In this case you would still get the stack trace, because the error is thrown by Tomcat before it hands the request off to CF. ... View more

The easiest way you can mitigate this (and a generally good practice) is to setup a default website on your web server that listens on the IP/port, and does not serve dynamic (CFML, ASP.NET, etc) requests. Then have the web server setup to serve your site only when the host header matches. This has the advantage of catching all the bots that are just hitting random IP addresses, you can simply serve up a static html page with a link to the main site (but really you woudn't be getting any legit human traffic).   As for this issue in Tomcat, it appears that because it is a URL parsing issue Tomcat is unable to know which web application should handle the issue. I would have though that having the <error-page> defined for status 400 would be sufficient, but according to this thread: https://stackoverflow.com/questions/52814582/tomcat-is-not-redirecting-to-400-bad-request-custom-error-page you would have to use the ErrorReportValve to catch this in Tomcat and display a friendly HTML page.   Hope that helps!   Pete Freitag Foundeo Inc. ... View more

Just want to add, since it was not mentioned that CF9 has reached end of life many years ago. That means it presumably has security holes that are not patched, and will never receive any future security update. You really should not be using CF9 in production anymore (CF2016 & CF2018 are still supported currently). ... View more

It sounds like you may need to configure the RemoteIpValve in Tomcat to let it know that the request was proxied over a secure transport: https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_IP_Valve    Pete Freitag Foundeo Inc. ... View more

I would guess it has to do with how CF is encoding the equals sign in the header value. Try adding encoded="false" to your cfhttpparam that contains the token. ... View more

To Charlie's point, there could be a case where a file can be executable on a web server without an extension, in Apache you can setup a ScriptAlias which points to an entire director for stuff like cgi-bin. It is a bit of a stretch, and you could argue that if your upload code allows uploads into a cgi-bin then it probably doesn't matter what the file extension is. I think it would be good to retain some way of blocking extensionless uploads either with another setting, or by an empty string in the extension list, eg: cfm,,cfml,etc or maybe a special keyword, eg: no-extension in the extension list. ... View more

There is a setting in MySQL that can be changed to allow connections, you would then also need to open the mysql port in the firewall for traffic coming from your CF server's IP. I'd probably go for the above route, but if it really is not an option, then you can create a SSH tunnel, for example: Assuming you are on a unix OS on your CF server you would run this: ssh -L  33306:127.0.0.1:3306 user@mysql-server.example.com This creates a tunnel on port 33306 on 127.0.0.1 which points to port 3306 on mysql-server.example.com You would of course need to make sure the tunnel stays up all the time (which is why it is probably better to configure the MySQL server to accept the connections directly), if your CF server is on Windows then you can use putty to create the tunnel. ... View more

Hi Thorsten, Typically that would be done over TLS (formerly known as SSL) not ssh, though you could probably create a SSH tunnel. Using TLS is probably what you want for an encrypted communication channel. Typically the process I have used is to create a ca certificate, public key and private key on the mysql server, then import the CA certificate into a PKCS12 keystore. From there you have to use the JDBC connection string to tell the datasource to use SSL and point to a keystore file. For example: useSSL=true&requireSSL=true&trustCertificateKeyStoreUrl=file:///config/mysql/mysql-ca-truststore.p12&trustCertificateKeyStoreType=PKCS12&trustCertificateKeyStorePassword=whatever For reference, and for instructions on how to do the MySQL side of it, take a look at the MySQL Docs: MySQL :: MySQL Connector/J 8.0 Developer Guide :: 6.7 Connecting Securely Using SSL If your MySQL Server supports TLS 1.2 (the community edition doesn't by default, see my blog entry about that) you may also want to add enabledTLSProtocols=TLSv1.2 -- Pete Freitag Foundeo Inc. ... View more

Yes, they have made some changes in CF2018 to where the connector puts those files, if I recall correctly, that is normal for CF2018 to put them there. ... View more

Hi Gary, Sure, you can just use the AND operator to add multiple conditions to the cfif statement: <cfif ArrayIsDefined(F,2) AND isNumeric(f[2]) AND f[2] GTE 1 AND f[2] LTE 99> The conditions are evaluated using short circuit logic, so if ArrayIsDefined(F,2) is false, then isNumeric(f[2]) is never executed. Pete Freitag Foundeo Inc. ... View more

Glad you got it working, and good to know that the issue happened in FireFox. Maybe something for the Adobe team to look into if it is reproducible on FireFox. ... View more

Hmm, I agree with Charlie, that it should not be necessary to give the Users group r/w access to the entire drive... The Users group is telling here because the IIS IUSR account (the account that anonymous requests to IIS are authenticated as) is implicitly a member of the Users group, you cannot remove it from this group and it doesn't show up in the GUI as a member, but it just IS a member of Users always. Looking at where the lockdown installer failed, I would guess that the actual problem is that IUSR did not have permission to the cf_scripts directory in your CF installation folder when it tried to create a virtual directory. Giving full read/write permission to the entire drive would "solve" the problem if that were the cause, but it is also way more than should be necessary. It should only need to grant read permission to that folder, maybe it is trying to write a web.config or something as well? ... View more

You probably want to stick with Java 11, instead of Java 12. Version 11 is a long term support (LTS) version, meaning it is meant to be stable and supported for a long time. Version 12 is not a LTS version and will go unsupported in September 2019. So Java 12 is kind of a stepping stone release as they get to the next LTS release. You might find my blog entry on this useful: https://www.petefreitag.com/item/860.cfm ... View more

If you had a proxy or load balancer that is doing SSL termination, and then proxying over plain http then Tomcat would not realize it should be setting a secure cookie. But I'd think in your case you would probably not be doing that. Either way best bet is probably to make sure you have setup tomcat to always set the secure flag for jsessionid, eg like this <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config> in web.xml Probably not related but I was reminded of this when you mentioned IE working differently with cookies : https://www.petefreitag.com/item/857.cfm ... View more

FYI Tomcat will set the JSESSIONID cookie as secure as long as it thinks the request is made over https. Not sure why you are getting two cookies, most often this is due to having some code that is trying to set a cookie manually.  I did some looking into this a few years ago: https://www.petefreitag.com/item/817.cfm ... View more

Actually it is important to destroy the session upon logout and CF does in fact not mind at all - there is even a function you can call to do it: sessionInvalidate() https://cfdocs.org/sessioninvalidate It is a security best practice to do this upon logout.  If you use j2ee sessions there is a way to do that as well. Beyond that it also helps with performance because it allows the session memory to be freed up. ... View more

It is a JVM argument -- what do you have specified in the JVM arguments in the Java And JVM settings of ColdFusion Administrator? You will probably want to remove this:  -XX:StartFlightRecording This is a profiling feature in the JVM, you probably don't want that enabled on your production server. More info: How to Produce a Flight Recording ... View more

Hi Annie, I don't think it would make much difference, because the apache user will be a member of both the apache group and the webusers group, and the cfuser can be controlled by the owner user bits. Feel free to email me directly to discuss further, it is my first name (4 letters) at foundeo.com ... View more

Just curious incase it makes a difference, what DB type are you using? ... View more

Thanks for clarifying Annie, that is odd that it would need write permission to that file. It is just a configuration file but perhaps the new autotuning feature now writes to it so it opens for writing instead of opens it for reading?? ... View more

I have added a bug here: https://tracker.adobe.com/#/view/CF-4204021 please vote for this bug if you are having the issue. I have heard that Adobe is aware of the issue. I'm not sure what the course of action will be, I'm hoping they come out with another real update (not a jar file to download) to fix all the bugs soon. ... View more

First - you should file a bug so Adobe is aware of the issue. Next make sure that apache has permission to read that file Finally make sure that selinux has the proper label on the file: chcon -t httpd_config_t -u system_u /opt/coldfusion2018/config/wsconfig/1/uriworkermap.properties ... View more

Are you talking about this: Adobe Security Bulletin APSB19-10 ? If so that is not technically a zero-day unless it was being exploited before the patch was released, I didn't hear that was the case, but maybe you heard something I didn't. I found one of those vulnerabilities in the hotfix, so I do know the details of it, but I don't usually post details publicly (even when patches exist). Feel free to email me, my first name (4 letters) at foundeo.com ... View more

Ok - cool - have a good afternoon! ... View more

You might have misunderstood what I was saying -- Application.cfm still works on CF2018, you do not need to change that to upgrade. ... View more

Application.cfm still works in ColdFusion 2018 just fine. For the most part code written for CF9 should work just fine with CF2018. The one place where you might an issue is if you were using something that was removed: ColdFusion Help | Deprecated Features for example the cfgraph tag was removed in CF11. Checkout that link it should tell you what has been removed and then you just need to search your code to see if you are using any of the features. There is also a code compatibility analyzer in the CF Admin that you can run, it might be useful. ... View more

Yeah that syntax should work on CF9+ queryExecute only works on CF11+. I prefer queryExecute when possible, but in your case the query cfc approach should work. ... View more

Using queryExecute is probably the best way to go here. While I usually pass the queryparams as a struct in this case since you have a dynamic number of params I would pass them as an array, something like this: sql = "INSERT INTO Contacts (First, Last, Email, Subject, Description)"; params = [];  if ( trim(form.type) == 1 ) {           sql &= "VALUES(?,?,?,?,?)";          params.append( { maxlength=50, cfsqltype="cf_sql_varchar", value=trim(form.first) } );     params.append( { maxlength=50, cfsqltype="cf_sql_varchar", value=trim(form.last) } );           //etc...       } else {        //etc...      }  insertRec = queryExecute(sql, params, {datasource="db" result="qryInsert"}); ... View more