Header information lost when calling a specific ColdFusion file - coldfusion

We are experiencing an elusive and frustrating issue as we attempt to migrate an internal ColdFusion website to a new server. The new server is Windows NT 6.0 with IIS 7, running ColdFusion 11.
Siteminder sends information via the header, including what RACF groups the user is in. The ColdFusion application.cfm file then sets this list as a variable, and the page checks against it to determine what area(s) the user works in and display the correct menu options, etc.
However, whenever the file name is typed out, it does not receive the header information. For example, with index.cfm set as the default page:
WorkforceTracking.localnet.com/Jobs/ - returns RACF group header.
WorkforceTracking.localnet.com/Jobs/index.cfm - does NOT return RACF group header.
We initially suspected that Siteminder was not set up to protect the sub-sites correctly. We were provided a file by our Siteminder team to check if the header information is coming through for other files in the directory, and it is. For the root site, and for any non-.cfm file, the header information comes through correctly.
This is true no matter what we set the default site to - I have changed it to other .cfm files, and they will receive the header information.
So, this seems to indicate that ColdFusion itself is losing the header information when a file is called directly. I am new to the server admin role, and am not sure what steps to take from here. Does anyone know why ColdFusion would be losing header information when a specific .cfm file is called?
Edit -
Currently, I have stripped down the application.cfm and index files to just output the header information, and have the index page say "Hello." The index.cfm file is below:
<cfset x = GetHttpRequestData()>
<cfoutput>
<table cellpadding = "2" cellspacing = "2">
<tr>
<td><b>HTTP Request item</b></td>
<td><b>Value</b></td>
</tr>
<cfloop collection = #x.headers# item = "http_item">
<tr>
<td>#http_item#</td>
<td>#StructFind(x.headers, http_item)#</td>
</tr>
</cfloop>
<tr>
<td>request_method</td>
<td>#x.method#</td>
</tr>
<tr>
<td>server_protocol</td>
<td>#x.protocol#</td>
</tr>
</table>
<b>http_content --- #x.content#</b>
</cfoutput>
<cfoutput>Hello!</cfoutput>
And (some) of the header output:
For devworkforcetracking2.localnet.com/Jobs/
content-length 0
JDWAS_RACFGROUPS U90^$IMS10G^$IMS20G^$IMS21G^$IMS30G^$TSO11^$TSO12^ (etc.)
SM_AUTHREASON 0
For devworkforcetracking2.localnet.com/Jobs/index.cfm
content-length 0
SM_SERVERSESSIONID a9CkEe5LwWPXXPu9a4Mssy8+o3w= (appears earlier for /Jobs/)
SM_AUTHREASON 0

Is it possible for you to enable trace on the SiteMinder web agent and see the details printed for the WorkforceTracking.localnet.com/Jobs/index.cfm resource?
If the headers are being passed, they would be printed in the SiteMinder agent trace log file.

Related

ColdFusion: Passing a variable from an include back up to the parent page

I'm using Mura CMS 7.1, which uses ColdFusion. On a page template I have some markup and am including a template file that has code for displaying calendar events from an outside source. When there are no events, I'm currently displaying a message as such. Instead however, I'd like to hide this entire section on the page template itself. Problem is I need to pass some sort of value from the include file back to the page template so I can set inline CSS to either display block/none for this section, and I'm not sure how to do this. My page template code is:
<section class="collegeEvents" style="display:">
<div class="collegeEvents__container wrapper-1170MaxWidth">
<h2 class="collegeEvents__heading">What's coming up?</h2>
<cfinclude template="inc/homeEvents.cfm" />
</div>
</section>
And the calendar code is all inside of the 'homeEvents.cfm' file. I need to be able to alter that inline css 'display' property with a value that I set in 'homeEvents.cfm'. How would I go about doing this so that the value is accessible from the page template?
I'm not suggesting this is good practice, but you could use a style block from code inside your included cfm, e.g.:
<cfsavecontent variable="variables.styleBlock">
<style>
<cfif myLogicHere>
.collegeEvents {display:none;}
<cfelse>
.collegeEvents {display:block;}
</cfif>
</style>
</cfsavecontent>
<cfhtmlhead text="#variables.styleBlock#" />
You could also use javascript to change the style afterwards, but with that there's more chance of a delay where the user sees the 'wrong' layout before the style is eventually applied.
I know that variables in the calling page are available in the included page. This leads me to believe that variables in the included page are available to the calling page. Here is a simple test of that theory.
CallingPage.cfm
<cfinclude template="IncludedPage.cfm">
<cfdump var="#x#">
IncludedPage.cfm
<cfset x = 1>
Browse CallingPage.cfm and see what happens. If you get an error for an undefined variable, there is always the good old session scope.
Please see the comment from @haxtbh. I was able to accomplish the desired task using JS directly within the include.

Coldfusion - How to prevent multiple clicks?

I have a button (anchor tag) that sends a confirm message if you press it.
The problem is that, for example, if you press it 5 times very quickly it will send 5 confirm messages; if you press it 2 times it will send 2 messages.
This can occur when the user has a low connection speed and presses the button again while the page is refreshing.
How can I manage this situation? I thought of disabling the button, but for other reasons this is not possible.
<a class="msg" href="/manage/conversations.cfm?destination=#destination#">
#ucase(request.l('Send'))#
</a>
Thank you for your time
Ultimately, you need to have code on your server to prevent processing the link multiple times from the same user.
However, to solve the UI issue, have your link call a function instead of the cf file directly.
<a class="msg" href="javascript: processLink('#destination#');">
#ucase(request.l('Send'))#
</a>
<script>
var runCount = 0;   // number of clicks since the page was loaded
function processLink(destination){
    runCount++;
    // only the first click navigates; later clicks are ignored until the new page loads
    if (runCount == 1){
        window.location.href = "/manage/conversations.cfm?destination=" + encodeURIComponent(destination);
    }
}
</script>
As mentioned in the previous answer, it's nice to have some client-side JavaScript to stop duplicate submissions from trigger-happy users; however, you should also do this checking server side.
One approach would be to create a hidden formfield with a GUID that coldfusion generates when coldfusion renders your form.
So something like:
<cfset GUID = createUUID()>
<cfoutput>
<form id="frm" action="/target.cfm" method="post">
<input type="hidden" name="guid" value="#GUID#">
<!-- all your formfields go here -->
<input type="submit">
</form>
</cfoutput>
On the server side the target page then checks if it has already received the GUID. There are lots of ways to do this; here are two of them.
a) Use Session Scope.
This is probably the quickest way if you are not running in a clustered environment and just need something quick for a tiny application.
<cfif isDefined("session.MYPAGE_GUID") AND session.MYPAGE_GUID EQ form.guid>
<cfoutput>Duplicate Form Submission</cfoutput>
<cfabort>
<cfelse>
<cfset session.MYPAGE_GUID = form.guid>
<!-- Do Business Logic Here -->
</cfif>
b) Use a Database Table.
Create a database table with a column called GUID. Make sure that GUID is the primary key or has a unique constraint.
Before you run your business logic, insert the form.GUID into the database table. If the insert succeeds, process your business logic; if not, the database query will throw an error that the record already exists. You can then catch this error and take the appropriate action for a duplicate submission.
I prefer the database option as it works across clustered environments, and database servers are solid at protecting against race conditions to ensure that a GUID is only set once.
Please be aware that this is just demonstrating the basic concepts and is not a drop-in solution. There is a bit more work to get these concepts into an e-commerce solution.
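As an added example (not code from the answer above), this is how option b) can look in ColdFusion 11 cfscript: the token is claimed with an INSERT that the primary key makes fail on any repeat, so the business logic never runs twice for one rendered form. The datasource name appDSN and the table dedupe_tokens are assumptions.

```cfml
<cfscript>
// Added example, not from the answers above. Assumed names: datasource "appDSN"
// and a table dedupe_tokens(guid VARCHAR(35) PRIMARY KEY, created DATETIME).
// Returns true the first time a token is seen, false for any repeat.
function claimSubmissionToken(required string token) {
    // Reject anything that is not a ColdFusion-style UUID before it reaches the database
    if (NOT isValid("uuid", arguments.token)) {
        return false;
    }
    try {
        queryExecute(
            "INSERT INTO dedupe_tokens (guid, created) VALUES (:guid, :created)",
            {
                guid: { value: arguments.token, cfsqltype: "cf_sql_varchar" },
                created: { value: now(), cfsqltype: "cf_sql_timestamp" }
            },
            { datasource: "appDSN" }
        );
        return true;
    } catch (database e) {
        // The primary key rejected the insert: a second request with the same
        // token lost the race, so treat it as a duplicate submission.
        return false;
    }
}
</cfscript>

<!--- target.cfm: claim the token before any business logic runs --->
<cfif NOT structKeyExists(form, "guid") OR NOT claimSubmissionToken(form.guid)>
    <cfoutput>Duplicate or missing form submission.</cfoutput>
    <cfabort>
</cfif>
<!--- Business logic goes here; it now runs at most once per rendered form --->
```

Because the uniqueness check is the INSERT itself, two requests arriving at the same time on different cluster nodes still cannot both succeed.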
The best way is to disable the link once it's selected. If you don't want to do that, an alternative is to structure conversations.cfm like this.
<div id="pageContent">
small amount of text
</div>
<cfflush>
</body>
</html>
<cfsavecontent variable = "actualPageContent">
code
</cfsavecontent>
<cfoutput>
<script>
var #toScript(actualPageContent, "newPageContent")#;
document.getElementById("pageContent").innerHTML = newPageContent;
</script>
</cfoutput>

Field giving error after CF9 to CF10 Upgrade

We have a form which has some mandatory fields and 2 buttons(One is Submit, second is Search).
Search button code is like:
<input name="btnSearch" type="submit" id="Search" value="Search">
This code redirects to action form and then further to a new screen. Finally it reverts back to the main form and has code to restore the selected values.
One of the mandatory fields has the following code:
<td align="right">Class Id:<font color="red">*</font></td>
<td><cfselect name="YY_CLASS_ID" size="1" query="XX_Class_List"
value="XX_CLASS_ID" display="XX_DESCRIPTION"
required="yes" selected="#variables.XX_CLASS_ID#">
<cfif variables.XX_CLASS_ID eq "">
<option value="" selected></option>
</cfif>
</cfselect></td>
When user clicks on the search button and this Class ID dropdown is blank, they get an error that "Error in YY_CLASS_ID text".
The yy_class_id field has the required attribute set to "yes" and the message attribute is not set. As per our understanding, this means an error should always come if the user tries to navigate away from the screen without populating the CLASS ID.
However, as per our users, they were not getting this error in CF9 and it started coming after the CF10 upgrade. They are frequent users of the screen and could not have missed this in the past if it was happening in the CF9 days.
Can anyone please confirm if something has changed in CF10 which was not there in CF9 and is causing this issue? Or are we missing something here?
Let me know if any more information is needed.

Create custom ItemStyle template for SharePoint

I've created a custom ItemStyle_ContactDetails.xsl for a SharePoint 2010 content query web part, which points to this custom file via the ItemXslLink property. The web part will be filtered to display only one record for that department's contact info. The list it's reading has these columns:
@Title -- built-in SharePoint column
/dsQueryResponse/Rows/Row/@WorkAddress -- built-in SharePoint column
/dsQueryResponse/Rows/Row/@PrimaryNumber -- built-in SharePoint column
@EMail -- built-in SharePoint column
@Opening_x0020_Hours -- custom multi-line rich text column
The above names are what they're called in the Data View Web Part from another site. I had the following in that DVWP that worked for a local site:
<td colspan="2" class="ms-vb" style="text-align:center">
<b><xsl:value-of select="@Title"/></b><br></br>
<div style="margin-top:10px;"><xsl:value-of
select="/dsQueryResponse/Rows/Row/@WorkAddress"/>
(MAP)
</div>
Tel: <xsl:value-of select="/dsQueryResponse/Rows/Row/@PrimaryNumber"/><br></br>
<xsl:value-of select="@EMail"/>
<p><b>Opening Hours:</b></p>
<div style="position:relative; top:0; margin:0">
<xsl:value-of select="@Opening_x0020_Hours"
disable-output-escaping="yes"/>
</div>
</td>
How do I translate this to the custom ItemStyle_ContactDetails.xsl template? The user needs to see the info without having to click a link to get to it -- it's always going to be just one record for that department. Thanks.
Some serious trial-and-error yielded the result, along with this great article: http://www.heathersolomon.com/blog/articles/CustomItemStyle.aspx
Maybe others trying this same thing can find this useful: You can edit the custom XSL file on the server via SPDesigner, but you can't do the same with the web part and hope to have the changes immediately reflected. You must export the content query web part, then edit the file in Notepad, etc., to make your changes to the following 3 items:
Change the ItemXslLink to point to your custom XSL file:
<property name="ItemXslLink" type="string">/Style Library/XSL Style Sheets/ItemStyle_ContactDetails.xsl</property>
Change the ItemStyle item in the web part to reference your template name; the template name in the XSL file is ContactDetails:
<xsl:template name="ContactDetails" match="Row[@Style='ContactDetails']" mode="itemstyle">
So in your web part, you'd have this:
<property name="ItemStyle" type="string">ContactDetails</property>
Update the CommonViewFields to list your custom columns and their types:
<property name="CommonViewFields" type="string">WorkAddress, Text; EMail,Text; Contact_x0020_Department,Choice; Map,URL; Opening_x0020_Hours,Text; PrimaryNumber, Text</property>
Save the web part file and import (upload) it via the browser to your web part gallery. Each time you make changes to the web part, you'll want to do this; the XSL file can be edited and saved in SPDesigner and the changes reflect immediately in the browser.
Hope this helps someone who gets stuck like I was :)
Whenever I edit "CommonViewFields" in the web part, I cannot edit the properties after inserting the web part because of a correlation error.
I am using SP 2013 on-prem. Do I really need to modify the web part? Isn't it enough to create a custom ItemStyle.xsl?
I have been playing around with this for days now. Each day more I have to say: SharePoint is a mess.

Cross Site Scripting with Hidden Inputs

My company gave me the task of resolving all security issues with a particular application. The security team reported a cross site scripting error. The error lies in the following input field:
<input type="hidden" name="eventId" value="${param.eventId}"/>
The report from security wasn't very detailed, but they say they can make a POST request to the page that has the above tag including the following malicious code:
eventId=%22%3e%3csCrIpT%3ealert(83676)%3c%2fsCrIpT%3e
And that when the page reloads, it will have the following:
<input type="hidden" name="eventId" value=""><sCrIpt>alert(83676)</sCrIpt></value>
I am trying to "be the hacker" and show the vulnerability. But I can't figure out how they manage to get that script in there. I am guessing they include it as a URL parameter in the GET request for the form, but when I try to do it myself I get a 403 error. Does anyone know how the vulnerability can be shown?
I know there is a number of XSS questions on the site, but none seem to hit this topic.
So, I am not sure why, but my original hunch was correct. The script can be put on as a URL parameter. For some reason though, this was not working with our staging site. Only with running the application locally. I am not sure why, but this works (only locally):
http://localhost:8080/myUrl/MyAction.do?eventId=%22%3e%3csCrIpT%3ealert(83676)%3c%2fsCrIpT%3e
Doing that, you see an alert box pop up. I am planning to fix it using JSTL functions.
<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
...
<input type="hidden" name="eventId" value="${fn:escapeXml(param.eventId)}"/>
Install the TamperData add-on in the Firefox browser, which lets you edit the data before submitting. It doesn't matter if it's in POST or GET.
By using this, hidden fields can be edited.
What you want to do to fix the problem, is to HTMLAttributeEncode the value before putting it inside the value-attribute. See OWASP ESAPI or MS AntiXSS for methods for doing HTML attribute encoding.
Seeing how the attack string is URL encoded, I think your guess about including it as a GET parameter seems reasonable.
I used the OWASP ESAPI API as the legacy jsp's didn't have JSTL available. This is what I used:
<input type="hidden" name="dataValue" value="<%=ESAPI.encoder().encodeForHTMLAttribute(dataValue)%>">
You can also use the API to filter request.Parameter() which I also needed, as in:
String userURL = request.getParameter("userURL");
// "URLContext" is the context name for error messages; "URL" is the ESAPI validation rule; 255 is the max length
boolean isValidURL = ESAPI.validator().isValidInput("URLContext", userURL, "URL", 255, false);
if (isValidURL) {
    // render the link only when the value passed validation
}
and:
String name = (String) request.getParameter("name");
// "SafeString" is the ESAPI validation rule; 35 is the max length; true allows a null/empty value
name = ESAPI.validator().getValidInput("name", name, "SafeString", 35, true);