search : hacking


displaying top 100 results

Cryptojacking: Hacking for Bitcoins
[ANeff] Bug for: per-app null value can be hacked from address bar
3851606 CF-4200508 Suchika S. getColumnList() returns a string [] and not an array object. We have a hack for converting String[] to array for the headless version. We have added similar hack for member function if it is for the function parameter but not for the calling object. The calling object
2597048 CF-3169196 External U. This is a crazy bug that defies logic. Lots of people use isValid("integer") to validate data that's expected to be an integer to provide protection from hacking, maliciously causing errors to progress hacking, or manipulation of data, so this is actually a security
2609053 CF-3941059 External U. Please fix, it's terrible to have to hack my code when handling Base64 strings of images because the spec is being incorrectly interpreted.
2613176 CF-3341284 External U. We are unable to upgrade our CF without investing additional engineering time to hack together a fix for something that should not be broken.
2597097 CF-3119991 External U. A work mate hacked together a solution. It's detailed here; http://stackoverflow.com/questions/5898291/coldfusion-util-key-memory-leak-issue-with-structure-keys/9401913
2599341 CF-3040311 External U. This is holding up our production server upgrades. With millions of lines of codebase an audit is absolutely ridiculous! Anything short of a hot fix is unacceptable and a hack bandaid.
2603458 CF-3035553 External U. Heavily seconded ... that "bug" or lack of features! Fortunately, I found a Java hack to provide SSL to poll GMail with cfpop ...
of hacking and security breaches. According to NBC News, Hackers stole nearly half a billion personal records in 2018. There were fewer breaches, but the breaches were bigger and worse and more data than ever was stolen. Crypto-miners have improved as well and not in a good way. The post It’s Up To Us
and it creates a zombie process in iis. The pathway that autodiscover uses is also a common one for script hacks on PHP sites, so in production, script hacks against your server can zombie hundreds of threads in a few minutes, killing IIS very quickly. The CFContent problem is equally obvious, any request after
aliaspooryorik Why you should limit password length Allowing long passwords is good but could also be used as an attack vector The post Why you should limit password length appeared first on ColdFusion. Blog,ColdFusion,Modern CFML,blog,Hacking,modern cfml
2609632 CF-3818547 External U. Is this the same security team that facilitated the h.cfm hack? Are you sure you should be listening to them? (in case you hadn't worked it out, that was not a serious question, but was a serious observation that your "security team" isn't really up to much
2612071 CF-3560929 External U. I have found a "hack-ish" work around ... In the Application.cfc utilize the OnMissingTemplate method like so: Then check
2612631 CF-3488063 External U. Super annoying! Have tried most of the 'hacks' and none seem to work. I continuously end up with either a header code 200, or the default. It's not CF10 by itself obviously, as locally everything works just fine (running on a mac).
2613240 CF-3337394 External U. We run travel sites that rely heavily on JSON data and ISO country codes. The ISO country code for Norway is NO and we've had to code a hack around this issue in a few places. The code below illustrates how the bug affected us:
2613636 CF-3197321 External U. Yes, this needs to be fixed as soon as possible. This makes moving from CF9 to CF10 questionable when you see such minor problems like this go unsolved. It also makes long term administration in CF10 more difficult when you have to manually hack a fix into the XML
requiring the owner of the website to hack their code to accommodate HotBox (and any other plug-in module they might use). One very jerry-built way it might work is have the site's serialise extend HotBox's one, I suppose... but it still requires hacking about to then have the site's methods also call
if an address cannot be extracted. This means if someone added a URL parameter of "?email=hacked@own.ed" to the URL of the request, if InternetAddress.getAddress() was null, then the results of parseEmail() would not be null but would be "hacked@own.ed". This is a basic example, but the ramifications could
2673002 CF-4157592 Database Christopher Tierney Do not evaluate value if null=tue on CFQUERYPARAM Currently this code: will still try to evaluate "myVal". When attempting to turn off/on NULL's via if a value exists or not, for example in the arguments of a method, we have to hack together
reporting CF as the perfect backend solution for Flex which is totally false, till we add this feature. Other SS solutions are much faster than CF is, unless you use typed structures, which is just a hack, nothing more.
is Better?) appeared first on ColdFusion. Application Performance,Discussion,Performance,application performance,discussion,Hacking,performance
forget that when mentioning the .NET framework? LOL. And my user account got hacked from Adobe, not from MS ;-) ). What about community support. What about IDE. What about longterm maintainability of large code bases. What about quality of support and speed of reaction. What about licensing. I could go
Tom Woo Charlie, thank you so much for putting this out there -- the Hostek link made me ashamed...I had no idea it could be so simple.  A bit of a hack, yes, but for those managing very old sites where everything is working and you don't want to break anything, this is invaluable. My only trouble
2602327 CF-3036977 Flex/Flash : Flex remoting João Fernandes Bug 74044:(Watson Migration Closure)[RIA]ColdFusion should support SWF verification similar to FMS Problem: [RIA]ColdFusion should support SWF verification similar to FMS. This increases security by avoiding changed/hacked swf files
referenced forum so that context highlighting displays the CONTENT passages that the error occurs. My best guess at this point is that it is memory related. But it did work just fine, against the same content on an older server, under CF 9. Since it is a standard solr behavior and not an undocumented hack I
2610071 CF-3733001 External U. Not all tags are created equal, so it's a bit silly to think that hacking off some brackets is even mildly acceptable. What's this nonsense having "cf" still attached? Have you seen what you did to cfsilent with this approach? Have you? Monstrous. Hideous! Part
the proper truthy/falsey constructs that language like JavaScript and Groovy have. Instead of making elvis be a hacked-up combination of two things, it needs to be fixed to be a proper null coalescing operator and then this ticket won't be needed. We tried to start using the elvis operator in ColdBox 5
://www.petefreitag.com/item/644.cfm I think I recommended this back during CF8 beta as well, but that bug must have been deleted. It is now a pretty common practice to use HttpOnly in cookies, and using cfheader is quite a hack. Method: Result: ----------------------------- Additional Watson Details
of the value stored with the key. The workaround of having to run ListFind(StructKeyList(), "key") to see if the key exists in the list combined with StructKeyExists(myStruct, "key") returning false is an ugly hack. StructKeyExists() should just return true for *ANY* key that actually exists, regardless
is the object type. Here system whether the passes object is one of the Member Function supported object type or not. If not (that is the case here), it will by-pass member function completely. To support it we will have to add a hack wherein exception object needs to added for this special case, which
This is a hack, not a fix. Adobe should get this fixed in the installer.
properly as a boolean with no ambiguity? This is a problem because there is no way to treat "No" or "Yes" as a string (there is a hack that seems to work by prepending chr(2) to the string, but that is not something I would want to rely on) because javaCast("string", "NO") still shows up as a boolean
) that Pete Freitag’s awesome “HackMyCF” tool keeps pointing out that we are missing–but we can’t update Tomcat ourselves. We need Adobe to do it.  What’s the holdup? (I am pretty sure there’s an equivalent concern regarding Tomcat 8 on CF2016, but I don’t have ready access to the version number he would
Factory or even specify a cache provider other than EHCache. Any string other than EHCache will throw an error. This means that it is not possible to implement any second level other than the EHCache that ships with ColdFusion 11! The way that RegionFactory implementation seems a bit of a hack. Steps
: http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project Essentially it allows you to parse a string and remove potential XSS attacks. I wrote a blog entry a while back showing how to use AntiSamy in CF: http://blog.pengoworks.com/index.cfm/2008/1/3/Using-AntiSamy-to-protect-your-CFM-pages-from-XSS-hacks It just seems like with increasing XSS attacks out there
by creating a scheduled task to run every few minutes (I have it at 2) to send a server message to all open connections. This forces traffic over the connection so that it never times out. However, it is absolutely a hack with much more overhead involved than if ping-pongs were implemented directly in CF.
but the answer options have to be rearranged so that all 0 value data items are at the top of the list. If it was the opposite where only items at the top of the list were colored it would be better but having to rearrange the order to put non-0 data as the last in the list of cfchartdata is a terrible hack
to me who had been hacked because of all this: bad guys had uploaded a cfm file (to a page doing cffile action="upload") with content that looked like an image (at the top) but had CFML at the bottom. It passed the strict test ("looked like a png"), but then that file was executable
to have this as an (optional) setting on CFCOLLECTION & the UI in CF Admin, rather than hacking config files. This *is* CF we're talking about after all![/quote]-- Adam Method: Result: ----------------------------- Additional Watson Details ----------------------------- Watson Bug ID: 3043982
.compiler.FinalVariableMutationException is thrown ----------- Actual Result: final ignored Expected Result: coldfusion.compiler.FinalVariableMutationException on line 3 2) Run: ----------- final variables.foo = "final honored" variables.foo = "final ignored" writeOutput(variables.foo) foo = "I call hacks"//if this line is commented
Charlie Arehart

Sorry that I missed this when you posted last week.

So first, your confusion and doubt is understandable. Security is a complicated topic, and just when you may feel you’ve buttoned something up, along comes some hack that makes you vulnerable again. Sadly, one must become

.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter( At the end of the day, these smell like someone trying to hack, but cflogin shouldn't throw these exceptions. ----------------------------- Additional Watson Details ----------------------------- Watson Bug ID: 3517498
header set, but for some reason didn't check immediately. * I also had the numerous hacks resetting content and outputting a cfsavecontent variable on my 404 page by this stage, and decided not to rock the boat as it all seemed to be working fine. Yesterday our host finally also put in place