
ColdFusion Lockdown/Security guides: there are several, and some you may have missed

Note: This blog post is from 2014. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
While helping people with various problems in my CF server troubleshooting services, I often have the chance to help people identify security vulnerabilities, especially in their configuration of CF and/or their web server, and sometimes related to their code.

I was wanting to point out to someone the various ColdFusion security resources, and while I have a category on them in my CF411 site, I thought this was a list worth pulling out into its own blog entry and expanding a bit.

You may be surprised to find that there is more to CF security guidelines than just the venerable server "lockdown guide" (for those administering and configuring CF, the OS, and the web server, among other things).

Did you know that there have been "developer security guidelines" as well, focused instead on coding? This latter guide has gone through three iterations, including just recently, as I'll discuss along with the lockdown guides, below.


proXPN users: a simpler solution for "Connecting to proXPN has failed"

If you're a user of proXPN (a free/low-cost VPN service), and you get the error, "Connecting to proXPN has failed", here is a simple solution that you may not find offered elsewhere: just try restarting proXPN. For more information, read on.


CF911: Solving problem in ColdFusion Admin getting "error accessing this page" on certain actions

Here's a real CF911 challenge (and solution): when using the CF Admin, especially in CF10 (though it can happen in CF 9 or 8, depending on the security hotfixes applied), you may find that certain Admin operations (like making a change, verifying datasources, or checking for server updates) produce an error:

"There was an error accessing this page. Check logs for more details."

And your operation fails. You're then prompted to "Click here to login", but even if you back up or click another link, you'll be prompted with the CF Admin login.

What gives? Why is it happening? And how can you fix things? Is CF broken? No, not in the sense that you need to reinstall or anything. The good news is that there is a quite simple solution. Well, there are several, depending on your goals.

The simple solution: delete the duplicate cfid/cftoken or jsessionid cookies that you will find your browser is sending to CF. But there is much more to this, as well as other solutions, which would be worth most readers taking a few minutes to read on here.

BTW, the same root problem can be the cause of your own application's users finding that they can't stay logged in. More on that in a moment.


The State of the Online ColdFusion Meetup

As a follow-up to my previous blog entry today, on news of the CFHour podcast show ending this week, some have wondered (publicly) whether perhaps the Online ColdFusion Meetup, which I host, might help "fill the void" here.

I don't hold that out as a real possibility, for a couple of reasons, and I'd like to discuss them here.

Indeed, it's a good time to share a "State of the Online ColdFusion Meetup", to discuss what you might (and might not) expect to see in the future, and what you can perhaps do to help.


CFHour going off the air. End of an era? Thanks, Dave and Scott

If you haven't heard the news yet, the CFHour podcast has had its last show, it seems. Dave (Ferguson) and Scott (Stroz) announced the news at the end of their last episode (#213), quietly and without fanfare (or any advance indications), citing time challenges, etc.

I'm holding a glimmer of hope that it's all an April Fool's prank, but if true it's indeed the end of an era and time to pause and reflect as if on the passing of a friend.

Update: I'm vindicated! :-) The guys announced in their next show that it WAS INDEED an April Fool's prank. Even so, I'll leave this entry, untouched, for posterity. Plus, most of the info is just as valuable to have shared, with them and with readers, whether they did or did not end the show. And like I said below, this gave them a chance like Twain and Nobel to see what folks thought when they thought they were dead. :-)

I also want to give some solace to fans of the show (and the general CFML community) with respect to where they may want to turn now to keep up on news, resources, etc. Fortunately, there are some places being actively updated. (And while surely some will see this as one more nail in CF's coffin, I don't and I'll address that briefly too.)

But first let's give credit where it's due about the podcast...


Applying hotfixes to ColdFusion 9 and earlier? A guide to getting it right

I realize that title may seem anachronistic. Why talk about hotfixes in CF9 and earlier, in 2014, indeed as CF11/Splendor is in beta? But I'll tell you that I still help people daily who are still on those older releases, and often they have problems that may have long since been solved by a hotfix or a cumulative hotfix they never applied--or may be caused by misapplication of such hotfixes.

Of course, in CF10 it's easier now because of the built-in "server updates" feature of the CF Admin. But in earlier releases, it was all on you to both keep up on the updates and to apply them manually. And a lot of people either never bothered, or may have tried and failed, or did it but got it wrong.

What you need to know

So in this blog entry, I share some key info that will help you if you need to apply one or more of those updates to CF9 and earlier. Indeed, I'll point to some past entries I've done where I shared a lot more detail that I find is vital and rarely mentioned when some people try to share just the bare minimum of info (often leaving people hanging).

For instance, I'll help you answer such questions as what hotfixes do you already have applied? How do you find out? And you need to know exactly what version of CF you have, whether 9.0/9.0.1/9.0.2, 8.0/8.0.1, 7.0/7.0.1/7.0.2, and so on. I'll explain how to tell and why that's important, and especially when it comes to finding and applying hotfixes. And if you have applied hotfixes, are you sure you have done it right? It's easy to get things wrong and botch things. I'll help you avoid several very common mistakes.

(That's why it's so great that CF10 finally handles things for us. But this entry, focused on 9 and earlier, is not the place to discuss concerns with the CF10 hotfix mechanism. If you have questions or concerns about that, see the substantial CF10 Hotfix Installation Guide from Adobe, a 50-question FAQ on all things related to that feature.)

I'll also point you to where to find hotfixes and installers for CF9 and earlier (not as easy as it may seem), and still more.

If any of that's of interest, and I hope it is if you're on CF9 or earlier, then read on.


An interesting solution to problems with ColdFusion 10 and IIS 404 handlers

There was an interesting solution proposed today on the Adobe forums, to address a problem some folks are having with CF10, where they find problems using IIS 404 error handlers set to pass to a CF page. I found it helped with one of my consulting clients, so I wanted to share the news with other readers here who may benefit.


Note that ColdFusion 10 Update 13 is "needed" for OS X-only...and some confusion

Some of you may have seen that Adobe released a new hotfix for ColdFusion 10 last night, called Update 13. If you only read the text in the update (shown in the "Server Update" page of the CF admin), you might proceed to apply that update (which is ok).

But guess what: it technically only has changes related to Mac OS X (specifically adding support for its Mavericks version).

This is addressed if you read the technote that the update text points to, or the Adobe blog entry from last night which announced the update (more on these in a moment.) Those DO indicate that if you are not running that OS, you need not apply the update. (And the day after I wrote this entry, this indication was added to the update text itself.)

But what if you are on Windows (or another *nix variant besides OS X)? Should you apply it? What if you do? (there's NO PROBLEM!) What if you don't? And given that the update text says you need to reconfigure the web server connector, do you really need to bother on Windows?

And what if you are installing CF10 for the first time, since you DO need to apply updates upon installation? (you can either apply update 13 or 12, but you must apply at least one of them to be fully updated.)

As important, how might Adobe have better clarified this, and how might they make a simple change now related to that (they since did)?

I address in this entry these questions and a few other concerns I have, about confusion that may ensue.


Four free tools I (nearly) always install on a new machine and use every day

I'd like to recommend four free tools that I think everyone (running Windows) should consider installing on their machines, as they can help with day to day tasks that many (certainly I) hit every day.

They don't run in the background, only doing their job when you ask them to, so I find them safe to install and use on production servers, though of course any tool can be abused. I've never seen these to cause a problem in many thousands of uses.

I was reminded to share this list today as I was helping a customer, as I got on their server with them to help them solve a problem. I recommended we install these as I do on nearly all my engagements (and indeed on all my own machines). I think they really are fundamental tools, as I'll explain below.


Copyright ©2024 Charlie Arehart