Paul Alkema

Discussions on Web Development and Security

Paul Alkema

ColdFusion 9 Vulnerabilities, Are You Safe?

August 11, 2010 · 29 Comments

I recently attended CFUNITED and loved it! It was great! Anyway, one of my favorite sessions at CFUNITED was a session by Pete Frietag entitled "Writing Secure CFML". In the session he said "who here has ever had their server hacked?" and to my amazement about half of the room put their hand up. This tells me that people aren't reading security bulletins (Wait, everyone reads those right?) and patching their servers accordingly. In the last few months I've seen two pop up that I just wanted to bring attention too.

  1. Unauthenticated File Retrieval Vulnerability

    Problem

    Allows remote users to gain access to the server files through the ColdFusion Administrator. This could be used to gain database information or as a stepping stone to find internal vulnerability in applications.

    Solution

    Adobe has released a patch for this issue.
    http://www.adobe.com/support/security/bulletins/apsb10-18.html


    If your one of those people that don't like patching, an alternative fix is to change the default location of the ColdFusion Administrator or by limiting the ColdFusion Administrator's access from specified IP's.

    Severity: High
    CVE: CVE-2010-2861

  2. Solr Service Information Disclosure Vulnerability

    Problem

    ColdFusion allows users to remotely connect to search collections that have been created by the Solr service. The flaw in this however is that by default any user can connect to this service from any IP without any type of authentication would could be used to gather information about the server or internal processes.
    http://www.securityfocus.com/bid/38007/discuss

    Solution

    The best current solution at this time is to disable this service to be connected to from any other IP than the local IP of the server. Adobe has come out with an article outlining exactly how this can be done.
    http://kb2.adobe.com/cps/807/cpsid_80719.html

    Severity: Medium
    CVE: CVE-2010-0185

I would also highly recommend checking your server for vulnarabilities using http://hackmycf.com/. It's a very easy to use website that will tell you what patches your server needs.

29 CommentsTags: ColdFusion · Security

Reverse Image Search using tineye.com

July 09, 2010 · 37 Comments

About 6 months ago I came across a reverse image search website called tineye.com. This site's is really an excellent way to find an original or the source of image. It can also be really helpful for finding other websites that have stolen your original images.

tineye.com

37 CommentsTags: Misc

PHP vs. ColdFusion

July 01, 2010 · 74 Comments

PHP vs. ColdFusion

In my years I've found myself actively writing in several different languages. I've written full applications in ASP.NET, PHP and ColdFusion. My current primary languages are PHP and ColdFusion.

Throughout the years I've grown really fond of ColdFusion. In this article I'm going to explain the benefits & cons of ColdFusion over PHP.

Benefits to PHP

  1. Widely supported and has a huge community of people willing to help and answer questions.
  2. Open source.
  3. A vast amount of open source scripts available.
  4. A large number of shared hosting providers that are willing to offer hosting for very low cost. For instance $3.00 - $10.00/month.

Cons to PHP

  1. Is not the easiest language to learn.
  2. Development time can be very time consuming as everything is syntax based and requires a lot of code.
  3. Server settings are made through a text file called php.ini which can be a hassle and can make issues difficult to diagnose.
  4. Servers are typically apache, which often causes issues with file / folder rights.
  5. Doesn't have a very good template system compared to ColdFusion's custom tag based templates.

Benefits to ColdFusion

    1. Very easy to learn compared to PHP.
    2. Extremely easy to read compared to PHP.
    3. Writing ColdFusion applications require much less code compared to PHP.
    4. Coding applications is much less time consuming as ColdFusion is much more Robust than PHP.
    5. Although the Adobe ColdFusion server is not open source, there is an excellent ColdFusion alternative. http://getRailo.org/
    6. The ColdFusion administrator is very easy to use and has a nice User Interface.
    7. ColdFusion has something called Custom Tags, which makes the managing and accessing of website templates a breeze.
    8. Very easy to use coldfusion OOP functions. Also allows for .NET and Java integration.
    9. Integrates very well with Flex.
    10. Extremly Robust with a vast amount of built in javascript packages like cfgrid, cfwindow and cftooltip. Also coldfusion has built in functions to allow ajax binding extremly simple.

Cons to ColdFusion

      1. Community is not as big. However, although the community isn't as big, I think that you'll find more ColdFusion programmers per capita than php.
      2. Some people don't like how easy to learn and read ColdFusion is because they claim that it's so easy to code that it's not like programming it's more like talking about code. Which is probably true.
      3. Those who use Adobe's ColdFusion think that it's expensive. Those who use Railo think it's free.

EXAMPLES

Want to see some code examples? I'll show you how robust ColdFusion really is.

The PHP code below, will return the columns firstname, lastname from the Friends table.

<?php
//
$con = mysql_connect("localhost","username","password");
if (!$con)
 {
 die('Could not connect: ' . mysql_error());
 }

mysql_select_db("my_db", $con);

$result = mysql_query("SELECT friendId,firstName,lastName,nickName FROM friends");

while($row = mysql_fetch_array($result))
 {
 echo $row['FirstName'] . " " . $row['LastName'];
 }

mysql_close($con);
?>

Now look at the Coldfusion Example

The ColdFusion code below, will return the columns firstname, lastname from the Friends table.

<cfquery name="getMyFriends" datasource="peter">
SELECT friendId,firstName,lastName,nickName
FROM friends
</cfquery>

<cfloop query="getMyFriends">
#firstName# #lastName#
</cfloop>

Isn't the ColdFusion code just so straight forward to the point and easy to read?

This is just a single example of hundreds, no thousands of reasons of why I personally think that ColdFusion is better than PHP.

Have an opinion why you think one is better than the other? I want to hear it!

74 CommentsTags: ColdFusion · php

Change IP Address Coldfusion 9 Developer Edition

June 16, 2010 · 42 Comments

Are you receiving the error below and are looking at how to change the IP addresses available to your ColdFusion Developer box?

  A License exception has occurred.
  You tried to access the Developer Edition from a disallowed IP address 
  (xxx.xxx.x.xxx). The Developer Edition can only be accessed from 127.0.0.1 
  and two additional IP addresses. The additional IP addresses 
  are: xxx.xxx.x.xxx,xxx.xxx.x.xxx 

If you are, I have bad news, unfortunately there is no file or admin area to edit the allowed IP's. By default ColdFusion allocates the first two external IP addresses that hit the ColdFusion service. The only way to change the allocated IP addresses is to restart the ColdFusion service and hit the server with the correct IP addresses. Not ideal I know, but it's currently the only way.

42 CommentsTags: ColdFusion

Easily Restart ColdFusion Service

June 15, 2010 · 13 Comments

Today I installed ColdFusion 9 developer edition on my local pc. When asked which server type I wanted to use, I opted to user ColdFusion 9's built-in web server. However later I wanted to restart the server however and because I didn't have IIS I didn't have an easy way to handle this so wrote a BAT file to restart the service.

I would think there would be a better way to do this, however I was unable to find a different way of restarting the ColdFusion service with ColdFusion 9's built-in web server.

To use my BAT file, create a blank text document and insert the code below.

NET STOP "coldfusion 9 application server"
NET START "coldfuion 9 appliation server"

Save the file and rename it cfrestart.bat. That should do it! Now if you click on the file it should restart the service.

13 CommentsTags: ColdFusion

How to Remove the Shadow From cfwindow

June 08, 2010 · 8 Comments

While trying to get rid of cfwindow's drop shadow I came across an excellent article written by Todd Sharp on how to exactly this using a javascript function. The one issue I ran into while trying to use this method, was how to easily create windows on the fly using the ColdFusion.Window.create function.

My final solution to this, was to go into the cfwindow.js file in the application server and change the shadow attribute to false.

Find

_22c.shadow=true;

Replace With

_22c.shadow=false;

This will need to be replaced twice, as this statement appears twice in the file.

Note: A down side to using this method is that you'll have to redo this every time there is a server upgrade. Also, in order to use this method you have to have the ability to actually edit this file, which for users on a shared server is unlikely. Have better solution? I'd love to hear from you!

8 CommentsTags: ColdFusion · Javascript

How to subscribe a user in Exact Target via their API

May 11, 2010 · 25 Comments

Since obviously the Exact Target community has no appreciation for the ColdFusion community, I feel that I should post the code that I wrote to subscribe a user to a list.

Here's my cfc...

<cfcomponent>
    <cffunction 
    	name="subscribeUser" 
        access="public" 
        returntype="string"
        hint="Subscribes a user to the specified list in Exact Target.">
        <cfargument 
        	name="company" 
            type="string" 
            required="yes"
             />
        <cfargument 
        	name="country" 
            type="string" 
            required="no" 
             />
        <cfargument 
        	name="emailAddress" 
            type="string" 
            required="yes"
             />
        <cfargument 
        	name="firstName" 
            type="string" 
            required="yes"
             />
        <cfargument 
        	name="lastName" 
            type="string" 
            required="yes"
             />
        <cfargument 
        	name="emailType"
            type="string" 
            required="yes"
             />
        <cfargument 
        	name="userid" 
            type="string" 
            required="yes" 
            default=""
             />
        <cfargument
        	 name="listId" 
             type="numeric" 
             required="no" 
             default="<listid>">
        <cfset var cfhttp = "">
        <cfhttp 
            url="http://cl.exct.net/subscribe.aspx?lid=#arguments.listId#" 
            method="post">
          <!--- company --->
          <cfhttpparam 
                name="COMPANY" 
                type="FormField" 
                value="#arguments.company#" 
                 />
          <!--- country --->
          <cfhttpparam 
                name="Country" 
                type="FormField" 
                value="#arguments.country#"
                 />
          <!--- email address --->
          <cfhttpparam
                name="email address" 
                type="FormField" 
                value="#arguments.emailAddress#"
                 />
          <!--- first name --->
          <cfhttpparam 
                name="FIRST NAME" 
                type="FormField" 
                value="#arguments.firstName#"
                 />
          <!--- last name --->
          <cfhttpparam 
                name="LAST NAME" 
                type="FormField" 
                value="#arguments.lastName#"
                 />
          <!--- email type --->
          <cfhttpparam 
                name="Email Type" 
                type="FormField" 
                value="#arguments.emailType#"
                 />
          <!--- user id --->
          <cfhttpparam 
                name="MID" 
                type="FormField" 
                value="#arguments.userId#"
                 />
          <!--- action --->
          <cfhttpparam 
                name="SUBACTION" 
                type="FormField" 
                value="sub_add_update"
                 />
        </cfhttp>
        <cfreturn cfhttp.FileContent />
    </cffunction>
</cfcomponent>

Here's my cfc invoke..

    <cfinvoke
        component="email-subscribe"
        method="subscribeUser"
        company="{user's company}"
        emailAddress="{user's email address}"
        firstName="{user's first name}"
        lastName="{user's last name}"
        country="{user's country}"
        emailType="{user's email type}"
        userid="{}"
        returnvariable="confirmation"
         />

The above CF code will add a user to the designated mailing list.

Tags: ColdFusion, Exact Target, ExactTarget, ColdFusion API, Paul Alkema

25 CommentsTags: ColdFusion

One of The Worst Security Holes in CAPTCHA's and How You Can Fix Them.

April 23, 2010 · 53 Comments

There have been several occasions where people have used security holes in CAPTCHA's to purchase large amounts of specific items like tickets or other items. Is this wrong to do? I would say yes. In this article I'm going to teach you how to manually take advantage of this security hole and what you can do to prevent it for happening.

The first steps to understand the issues with most CAPTCHA's is to understand how they work. The way that most CAPTCHA's are as follows

  1. A random word(s) or alpha numeric string is generated
  2. This string is rendered into an image which displays to the users, and the user is prompted to input the text they see in the image. In ColdFusion many times people will use the CfImage attribute action="captcha".
  3. The string is then usually encrypted and placed into a hidden form element that's located inside of the submitting form.
  4. After submitting the form, typically the text that the user entered is encrypted using the same type of encryption as the randomly generated string.
  5. Finally, the encrypted user entered string is compared to the encrypted randomly generated string. If they match, than the user isn't a bot, if they don't, than the user is a bot.

This method, is either the exact method or extremely similar to how most CAPTCHA applications are written. You may be wondering what the issue with this is. I think that most people think, wow because I'm encrypting all of my strings and my CAPTCHA is so hard to read that your CAPTCHA is fool-proof. The reality is this type of CAPTCHA only stops one type of spammer.

There are three types of spammers.

  1. Automated Spam Bots. An automated spam bots written on a large scale that normally posts random spam on random sites by crawling from site to site.
  2. Manual Bots. A small application written with the intent to do one purpose, for one web site.
  3. Manual Human Spam. Usually a paid human with the intent to spam a single or multiple sites.

The above method stops most Automated Spam Bots, but not all of them. The security issue that I'm pointing out today has really more to do with manual bots and how easy it is to write one. Please note, that the reason that I am helping you to write this is in absolutely no way to help anyone under any circumstances to hack, spam or do anything illegal in any way. It's for informational purposes, so that the web development community can better understand how to prevent this type of issue.

How to Write a Manual Bot

  1. First go to the web page that has the CAPTCHA that you would like your bot to get through. Note the action page that the form submits to0. You can take note of this by viewing the source code.
  2. Fill out the form completely as if you were to submit the form including the CAPTCHA text.
  3. Note all of the form field names including the hidden fields and record all of their values.
  4. Write a small script that allows you to send those HTTP form elements with the values recorded to your web page's action page. I know I make it sound easy, but that's because at least in ColdFusion it is easy.

I have a test page with an example page with a typical CAPTCHA. HERE.

When I fill out the form in my example CAPTCHA page above and I take note of the form elements and values this is what I get.

EXAMPLE
Action
http://paulalkema.com/assets/content/unsuspecting-page.cfm
Form
submitted=1
captcha_check=6501AA9BA0B073BC (this contains the encrypted version of the captcha.)
captcha=h7eunmjq (This was blank before, but I manually entered this as a value.)

Now that we have this data recorded you can build a script that could do this dynamically.
CODE EXAMPLE

    <cfhttp 
        url="http://paulalkema.com/assets/content/unsuspecting-page.cfm" 
        method="post">
        <cfhttpparam 
            name="submitted" 
            type="FormField" 
            value="1">
        <cfhttpparam 
            name="captcha_check" 
            type="FormField" 
            value="6501AA9BA0B073BC">
        <cfhttpparam 
            name="captcha" 
            type="FormField" 
            value="h7eunmjq">
    </cfhttp>
    <cfoutput>
        #cfhttp.FileContent#	
    </cfoutput>

The above code would submit all of the form variables to my action page, where my action page would then except that I'm not a bot. I have an example of the exact script above working HERE.

You may be a little skeptical that someone would actually go out of their way to do this to spam your site and you very well may be right, but the reality is that someone could do it. In March 2010, 4 people were indicted for using a script to simultaneously buy thousands of concert tickets through an automated script similar to this.

How to Prevent It

So what do you do to prevent it? I think the primary issue with the above technique is that your sending a generated encrypted version of your CAPTCHA and comparing it to a user typed version of the CAPTHA and if you write a script that can resend this information, the script can be run repeatedly and the action page. Solution? Send the generated encrypted version of your CAPTCHA through server side variables. If your using ColdFusion a possible solution would be to send your the generated encrypted version of your CAPTCHA through session variables..

SEO: Coldfusion, Captcha, Cfhttp, Issues With Captcha, Hack Captcha, Captcha Security

53 CommentsTags: ColdFusion

Pull a List of All Coldfusion Datasources, Along With Username and Passwords

April 20, 2010 · 64 Comments

There are special times when you may need to get a list of your datasources or retrieve the passwords for your datasources. If this is your case, no problem.

The script below will pull all datasources, along with the username and a decrypted password.


    // Create Data Source Object
    dataSourceObb=createobject("java","coldfusion.server.ServiceFactory").
	getDatasourceService().getDatasources();
    
    // Loop Through DataSources
    for(i in dataSourceObb) {
     if(len(dataSourceObb[i]["password"])){
	 
     // Get username
     username=(dataSourceObb[i]["username"]);
	 
     // Get and decrypt password
     decryptPassword=Decrypt(dataSourceObb[i]["password"],
     generate3DesKey("0yJ!@1$r8p0L@r1$6yJ!@1rj"), "DESede",
     "Base64");
	 
     // Output all datasources along with username and passwords
     writeoutput("" & "DataSource: "  & i & "
" & "Username: " & username & "
Password: " & decryptPassword &"

"); } }

Enjoy!

UPDATE: When this post was originally posted, this worked on 9, however since then 9.0.1 has been released. This version has fixed this issue.

Tags: Coldfusion, Datasource Passwords, ColdFusion Passwords, ColdFusion ServiceFactory, Paul Alkema

64 CommentsTags: ColdFusion

How To Select All Columns From a Table In MSQL

April 20, 2010 · 46 Comments

On occasions I've needed to perform actions on a table to all columns but wanted it to be dynamic in a way that I could use it on multiple table. In order to do so, I needed a way to pull all of the columns in my table before performing my action.

Here is an example of how to pull all of the columns in the specified table.

EXAMPLE

      DECLARE @table varchar(40)
            SET @table = 'your-table'
            
            SELECT [name]
            FROM   syscolumns
            WHERE  [id] IN
                   (SELECT [id]
                   FROM    sysobjects
                   WHERE   [name] = @table
                   )

This is how you can use this method to pull the primary key.

EXAMPLE

    DECLARE @table_name VARCHAR(40)
            SET @table = 'your-table'
            
            SELECT [name]
            FROM   syscolumns
            WHERE  [id] IN
                   (SELECT [id]
                   FROM    sysobjects
                   WHERE   [name] = @table_name
                   )
               AND colid IN
                   (SELECT SIK.colid
                   FROM    sysindexkeys SIK
                           JOIN sysobjects SO
                           ON      SIK.[id] = SO.[id]
                   WHERE   SIK.indid        = 1
                       AND SO.[name]        = @table
                   )

46 CommentsTags: SQL