The other speakers at the event are Rakshith Naresh the product manager for ColdFusion at Adobe, and Mike Tangorre of FigLeaf.

If you are interested in attending the live event, please register here, they are also broadcasting over Connect, which you can: register for the webcast here, and will be streaming live from Facebook here

The event is mainly focused towards government agencies and contractors - Carahsoft, the company putting on the event, is a big reseller of Adobe Products to the Government.

I will make my slides available here on my blog after the presentation.

1. Install ColdFusion 9.0 - If you are running on IIS7, you may want to skip the Web Server Connector, and do it manually after the next step (so you can skip installing IIS6 compatibility mode).
2. Install ColdFusion 9.0.1
3. Configure IIS7 using wsconfig - If you are running IIS7 you can now use the native IIS7 connector provided in the ColdFusion 9.0.1 update, run {cf-root}/runtime/bin/wsconfig.exe
4. Install ColdFusion 9.0.1 Cumulative Hotfix 2 - This includes all security hotfixes prior to and including APSB11-14.
5. Install APSB12-06 March 2012 Using Section 1 - This hotfix includes prior security hotfix ABSP11-29, we know this because the instructions tell you to delete hf901-00003.jar if it exists..

I plan on keeping this entry up to date as new hotfixes are released for CF 9.0.1, so you may consider bookmarking this page. This page is up to date as of March 16, 2012.

If you are not sure what hotfixes you have installed our HackMyCF paid service can let you know which hotfixes are installed and which are not on CF 9.0.1 - here's a screenshot showing an out of date server:

For example if you want to use AES encryption with anything higher than a 128 bit key, then you need to do this otherwise you will get an exception about invalid key length when you try to encrypt or decrypt.

But - Pete? you ask, how do I use a higher key bit length with AES encryption in ColdFusion? Instead of GenerateSecretKey("AES") use this: GenerateSecretKey("AES", 256)

You my also be thinking what if I don't use the Encrypt or Decrypt functions - should I still do this? My answer here would be Yes. Other techonologies such as HTTPS can use AES 256 encryption, without this policy a cfhttp call can only use 128 bit encryption even if the server supports 256 bit SSL (note I haven't done any tests to back this up, I am assuming that is the case).

Now if you do your development on a Mac you might find that AES 256 works just fine without doing anything. The JVM that apple ships appears to have unlimited crypto enabled (at least if you live in the US it does - may differ depending on your locale).

Ok - how do I enable it?

First, head over to oracle and download the policy files for Java 1.6 (unless you are running a different version of Java, but if you are running CF 8 or 9 you are probably running java 1.6).

Next locate the JVM directory that ColdFusion is using. If you are at this point sayings what's a JVM I never installed a JVM, then you are probably using the JVM that ships with ColdFusion, which on windows might be located at c:\ColdFusion9 untime\jre\ here's how to find out for sure:

• Login to ColdFusion Administrator
• Click on Settings Summary on the left under the Server Settings
• Look for Java Home under the JVM Details heading

Now you will want to place the two jar files local_policy.jar and US_export_policy.jar under the lib/security/ folder. If the files already exist copy them into a temp directory for backup, then replace with the ones you just downloaded. Restart ColdFusion, and you're done.

Upgrade your JVM to at least 1.6.0_24

Now is probably a good time to upgrade your JVM if you are running a 1.6 version lower than 1.6.0_24 - because without doing so you are leaving your server open to a serious DOS vulnerability. Adobe has certified and supports Java 1.6.0_24 for all versions of ColdFusion 8 and 9 (more info on the JVM DOS vulnerability here)

One thing I like about nginx so far is the configuration, while I haven't had to do anything overly complex with it yet, it does seam to be quite flexible.

Here's a quick example of redirecting a www domain to the non www version:

server {
   listen 80;
   server_name www.example.com;
   rewrite ^ http://example.com/ permanent;
}

Note that's just one way of doing it, by creating a new virtual server for the non-www hostname and redirecting all requests. You can also do this from within your main server declaration, eg:

I like the first method better, but this just goes to show how flexible the configuration is for nginx

The exploit takes advantage of hash collisions in the internal implementation of hashtables / hashmaps (think CFML struct). When two keys are hashed and result in the same hash code a collision occurrs, and additional processing must take place to store or retrieve the item. Most application servers store request input variable (eg form, url scopes) in such a data structure. If you can construct a request with variable names that all have the same internal hashcode, the request goes from taking less than a second to process to several minutes.

As you can imagine this can cause a server to crawl/crash pretty quickly with a relatively small payload. Microsoft has released an out of band security patch for ASP.NET already. Tomcat has provided a work around in versions 7.0.23 or 6.0.35 and up.

The typical patch / workaround for this issue is to limit the number of input request variables, ASP.NET defaults this limit to 1000, tomcat defaults to 10,000.

Update: - Adobe has released a security hotfix to address this issue on ColdFusion 8 and 9. If you are running CF 6 or 7 you may still be vulnerable to this but Adobe no longer produces security hotfixes for these versions (upgrade to CF 8 or above).

Our HackMyCF ColdFusion Server Security Scanner has been updated to find the RDS vulnerability remotely (using our free scan). We can't readily detect the cfform vulnerability remotely because of the proper conditions to exploit are not predictable to find (we would have to crawl your entire site to look for the proper conditions).

We can however detect it, if you have a HackMyCF Subscription, and have setup the HackMyCF probe (a cfm file you place on your server which allows for encrypted communication). You also get even more detail in your report, showing which Cumulative Hotfixes you have installed, as well as which security hotfixes were applied (currently shows that for 9.0.1 only). Here's a screenshot of what a ColdFusion server security report can look like for a HackMyCF subscriber:

As you can see from the above screenshot we recently added a listing of Cumulative Hotfixes installed, that way its easy to know if you are running Cumulative hotfix 1 or cumulative hotfix 2, etc. You can also see things like the JVM version you are running, etc.

For a limited time you can use coupon code 543m to take $5 off the first 3 months of your subscription.

If you're curious about FuseGuard and how it works please head over to Adobe.com and register now!

As you may know Adobe released Cumulative Hotfix 2 for ColdFusion 9.0.1 on Friday. So here's what a server that is running cumulative hotfix 1 for 9.0.1 but not cumulative hotfix 2 looks like in a HackMyCF subscription:

The current known limitations of this feature are:

• Not enabled for ColdFusion 8.0.0 or below at this time (does work for 8.0.1 however).
• Requires a paid subscription and the probe installed (not possible on free version).

Also announcing the HackMyCF Probe

The probe is a cfm file that you place on your server, subscribers can specify a url to the cfm file for each server in their account. Then when we scan your server we also connect to this probe.cfm, which allows us to get information such as the exact ColdFusion version number (though we can usually determine this with out the probe), the JVM version, which hotfix jar files have been installed, and it also allows us to get a MD5 sum of certain files.

The addition of the probe allows us to find more potential vulnerabilities on your server, for example we can determine if ColdFusion is running as the SYSTEM, we can determine if you are running a version of the JVM that is selectable to a easy to execute denial of service (we could detect this without the probe, but since that would crash your server, we need to use the probe to detect it).

We launched the probe feature in HackMyCF several months ago, however it has been a somewhat soft launch (we haven't been promoting it too much yet). It has been in use now by lots of customers and is pretty solid (we haven't to update the probe.cfm file, even this latest feature uses existing functionality).

If your not familiar with two factor authentication the basic premis is that in order to authenticate you must provide more than one type of authentication, for example Something you know (a password), and Something you have (a hardware token device, a smart card, or a smartphone).

DuoSecurity's solution to this problem was compelling because they allow you to use a smartphone for your second factor by sending a push notification, you simply tap approve, and you're in. This is much easier they keying in a code for the end user (though they also support that via text message, or landline phone call) .

After I had integrated this solution into a SSH server for authentication, the folks at Duo asked if I would be interested in writing a ColdFusion port of their DuoWeb API (which allows you to use their technology to authenticate into Web Applications). I ofcourse said yes, and you can download duo_web for ColdFusion on github.

Here's a video showing how the push technology works:

Next I thought hey it would be great if you could add Two Factor Authentication to ColdFusion Administrator, and it turns out you can:

Setup Duo Security

1. Sign up for an account at DuoSecurity you can create an account for up to 10 users for free.
2. Next create a new integration in your account, for integration type select "Web SDK"
3. An integration key, a secret key, and an API hostname will be generated for you to use below.

Now Download duo_coldfusion and place it in the web root of the site used to login to ColdFusion administrator.

Next create an Application.cfc file in the /CFIDE/administrator directory with the following code:

<cfcomponent>
	<cfset this.name = "cfadmin">
	<cfset this.sessionmanagement = true>
	
	<cfset variables.appKey = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX">
	<cfset variables.iKey = "XXXXXXXXX">
	<cfset variables.sKey = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX">
	<cfset variables.duoHost = "api-XXXXXXXX.duosecurity.com">
	
	
	<cffunction name="OnRequest">
		<cfargument name="template">
		<cfinclude template="Application.cfm">
		<cfset var local = StructNew()>
		<cfif arguments.template contains "logout.cfm" AND isAuthenticatedTwoFactor()>
			<cfset StructDelete(session, "duoAuthenticated")>
			<cfinclude template="#arguments.template#">
			<cfreturn>
		</cfif>
		<cfif StructKeyExists(form, "sig_response")>
			<cfset local.duo_user = CreateObject("component", "duo_coldfusion.DuoWeb").verifyResponse(iKey=variables.iKey, aKey = variables.appKey, sKey=variables.sKey, sig_response=form.sig_response)>
			<cfif local.duo_user IS "pete">
				<cfset session.duoAuthenticated = true>
			</cfif>
		</cfif>
		<cfif IsUserLoggedIn() AND NOT isAuthenticatedTwoFactor()>
			<cfset local.post_action = "/CFIDE/administrator/index.cfm">
			<cfset session.duo_sig_request = CreateObject("component", "duo_coldfusion.DuoWeb").signRequest(iKey=variables.iKey, aKey = variables.appKey, sKey=variables.sKey, username=GetAuthUser())>
			<!--- show second factor authenication page --->
			<!doctype html>
			<html>
				<head>
					<title>Please Authenticate</title>
					<script src="/duo_coldfusion/js/Duo-Web-v1.bundled.min.js"></script>
					<cfoutput>
					<script>
					  Duo.init({
					    'host': '#JSStringFormat(variables.duoHost)#',
					    'sig_request': '#JSStringFormat(session.duo_sig_request)#',
					    'post_action': ''
					  });
					</script>
					</cfoutput>
				</head>
				<body>
					<h2>Authenticate</h2>
					<iframe id="duo_iframe" width="100%" height="500" frameborder="0"></iframe>
				</body>
			</html>
		<cfelse>
			<!--- two factor authentication --->
			<cfinclude template="#arguments.template#">	
		</cfif>
		
	</cffunction>
	
	<cffunction name="isAuthenticatedTwoFactor" returntype="boolean">
		<cfreturn StructKeyExists(session, "duoAuthenticated") AND session.duoAuthenticated>
	</cffunction>

</cfcomponent>

Next you need to generate a unique value for variables.appKey it MUST be 40 chars long. Plug in the values you got on the duo web site when you created your integration for the variables.iKey (integration key), variables.sKey (secret key), and the variables.duoHost.

<cfset variables.appKey = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX">
<cfset variables.iKey = "XXXXXXXXX">
<cfset variables.sKey = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX">
<cfset variables.duoHost = "api-XXXXXXXX.duosecurity.com">

Finally go and log into the ColdFusion administrator, after you enter your password you will be given a prompt which will let you pick your second factor method. If it authenticates you will be logged in and send to the CF Administrator.

It will look something like this when you are up and running:

ColdFusion Developer Week is a series of free, live webinars hosted by seasoned ColdFusion experts who will cover a wide range of topics from what ColdFusion is, how to code it, all the way through to more in depth topics such as ORM and ColdFusion Builder Extensions. If you are a new developer, someone with little or no ColdFusion experience, or even if you have been using ColdFusion all your life, this event is ideal for you. The ColdFusion Developer Week provides something for everyone, so sign up now!

Here's the schedule of webinars, I will be giving a presentation on ColdFusion security on Friday (listen to recording):

Monday

• Getting Started with Web Application Developement Using ColdFusion - Terry Ryan (10AM PT / 1PM ET)
• Working with PDFs Made Easy with ColdFusion - Tim Cunningham (1PM PT / 4PM ET)
• Introduction to ColdFusion Components (CFCs) - Raymond Camden (4PM PT / 7PM ET)

Tuesday

• Improve Your ColdFusion Code Through Unit Testing - Jamie Krug (10AM PT / 1PM ET)
• Using ColdFusion Frameworks for Application Development - Mark Mandel (1PM PT / 4PM ET)
• Understanding and Using the ColdFusion Server Monitor - Charlie Arehart (4PM PT / 7PM ET)

Wednesday

• ColdFusion Builder: The Professional IDE to Boost Your Productivity - Sagar Ganatra (10AM PT / 1PM ET)
• Expand Functionality with ColdFusion Builder Extensions - Simon Free (1PM PT / 4PM ET)

Thursday

• Developing Your First Application Using ColdFusion 9 and ORM - Bob Silverberg (10AM PT / 1PM ET)
• Speed Up Your Apps with Caching in ColdFusion (11:30AM PT / 2:30PM ET)
• ColdFusion and Mobile - Browser-Based Applications Made Easy - Dave Ferguson (1PM PT / 4PM ET)
• Become ColdFusion Empowered in Under an Hour - Nic Tunney (4PM PT / 7PM ET)

Friday

• Accessing ColdFusion Services From Flex Applications - Matt Gifford (10AM PT / 1PM ET)
• Securing your ColdFusion Applications - Pete Freitag (me) (11:30AM PT / 2:30PM ET)
• Make Your Site Searchable with Solr - Scott Stroz (1PM PT / 4PM ET)
• Bringing ColdFusion to Java SpringMVC (4PM PT / 7PM ET)

Make sure you go over to http://adobe.com/go/cfdeveloperweek to register.