Regular readers know I'm always on the lookout for interesting issues regarding SQL Injection and ColdFusion. This year has been a banner year for injection on ColdFusion sites and if you are not on the Cfqueryparam bandwagon yet I have one more example of a code that might seem to be inoculated but is not. It has to do with the use of val( )....
Muse Reader Rob Asks:
I have a silly question. How exactly do you upgrade the JVM on your ColdFusion server? My server is on Win2k3 x64 and the JVM version is 1.6.0_04. Do you specify it manually in the jvm.config file?
I'm glad you asked this question because it reminds me that I sometimes give advice without any follow through - which is the same problem I have with my 8 iron. Upgrading the JVM on a windows installation is pretty easy. Just remember that you will need the correct Java Runtime for your platform and ColdFusion version. Rob specified Win2k3 x64 so I assume he means he is running ColdFusion 8 enterprise 64 bit - in which case the target version is 1.6 update 14 (or 1.6.0_14). I usually start at the Sun Java download page. Once you have the right version in hand the rest is easy.
This issue was brought to my attention by Adrian Lynch on CF-Talk. It seems that if you use the new image functions in ColdFusion 8 against certain kinds of JPG images you can actually cause your JVM to crash. If you have code that uses the latest image functions to handle uploaded images you should definitely take note of this post. I cannot yet see how a user might take advantage of this bug to penetrate your server, but a malicious (or even non-malicious) user could easily perform a denial of service attack and cause your CF server to go up and down like Jack LaLanne doing jumping jacks. So if you fit into that category (handling uploaded images using CF 8 image functionality) here's the scoop.
I have not yet had this problem specifically, but it was pointed out by CFG Tom Forrest who spent some time wrangling with it. He was trying to use the connector widget to connect IIS 7 sites to ColdFusion instances (running in Multi-Server Mode). He reports as follows:
The connector refused to install anything into IIS. When I started it, the first window would appear. When I clicked "add" I would see something to the effect of, Installing required IIS7 components. It may take 2 to 5 minutes to complete. The window that allows you to set all the parameters would open, and you could select any of your running CF servers. However, you couldn't select any of the IIS sites that were created. Assuming you give up and click ok, allowing it to "install to all" you would get an error window stating error creating IIS application extensions ColdFusion.
According to Tom the fix is to install the IIS 6 Management Compatibility role service. This service allows an IIS 7 server to "act like" an IIS 6 server. Once installed the configuration tool began to work.
While I haven't had this specific problem, I have noticed that a number of other things are easier and more familiar with the IIS Management Compatibility installed. Thanks Tom.
Muse Reader Joe Asks:
How do I kill a request? Every other day or so there will be a runaway process that cannot be killed. Clicking on the red exclamation in the monitoring tool does not give an error but it does not kill the request either. My question is how to kill this process?
Ah the immortal thread - like a god coming down from Mt. Olympus and laughing with his (or her) hands on his mighty hips (see why I chose "his"? ... "her mighty hips" ... well, I just didn't want to go there). Such threads are mind bogglingly frustrating. In actual fact, there are some requests spawned by ColdFusion that may not be able to be terminated by ColdFusion. For the long version read on McDuff.
 |
|
|
|
|
|
|
![[More]](http://www.coldfusionmuse.com/index.cfm/2009/6/10/javax.imageio.jpg.crash.jvm#more){kind=link}
