry, I learned of a couple of factors that influence if and when this is a problem.

  1. It turns out that if you are using CF10, or CF9 or 8 with the "session fixation" hotfix (APSB11-04), then the problem only persists until you restart CF. The Admin does not currently warn you of this, so beware that you will have the exposure below until you do restart. (If you have added one of the later security hotfixes or cumulative hotfixes that came out since then, then you have gotten the fix.) With that fix in place, and once you have turned on this feature and restarted, CF creates a new UUID-based CFTOKEN when a browser presents a previously created 8-digit cftoken.
  2. On the other hand, even if you are running CF 10, or running 8 or 9 and HAVE applied that hotfix, note that if you TURN OFF that fixation protection (by adding the -Dcoldfusion.session.protectfixation=false value to your jvm.config, as discussed in that technote), then you are back to the state that I discuss below.
  3. And of course, if you are on CF 8 or 9 and have NOT yet applied that APSB11-04 hotfix (or a later cumulative one that includes it), then you are indeed still vulnerable.
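To put the behaviour described above into a concrete check, here is an added Python example (mine, not code from this blog or from Adobe). It classifies a CFTOKEN value as legacy (8 digits) or as CF's CreateUUID layout (8-4-4-16 hex groups, 35 characters, which is CF's own format rather than the 36-character RFC 4122 one), builds the Cookie header a browser with an old token would send, and inspects a response's Set-Cookie headers to tell whether the server rotated the presented legacy token to a UUID one. The response headers are constructed samples and the CFID value 12345 is an assumption; to probe a real server you would send the probe header to one of your own pages and feed its response headers to rotates_legacy_token.

```python
import re
from typing import Dict, List

# ColdFusion's CreateUUID() layout: 8-4-4-16 hex groups, 35 characters in all
# (CF's own format, not the 36-character RFC 4122 layout).
CF_UUID_RE = re.compile(
    r"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{16}$")
LEGACY_TOKEN_RE = re.compile(r"^[0-9]{8}$")


def classify_cftoken(value: str) -> str:
    """Return 'uuid', 'legacy' (old 8-digit style) or 'unknown' for a CFTOKEN value."""
    if CF_UUID_RE.match(value):
        return "uuid"
    if LEGACY_TOKEN_RE.match(value):
        return "legacy"
    return "unknown"


def cookies_from_set_cookie(headers: List[str]) -> Dict[str, str]:
    """Collect name=value pairs from Set-Cookie header lines (attributes are ignored)."""
    jar: Dict[str, str] = {}
    for line in headers:
        name, _, rest = line.partition(":")
        if name.strip().lower() != "set-cookie":
            continue
        first = rest.strip().split(";", 1)[0]
        cname, _, cval = first.partition("=")
        jar[cname.strip().upper()] = cval.strip()
    return jar


def probe_cookie_header(cfid: str, legacy_token: str) -> str:
    """Build the Cookie header a pre-existing browser would send: CFID plus an 8-digit CFTOKEN."""
    if classify_cftoken(legacy_token) != "legacy":
        raise ValueError("probe token must be an 8-digit legacy CFTOKEN")
    return f"CFID={cfid}; CFTOKEN={legacy_token}"


def rotates_legacy_token(response_headers: List[str]) -> bool:
    """True if the response replaced the presented legacy CFTOKEN with a UUID-format one.

    False means the server silently kept accepting the 8-digit token, which is the
    exposure discussed in this entry."""
    new_token = cookies_from_set_cookie(response_headers).get("CFTOKEN")
    return new_token is not None and classify_cftoken(new_token) == "uuid"


# Constructed sample responses (not captured from a real server), for offline demonstration.
RESPONSE_NOT_FIXED = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=UTF-8",
]
RESPONSE_FIXED = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: CFID=12345; Path=/; HttpOnly",
    "Set-Cookie: CFTOKEN=a1b2c3d4-e5f6-7a8b-9c0d1e2f3a4b5c6d; Path=/; HttpOnly",
    "Content-Type: text/html; charset=UTF-8",
]

if __name__ == "__main__":
    print(probe_cookie_header("12345", "12345678"))
    print("not fixed:", rotates_legacy_token(RESPONSE_NOT_FIXED))  # False
    print("fixed:    ", rotates_legacy_token(RESPONSE_FIXED))      # True
```

A server that returns no new CFTOKEN for a request carrying an 8-digit token is in the state the entry warns about; one that answers with a UUID-format CFTOKEN has the fixation protection doing its job.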

So that leaves still many people who could be affected by this. Even if it seems you may not be, you may want to continue reading this entry to understand what the issue is about, for you and others who may be impacted by it.

[....Continue Reading....]

How to create a "new file" in ColdFusion Builder without use of a project

A newcomer to ColdFusion Builder (coming from Dreamweaver) expressed frustration on the Adobe CFBuilder forum about the challenge of doing something as simple as creating a new file--without having to name it first, and when not using "projects".

I offered a reply, both explaining why CFB has a project-oriented nature (being an Eclipse-based product) and also how they could be seen akin to DW "sites". Still, I appreciate the difference and the challenge to newcomers.

But most important, I explained how the Aptana plug-in built into CFB does indeed offer a solution for him, in its "Untitled Files" feature, easily accessed from the File>New dialog. This would let him create a new file without need of either naming the file first or picking a project (whether when creating the new page or when saving it).

It's not an obvious solution, but I show how it can be made to be easily accessible with a single keystroke.

Rather than repeat myself here, I'll just point interested readers to the forum thread, "Creating a new file". Perhaps others will share more insights after mine, and feel free to leave comments here or there as you see fit.

Speaking at Atlanta ColdFusion User Group tonight on 2 important topics

Just wanted to note that I'll be speaking tonight at the Atlanta CFUG on two important topics:

For more details on the talks, or to get the slides once I post them (likely right after the meeting), please see the links for the two sessions above.

And if you may want to attend, please RSVP.

I may offer these later on the Online ColdFusion Meetup or perhaps one of the remaining CF conferences this year, if I may be selected to speak.

Java now has a built-in expiration date. What that's about (not obvious at first)

If you may have looked at the release notes for the latest (as of this writing) JVM update (Java 1.7 update 21), you may have noticed that it refers to an "expiration date" for this version of the JVM. What's that about, you may wonder?

[....Continue Reading....]

Getting around "Invalid screen name or password" error adding comments to Adobe ColdFusion docs

Hopefully folks know that one can add comments to the documentation on the Adobe ColdFusion docs pages (like those for the CF9 Developer Guide or the CF10 one), by clicking the "discuss" link at the bottom of any documentation page. You'll be asked to log in with a valid Adobe id.

But have you ever found that when you tried that, you get:

Invalid screen name or password. Please try again.

...even though you KNOW that you're entering the right id? Indeed, one that has been used before?

Perhaps it also happens on other Adobe site properties, and the trick I propose may work for you, also.

[....Continue Reading....]

CF911: New Adobe document about ColdFusion security hotfixes: required reading, I'd say

Here's a new document from Adobe (new as of last week, it seems) that you may have missed, but which I would argue is REQUIRED READING for all CF admins and developers:

Important hotfix-related notes for ColdFusion 9 and ColdFusion 10

What is this about? and why is it important? Read on below, as the document itself and current links from Adobe don't quite convey its significance, I think. For more perspective, I discuss below both what has happened to many folks after applying ColdFusion security hotfixes in recent years, and how this document helps.

[....Continue Reading....]

Solving seeming ColdFusion / MySQL 5.6 incompatibility, by updating CF's MySQL driver

If you're running ColdFusion 10 (and perhaps also CF 9 or earlier), you will find that if you update your MySQL installation to version 5.6, you'll get the following error from any SQL you try to run from CFQUERY (and perhaps other CF querying tags, like CFSTOREDPROC):

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'OPTION SQL_SELECT_LIMIT=DEFAULT'

Summary: There is a reasonable explanation and a rather simple solution: update the MySQL driver that CF is using to at least version 5.1.22 of the driver, the first to support MySQL 5.6. The driver built into CF 10 (version 5.1.17) not only lacks that support; more important, it sends a statement (the "OPTION SQL_SELECT_LIMIT=DEFAULT" fragment named in the error above) whose syntax MySQL 5.6 no longer accepts, and that is what causes the failure.

That explanation of the "solution" may be enough for some to take the ball and run with it (and if not, I will offer more details on how to do that), though it should be noted that updating the driver is not formally supported, nor is MySQL 5.6 technically supported at all in CF10 (or 9). But for those who will press on knowing that risk, you now know what you need to do.

But as often, there's much more to this than meets the eye, so I hope you will follow along to learn more. I have broken this into two parts:

  • the problem (with what I hope is helpful explanation of what the real root of the problem is),
  • who's to blame (not Adobe, I will argue)
  • and the solution (with some caveats that even experienced folks, or those who don't care about "the problem", should still read).

And again, while I discuss this in the context of CF10, where I've seen the problem happen, it could apply also to CF9 (and it seems reasonable that it would), so all the information still applies, it would seem.
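As an added example (my own, not from this blog entry or from Adobe), the following Python puts the driver-version test into code: it reads the version out of a driver jar's manifest, compares it against 5.1.22, and matches the MySQL error text so the two facts can be reported together. The Implementation-Version manifest key is my assumption about how Connector/J jars record their version; the jar used here is constructed in memory so the example runs offline; and the explanation that the old driver's SET OPTION statement is what 5.6 rejects is my reading of the "near 'OPTION ...'" fragment in the error rather than something the entry spells out.

```python
import re
import zipfile
from io import BytesIO
from typing import Optional, Tuple

# First Connector/J release that talks to MySQL 5.6 without the failing statement.
MIN_DRIVER_FOR_MYSQL56 = (5, 1, 22)

# Fragment MySQL 5.6 reports when an old driver sends its "SET OPTION ..." statement.
SET_OPTION_SIGNATURE = re.compile(r"near 'OPTION SQL_SELECT_LIMIT=DEFAULT'", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.1.17' (or '5.1.22-SNAPSHOT') into a comparable tuple of integers."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised driver version: {text!r}")
    return tuple(int(g) for g in m.groups())


def driver_version_from_jar(jar_bytes: bytes) -> Optional[str]:
    """Read Implementation-Version from the jar manifest (assumed key for Connector/J jars)."""
    with zipfile.ZipFile(BytesIO(jar_bytes)) as jar:
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "implementation-version":
            return value.strip()
    return None


def supports_mysql56(version: str) -> bool:
    """True once the driver is at or past the first release that supports MySQL 5.6."""
    return parse_version(version) >= MIN_DRIVER_FOR_MYSQL56


def diagnose(error_text: str, driver_version: Optional[str]) -> str:
    """Explain a CFQUERY failure against MySQL 5.6 in terms of the driver in use."""
    if not SET_OPTION_SIGNATURE.search(error_text):
        return "not the SET OPTION failure; look elsewhere"
    if driver_version is None:
        return "SET OPTION failure seen but driver version unknown; check the jar CF is loading"
    if supports_mysql56(driver_version):
        return f"driver {driver_version} should not send SET OPTION; confirm CF was restarted after the swap"
    return f"driver {driver_version} is older than 5.1.22; update the MySQL driver jar and restart CF"


def build_fake_jar(version: str) -> bytes:
    """Constructed stand-in for a Connector/J jar, so the example runs offline."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
    return buf.getvalue()


# Constructed sample: the error text from this entry, paired with the driver CF 10 shipped.
SAMPLE_ERROR = ("You have an error in your SQL syntax; check the manual that corresponds to your "
                "MySQL server version for the right syntax to use near 'OPTION SQL_SELECT_LIMIT=DEFAULT'")

if __name__ == "__main__":
    shipped = driver_version_from_jar(build_fake_jar("5.1.17"))
    print(diagnose(SAMPLE_ERROR, shipped))
    print(diagnose(SAMPLE_ERROR, driver_version_from_jar(build_fake_jar("5.1.22"))))
```

Against a real install, pass the bytes of the driver jar CF actually loads to driver_version_from_jar; the point of keeping the version check separate from the error match is that a "fixed" driver sitting next to an old one that is still on the classpath looks exactly like the unfixed case until you confirm which jar is in use.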

[....Continue Reading....]

Helpful keyboard shortcuts for working with Windows Remote Desktop: Switching windows and more

Keyboard shortcut fans, or anyone looking to save time while working with a remote desktop session, will want to check this out. There are a handful of really helpful keyboard shortcuts that can make working with a remote desktop session a lot more productive. But I find that very few people know about them and are delighted when they do learn of them.

What I have to say here is a reprisal of a blog entry I did about 8 years ago. Sadly, the site on which I posted it (tipicalcharlie.com) is no more, and I'd been meaning for the longest time to resurrect some of the posts there, as they can be as valuable now as then. Thanks to the great internet wayback machine, I found a copy of the entry, as I've had more and more people say they had never heard of these capabilities, which still work today (from XP through Windows 2012, whether as host or remote).

Here is the entry, originally posted April 25 2005 (with some slight tweaks adding section headings and a couple other updates as noted):

[....Continue Reading....]

Part 3: Adobe hotfix released for "Serious security threat for ColdFusion servers"

Adobe has come out with a new security hotfix for a very serious attack on ColdFusion servers which had hit many (perhaps most) CF shops over the past couple of weeks, and it's vital that all shops apply that fix. (Even if you think you've protected yourself in other ways

There is a new Adobe CF blog entry pointing to the new hotfix, and I point that out rather than the technote for the hotfix itself, because as often is the case, there has been some useful discussion related to applying the fix. Indeed, there's a warning I've shared there about a problem (hopefully temporary) with the hotfix file for users of ColdFusion 9.0.2. (Update: the confusion about 9.0.2 is resolved. The technote has been corrected. See the comments in the Adobe blog entry for more details.)

Users of ColdFusion 10, 9.0.2, 9.0.1, and 9.0 should certainly proceed to implement the fix.

I address several questions and other observations about this hotfix below.

[....Continue Reading....]

Part 2: Serious security threat for ColdFusion servers [now covered by a hotfix]

Since I posted my entry earlier today about a Serious security threat for #ColdFusion servers [not now covered by a hotfix], I have had many questions and discussions which lead me to share more info.

At first I was adding these as updates to the previous entry, but I fear that some who may have read it earlier in the day may then miss some of this new info, thus this "Part 2". You will definitely want to read part 1 before proceeding here.

[Update: And since writing this entry 2 weeks ago, Adobe has indeed now come out with a hotfix. I have more to say about that in the new Part 3: Adobe hotfix released for "Serious security threat for #ColdFusion servers". While you should proceed to get that fix in place, you'll likely benefit from reading parts 1, 2, and 3, as there's more discussed than just the threat and fix, itself, which could benefit you down the road.]

Among the new information shared below are such things as how the hack worked (not too much detail, though), how to determine what the exploit may have exposed, how to handle resolving things for many sites via scripting, how to lock down the /adminapi, /administrator, and /componentutils directories, and most important, why you should not skip all this just because "we already block all access to the CFIDE/adminapi (and /administrator and /componentutils)". There may be exposure you're not considering.
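The log review this entry points to can be done with a short script; the Python below is an added example of my own, not code from this blog or from Adobe. It parses combined-format web server access log lines, normalises the request path (percent-decoding twice and collapsing repeated slashes, so a request for /%43FIDE//administrator/ is still caught), and reports hits on the three CFIDE directories named above that came from outside an allowed network. The log lines and the 10.0.0.0/8 and 127.0.0.0/8 allowed networks are constructed assumptions for the example.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List
from urllib.parse import unquote

# Directories this entry says to lock down, matched case-insensitively on the request path.
ADMIN_DIRS = ("/cfide/administrator", "/cfide/adminapi", "/cfide/componentutils")

# Networks from which admin access is expected (assumed values for this example).
ALLOWED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]

# Combined-format access log line: client ip ... [timestamp] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def normalise_path(raw_path: str) -> str:
    """Drop the query string, percent-decode twice (double encoding), collapse duplicate
    slashes and lower-case the result so case and encoding tricks do not slip past."""
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path))
    path = re.sub(r"/+", "/", path)
    return path.lower()


def is_admin_request(raw_path: str) -> bool:
    """True when the request targets one of the admin directories or anything beneath them."""
    path = normalise_path(raw_path)
    return any(path == d or path.startswith(d + "/") for d in ADMIN_DIRS)


def is_allowed_source(ip: str) -> bool:
    """True when the client address falls inside a network expected to use the Admin."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def suspicious_admin_hits(log_lines: List[str]) -> List[Dict[str, str]]:
    """Return parsed requests to the admin directories from outside the allowed networks.

    The status code is kept because a 200 on /CFIDE/adminapi from the outside is the
    case you most need to see, while a 403 tells you the block was in place."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        if is_admin_request(rec["path"]) and not is_allowed_source(rec["ip"]):
            hits.append(rec)
    return hits


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '10.1.2.3 - - [10/Jan/2013:09:00:01 -0500] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jan/2013:09:00:05 -0500] "GET /CFIDE/adminapi/administrator.cfc?method=login HTTP/1.1" 200 312',
    '203.0.113.7 - - [10/Jan/2013:09:00:06 -0500] "GET /cfide/componentutils/ HTTP/1.1" 200 880',
    '198.51.100.9 - - [10/Jan/2013:09:01:00 -0500] "GET /%43FIDE//administrator/ HTTP/1.1" 403 0',
    '198.51.100.9 - - [10/Jan/2013:09:01:30 -0500] "GET /index.cfm HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in suspicious_admin_hits(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["method"], hit["path"])
```

Run it over the real access logs for the period in question (IIS logs in W3C format need a different regex, but the path normalisation and the allow-list check are the same), and treat any 200 from an unexpected address as a reason to read the rest of this entry rather than assume your web server block was enough.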

[....Continue Reading....]

Serious security threat for ColdFusion servers [now covered by a hotfix]

Hey folks, there's a fairly serious security threat out in the wild, and you may want to check if your server's been hit. (It may be old news to some, but for now it's hitting people in the past week or so.) It's been confirmed to have hit at least CF9 (9.0.1 and 9.0.2) servers, but it seems it would apply as well to CF10 or down to CF 7, as it leverages the Admin API.

And note that it's NOT one that you're protected against by having applied CF security hotfixes. (Updated Jan 15 2013, as Adobe now has a hotfix for this. More below.)

There's quite a bit for you to consider regarding this recent threat, as I discuss here.

[....Continue Reading....]

