SameSite Cookies with IIS

SameSite cookies are a great technique for mitigating Cross-Site Request Forgery (CSRF) attacks. The only downside is that not all browsers support them yet (ahem... looking at you, IE), so treat them as a second layer alongside your anti-CSRF tokens rather than a replacement for them.


False TemplateNotFoundException ColdFusion 9

I was working on a server installation (CF 9.0.2, Windows 2008, IIS 7.5) today and ran into what I thought at first was an IIS connector issue.


Blocking .svn and .git Directories on Apache or IIS

One of the issues that our HackMyCF ColdFusion Server Scanner checks for is the existence of publicly reachable .git/ or .svn/ directories. Exposing these directories to the public can disclose your server-side source code (and, with .git, the full commit history), since the repository metadata is enough to reconstruct the files.

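The IIS side of this, as an added example (not code from the original post or from HackMyCF): register .git and .svn as Request Filtering hidden segments in applicationHost.config, so IIS answers 404 for any URL containing those path segments in every site. It assumes an elevated PowerShell session on the IIS host with the WebAdministration module available.

```powershell
# Added example (not code from the original post). Blocks .git/ and .svn/ on IIS 7+
# by registering them as Request Filtering "hidden segments" in applicationHost.config,
# which makes IIS return 404 for any URL that contains those path segments, site-wide.
# Assumes an elevated PowerShell session on the IIS host with the WebAdministration module.
Import-Module WebAdministration

$Scope  = 'MACHINE/WEBROOT/APPHOST'   # server-wide; use 'IIS:\Sites\<name>' to limit to one site
$Filter = 'system.webServer/security/requestFiltering/hiddenSegments'

function Add-HiddenSegment {
    param([string]$Segment)
    # Re-runnable: adding a segment that is already in the collection throws, so check first.
    $present = Get-WebConfiguration -PSPath $Scope -Filter "$Filter/add[@segment='$Segment']"
    if ($present) {
        Write-Host "hidden segment '$Segment' already configured"
    } else {
        Add-WebConfigurationProperty -PSPath $Scope -Filter $Filter -Name '.' -Value @{ segment = $Segment }
        Write-Host "added hidden segment '$Segment'"
    }
}

foreach ($s in '.git', '.svn') { Add-HiddenSegment $s }

# Print the resulting list so the change can be eyeballed (or diffed against a baseline).
Get-WebConfiguration -PSPath $Scope -Filter "$Filter/add" | Select-Object segment
```

Hidden segments only hide the URL path; the repository metadata is still on disk, readable by anything that bypasses IIS (a misconfigured virtual directory, a second web server, a backup). The real fix is to deploy an export (git archive, svn export) rather than a checkout, and to lock the directories down with NTFS ACLs; the hidden segment is the safety net. On Apache the equivalent is a DirectoryMatch block on the same pattern with access denied.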


Changing the ColdFusion CFIDE Scripts Location

One of the things that the HackMyCF ColdFusion server security scanner looks for is whether the /CFIDE/scripts/ folder is in its default location. There have been security vulnerabilities in this folder in the past, most notably the FCKeditor vulnerability in ColdFusion 8, and a scanner (or an attacker) that can find the folder at its default path can try every one of them.


Is your ColdFusion Administrator Actually Public?

Every so often I get an email back from someone who ran the scan, saying something like this:

Your scanner says our ColdFusion Administrator is publicly accessible, but I don't think that's true.
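The quickest way to settle this argument is to look at the server the way the scanner does: from outside, without following redirects. The script below is an added example (not code from the original post or from HackMyCF) that probes the paths the scanner complains about, covering the Administrator check from this post and the .git/.svn check from the post above. It assumes $Target is replaced with your public hostname (placeholder) and, importantly, that you run it from a machine outside your office network or VPN, because IP-based allow rules on the firewall or in IIS make the admin look blocked from inside only.

```powershell
# Added example (not code from the original post). Probes a ColdFusion/IIS host
# from the outside the way an external scanner would and reports which of the
# paths the scanner flags actually answer.
# Assumes $Target is replaced with your public hostname (placeholder) and that
# the script runs from OUTSIDE your own network, so IP-based allow rules do not
# mask the result.
param([string]$Target = 'https://www.example.com')   # placeholder

$Paths = @(
    '/CFIDE/administrator/',   # ColdFusion Administrator login
    '/CFIDE/scripts/',         # default scripts location
    '/.git/HEAD',
    '/.svn/entries'
)

function Test-PathExposure {
    param([string]$BaseUrl, [string]$Path)
    $url = $BaseUrl.TrimEnd('/') + $Path
    try {
        # Do not follow redirects: a 302 to the login page still proves the admin is reachable.
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
        $code = [int]$r.StatusCode
    } catch {
        if ($_.Exception.Response) {
            $code = [int]$_.Exception.Response.StatusCode
        } else {
            # DNS failure, connection refused, TLS error: nothing answered at all.
            return [pscustomobject]@{ Path = $Path; Status = 'no response'; Exposed = $false }
        }
    }
    # 401/403/404 mean blocked or absent; anything else (200, 301, 302, even a 500)
    # means the request reached the application, which is exactly what the scanner flags.
    [pscustomobject]@{ Path = $Path; Status = $code; Exposed = ($code -notin 401, 403, 404) }
}

$results = $Paths | ForEach-Object { Test-PathExposure -BaseUrl $Target -Path $_ }
$results | Format-Table -AutoSize
if ($results | Where-Object Exposed) { Write-Warning "Exposed paths found on $Target" }
```

If the Administrator shows as Exposed here but "works fine" from your desk, the difference is the source address: the IIS IP restriction or firewall rule you are relying on is letting the public in, or only covers one of several hostnames or ports bound to the site.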


ColdFusion 9 Performance Brief from Adobe

Adobe has posted a ColdFusion 9 Performance Brief, outlining several performance improvements over ColdFusion 7 and 8. The brief reports a 40% performance improvement over ColdFusion 8, and a 500% improvement over ColdFusion 7, running CanvasWiki.


Request Filtering in IIS 7 Howto

I've been doing some security work in Windows 2008 recently for a client, and one feature I've really come to like in IIS 7 is Request Filtering.

You can configure Request Filtering at the server-wide level (applicationHost.config) and then override or extend the filtering at a site or application level (the site's web.config, or a location block), so a strict default can be relaxed only where an application really needs it.
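What that layering looks like in practice, as an added example (not code from the original post): a server-wide Request Filtering baseline written to applicationHost.config, then one limit relaxed for a single site. It assumes an elevated session with the WebAdministration module and a site named 'Default Web Site' (placeholder); the limits and denied extensions are illustrative and should be adjusted to the application.

```powershell
# Added example (not code from the original post). Sets a Request Filtering
# baseline in applicationHost.config (every site) and then overrides one limit
# for a single site, which is the server-wide / site-level layering described above.
# Assumes an elevated session with the WebAdministration module and a site named
# 'Default Web Site' (placeholder); adjust names and limits to your application.
Import-Module WebAdministration

$AppHost = 'MACHINE/WEBROOT/APPHOST'
$RF      = 'system.webServer/security/requestFiltering'

# --- server-wide baseline -------------------------------------------------
# Cap request sizes: 10 MB body, 2 KB URL, 1 KB query string.
Set-WebConfigurationProperty -PSPath $AppHost -Filter "$RF/requestLimits" -Name 'maxAllowedContentLength' -Value 10485760
Set-WebConfigurationProperty -PSPath $AppHost -Filter "$RF/requestLimits" -Name 'maxUrl'                  -Value 2048
Set-WebConfigurationProperty -PSPath $AppHost -Filter "$RF/requestLimits" -Name 'maxQueryString'          -Value 1024

# Refuse double-escaped URLs (%252e%252e) and, if all your URLs are ASCII,
# high-bit characters; both are classic path-traversal/canonicalisation tricks.
Set-WebConfigurationProperty -PSPath $AppHost -Filter $RF -Name 'allowDoubleEscaping'    -Value $false
Set-WebConfigurationProperty -PSPath $AppHost -Filter $RF -Name 'allowHighBitCharacters' -Value $false

# Deny TRACE and file extensions that leak source or backups. Each add is
# guarded so the script can be re-run without "duplicate entry" errors.
function Add-Denied {
    param([string]$Collection, [string]$Attr, [string]$Value)
    if (-not (Get-WebConfiguration -PSPath $AppHost -Filter "$RF/$Collection/add[@$Attr='$Value']")) {
        Add-WebConfigurationProperty -PSPath $AppHost -Filter "$RF/$Collection" -Name '.' -Value @{ $Attr = $Value; allowed = $false }
    }
}
Add-Denied -Collection 'verbs' -Attr 'verb' -Value 'TRACE'
foreach ($ext in '.bak', '.old', '.orig', '.sql') { Add-Denied -Collection 'fileExtensions' -Attr 'fileExtension' -Value $ext }

# --- per-site override ----------------------------------------------------
# An upload application needs a bigger body than the baseline. -Location writes
# a <location path="Default Web Site"> block, so only that site is affected.
Set-WebConfigurationProperty -PSPath $AppHost -Location 'Default Web Site' -Filter "$RF/requestLimits" -Name 'maxAllowedContentLength' -Value 104857600

# Read back the effective limit for the site (everything not overridden is inherited).
Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' -Filter "$RF/requestLimits" -Name 'maxAllowedContentLength'
```

Two things to watch: if a site-level override is rejected, the requestFiltering section has been locked (overrideMode) at the server level and needs unlocking for that site; and denying verbs by list still leaves allowUnlisted on, so for an application that only ever needs GET and POST the stricter configuration is allowUnlisted="false" with those two verbs explicitly allowed.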


IIS: Disabling Weak SSL Protocols and Ciphers

It's no secret by now that if your web site sees credit card numbers (even if they are only passed through to a third-party gateway) you need to comply with the PCI DSS standard.

Requirement 4.
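On Windows, IIS gets its protocol and cipher list from SCHANNEL, which is configured in the registry rather than in IIS itself. The script below is an added example (not code from the original post) that disables SSL 2.0 and SSL 3.0 and, because current PCI DSS treats TLS 1.0 and 1.1 as "early TLS", those too, along with the RC4, DES and NULL ciphers. It assumes an elevated session, and the changes only take effect after a reboot.

```powershell
# Added example (not code from the original post). Disables SSL 2.0, SSL 3.0,
# TLS 1.0 and TLS 1.1 plus the RC4, DES and NULL ciphers by writing the SCHANNEL
# registry keys that IIS (via http.sys) reads. Assumes an elevated session.
# SCHANNEL only picks the changes up after a reboot.
$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Disable-SchannelProtocol {
    param([string]$Name)
    # Only the Server side is touched: the Client keys also govern outbound TLS from
    # this box (Windows Update, .NET apps, RDP on old releases) and can break them.
    $key = "$Schannel\Protocols\$Name\Server"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Disable-SchannelCipher {
    param([string]$Name)
    # Cipher key names such as "RC4 128/128" contain a slash, which the HKLM: provider
    # would treat as a path separator, so the key is created through .NET directly.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey(
        "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$Name")
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

function Get-SchannelProtocolState {
    # Read back what is configured so the change can be verified now and audited later.
    Get-ChildItem "$Schannel\Protocols" | ForEach-Object {
        $server = Get-ItemProperty "$($_.PSPath)\Server" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $_.PSChildName
            ServerEnabled     = $server.Enabled
            DisabledByDefault = $server.DisabledByDefault
        }
    }
}

foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') { Disable-SchannelProtocol $p }
foreach ($c in 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128', 'DES 56/56', 'NULL') { Disable-SchannelCipher $c }
Get-SchannelProtocolState | Format-Table -AutoSize
Write-Warning 'Reboot required before SCHANNEL applies these settings.'
```

Before running this on an older box, confirm TLS 1.2 is actually enabled on the host, or you will be left with a server that negotiates nothing. After the reboot, verify from a machine outside the network (for example with nmap's ssl-enum-ciphers script or openssl s_client forcing each old protocol) rather than trusting the registry, since that external view is what the PCI scan sees.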


ColdFusion wsconfig Hotfix CVE-2009-1876 is for Apache Only

There has been some confusion over the ColdFusion web server connector (wsconfig.jar) hotfix for CVE-2009-1876, which is part of Adobe Security Bulletin APSB09-12.

Whether or not this hotfix is required on IIS has been a question posed by many.


Remove X-Powered-By: ASP.NET Header

Have you ever noticed that IIS tends to brand every HTTP response with the header X-Powered-By: ASP.NET? It does this even if your site is not powered by ASP.NET at all, because the header is a static custom header defined in the server configuration rather than something the ASP.NET runtime adds.


Howto Disable the Server Header in IIS

Steven Erat just pointed me to a technote from Macromedia (now Adobe) called Configuring ColdFusion MX 7 Server Security, in the comments of my securing Apache config article.
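The two headers from this post and the previous one are removed in different places, which is why people get them confused. As an added example (not code from the original posts or from Adobe's technote), the script below deletes the X-Powered-By custom header from applicationHost.config, switches off the Server header where IIS supports that from configuration, and then fetches a page to confirm what the server actually sends. It assumes an elevated session with the WebAdministration module, and $Url is a placeholder for a page on the site.

```powershell
# Added example (not code from the original posts). Removes X-Powered-By for every
# site, removes the Server header on IIS versions that support it, and verifies by
# looking at a live response. Assumes an elevated session with WebAdministration.
Import-Module WebAdministration
$AppHost = 'MACHINE/WEBROOT/APPHOST'

# 1. X-Powered-By is not produced by ASP.NET; it is a static entry in the
#    customHeaders collection of applicationHost.config, so deleting the entry
#    removes it from every site (a single site can also <remove> it in web.config).
$hdr = 'system.webServer/httpProtocol/customHeaders'
if (Get-WebConfiguration -PSPath $AppHost -Filter "$hdr/add[@name='X-Powered-By']") {
    Remove-WebConfigurationProperty -PSPath $AppHost -Filter $hdr -Name '.' -AtElement @{ name = 'X-Powered-By' }
    Write-Host 'removed X-Powered-By'
}

# 2. The Server header is added by http.sys, so there is no customHeaders entry to
#    delete. IIS 10 (Windows Server 2016 and later) has a Request Filtering switch;
#    on older versions use URLScan with RemoveServerHeader=1 in urlscan.ini.
$iisMajor = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\InetStp').MajorVersion
if ($iisMajor -ge 10) {
    Set-WebConfigurationProperty -PSPath $AppHost -Filter 'system.webServer/security/requestFiltering' -Name 'removeServerHeader' -Value $true
    Write-Host 'removeServerHeader enabled'
} else {
    Write-Warning "IIS $iisMajor cannot drop the Server header from configuration alone; install URLScan and set RemoveServerHeader=1."
}

# 3. Trust the wire, not the config: fetch a page and list the identifying headers
#    that are still present. X-AspNet-Version is included because ASP.NET sites
#    emit it separately (httpRuntime enableVersionHeader="false" turns it off).
function Get-IdentifyingHeaders {
    param([string]$Url)
    $r = Invoke-WebRequest -Uri $Url -UseBasicParsing
    $r.Headers.GetEnumerator() |
        Where-Object { $_.Key -in 'Server', 'X-Powered-By', 'X-AspNet-Version' } |
        ForEach-Object { [pscustomobject]@{ Header = $_.Key; Value = ($_.Value -join ', ') } }
}

$Url = 'http://localhost/'   # placeholder
Get-IdentifyingHeaders -Url $Url | Format-Table -AutoSize
```

Step 3 is the part worth keeping around: a header-stripping change that was made in IIS Manager is easy to undo by accident when a later configuration change re-adds the default, and a one-line fetch in a monitoring job catches that long before a scanner does.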


Apache mod_rewrite for IIS

mod_rewrite is easily my favorite module for Apache. You can use it to create very clean URLs, and you can even use it for security validation, rejecting requests whose URL or query string does not match the pattern your application expects.


Moving SSL Certs from IIS to Apache

I found some instructions for converting SSL certificates generated for IIS into the private key and certificate files you can use on Unix, or with Apache on Windows.

First, export your IIS certificate into a PFX file (this is something you should do anyway, for backup; the PFX is the only form that carries the private key).

Run mmc.
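The same procedure scripted end to end, as an added example (not the instructions from the original post, which go through the MMC snap-in): export the certificate and private key from the Local Machine store to a PFX, then split that PFX into the PEM key, certificate and chain files Apache expects. It assumes Export-PfxCertificate is available (PKI module, Windows 8 / Server 2012 or later), openssl.exe is on the PATH, and $Thumbprint is replaced with the certificate's real thumbprint (placeholder).

```powershell
# Added example (not code from the original post). Exports an IIS certificate with
# its private key to PFX, then converts it to the PEM files Apache uses.
# Assumes: Export-PfxCertificate (PKI module, Windows 8 / Server 2012+), openssl
# on PATH, and $Thumbprint replaced with the real value (placeholder). The private
# key must have been marked exportable when the certificate request was created.
$Thumbprint = '0000000000000000000000000000000000000000'   # placeholder
$Password   = Read-Host -AsSecureString 'Password for the PFX'

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key in this store; nothing to move.' }

# Step 1: the backup/export itself. BuildChain includes the intermediates so the
# Apache side can serve a complete chain.
Export-PfxCertificate -Cert $cert -FilePath .\site.pfx -Password $Password -ChainOption BuildChain | Out-Null

# Step 2: split the PFX. openssl needs the password in clear text; hand it over in an
# environment variable rather than on the command line so it does not land in history.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
$env:PFXPASS = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
try {
    & openssl pkcs12 -in site.pfx -nocerts -nodes -out site.key  -passin env:PFXPASS   # private key, unencrypted
    & openssl pkcs12 -in site.pfx -clcerts -nokeys -out site.crt -passin env:PFXPASS   # leaf certificate
    & openssl pkcs12 -in site.pfx -cacerts -nokeys -out chain.crt -passin env:PFXPASS  # intermediates
} finally {
    Remove-Item Env:\PFXPASS
}

# Step 3: sanity check that key and certificate belong together before copying them
# anywhere: the modulus hashes must match.
$keyMod  = (& openssl rsa  -noout -modulus -in site.key) -join ''
$certMod = (& openssl x509 -noout -modulus -in site.crt) -join ''
if ($keyMod -ne $certMod) { throw 'site.key does not match site.crt' }
Write-Host 'site.key, site.crt and chain.crt are ready for SSLCertificateKeyFile / SSLCertificateFile / SSLCertificateChainFile'
```

Because -nodes writes the key unencrypted, site.key is now as sensitive as the PFX: copy it over an authenticated channel, set it to mode 600 owned by root on the Unix side, and delete the local copies (and the PFX, unless it is going into a proper backup location) once Apache is serving with them. The modulus check only applies to RSA certificates; for an ECDSA key compare the public keys instead.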


Batch Files to Restart Services on Windows

I wrote some batch files today for restarting services on Windows. The .bat files can be used to restart ColdFusion MX or IIS services on Windows NT/2000/XP.

Batch File to restart ColdFusion MX

@echo off

REM - File: cfmxrestart.


