cfscript cf*() functions are Custom Tags

I found an interesting discussion between the community and Adobe today regarding early cfscript functionality for tags. They use CFCs (query.cfc, ldap.cfc, http.cfc, etc.) located in the ColdFusion installation directory.

I found this interesting, as I had never realized that the early introduction of cfscript functionality using “cf…()” was implemented as a custom tag. See the screenshot below.

These do not correspond with “modern” cfscript such as “httpservice = new http();”. “cfhttp();” is a custom tag, however.

The discussion surrounded Adobe’s position and long-term plan for these CFCs. If you look at ColdFusion Deprecated Features, these specific functions have been deprecated since the 2018 release. Note that they are NOT marked as “Deprecated and unsupported”. However, in the Adobe bug tracker, any related bug (and there are a lot) has been marked as “Never fixing”. Realistically this means “unsupported”, and therefore bugs, and potentially security risks, continue to be present even in 2023. Adobe has marked this for internal discussion on how to handle future releases.

It is my recommendation that if you use “cf…()” in your cfscripts while using ColdFusion 2018+, you cease using them in any new code, instead using “modern cfscript”. For existing code, getting those swapped typically looks like replacing the function as you touch it through the code lifecycle. However, some more sensitive organizations may wish to swap these out as a project and were unaware of this. To be clear, I am aware of no active security issues that would dictate immediate replacement.

It is good to take a quick peek at ColdFusion Deprecated Features to become familiar with deprecated functions and attributes so we do not continue to build technical debt for ourselves or our customers. A better-known example is HTMLEditFormat.

Screenshot of Adobe ColdFusion 2021 Installation Directory Containing Custom Tags for CFCs

#cfscript

Be Aware of Mura CMS Security Issues

Mura CMS was a popular open-source content management system (CMS) written in ColdFusion. While initially an open-source project maintained by blueriver.com, it was re-licensed as a closed-source cloud application with the release of Mura CMS v10 in 2020. There are forked open-source projects based on the last open-source release of Mura CMS 7.1, including Masa CMS – which is currently maintained at v7.4.

Mura CMS 7.x and Masa CMS versions v7.4.0-beta and earlier contain an authentication bypass vulnerability that allows an unauthenticated attacker to log in as any site member or system user. The cause is a conditional logic flaw in the “remember me” code. In short, a crafted request can submit the arguments.userHash variable with no value; because the check tests whether arguments.userHash is empty OR equals the user’s hash, an empty value satisfies the first condition and the check passes. This is accomplished by passing an empty userHash cookie value on Lucee, or a single irrelevant character on Adobe ColdFusion.

For this article, I am only focusing on the open-source version. Mura CMS 10 has a different CVE (2022-47003). The Common Vulnerabilities and Exposures (CVE) database defined this vulnerability:

CVE-2022-47002 – Authentication Bypass Vulnerability in Masa CMS (Base Score: 9.8 CRITICAL)
A vulnerability in the Remember Me function of Masa CMS v7.2, 7.3, and 7.4-beta allows attackers to bypass authentication via a crafted web request.
Fixed Version(s): Masa CMS v7.2.5, Masa CMS v7.3.10, Masa v7.4.0-beta.3 and later
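As an added illustration (not Mura or Masa source code), here is a simplified CFML model of the remember-me check described above, with the flawed condition beside a hardened one; the user store, hash value and function names are constructed assumptions.

```cfml
// Added example, not Mura/Masa code: a simplified "remember me" check that
// models the conditional flaw described above, beside a hardened version.
// The user store and hash value are constructed placeholders.
component {

    variables.users = {
        "alice": { "userId": 1, "userHash": "PLACEHOLDER_HASH_FOR_ALICE" }
    };

    // Vulnerable form: the test "token is empty OR token matches the stored
    // hash" is true for an empty token, so the stored hash is never compared
    // and the login succeeds for any username that exists.
    public boolean function vulnerableRememberMe( required string username, string userHash = "" ) {
        if ( !structKeyExists( variables.users, arguments.username ) ) {
            return false;
        }
        var user = variables.users[ arguments.username ];
        return ( !len( arguments.userHash ) || arguments.userHash == user.userHash );
    }

    // Hardened form: an absent, empty or whitespace-only token is a failed
    // login, and the token must match the stored hash exactly (compare() is
    // case-sensitive and returns 0 only on an exact match).
    public boolean function hardenedRememberMe( required string username, string userHash = "" ) {
        if ( !structKeyExists( variables.users, arguments.username ) || !len( trim( arguments.userHash ) ) ) {
            return false;
        }
        var user = variables.users[ arguments.username ];
        return ( compare( arguments.userHash, user.userHash ) == 0 );
    }

}
```

With these two functions, vulnerableRememberMe( "alice", "" ) returns true while hardenedRememberMe( "alice", "" ) returns false, and a single arbitrary character fails the hardened comparison as well.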


#cms, #masa, #mura

Getting AWS Java SDK 2.0

In the past I’ve always used REST calls to the AWS API from ColdFusion. There are never any complete CFC libraries that work and they’re almost always dated. The reason being that AWS moves so fast, it’d require a full time person or more to keep it up-to-date and complete.

I am moving towards using the AWS Java SDK to call Java methods from ColdFusion. The SDK is kept up-to-date regularly by AWS and is quite complete and proven. The most common SDK in use today is version 1.x. However, late last year they came out with version 2.0.

According to AWS, “it is a major rewrite of the 1.11.x code base. Built with support for Java 8+, 2.x adds several frequently requested features, like nonblocking I/O, improved start-up performance and automatic iteration over paginated responses. In addition, many aspects of the SDK have been updated with a focus on consistency, immutability, and ease of use.”

But as a non-Java developer that uses Java libraries, this hasn’t come without difficulties. Because of its sheer size, AWS requires you to compile the source into a JAR file. You can compile all of it, which took me 1 hour and 3 minutes at a size of 122MiB. However, they recommend only compiling the service (component) that you plan on using.

I initially installed Maven on Windows 10 to compile it. However, as of version 2.3.6 there is a bug which makes the test fail in Windows, and thus the build. An issue was opened to resolve this and as of 1/22/2019 is pending to be merged into the master branch.

Therefore I compiled it in Ubuntu on Windows.

Here are the commands I used to get the environment ready and build the whole SDK using Maven:

sudo su
apt-get update && apt-get upgrade
# Install Maven
apt install maven
# Install Java SDK 8
apt-get install software-properties-common
add-apt-repository ppa:webupd8team/java
apt-get update
apt-get install oracle-java8-installer
# Verify Maven works and it does not throw a JAVA_HOME notice
mvn -version
# Get the AWS SDK source
git clone https://github.com/aws/aws-sdk-java-v2.git
# Check out a tag containing the release you want to use for the build
cd aws-sdk-java-v2
git fetch && git fetch --tags
git checkout 2.x.x
# Build out the SDK
mvn clean install
# compiles to ./bundle/target/aws-sdk-java-bundle-2.x.x.jar

Now, as I mentioned before, it’s recommended to compile only the components (services) you are going to use to reduce the JAR footprint.

The guide for this can be found here: https://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/setup-project-maven.html

However, I found that guide to be fairly unhelpful. Currently I haven’t been able to get it to build successfully (it creates an empty JAR file).

Basically it’s supposed to use a “Bill of Materials” in the “MVN Repository” as your dependency dictionary. Then I believe it’s supposed to download the source files located in the MVN Repository, based upon your dependency definitions.

Here’s my pom.xml file that is used to define all that:

[Screenshot of the pom.xml; image not reproduced]

After hours of frustration, I decided to boot up an AWS Linux 2 instance to see if maybe it was Windows Ubuntu related. Interestingly enough I got a different outcome.

When looking at the contents of the target jar, it looks promising. Not exactly sure what to expect just yet.

#jar, #java, #sdk

CF Summit 2017 – Part 2

Starting from Part 1 of my “CF Summit 2017” series I will dive into some of my conversations with Adobe and more “Application Monitoring Suite” details.

The Adobe Team

Let me start out by saying that I know a number of people, myself included, enjoyed having the ColdFusion engineering team on-site at the conference. I want to thank them for the long trip from India, which appears to be at least a 24 hour trip one-way. I could barely stand the 3 hour cattle flight from Omaha on Southwest. Those seats were great when I was a kid half my current size – but they never seemed to take into account that American adults actually sit in those seats too!

I spent a bit of time speaking with Anit Kumar, the Technical Support Manager, who was very welcoming of what I had to say. A number of people also wanted his attention, so I also spoke a bit to Vamseekkrishna Nanneboina, the Quality Engineering Manager.

CF Summit 2017 – Part 1

My co-worker at CF Webtools, Wil Genovese, and I were fortunate to attend the Adobe ColdFusion 2017 Summit this year.

The primary focus of the event was on “Aether”, the next version of ColdFusion, which will be known as “ColdFusion 2018”. The primary topics surrounding Aether were the API Manager, containerization (Docker), security by default and a new “Application Performance Monitoring Suite”.



Running ColdFusion 9 on Windows 10

Most of us find it impossible to install and run Adobe ColdFusion (ACF) 9 on Windows 10. There are a select few that suspiciously find it easy to install and run on Windows 10.

One of the more popular methods is to create a Windows 7 Virtual Machine (VM) and install ColdFusion 9 there. I’ve even done that. But what you find, particularly on Hyper-V, is that it lacks portability. I can’t reasonably send another developer my VM: first, due to licensing issues, and second, it can be huge depending upon the size you reserved for the virtual drive.

But thanks to the Ortus team, and with a little open-mindedness, CommandBox takes care of this issue. From the Ortus website: “CommandBox is a standalone, native tool for Windows, Mac, and Linux that will provide you with a Command Line Interface (CLI) for developer productivity, tool interaction, package management, embedded CFML server, application scaffolding, and some sweet ASCII art. It seamlessly integrates to work with any of our *Box products but it is also open for extensibility for any ColdFusion (CFML) project as it is also written in ColdFusion (CFML) using our concepts of CommandBox Commands. It tightly integrates with our contribution community; ForgeBox, so developers can share modules world-wide.”

So basically what’s going on here, in this blog entry’s context, is that CommandBox will run ACF 9+, Railo 4.2 and Lucee 4.5+. This is done by running a WAR in Java against CommandBox’s own web server, which still supports ACF9 integration. Technically you’re supposed to install Java 1.7 for official support of ColdFusion 9. However, from what I’ve seen, it runs just fine on Java 1.8.

Here are the easy steps in Windows to get you running in less than 10 minutes:

  1. Download CommandBox at https://www.ortussolutions.com/products/commandbox#download. I suggest “With JRE Included”.
  2. Extract the contents to something like C:\CommandBox. For all other OS’s see Installation.
  3. Open a Command Prompt
  4. Go to your new directory, such as “CD C:\CommandBox”
  5. Type “box” and enter
  6. This will then initiate Box for the first time and then take you to the Box CLI.
  7. Change directory to the website that needs ColdFusion 9 (in this example: “cd \websites\cf9test”).
  8. Here we will set the ColdFusion engine, version, hostname (optional) and name (optional)*. Run:
    server set app.cfengine=adobe@9 (this will run the latest version of ACF 9)
    server set web.host=cf9test.local (be sure to set in DNS or your hosts file to 127.0.0.1 or you will get a “Cannot assign requested address: JVM_Bind” error)
    server set name=cf9
  9. Step #8 will be saved in server.json and never needs to be done again as long as that file is intact. For more configuration arguments, see Server.json.
  10. Type “start” and press enter**
  11. This will download the ColdFusion 9 WAR and extract it and then initialize it. This may take a number of minutes.
  12. Once CF9 is “installed” a browser window will open up to “http://cf9test.local” or whatever you set the web.host to. If you didn’t define web.host it will open up to “http://127.0.0.1”. Either way it will use a random port number. This port number can be defined in the server.json configuration file.
  13. Append “/CFIDE/Administrator” to the URL it is using. If you accidentally closed the browser tab, look for the blue CF task icon in your task bar. Click it once and click “open browser”.
  14. The password to the ACF admin is “commandbox”
  15. Configure necessary settings such as data sources or enable J2EE session variables if needed.
  16. Then go back to your root URL and you should be up and running.

There is so much you can do with CommandBox, including https, URL rewrite and even generating CFM frameworks. See the CommandBox Manual for more.

*When setting the server name, this will allow you to keep configurations stored, such as a DSN, in the admin. You can use a general name such as “cf9” and use it among different instances, or you can use a more specific name just for that instance or a group of instances, such as “mysite”. Without it, you have a chance of losing or overwriting configurations in the CF Admin.

There is a way to script out your ColdFusion config, such as DSNs, using CFConfig CLI. However, as of this post’s writing, it doesn’t allow you to use ColdFusion 9. But feel free to experiment using this with other versions or later down the road.

There are a number of other ways to configure your servers as well. See Configuring your CommandBox servers on first start by Brad Wood.

**The thing to keep in mind here is that the webroot for the website being loaded up in your browser is the directory you run “start” in.

ColdFusion Framework Note

I tend to monitor the “ColdFusion Programmers” Facebook group. Today a poster asked:

Hi guys, what do you prefer: CFWheels or Coldbox? I used CFWheels before and it is good, but I recently started playing with Coldbox and so far it is pretty cool – Jorge Alexandro Martinez Dominguez

My response was:

I use FW/1 for about everything because it’s simple and what I know. However, ColdBox will give you a ton more functionality via modules, and they aggressively keep that framework up-to-date. They are very involved in the community and even have an “Into The Box” event once a year for pre-conference. I would use either, but if you’re new to both I’d probably look at ColdBox. Both base frameworks are similar.

Brad Wood, from Ortus Solutions, also chimed in with a blog post from 2015 about how ColdBox 4 changed pretty drastically. It’s always a good read when asking yourself the Framework question: It’s Time You Looked At ColdBox 4

Simple jQuery AJAX w/ ColdFusion

I had a request to supply a sample HTML page that would send a subscriber’s email address to ColdFusion without reloading the page. So I figured I’d post it here for any others looking for a simple example. This method uses jQuery, AJAX and a ColdFusion component.

index.html or index.cfm

<!DOCTYPE html>
<html>
	<head>
	</head>
	<body>
		<div id="subscribeContainer">
			<input type="email"><button type="button">Subscribe</button>
		</div>
		<script src="//ajax.googleapis.com/ajax/libs/jquery/2.2.2/jquery.min.js"></script>

		<script>
			(function($) {
				// bind the button with an event handler
				$('#subscribeContainer button').click( function(e) {
					// when button is pushed, POST data to remote ColdFusion component method
					$.post(
						'subscription.cfc',
						{
							method: 'subscribe',
							email: $('#subscribeContainer input').val()
						}
						)
						.done( function() {
							// everything worked
							$('#subscribeContainer').text('You have been subscribed.');
						})
						.fail( function() {
							// something failed
							$('<span>There was an error subscribing.</span>').appendTo('#subscribeContainer');
						}
					);
				});
			})(jQuery);
		</script>
	</body>
</html>

subscription.cfc

component {

	remote void function subscribe( required string email ) {
		// call database insert method here
	}

}
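As an added example (not code from the original post), here is a filled-in subscription.cfc that validates the address server-side and inserts it with a parameterized query; the datasource name, table name and column names are assumptions, and it assumes ColdFusion 11+ or Lucee for queryExecute and the script form of cfheader.

```cfml
// Added example, not the original post's code: a subscription.cfc whose remote
// method does not trust the email value the page's jQuery sends.
// The datasource "siteDSN" and the "subscribers" table are assumptions.
component {

    // Remote methods are reachable by anyone who can reach the server, so
    // validation and a bound SQL parameter happen here, not only in the browser.
    remote struct function subscribe( required string email ) returnformat="json" {
        var result = { "success": false, "message": "" };

        // Only accept the POST the page's jQuery actually sends.
        if ( cgi.request_method != "POST" ) {
            cfheader( statuscode = 405 );
            result.message = "Method not allowed.";
            return result;
        }

        var address = trim( arguments.email );
        if ( !len( address ) || len( address ) > 254 || !isValid( "email", address ) ) {
            cfheader( statuscode = 400 );
            result.message = "Please enter a valid email address.";
            return result;
        }

        // Bound parameter, never string concatenation, so the address cannot
        // alter the SQL statement.
        queryExecute(
            "INSERT INTO subscribers ( email, subscribed_at ) VALUES ( :email, :now )",
            {
                email: { value: address, cfsqltype: "cf_sql_varchar" },
                now:   { value: now(), cfsqltype: "cf_sql_timestamp" }
            },
            { datasource: "siteDSN" }
        );

        result.success = true;
        result.message = "You have been subscribed.";
        return result;
    }

}
```

A 400 or 405 status makes the page's $.post() call fall through to its .fail() handler, while a 200 with the JSON body reaches .done().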

Come Work With My Team!

CF Webtools, where I’ve placed my career coming up on 8 years, is seeking a talented ColdFusion developer. We’re 25 strong and are looking for #26!

You can either work remotely in the comforts of your own personal office space (AKA your spare bedroom) or enjoy your own office space at our Omaha, NE office. We keep in touch with each other day-to-day via Skype. This provides us with one-on-one, project chats and company-wide chats. Most of the time it’s text chatting, but we also use it for voice when it’s just more efficient.

CF Webtools is a great fit for me because it provides the diversity and challenges needed not to become worn out with the same task over-and-over. There are always new opportunities that arise over the years. With this also comes constant learning. Each project brings its own set of challenges.

Granted most projects are not picture perfect as they tend to build up technical debt over time; but you get the opportunity to sell your expertise to the customer giving them the best path forward fitting their needs.

Experience needed not only includes ColdFusion but SQL, SQL, SQL, web server, Windows, Linux, Mobile OS, basic networking and just a good set of troubleshooting skills.

Give Mark or Jason a call at 402-408-3733, tweet @cfwebtools or contact the business owner Mark via his blog at coldfusionmuse.com .

Photo: Omaha Staff 2015

#career, #cf-webtools, #coldfusion-2, #job, #nebraska, #omaha

Allaire Brothers talking about ColdFusion