One thing I like about nginx so far is the configuration, while I haven't had to do anything overly complex with it yet, it does seam to be quite flexible.

Here's a quick example of redirecting a www domain to the non www version:

server {
   listen 80;
   server_name www.example.com;
   rewrite ^ http://example.com/ permanent;
}

Note that's just one way of doing it, by creating a new virtual server for the non-www hostname and redirecting all requests. You can also do this from within your main server declaration, eg:

server {
   listen 80
   root /web/root/;
   if ($host != 'example.com') {
      rewrite ^ http://example.com/ permanent;
   }
}

I like the first method better, but this just goes to show how flexible the configuration is for nginx

The exploit takes advantage of hash collisions in the internal implementation of hashtables / hashmaps (think CFML struct). When two keys are hashed and result in the same hash code a collision occurrs, and additional processing must take place to store or retrieve the item. Most application servers store request input variable (eg form, url scopes) in such a data structure. If you can construct a request with variable names that all have the same internal hashcode, the request goes from taking less than a second to process to several minutes.

As you can imagine this can cause a server to crawl/crash pretty quickly with a relatively small payload. Microsoft has released an out of band security patch for ASP.NET already. Tomcat has provided a work around in versions 7.0.23 or 6.0.35 and up.

The typical patch / workaround for this issue is to limit the number of input request variables, ASP.NET defaults this limit to 1000, tomcat defaults to 10,000.

It's not clear yet if this vulnerability is remotely explotable within JRun, or ColdFusion. I did run some tests on a JRun/ColdFusion install and did not replicate the problem, when I tried on Tomcat I did experience the DOS, however it's still very possible that the issue exists on JRun - my tests were certainly not conclusive. If you are running ColdFusion on something other than JRun (such as Tomcat, JBoss which runs on tomcat, etc) make sure to check with your vendor about this issue.

I haven't seen any word from Adobe about this issue yet, but I'll be sure to update this entry and post another if anything becomes public.

Our HackMyCF ColdFusion Server Security Scanner has been updated to find the RDS vulnerability remotely (using our free scan). We can't readily detect the cfform vulnerability remotely because of the proper conditions to exploit are not predictable to find (we would have to crawl your entire site to look for the proper conditions).

We can however detect it, if you have a HackMyCF Subscription, and have setup the HackMyCF probe (a cfm file you place on your server which allows for encrypted communication). You also get even more detail in your report, showing which Cumulative Hotfixes you have installed, as well as which security hotfixes were applied (currently shows that for 9.0.1 only). Here's a screenshot of what a ColdFusion server security report can look like for a HackMyCF subscriber:

As you can see from the above screenshot we recently added a listing of Cumulative Hotfixes installed, that way its easy to know if you are running Cumulative hotfix 1 or cumulative hotfix 2, etc. You can also see things like the JVM version you are running, etc.

For a limited time you can use coupon code 543m to take $5 off the first 3 months of your subscription.

If you're curious about FuseGuard and how it works please head over to Adobe.com and register now!

As you may know Adobe released Cumulative Hotfix 2 for ColdFusion 9.0.1 on Friday. So here's what a server that is running cumulative hotfix 1 for 9.0.1 but not cumulative hotfix 2 looks like in a HackMyCF subscription:

The current known limitations of this feature are:

• Not enabled for ColdFusion 8.0.0 or below at this time (does work for 8.0.1 however).
• Requires a paid subscription and the probe installed (not possible on free version).

Also announcing the HackMyCF Probe

The probe is a cfm file that you place on your server, subscribers can specify a url to the cfm file for each server in their account. Then when we scan your server we also connect to this probe.cfm, which allows us to get information such as the exact ColdFusion version number (though we can usually determine this with out the probe), the JVM version, which hotfix jar files have been installed, and it also allows us to get a MD5 sum of certain files.

The addition of the probe allows us to find more potential vulnerabilities on your server, for example we can determine if ColdFusion is running as the SYSTEM, we can determine if you are running a version of the JVM that is selectable to a easy to execute denial of service (we could detect this without the probe, but since that would crash your server, we need to use the probe to detect it).

We launched the probe feature in HackMyCF several months ago, however it has been a somewhat soft launch (we haven't been promoting it too much yet). It has been in use now by lots of customers and is pretty solid (we haven't to update the probe.cfm file, even this latest feature uses existing functionality).

If your not familiar with two factor authentication the basic premis is that in order to authenticate you must provide more than one type of authentication, for example Something you know (a password), and Something you have (a hardware token device, a smart card, or a smartphone).

DuoSecurity's solution to this problem was compelling because they allow you to use a smartphone for your second factor by sending a push notification, you simply tap approve, and you're in. This is much easier they keying in a code for the end user (though they also support that via text message, or landline phone call) .

After I had integrated this solution into a SSH server for authentication, the folks at Duo asked if I would be interested in writing a ColdFusion port of their DuoWeb API (which allows you to use their technology to authenticate into Web Applications). I ofcourse said yes, and you can download duo_web for ColdFusion on github.

Here's a video showing how the push technology works:

Next I thought hey it would be great if you could add Two Factor Authentication to ColdFusion Administrator, and it turns out you can:

Setup Duo Security

1. Sign up for an account at DuoSecurity you can create an account for up to 10 users for free.
2. Next create a new integration in your account, for integration type select "Web SDK"
3. An integration key, a secret key, and an API hostname will be generated for you to use below.

Now Download duo_coldfusion and place it in the web root of the site used to login to ColdFusion administrator.

Next create an Application.cfc file in the /CFIDE/administrator directory with the following code:

<cfcomponent>
	<cfset this.name = "cfadmin">
	<cfset this.sessionmanagement = true>
	
	<cfset variables.appKey = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX">
	<cfset variables.iKey = "XXXXXXXXX">
	<cfset variables.sKey = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX">
	<cfset variables.duoHost = "api-XXXXXXXX.duosecurity.com">
	
	
	<cffunction name="OnRequest">
		<cfargument name="template">
		<cfinclude template="Application.cfm">
		<cfset var local = StructNew()>
		<cfif arguments.template contains "logout.cfm" AND isAuthenticatedTwoFactor()>
			<cfset StructDelete(session, "duoAuthenticated")>
			<cfinclude template="#arguments.template#">
			<cfreturn>
		</cfif>
		<cfif StructKeyExists(form, "sig_response")>
			<cfset local.duo_user = CreateObject("component", "duo_coldfusion.DuoWeb").verifyResponse(iKey=variables.iKey, aKey = variables.appKey, sKey=variables.sKey, sig_response=form.sig_response)>
			<cfif local.duo_user IS "pete">
				<cfset session.duoAuthenticated = true>
			</cfif>
		</cfif>
		<cfif IsUserLoggedIn() AND NOT isAuthenticatedTwoFactor()>
			<cfset local.post_action = "/CFIDE/administrator/index.cfm">
			<cfset session.duo_sig_request = CreateObject("component", "duo_coldfusion.DuoWeb").signRequest(iKey=variables.iKey, aKey = variables.appKey, sKey=variables.sKey, username=GetAuthUser())>
			<!--- show second factor authenication page --->
			<!doctype html>
			<html>
				<head>
					<title>Please Authenticate</title>
					<script src="/duo_coldfusion/js/Duo-Web-v1.bundled.min.js"></script>
					<cfoutput>
					<script>
					  Duo.init({
					    'host': '#JSStringFormat(variables.duoHost)#',
					    'sig_request': '#JSStringFormat(session.duo_sig_request)#',
					    'post_action': ''
					  });
					</script>
					</cfoutput>
				</head>
				<body>
					<h2>Authenticate</h2>
					<iframe id="duo_iframe" width="100%" height="500" frameborder="0"></iframe>
				</body>
			</html>
		<cfelse>
			<!--- two factor authentication --->
			<cfinclude template="#arguments.template#">	
		</cfif>
		
	</cffunction>
	
	<cffunction name="isAuthenticatedTwoFactor" returntype="boolean">
		<cfreturn StructKeyExists(session, "duoAuthenticated") AND session.duoAuthenticated>
	</cffunction>

</cfcomponent>

Next you need to generate a unique value for variables.appKey it MUST be 40 chars long. Plug in the values you got on the duo web site when you created your integration for the variables.iKey (integration key), variables.sKey (secret key), and the variables.duoHost.

<cfset variables.appKey = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX">
<cfset variables.iKey = "XXXXXXXXX">
<cfset variables.sKey = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX">
<cfset variables.duoHost = "api-XXXXXXXX.duosecurity.com">

Finally go and log into the ColdFusion administrator, after you enter your password you will be given a prompt which will let you pick your second factor method. If it authenticates you will be logged in and send to the CF Administrator.

It will look something like this when you are up and running:

ColdFusion Developer Week is a series of free, live webinars hosted by seasoned ColdFusion experts who will cover a wide range of topics from what ColdFusion is, how to code it, all the way through to more in depth topics such as ORM and ColdFusion Builder Extensions. If you are a new developer, someone with little or no ColdFusion experience, or even if you have been using ColdFusion all your life, this event is ideal for you. The ColdFusion Developer Week provides something for everyone, so sign up now!

Here's the schedule of webinars, I will be giving a presentation on ColdFusion security on Friday (listen to recording):

Monday

• Getting Started with Web Application Developement Using ColdFusion - Terry Ryan (10AM PT / 1PM ET)
• Working with PDFs Made Easy with ColdFusion - Tim Cunningham (1PM PT / 4PM ET)
• Introduction to ColdFusion Components (CFCs) - Raymond Camden (4PM PT / 7PM ET)

Tuesday

• Improve Your ColdFusion Code Through Unit Testing - Jamie Krug (10AM PT / 1PM ET)
• Using ColdFusion Frameworks for Application Development - Mark Mandel (1PM PT / 4PM ET)
• Understanding and Using the ColdFusion Server Monitor - Charlie Arehart (4PM PT / 7PM ET)

Wednesday

• ColdFusion Builder: The Professional IDE to Boost Your Productivity - Sagar Ganatra (10AM PT / 1PM ET)
• Expand Functionality with ColdFusion Builder Extensions - Simon Free (1PM PT / 4PM ET)

Thursday

• Developing Your First Application Using ColdFusion 9 and ORM - Bob Silverberg (10AM PT / 1PM ET)
• Speed Up Your Apps with Caching in ColdFusion (11:30AM PT / 2:30PM ET)
• ColdFusion and Mobile - Browser-Based Applications Made Easy - Dave Ferguson (1PM PT / 4PM ET)
• Become ColdFusion Empowered in Under an Hour - Nic Tunney (4PM PT / 7PM ET)

Friday

• Accessing ColdFusion Services From Flex Applications - Matt Gifford (10AM PT / 1PM ET)
• Securing your ColdFusion Applications - Pete Freitag (me) (11:30AM PT / 2:30PM ET)
• Make Your Site Searchable with Solr - Scott Stroz (1PM PT / 4PM ET)
• Bringing ColdFusion to Java SpringMVC (4PM PT / 7PM ET)

Make sure you go over to http://adobe.com/go/cfdeveloperweek to register.

Bug #83328 was logged for this issue in June 2010 in the ColdFusion Bug Tracker, please vote it up.

The workaround for CFFileUpload on ColdFusion 9.0.1 is pretty simple, I would imagine that the workaround for CFMediaPlayer is just as easy.

Edit the file /CFIDE/scripts/ajax/package/cffileupload_swf.js, and change the following lines:

$FS.defaultSWFLocation="/CFIDE/scripts/ajax/resources/cf/assets/MultiFileUpload.swf";
var defaultAddIcon="/CFIDE/scripts/ajax/resources/cf/images/fileupload/addfile.png";
var defaultUploadIcon="/CFIDE/scripts/ajax/resources/cf/images/fileupload/upload.png";
var defaultClearIcon="/CFIDE/scripts/ajax/resources/cf/images/fileupload/clear.gif";
var defaultDeleteIcon="/CFIDE/scripts/ajax/resources/cf/images/fileupload/delete.png";

To this:

$FS.defaultSWFLocation=_cf_ajaxscriptsrc+"/resources/cf/assets/MultiFileUpload.swf";
var defaultAddIcon=_cf_ajaxscriptsrc+"/resources/cf/images/fileupload/addfile.png";
var defaultUploadIcon=_cf_ajaxscriptsrc+"/resources/cf/images/fileupload/upload.png";
var defaultClearIcon=_cf_ajaxscriptsrc+"/resources/cf/images/fileupload/clear.gif";
var defaultDeleteIcon=_cf_ajaxscriptsrc+"/resources/cf/images/fileupload/delete.png";

The JavaScript variable _cf_ajaxscriptsrc was defined on the page before the script tag loads cffileupload_swf.js and it contains whatever value you have setup in the ColdFusion Administrator for the Default ScriptSrc path with ajax appended to the end.

What's FuseGuard?

If your not familiar with FuseGuard, it is a commercial grade software product for ColdFusion made by my company Foundeo Inc. It sits in front of your ColdFusion applications to help protect them against malicious attacks, written fully in CFML you can customize and extend it using a robust CFC api.

Click here to download an evaluation copy.

The video is in HD format so if you don't have time to watch it now, and you have TV that is connected to YouTube, click the Watch Later button and watch it tonight :)

(13)Permission denied: access to /

There are a few things that could be the problem:

Make sure it's not denied by Apache

Most apache Configurations have something like this in there:

<Directory />
    Order deny,allow
    Deny from all
</Directory>

The above will block access to all files. You should also see something like this:

<Directory /path/to/webroot>
    Order allow,deny
    Allow from all
</Directory>

So if you have created a VirtualHost or an Alias that does not fall under this /path/to/webroot apache will have denied access to it. The solution in that case is to add another Directory entry in your httpd.conf to allow access to that directory.

Make sure Apache has Read, Execute Permissions

The next thing to check is that Apache has read and execute permission (rx) on directories and read permission on files. You can run chmod 750 /dir (to give -rwxr-x--- permission) or chmod 755 /dir (to give -rwxr-xr-x permission), etc.

Make sure that the Directory Above has Execute Permission

This is the one that tends to get me. Suppose you are creating an Alias like this:

Alias /foo /tmp/bar/foo

Now you have made sure that apache can read and execute /tmp/bar/foo by running chmod 755 /tmp/bar/foo, but you also need to give Apache execute permission to /tmp/bar/ otherwise it cannot traverse the sub directory foo.