Chris 5:42 pm on January 2, 2026
Tags: admin API, coldfusion ( 22 ), CVE-2023-29298, hack, vulnerability

ColdFusion Remote File Attack Using Admin API

I recently came across an older ColdFusion 2018, update 12, server that was many patches behind. I can’t go into details on this server’s origin.

We noticed that one of many websites on this single Windows IIS server returned a “Failed to add HTML header” a couple of times. This site still uses FuseBox 3.1. Then the site just started returning empty content, with no error and a valid 200 HTTP code. No errors logged in the ColdFusion logs.

We noticed a .jpg file in the root with a recently modified date that did not belong there, and the robots.txt was recently updated.

The .jpg file contained malicious PHP code, while the robots.txt file had the following appended:

# Sitemap: http://{url}/?sitemap=1&type=index
# AUTH:upload/7FD4B026F124.jpg

I am not positive why it added a sitemap reference.

If you deleted the .jpg file, it recreated it and appended another “AUTH:” line when the site was hit again, due to a cfinclude (in this case it was in the index.cfm).

When looking at FusionReactor, we saw HTTP calls being made to api.cdnapi.tech. Unknown the reason for those, but it’s malicious. Check your code for this.

We did find suspicious calls to “cf_script/clients.cfm” in the IIS log file. It was determined that this file was added to mimic the client variables handler file name. I am not going to publish the code, but it basically wrote a .cfm file from a form field (seemingly from the GET request, while it injected a form field below and likely modified the action property of the form), ran it via a cfinclude, and then deleted the file with some error handling. Pretty simple.

After running IIS logs through Claud.ai, it found that the adminAPI was exploited using a vulnerability that bypassed directory restrictions. Look for “/hax/..” and “/..” in your IIS logs. This exploits CVE-2023-29298.

GET /hax/..CFIDE/adminapi/administrator.cfc?method=getBuildNumber&_cfclient=true
GET /hax/..CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat Status: 200
GET /index.cfm?{redacted}/CFIDE/administrator/index.cfm/CFIDE/adminapi/base.cfc User-Agent: python-requests/2.32.4

The first GET queries the API administrator to get the ColdFusion version. The second appears to verify access to admin API using the getHeartBeat() method. The last GET statement is an injection attempt via a form. I have redacted the URL query specific to the site. Both GET statements were successful. We seen some other POST requests to accessmanager.cfc and base.cfc without the directory traversal hack, but were unsuccessful.

These requests were scattered over a period of about a month.

As an immediate solution, we blocked any URI starting with “hax/” and “/..” in our WAF (Web Application Firewall). There should be no reason to access this path other than to exploit the server.

This information is to help other ColdFusion admins narrow down a similar compromised server as a reference. This particular server is getting the needed updates and resolution.

If you need assistance with a compromised server, reach out to me or CF Webtools to help you in a time of crisis.

#admin-api, #coldfusion-2, #cve-2023-29298, #hack, #vulnerability

Chris 3:59 pm on June 27, 2023
Tags: cfhttp, coldfusion application server ( 3 ), log

Adobe ColdFusion Log Verboseness

Server logs in ColdFusion are a must-have resource to help you tune, monitor, and troubleshoot your servers. But what happens when there is too much information? By default, the maximum file size is 5MB. Once it hits that size, it rolls into an archive file, appending a number to the filename. By default, up to 10 archives are stored before they are deleted upon the next archive. Based upon observations on ColdFusion 2021, the size limitation is ignored for “coldfusion-out” and “coldfusion-error” rolling over into archives around 20MB.

*Example of `coldfusion-out.log` directory listing and its archives.*

*ColdFusion 2021 Debugging & Logging Settings UI*

But what if there’s so much information being logged that the logs become relatively useless? A prime example is “HTTP request” logging in coldfusion-out.log on a site that actively uses a third-party API. All you see are HTTP requests.

Example coldfusion-out.log HTTP request entry:

Jun 26, 2023 07:09:56 AM Information [ajp-nio-127.0.0.1-8012-exec-105] - Starting HTTP request {URL='https://apisite.com', method='GET'}
Jun 26, 2023 07:09:56 AM Information [ajp-nio-127.0.0.1-8012-exec-105] - HTTP request completed  {Status Code=200 ,Time taken=137 ms}

You can change the “priority” variable value in the neo-logging.xml configuration files located in cf_root/lib (ex: C:\ColdFusion2021\production\lib\neo-logging.xml). This limits the logged messages based on message severity (type). Unfortunately, this setting is not documented or in the UI. You will need to restart ColdFusion for this setting to take effect.

*Logging verboseness in neo-logging.xml*

Your options include the following:

information (default)
warning
error
fatal

I recommend changing the value to “warning”. Just remember, this will change all your logs.

Thanks to “cflog & fox server log level” thread comments on Adobe Support Community for leading me to the answer.

I was also made aware by Nimit Sharma on the ColdFusion #Adobe Slack Channel that you can disable HTTP logging for the http.log file. However, I do not believe this stops HTTP logging on the “coldfusion-out.log” file. If you are interested in this still, you can go to “Dugging and Logging” > “Log Files” in the ColdFusion Administrator (v2021), and in the actions column, press the disable logging button next to http.

#cfhttp, #coldfusion-application-server, #log

Chris 5:05 pm on February 13, 2023
Tags: coldfusion ( 22 )

Purchasing Adobe ColdFusion

Are you in the market or considering purchasing Adobe ColdFusion’s full or upgrade license?

While you always have the option of going straight to Adobe, I recommend purchasing through a reseller. You will typically see a 5% discount and up to 25% depending on the sale.

Do you need help with installation, upgrades, or troubleshooting? Contact me at CF Webtools to hire ColdFusion experts and get where you are going. I will be happy to discuss your situation and give you advice up-front.

Integral

Integral is a great business headquartered in Germany and has regional offices in the UK and the USA. They are the parent company of FusionReactor, and their representative at the ColdFusion conferences is always very helpful and knowledgeable. They have a dedicated ColdFusion software store at:

buy-adobe-software.com

They typically have about a 5% discount and typically offer a 10% discount on their FusionReactor Application Performance Monitor when purchased together as a 1-year subscription.

I highly recommend a FusionReactor Standard Edition at a minimum for tunning and debugging. Especially useful when troubleshooting performance issues or crashes. Their Enterprise and Ultimate editions are even better while logging data to the cloud.

The Adobe ColdFusion release cycle is about once every 2-3 years. If you are about two years into the release cycle, I recommend purchasing the “Platinum Support” option. Not only will this provide you with 1 year of support, but it will provide you a perceived 50% discount on the next upgrade that is “pre-paid”. Meaning you automatically receive the next major version of ColdFusion. Purchasing within 1-2 years can be a gamble depending upon if you expect to use support. This support package is good only for a 1-year term, however the upgrade key remains available even if you do not upgrade within that support subscription period.

Atypical Upgrade Discounts

FusionReactor will also sometime offer a 25% discount on editions that would be normally full price if you are past the previous year’s installation. Typically you can upgrade from the previous edition for about a 50% discount. However, anything older than the previous edition requires a full purchase. A commitment to subscribe to FusionReactor for one year used to be the requirement, but is currently no longer required.

Q1 2023 Discount Link: https://www.fusion-reactor.com/blog/news/coldfusion-hot-sale/ (good until the end of Feb 2023)

Coalesce Solutions

Coalesce Solutions is headquartered in Memphis, TN, and is an alternative to Integral. I met them at the last ColdFusion conference, and they were very helpful. We use their AWS Marketplace solutions as needed for AWS EC2 instances. I do not have first-hand experience with their ColdFusion licensing options, but they do have a store available at:

getcoldfusion.com

Their full and upgrade pricing is similar to Integral’s.

#coldfusion-2

Chris 5:49 pm on April 26, 2018

ColdFusion Docker Image Released

On April 25, 2018, Adobe released the long awaited, official, Docker Image for ColdFusion 2016! ColdFusion 2018’s image is in the works.

I am excited about this primarily for two reasons:

#1 Development: we can create a docker image that can possibly be passed around to developers either as general use or specific to a customer’s setup. This has the potential to speed up “ramp-up time” for developers when beginning a new client workload.

#2 Fix AWS AMI’s: The current AMI solution on AWS is bleak. You’re limited to operating systems that are either the wrong flavor of Linux for you or an outdated Windows Server version. You are also stuck with the inability to upgrade the OS or ColdFusion. I’m hoping this makes its way into the AWS container library that you can lease month-to-month, both in the Standard and Enterprise flavors.

Adobe choose the JFrog container repository over Docker Hub “due to licencing and distribution issues”. This seems to be a common theme with Adobe, but at least it’s out there. You can find these repos at https://bintray.com/eaps/coldfusion.

As of 4/26/2018, you will find the following images:

ColdFusion Server (2016)
ColdFusion Addons (2016)
ColdFusion API Manager (2016)
ColdFusion API Manager Addons (2016)

The “ColdFusion Server” contains the “barebones” only. It runs the bundled “built-in” web server (normally port 8500).

You’d then normally want to connect Apache or IIS to ColdFusion using wsconfig. However that’s not possible, in the common sense, here. The reason being is that you’re in a container that has no real access to the outside space, including your webserver services.

So in this case you’ll need to treat this as a distributed setup. You’ll need to copy some files, including wsconfig, onto your Apache file system – likely in another container. From there you’ll run wsconfig and connect it to the “remote” ColdFusion instance. There are some basic instructions at http://blogs.coldfusion.com/setting-up-coldfusion-in-distributed-envionment/ and Adobe says they will work on an official instruction set. I also plan on posting my own instructions. I don’t think this will work with IIS without a hack, but this is definitely something I’d want. The majority of web servers we maintain are IIS.

When you run the ColdFusion container, you are able to pass in a limited set of environment variables. They range include items such as password, secure profile, external session info, addons, and a startup script.

The setup script will be a .CFM file that calls the admin object. Here you will script items such as datasources. However, as far as I know, not all admin functions are available via the API. One of the major benefits of running containers is to have a disposable environment that can easily be recreated. In order to do this, you must be able to script out all your configuration. I would also like to see all settings be available in the environment variables as that’s what it’s intended for. Using a script is more or less a hack that needs additional maintenance.

Another method is mounting a volume for configuration files such as JVM.config and neo-*.xml files. I have to experiment with this to figure out how that would work.

The third method would be to mount a directory that has CAR archives into “/data” and configurations in the archive would be automatically imported during container setup. However this is a rather static method and not easy to manage. However according to Immanual Noel, on 4/27/2018, Adobe is having an issue importing DSN’s and scheduled tasks in this fashion and are currently working on this issue.

The final method would be to use Ortus’s CFConfig CLI. You could pass in a JSON string and let it build out the configuration. This might actually be one of the best ways to do it. I’m hoping Adobe’s implementation catches up to this quickly though. Ortus has great open source products for ColdFusion, but this shouldn’t be required.

The “ColdFusion Addons” container runs SOLR and PDF services. The “.NET” service will not exist as it is a Linux container. I would have preferred separating out the services though due to the container pattern of one service per container. This extends the ColdFusion container.

According to Adobe, they are not going to create a Windows container at this point due to performance issues they saw. But the great thing about Docker on Windows is that it’s capable of running both Windows and Linux containers. It’s very rare that I need to run .NET, however that does leave my 2 points out in the cold if a customer uses it.

In conclusion, I look forward to testing this out and perhaps implementing this solution where it makes sense.

CF Summit 2017 – Part 2

Starting from Part 1 of my “CF Summit 2017” series I will dive into some of my conversations with Adobe and more “Application Monitoring Suite” details.

The Adobe Team

Let me start out by saying that I know a number of people, myself included, enjoyed having the ColdFusion engineering team on-site at the conference. I want to thank them for the long trip from India which appears to be at least a 24 hour trip one-way. I could barely stand the 3 hour cattle flight from Omaha on Southwest. Those seats were great when I was a kid half my current size – but they never seemed to take into account that American adults actually sit in those seats too!

I spent a bit of time speaking with Anit Kumar, the Technical Support Manager, who was very welcoming of what I had to say. A number of people also wanted his attention, so I also spoke a bit to Vamseekkrishna Nanneboina, the Quality Engineering Manager. Continue reading →

Chris 7:11 pm on November 20, 2017

CF Summit 2017 – Part 1

My co-worker at CF Webtools, Wil Genovese, and myself were fortunate to attend the Adobe ColdFusion 2017 Summit this year.

The primary focus of the event was on “Aether”, the next version of ColdFusion, which will be known as “ColdFusion 2018”. The primary topic surrounding Aether was the API Manager, Containerization (Docker), security by default and a new “Application Performance Monitoring Suite”.

Continue reading →

Chris 6:46 pm on September 7, 2017

Finding the ColdFusion 11 Serial Number

Looking for the ColdFusion 11 Serial (License) Number on your existing install? Check out the plain-text file:

./cfusion/lib/license.properties

under the “sn” line

Chris 3:25 pm on June 21, 2017
Tags: Lucee, Scheduled Tasks

Lucee 5 ColdFusion Scheduled Tasks

Lucee 5.0 – 5.2.1.9 (current version) has a bug in scheduled tasks that seems to affect both Windows and Linux servers.

When scheduling a task, they end up getting marked as “expired” and never run. Not sure how this issue has made it this far into revisions, but as of this post it’s still an issue.

https://luceeserver.atlassian.net/browse/LDEV-897

You can work around this issue using a cron job by way of curl.

On Windows you can use the Windows Task Scheduler and curl. Curl can be downloaded from https://curl.haxx.se/download.html

6/21/2017 – marked for “NextSprint scheduled”

#lucee, #scheduled-tasks

Chris 4:43 pm on November 22, 2016

Adobe ColdFusion 11 AWS AMI Converts to Developer Edition

We have a ColdFusion 11 server hosted on Amazon’s Web Service (AWS) Elastic Compute Cloud (EC2). We subscribe to the Adobe ColdFusion 11 license on a monthly basis using the Amazon Machine Image (AMI) Store.

We are still migrating sites to the EC2 instance and it is still in its infancy. What we noticed was that the log files were getting large quite fast with these entries:

License Error.You tried to access the Developer Edition from IP address (0.0.0.0). Already two IP addresses are accessing ColdFusion concurrently. The Developer Edition supports access by any IP address, but only two at a time, apart from the localhost. The additional IP addresses accessing ColdFusion are: 0.0.0.0,0.0.0.0 The specific sequence of files included or processed is: C:\ColdFusion11\Main\wwwroot\CFIDE\administrator\templates\secure_profile_error.cfm”

This meant that only two distinct visitors would be able to view our production sites at any given time. The license is supposed to be a Enterprise level license which can support very large traffic. But instead the license reverted to developer edition without warning.

The way I was able to resolve this issue was to send an email to CFsup@adobe.com. I included my AWS Account number. I also ran this issue by the “Adobe” CFML Slack Channel. Here was the timeline (Central Time):

8:12 PM: Posted issue on CFML Adobe Slack channel
8:21 PM: Emailed CFsup@adobe.com
11:15 PM: Anit Kumar responds to Slack from home
12:10 AM: Anit Kumar responds via email with new .jar file
12:38 AM: Server now on Enterprise license correctly

Here were the steps taken to apply patch:

Navigate to the \ColdFusion11\cfusion\lib and search for “cfusion-req.jar”.
Stop the ColdFusion Service.
Take a backup of this original jar file and delete it. Renaming the jar file, will not help.
Rename the enclosed cfusion-req.jar.123 to cfusion-req.jar and save it on the location mentioned in Step 1.
Start the ColdFusion Service.
Check the Edition by clicking on the System Information (“I” icon on right hand side top).

Anit said we could just apply the patch to the cfusion instance, however we ended up applying it to it and another CF instance while waiting for a response.

When we asked Anit what the issue was, this was his reply:

This was an issue with Amazon side and is very sporadic in nature. We have fixed and merged this in CF2016 AMIs on Amazon.

Chris 7:00 pm on August 4, 2015
Tags: coldfusion ( 22 ), Java ( 2 ), tools.jar, upgrade ( 2 )

Copy tools.jar When Upgrading Java for ColdFusion

I happened to read a post on Adobe’s ColdFusion Facebook page, that references a blog post, that references a pretty obscure tip. ColdFusion really needs to implement this somehow in CF Admin like a configurable directory for this file.

I remember knowing this step, but forgot, because it’s documented in obscure places like in the upgrade notes when ColdFusion releases a patch that officially supports a newer version of ColdFusion.

Anyway, ending my rant, when you upgrade to a new major version of Java (and in my opinion every minor version too) be sure to do the following:

Copy tools.jar from {JDK_Home}/lib to {cf_install_home}/{instance}/lib/
Delete all files from {cf_install_home}/{instance}/stubs/ to get the newly compiled classes.

Only JDK contains the tools.jar file not the jre installation. You don’t have to install JDK on the machine where ColdFusion is installed. You can just have jre on this machine and get tools.jar from any other machine’s JDK installation.

#coldfusion-2, #java, #tools-jar, #upgrade

Chris Tierney

Passing Along My Knowledge!

Category Archives: ColdFusion Servers