Pete FreitagMay 14, 2018
SameSite Cookies with IIS
SameSite cookies are a great technique for mitigating Cross Site Request Forgery attacks. The only downside is that not all browsers support them yet (ahem... looking at you IE).
March 17, 2014
False TemplateNotFoundException ColdFusion 9
I was working on a server (CF9.0.2 Win2008 IIS7.5) installation today and ran into what I thought at first was an IIS connector issue.
October 15, 2013
Blocking .svn and .git Directories on Apache or IIS
One of the issues that our HackMyCF ColdFusion Server Scanner checks for is the existence of public .git/ or .svn/ directories. Exposing these directories to the public could lead to information disclosure, such as your server side source code.Blocking .svn and .
January 10, 2011
Changing the ColdFusion CFIDE Scripts Location
One of the things that the HackMyCF ColdFusion server security scanner looks for, is if the /CFIDE/scripts/ folder is in it's default location. There have been security vulnerabilities located in this folder in the past, most notably was the FCKEditor Vulnerability in ColdFusion 8.
April 28, 2010
Is your ColdFusion Administrator Actually Public?
Every so often I get an email back from someone who ran HackMyCF.com saying something like this:Your scanner says our ColdFusion Administrator is publicly accessible, but I don't think that's true.
February 24, 2010
ColdFusion 9 Performance Brief from Adobe
Adobe has posted a ColdFusion 9 Performance Brief, outlining several performance improvements over ColdFusion 7 and 8. The brief reports a 40% performance improvement over ColdFusion 8, and a 500% improvement over ColdFusion 7, running CanvasWiki.
February 16, 2010
Request Filtering in IIS 7 Howto
I've been doing some security work in Windows 2008 recently for a client, one feature I've really come to like in IIS 7 is Request Filtering.You can configure Request Filtering at the server wide level, and then override or enhance the filtering at a site / application level.
October 08, 2009
IIS: Disabling Weak SSL Protocols and Ciphers
It's no secret by now that if your web site sees credit card numbers (even if they are passed to a third party gateway) you need to comply with the PCI DSS standards.Requirement 4.
August 20, 2009
ColdFusion wsconfig Hotfix CVE-2009-1876 is for Apache Only
There has been some confusion over the ColdFusion web server connector (wsconfig.jar) hotfix CVE-2009-1876 which is part of Adobe Security Bulletin APSB09-12.Whether or not this hotfix is required on IIS has been a question posed by many.
October 21, 2008
Remove X-Powered-By: ASP.NET Header
Have you ever noticed that IIS tends to brand every HTTP response with the header X-Powered-By: ASP.NET - it will do this even if your site is not powered by ASP.
December 06, 2005
Howto Disable the Server Header in IIS
Steven Erat just pointed me to a technote from Macromedia Adobe called: Configuring ColdFusion MX 7 Server Security in the comments of my securing apache config article.
March 24, 2005
Apache mod_rewrite for IIS
mod_rewrite is easily my favorite module for Apache. You can use it to create very clean urls, and you can even use it for security validation.
August 27, 2003
Moving SSL Certs from IIS to Apache
I found some instructions for converting SSL certificates generated for IIS to private key, and cert files you can use on unix, or Apache for windows.First Export your IIS certificate into a pfx file (this is something you should do anyways for backup)
Run mmc.
October 09, 2002
Batch Files to Restart Services on Windows
I wrote some batch files today for restarting services on windows. The bat files can be used to restart ColdFusion MX or IIS services on Windows NT/2000/XP.Batch File to restart ColdFusion MX
@echo off
REM - File: cfmxrestart.
