search : david epler


2612294 CF-3529340 Security David Epler Allow multiple sandboxes regardless of CF license Defining multiple sandboxes is a long-standing feature of ColdFusion that has been restricted to just Enterprise, but should be expanded to Standard to provide better security
2673380 CF-4126669 CFwatson U. Added By: PreRelease User User Name:David Epler Note Added: Entered Feature. Date Added :2015-07-26 13:47:20.0
2673384 CF-4126663 CFwatson U. Added By: PreRelease User User Name:David Epler Note Added: Entered Bug. Date Added :2015-07-26 17:49:32.0
2673569 CF-4126396 CFwatson U. Added By: PreRelease User User Name:David Epler Note Added: Entered Bug. Date Added :2016-02-08 15:48:57.0
2682302 CFB-4130056 CFwatson U. Added By: PreRelease User User Name:David Epler Note Added: Entered Bug. Date Added :2016-02-09 17:07:29.0
2682304 CFB-4130054 CFwatson U. Added By: PreRelease User User Name:David Epler Note Added: Entered Feature. Date Added :2016-02-10 13:06:25.0
2673451 CF-4126536 Security Analyzer David Epler Security Analyzer - case sensitivity for Testing sample source code that had the following: update comments set subscribe = 0, followup = 0 where commentid = The security analyzer flagged it SQLi, Error, High. There is no SQLi
2673454 CF-4126533 Security Analyzer David Epler Security Analyzer - Unnamed Application and Using LitePost (https://github.com/dcepler/litepost) as example code to test. In the Model Glue variation of LitePost, the Security Analyzer is flagging Application.cfm as not being within a named
2673569 CF-4126396 Security Analyzer David Epler Security Analyzer - Requires Server install as Trial/Enterprise Throughout the entire pre-release, installing ColdFusion Server as Developer Edition worked, specifically Developer Edition, Development Profile, RDS Enabled. The latest builds from
2682304 CFB-4130054 Security Code Analyzer David Epler Security Analyzer - Show icon in navigator pane Related Bugs: 4146775 - Similar to ColdFusion Builder Currently if a file has an issue it is only identifiable from the security analyzer pane. An indicator should also be shown
2673363 CF-4126693 CFwatson U. Added By: PreRelease User User Name:David Epler Note Added: Which specific builds of Server and Builder was this fixed in? Date Added :2016-02-06 19:02:25.0 Added By:preethi Note Added: The fix would be available in the next drop. Date Added :2016-02-03 05
2673385 CF-4126662 CFwatson U. Added By:preethi Note Added: Fix will be available in the next release. Thanks! Date Added :2015-09-22 09:37:28.0 Added By: PreRelease User User Name:David Epler Note Added: Forgot regex in the list Date Added :2015-07-27 16:10:47.0 Added By: PreRelease User User
2673455 CF-4126531 CFwatson U. Added By: PreRelease User User Name:David Epler Note Added: Attached blog.cfc from BlogCFC as noted in ticket. Date Added :2015-11-13 16:30:41.0 Added By:preethi Note Added: Hi David, Can you attach the related testcase here. Thanks! Date Added :2015-11-13 09
2673317 CF-4126912 Security Analyzer David Epler Inconsistent XSS markings for built-in-functions (BIF) that return integers Duplicate ID: CF-4126413 Problem Description: Given the code: #ceiling(url.id)# #floor(url.id)# #round(url.id)# Actual Result: The security analyzer marks the lines
2673452 CF-4126535 Security Analyzer David Epler Security Analyzer - incorrect flagging of method="post" on Using LitePost (https://github.com/dcepler/litepost) as example code to test. Security Analyzer is flagging fusebox/home/entry/comment/dsp_commentForm.cfm with a warning, low for getvspost
2673453 CF-4126534 Security Analyzer David Epler Security Analyzer - Unnamed Application and Fusebox Using LitePost (https://github.com/dcepler/litepost) as example code to test. In the Fusebox variations of LitePost, the Security Analyzer is flagging Application.cfm as not being within a named
2612292 CF-3529344 Security David Epler Sandboxes should allow Fully Qualified Domain Names (FQDN) not just IP Addresses Currently ColdFusion only allows for IP Addresses to be entered into the sandbox under Server/Ports. This is problematic if the outbound connection might be going to a service
2612293 CF-3529341 Security David Epler Sandboxes should be limited to 127.0.0.1 port 80 by default All sandboxes when created should be limited to connect to only 127.0.0.1 (localhost) on port 80 by default. Currently, ColdFusion allows for all connections. This change would make the administrator
2612295 CF-3529336 Installation/Config David Epler Default user in Windows The installer for Windows should allow for specifying the user that ColdFusion should run as and not rely on the administrator to come back and change it by following the lockdown guide. The Linux and Solaris installers have
2612296 CF-3529334 Installation/Config David Epler Secure Profile should be opt-out Duplicate ID: CF-3590046 The ColdFusion 10 installer set Secure Profile to be an opt-in with it being shown as "Enable Secure Profile". This should be changed to make it an opt-out with "Disable Secure Profile
2613396 CF-3324088 Web Container (Tomcat) David Epler Report Update Level in cfinfo and server.coldfusion struct Since it has been deemed that Updates no longer increment the ColdFusion version number, administrators and developers need a way to determine the update level of ColdFusion without
2599725 CF-3039786 Accessibility David Epler Bug 79599:There is no ALT attribute on the DateChooser Problem: There is no ALT attribute on the DateChooser.png when using . This causes 508 audit to fail. Bug #79003 mentions adding ALT attribute for type="autosuggest". This also occurs in Cold
2673360 CF-4126698 CFwatson U. Added By: PreRelease User User Name:David Epler Note Added: Added File Date Added :2015-07-25 17:44:49.0 Added By: PreRelease User User Name:David Epler Note Added: Added additional variants of code that all mitigate SQLi Date Added :2015-07-25 16:44:33.0 Added By
2673361 CF-4126696 CFwatson U. Added By:preethi Note Added: The fix will be available in the next ColdFusion drop. Date Added :2016-01-27 04:24:35.0 Added By: PreRelease User User Name:David Epler Note Added: Entered Bug. Date Added :2015-07-18 13:02:41.0
2673362 CF-4126694 CFwatson U. Added By:preethi Note Added: Fix will be available in the next release. Thanks! Date Added :2015-09-22 06:32:31.0 Added By: PreRelease User User Name:David Epler Note Added: Entered Bug. Date Added :2015-07-18 13:28:44.0
2673376 CF-4126678 CFwatson U. Added By:preethi Note Added: Fix will be available in the next release. Thanks! Date Added :2015-09-22 06:31:51.0 Added By: PreRelease User User Name:David Epler Note Added: Entered Bug. Date Added :2015-07-21 14:02:10.0
2673379 CF-4126670 CFwatson U. Added By:uogra Note Added: We have made the changes for encodeforcss, encodeforjavascript and encodeforhtmlattribute Date Added :2015-10-29 09:26:31.0 Added By: PreRelease User User Name:David Epler Note Added: Entered Bug. Date Added :2015-07-26 13:09:04.0
2673382 CF-4126665 CFwatson U. Added By:preethi Note Added: Fix will be available in the next release. Thanks! Date Added :2015-09-22 06:28:57.0 Added By: PreRelease User User Name:David Epler Note Added: Entered Bug. Date Added :2015-07-26 16:11:48.0
2673390 CF-4126655 CFwatson U. Added By:preethi Note Added: Fix will be available in the next release. Thanks! Date Added :2015-09-22 06:30:49.0 Added By: PreRelease User User Name:David Epler Note Added: Entered Bug. Date Added :2015-07-29 11:19:52.0
2673391 CF-4126654 CFwatson U. Added By:preethi Note Added: Fix will be available in the next release. Thanks! Date Added :2015-09-22 09:36:15.0 Added By: PreRelease User User Name:David Epler Note Added: Entered Bug. Date Added :2015-07-29 11:39:16.0
2673392 CF-4126652 CFwatson U. Added By:preethi Note Added: Fix will be available in the next release. Thanks! Date Added :2015-09-22 06:29:35.0 Added By: PreRelease User User Name:David Epler Note Added: Entered Bug. Date Added :2015-07-29 12:40:49.0
2673451 CF-4126536 CFwatson U. Added By:preethi Note Added: Fix will be available in the next release. Thanks! Date Added :2015-11-21 06:23:22.0 Added By: PreRelease User User Name:David Epler Note Added: Entered Bug. Date Added :2015-10-30 22:16:00.0
2673452 CF-4126535 CFwatson U. Added By:preethi Note Added: Fix will be available in the next release. Thanks! Date Added :2015-12-07 08:43:36.0 Added By: PreRelease User User Name:David Epler Note Added: Entered Bug. Date Added :2015-11-10 17:12:11.0
2673453 CF-4126534 CFwatson U. Added By:preethi Note Added: The fix will be available in the next ColdFusion drop. Date Added :2016-01-27 06:55:06.0 Added By: PreRelease User User Name:David Epler Note Added: Entered Bug. Date Added :2015-11-10 17:43:02.0
2673316 CF-4126922 Security Analyzer David Epler Should not mark some tag-specific variables as XSS (RecordCount/CurrentRow) Duplicate ID: CF-4087973 Problem Description: Given the code: SELECT ARTISTID, FIRSTNAME, LASTNAME, EMAIL, THEPASSWORD, ADDRESS, CITY, STATE, POSTALCODE, PHONE
2673362 CF-4126694 Security Analyzer David Epler Security Analyzer - Should be POST only The security analyzer sends data via GET and should be POST. ----------------------------- Additional Watson Details ----------------------------- Watson Bug ID: 4126694 External Customer Info: External
2673455 CF-4126531 Security Analyzer David Epler Security Analyzer - Incorrect flagging SQLi (BlogCFC - blog.cfc) Using BlogCFC as example code. The Security Analyzer is incorrectly flagging the use of the variable posted in getActiveDays() method within org/camden/blog/blog.cfc. The variable
2613585 CF-3214592 Installation/Config David Epler Unable to create EAR/WAR on Windows without Administrator rights Problem Description: In previous ColdFusion installers (8.0.1, 9.0.0, 9.0.2) running as non-admin user on Windows the installer would still allow the user to continue on and create
2682302 CFB-4130056 Security Code Analyzer David Epler Security Analyzer - Show full path & filename The security analyzer pane in Builder only shows the filename of the file and not the complete path. This makes it difficult to know where the file with the issue is when scanning a directory
Added :2015-10-29 06:21:20.0 Added By: PreRelease User User Name:David Epler Note Added: Entered Bug. Date Added :2015-07-26 15:21:02.0
Release User User Name:David Epler Note Added: Entered Bug. Date Added :2015-11-10 17:53:37.0
or not Any Workarounds: None. ----------------------------- Additional Watson Details ----------------------------- Watson Bug ID: 4156608 External Customer Info: External Company: External Customer Name: David Epler External Customer Email: depler@aboutweb.com
2673361 CF-4126696 Security Analyzer David Epler Security Analyzer - Cookies in cfscript The security analyzer does not match stated rules for identifying issues with cookies when they are created with script. ----------------------------- Additional Watson Details
2673363 CF-4126693 Security Analyzer David Epler Security Analyzer - Secure with Credentials While the documentation says the security analyzer is "available only in development server, it is not available in the production server", there is still a potential for ColdFusion to be installed
2673376 CF-4126678 Security Analyzer David Epler Security Analyzer - CGI scope is not "Safe" When running the security analyzer across attached code it should flag the use of CGI.HTTP_USER_AGENT in line 1 as XSS and line 4 as SQLi. There are numerous items populated into CGI scope that come
2673379 CF-4126670 Security Analyzer David Epler Security Analyzer - Does not flag incorrect EncodeFor Contexts The security analyzer seems to only be checking for EncodeForHTML regardless of the context of where the variable is used. This is incorrect. If the variable is being used in an HTML
2673380 CF-4126669 Security Analyzer David Epler Security Analyzer - Better information for HTMLEditFormat Prior to ColdFusion 10, the only way to escape/encode for XSS was mostly through the use of HTMLEditFormat. This function was deprecated when in ColdFusion 10 the ESAPI EncodeFor* functions
2673381 CF-4126667 Security Analyzer David Epler Security Analyzer - CSRF Attack detection does not work Related Bugs: CF-4080920 - Similar to The CSRF Attack detection for the security analyzer does not work according to the documentation. Attached code samples have the correct usage
2673382 CF-4126665 Security Analyzer David Epler Security Analyzer - addtoken and Secure Profile The behavior for addtoken in changes if Secure Profile is enabled or not. As the security analyzer is currently implemented it has no knowledge if the code will be deployed to a server with Secure
2673384 CF-4126663 Security Analyzer David Epler Security Analyzer - Fails to identify passwords in Script Functions Implemented as CFCs The security analyzer fails to identify hardcoded passwords in script functions implemented as CFCs that were introduced by Adobe in ColdFusion 9. http
2673385 CF-4126662 Security Analyzer David Epler Security Analyzer - Need to honor more cfparam types Currently the security analyzer seems to only check for . There are additional types that have specific format which will block invalid/dangerous input. The other types that should be allowed are
2673390 CF-4126655 Security Analyzer David Epler Security Analyzer - Fails to detect variables in struct notation The security analyzer can not detect XSS or SQLi when variables are changed from scope.variablename to scope["variablename"] ----------------------------- Additional Watson
2673391 CF-4126654 Security Analyzer David Epler Security Analyzer - Does not detect missing method on The security analyzer does not detect the missing method on html . W3C specification states that if it is not there it defaults to get. ----------------------------- Additional Watson Details
2673392 CF-4126652 Security Analyzer David Epler Security Analyzer - Fails to detect XSS when variable goes through duplicate(), structAppend(), or structCopy() The security analyzer does not detect XSS when an unsafe variable is processed through duplicate, structappend, or structcopy
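The analyzer gaps reported in CF-4126678 (CGI scope is not safe), CF-4126662 (more cfparam types), CF-4126655 (bracket notation), CF-4126652 (duplicate/structAppend/structCopy) and CF-4126912 (integer-returning BIFs) above all come down to how a taint tracker defines its sources, sanitizers and propagation rules. The Python below is an added example written for this page, not Adobe's Security Analyzer or any project's code: a minimal line-based taint check over CFML that treats URL, FORM, COOKIE and CGI as sources, honors cfparam with a type assumed here to be format-restricting (the RESTRICTIVE_TYPES set is this example's assumption, not Adobe's documented list), follows taint through cfset, duplicate(), structCopy() and structAppend(), and reports unencoded output as XSS and unparameterized query text as SQLi. The CFML sample inside it is constructed.

```python
import re

# Scopes populated from the HTTP request. CGI is included because headers such as
# HTTP_USER_AGENT are client-supplied (CF-4126678).
TAINTED_SCOPES = {"url", "form", "cookie", "cgi"}
# cfparam types assumed here to reject free-form input and so remove taint.
# This set is an assumption for the example, not Adobe's documented list.
RESTRICTIVE_TYPES = {"integer", "numeric", "boolean", "date", "guid", "uuid"}
# Built-in functions that return a number, so their result cannot carry markup (CF-4126912).
NUMERIC_BIF_RE = re.compile(r"^\s*(ceiling|floor|round|val|int)\s*\(.*\)\s*$", re.I)

INTERP_RE = re.compile(r"#([^#]+)#")                                 # #expr# in output or SQL
VAR_RE = re.compile(r'\b([a-z_]\w*)(?:\.(\w+)|\["(\w+)"\])', re.I)  # scope.name or scope["name"]
CFSET_RE = re.compile(r"<cfset\s+([\w.]+)\s*=\s*(.+?)\s*>", re.I)
CFPARAM_RE = re.compile(r"<cfparam\s+([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
APPEND_RE = re.compile(r"<cfset\s+structappend\s*\(\s*(\w+)\s*,\s*(\w+)", re.I)
ENCODE_RE = re.compile(r"\bencodefor\w+\s*\(", re.I)
QUERYPARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.I)


def expr_tainted(expr, tainted, sanitized):
    """True if expr reads attacker-controlled data with no encoder or numeric BIF around it.
    Simplification: an encodeFor* call anywhere in the expression is taken to wrap all of it."""
    if ENCODE_RE.search(expr) or NUMERIC_BIF_RE.match(expr):
        return False

    def drop_sanitized(m):  # remove references that a restrictive cfparam made safe
        key = f"{m.group(1)}.{m.group(2) or m.group(3)}".lower()
        return "" if key in sanitized else m.group(0)

    rest = VAR_RE.sub(drop_sanitized, expr)
    return any(w.lower() in tainted for w in re.findall(r"[a-z_]\w*", rest, re.I))


def analyze(cfml):
    """Return (line, kind, expression) for every tainted value reaching an HTML or SQL sink."""
    tainted = set(TAINTED_SCOPES)   # scopes or variables currently holding attacker data
    sanitized = set()               # "scope.name" keys declared with a restrictive cfparam type
    findings = []
    in_query = False
    for no, line in enumerate(cfml.splitlines(), 1):
        low = line.lower()
        if "<cfquery" in low:
            in_query = True
        elif "</cfquery" in low:
            in_query = False
        m = CFPARAM_RE.search(line)
        if m:
            attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
            if attrs.get("type", "string").lower() in RESTRICTIVE_TYPES:
                sanitized.add(attrs["name"].lower())
            continue
        m = APPEND_RE.search(line)      # structAppend(dst, src): dst inherits src's taint
        if m:
            if expr_tainted(m.group(2), tainted, sanitized):
                tainted.add(m.group(1).lower())
            continue
        m = CFSET_RE.search(line)       # <cfset x = ...>: x = url.id, duplicate(url), structCopy(form)
        if m:
            if expr_tainted(m.group(2), tainted, sanitized):
                tainted.add(m.group(1).lower())
            else:
                tainted.discard(m.group(1).lower())  # reassigned to a safe value
            continue
        scan = QUERYPARAM_RE.sub("", line)    # values bound with cfqueryparam are not SQLi
        for expr in INTERP_RE.findall(scan):
            if expr_tainted(expr, tainted, sanitized):
                findings.append((no, "SQLi" if in_query else "XSS", expr.strip()))
    return findings


# Constructed CFML sample for this example, not code from any project on the page.
SAMPLE = """\
<cfparam name="url.id" type="integer">
<cfset copy = duplicate(url)>
<cfset names = structNew()>
<cfset structAppend(names, form)>
<cfoutput>
<p>#url.id#</p>
<p>#url["name"]#</p>
<p>#copy.name#</p>
<p>#names.nick#</p>
<p>#encodeForHTML(form.comment)#</p>
<p>#ceiling(url.page)#</p>
<p>#cgi.http_user_agent#</p>
</cfoutput>
<cfquery name="q" datasource="blog">
SELECT id FROM posts WHERE author = '#cgi.http_user_agent#'
</cfquery>
<cfquery name="q2" datasource="blog">
SELECT id FROM posts WHERE id = <cfqueryparam value="#form.id#" cfsqltype="cf_sql_integer">
</cfquery>
"""

if __name__ == "__main__":
    for line_no, kind, expr in analyze(SAMPLE):
        print(f"line {line_no}: {kind} via #{expr}#")
```

Run against the sample, the integer-typed url.id, the encoded form.comment, the ceiling() call and the cfqueryparam-bound form.id are all accepted, while the bracket-notation url["name"], the duplicate() copy, the structAppend() target and both CGI uses are reported. A real analyzer works on a parse tree rather than lines, but the source/sanitizer/propagation rules are the part the tickets above are about.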
2612744 CF-3434473 Security David Epler encodeFor attribute for cfoutput, writeOutput While ColdFusion 10 added the various ESAPI encodeFor* functions, it is dependent upon the developer to properly wrap location where used with the appropriate function (e.g. #EncodeForHTML(url.name)#). Adding
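CF-4126670 and the HTMLEditFormat note (CF-4126669) above describe the same root issue: the encoder has to match the output context, and checking only for EncodeForHTML misses attribute, URL, JavaScript and CSS sinks. The Python below is an added example, not Adobe's analyzer or any project's code, showing how a context-aware check can classify each #...# interpolation from the markup preceding it and compare the encoder actually used with the one the context requires; it is also the decision a per-context encodeFor attribute on cfoutput, as proposed in CF-3434473, would have to make. Context detection is a deliberately simplified heuristic over quoted attributes and open script/style elements, and the CFML sample is constructed.

```python
import re

INTERP_RE = re.compile(r"#([^#]+)#")
ENCODER_RE = re.compile(r"^\s*encodeFor(HTMLAttribute|HTML|JavaScript|URL|CSS)\s*\(", re.I)
LEGACY_RE = re.compile(r"^\s*htmlEditFormat\s*\(", re.I)    # pre-CF10 escaper, deprecated
ATTR_PREFIX_RE = re.compile(r'(\w+)\s*=\s*"[^"]*$')          # unclosed attribute value at end of a tag
URL_ATTRS = {"href", "src", "action", "formaction"}

# Output context -> the ESAPI encoder that is correct for it.
ENCODERS = {
    "HTML": "encodeForHTML",
    "HTMLAttribute": "encodeForHTMLAttribute",
    "URL": "encodeForURL",
    "JavaScript": "encodeForJavaScript",
    "CSS": "encodeForCSS",
}
CANON = {v[len("encodeFor"):].lower(): v for v in ENCODERS.values()}


def context_at(prefix):
    """Classify the output context at the end of prefix (all text before an interpolation).
    Heuristic: quoted attributes and open <script>/<style> elements only."""
    low = prefix.lower()
    # Inside an open <script> or <style> element whose start tag has already closed.
    for tag, ctx in (("script", "JavaScript"), ("style", "CSS")):
        start = low.rfind("<" + tag)
        if start > low.rfind("</" + tag) and ">" in low[start:]:
            return ctx
    lt, gt = low.rfind("<"), low.rfind(">")
    if lt > gt:                                   # inside a start tag
        m = ATTR_PREFIX_RE.search(prefix[lt:])
        if m:
            attr = m.group(1).lower()
            if attr in URL_ATTRS:
                return "URL"
            if attr.startswith("on"):             # event handler: JavaScript in an attribute
                return "JavaScript"
            if attr == "style":
                return "CSS"
        return "HTMLAttribute"
    return "HTML"


def used_encoder(expr):
    """Encoder wrapping expr, 'htmlEditFormat' for the legacy call, None if unencoded."""
    m = ENCODER_RE.match(expr)
    if m:
        return CANON[m.group(1).lower()]
    return "htmlEditFormat" if LEGACY_RE.match(expr) else None


def check(cfml):
    """Return (line, expr, required, used) for each interpolation not encoded for its context."""
    findings = []
    seen = ""                       # earlier lines, so elements opened there are still known
    for no, line in enumerate(cfml.splitlines(), 1):
        for m in INTERP_RE.finditer(line):
            required = ENCODERS[context_at(seen + line[: m.start()])]
            expr = m.group(1).strip()
            used = used_encoder(expr)
            if used != required:
                findings.append((no, expr, required, used))
        seen += line + "\n"
    return findings


# Constructed sample for this example. Most interpolations use the HTML encoder
# regardless of where the value lands, which is what the ticket above says goes unflagged.
SAMPLE = """\
<cfoutput>
<p>Hello #encodeForHTML(url.name)#</p>
<input value="#encodeForHTML(url.name)#">
<a href="/user?name=#encodeForHTML(url.name)#">profile</a>
<script>var n = "#encodeForHTML(url.name)#";</script>
<div style="color: #encodeForCSS(url.color)#">x</div>
<p>#htmlEditFormat(url.name)#</p>
<p>#url.name#</p>
</cfoutput>
"""

if __name__ == "__main__":
    for no, expr, required, used in check(SAMPLE):
        print(f"line {no}: #{expr}# needs {required}, found {used}")
```

Only the body-text use on line 2 and the encodeForCSS call inside the style attribute pass; the attribute, href and script uses of encodeForHTML are reported with the encoder they actually need, the htmlEditFormat call is reported as not being an ESAPI encoder at all, and the bare url.name is reported as unencoded.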
the sub-components to install." Thanks!, -Aaron Date Added :2016-01-21 00:52:14.0 Added By: PreRelease User User Name:David Epler Note Added: The wording has always been confusing to me. Agree with Pete in changing the instruction to make it clear as to what checking or unchecking actually does
2673360 CF-4126698 Security Analyzer David Epler Security Analyzer - Incorrect SQLi The security analyzer incorrectly identifies attached code as having a SQLi where the variable is completely controlled through the code Security Analyzer should understand the context of variables
2673244 CF-4141282 CLI David Epler Cannot use Admin API with CLI Problem Description: When trying to invoke subsequent calls to Admin API after logging in, it fails when the attached code is run with CLI instead of a browser. The call to CFIDE.adminapi.administrator.login() returns true, but does
2611834 CF-3586644 Installation/Config : Connector David Epler wsconfig does not configure Oracle iPlanet 7.0.9 or higher Problem Description: On new install of ColdFusion 10 running Redhat 5.9 with Oracle iPlanet Web Server 7.0.15 connector script fails to install. From {ColdFusion Dir
that I can close the bug . Thanks, Mukesh Date Added :2016-02-11 06:39:56.0 Added By:mukumar Note Added: Hi David , Sure , Timeout configuration of RDS in CFBuilder will that documented . Thanks, Mukesh Date Added :2016-02-11 06:14:48.0 Added By: PreRelease User User Name:David Epler Note Added