ColdFire Security Consideration

Given all the security issues around ColdFusion in the past few months I thought it would be good idea to remind ColdFire users about a potential security issue. One of the enhanced features of ColdFire is the ability to dump variables without changing your code. For example, to see the application scope you can just type "application" in the variables tab, reload the page, and there you have your application scope dumped to the ColdFusion Firebug tab. This is a great feature during development but could also be an attack vector if used on a public server. Imagine you were running ColdFire on a public server and storing something like database credentials in the application scope. Depending on the debugging IP addresses configured in the ColdFusion administrator, someone running the ColdFire Firebug extension could come along and dump the application scope and see those credentials. Anyway, this isn't really an issue with ColdFire, it works as intended, just something to be aware of if you use the tool.

Application Specific Custom Tag Paths Fixed in CHF3

As others have posted, ColdFusion 8.0.1 Cumulative Hot Fix 3 (CHF3) was released today. This hot fix contains a lot of new fixes, but I've been waiting for is this one:

Fix for the error "Cannot find CFML template for custom tag" thrown under load when using THIS.customtagpath in Application.cfc and "enable per app settings" is enabled.

In my testing before this hot fix I would see this error in about 8-10% of requests, even under what I would consider light load. After applying the hot fix and running the same JMeter tests I wasn't able to reproduce the issue.

Be sure to check the TechNote for a complete list of what's fixed in this release.

BlogCFC was created by Raymond Camden. This blog is running version 5.8.001.