
An interesting solution to problems with ColdFusion 10 and IIS 404 handlers

Note: This blog post is from 2014. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
There was an interesting solution proposed today on the Adobe forums, to address a problem some folks are having with CF10, where they find problems using an IIS 404 error handler set to pass to a CF page. I found it helped with one of my consulting clients, so I wanted to share the news with other readers here who may benefit.

[....Continue Reading....]

Note that ColdFusion 10 Update 13 is "needed" for OS X-only...and some confusion

Note: This blog post is from 2014. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Some of you may have seen that Adobe released a new hotfix for ColdFusion 10 last night, called Update 13. If you only read the text in the update (shown in the "Server Update" page of the CF admin), you might proceed to apply that update (which is ok).

But guess what: it technically only has changes related to Mac OS X (specifically adding support for its Mavericks version).

This is addressed if you read the technote that the update text points to, or the Adobe blog entry from last night which announced the update (more on these in a moment.) Those DO indicate that if you are not running that OS, you need not apply the update. (And the day after I wrote this entry, this indication was added to the update text itself.)

But what if you are on Windows (or another *nix variant besides OS X)? Should you apply it? What if you do? (there's NO PROBLEM!) What if you don't? And given that the update text says you need to reconfigure the web server connector, do you really need to bother on Windows?

And what if you are installing CF10 for the first time, since you DO need to apply updates upon installation? (you can either apply update 13 or 12, but you must apply at least one of them to be fully updated.)

As important, how might Adobe have better clarified this, and how might they make a simple change now related to that (they since did)?

I address in this entry these questions and a few other concerns I have, about confusion that may ensue.

[....Continue Reading....]

Two videos I've done for the Adobe YouTube ColdFusion Channel

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Hey folks, I've done a couple of videos over the past several months on the Adobe YouTube ColdFusion channel, both focused on some important challenges related to ColdFusion 10. If you've got about 10 minutes to spare, I suspect you may learn things to surprise you.

First video, on single-login problems in CF10 Admin

The first video was done at cf.Objective() in May 2013, and was posted to YouTube by Adobe shortly thereafter:

Video 1: Solving the problem of single-login in ColdFusion10 (07m:32s)

If you've had the problem in CF10 of finding that you log in to the Admin, only to be logged off soon thereafter, I explain in the video both why it happens and how to solve it. (I also wrote about it previously here.)

Second video, on important security hotfix notes document

The second video was done back in June, but sadly was not posted until last week. While the timeframe references I make are dated, the information shared is not and really may still be a surprise to as many now as back then:

Video 2: Security Hotfix Notes Document (5m46s)

This is such an important document. I also had written about it previously here.

See other CF videos there

Be sure to check out all the videos in the Adobe CF YouTube channel, about 20 of them currently, from different speakers and on many topics.

Still more reasons to make sure you have updated your ColdFusion 10 web server connector

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Several weeks ago, I did an entry, CF911: Why/when you MUST update the web server connector for #ColdFusion 10, and may have missed it.

In this entry, I want to throw in another reason why it's important to make sure you properly update (reconfigure/rebuild/upgrade) your web server connector after applying certain CF10 updates, or if applying only the latest update for the first time to a newly installed CF10 instance.

[....Continue Reading....]

CF911: Why/when you MUST update the web server connector for ColdFusion 10/11 and may have missed it

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Have you installed or updated CF10 (or 11) and found that you still have problems with it running right, even when you have "fully updated" CF10? In this blog entry, I explain how it may NOT be that "CF 10 is broken" but rather that you may have missed an important step when updating it.

In brief, a VERY common problem is that while they MAY WELL have applied the provided "updates" for CF, folks often do NOT notice that they may have to (and generally must) "update" the web server "connector" (if they are using an external web server, like IIS or Apache) as a separate manual step, after applying the update.

I explain here what that means, how to do it, and why you may miss that you need to.

Update in 2019:

Since writing this entry, I did one in 2019 on When and how to upgrade CF web server connector, easier since CF2016, which at least makes it EASIER to upgrade, though much of what I write here still applies. I also updated this post since originally writing it, in ways discussed below.

(Or if you'd rather just have me quickly help you analyze and rectify your situation, whether with regard to the connectors or any other CF server troubleshooting, I can do that in a brief consulting session, likely less than an hour, remotely and securely. I provide all the detail here for those who prefer to "go it on their own". For more on my consulting services, including rates, approach, satisfaction guarantee, and more, see the consulting page at carehart.org.)

[....Continue Reading....]

Understanding the 9.0.2 release of ColdFusion, a FAQ for those who missed the news last year

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
So perhaps you're currently running CF 9.0 or CF 9.0.1, and you may have noticed that there is a CF 9.0.2. Have you wondered what it's about? And have you noticed that it's not something you can just update to from 9.0 or 9.0.1? It's a complete installer, meaning you need to uninstall CF 9.0 or 9.0.1 before you can move up to it.

Should you? What do you gain? What do you lose? What are some gotchas? That's what this blog entry is about, answering the following questions:

  • First, what is ColdFusion 9.0.2? Why did Adobe create it?
  • What about the 9.0.1 updater? Can we still get that? Yes.
  • So what all does 9.0.2 add and remove?
  • If I download CF 9 today, what do I get?
  • "But if I download 9.0.2 today, I get the latest version of it available, right? I don't need to add hotfixes, do I?" Wrong.
  • Warning: DO NOT install 9.0.1 atop 9.0.2 (nothing will stop you)
  • If I am on 9.0 or 9.0.1, how can I get to 9.0.2?
  • Why might I want to get to 9.0.2 from 9.0 or 9.0.1?
  • How did I miss this? Was 9.0.2 discussed? Yes it was.

[....Continue Reading....]

ColdFusion 10 WACK book contributors (myself included) now listed at Amazon

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
By now most should know that a new CF10 version of the classic Web Application Construction Kit (or WACK) series was released some months ago:

Adobe ColdFusion Web Application Construction Kit: ColdFusion 10 Enhancements and Improvements

But some may not have known who the contributors were, because since its release the Amazon site for the book had listed only Ben (Forta). Doh! :-)

Ben is indeed the series editor and a fellow contributor--and truly the glue that has held the project together since the first edition for CF3 in 1997.

But as with each edition since the first, there are indeed multiple contributors.

Amazon book page now lists all the contributors

And now the Amazon page does list all the co-authors:

Charlie Arehart, Rob Brooks-Bilson, Raymond Camden, Ken Fricklas, Hemanth Khandelwal, and Chandan Kumar.

Of course, we were indeed properly listed on the front cover, for those who may have looked--and in that same alphabetical order, whereas the Amazon site order is a bit random. Anyway, it's just nice to see this issue fixed.

Problems like that just happen sometimes, and I'd only noticed it this week and raised it to Amazon. To their credit they were quick to update it.

And I thought some of my co-authors and perhaps others in the community might want to know about it.

Glad to mention the book

Indeed, I've been meaning simply to announce the book and my involvement here myself but got behind on many such news items, as I've just been busy (with my ColdFusion troubleshooting consulting services). Busy is good, of course!

So this was a good chance both to share the above news of the correction for any who'd noticed the issue, and to mention my involvement with the book, in case that and news of the book itself may interest some of my readers. (FWIW, I was a contributor to all 3 vols for CF 8 and 9 also, and I do thank Ben for including me in these works.)

A bit about the book

For those who hadn't noticed the book yet, it's unique in the series in that we decided to go with just a single book, just about the updates. In the past, we instead updated all 3 books throughout. There are pros and cons to either choice, of course, but I do agree that the single book was the way to go.

FWIW, I did chapters 8, 10, and 19.

I was especially delighted to get in a chapter at the end on "hidden gems", as I have loved doing (as article or talks) for each release starting with my first CFDJ article on CF 4.0. The editors chose for Chapter 19 the more sedate name of "Miscellaneous Enhancements", but I'm just thrilled we got to add the chapter at all. :-)

You can learn more about (and buy, and review) the book here:

CF911: New Adobe document about ColdFusion security hotfixes: required reading, I'd say

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Here's a new document from Adobe (new as of last week, it seems) that you may have missed, but which I would argue is REQUIRED READING for all CF admins and developers:

Important hotfix-related notes for ColdFusion 9 and ColdFusion 10

What is this about? And why is it important? Read on below, as the document itself and current links from Adobe don't quite convey its significance, I think. For more perspective, I discuss below both what has happened to many folks after applying ColdFusion security hotfixes in recent years, and how this document helps.

[....Continue Reading....]

Part 3: Adobe hotfix released for "Serious security threat for ColdFusion servers"

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Adobe has come out with a new security hotfix for a very serious attack on ColdFusion servers which had hit many (perhaps most) CF shops over the past couple of weeks, and it's vital that all shops apply that fix. (Even if you think you've protected yourself in other ways

There is a new Adobe CF blog entry pointing to the new hotfix, and I point that out rather than the technote for the hotfix itself, because as often is the case, there has been some useful discussion related to applying the fix. Indeed, there's a warning I've shared there about a problem (hopefully temporary) with the hotfix file for users of ColdFusion 9.0.2. (Update: the confusion about 9.0.2 is resolved. The technote has been corrected. See the comments in the Adobe blog entry for more details.)

Users of ColdFusion 10, 9.0.2, 9.0.1, and 9.0 should certainly proceed to implement the fix.

I address several questions and other observations about this hotfix below.

[....Continue Reading....]

Part 2: Serious security threat for ColdFusion servers [now covered by a hotfix]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Since I posted my entry earlier today about a Serious security threat for #ColdFusion servers [not now covered by a hotfix], I have had many questions and discussions which lead me to share more info.

At first I was adding these as updates to the previous entry, but I fear that some who may have read it earlier in the day may then miss some of this new info, thus this "Part 2". You will definitely want to read part 1 before proceeding here.

[Update: And since writing this entry 2 weeks ago, Adobe has indeed now come out with a hotfix. I have more to say about that in the new Part 3: Adobe hotfix released for "Serious security threat for #ColdFusion servers". While you should proceed to get that fix in place, you'll likely benefit from reading parts 1, 2, and 3, as there's more discussed than just the threat and fix itself, which could benefit you down the road.]

Among the new information shared below are such things as how the hack worked (not too much detail, though), how to determine what the exploit may have exposed, how to handle resolving things for many sites via scripting, how to lock down the /adminapi, /administrator, and /componentutils directories, and most important, why you should not skip all this just because "we already block all access to the CFIDE/adminapi" (and /administrator and /componentutils). There may be exposure you're not considering.

[....Continue Reading....]


Copyright ©2024 Charlie Arehart