Apr 29, 2014

ColdFusion Splendor - Released (Fingers Crossed)

ColdFusion Splendor was released yesterday.

Hope this will not be like CF 10, with lots of bugs all around.

If the product is like CF 10 (not 10.0.1 ...) then we will seriously have to look at the ColdFusion road map.

Also, please give the CF world some time and a reasonable timespan between two product releases. Hope you understand what I am talking about.

Fingers crossed. Hope CF Splendor will be an awesome product for Adobe.
Right now, let's accept it and be proud of CF.

Welcome <cfSplendor>

Apr 26, 2014

ColdFusion Security Statistics Report 2014 - My Look

The 2014 Website Security Statistics Report was released a few days back; it gives a brief overview of the security issues found across all web technologies.

Here are a few points and some precautions we need to take:

1. ColdFusion is the 5th most widely used language.
2. But the main point in the report, which makes me sad, is: "10.59% of ColdFusion sites had at least one SQL Injection vulnerability, the highest among all Programming Languages".

Who is responsible?

Yes, we developers who are not writing secure CFML code to stop SQL injection vulnerabilities.
Not using cfqueryparam is not at all acceptable in the CF world.

Writing a parameterized query stops most SQL injection vulnerabilities. Please follow it.

3. XSS (46%), SQL Injection (11%) and Information Leakage (24%) vulnerabilities are the major concerns.

Hope we will write secure CFML code and protect our ColdFusion servers to prevent such vulnerabilities in future.
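To make the parameterized-query point concrete, here is an added example (not code from the report or from the original post) showing a query written the vulnerable way next to the same query written with cfqueryparam. It assumes a datasource named appDsn and a users table with id, email and username columns; those names are constructed for the illustration.

```cfml
<!--- Added example, not from the original post.
      Assumed names: datasource "appDsn", table "users" (id, email, username). --->

<!--- VULNERABLE: the request value is concatenated straight into the SQL text,
      so whatever the client sends becomes part of the statement itself. --->
<cfquery name="userRowUnsafe" datasource="appDsn">
    SELECT id, email, username
    FROM   users
    WHERE  id = #url.id#
</cfquery>

<!--- HARDENED: cfqueryparam sends the value as a bind parameter. The database
      receives the SQL and the value separately, so the value can only ever be
      treated as data. cf_sql_integer also rejects non-numeric input before the
      database is ever contacted. --->
<cfquery name="userRow" datasource="appDsn">
    SELECT id, email, username
    FROM   users
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String values get the same treatment; maxlength caps the size of what is
      bound so an oversized input is rejected rather than passed through. --->
<cfquery name="userByName" datasource="appDsn">
    SELECT id, email, username
    FROM   users
    WHERE  username = <cfqueryparam value="#form.username#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="64">
</cfquery>

<!--- Identifiers such as an ORDER BY column cannot be bound. Map the request
      value onto an allow-list of known column names instead of interpolating it. --->
<cfset allowedSort = {"email" = "email", "username" = "username"}>
<cfset sortColumn = structKeyExists(allowedSort, url.sort) ? allowedSort[url.sort] : "id">
<cfquery name="userList" datasource="appDsn">
    SELECT id, email, username
    FROM   users
    ORDER BY #sortColumn#
</cfquery>
```

A quick check for an existing code base: search the templates for `#` inside `<cfquery>` blocks; every one that is not wrapped in cfqueryparam (or drawn from an allow-list as in the ORDER BY case) is a candidate for the 10.59% figure above.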

Apr 24, 2014

How a ColdFusion Server Allowed the Install of IIS Malware Which Steals Data

I was preparing for my company-level seminar on ColdFusion security this week and went through numerous blogs and slides to learn about recent ColdFusion attacks.

The one which interested me most is the IIS malware attack.

What is it?
How is the IIS malware injected into your server?

Lots of questions to be asked, but the reason for such an attack was a CF backdoor vulnerability.

Yes, if you keep your door open, someone will come and steal some data from your server.
Here the door is your ColdFusion server.

Let's check this IIS malware injection through a flow chart.

[Figure: Flow chart of IIS malware injection through the CF backdoor vulnerability]

The CF vulnerability allowed creating a web shell (a web shell is a type of Remote Access Tool (RAT) or backdoor Trojan file) on the server, which in turn executed a DLL and added that module to IIS.

The injected DLL captured POST requests for a specific page, for example paymentProcess.cfm (the installer added this page while installing the DLL), and wrote the POST parameters to a log file.

The specially designed DLL was also undetectable by modern anti-virus.
Even SSL can't stop this, as it captures the data after the SSL POST has been decrypted by the server.

It shows how important it is to read the ColdFusion Lockdown Guide. If you have locked down your server, well and good. If not, check the lockdown guide and lock down your server soon.

If you are not aware of the CF lockdown guide, please visit:

I will be coming with my next blog, which will contain details of recent CF vulnerabilities.

Hope it may help.

Apr 13, 2014

Get Active Threads / Kill Any Specific Thread Using the CF Admin API

As we know, we can create threads using the <cfthread> tag.
We can run, join or terminate a thread, but let's say we have a real-world scenario where we want to show all CF threads currently running in our web application and perform all operations on them through the web app.

For this we have to get the metadata for all threads.

In my last post we discussed how we can access the CF Administrative APIs.
So to achieve this we are going to use the CF Admin API's servermonitoring.cfc.
You can also visit Server Monitoring in the ColdFusion Administrator to see those threads and manage them.

getActiveThreadsRunning() returns the metadata of all currently running threads, such as ThreadName, TimeTaken, CFStackTrace etc.

Let's move on to see how we can kill any thread.
You may get into a situation where a thread runs for a long period of time and because of that other processes are waiting in the queue:

We can call abortCFThread(), present under servermonitoring.cfc, to achieve this.
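As an added example (not code from the original post), here is a server-side watchdog script that puts both steps together: it logs in through administrator.cfc, reads the running threads from servermonitoring.cfc, and aborts any that have exceeded a time limit. It assumes the CF Administrator password is held in application.cfAdminPassword (set in Application.cfc rather than typed into the page), that getActiveThreadsRunning() returns an array of structs carrying the ThreadName, TimeTaken (milliseconds) and CFStackTrace keys the post names, and that abortCFThread() takes the thread name; confirm the exact signatures for your CF version by browsing servermonitoring.cfc as described in the previous post.

```cfml
<cfscript>
// Added example, not from the original post.
// Assumptions: application.cfAdminPassword holds the CF Administrator password;
// getActiveThreadsRunning() returns an array of structs with ThreadName,
// TimeTaken (ms) and CFStackTrace; abortCFThread() takes the thread name.

// Any cfthread running longer than this is treated as stuck.
maxRunMillis = 5 * 60 * 1000;

// Step 1: every Admin API call requires an Administrator login first.
adminApi = createObject("component", "CFIDE.adminapi.administrator");
adminApi.login(application.cfAdminPassword);

// Step 2: fetch the metadata for all currently running threads.
monitor = createObject("component", "CFIDE.adminapi.servermonitoring");
threads = monitor.getActiveThreadsRunning();

aborted = [];
for (t in threads) {
    if (t.TimeTaken > maxRunMillis) {
        // Record what is being killed and why, so the action is auditable later.
        writeLog(
            file = "thread-watchdog",
            type = "warning",
            text = "Aborting thread #t.ThreadName# after #t.TimeTaken# ms; stack: #t.CFStackTrace#"
        );
        // Step 3: terminate the long-running thread.
        monitor.abortCFThread(t.ThreadName);
        arrayAppend(aborted, t.ThreadName);
    }
}

// End the Administrator session once the work is done.
adminApi.logout();

writeOutput("Running threads: #arrayLen(threads)#, aborted: #arrayLen(aborted)#");
</cfscript>
```

Keep a script like this behind the same authentication as the rest of your admin tooling: the Admin API is exactly as powerful as the Administrator UI, and the lockdown guide referred to in the earlier post expects /CFIDE/adminapi itself to be unreachable from the public internet.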

Hope it will help you.
Happy Coding :)

ColdFusion Administrative API: An Overview

Most of the time we make admin-level settings by going to the CF Admin page.
But we can also change admin-level settings from our code base using the CF Admin APIs,
for example logging in to CF Admin, adding a datasource, or seeing how many threads are running on our CF server.

All of these can be achieved through the Admin APIs, which perform all CF administrative work.

ColdFusion provides a rich Admin API located under the CF directory (<CF Directory>\cfusion\wwwroot\CFIDE\adminapi).

There are 18 components in total in CF 10.
CF11 (Splendor, beta version) adds one more, document.cfc.

Most CF administrative work can be achieved using these admin CFCs.

[Image: list of the Admin API CFCs present in CF Splendor]

All the CF admin APIs are encrypted, but we can still check the list of methods available under each CFC by calling them directly.
Let's say we have to see the methods present under administrator.cfc.

Use: http://coldfusion10/CFIDE/adminapi/administrator.cfc
Enter your RDS password and you can check the methods available under administrator.cfc.

To call any CF admin API, you first have to log in to the CF Administrator.
So first we have to create objects for those CFCs and call them:
So, walk through all the Admin APIs and get familiar with them.
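Here is an added example (not code from the original post) of the two steps just described in script form: log in through administrator.cfc, then instantiate other Admin API components and read their method lists from component metadata instead of the browser view. It assumes the Administrator password is held in application.cfAdminPassword and that getMetaData() exposes the function list of the encrypted CFCs (the self-documenting view they render in the browser suggests it does). datasource.cfc is a CF10 Admin API component not named in the post.

```cfml
<cfscript>
// Added example, not from the original post.
// Assumption: application.cfAdminPassword holds the CF Administrator password.

// Step 1: log in. Every other Admin API call fails until this succeeds.
adminApi = createObject("component", "CFIDE.adminapi.administrator");
adminApi.login(application.cfAdminPassword);

// Step 2: create objects for the components we want to explore. The first two
// are named in the post; datasource.cfc is another CF10 Admin API component.
cfcNames = ["administrator", "servermonitoring", "datasource"];

methodsByCfc = {};
for (name in cfcNames) {
    cfc = createObject("component", "CFIDE.adminapi." & name);
    meta = getMetaData(cfc);
    names = [];
    if (structKeyExists(meta, "functions")) {
        for (fn in meta.functions) {
            // Private helpers are not callable from our code, so leave them out.
            if (!structKeyExists(fn, "access") || fn.access != "private") {
                arrayAppend(names, fn.name);
            }
        }
    }
    arraySort(names, "textnocase");
    methodsByCfc[name] = names;
}

// Step 3: show what each component offers, one line per CFC.
for (name in cfcNames) {
    writeOutput("#name#.cfc: #arrayToList(methodsByCfc[name], ', ')#<br>");
}

// Close the Administrator session when finished.
adminApi.logout();
</cfscript>
```

Reading the password from the application scope rather than the template keeps it out of source control and out of any page an attacker might read through a path-disclosure bug; the same script can then be reused for any of the 18 components by adding its name to cfcNames.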

Hope it will help you.
Happy Coding :)