Today's muse is Henry, with this Twitter status message:
#coldfusion sandbox security requires FileRead() because some code uses "new Query()" due to base.cfc. That's a pretty bad design, no?
— Henry Ho (@henrylearn2rock) July 14, 2014
Showing posts with label Henry Ho. Show all posts
Showing posts with label Henry Ho. Show all posts
Tuesday 15 July 2014
Query.cfc et al functions have file-reads and server-wide exclusive locks buried in their code
G'day:
Today's muse is Henry, with this Twitter status message:
Today's muse is Henry, with this Twitter status message:
Monday 30 June 2014
Adobe apparently cease development and/or support of UI tags in ColdFusion
G'day:
I didn't want to put a question mark on that for the traditional reasons. However it seems this might be true. At last.
Thanks to Henry Ho for putting this news in front of me:
I didn't want to put a question mark on that for the traditional reasons. However it seems this might be true. At last.
Thanks to Henry Ho for putting this news in front of me:
#coldfusion stopped supporting UI tags.
RT @udayogra: As decided we won't invest any time in Ajax UI components https://t.co/kWD7vIbddO
— Henry Ho (@henrylearn2rock) June 30, 2014
Wednesday 9 April 2014
Ye Olde XMLSearche Bugge
G'day:
Henry mentioned this last night:
Henry mentioned this last night:
XMLSearch() is not thread safe since CF7 http://t.co/ubz29eJOOt #coldfusion Just encountered in CF10.That sounded like something I could get my teeth into, so had a look at it this morning.
— Henry Ho (@henrylearn2rock) April 8, 2014
Tuesday 9 July 2013
Well done Adobe ColdFusion Team
G'day:
Hopefully you've heard there's a patch out for ColdFusion 10 (now version 10.0.11) for the web sockets security hole that Henry Ho noticed a week or so ago. I did some investigation on the issue, and identified four separate problems with the web sockets implementation on un-patched (10.0.10 and below) ColdFusion 10 installations.
The good news is that two of those four issues are fixed, and they are the two significant ones:
Hopefully you've heard there's a patch out for ColdFusion 10 (now version 10.0.11) for the web sockets security hole that Henry Ho noticed a week or so ago. I did some investigation on the issue, and identified four separate problems with the web sockets implementation on un-patched (10.0.10 and below) ColdFusion 10 installations.
The good news is that two of those four issues are fixed, and they are the two significant ones:
- public CFC methods were callable via web sockets. Only remote methods ought to be externally accessible;
- non-web-accessible CFCs were accessible via web socket requests, provided there was a ColdFusion mapping to them.
Wednesday 3 July 2013
Official confirmation: Adobe is on the case regarding ColdFusion 10's web sockets security issue
G'day:
SSIA, really. But you know me: I can pad 14 words of information out to take 1400 words to say...
This is in reference to the security holes that were discovered in ColdFusion 10's web sockets implementation a few days ago, as I discussed in an earlier article: "Web socket security issue: risk assessment & findings".
Rakshith posted on Twitter & on the Adobe ColdFusion blog today that a fix is in the pipeline. He does not go into any details as to whether they're fixing all the issues identified, or some, or what: I guess time will tell.
However I'm pretty impressed with their turn-around time on this one. Henry raised the issue on June 27, and it's only a week later and they're got a patch in the works (I presume it's well under way, not that they were simply starting it when Rakshith announced it).
I look forward to testing it, and I will feedback with my findings having done so.
Not bad: only 180-odd words to re-articulate the necessary 14 ;-)
--
Adam
SSIA, really. But you know me: I can pad 14 words of information out to take 1400 words to say...
This is in reference to the security holes that were discovered in ColdFusion 10's web sockets implementation a few days ago, as I discussed in an earlier article: "Web socket security issue: risk assessment & findings".
Rakshith posted on Twitter & on the Adobe ColdFusion blog today that a fix is in the pipeline. He does not go into any details as to whether they're fixing all the issues identified, or some, or what: I guess time will tell.
However I'm pretty impressed with their turn-around time on this one. Henry raised the issue on June 27, and it's only a week later and they're got a patch in the works (I presume it's well under way, not that they were simply starting it when Rakshith announced it).
I look forward to testing it, and I will feedback with my findings having done so.
Not bad: only 180-odd words to re-articulate the necessary 14 ;-)
--
Adam
Sunday 30 June 2013
Web socket security issue: risk assessment & findings
G'day:
Yesterday I engaged in some unrepentant shock tactics, writing an article entitled "Security warning: stop using ColdFusion web sockets right now". This warning arose from my initial investigations into an apparent significant security hole in web sockets, as reported by Henry Ho on Stack Overflow. I have checked into things more thoroughly, and here's the details of my findings.
Firstly, I have considered how responsible I am being by publishing this material. But I have concluded my readership is far less than Stack Overflow's, so the vulnerability is already public. Plus I think it would be helpful for people to know what they're up against. Plus - unabashedly - I hope the "publicity" will encourage Adobe to deal with this ASAP.
Yesterday I engaged in some unrepentant shock tactics, writing an article entitled "Security warning: stop using ColdFusion web sockets right now". This warning arose from my initial investigations into an apparent significant security hole in web sockets, as reported by Henry Ho on Stack Overflow. I have checked into things more thoroughly, and here's the details of my findings.
Firstly, I have considered how responsible I am being by publishing this material. But I have concluded my readership is far less than Stack Overflow's, so the vulnerability is already public. Plus I think it would be helpful for people to know what they're up against. Plus - unabashedly - I hope the "publicity" will encourage Adobe to deal with this ASAP.
Threat summary
OK, so what's the story? Basically ColdFusion 10's web sockets have a couple of significant security failings, and some other unhelpful quirky behaviour as well.
Saturday 21 July 2012
Which is better: having your methods inline in a CFC, or included from a separate file? (cont'ed)
This is just a reply to Henry, Shawn and Dave regarding my earlier posting on this topic, but as it's longer than 4kB, I cannot post it as a comment to the original post, so I'm creating a new one.
Hi guys. I didn't reply to the bulk of this last night cos I was watching a movie(*) and could multi-task enough to keep an eye on the #ColdFusion channel on Twitter, but not enough to give my reply to you the attention it warrants.
@Henry. Yeah, I too am let down by the lack of static methods in ColdFusion, and for the same reason. I have hit Adobe up about this a coupla times (for CF9 and for CF10), but I'm always swamped by colleagues saying it's to complicated to implement (this was not from Adobe, but a CF community member, so dunno if that has merit); most CF developers are too "junior" to understand what they are so it'd be wasted on them; you can work around it easy enough; ColdFusion is all about simplicity, and this concept is to complicated; and that old specious chestnut "if you want to use Java, use Java". Which is all a mix of faulty logic or is just plain facile. Still: the idea always garners this negative criticism, so I guess it didn't seem compelling to Adobe. Anyway: we are where we are... no static methods.
Hi guys. I didn't reply to the bulk of this last night cos I was watching a movie(*) and could multi-task enough to keep an eye on the #ColdFusion channel on Twitter, but not enough to give my reply to you the attention it warrants.
@Henry. Yeah, I too am let down by the lack of static methods in ColdFusion, and for the same reason. I have hit Adobe up about this a coupla times (for CF9 and for CF10), but I'm always swamped by colleagues saying it's to complicated to implement (this was not from Adobe, but a CF community member, so dunno if that has merit); most CF developers are too "junior" to understand what they are so it'd be wasted on them; you can work around it easy enough; ColdFusion is all about simplicity, and this concept is to complicated; and that old specious chestnut "if you want to use Java, use Java". Which is all a mix of faulty logic or is just plain facile. Still: the idea always garners this negative criticism, so I guess it didn't seem compelling to Adobe. Anyway: we are where we are... no static methods.
Subscribe to:
Posts (Atom)