Archive for the ‘Security’ Category

Manually configuring Internet Information Services 7 connector with ColdFusion

ColdFusion can be set up in a distributed environment, meaning that ColdFusion is on a different physical machine than the web server. In a distributed environment, the connector is installed on the machine hosting the web server, and that machine sends requests across the network to the remote server hosting ColdFusion.

ColdFusion comes with a Web Server Configuration Tool for connecting to external web servers. Usually, you copy the wsconfig.jar file to the web server machine and run the web server in a configuration where it refers to the remote server hosting ColdFusion. There may be occasions, however, when the Web Server Configuration Tool doesn’t work properly, for example, due to a firewall or network security restrictions. Should this happen, you can still configure the connector manually. This article demonstrates the steps required for manually configuring connections to Internet Information Services 7 websites in a distributed environment.

Read More (Adobe) >>


Hotfix for CF 8 decrypt function and more

If you get the following error while decrypting a string using the decrypt function with the CFMX_COMPAT algorithm in ColdFusion 8, it might not necessarily be a coding error. You will need to apply the hotfix from Adobe.

Error: “The input and output encodings are not same”.

Get the hotfix here: Cumulative Hot Fix 3 for ColdFusion 8.0.1

Cumulative Hot Fix 1 for ColdFusion 9 released

Adobe released Cumulative Hot Fix 1 for ColdFusion 9.

Note from Adobe:
The fixes are contained in ColdFusion 9 Cumulative Hot Fix 1 (CHF1). Adobe recommends that you apply CHF1 to ColdFusion 9 only if you are experiencing one or more of the issues listed below. This cumulative hot fix is specific to ColdFusion 9 and should not be applied to any other releases.

Security Bulletin APSB10-05 – Security update available for BlazeDS

An important vulnerability (CVE-2009-3960) has been identified in BlazeDS 3.2 and earlier versions. When processing incoming requests, XML external entity references and injected tags can result in disclosure of information. This issue affects LiveCycle 9.0, 8.2.1 and 8.0.1, and ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2, which are installed with different versions of Data Services products. Adobe has provided a solution for the reported vulnerability for each affected Adobe product. It is recommended that users update their installations of each affected Adobe product to the latest version.

Affected software versions
BlazeDS 3.2 and earlier versions
LiveCycle 9.0, 8.2.1, and 8.0.1
LiveCycle Data Services 3.0, 2.6.1, and 2.5.1
Flex Data Services 2.0.1
ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2

The solution is available on the Adobe site.

Solution available for potential ColdFusion information disclosure issue – regarding Solr

An important vulnerability (CVE-2010-0185) has been identified in ColdFusion 9.0, which could allow collections created by the Solr Service to be accessed from any external machine using a specific URL. Adobe has provided a solution to the reported vulnerability.