Paul Alkema

Discussions on Web Development and Security

Entries Tagged as ColdFusion

Mura CMS vs Wordpress vs Magento

December 06, 2013 · No Comments

I received this email last week and I thought it was an interesting question. Please note that the original email has been changed slightly to protect this individual from being identified.

Hi Paul,
I read your July 2010 article on ColdFusion v PHP, and am curious if there may be any updates on your opinions.

Our website (www.websitenameremoved.com, which is a shell (link to three other separate sites)) uses PHP and Joomla CMS. Due to serious hacking issues precipitated by use of an old version of Joomla (1.5) we have decided to rebuild our site rather than upgrade. I had an analysis completed; one option mentioned is ColdFusion together with Mura CMS, a second option is PHP with Joomla 3.1. Do you have any opinions or comments that may help with our decision?

This was my reply....

Hi,

In my opinion, the best open source CMS option out there is by far Wordpress. Now I know you're probably not a huge fan of PHP technologies, especially after what happened, but the key is to make sure you upgrade as often as possible. Now, looking briefly at your site, it looked somewhat like an ecommerce website; for ecommerce my personal favorite is Magento. http://magento.com/

As far as Mura CMS and ColdFusion go, I have been writing ColdFusion for 6 years now. It's a great language, but if I were to start over, I wouldn't use anything ColdFusion based. The reason being, although it's a great language and is pretty easy to learn, there are SO few people who actually know it that it makes finding people to support ColdFusion sites almost impossible. If you're contracting this through an agency, as long as you're with that agency there probably won't be a problem with this; however, most companies I've worked at liked to change agencies every few years just to keep the blood flowing. So many agencies honestly don't know ColdFusion and just butcher sites up, which behind the scenes just makes things more expensive to support.

My recommendation would be to go with a solution that's either .NET, PHP or completely custom. The major downside to open source technologies is that everyone and their mother has access to your code, and there are hundreds and thousands of automated hack-bots that are constantly looking for out-of-date open source scripts to automatically hack. This is actually why I tend to go toward custom rather than open-source code systems.

Another issue with open code systems is that they become difficult to upgrade to new versions as custom modifications are made, especially if these custom mods weren't implemented properly. Having said that, I've used Magento and Wordpress dozens of times and never had issues; as long as I made my mods correctly, the upgrades could just occur from inside the admin console and it was always a breeze.

Hope this helped!
Paul Alkema
http://paulalkema.com/

So what are your thoughts? Do you agree with my advice, or do you think ColdFusion is the way to go?

Tags: ColdFusion

Dump or list all ColdFusion Variables in all scopes.

May 16, 2011 · 116 Comments

On some occasions you may run into issues where you need a variable but you're not sure what scope it's in. I've found the code below extremely helpful for finding which scope the variable I'm looking for is in.

	<cfdump var="#getPageContext().getBuiltInScopes()#"/>

Basically, the function getPageContext().getBuiltInScopes() returns all variables in all scopes, and cfdump renders them.

Enjoy! :)

Tags: ColdFusion

Get Drive Letter With ColdFusion

May 03, 2011 · 53 Comments

I ran into an issue recently where my production server's code used a different drive letter than my development environment. A small handful of applications relied on that drive letter and would break if the drive letter wasn't changed before deployment. In these specific scenarios, I couldn't call expandPath() or getTemplatePath() directly because the application wasn't in the root of the website.

My solution to this issue was to put the code below in my application.cfm / application.cfc file, which sets an application variable called "driveLetter" to the application's current drive letter; then I reference the application variable instead of the static drive letter that could change.

Get Drive letter

If you want to get the drive letter once, you could do something like the following.

	<cfset variables.driveLetter = listGetAt(expandPath('\'),1,'\')&'\' />

Get drive letter, then set application variable.

Below is the exact code I used in my application.cfm file to set the application variable initially, so that I don't have to run the script on every request.

	<!--- Set once per application; the lock prevents concurrent requests from racing to write the shared variable --->
	<cfif !isDefined('application.driveLetter')>
		<cflock scope='application' timeout='5'>
			<cfset application.driveLetter = listGetAt(expandPath('\'),1,'\')&'\'/>
		</cflock>
	</cfif>

Tags: ColdFusion

ColdFusion 9 Vulnerabilities, Are You Safe?

August 11, 2010 · 29 Comments

I recently attended CFUNITED and loved it! It was great! Anyway, one of my favorite sessions at CFUNITED was a session by Pete Freitag entitled "Writing Secure CFML". In the session he asked "who here has ever had their server hacked?" and to my amazement about half of the room put their hands up. This tells me that people aren't reading security bulletins (wait, everyone reads those, right?) and patching their servers accordingly. In the last few months I've seen two pop up that I just wanted to bring attention to.

  1. Unauthenticated File Retrieval Vulnerability

    Problem

    Allows remote users to gain access to files on the server through the ColdFusion Administrator. This could be used to gain database information or as a stepping stone to find internal vulnerabilities in applications.

    Solution

    Adobe has released a patch for this issue.
    http://www.adobe.com/support/security/bulletins/apsb10-18.html


    If you're one of those people who doesn't like patching, an alternative fix is to change the default location of the ColdFusion Administrator or to limit access to the ColdFusion Administrator to specified IPs.

    Severity: High
    CVE: CVE-2010-2861

  2. Solr Service Information Disclosure Vulnerability

    Problem

    ColdFusion allows users to remotely connect to search collections that have been created by the Solr service. The flaw is that, by default, any user can connect to this service from any IP without any type of authentication, which could be used to gather information about the server or internal processes.
    http://www.securityfocus.com/bid/38007/discuss

    Solution

    The best solution at this time is to restrict connections to this service to the server's local IP, so that it cannot be reached from any other address. Adobe has published an article outlining exactly how this can be done.
    http://kb2.adobe.com/cps/807/cpsid_80719.html

    Severity: Medium
    CVE: CVE-2010-0185

I would also highly recommend checking your server for vulnerabilities using http://hackmycf.com/. It's a very easy to use website that will tell you what patches your server needs.

Tags: ColdFusion · Security

PHP vs. ColdFusion

July 01, 2010 · 74 Comments

In my years I've found myself actively writing in several different languages. I've written full applications in ASP.NET, PHP and ColdFusion. My current primary languages are PHP and ColdFusion.

Throughout the years I've grown really fond of ColdFusion. In this article I'm going to explain the benefits and cons of ColdFusion over PHP.

Benefits to PHP

  1. Widely supported and has a huge community of people willing to help and answer questions.
  2. Open source.
  3. A vast amount of open source scripts available.
  4. A large number of shared hosting providers that are willing to offer hosting for very low cost. For instance $3.00 - $10.00/month.

Cons to PHP

  1. Is not the easiest language to learn.
  2. Development time can be very time consuming as everything is syntax based and requires a lot of code.
  3. Server settings are made through a text file called php.ini which can be a hassle and can make issues difficult to diagnose.
  4. Servers are typically Apache, which often causes issues with file / folder rights.
  5. Doesn't have a very good template system compared to ColdFusion's custom tag based templates.

Benefits to ColdFusion

  1. Very easy to learn compared to PHP.
  2. Extremely easy to read compared to PHP.
  3. Writing ColdFusion applications requires much less code compared to PHP.
  4. Coding applications is much less time consuming as ColdFusion is much more robust than PHP.
  5. Although the Adobe ColdFusion server is not open source, there is an excellent ColdFusion alternative. http://getRailo.org/
  6. The ColdFusion administrator is very easy to use and has a nice user interface.
  7. ColdFusion has something called Custom Tags, which makes managing and accessing website templates a breeze.
  8. Very easy to use ColdFusion OOP functions. Also allows for .NET and Java integration.
  9. Integrates very well with Flex.
  10. Extremely robust, with a vast amount of built-in JavaScript packages like cfgrid, cfwindow and cftooltip. Also, ColdFusion has built-in functions that make Ajax binding extremely simple.

Cons to ColdFusion

  1. Community is not as big. However, although the community isn't as big, I think that you'll find more ColdFusion programmers per capita than PHP.
  2. Some people don't like how easy to learn and read ColdFusion is, because they claim that it's so easy to code that it's not like programming, it's more like talking about code. Which is probably true.
  3. Those who use Adobe's ColdFusion think that it's expensive. Those who use Railo think it's free.

EXAMPLES

Want to see some code examples? I'll show you how robust ColdFusion really is.

The PHP code below returns the firstName and lastName columns from the friends table.

<?php
// Connect to the MySQL server (the mysql_* extension, as used in this 2010 example)
$con = mysql_connect("localhost","username","password");
if (!$con)
 {
 die('Could not connect: ' . mysql_error());
 }

mysql_select_db("my_db", $con);

$result = mysql_query("SELECT friendId,firstName,lastName,nickName FROM friends");

// The associative keys are case-sensitive and must match the column names in the SELECT list
while($row = mysql_fetch_array($result))
 {
 echo $row['firstName'] . " " . $row['lastName'];
 }

mysql_close($con);
?>

Now look at the ColdFusion example.

The ColdFusion code below returns the firstName and lastName columns from the friends table.

<cfquery name="getMyFriends" datasource="peter">
SELECT friendId,firstName,lastName,nickName
FROM friends
</cfquery>

<!--- #...# expressions are only evaluated inside cfoutput --->
<cfoutput>
<cfloop query="getMyFriends">
#firstName# #lastName#
</cfloop>
</cfoutput>

Isn't the ColdFusion code just so straightforward, to the point and easy to read?

This is just a single example of hundreds, no, thousands of reasons why I personally think that ColdFusion is better than PHP.

Have an opinion why you think one is better than the other? I want to hear it!

Tags: ColdFusion · php

Change IP Address Coldfusion 9 Developer Edition

June 16, 2010 · 42 Comments

Are you receiving the error below and are looking at how to change the IP addresses available to your ColdFusion Developer box?

  A License exception has occurred.
  You tried to access the Developer Edition from a disallowed IP address 
  (xxx.xxx.x.xxx). The Developer Edition can only be accessed from 127.0.0.1 
  and two additional IP addresses. The additional IP addresses 
  are: xxx.xxx.x.xxx,xxx.xxx.x.xxx 

If you are, I have bad news: unfortunately there is no file or admin area to edit the allowed IPs. By default ColdFusion allocates the first two external IP addresses that hit the ColdFusion service. The only way to change the allocated IP addresses is to restart the ColdFusion service and hit the server from the correct IP addresses. Not ideal, I know, but it's currently the only way.

Tags: ColdFusion

Easily Restart ColdFusion Service

June 15, 2010 · 13 Comments

Today I installed ColdFusion 9 Developer Edition on my local PC. When asked which server type I wanted to use, I opted to use ColdFusion 9's built-in web server. Later, however, I wanted to restart the server, and because I didn't have IIS I didn't have an easy way to do this, so I wrote a BAT file to restart the service.

I would think there would be a better way to do this, however I was unable to find a different way of restarting the ColdFusion service with ColdFusion 9's built-in web server.

To use my BAT file, create a blank text document and insert the code below.

NET STOP "ColdFusion 9 Application Server"
NET START "ColdFusion 9 Application Server"

Save the file and rename it cfrestart.bat. That should do it! Now if you click on the file it should restart the service.

Tags: ColdFusion

How to Remove the Shadow From cfwindow

June 08, 2010 · 8 Comments

While trying to get rid of cfwindow's drop shadow I came across an excellent article written by Todd Sharp on how to do exactly this using a JavaScript function. The one issue I ran into while trying to use this method was how to easily create windows on the fly using the ColdFusion.Window.create function.

My final solution to this, was to go into the cfwindow.js file in the application server and change the shadow attribute to false.

Find

_22c.shadow=true;

Replace With

_22c.shadow=false;

This will need to be replaced twice, as this statement appears twice in the file.

Note: A downside to using this method is that you'll have to redo it every time there is a server upgrade. Also, in order to use this method you have to have the ability to actually edit this file, which for users on a shared server is unlikely. Have a better solution? I'd love to hear from you!

Tags: ColdFusion · Javascript

How to subscribe a user in Exact Target via their API

May 11, 2010 · 25 Comments

Since obviously the Exact Target community has no appreciation for the ColdFusion community, I feel that I should post the code that I wrote to subscribe a user to a list.

Here's my cfc...

<cfcomponent>
    <cffunction 
    	name="subscribeUser" 
        access="public" 
        returntype="string"
        hint="Subscribes a user to the specified list in Exact Target.">
        <cfargument 
        	name="company" 
            type="string" 
            required="yes"
             />
        <cfargument 
        	name="country" 
            type="string" 
            required="no" 
             />
        <cfargument 
        	name="emailAddress" 
            type="string" 
            required="yes"
             />
        <cfargument 
        	name="firstName" 
            type="string" 
            required="yes"
             />
        <cfargument 
        	name="lastName" 
            type="string" 
            required="yes"
             />
        <cfargument 
        	name="emailType"
            type="string" 
            required="yes"
             />
        <!--- optional: a required argument cannot also carry a default --->
        <cfargument 
        	name="userid" 
            type="string" 
            required="no" 
            default=""
             />
        <cfargument
        	 name="listId" 
             type="numeric" 
             required="no" 
             default="<listid>">
        <cfset var cfhttp = "">
        <cfhttp 
            url="http://cl.exct.net/subscribe.aspx?lid=#arguments.listId#" 
            method="post">
          <!--- company --->
          <cfhttpparam 
                name="COMPANY" 
                type="FormField" 
                value="#arguments.company#" 
                 />
          <!--- country --->
          <cfhttpparam 
                name="Country" 
                type="FormField" 
                value="#arguments.country#"
                 />
          <!--- email address --->
          <cfhttpparam
                name="email address" 
                type="FormField" 
                value="#arguments.emailAddress#"
                 />
          <!--- first name --->
          <cfhttpparam 
                name="FIRST NAME" 
                type="FormField" 
                value="#arguments.firstName#"
                 />
          <!--- last name --->
          <cfhttpparam 
                name="LAST NAME" 
                type="FormField" 
                value="#arguments.lastName#"
                 />
          <!--- email type --->
          <cfhttpparam 
                name="Email Type" 
                type="FormField" 
                value="#arguments.emailType#"
                 />
          <!--- user id --->
          <cfhttpparam 
                name="MID" 
                type="FormField" 
                value="#arguments.userId#"
                 />
          <!--- action --->
          <cfhttpparam 
                name="SUBACTION" 
                type="FormField" 
                value="sub_add_update"
                 />
        </cfhttp>
        <cfreturn cfhttp.FileContent />
    </cffunction>
</cfcomponent>

Here's my cfc invoke...

    <cfinvoke
        component="email-subscribe"
        method="subscribeUser"
        company="{user's company}"
        emailAddress="{user's email address}"
        firstName="{user's first name}"
        lastName="{user's last name}"
        country="{user's country}"
        emailType="{user's email type}"
        userid="{}"
        returnvariable="confirmation"
         />

The above CF code will add a user to the designated mailing list.

Tags: ColdFusion

One of The Worst Security Holes in CAPTCHA's and How You Can Fix Them.

April 23, 2010 · 53 Comments

There have been several occasions where people have used security holes in CAPTCHAs to purchase large amounts of specific items like tickets or other items. Is this wrong to do? I would say yes. In this article I'm going to teach you how to manually take advantage of this security hole and what you can do to prevent it from happening.

The first step to understanding the issues with most CAPTCHAs is to understand how they work. Most CAPTCHAs work as follows:

  1. A random word (or words) or alphanumeric string is generated.
  2. This string is rendered into an image that is displayed to the user, and the user is prompted to input the text they see in the image. In ColdFusion, many people use the cfimage tag with action="captcha".
  3. The string is then usually encrypted and placed into a hidden form element located inside the submitting form.
  4. After the form is submitted, the text that the user entered is typically encrypted using the same type of encryption as the randomly generated string.
  5. Finally, the encrypted user-entered string is compared to the encrypted randomly generated string. If they match, then the user isn't a bot; if they don't, then the user is a bot.

This method is either the exact method, or extremely similar to, how most CAPTCHA applications are written. You may be wondering what the issue with this is. I think most people assume that because they're encrypting all of their strings and their CAPTCHA is so hard to read, their CAPTCHA is fool-proof. The reality is this type of CAPTCHA only stops one type of spammer.

There are three types of spammers.

  1. Automated Spam Bots. An automated spam bot, written on a large scale, that normally posts random spam on random sites by crawling from site to site.
  2. Manual Bots. A small application written with the intent to do one thing, for one web site.
  3. Manual Human Spam. Usually a paid human with the intent to spam a single site or multiple sites.

The above method stops most Automated Spam Bots, but not all of them. The security issue that I'm pointing out today has more to do with manual bots and how easy it is to write one. Please note that the reason I am showing you this is in absolutely no way to help anyone, under any circumstances, to hack, spam or do anything illegal in any way. It's for informational purposes, so that the web development community can better understand how to prevent this type of issue.

How to Write a Manual Bot

  1. First go to the web page that has the CAPTCHA that you would like your bot to get through. Note the action page that the form submits to. You can find this by viewing the source code.
  2. Fill out the form completely as if you were going to submit it, including the CAPTCHA text.
  3. Note all of the form field names, including the hidden fields, and record all of their values.
  4. Write a small script that sends those HTTP form elements, with the values recorded, to your web page's action page. I know I make it sound easy, but that's because, at least in ColdFusion, it is easy.

I have a test page with an example of a typical CAPTCHA HERE.

When I fill out the form in my example CAPTCHA page above and I take note of the form elements and values this is what I get.

EXAMPLE

Action:
http://paulalkema.com/assets/content/unsuspecting-page.cfm

Form fields:
submitted=1
captcha_check=6501AA9BA0B073BC (this contains the encrypted version of the captcha)
captcha=h7eunmjq (this was blank before, but I manually entered this as a value)

Now that we have this data recorded you can build a script that could do this dynamically.
CODE EXAMPLE

    <cfhttp 
        url="http://paulalkema.com/assets/content/unsuspecting-page.cfm" 
        method="post">
        <cfhttpparam 
            name="submitted" 
            type="FormField" 
            value="1">
        <cfhttpparam 
            name="captcha_check" 
            type="FormField" 
            value="6501AA9BA0B073BC">
        <cfhttpparam 
            name="captcha" 
            type="FormField" 
            value="h7eunmjq">
    </cfhttp>
    <cfoutput>
        #cfhttp.FileContent#
    </cfoutput>

The above code would submit all of the form variables to my action page, where my action page would then accept that I'm not a bot. I have an example of the exact script above working HERE.

You may be a little skeptical that someone would actually go out of their way to do this to spam your site, and you may very well be right, but the reality is that someone could do it. In March 2010, 4 people were indicted for using a script to simultaneously buy thousands of concert tickets through an automated script similar to this.

How to Prevent It

So what do you do to prevent it? I think the primary issue with the above technique is that you're sending a generated, encrypted version of your CAPTCHA to the browser and comparing it to a user-typed version of the CAPTCHA; if someone writes a script that resends this information, the script can be run repeatedly against the action page. Solution? Keep the generated, encrypted version of your CAPTCHA in server-side variables. If you're using ColdFusion, a possible solution would be to store the generated, encrypted version of your CAPTCHA in session variables.
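Here is the session-based fix described above, written out as an added example; it is not code from the original post. It assumes an Application.cfc with this.sessionManagement = true, a hypothetical form page captcha-form.cfm, and the action page unsuspecting-page.cfm named in the post; the 8-character answer length and the 10-minute expiry are choices made for this example. The answer lives only in the session scope, so there is no captcha_check hidden field for a recorded request to carry, and it is deleted on first use, so a captured submission cannot be resent.

```cfml
<!--- ===== captcha-form.cfm (hypothetical file name) ===== --->
<!--- Requires session management: this.sessionManagement = true in Application.cfc (assumed) --->

<!--- Build a random answer; ambiguous glyphs (0/o, 1/l/i) are left out of the alphabet --->
<cfset chars = "abcdefghjkmnpqrstuvwxyz23456789">
<cfset answer = "">
<cfloop from="1" to="8" index="i">
    <!--- SHA1PRNG selects the cryptographically secure generator --->
    <cfset answer = answer & mid(chars, randRange(1, len(chars), "SHA1PRNG"), 1)>
</cfloop>

<!--- The answer is stored ONLY on the server; the browser receives nothing but the image --->
<cfset session.captchaAnswer = answer>
<cfset session.captchaIssued = now()>

<cfoutput>
<form action="unsuspecting-page.cfm" method="post">
    <cfimage action="captcha" text="#answer#" width="200" height="60" difficulty="medium">
    <input type="text" name="captcha" autocomplete="off">
    <input type="hidden" name="submitted" value="1">
    <input type="submit" value="Submit">
</form>
</cfoutput>


<!--- ===== unsuspecting-page.cfm (hardened check) ===== --->
<cfparam name="form.captcha" default="">
<cfset captchaPassed = false>

<cfif structKeyExists(session, "captchaAnswer")>
    <!--- Reject stale challenges; 10 minutes is a value chosen for this example --->
    <cfif dateDiff("n", session.captchaIssued, now()) lte 10
          and compareNoCase(trim(form.captcha), session.captchaAnswer) eq 0>
        <cfset captchaPassed = true>
    </cfif>
    <!--- Single use: drop the challenge whether it passed or failed, so the same
          submission cannot be replayed and every new attempt costs a fresh image --->
    <cfset structDelete(session, "captchaAnswer")>
    <cfset structDelete(session, "captchaIssued")>
</cfif>

<cfif captchaPassed>
    <!--- process the real form submission here --->
    <p>Thanks, your submission was accepted.</p>
<cfelse>
    <p>The CAPTCHA text did not match. <a href="captcha-form.cfm">Try again</a>.</p>
</cfif>
```

Because the stored answer is removed whether the check passes or fails, a script that resubmits a recorded set of form fields fails on every attempt after the first; it has to fetch a fresh form (and solve a fresh image) for each try, which is the cost a CAPTCHA is meant to impose. The cfhttp script shown earlier in the post sends no session cookie at all, so with this check in place it is rejected on the first attempt as well.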


Tags: ColdFusion