Showing posts with label Henry Ho. Show all posts

Tuesday 15 July 2014

Query.cfc et al functions have file-reads and server-wide exclusive locks buried in their code

Today's muse is Henry, with this Twitter status message:

Monday 30 June 2014

Adobe apparently cease development and/or support of UI tags in ColdFusion

I didn't want to put a question mark on that for the traditional reasons. However it seems this might be true. At last.

Thanks to Henry Ho for putting this news in front of me:

Wednesday 9 April 2014

Ye Olde XMLSearche Bugge

Henry mentioned this last night:

That sounded like something I could get my teeth into, so had a look at it this morning.

Tuesday 9 July 2013

Well done Adobe ColdFusion Team

Hopefully you've heard there's a patch out for ColdFusion 10 (now version 10.0.11) for the web sockets security hole that Henry Ho noticed a week or so ago. I did some investigation on the issue, and identified four separate problems with the web sockets implementation on un-patched (10.0.10 and below) ColdFusion 10 installations.

The good news is that two of those four issues are fixed, and they are the two significant ones:
  • public CFC methods were callable via web sockets. Only remote methods ought to be externally accessible;
  • non-web-accessible CFCs were accessible via web socket requests, provided there was a ColdFusion mapping to them.
I've verified those are now fixed.
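The quickest way to confirm the fix on your own install is to stand up a CFC with one `remote` and one `public` method and try to reach both through the web socket client. The following is an added example, not code from the original post or from Adobe: the CFC name `Service.cfc`, the method names, and the channel name `checks` (assumed to be declared in Application.cfc via `this.wschannels`) are all made up for illustration, and the `ws.invoke(cfcName, methodName, args)` call is the CF10 web socket JavaScript API as documented.

```cfml
<!--- Service.cfc (constructed example; place it under the web root) --->
component {

    // Meant to be callable from the browser over the web socket: mark it remote.
    remote string function greet(required string name) {
        return "Hello, " & arguments.name;
    }

    // Meant for server-side callers only. On CF 10.0.10 and below this was
    // still reachable via ws.invoke(); on 10.0.11 the call must be refused.
    public string function internalHelper() {
        return "this should never reach a browser";
    }
}

<!--- check.cfm (constructed example): exercise both methods from the client --->
<cfwebsocket name="ws" onMessage="onMsg" subscribeTo="checks">
<script>
    function onMsg(msg) {
        // Inspect the response for each invoke: the public method must
        // come back as an error rather than the string above.
        console.log(JSON.stringify(msg));
    }

    // Expected to succeed on any version: the method is remote.
    ws.invoke("Service", "greet", ["world"]);

    // Must fail on a patched (10.0.11+) server: the method is only public.
    ws.invoke("Service", "internalHelper", []);
</script>
```

To test the second fixed issue (CFCs outside the web root reachable through a ColdFusion mapping), repeat the `remote` call with the CFC moved behind a mapping rather than under the web root; on a patched server the invoke should be refused regardless of the access modifier.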

Wednesday 3 July 2013

Official confirmation: Adobe is on the case regarding ColdFusion 10's web sockets security issue

SSIA, really. But you know me: I can pad 14 words of information out to take 1400 words to say...

This is in reference to the security holes that were discovered in ColdFusion 10's web sockets implementation a few days ago, as I discussed in an earlier article: "Web socket security issue: risk assessment & findings".

Rakshith posted on Twitter & on the Adobe ColdFusion blog today that a fix is in the pipeline. He does not go into any details as to whether they're fixing all the issues identified, or some, or what: I guess time will tell.

However I'm pretty impressed with their turn-around time on this one. Henry raised the issue on June 27, and only a week later they've got a patch in the works (I presume it's well under way, not that they were simply starting it when Rakshith announced it).

I look forward to testing it, and I will feed back my findings once I have done so.

Not bad: only 180-odd words to re-articulate the necessary 14 ;-)


Sunday 30 June 2013

Web socket security issue: risk assessment & findings

Yesterday I engaged in some unrepentant shock tactics, writing an article entitled "Security warning: stop using ColdFusion web sockets right now". This warning arose from my initial investigations into an apparent significant security hole in web sockets, as reported by Henry Ho on Stack Overflow. I have checked into things more thoroughly, and here's the details of my findings.

Firstly, I have considered how responsible I am being by publishing this material. But I have concluded my readership is far less than Stack Overflow's, so the vulnerability is already public. Plus I think it would be helpful for people to know what they're up against. Plus - unabashedly - I hope the "publicity" will encourage Adobe to deal with this ASAP.

Threat summary

OK, so what's the story? Basically ColdFusion 10's web sockets have a couple of significant security failings, and some other unhelpful quirky behaviour as well.

Saturday 21 July 2012

Which is better: having your methods inline in a CFC, or included from a separate file? (cont'ed)

This is just a reply to Henry, Shawn and Dave regarding my earlier posting on this topic, but as it's longer than 4kB, I cannot post it as a comment to the original post, so I'm creating a new one.

Hi guys. I didn't reply to the bulk of this last night cos I was watching a movie(*) and could multi-task enough to keep an eye on the #ColdFusion channel on Twitter, but not enough to give my reply to you the attention it warrants.

@Henry. Yeah, I too am let down by the lack of static methods in ColdFusion, and for the same reason. I have hit Adobe up about this a coupla times (for CF9 and for CF10), but I'm always swamped by colleagues saying it's too complicated to implement (this was not from Adobe, but a CF community member, so dunno if that has merit); most CF developers are too "junior" to understand what they are so it'd be wasted on them; you can work around it easily enough; ColdFusion is all about simplicity, and this concept is too complicated; and that old specious chestnut "if you want to use Java, use Java". All of which is either faulty logic or just plain facile. Still: the idea always garners this negative criticism, so I guess it didn't seem compelling to Adobe. Anyway: we are where we are... no static methods.