Thursday, November 13, 2014

CF: Allowing different extensions for scheduled task log files

This is a quick post for people that run into this dilemma where there scheduled task stop working upon upgrade. They may receive this type of error in their browser:

Initialization Error: Valid extensions are : log,txt. - Invalid extension of the file name.

At first you go "What the Heck!". Then, look through gazillion lines of code to find where we could have produced this error and could not pin-point it.
Then, more digging to find the culprit:
With the advent of ColdFusion 10 & 11 and the exposure of the scheduled task vulnerability there was a change to what extensions where supported for your log files when you schedule tasks. As a security element these files can only be log and txt files.

However, the raw capture of the task run is normally neither, more often than not, especially with debug for the local IP enabled the output is HTML.
Thus, we have, now, for many years, used htm as the preferred extension, since the raw capture of the task run is HTML, thus, easy to view in the browser.  Forcing it into txt would only makes us rename the file before opening in the browser again.

Nightmares of unneeded code change ensued...

Fortunately, the solution seems simple enough.
a) Stop the ColdFusion instance
b) Find the neo-cron.xml
c) find the line that read like txt,log
d) add your extension to that line, e.g. txt,log,htm
e) start instance

Hope this helps others who give themselves the "Duh" slap.


Friday, June 6, 2014

CF: CCFML or Making the Case for a Different CFML Future

Looking at the demands of our enterprise and the product road-maps as far as they have been disclosed by either Railo or Adobe we discovered a gap between what we are trying to achieve and what the technology is going to offer.

So, I have taken upon me to summarize a few thoughts and suggestions that I would like to share to see whether we can sway the Railo/Adobe general product direction.

I believe that focusing ever more innovation resources on the concept of RAD (Rapid Application Development) and language improvements, though interesting and useful, are not making CFML standout sufficiently to make a long-term difference and detract people from leaving or encouraging  new people to join.

In my opinion, the next level of server improvements need to be substantially different from other offerings and, this, in turn, requires a rethinking of what Railo/ACF offerings are.
Abandonment of the concept of Application Servers
Remove the need for download/installs
Remove the need for server administration and management
Redefine offering as packaged “infrastructure” with smart policy and deployment
Use clear convention based guidelines for subsystems (cache, application, storage, db)

Ok, now you say, what the heck are you dreaming about?
Good question, that.

In short, I am proposing that we work towards a true Cloud CFML platform === CCFML.

Let me explain:

We come from a heritage of dealing with individual servers and have embraced that concept wholeheartedly for many years. However, in the age of the cloud we should question those expectations.
How much more attractive could CCFML be when you only need a github/subversion account to deploy your code and a few policy definitions on how large you want your Application to scale and how fast.
When there are application problems, you can define policies how much CPU a process may consume, add more CPU cycles specifically for it, and/or cache. All automatically.
You application works automatically, fully scalable, across the globe on CFML.
You are kept abreast of any problems, bottlenecks and are given options to upscale CPU, refactor code, or add instances. But, best of all, you let the Cloud CFML take care of everything that a global CFML service should.
You want to push a new version, just change code and click deploy/schedule button.

Whatever decisions need to be made to get us this platform nirvana should be in the forefront of cfml future enhancements. This would require more standardization of convention so that we can have auto- configuration over coding whenever possible.
Behavior for deployment will need to be defined and “standard conventions” documented.
Here is just a selection of things that need to be answered on the way towards such a CCFML platform:
- Which distributed cache to implement and deploy
- Deployment system magic (version, install, upgrade, start, stop, pause engines)
- How do you scale session across servers
- How to communicate among cluster members
- How do you join servers to clusters
- How do you create a unified lightweight Application scope across the cluster,
- How to measure and set time,
- How to define and use a shared file-system
- How do you delineate code files storage vs. user assets
- How do you provide Application policy definitions for scaling
- How to manage and analyze code performance
- Create Application Manager (instead of Server Manager)
- Assigned Server roles, e.g. stateless vs. statefull servers
- Global logging and analysis
- Etc., etc.
There are probably many elements I don’t quite understand or have not considered. This is where I would ask for the smart people of the community to jump in, but, the point I am trying to emphasize is that future innovation should be directed towards creating such a platform rather than focusing on the minutiae of the language syntax.

The CFML language is quite mature and tweaks on syntax can only have limited impact on stopping developer attrition while an easy to use application platform has the potential to attract developers.
This model also provides a clear path for providers of this tech to charge for the services with the value recognition they are looking for.

The good news is that we have many components already; the next step is to create the working package and provide CFML as a first class cloud service.

We would not be the first, others like Microsoft with Azure and .net and the Java/Scala Play! Frameworks have already started the thought model and are getting traction. I fear that if we hesitate too long we may miss an opportunity to reverse course.

I hope this is not too confusing of a ramble and I am looking forward to feedback.


Friday, October 25, 2013

AWS: Cache Me If You Can! Getting Started with Elasticache.

Here are the presentation slides from our monthly Charlotte Cloud Computing Meetup and AWS Charlotte Meetup meeting.

Application cache has the potential to tremendously speed up your response times. Putting a cache infrastructure together on the other hand may not be for the faint of heart. 
In this meetup we will investigate the use of Amazon ElastiCache. Amazon ElastiCache is a web service that makes it easy to deploy, operate, and scale an in-memory cache in the cloud.


Friday, June 28, 2013

AWS: Amazon CloudSearch -- Find This!

Since we experienced some issues with this month’s meetup I am publishing the presentation slides here.
We may be able to run through this at a different time again.

From our meetup description:

So you have used SOLR and think that is the only way to go for anything search related. But, (isn't there always a but?) you are tired of maintaining infrastructure or attempting to scale this thing. 
Well time to look at alternatives specifically made for the cloud. 
In this meetup we will look at AWS search, which is based on A9 search technology acquired by Amazon. It does all the dirty work for you so you can focus on your facets ;o) 
We will discuss the good and the bad while attempting to use examples and build a search domain.


Thursday, April 4, 2013

CF: Railo: Using VisualVM tool to monitor running Railo servers

I had written a Adobe ColdFusion specific article on how to use the free VisualVM tool to get insight into the workings of the Java Virtual Machine. I have since been asked to provide similar guide for Railo CFML engine.

The good news is that the implementation is very similar and mostly follows the same path. I will demonstrate this using Windows OS example. I assume in this example that you have used the standard Railo installer for windows.

If so, here are some simple steps to use this great tool set working with Railo.

1) download java jdk also referred to as Java SE Development Kit. You can use 1.6.38 or later or 1.7.13 or later.  Again, Important to get the JDK not the JRE.

2) Download Visual VM:

3) Configure Railo jmx access:
On Windows, best way is to go to Tomcat Service Control, open the Java panel and add the following to the Java Options text box: (you can change the ports etc. this is is my sample):

You can decide whether to use ssl or not, and also on the port to use. If you want to use jmx authentication I would recommend you read:

You will need to restart your server after you have completed your changes.

4) Configure your Visual vm start up to point to your jdk if you have not set environmental variables:
e.g. on Windows
if you extracted the visualvm files into C:\visualvm135
Your JDK is located in C:\Java\jdk1.7.0_13
then you can use the following command line:

C:\Java\visualvm_135\bin\visualvm.exe --jdkhome "C:\Java\jdk1.7.0_13"

You can also add a batch file shortcut for reuse, e.g.

5) Start up the VisualVM tool (it may have to go through calibration first, simply acknowledge), then, and establish a connection a JMX connection by right clicking on the local node and choosing "Add JMX Connection..."

6) Add connection parameters:
If the server is local you can use: localhost:[port] in our case: localhost:8701

Now you should be able to monitor basic statistics of your Railo environment as it runs, and do some nifty things like forcing garbage collection and dump heap files for later analysis.


Monday, February 11, 2013

CF: cfObjective() 2013... talk is cheap (relatively ;o)

I decided to submit my slew of topics to this year's cfObjective conference. I had many things that I wanted to investigate or thought were worth sharing... never can pick really...
Fortunately for me the selection committee picked two of my submissions and, thus, if you time it right and have no better place to be, come join me at cfObjective in Minneapolis to dig into the mobile development realm ...

"Hey Bilal, come to the point", you say. "What are you going to yak about, since I am biZy! With a capital Z".
Well,  ok, here are the things I am going to talk about:

Design MVC Mobile App Visually In Hours

HTML5 / CSS3 / JavaScript Mobile Apps are becoming more popular. Unfortunately, the tools that we use to design them have not changed much. This talk is centered on using more advanced design tool such as Sencha Architect 2 to visually create front-end MVC mobile prototypes quickly in WYSIWYG fashion. We will step through the elements and create our own app and discuss native deployment options as well.
We will learn how to navigate the common UI of Sencha Architect, how to start and structure an Architect project, how to create a common mobile app with navigation pattern , how to link components, how to bind data, how to deploy generated code in your project, the difference in prototyping levels and the fit of rapid prototyping tools such as Architect, and we are going to have fun creating a real working mobile app.

Mobile but Secure

HTML5 CSS3 applications are becoming increasingly popular for mobile platforms. An assortment of applications makes use of the mobile devices to run, but when it comes to mobile security it is a wild west, the next frontier. What can you do to create mobile or web apps with a more solid security stance and prevent your mobile software from becoming another way to hack into your servers, your customers’ data? If you don't want to be in the news as the next mobile app whose weakness a hacker group used to get sensitive data you should familiarize yourself with the mobile security tips and tricks.
We will take a look at the mobile security top ten and discuss the juiciest elements such as   Insecure Data Storage, Weak Server Side Controls, Insufficient Transport Layer Protection, Client Side Injection, Poor Authorization and Authentication and ways and how to mediate them effectively.

So there you have it.
Hope to see you at the Mall of America in May !


Saturday, January 5, 2013

CF: Scheduled Task Security venerability in Adobe CF

Getting hit by a security vulnerability is no fun. This new one using CFIDE scheduling ( seems to have impacted quite a few users.
This all happened around Christmas and went downhill from there most likely automatic network scanning of availability of a certain URL path followed by automated attack.

Charlie Arehart has several blog post on this topic so I am not going to expand too much:

The old adage to lock down your server still holds but is no solace to the people that got hit since it would impact a fully patched server.
The short of this is to disable access to certain CFIDE paths. This may be the practice that you already follow, then kudos!, more importantly, get the word out to other users. Let your friends know so they don't fly blind.

Overall I am surprised by this vulnerability since it seems to originate from a vector that, in my mind, should require authentication or at least some sort of access control. Seemingly the scheduling of tasks is vulnerable and wide open by default. Initial thought on this: Crap!
Maybe, as a community, we should vet more closely the out of the box CFML code that is being deployed. The secure stance always has been to not deploy any example and docs on production, however, this is part of the system would be required to administer it.

Couple of things that I would like to delve deeper into:

a) Detecting Code Compromise:
In the last talk that I had presented around application security I had shown an example that can be easily implemented and allows users to detect any code change on the machine.
The idea is to generate an application signature that, then, can be verified to see whether the application is still consistent with what you published.
This is a simple version, you may expand and adjust. This will help you detect whether you have been compromised.
You can do this against the CFIDE, Customtag, and/or any other directory you store code in. You can create separate signatures (i.e. modules) or combined ones.

The goal is to quickly be able to tell whether you were hit by a zero-day vulnerability or anything else made its way onto your server that you did not expect.

It involves two general steps:

First run a recursive cfdirectory on your website/app and, second, create a hash from it.
Something like this:

<cfdirectory action="LIST" directory="c:\inetpub\wwwroot" 
  name="myAppFiles" filter="*.cf*" recurse="Yes">

<!--- build md5 hash  --->
<cfset myAppSig = Hash(SerializeJSON(myAppFiles),"MD5","us-ascii")>

Then compare the generated application signature against a last known good one. This can be done on App start, or a scheduled basis, even add hock if you app is small.

Here is the similar sample that stops application execution if compromised if you include it in your OnApplicationStart function:

<cffunction name="OnApplicationStart">
 This assumes that you have a database with a
 table named "appcheck" that has at least two fields
 id =    auto number/indexed
 value = text (20)
 The first time the app starts, the valid
 application signature will be determined.
 There after the application will abort if 
 the signature does not match.
 To publish new code.
 Clear the appcheck table or insert 
 the new valid signature as last row. 
 <cfquery name="selCheck">
  SELECT value
  FROM appcheck
  WHERE id = (SELECT Max(ID) FROM AppCheck) OR id=0
 <!--- determine app check crossum --->
 <cfdirectory name="selAppFiles" action="list" filter="*.cf*" 
  directory="#getComponentPath()#" recurse="Yes">
 <cfset strJson = SerializeJSOn(selAppFiles)>
 <cfset md5Hash = Hash(strJson,"MD5","us-ascii")>
 <cfif selCheck.RecordCount>
  <!--- application compromise check. 
        We could email someone automatically, 
        raise alarms, call the cops --->
  <cfif md5Hash neq selCheck.value>
   Application compromised.<br/>
   #md5Hash# -- #selCheck.value#

 <cfquery name="insCheck">
  (VALUE) VALUES ('#md5Hash#')

b) Preventing people from using the vulnerability:
Charlie and other have done a good job of summarizing the source and ways you can prevent the exploit. It all seems to boil down to not let users hit certain CFIDE paths:

  • /CFIDE/administrator
  • /CFIDE/adminapi
  • /CFIDE/componentutils

The bad thing is that using IIS/Apache facilities to lock out call URLs may not be good enough. There is the question of virtual paths and ColdFusion built in webservers that can bypass your effort. In addition, the normal Adobe CF connection between IIS and CF is using a wildcard based handling of all request. That means all requests to your website are first routed to CF/connector, even, if you ask for an image. If you know me you know I am biased, but obviously this blows big time, since it causes unnecessary processing on IIS and CF. Try to pause or stop CF and call a static HTML page on IIS or Apache, you will wait for a while. Enough of the ranting! In short, please test your lockout configs after you make changes to make sure that everything is locked out as it should be.

If you are using ColdFusion 10 on IIS you also have the option to deploy my BonCode connector. It does not block static page access, or hinder non CF processing. Since its first version it had the ability to block access to administration pages; you will not be able to bypass this even if you have the built in CF webserver running (yes, you can still hit the built in webserver if you bypass IIS altogether but that would require deliberate foolishness where you have opened the non-standard port on your Windows OS and firewalls everywhere).

Here is a blog post on how this feature is used to secure Railo administration pages. This method also works for OpenBD, and Adobe CF10.
The installation for CF10 is not out of the box, if there is interest in this I will provide it in later versions. Also this is not officially supported by Adobe, though given the system instability issues and problems that have occurred with the supplied connector you may want to consider testing anyway.