It's broken in spots I've run across, like use of ...
CKEditor 4 is now end-of-life software. Security patches are only released for CKEditor 4 LTS, which is available exclusively in our Extended Support Model Package.
and likely others.
It's incredibly valuable ... Shouldn't we keep it as relevant as possible?
So you're not asking about "working on the playlist" (as you put it) but updating the videos, right? And if so, that's certainly a fair point (for many reasons).
As for "more modern CF training", Adobe does in fact offer it--to those who register for the CF certification and its included online training. It's not free, but not expensive (as certs AND training go), at only US$149. Of course, many would prefer to see free training online, and perhaps someday Adobe may move that training to be on YouTube, or maybe they will have Damien update that training there on YouTube.
Until then, I hope the info above helps you or others who find this thread.
Charlie,
Thanks for that clear and meaningful response. I'm new around here, and when I was an active developer I worked for a company, Internetbrands, that owned a lot of web properties written in ColdFusion, in 2012 through 2014. We kinda made fun of it, those of us that fixed bugs and worked with the dev teams, as opposed to "serious" web development in C++/PHP/Java/JavaScript/Perl ... etc, etc.
Well, the joke's on me, because now I need gainful employment again, I'm 10 years older, and I want the certainty/security of a large community and corporate support of my tools, so I'm going to be a CF Maxi ...
Now I know where to go to get relevant training, so I can get a "Real" Job.
Cheers!!
Welcome, and thanks. I think you'll find that Adobe CF cert training to be a great boon to your plans.
Looking forward to perhaps seeing you here more often, whether seeking help or helping.
Charlie,
One other issue is that certification is nice, as long as it isn't frozen in time.
What about ongoing training and continuing education? I've never seen anyone do it better than Salesforce; they have a whole culture devoted to constantly enhancing everyone's knowledge base.
Is there something like that at Adobe for ColdFusion?
They have indeed been keeping it updated, so that's good news.
I doubt we'll ever see it as formally managed/updated/complete as similar programs in other large companies. Though Adobe is as large or larger, the focus on CF is tiny compared to the focus Salesforce would put on their namesake product. I've heard there are plans for another cert to come. Let's see how that may go.
Where is this CF2016 playlist? (ie, URL)
I'm not familiar with Adobe's video, but we integrated CKEditor 4 on our own. We wrote a CFTag to make it easier to integrate into existing CFML projects, but CKEditor can be added to any project by including their libraries and using vanilla JavaScript.
The real danger is when using any filemanager-related script to upload files. I believe that a recent CVE-2023-26360 exploit used Adobe's implementation of a filemanager script located at "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc", so I wouldn't recommend blindly enabling this. For more information on this exploit, check out this advisory from 12/5 (same day as your post):
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a
NOTE: If you are still using CF2016, it's unsupported and all CFCs are susceptible to XML code execution vulnerabilities even if your publicly accessible CFC is empty and does absolutely nothing. We've avoided using CFUI tags because Adobe's implementation resulted in invalid HTML (which invalidates HTML & passing accessibility tests) and technical debt due to the included third-party static resources (ie, JS) that weren't properly maintained & updated. We've also always blocked access to "cf_scripts" at the WAF or web server levels. For more info on this, check out this blog post entitled "Exploiting CVE-2017-11286 Six Years Later: XXE in ColdFusion via WDDX Packet" by Brian Reilly:
https://www.hoyahaxa.com/2023/09/exploiting-cve-2017-11286.html
James, it's a YouTube playlist on Adobe's CF channel:
https://youtube.com/playlist?list=PL3iywAijqFoUD31CQBLsHvJn4WAonNA7r&si=v49ymPsyzC8k6fuG
All that you offer are valid points, but I suspect the OP here is not USING CF2016. He was merely pointing out his own shared concerns of the YouTube playlist being about such an old version. Of course, there are far older playlists/videos on YouTube. It's the nature of the beast that old videos remain available. And while Adobe could technically "pull it down", they currently have not updated the video.
That's why I offered my first answer here, at least for the sake of one seeking modern cf training from Adobe.
Thanks for the mention, James, and +1 to your comment about iedit.cfc and anything else used as a filemanager/means to upload files. (Pete Freitag's CVE-2018-15961 is an example of the underlying risk here.)
And the general risk for remote access to .cfc files extends beyond CVE-2017-11286. Many of the recent ColdFusion vulnerabilities related to cfclient, WDDX and deserialization -- including CVE-2023-26360, CVE-2023-29300, and several in APSB23-52 -- just require remote HTTP access to _any_ .cfc file. The public exploits for CVE-2023-26360 used iedit.cfc because it was a publicly-accessible CFC file, but that could also be swapped out for any other .cfc. Avoiding remote CFC methods and blocking remote access to .cfc files goes a long way toward preventing access to codepaths with a history of vulnerabilities.
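Added example, not code from either James's or Brian's post: a small Python checker that turns the advice in both posts (block "/cf_scripts/" at the web server or WAF, and keep .cfc files off the public internet) into a detection rule run over constructed access-log lines. The trusted network ranges and the log lines are assumptions made up for the example.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Dec/2023:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Dec/2023:10:01:05 +0000] "POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc?method=placeholderMethod HTTP/1.1" 200 310 "-" "curl/8.0"
198.51.100.9 - - [05/Dec/2023:10:02:11 +0000] "GET /api/Orders.cfc?wsdl HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Dec/2023:10:03:40 +0000] "GET /api/Orders.cfc?method=list HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, verb, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: only these internal ranges are allowed to reach .cfc endpoints at all.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def classify(line):
    """Return a finding for one log line, or None if the request is unremarkable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src = m["ip"]
    path = urlsplit(m["target"]).path.lower()  # strip the query string before matching
    if path.startswith("/cf_scripts/"):
        # Anything under cf_scripts (including the filemanager CFC) should have been
        # blocked upstream; a 200 here means the block is missing.
        return f"{src} reached /cf_scripts/ (block at WAF/web server): {path}"
    if path.endswith(".cfc") and not any(ip_address(src) in net for net in TRUSTED_NETS):
        # Any remote .cfc access from outside the trusted ranges is the exposure
        # Brian describes, regardless of which CFC or method was requested.
        return f"{src} is an untrusted client hitting a remote CFC: {path}"
    return None


def scan(log_text):
    """Run classify() over every line and keep only the flagged ones."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The internal client on line four is deliberately left unflagged to show that the rule is about exposure to untrusted sources, not about .cfc usage as such.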