I see that pre-compiling pages to java classes will increase performance, while using the -deploy command will encode the pages to java bytecode, thus hiding the source code.
Questions:
Can both of the above be done? Pre-compiling the application, then encoding them?
Is updating sourceless pages & cfc's as simple as encoding the newly updated files locally, then overwriting the older ones on the server?
Thank you for your contributions.
It's worth noting that byte code won't 'secure' your code if someone gets onto your server. There is nothing to stop someone from decompiling your code using tools like this.
There is official Adobe info here on sourceless distribution but I haven't tried it. Remember, the compile hit is only on the first request (provided you have your CF admin settings correct) so the boost isn't for every request.
I'd also prefer to 'secure' my source code in other ways, i.e. making sure the server is secure.
My CFIDE just went crazy this morning and I can't locate the what is causing this. When I log in from example.com/cfide/administrator/index.cfm some of the tabs on the left work fine and some are showing the index page of example.com like in an iframe... I restarted the app server but the issue is still there. Any recommendations on how to debug this thing?
So for posterity here is what we found.
There are two possibilities of exploits that could be affecting you:
the bitcoin exploit (miner.d)
the ckeditor file upload exploit (this is the h.cfm file)
There are others but these are common and known. Both tap underlying java to unfold work that either calls something more sinister, delivers server meta data or unrolls a scheduled task to fire off worker bees to consume resources doing something the admin is unaware of.
So as we discovered we have a varietal of this h.cfm called fusebox.cfm (obfuscated with bonus encrypted CF5 garble). If you can open that h.cfm file you will see UGLY and obfuscated code, but not very sophisticated. A lot can be revealed by a coder's code, and if you deconstruct and format this particular code you will discern that the developer is not native to CF, and jumps from script style to CFML style (in caps, no less).
(here is the Stack Overflow link with the raw code (be careful))
It is also named: i.cfm, h9.cfm, r.cfm, adss.cfm or fusebox.cfm. Here is the black hat page that gives you a ton of info. I'm viewing the cached site because I don't trust the blackhat sites (because one loaded something on my system that raised an antivirus alert).
The file may be unreadable, so here is a link to a site that describes some GitHub source code that can decrypt it for you. That is ColdFusion 5 crap that still floats around now and again. (I'm pretty sure it will look similar to that code in the SO link I pasted above.)
Post mortem: One more ColdFusion server saved from villainy. Remember, it never hurts to run through your systems and see if anything can be found like this. It also never hurts to make things a little more difficult for would-be server exploiters ;)
For the last few days, I have been searching for a static code analysis tool for ColdFusion. I have not found a good one yet. I found two.
YASCA
https://code.google.com/p/cf-metrics/
From YASCA I was getting only XSS alerts and some alerts for session mgmt, nothing more than that. I have tried it with my entire project.
I am not even able to properly install cf-metrics using ColdFusion 10. After putting the required jar file in the lib folder I was not able to access any one of my IIS sites because of some ISAPI redirect issue.
Any other tools available?
If you're still looking for a ColdFusion Linter, I would recommend CFLint. It's hosted on GitHub and Maven. The parser was updated to use ANTLR4, so it's much faster than previous editions. We're also making it easier to customize than JSLint.
I've looked at this a couple of times in the past, as I maintain a large CF application.
Each time I looked I was unable to find anything suitable. I spent a while looking into using the Railo CFML parser (because it's open source) to build something ourselves and concluded at the time that it was possible, but was no small task.
You may be able to re-examine the Railo approach, but feed the AST from Railo into an existing code analysis tool. I never got that far, but it may be possible to an extent.
I'd love to hear different, but the short answer is that there's not much out there.
We recently had a hacker gain access to our system. They dumped some ColdFusion templates and included them in random pages on our sites.
The files they dump start with "Allaire Cold Fusion Template" and then contain what appears to be "garbage", but I believe that this is some kind of pre-compiled ColdFusion code.
We've cleared out the hacks, but I saved off the files because I was hoping that there would be some way to de-compile them and maybe make some sense of them. Although I think the hack is dealt with, I am a little worried about what this code was doing. (When I looked at the source of a page that included this code, it created no output, so something had to be going on in the background.)
If there isn't a way, that's cool, I just thought I would at least investigate the possibility of seeing what these files were doing. Thanks in advance for any help.
Wow, you have awakened some of my "old" brain cells... Way back when you could encrypt your ColdFusion templates and they could still be run on a ColdFusion server. This encryption was not very secure as the decrypting algorithm was readily available. It was/is an easy way to "hide" your code from the unknowing (I guess).
I did a quick Google search and found an old reference to a decrypt function on Adobe's site that may help "crack" that code. AB Positive Encrypt and Decrypt I believe their code would have to be encrypted this way otherwise the ColdFusion server would not be able to read the files either. This download includes the cfdecrypt.exe and cfencode.exe programs.
If that tool does not work, and if I remember correctly, the ColdFusion encryption before CFMX was done using something called CFCrypt.exe. That was on older versions of ColdFusion I think, but you can try using that too. I couldn't find it, but I'm sure if you Google for it, it can be found.
Please post back with your results. I'm interested to see what they were doing.
There is a program out there, cfdecrypt, that will help you decompile them. I haven't used it in years, but here is a link I found to a GitHub project:
https://github.com/disccomp/cfdecrypt
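A defender's-side scan, added here as an example and not code from either thread: it walks a webroot and flags the filenames the h.cfm post above lists (i.cfm, h9.cfm, r.cfm, adss.cfm, fusebox.cfm) plus any template that opens with the "Allaire Cold Fusion Template" header from the question above, which marks a CF5-era encrypted file a current developer would rarely have written. The webroot it scans is constructed in a temp directory; a filename match is a lead, not a verdict, since Fusebox is also a legitimate framework name.

```python
from __future__ import annotations
import tempfile
from pathlib import Path

# Filenames the post above gives for the h.cfm backdoor and its aliases.
SUSPECT_NAMES = {"h.cfm", "i.cfm", "h9.cfm", "r.cfm", "adss.cfm", "fusebox.cfm"}
# First bytes of a CF5-era encrypted template, as described in the question above.
ENCRYPTED_HEADER = b"Allaire Cold Fusion Template"
CF_SUFFIXES = {".cfm", ".cfc"}


def classify_file(path: Path) -> list[str]:
    """Return the reasons a template looks suspicious (empty list if none)."""
    reasons = []
    if path.name.lower() in SUSPECT_NAMES:
        reasons.append("known web-shell filename")
    try:
        with path.open("rb") as fh:
            head = fh.read(len(ENCRYPTED_HEADER))
    except OSError:
        return reasons          # unreadable file: report what we already know
    if head.startswith(ENCRYPTED_HEADER):
        reasons.append("CF5 encrypted template header")
    return reasons


def scan_webroot(root: Path) -> dict[str, list[str]]:
    """Map each suspicious .cfm/.cfc under root (relative POSIX path) to its reasons."""
    findings: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in CF_SUFFIXES:
            reasons = classify_file(path)
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    """Build a constructed webroot (sample files, not real captures) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cfide" / "scripts").mkdir(parents=True)
        (root / "index.cfm").write_text("<cfoutput>#now()#</cfoutput>")      # benign
        (root / "cfide" / "scripts" / "h.cfm").write_text("<cfscript>x=1;</cfscript>")
        (root / "Application.cfc").write_bytes(ENCRYPTED_HEADER + b"\r\n\x01\x02\x03")
        (root / "fusebox.cfm").write_bytes(ENCRYPTED_HEADER + b"\r\n\x7f\x00")
        return scan_webroot(root)


if __name__ == "__main__":
    for rel_path, why in sorted(demo().items()):
        print(f"{rel_path}: {', '.join(why)}")
```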
In the MFC application I am working on, I need to have an Internet Explorer (we are using the component CHtmlView) displayed. Currently we are able to change the rendering mode the IE works in by using the FEATURE_BROWSER_EMULATION registry keys. However that only allows us to change the rendering mode of all the CHtmlView instances in the application, plus to apply that change, we must restart the application.
The problem is, we would like to have more than one version of the IE displayed side-by-side in our application. I know that it is possible to get multiple IE versions on one computer, but I'm not sure, how to get them all in one application.
We have some ideas, how to solve this problem, but they are not really a trivial solutions, so I want to ask for your ideas. Anyway, here is what we've come up with:
Download the source code of the page, add the document compatibility tag, change all the addresses in the document to absolute ones, and save this page to the disk. Then reload the page from the disk with the IE. This solution works only partially, because although it makes IE use the correct rendering mode, the page fails to load some of the resources, because it is in a different location than the original - the addresses we had changed work well, but for example the JavaScript generated ones don't. And this solution is generally very messy, so we dropped that.
Use multiple processes - each IE version would have its own executable/dll library, we use the browser emulation feature on each executable, and then somehow glue this into one application (I admit, I have no idea how, as I've never used multiple processes with Windows/MFC). But I don't know if that solution would even work...
Create a proxy for our application that will change the downloaded source code in a similar way as solution 1 presents - it will add the document compatibility tag to force the IE into the desired mode, but it can leave the addresses intact, as the IE would see the source as coming from the original location. This solution seems to me like the safest one, but like with the 2nd solution, I don't know how to make a proxy layer for our application, and more importantly, how much time it would take.
So do you have any ideas on how else could this be solved? If the solution uses something other than CHtmlView, so be it, we can always change that.
As for the IE versions we would like to have, it would be nice to support IE6, but it is not necessary; the lowest required version is IE7.
Thanks ahead for your time, any ideas would be appreciated.
In the end I have solved this by using:
our own proxy server (implemented using boost asio), and modifying the http request/response headers to force IE into the correct compatibility mode.
several executables with unique names, with the compatibility mode set in the registry. Each browser version ran in a separate process.
As it turned out, the proxy server solution didn't always work as expected. The multi-process solution did work as intended, but in the end, the emulated browsers didn't always work as the real browsers, and the whole solution wasn't 100% reliable.
I hope this will help someone in the future.