An update on HTTPOnly marked cookies in Railo 4.1

by kai 30/11/2013

In January this year, I wrote a blog post to advise people how to make the default installation of a Railo 4 server more secure. One of the elements was to make sure you’re using HttpOnly marked cookies for your session cookies (depending on your setup that might be JSESSIONID or CFID/CFTOKEN). In the blog […]

Adobe ColdFusion and Railo users: be aware of the newest Apache Tomcat trojan/worm

by kai 27/11/2013

Symantec has recently discovered a trojan/worm-ish thing that threatens application servers running Apache Tomcat. It seems to follow the typical command & control pattern with control servers having been found in Taiwan and Luxembourg so far. This threat is using a very specific attack vector by trying to spread via the Apache Tomcat Managers and […]

ColdFusion – just another security hole…

by kai 16/05/2013

It’s getting to the point where people who’re looking at this must be saying: “Man, this is getting really embarrassing for Adobe”. There’s another (unspecified) security hole that users were made aware of on May 8, 2013. The patch was then announced for and released on May 14, 2013; for the days in between there was only the recommendation […]

Some more differences when moving to Railo

by kai 14/05/2013

You might remember that I’ve blogged about the differences between Railo and ColdFusion in the past. Here’s another one to look out for – this popped up on the Railo mailing list the other day. A poster was asking about some Adobe CF-specific code that was used to retrieve a list of datasources (working on Adobe CFMX […]

Railo Express Tomcat – updates

by kai 13/05/2013

I’ve just updated the Railo Express on Tomcat bundles that I’m compiling. They now feature Apache Tomcat 7.0.40 (which is a very recommended upgrade from .39) and various Railo versions:

Tomcat 7.0.39 and Railo
Tomcat 7.0.40 and Railo
Tomcat 7.0.40 and Railo
Tomcat 7.0.40 and Railo

CFCamp 2013 – Back in Germering

by kai 14/04/2013

The last two CFCamp events in Munich have been such a success that the team around Michi Hnat is putting it on again. CFCamp 2013 will happen on October 14 and 15 (Monday and Tuesday) in Germering (right next to Munich). I’m blogging about it now, because I want to make people aware of […]

Be aware: there’s another new security hotfix for Adobe ColdFusion 9 and 10

by kai 14/04/2013

Late last week, Adobe’s CF team released another security hotfix for Adobe ColdFusion 9 and 10. You can find the security bulletin and the respective technote here: Security bulletin: Tech note: Installing it follows the common pattern of recent security hotfixes and updaters. And with me saying that it should be clear that it’s […]

Railo and ColdFusion on Java 7: don’t forget the crypto extensions

by kai 02/04/2013

So – more on the whole Java 7 thing again. The other day I got an “Illegal key size or default parameters” error on one of my dev VMs. I was using the VM for quite a while and from what I could see the codebase had not changed significantly. Weird. All of a sudden […]

Recent Adobe ColdFusion hotfixes

by kai 11/03/2013

A few days ago, Adobe released a set of hotfixes for the currently supported versions of ColdFusion (9 and 10). Those hotfixes cater for a variety of things, among others – support for Java 7. ColdFusion 9 and 9.0.1 Unfortunately things are not as easy as they could have been. On Feb 27, 2013 Adobe […]

CFML differences between Railo and ColdFusion 9/10 (Part 2)

by kai 18/02/2013

Yeah, so much for “I’ll post part 2 tomorrow…“. Sorry guys, life and work got kind of in the way. Here’s part 2 now though 🙂 4. Date comparison If you use if constructs for string comparison in ColdFusion, the server will always check if a string on either side of your if-condition could potentially […]
