We recently had a hacker gain access to our system. They dumped some Coldfusion templates and included them in random pages on our sites.
The files they dump start with Allaire Cold Fusion Template and then contain what appears to be "garbage", but I believe that this is some kind of pre-compiled Coldfusion code.
We've cleared out the hacks, but I saved off the files because I was hoping that there would be some way to de-compile them and maybe make some sense of them. Although I think the hack is dealt with, I am a little worried about what this code was doing. (When I looked at the source of a page that included this code, it created no output, so something had to be going on in the background.)
If there isn't a way, that's cool, I just thought I would at least investigate the possibility of seeing what these files were doing. Thanks in advance for any help.
Wow, you have awakened some of my "old" brain cells... Way back when you could encrypt your ColdFusion templates and they could still be run on a ColdFusion server. This encryption was not very secure as the decrypting algorithm was readily available. It was/is an easy way to "hide" your code from the unknowing (I guess).
I did a quick Google search and found an old reference to a decrypt function on Adobe's site that may help "crack" that code: AB Positive Encrypt and Decrypt. I believe their code would have to be encrypted this way, otherwise the ColdFusion server would not be able to read the files either. This download includes the cfdecrypt.exe and cfencode.exe programs.
If that tool does not work, and if I remember correctly, the ColdFusion encryption before CFMX was done using something called CFCrypt.exe. That was for older versions of ColdFusion, I think, but you can try using that too. I couldn't find it, but I'm sure if you Google for it, it can be found.
Please post back with your results. I'm interested to see what they were doing.
There is a program out there, cfdecrypt, that will help you decompile them. I haven't used it in years, but here is a link I found to a GitHub project:
https://github.com/disccomp/cfdecrypt
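Before (or instead of) decrypting the dropped files, a defender wants to know which files carry the marker and which pages were modified to include them. The following is an added example, not code from any of the posters or from cfdecrypt: it scans a webroot for files starting with the "Allaire Cold Fusion Template" header quoted in the question and maps each one to the pages that pull it in via cfinclude. The sample site it builds is constructed for illustration; resolution of include paths (leading slash = webroot-relative, otherwise page-relative) is an assumption about the deployment.

```python
import re
import tempfile
from pathlib import Path

# Marker the question reports at the start of every dumped file.
ENCODED_HEADER = b"Allaire Cold Fusion Template"
INCLUDE_RE = re.compile(r'<cfinclude\s+template\s*=\s*["\']([^"\']+)["\']', re.I)

def is_encoded_template(path):
    """True if the file begins with the encoded-template marker."""
    with open(path, "rb") as f:
        return f.read(len(ENCODED_HEADER)) == ENCODED_HEADER

def find_includes(path):
    """Template names a page pulls in with <cfinclude> (case-insensitive)."""
    return INCLUDE_RE.findall(path.read_text(errors="replace"))

def triage(webroot):
    """Map each encoded template (webroot-relative) to the pages that include it.
    A template nobody includes still appears with an empty list: a dropped file
    with no caller is still foreign code sitting on the server."""
    root = Path(webroot)
    pages = [p for p in root.rglob("*") if p.is_file()]
    encoded = {p.relative_to(root).as_posix(): [] for p in pages if is_encoded_template(p)}
    for page in pages:
        if page.suffix.lower() not in (".cfm", ".cfc") or is_encoded_template(page):
            continue
        for inc in find_includes(page):
            # Assumption: a leading slash means webroot-relative, otherwise page-relative.
            base = root if inc.startswith("/") else page.parent
            try:
                target = (base / inc.lstrip("/")).resolve()
                rel = target.relative_to(root.resolve()).as_posix()
            except ValueError:
                continue  # include points outside the webroot
            if rel in encoded:
                encoded[rel].append(page.relative_to(root).as_posix())
    return encoded

def build_sample_webroot():
    """Constructed sample site: two tampered pages, one clean page, one orphan."""
    root = Path(tempfile.mkdtemp())
    (root / "inc").mkdir()
    (root / "inc" / "x.cfm").write_bytes(ENCODED_HEADER + b"\r\n\x13\x37\x00garbage")
    (root / "orphan.cfm").write_bytes(ENCODED_HEADER + b"\r\n\x00\xff")
    (root / "index.cfm").write_text('<html><CFINCLUDE template="inc/x.cfm"><p>hi</p></html>')
    (root / "about.cfm").write_text('<cfinclude template="/inc/x.cfm">')
    (root / "clean.cfm").write_text('<cfinclude template="header.cfm"><p>ok</p>')
    return root
```

Calling `triage(build_sample_webroot())` returns the two encoded files, with `inc/x.cfm` attributed to `index.cfm` and `about.cfm` and `orphan.cfm` to nobody; on a real server, point `triage` at the webroot and quarantine every key it returns.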
I see that pre-compiling pages to java classes will increase performance, while using the -deploy command will encode the pages to java bytecode, thus hiding the source code.
Questions:
Can both of the above be done? Pre-compiling the application, then encoding them?
Is updating sourceless pages & cfc's as simple as encoding the newly updated files locally, then overwrite the older ones on the server?
Thank you for your contributions.
It's worth noting that byte code won't 'secure' your code if someone gets onto your server. There is nothing to stop someone from decompiling your code using tools like this.
There is official Adobe info here on sourceless distribution, but I haven't tried it. Remember, the compile hit is only on the first request (provided you have your CF admin setting correct), so the boost isn't for every request.
I'd also prefer to 'secure' my source code in other ways, i.e. making sure the server is secure.
For the last few days I have been searching for a static code analysis tool for ColdFusion. I have not found a good one so far. I found two:
YASCA
https://code.google.com/p/cf-metrics/
From YASCA I was getting only XSS alerts and some alerts for session management, nothing more than that. I have tried it on my entire project.
I am not even able to properly install cf-metrics using ColdFusion 10. After putting the required jar file in the lib folder I was not able to access any of my IIS sites because of some ISAPI redirect issue.
Any other tools available?
If you're still looking for a ColdFusion Linter, I would recommend CFLint. It's hosted on GitHub and Maven. The parser was updated to use ANTLR4, so it's much faster than previous editions. We're also making it easier to customize than JSLint.
I've looked at this a couple of times in the past, as I maintain a large CF application.
Each time I looked I was unable to find anything suitable. I spent a while looking into using the Railo CFML parser (because it's open source) to build something ourselves and concluded at the time that it was possible, but was no small task.
You may be able to re-examine the Railo approach, but feed the AST from Railo into an existing code analysis tool. I never got that far, but it may be possible to an extent.
I'd love to hear different, but the short answer is that there's not much out there.
So this is my first time posting a question here. If I do it wrong, please, be gentle. :)
I'm trying to find a decent reporting solution at my company and it seems like JasperReports is one of the better (read: inexpensive) ways to go. They've got a newly revamped Eclipse-based banded report editor called JasperSoft Studio, and it looks really slick.
The problem I'm having is figuring out exactly what pieces I need in order to use this tool (or the files it creates) in my CF apps. After much Googling, I'm not really finding the answers I'm looking for... and what little information I do find is really pretty old.
Is anyone using JasperSoft Studio in combination with the JasperReports Library to do any on-the-fly PDF creation? We've come to a point on this particular application where cfdocument just isn't cutting it.
The things I know are:
CF is using a really (really, really) old version of JasperReports under the hood to drive cfreport.
There is a way for me to override the really old version of JasperReports so that CF will load the newest one.
Beyond that though, I'm not sure if it's just a matter of using JasperSoft Studio to create compiled JRXML files or (.jasper files, I'm not sure which) and then maybe just rename those to '.cfr' which cfreport knows how to deal with... or what?
If I look at the documentation for JasperReports Library it would seem that I need a lot more than just the JR Library and the JasperSoft Studio to make all of this work... but it's just kind of unclear to me. Because the library is so flexible and can be used from lots of different types of systems I'm having trouble figuring out what I need for my certain set of circumstances.
Is anyone out there using JasperReports in their CF applications or does anyone have any experience setting up to use JasperReports with CF?
There seems to be precious little information on this topic. :(
Also, in case it comes up (as it did in a few of the much older posts I found on the internet) ColdFusion is written in Java so I DO have access to any underlying Java Classes that I might need.
I already did some searching on Stack Overflow and as far as I can see there are many ways to use databases in C++. Unfortunately, at work my tools are pretty limited. I only get to use Visual Studio C++ 6 and don't even have Boost (although I have learned to cope with that); I assume that I can only use what is in the standard distribution delivered together with VS C++ 6.
Now my code generates a lot of data and I would like to store some of it in a simple database (like an MS Access db). What tools might I be able to use?
My alternative approach would be to create a database-like object via a struct and vectors/arrays.
I also have office 2010 installed - perhaps I could somehow use Access?
Computation-speed also plays a role - the faster the better.
Another important thing: my PC at work isn't an open client. Thus I can not install any new software. Downloading and moving files works. Basically I must be able to install the tool by just moving the files into a desired folder.
Please let me know if the question is confusing or insufficiently detailed; I will do what I can to remedy the situation then.
Thanks in advance for your help :)
Even though you said 'only standard tools', I'd still say, get SQLite. It is public domain software, i.e. no license whatsoever. You can download an 'amalgamation' (one .h file and one .c file) and include it in your project. It should compile in VC6 no problem. Very easy to use; you will be up and running in 10 minutes.
It does exactly what you need - a DB in a single file, no servers, zero-setup, etc.
Well, Visual C++ 6 did include MFC which had a suite of classes for the creation and manipulation of databases, I'm fairly certain it would be possible to use these to create a database that is accessible from Access. Unfortunately Microsoft's online help doesn't seem to go back that far, but all the reference material you need should come with the VS 6. (In my opinion VS Help system was better back then anyways.)
On a side note, you could download an old version of boost that would work with VS6. I'm not sure what the last version of boost that supports VS6 is, my guess it's somewhere around 1.3x.
VC6 should work.
Can you use MFC's db objects? (DAO I think back then?).
If your app really generates a lot of data, you might want to look at MySql. I've run into size limitations in older Access tables. Unless it's an extraordinarily simple db, you probably don't want to brew your own (though it might be fun if you have a lot of time).
The key will be finding a driver/db combo that will work. I would install the GA (free) MySql, create a tiny db with 1 table and find the driver ("connector" in MySql terms) that will work. Maybe older ODBC driver?
Also, check out ConnectionStrings.com for info on getting connected to a particular database / driver.
So I understand that there are a few options available as far as parsing straight XML goes: NSXMLParser, TouchXML from TouchCode, etc. That's all fine, and seems to work fine for me.
The real problem here is that there are dozens of small variations in RSS feeds (and Atom feeds too), so supporting all possible permutations of feeds available out on the Internet gets very difficult to manage. I searched around for a library that would handle all of these low-level details for me, but came out without anything.
Since one could link to an external C/C++ library in Objective-C, I was wondering if there is a library out there that would be best suited for this task? Someone must have already created something like this, it's just difficult to find the "right" option from the thousands of results in Google.
Anyway, what's the best way to parse RSS/Atom feeds in an iPhone application?
I've just released an open source RSS/Atom Parser for iPhone and hopefully it might be of some use.
I'd love to hear your thoughts on it too!
"Best" is relative. For the best performance you'll need to go the SAX route and implement the handlers. I don't know of anything open source available out there (start a Google Code project and release it for the rest of us to use!)
Whatever you do, it's probably a really bad idea to try and load the whole XML file into memory and act on it like a DOM. Chances are you'll get feeds that are much larger than you can handle on the device leading to frequent memory warnings and crashes.
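To make the "small variations" problem concrete, here is an added example (not from any of the posters or the libraries they mention) of a streaming parser that normalises RSS 2.0 items and Atom entries into one record shape while clearing each entry as soon as it is emitted, which is the memory point made above. It is written in Python rather than Objective-C so it can be run anywhere; the feed snippets are constructed, and it assumes only RSS 2.0 and Atom 1.0 (no RSS 1.0/RDF).

```python
import io
import xml.etree.ElementTree as ET

ATOM_NS = "{http://www.w3.org/2005/Atom}"
# Element whose end-event marks one complete story in each dialect.
ENTRY_TAGS = {"item": "rss", ATOM_NS + "entry": "atom"}

def _text(elem, *names):
    """First non-empty text among child tags `names`, plain or Atom-namespaced."""
    for name in names:
        child = elem.find(name)
        if child is None:
            child = elem.find(ATOM_NS + name)
        if child is not None and (child.text or "").strip():
            return child.text.strip()
    return ""

def _link(elem, dialect):
    """RSS carries the URL as <link> text; Atom as <link href=""> attributes."""
    if dialect == "rss":
        return _text(elem, "link")
    links = elem.findall(ATOM_NS + "link")
    for link in links:  # prefer rel="alternate" (the default when rel is absent)
        if link.get("rel", "alternate") == "alternate":
            return link.get("href", "")
    return links[0].get("href", "") if links else ""

def parse_feed(data):
    """Stream a feed (bytes) and yield one normalised dict per RSS item / Atom entry.
    Entries are cleared as soon as they are emitted so memory stays bounded on
    large feeds. For untrusted input, parse through the defusedxml package."""
    for _, elem in ET.iterparse(io.BytesIO(data), events=("end",)):
        dialect = ENTRY_TAGS.get(elem.tag)
        if dialect is None:
            continue
        yield {"title": _text(elem, "title"), "link": _link(elem, dialect),
               "date": _text(elem, "pubDate", "published", "updated")}
        elem.clear()

# Constructed samples: RSS 2.0 with a dateless item, Atom with two <link> variants.
RSS_SAMPLE = b"""<?xml version="1.0"?><rss version="2.0"><channel><title>Blog</title>
<item><title>First post</title><link>https://example.invalid/p/1</link>
<pubDate>Mon, 01 Jan 2024 00:00:00 GMT</pubDate></item>
<item><title>Second</title><link>https://example.invalid/p/2</link></item>
</channel></rss>"""
ATOM_SAMPLE = b"""<?xml version="1.0"?><feed xmlns="http://www.w3.org/2005/Atom">
<entry><title>Hello</title><link rel="self" href="https://example.invalid/a/1.atom"/>
<link rel="alternate" href="https://example.invalid/a/1"/><updated>2024-01-02T00:00:00Z</updated></entry>
</feed>"""
```

`list(parse_feed(RSS_SAMPLE))` and `list(parse_feed(ATOM_SAMPLE))` both yield records with the same three keys, so the table view code only ever sees one shape regardless of the feed dialect.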
I'm currently trying out the MWFeedParser that Michael Waterfall is developing.
Quite easy to set up and use (I'm a beginner iPhone developer).
His sample code for using MWFeedParser to populate a UITableViewController implementation is helpful as well.
Take a look at Apple's XML Performance sample, which points to using libXML directly, for performance and quicker updates to the display. This may be important if you are working with very large feeds.
Check out my library for parsing Atom feeds, (BSAtomParser) at GitHub. It doesn't care about validating the feed, it does its best at returning whatever is valid. The parser covers most of RFC 4287, even extensions.
Here's my solution: a really simple yet powerful RSS parsing library: https://github.com/H2CO3/RSSKit
Have you looked at TouchCode yet? I don't think it has an RSS processor, but it might give you a start.
http://code.google.com/p/touchcode/
I came across the igasus project on SourceForge today. I haven't used it or really checked it, but perhaps it might help.
From their site:
igagus is a web service for the iPhone that allows aggregation of RSS to be delivered in an iPhone friendly format.
Actually, I was trying to suggest you ask on the TouchCode discussion board, because I remember someone was trying to expand it to support RSS. That might be a decent starting point. But I was being rushed by my wife.
But I see now that TouchCode doesn't have a discussion board. I'd still ask the author, though, he might know what came of that effort.
This might be a reasonable starting point for you. Atom support isn't there yet, but you could help out?