Entries Tagged as ColdFusion
Easily Restart ColdFusion Service
Posted by Paul Alkema | Tags: ColdFusion
Today I installed ColdFusion 9 developer edition on my local pc. When asked which server type I wanted to use, I opted to user ColdFusion 9's built-in web server. However later I wanted to restart the server however and because I didn't have IIS I didn't have an easy way to handle this so wrote a BAT file to restart the service.
I would think there would be a better way to do this, however I was unable to find a different way of restarting the ColdFusion service with ColdFusion 9's built-in web server.
To use my BAT file, create a blank text document and insert the code below.
NET STOP "coldfusion 9 application server" NET START "coldfuion 9 appliation server"
Save the file and rename it cfrestart.bat. That should do it! Now if you click on the file it should restart the service.
How to Remove the Shadow From cfwindow
Posted by Paul Alkema | Tags: ColdFusion , Javascript
While trying to get rid of cfwindow's drop shadow I came across an excellent article written by Todd Sharp on how to exactly this using a javascript function. The one issue I ran into while trying to use this method, was how to easily create windows on the fly using the ColdFusion.Window.create function.
My final solution to this, was to go into the cfwindow.js file in the application server and change the shadow attribute to false.
Find
_22c.shadow=true;
Replace With
_22c.shadow=false;
This will need to be replaced twice, as this statement appears twice in the file.
Note: A down side to using this method is that you'll have to redo this every time there is a server upgrade. Also, in order to use this method you have to have the ability to actually edit this file, which for users on a shared server is unlikely. Have better solution? I'd love to hear from you!
How to subscribe a user in Exact Target via their API
Posted by Paul Alkema | Tags: ColdFusion
Since obviously the Exact Target community has no appreciation for the ColdFusion community, I feel that I should post the code that I wrote to subscribe a user to a list.
Here's my cfc...
<cfcomponent>
<cffunction
name="subscribeUser"
access="public"
returntype="string"
hint="Subscribes a user to the specified list in Exact Target.">
<cfargument
name="company"
type="string"
required="yes"
/>
<cfargument
name="country"
type="string"
required="no"
/>
<cfargument
name="emailAddress"
type="string"
required="yes"
/>
<cfargument
name="firstName"
type="string"
required="yes"
/>
<cfargument
name="lastName"
type="string"
required="yes"
/>
<cfargument
name="emailType"
type="string"
required="yes"
/>
<cfargument
name="userid"
type="string"
required="yes"
default=""
/>
<cfargument
name="listId"
type="numeric"
required="no"
default="<listid>">
<cfset var cfhttp = "">
<cfhttp
url="http://cl.exct.net/subscribe.aspx?lid=#arguments.listId#"
method="post">
<!--- company --->
<cfhttpparam
name="COMPANY"
type="FormField"
value="#arguments.company#"
/>
<!--- country --->
<cfhttpparam
name="Country"
type="FormField"
value="#arguments.country#"
/>
<!--- email address --->
<cfhttpparam
name="email address"
type="FormField"
value="#arguments.emailAddress#"
/>
<!--- first name --->
<cfhttpparam
name="FIRST NAME"
type="FormField"
value="#arguments.firstName#"
/>
<!--- last name --->
<cfhttpparam
name="LAST NAME"
type="FormField"
value="#arguments.lastName#"
/>
<!--- email type --->
<cfhttpparam
name="Email Type"
type="FormField"
value="#arguments.emailType#"
/>
<!--- user id --->
<cfhttpparam
name="MID"
type="FormField"
value="#arguments.userId#"
/>
<!--- action --->
<cfhttpparam
name="SUBACTION"
type="FormField"
value="sub_add_update"
/>
</cfhttp>
<cfreturn cfhttp.FileContent />
</cffunction>
</cfcomponent>
Here's my cfc invoke..
<cfinvoke
component="email-subscribe"
method="subscribeUser"
company="{user's company}"
emailAddress="{user's email address}"
firstName="{user's first name}"
lastName="{user's last name}"
country="{user's country}"
emailType="{user's email type}"
userid="{}"
returnvariable="confirmation"
/>
The above CF code will add a user to the designated mailing list.
Tags: ColdFusion, Exact Target, ExactTarget, ColdFusion API, Paul Alkema
One of The Worst Security Holes in CAPTCHA's and How You Can Fix Them.
Posted by Paul Alkema | Tags: ColdFusion
There have been several occasions where people have used security holes in CAPTCHA's to purchase large amounts of specific items like tickets or other items. Is this wrong to do? I would say yes. In this article I'm going to teach you how to manually take advantage of this security hole and what you can do to prevent it for happening.
The first steps to understand the issues with most CAPTCHA's is to understand how they work. The way that most CAPTCHA's are as follows
- A random word(s) or alpha numeric string is generated
- This string is rendered into an image which displays to the users, and the user is prompted to input the text they see in the image. In ColdFusion many times people will use the CfImage attribute action="captcha".
- The string is then usually encrypted and placed into a hidden form element that's located inside of the submitting form.
- After submitting the form, typically the text that the user entered is encrypted using the same type of encryption as the randomly generated string.
- Finally, the encrypted user entered string is compared to the encrypted randomly generated string. If they match, than the user isn't a bot, if they don't, than the user is a bot.
This method, is either the exact method or extremely similar to how most CAPTCHA applications are written. You may be wondering what the issue with this is. I think that most people think, wow because I'm encrypting all of my strings and my CAPTCHA is so hard to read that your CAPTCHA is fool-proof. The reality is this type of CAPTCHA only stops one type of spammer.
There are three types of spammers.
- Automated Spam Bots. An automated spam bots written on a large scale that normally posts random spam on random sites by crawling from site to site.
- Manual Bots. A small application written with the intent to do one purpose, for one web site.
- Manual Human Spam. Usually a paid human with the intent to spam a single or multiple sites.
The above method stops most Automated Spam Bots, but not all of them. The security issue that I'm pointing out today has really more to do with manual bots and how easy it is to write one. Please note, that the reason that I am helping you to write this is in absolutely no way to help anyone under any circumstances to hack, spam or do anything illegal in any way. It's for informational purposes, so that the web development community can better understand how to prevent this type of issue.
How to Write a Manual Bot
- First go to the web page that has the CAPTCHA that you would like your bot to get through. Note the action page that the form submits to0. You can take note of this by viewing the source code.
- Fill out the form completely as if you were to submit the form including the CAPTCHA text.
- Note all of the form field names including the hidden fields and record all of their values.
- Write a small script that allows you to send those HTTP form elements with the values recorded to your web page's action page. I know I make it sound easy, but that's because at least in ColdFusion it is easy.
I have a test page with an example page with a typical CAPTCHA. HERE.
When I fill out the form in my example CAPTCHA page above and I take note of the form elements and values this is what I get.
EXAMPLE
Action
http://paulalkema.com/assets/content/unsuspecting-page.cfm
Form
submitted=1
captcha_check=6501AA9BA0B073BC (this contains the encrypted version of the captcha.)
captcha=h7eunmjq (This was blank before, but I manually entered this as a value.)
Now that we have this data recorded you can build a script that could do this dynamically.
CODE EXAMPLE
<cfhttp
url="http://paulalkema.com/assets/content/unsuspecting-page.cfm"
method="post">
<cfhttpparam
name="submitted"
type="FormField"
value="1">
<cfhttpparam
name="captcha_check"
type="FormField"
value="6501AA9BA0B073BC">
<cfhttpparam
name="captcha"
type="FormField"
value="h7eunmjq">
</cfhttp>
<cfoutput>
#cfhttp.FileContent#
</cfoutput>
The above code would submit all of the form variables to my action page, where my action page would then except that I'm not a bot. I have an example of the exact script above working HERE.
You may be a little skeptical that someone would actually go out of their way to do this to spam your site and you very well may be right, but the reality is that someone could do it. In March 2010, 4 people were indicted for using a script to simultaneously buy thousands of concert tickets through an automated script similar to this.
How to Prevent It
So what do you do to prevent it? I think the primary issue with the above technique is that your sending a generated encrypted version of your CAPTCHA and comparing it to a user typed version of the CAPTHA and if you write a script that can resend this information, the script can be run repeatedly and the action page. Solution? Send the generated encrypted version of your CAPTCHA through server side variables. If your using ColdFusion a possible solution would be to send your the generated encrypted version of your CAPTCHA through session variables..
SEO: Coldfusion, Captcha, Cfhttp, Issues With Captcha, Hack Captcha, Captcha Security
Pull a List of All Coldfusion Datasources, Along With Username and Passwords
Posted by Paul Alkema | Tags: ColdFusion
There are special times when you may need to get a list of your datasources or retrieve the passwords for your datasources. If this is your case, no problem.
The script below will pull all datasources, along with the username and a decrypted password.
// Create Data Source Object dataSourceObb=createobject("java","coldfusion.server.ServiceFactory"). getDatasourceService().getDatasources(); // Loop Through DataSources for(i in dataSourceObb) { if(len(dataSourceObb[i]["password"])){ // Get username username=(dataSourceObb[i]["username"]); // Get and decrypt password decryptPassword=Decrypt(dataSourceObb[i]["password"], generate3DesKey("0yJ!@1$r8p0L@r1$6yJ!@1rj"), "DESede", "Base64"); // Output all datasources along with username and passwords writeoutput("" & "DataSource: " & i & "
" & "Username: " & username & "
Password: " & decryptPassword &"
"); } }
Enjoy!
UPDATE: When this post was originally posted, this worked on 9, however since then 9.0.1 has been released. This version has fixed this issue.
Tags: Coldfusion, Datasource Passwords, ColdFusion Passwords, ColdFusion ServiceFactory, Paul Alkema
