Archive: November 2013

3 posts

An update on HTTPOnly marked cookies in Railo 4.1

by kai on 30/11/2013

In January this year, I wrote a blog post advising people on how to make the default installation of a Railo 4 server more secure. One of the elements was to make sure you're using HttpOnly marked cookies for your session cookies (depending on your setup that might be JSESSIONID or CFID/CFTOKEN). In that blog post, I described how this can be achieved at the Tomcat context level if you're using…


Displaying PDF documents/forms from Adobe LiveCycle in the browser

by kai on 28/11/2013

Users of Adobe LiveCycle quite regularly interact with PDF documents. Some examples are: rendering customised documents for print purposes; creating PDF forms for on- and offline use to collect data for further processing; rendering pre-filled PDF forms to send out to customers/users for completion and physical signature; etc. In a lot of cases those PDF documents are what's called an XFA-based…


Adobe ColdFusion and Railo users: be aware of the newest Apache Tomcat trojan/worm

by kai on 27/11/2013

Symantec has recently discovered a trojan/worm that threatens application servers running Apache Tomcat. It seems to follow the typical command & control pattern, with control servers having been found in Taiwan and Luxembourg so far. This threat uses a very specific attack vector: it tries to spread via the Apache Tomcat Manager application and its (quite often unchanged) weak passwords and…
