Coder's Revolution

Do you want a revolution?

Category Filtering: 'CF'

Adobe Product Security Incident Response Team (PSIRT) On ColdFusion And HeartBleed

ColdFusion, General, Networking, Railo, Security

The world is abuzz with the OpenSSL "heartbleed" bug and the ColdFusion community has also been going 'round about it too.  Firstly, a server (like Apache, Nginx, Tomcat, etc) can be exploited by a client on a hackers machine requesting an SSL connection.  In addition, a client (CURL, wget, CFHTTP, etc) can be exploited if connecting to a malicious SSL endpoint.  So basically, the bug has the ability to flow both ways. 

For most CF sites, they are using IIS, Apache, or Nginx to serve content so ColdFusion has no bearing on the vulnerability from that end.  Any CFML application, however, can connect to a malicious SSL endpoint.  Of course, it only matters if the OpenSSL library is specifically being used.  Any other SSL implementation is safe.

To date, neither Adobe or Railo have yet to make public announcements via security bulletins or their official blog.  There have been a handful of less "official" conversations in mailing lists and Twitter.  As best I can tell, neither Adobe ColdFusion or Railo use OpenSSL and therefore are safe.  Of course, any other parts of your web stack (even bundled libraries) might use OpenSSL.  Gert from Railo has promised a blog entry "soon" to address the issue regarding Railo.  There has been some complaining about the lack of official word from Adobe, and my understanding is that the ColdFusion team's hands are tied by the Adobe PSIRT who are the only ones allowed to comment publicly on security matters.

 The general consensus is they could certainly say something, even if it was simply, "Hey, we're looking into it and will get back to you soon".  That as it is, I E-mailed Adobe's PSIRT myself and got a reply that seems as close to an official reply as they are willing to provide at this point though I'm unclear why they're talking about it one-on-one but refraining from public statements.  For the sake of those who haven't E-mailed PSIRT, I will post their reply here for the benifit of the community until something official comes out.  Also, for funsies, I'll post my original E-mail plus my followup.  If I hear back again, I'll update this post.


From: Brad Wood
To: PSIRT@adobe.com
Date: Wed, Apr 16, 2014 at 5:45 AM
SubjectAdobe ColdFusion and Heartbleed

Dear Adobe PSIRT team, 

 
I would like to encourage you to please make a public announcement regarding Adobe ColdFusion and if it is vulnerable to the latest OpenSSL "heartbleed" bug. This is a very significant bug that has people around the world scrambling to patch their software.  Even if Adobe ColdFusion is not susceptible to the recent "heartbleed" bug I would strongly suggest making an announcement on your blog to state that or authorize the ColdFusion team to do so on their blog. 
 
Many people in the CF community have noticed the silence on this issue and an official announcement really needs to be made in order for your customers to feel safe and to verify with their employers that they have all the patches they need.  Communication is very important and I hate to see the Adobe ColdFusion team getting beat up for not addressing this issue publicly on their blog.  Please authorize them to make some kind of statement on this.
 
Thanks!
 
~Brad

From: PSIRT@adobe.com
To: Brad Wood
Date: Wed, Apr 16, 2014 at 1:39 PM
Subject: RE: Adobe ColdFusion and Heartbleed

Hello Brad,

 

Thank you for contacting us.  We appreciate your feedback.  Please note that ColdFusion does not use OpenSSL. However, customers who are using an external web server with their ColdFusion deployment (ex. Apache) should test for CVE-2014-0160. If affected, customers should follow the recommendations provided in the OpenSSL security advisory, available at https://www.openssl.org/news/secadv_20140407.txt. Adobe

also recommends consulting the ColdFusion lockdown guides for security best practices:

https://www.adobe.com/content/dam/Adobe/en/products/coldfusion-enterprise/pdf/cf10-lockdown-guide.pdf

http://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf

 

We hope this information is helpful.  Please let us know if you have additional questions.

 

Thank you,

Adobe Product Security Incident Response Team


From: Brad Wood
To: PSIRT@adobe.com
Date: Wed, Apr 16, 2014 at 3:13 PM
SubjectAdobe ColdFusion and Heartbleed

Dear PSIRT Team, 
 
Thanks for the reply.  I appreciate the links and concern.  Let me be very clear though-- I am not asking about this for the sake of my servers, I am letting you know that Adobe needs to make a public official statement on the matter for the entire community to see.  Even if your blog entry said nothing more than what you put in your E-mail reply that would be great-- but the community has noticed the lack of public response by Adobe to this matter and it's reflecting quite poorly on your PR.
 
If the PSIRT team doesn't have time to make a quick announcement, please authorize the ColdFusion team to put out a blog post.  This would do a lot for the community as silence breeds distrust and most every other major technology stack have already addressed their platform publicly-- even if just to say they are not vulnerable.
 
Thanks!
 
~Brad
1

My First Experience With DataBoss Dynamic ORM Administrator

ColdBox, ColdFusion, ColdFusion Builder, ORM

With the release of DataBoss 1.3 today, I thought I'd share a quick story about my recent first project diving into DataBoss.  Full disclosure: DataBoss is a commercial product and I work for the company that makes it.  None the less, I thought it was pretty freaking useful so I thought I'd throw out this quick post.

For those of you who don't know what the heck DataBoss is-- it's a Dynamic ORM Administrator.  Basically, it can scaffold out CRUD (Create, Read, Update, Delete) screens for pretty much any database structure and it's all based on ColdFusion ORM.  It runs on Adobe ColdFusion as well as Railo and the minimum to get it running is to create ORM entity CFCs, drop them in your models folder and reload ORM via the interface.  It will pick up your entities, read all the relationships, and create all the screens necessary to manage the data in your database complete with formatting, validation, rich text editors, date dropdowns, etc.

So, the recent project I got assigned was for a company that does development services.  They had a project they had been working on for one of their clients that involved a nicely-normalized database of about 20 tables that supported a multi-lingual ordering and reservation system.  They had the front end system built out with ColdFusion but the problem was the deadline was getting very close and they weren't going to have to time build the backend of the system that allowed all the products, descriptions, and companies to be configured.  They needed to have a backend over to their client in a matter of days to start entering data, but there simply wasn't enough time to build one from scratch.

Enter DataBoss.  I was tasked with setting up a data-entry app they could use to manage their database until they had time to finish the backend.  The database that had already been built was well-structured and contained many examples of one-to-many, many-to-one, and many-to-many relationships.  I was given a backup of the data structure and a diagram that showed all the foreign key relationships.  Using Adobe's CFC Generator for ColdFusion Builder, I selected the tables via the RDS datasource view and stubbed out all the ORM entities in script.  Don't try to use the CF Builder plugin to create relationships.  It's horrible and you'll be sorry.  For just stubbing out the entities and the properties, it's pretty good though and saves a lot of time.

DataBoss is packaged as a portable ColdBox module which means you can drop it into an existing ColdBox app, or just deploy it as a small standalone app.  I chose the latter and dropped my ORM entities in the /model folder.  After adding my datasource name to Application.cfc and changing dbCreate to "none" the app sprang to life and displayed a list of all my entities in a drop down.  There's settings in a JSON file to control pagination as well as the internationalization of the DataBoss app itself.  DataBoss already comes bundled with German translations which was nice since this project was for a German company.  

At this point, I went through and configured all the relationships and added metadata to each entity and property that controlled how it displayed on the screen, what kind of validation it applied, and what form controls to display for each field.  After a bit of tweaking, we had really nice CRUD screens fleshed out that even used 24-hour clock and dd/mm/yyyy date formats to match the local standard.  I enabled the Basic HTTP Auth built into DataBoss, and it was ready to deploy publicly!  All in all, we had the entire admin finished and ready to deliver to the customer in just a few days.

I was pretty pleased with how easy it was to get working, and was a major saver for them to get the edit screens to their customer in time.  And now, they can use those ORM entities for future development on the application.  DataBoss Standalone is only 99 bucks which isn't bad considering the time it can save you.  Think about using it for that old legacy database you have no edit screens for, or to help you create your next database.  You can also download a trial to play around if you want.

Product Site:

http://www.data-boss.com/

Docs:

http://www.data-boss.com/docs/index.html

0

Modern JVM Languages and ColdFusion Venn Diagram

ColdFusion

2

Mainstream News About ColdFusion Venn Diagram

ColdFusion, Security

0

Know Python? Help ColdFusion Get Proper Script Highlighting On GitHub

ColdFusion, General, GitHub

It's bothered me for a while, that GitHub and Gist don't have proper syntax highlighting for full-script CFCs like this one.  

They handle tags fine, and even do script inside of a <cfscript> tag, but just leave full script components as black text all the way down the page.

 ColdFusion has allowed all-script components since version 9 which was released 5 years ago.  I always just assumed that GitHub was aware of the problem and someone somewhere was hard at work resolving it.  Silly Me.

GitHub uses this Ruby library to determine what language a while is written in:

https://github.com/github/linguist

Which in turn uses this Ruby wrapper to spin up the syntax highlighter:

https://github.com/tmm1/pygments.rb

But that library is just a proxy to this Python library that actually does the color coding:

https://bitbucket.org/birkenfeld/pygments-main

It looks like there's already a ticket from 2012 to add support and Ben Riordan took a whack at it last year with no luck.  So I've forked the Pygments library, but know nothing of Python so I'm asking anyone who does to help me get this figured out.  Since script already works inside <cfscript> tags, it sounds like all the pieces are there-- we just need to properly identify script components and use the correct highlighter for them. Comment here or shoot me an E-mail if you'd like to help!

3

Who's Had More Vulns- PHP, Java, or ColdFusion?

ColdFusion, General, Security, Technology

I get tired of people on complaining about ColdFusion as a technology choice because it's "so insecure".   I regularly am told that it has more holes, more vulnerabilities, and a worse track record than other platforms. That's why I compiled this quick chart showing the number of Common Vulnerabilities and Exposures (CVE) by year for CF as well as PHP and Java (as reported by cvedetails.com) which are two of the most-used languages on the web.  I also threw in Apache Tomcat for comparison since it completes in the web space and CF10 actually runs on a version of it.

 

Click to enlarge

So to break this down, the red line riding out on top with a huge spike in 2007, that's PHP.  The purple line coming out of the backfield for a solid lead (?) at the end is Java.  The yellow line is Tomcat who still manages 10-15 vulns a year (and the only one to go LOWER than CF.  And that green line on the bottom with the lowest number of vulns every year, and nothing even reported until 2006- that would be CF.

So, sure-- there's a lot more info than just the counts on the chart.  My point also isn't that PHP or Java are bad-- I'm just trying to make the point that oft-used technologies are targeted by crackers and nobody is perfect.  And according to this data, CF is doing way better than several of the main techs out there.  It should also be noted that CF, Java, and PHP were all created the same year-- 1995, so don't give me any of this "old" crap either.  (Tomcat was created in 1999)

References:

 

10

CFML, Meet Runnable.com For Live Code Sharing

ColdBox, ColdFusion, GitHub, Railo, Runnable

You may have seen be tweeting about Runnable.com this week.  I've spent a decent amount of time figuring out how their platform works and getting CFML (Railo) running on it.  Basically, Runnable.com is CFLive.net, trycf.com, and JSFiddle.net all mashed up and super cool.  In short, the platform lets developers post any code samples they want for any database/language/framework up on the Internet so other developers can come along and not only read their code, but run it right there in the browser.  It doesn't stop there, other developers and fiddle with the original code and run the new version right there on the site to figure out how it works.  

It's all possible with Docker.io, a cool virtualization platform I just learned about, and Runnable has the whole thing running on top of Amazons EC2.  Basically, each code sample is an entire Linux VM with whatever installed on it that the publisher wanted to set up.  The template of this VM is stored and every time a visitor comes to the site and wants to check out that code sample, a dedicated VM is spun up in seconds just for that user.  Docker.io allows them to simultaneously service hundreds of users because it shares overlapping resources between the VMs so they're very lightweight and come online in seconds.

And since each user gets their own isolated playground, there's no sandbox security to worry about.  In fact, each code page has an emulated bash shell with root privileges at the bottom of the page!  Any local changes made by the visitors of the site, are discarded after they close their browser and the session times out.  The code samples aren't limited to a single file of code-- publishers can create tutorials to demo entire frameworks, with multiple files. Need a database?  Install one.  Need Tomcat? Install it.

So, speaking of Tomcat-- this is where ColdFusion comes in.  Runnable's Twitter account popped into a recent conversation and urged us to get CFML setup, so i took the task and ran with it.  Due to some issue with the Railo installer which they're looking at, I installed Tomcat 7 with apt-get and deployed Railo 4.1 as a WAR file in the root context.  The Runnable guys were super helpful.  They exchanged several E-mails with me and even chatted on Skype for an hour last week answering questions, tweaking my setup, and writing down suggestions.  

I published a proof-of-concept Runnable called CFML Templating With Tags and then a more involved followup called Use WireBox To Create Objects In ColdBox.  I've also created a new GitHub organization called cf-runnable to store all my tutorials.  Feel free to send me pull requests, or ask to collaborate and store your CFML runnables there as well.  Now, what's really, REALLY cool about Runnable is anyone can clone one of my tutorials, make it their own, and re-publish it under their name.  That means no one else has to reinvent the wheel to start putting cool code up on Runnable-- I've already figured a lot of it out and you can springboard off of what I've done, or dive in fresh yourself.

So this is the intro to a blog series I'm going to do how how I got Runnable working with CFML, what little speedbumps I've hit, and how I've been integrating with GitHub to version and host my code.  I have a lot of ideas for Runnable- both improvements for them (like beefier descriptions, and embeddable runnables) and ColdBox-themed tutorials I want to create to let people play around with simple examples and how-to's.  Stay tuned!

3

Coder's Revolution Is Now Running ContentBox CMS

ColdBox, ColdFusion, ContentBox, General

I am proud to have finally brought my blog into the new age my converting from BlogCFC which served me well for many years to ContentBox Modular CMS.  Other than a few case-sensitivity glitches moving my database from a Windows backup to my Linux server, it went very well.  Contentbox has a built-in BlogCFC converter which is very nice and pulled across all my content, categories, comments, users, etc in just a minute or so.  I also wrote a simple open source module for ContentBox which will support the old BlogCFC-style links to entries, pages, and RSS feeds so old links will still work.  I am using Computer Know How's Bootswatch Theme.

 Both the URL compatibility module and the Bootswatch theme are available on ForgeBox and can be installed directly from the ContentBox admin with the click of a button.  This is part of why ContentBox is so advanced and extensible.  Hopefully I'll blog a bit more now that I've got all the new ContentBox features.  I know I still need to do some cleanup on the code formatting in some of my entries.  If you see any broken links for functionality, please let me know so I can take a look and fix it.

3

My cf.Objective() 2014 Submissions & VOTE!

CFObjective, ColdFusion, Railo
Everyone seemed to be tweeting out their cf.Objective() 2014 submissions today so I figured I would as well. However, not being able to fit much in 140 characters, I figured I would stick it in a quick blog entry. Firstly, I like the open voting format this year. it seemed to work well for CF Summit and I didn't hear a single complaint about the content there. After a slow start, I see a good number of additional topics have flowed into the board this last week or so. I've submitted 3 topics of my own for consideration on the cf.Objective() 2014 Trello board. They are thusly:
2

What do you want in ColdBox?

CacheBox, ColdBox, ColdFusion, LogBox, WireBox
Team ColdBox is working on putting together a list of features for our 4.0 release. Before we finalize anything, we'd like to hear from you. Please give us your wishlist for the ColdBox Platform and what you'd like to see us work on. There's always items like documentation and additional screen casts, etc but let's focus specifically on what development items we can do to make ColdBox faster, easier, smarter, and flexible for YOU. No suggestion is too big or small. ColdBox Platform
  • Core MVC
  • WireBox
  • LogBox
  • CacheBox
  • MockBox
I started a thread on the official ColdBox mailing list>, but I also want to open up comments for people not in the Google Group. Please leave a comment with your thoughts and suggestions.
0