Fullasagoog


You May Need to Reapply CF Security Hotfix CVE-2009-1877 3 years ago

Back in August Adobe released a series of ColdFusion security Hotfixes in security bulletin APSB09-12. One of the vulnerabilities that was supposed to be fixed was a Cross Site Scripting vulnerability that I found and reported to Adobe, known as CVE-2009-1877. When the hotfix was released I …
keywords adobe, cf, coldfusion, few days, hotfixes, intention, revisions, security, security bulletin, security hotfix, vulnerabilities, vulnerability

ColdFusion Server Security Scanner 3 years ago

My company Foundeo Inc. released a new free web service today called HackMyCF that allows you to scan your ColdFusion server to detect the absence of recent ColdFusion security hotfixes as well as other security problems. The site generates an email report detailing what security issues were …
keywords absence, coldfusion, hotfixes, scanner, security, security issues, security problems, server security

Prefix Serialized JSON in ColdFusion 3 years ago

When ColdFusion 8 added the ability to return data from remote functions formatted with JSON they also added some settings that allow you to put a prefix on the JSON string. Why would I want to prefix my JSON? The reason this setting exists is to prevent a hack called JSON hijacking. Services …
keywords ajax, attribute, authentication, cfc, cfset, coldfusion, coldfusion administrator, coldfusion tags, exploits, gmail, google, hijacking, infinite loop, json, modern browsers, script src, script tag, security, twitter

FCKeditor Access Denied 3 years ago

I have a client using the standalone FCKEditor on his server (not the one in /CFIDE/, it is located at /FCKeditor/), but after installing the security hotfix for ColdFusion 8's built-in FCKeditor, the file manager for uploading and inserting images stopped working. He was getting a JRun Servlet …
keywords coldfusion, coldfusion administrator, fckeditor, java, security, security hotfix, upload, uri

Adobe MAX: Building JEE Portlets with ColdFusion 9 3 years ago

Adobe has posted the recording of my Adobe MAX presentation Building JEE Portlets with ColdFusion 9. Overall it was a great conference and I was happy to be a part of it. I was also happy to cover the topic of Portlets in ColdFusion 9, since it hasn't gotten much publicity as a new feature. …
keywords adobe, adobe building, coldfusion, coldfusion 9, max, new feature, presentation, publicity, slides

IIS: Disabling Weak SSL Protocols and Ciphers 3 years ago

It's no secret by now that if your web site sees credit card numbers (even if they are passed to a third party gateway) you need to comply with the PCI DSS standards. Requirement 4.1 states: Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder …
keywords credit card numbers, dss, iis, protocols, ssl, testing tool, third party, web, web based, web tool, windows

Using Railo, Secure The railo-context 3 years ago

If you are using Railo you will want to make sure you have locked down the uri /railo-context/ - this is Railo's equivalent to ColdFusion's /CFIDE/ directory. It contains the Railo Administrator, as well as some other supporting files and mappings. One of the features of Railo is that each web …
keywords administrator password, apache httpd, bin directory, coldfusion, config, contexts, drawback, ip, localhost, mappings, passwords, railo, security, uri, virtual hosts

The many ways to Lower Case a String 3 years ago

If you ever wondered why there are so many programming languages, look no further than the many ways to convert a string to lower case. Almost every language has a core function to make a string lowercase, yet there seems to be pressure to come up with a distinct name for the function: …
keywords actionscript, cfml, java javascript, lower case, lowercase, misc, objective c, perl, programming, programming languages, python, ruby

ColdFusion wsconfig Hotfix CVE-2009-1876 is for Apache Only 3 years ago

There has been some confusion over the ColdFusion web server connector (wsconfig.jar) hotfix CVE-2009-1876 which is part of Adobe Security Bulletin APSB09-12. Whether or not this hotfix is required on IIS has been a question posed by many. This was finally clarified in a comment on Ben Forta's …

ColdFusion Security Hotfixes Released 3 years ago

Adobe posted several critical hotfixes for ColdFusion and JRun yesterday in Security Bulletin APSB09-12. I discovered one of the XSS vulnerabilities, and I will post details about it soon. In the meantime, please patch your servers.

Pete Freitag

Owner of @Foundeo Inc. a ColdFusion / Java Consulting and Products Company http://www.petefreitag.com/

Slides for my #cfobjective presentation this morning "Writing Secure CFML" have been posted: http://t.co/hxrSvjkvZ1 #coldfusion@pfreitag

Utica, NY

Foundeo

Products and Consulting for ColdFusion Developers http://foundeo.com/

http://t.co/tKZ90rYj5r just helped a customer figure out that he accidentally deleted the jar for CHF4 when installing APSP13-10 #coldfusion@foundeo