Pete Freitag's Homepage

[...] Adobe this week released a security hotfix for the HashDos vulnerability for ColdFusion versions 8.0 through 9.0.1. Today I was setting [...]

[...] Adobe released a security hotfix APSB11-29 for ColdFusion 8 and 9 on Tuesday, which fixes two XSS (Cross Site Scripting) [...]

[...] .NET defaults this limit to 1000, tomcat defaults to 10,000. Update: - Adobe has released a security hotfix to address this issue on ColdFusion 8 and 9. If you are running CF 6 or 7 you may still be [...]

[...] I received a question today about the postParameterLimit that was added to ColdFusion 8,9 by security hotfix APSB12-06 and exists in ColdFusion 10 by default (it is also configurable in the CF10 [...]

[...] ) hotfixes you have installed, and which ones you don't. As you may know Adobe released Cumulative Hotfix 2 for ColdFusion 9.0.1 on Friday. So here's what a server that is running cumulative hotfix [...]

[...] a listing of Cumulative Hotfixes installed, that way its easy to know if you are running Cumulative hotfix 1 or cumulative hotfix 2, etc. You can also see things like the JVM version you are running, [...]

[...] 9.0.1 update, run {cf-root}/runtime/bin/wsconfig.exe Install ColdFusion 9.0.1 Cumulative Hotfix 2 - This includes all security hotfixes prior to and including APSB11-14. Install [...]

[...] often find myself explaining how the session fixation security hotfix (APSB11-04) might cause session loss under certain circumstances, so I figured it was time for a blog entry explaining it. Ok, [...]

[...] curious you can see the source code here: ApplicationSessionCookieConfig:141 This can lead to session loss, BUT it is also a good security feature The secure flag on a cookie means that it will only [...]

[...] This week (September 12-16 2011) is ColdFusion Developer Week over at Adobe.com: ColdFusion Developer Week is a series of free, live webinars hosted by seasoned ColdFusion experts who will cover [...]

[...] it to cf.Objective() this year - no worries, Adobe is hosting the second annual ColdFusion Developer Week. A series of conference grade webinars that are free! Register Here I'll be [...]

[...] if you are running the latest web server connector? As part of your HackMyCF report (with our cfm file installed on your server) you can now see if you are running the latest connector for (CF9+). [...]

[...] installed (not possible on free version). Also announcing the HackMyCF Probe The probe is a cfm file that you place on your server, subscribers can specify a url to the cfm file for each server in [...]

[...] can however detect it, if you have a HackMyCF Subscription, and have setup the HackMyCF probe (a cfm file you place on your server which allows for encrypted communication). You also get even more [...]

[...] 't had to do anything overly complex with it yet, it does seam to be quite flexible. Here's a quick example of redirecting a www domain to the non www version: Note that's just one way of doing it, by [...]

[...] it very difficult for a Cross Site Scripting (XSS) attack to be successful. Here's a quick example that requires all javascript to be loaded from the same origin of the current page (' [...]

[...] Here's a quick example showing how to upload a file directly to Amazon S3 (bypassing your server). The tricky part in [...]

[...] Adobe has asked me to do an online e-seminar: Protecting ColdFusion Applications with FuseGuard thursday November 3rd at 10am PT / 1pm ET. If you're curious about [...]

[...] a trail and see how easy it is to add an additional layer of security to your ColdFusion applications with FuseGuard. If you want to see how it works you can also watch this 10 minute [...]

[...] Services From Flex Applications - Matt Gifford (10AM PT / 1PM ET) Securing your ColdFusion Applications - Pete Freitag (me) (11:30AM PT / 2:30PM ET) Make Your Site Searchable with Solr - Scott [...]

[...] ? The only circumstances I'm aware of which causes session loss is due to having multiple ColdFusion applications that reside on the same domain, with different application names. So assume I have a [...]

[...] Today with the release of Mozilla Firefox Aurora 23, support for Content Security Policy or CSP using the unprefixed, W3C standard header Content-Security-Policy has landed. [...]

[...] official docs Compare - you will be able to see compatibility among different CFML servers (Adobe ColdFusion, Railo and OpenBD), you can even get a quick link to each vendors official documentation. I [...]

[...] Searchable with ColdFusion 10 and Solr Speed your websites using Caching in ColdFusion 10 Adobe ColdFusion : The most popular server side platform for PDFs Revamped Scheduled Tasks in ColdFusion 10 [...]

[...] and administrators. One great way to learn about improving the security of your ColdFusion server and applications is to attend the cf.Objective() conference, May 15-18th 2013. Here [...]

[...] It's not always obvious which Cumulative hotfixes are installed on a ColdFusion server. I'm pleased to announce that the paid subscriptions for HackMyCF now let you know which [...]