I see that pre-compiling pages to java classes will increase performance, while using the -deploy command will encode the pages to java bytecode, thus hiding the source code.
Questions:
Can both of the above be done? Pre-compiling the application, then encoding them?
Is updating sourceless pages & cfc's as simple as encoding the newly updated files locally, then overwrite the older ones on the server?
Thank you for your contributions.
It's worth noting that byte code won't 'secure' your code if someone gets onto your server. There is nothing to stop someone from decompiling your code using tools like this.
There is offical Adobe info here on sourceless distribution but I haven't tried it. Remember, the compile hit if only on the first request (provided you have your CF admin setting correct) so the boost isn't for every request.
I'd also prefer to 'secure' my source code in other ways, i.e. making sure the server is secure.
Related
My CFIDE just went crazy this morning and I can't locate the what is causing this. When I log in from example.com/cfide/administrator/index.cfm some of the tabs on the left work fine and some are showing the index page of example.com like in an iframe... I restarted the app server but the issue is still there. Any recommendations on how to debug this thing?
So for posterity here is what we found.
There are two possibilities of exploits that could be affecting you:
the bitcoin exploit (miner.d)
the ckeditor file upload exploit (this is the h.cfm file)
There are others but these are common and known. Both tap underlying java to unfold work that either calls something more sinister, delivers server meta data or unrolls a scheduled task to fireoff worker bees to consume resources doing something the admin is unaware of.
So as we discovered we have a varietal of this h.cfm called fusebox.cfm (obfuscated with bonus encrypted CF5 garble). If you can open the file you will see that h.cfm file and open it you will see UGLY and Obfuscated code but not very sophisticated. A lot can be revealed by a coder's code and if you deconstruct and format this particular code you will discern that the developer is not native to CF, and jumps from script style to CMFL style (in caps no-less).
(here is the Stack Overflow link with the raw code (be careful))
It is also named: i.cfm, h9.cfm, r.cfm, adss.cfm or fusebox.cfm here is the black hat page that give you a ton of info. I'm viewing the cached site because I don't trust the blackhat sites. (because one loaded something on my system that raised an antivirus alert).
The file may be unreadable so here is a link to a site that describes some github sourcecode that can decrypt it for you. That is Coldfusion 5 crap that still floats around now and again. (I'm pretty sure it will look similar to that code in the SO link I pasted above).
Post mortum: One more coldfusion serve saved from villainy. Remember, it never hurts to run through your systems and see if anything can be found like this. It also never hurts to make things a little more difficult for would be server exploiters ;)
From last few day , I was searching for static code analysis tool for ColdFusion. I have not got a good one till now. I found two.
YASCA
https://code.google.com/p/cf-metrics/
From YASCA I was getting only XSS alerts and some alerts for session mgmt, nothing more than that. I have tried with my entire project.
I am not even able to properly install cf-metrics using ColdFusion10 , After putting the required jar file in the lib folder I was not able to access any one my IIS site
because of some isapi redirect isse.
Any other tools available?
If you're still looking for a ColdFusion Linter, I would recommend CFLint. It's hosted on GitHub and Maven. The parser was updated to use ANTLR4, so it's much faster than previous editions. We're also making it easier to customize than JSLint.
I've looked at this a couple of times in the past, as I maintain a large CF application.
Each time I looked I was unable to find anything suitable. I spent a while looking into using the Railo CFML parser (because it's open source) to build something ourselves and concluded at the time that it was possible, but was no small task.
You may be able to re-examine the Railo approach, but feed the AST from Railo into an existing code analysis tool. I never got that far, but it may be possible to an extent.
I'd love to hear different, but the short answer is that there's not much out there.
We recently had a hacker gain access to our system. They dumped some Coldfusion templates and included them in random pages on our sites.
The files they dump start with Allaire Cold Fusion Template and then contain what appears to be "garbage", but I believe that this is some kind of pre-compiled Coldfusion code.
We've cleared out the hacks, but I saved off the files because I was hoping that there would be some way to de-compile them and maybe make some sense of them. Although I think the hack is dealt with, I am a little worried about what this code was doing. (When I looked at the source of a page that included this code, it created no output, so something had to be going on in the background.)
If there isn't a way, that's cool, I just thought I would at least investigate the possibility of seeing what these files were doing. Thanks in advance for any help.
Wow, you have awakened some of my "old" brain cells... Way back when you could encrypt your ColdFusion templates and they could still be run on a ColdFusion server. This encryption was not very secure as the decrypting algorithm was readily available. It was/is an easy way to "hide" your code from the unknowing (I guess).
I did a quick Google search and found an old reference to a decrypt function on Adobe's site that may help "crack" that code. AB Positive Encrypt and Decrypt I believe their code would have to be encrypted this way otherwise the ColdFusion server would not be able to read the files either. This download includes the cfdecrypt.exe and cfencode.exe programs.
If that tool does not work and if I remember correctly, the ColdFusion encryption before CFMX was done using something called CFCrypt.exe. That was an older versions of ColdFusion I think but you can try using that too. I couldn't find it but I'm sure if you Google for it can be found.
Please post back with your results. I'm interested to see what they were doing.
There is a program out there cfdecrypt that will help you decompile them. I haven't used it in years, but here is a link I found to a github project:
https://github.com/disccomp/cfdecrypt
Hei there, I'm not experienced at all in C++ as I need to start learning year the next year at my university, though, I've been creating a browser based game and I'm looking for someone to transform it into pc app.
Though, I'm wondering how to make that application send a http request via POST to a file on my webserver with the username / pw.
After all the tutotials I've been reading, I concluded that none worth spending my time with, because they all based on own database, and I'm looking for one that connects to a maestro server and requests the data from there.
This may not be the answer you are looking for, but you may consider two alternatives to a more pure C++ application.
If you already have a working browser game, try to take that same code and put the html/javascript/whatever in a file and give the file a ".hta" extention. It basically opens inside a browser to run your files, but it acts more like an application from the user's viewpoint. (And, as much as I hate Windows, they're pretty fun to create if I may say so). However, your source code with this option is easily read because it can be renamed to a text file (or html file).
You could use Visual C++ (or VB.net, which you have tagged to the question, as well as "Visual" C#) to create an application which mostly consists of a browser view. It could be a "standalone" application (however would rely completely on the .Net framework - may or may not be what you want) that basically accomplishes the same as the option above, but adds that you can "hide" your files inside your application.
Using the two above alternatives, you could make an application relatively quickly that would load your files, which I assume you have already created. Note that neither of the above alternatives will work on anything other than Windows OS's.
If the two above alternatives are not what you want, or if you have questions about either one, I'd be glad to attempt to help.
I've been able to find a friend that would do it in Delphi because I wouldn't want users to download net framework just for this ap.
So the program that would fit most for any apps is Delphi Prism XE (even if it's an addon of Visual Studio)
I see that pre-compiling pages to java classes will increase performance, while using the -deploy command will encode the pages to java bytecode, thus hiding the source code.
Questions:
Can both of the above be done? Pre-compiling the application, then encoding them?
Is updating sourceless pages & cfc's as simple as encoding the newly updated files locally, then overwrite the older ones on the server?
Thank you for your contributions.
It's worth noting that byte code won't 'secure' your code if someone gets onto your server. There is nothing to stop someone from decompiling your code using tools like this.
There is offical Adobe info here on sourceless distribution but I haven't tried it. Remember, the compile hit if only on the first request (provided you have your CF admin setting correct) so the boost isn't for every request.
I'd also prefer to 'secure' my source code in other ways, i.e. making sure the server is secure.