Entries Tagged as 'ColdFusion'

Properly securing your ColdFusion server and applications

ColdFusion
Keeping your ColdFusion server patched and up to date can be a bit of a challenge. Adobe do not have any kind of automated update service or even a notification service and their RSS feeds are not exactly up to date or reliable either.

There are however some useful resources out there that can make life easier.
As far as actually applying patches and updates goes, if you do not read Adobe's install notes and guides then you can easily miss an important manual step and leave your server vulnerable.
ColdFusion veteran Charlie Arehart has recently published a great blog post covering all the bases and explaining which updates or HotFixes also require manual steps and what to watch for.

Easier updates and management

For an easier way to manage your ColdFusion server and find out whether all your updates are installed try Merlin Manager. Merlin is an AIR based management and monitoring system for ColdFusion 7, 8 and 9 servers.


Merlin has several unique features:

  • Works with CF 7, 8, 9 Servers
  • Easy to use AIR based Interface
  • Save and restore configurations
  • Compare server settings
  • Monitoring for CF 8 and 9 servers
  • Updates and Patches

Hack proof your site

Do you perform any kind of vulnerability testing on your site to make sure it is hack proof? If the answer is no then your site may be vulnerable to any number of attacks or may have already been hacked. Thankfully there are tools to make this easier too.

ColdFusion Server Security Scanner: HackMyCF

Have you ever wondered what your ColdFusion server looks like to a hacker? Try ColdFusion Server Security Scanner: HackMyCF, which sends you an email report listing the vulnerabilities found on your server. Run manual scans for FREE or subscribe to their automated service.



FuseGuard Web Application Firewall for ColdFusion

The FuseGuard Web Application Firewall (WAF) for ColdFusion blocks and logs malicious requests to your ColdFusion applications. Pricing starts at $349 per application, or it is available as a monthly subscription from BlueThunder. We will also install FuseGuard into your existing application for you and perform a general security analysis and updates to your code if you do not have the skills to do it yourself. Please contact us for more details.

The firewall comes with over 15 filters to help protect against vulnerabilities such as:
  • Malicious File Uploads
  • Cross Site Scripting / XSS
  • SQL Injection
  • Session Hijacking
  • Cross Site Request Forgery
  • CRLF Injection
  • Path Traversal Attacks
  • Password Dictionary Attacks

CFSearch: the ColdFusion search engine

ColdFusion, Projects

CFSearch.com is an old CF project of mine that has been festering unloved for a few years, which I have just given a new lease of life. The original site was built back in 1999 and was a ColdFusion directory/search engine type thing allowing users to register their site, product or service and have it searched on. I have barely touched it since then. I kept meaning to build a new site and add features such as a rating and review system but never got round to it, so I eventually just turned it into a Google AdWords site.

 

Recently I decided to revive the project using Google's custom search engine technology, which does most of the hard work for you. I still need to extract and verify a lot of the sites from the old database, as many of them are probably dead by now, but the system is up and running, has enough data in it to be useful and usable, and allows you to categorize sites as ColdFusion, Railo or BlueDragon related. I have kept it very minimalist (Google style) for now, but will add more features over time as I get to grips with the Google CSE API.

 

So if you run a CFML related site or blog, have written some CF open source software or sell any CF related products or services, then please pop over to cfsearch.com and submit your site.

MySQLNonTransientConnectionException errors

ColdFusion, WEBBY STUFF

On the cfdeveloper server, a user today reported that he was unable to connect to his database, getting the following error on his site.

    com.mysql.jdbc.exceptions.jdbc4.MySQLNonTransientConnectionException:
    Could not create connection to database server. Attempted reconnect 3 times. Giving up.

 

This left me scratching my head for a while as I could find no problems, until I tried to connect directly to mysql from the web server to the database server and got the following message back.

    ERROR 1129 (HY000): Host 'myserver' is blocked because of many connection errors;
    unblock with 'mysqladmin flush-hosts'

I didn't realise this about MySQL, but it appears it will block a server if too many errors occur. Simply running 'mysqladmin flush-hosts' on the MySQL server resolves the problem.

I thought this worth posting as I couldn't find anything else on Google.
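To make the failure mode above easier to reason about, here is a small model of what MySQL does on its side, added as an example and not part of the original post. It follows the documented rules (MySQL counts successive failed connection attempts per client host, a successful connection resets that counter, the host is refused with ERROR 1129 once the counter passes max_connect_errors, and flush-hosts clears the cache); the names HostCache, walkthrough and is_host_blocked_error are invented for the example. The ColdFusion-side MySQLNonTransientConnectionException is just the JDBC driver giving up after its reconnect attempts, which is why nothing on the web server looked wrong.

```python
"""Toy model of MySQL's per-host connection-error counter (added example, not MySQL code).

MySQL keeps, in its host cache, a count of successive failed connection attempts
per client host.  Once that count passes max_connect_errors the host gets
ERROR 1129 on every attempt until the cache is cleared with
'mysqladmin flush-hosts' (or FLUSH HOSTS from a SQL session).
"""
from dataclasses import dataclass, field

# Default since MySQL 5.6; older releases shipped with 10.
DEFAULT_MAX_CONNECT_ERRORS = 100

BLOCKED_MSG = ("ERROR 1129 (HY000): Host '{host}' is blocked because of many "
               "connection errors; unblock with 'mysqladmin flush-hosts'")


@dataclass
class HostCache:
    max_connect_errors: int = DEFAULT_MAX_CONNECT_ERRORS
    errors: dict = field(default_factory=dict)  # host -> successive error count

    def connect(self, host: str, handshake_ok: bool) -> str:
        """Simulate one connection attempt from host.

        handshake_ok=False stands for an attempt that was interrupted before the
        connection phase completed (network drop, timeout, client died), which is
        what the counter tracks.
        """
        count = self.errors.get(host, 0)
        # The manual phrases the threshold as "more than max_connect_errors
        # successive" errors, so refusal starts once count exceeds the limit.
        if count > self.max_connect_errors:
            return BLOCKED_MSG.format(host=host)
        if handshake_ok:
            self.errors[host] = 0          # a single success resets the counter
            return "OK"
        self.errors[host] = count + 1
        return "connection error"

    def flush_hosts(self) -> None:
        """Equivalent of 'mysqladmin flush-hosts': clears every host's counter."""
        self.errors.clear()


def is_host_blocked_error(text: str) -> bool:
    """Recognise the server-side symptom in a log line or CLI output."""
    return "ERROR 1129" in text or "blocked because of many connection errors" in text


def walkthrough(max_errors: int = 3) -> list:
    """Drive the model through the scenario from the post and return each outcome."""
    cache = HostCache(max_connect_errors=max_errors)
    out = []
    for _ in range(max_errors + 1):                               # exhaust the limit
        out.append(cache.connect("myserver", handshake_ok=False))
    out.append(cache.connect("myserver", handshake_ok=True))      # healthy now, still refused
    out.append(cache.connect("otherhost", handshake_ok=True))     # other hosts unaffected
    cache.flush_hosts()
    out.append(cache.connect("myserver", handshake_ok=True))      # works again after flush
    return out


if __name__ == "__main__":
    for line in walkthrough():
        print(line)
```

The point the walkthrough makes is that the block is per host and sticky: once the web server has tripped the limit, even a perfectly healthy client on that host is refused until someone runs flush-hosts, while other hosts keep connecting normally. Raising max_connect_errors is a tuning knob, but the real fix is finding what was dropping the connections in the first place.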

Promoting ColdFusion

ColdFusion

As most of you know, I have been running cfmldeveloper.com (formerly cfdeveloper.co.uk) for nigh on 10 years now, yet despite the fact that it has been going for so long, surprisingly a lot of people don't know about it or indeed many other ColdFusion resources or communities.

One of the topics you will see regularly in forums, lists etc. is people bemoaning how Adobe don't do enough to promote ColdFusion, and I suppose I can agree up to a point, although I don't claim to know what exactly they do or do not do to promote CF. I can however say that I don't personally see ColdFusion mentioned or promoted very often in generic web development communities, websites or magazines, which if you think about it is quite odd, as other Adobe products such as Flash and Dreamweaver get constant attention. You would think, seeing as these products integrate best with ColdFusion, that it would get preference over PHP, but no.

 

One might therefore assume that Adobe and others don't seem to do anything to promote ColdFusion outside the already existing ColdFusion user base and communities, which seems a bit odd, as what is the point in promoting ColdFusion to people who already use it?

Perhaps one idea might be for Adobe to attend (non CF) developer conferences and promote CF, or work with magazines to publish articles, and have their community managers spend time on other web developer sites like Sitepoint.com or internet.com promoting CF. So there is a suggestion or two for anyone looking to do a bit of promotion: get out there and write a few articles.

(nb: I have since been informed by Matt Gifford that there are some CF articles being published in mags, as he in fact writes them himself. However these are quite few in the grand scale of things and I have not personally seen them.)

 

This is one area where Railo Technologies seem to have got it right, as this is exactly what they have been doing, pushing Railo at non CF events. I know some people at Adobe are not big fans of Railo and this may rub them up the wrong way, but in my view Railo can only be good for the community and growing the existing user base, which is also good for Adobe and ColdFusion, surely? While Railo may rule the open source roost, and be perfect for shared hosting, Adobe has never really been targeting those markets; they only really target enterprise customers, and those people looking for enterprise solutions are still likely to choose ColdFusion, as it still has many advantages feature-wise over Railo, plus the support of a large, well known and successful corporation behind it and a well established community with a ton of useful support documentation that Railo can only dream of right now. Plus the self contained installer and effortless deployment of new sites is also a big plus for many; if only they could do away with the need for the virtual directories it would be perfect.

So while Railo may be reeling in the new users with the open source bait, Adobe can still reap the rewards with enterprise conversions that may otherwise never have even considered CFML, a fact perhaps the Railo haters may have overlooked. After 10 years running cfmldeveloper.com I certainly feel I have done my bit :-)

 

Of course Adobe are free to do as they wish marketing-wise, and certainly no-one can say they have done a bad job with CF; that's why we all love it, and there is certainly no shortage of resources if you know where to find them. So perhaps those doing the moaning should also pull their fingers out and get out there and spread the word a bit if it bothers them so much.

 

Spreading the word however can be more difficult than one might expect, as I discovered recently when I tried to do just that. I decided to go and sign up on several other generic communities/sites and do a bit of ColdFusion promotion and answer a few questions, only to be met with what I felt was a very sour anti-community attitude over at sitepoint.com. It seems you are not allowed to post links out to or promote any other community or forum. I can understand the need for anti spammer/scammer measures, but to treat other communities in the same way seems a bit OTT to me. So clearly you need to be quite subtle in your promotions and not quite so blatant as I was.

MSACCESS DSNs no longer work after CF 9.0.1 Upgrade

ColdFusion

As you may remember from my previous post, I had issues with Microsoft Access Data Sources not working after upgrading from CF8 to CF9, the reason being that CF9 decided to install the ODBC service on a different port.

 

Well, after upgrading cfmldeveloper to CF9.0.1 I had the same problem: users started to report MSAccess DSNs were not working, except this time the service was running fine and on the correct port. This was a real head scratcher, and as is often the case with my issues, they are fairly unique/unusual, so there is often nothing on Google and even my fellow cfgurus cannot help me.

After further investigation I discovered that existing MSAccess DSNs were actually still working; it was only new DSNs that did not work, giving the following error.

 

[Macromedia][SequeLink JDBC Driver]TCP/IP error, connection refused. 

So I then went into the ColdFusion Administrator to take a look at the DSNs and was unable to do so, getting this error.

 

The ColdFusion ODBC Server service is not running or has not been installed. 
You may also use the "MS Access with Unicode" driver to connect to MS Access datasources

 

As you can imagine this was a bit confusing as the service was indeed running otherwise the old DSN's would not be working.

So I had a look in the <cfusion root>/lib/neo-datasources.xml (this is where the DSNs are stored) and found the cause: the CFADMIN was using the wrong port to connect to the ODBC service and for creating DSNs. It was again using 20000 instead of 19999, which resulted in the following JDBC URL.

 

<var name='url'><string>jdbc:sequelink:msaccess://localhost:20000;serverDatasource=dofficers</string></var> 

 

Now bear in mind that I am creating DSNs via the HELM control panel via my API, which is the only reason that was even possible, as obviously it was not possible to add a new MSACCESS DSN via the CFADMIN for the same reason.

So this again seemed like a trivial solution: just change the port again, right? As I knew the setting had to be in one of the neo XML files, I simply did a search for "20000" thinking this would give me what I wanted, but no, I came up empty and have now spent almost a month trying to resolve this.

So I viewed the source in the cfadmin for the msaccess.cfm page, and there I could see a hidden form field that contained the port number. My next step was to decrypt the CFADMIN and try to find out where the port came from. This also turned out to be a less than simple task, as none of the decrypt tools would work for me. It was then suggested to me by fellow cfguru Mark Kruger that I needed to get a copy of the CFADMIN from ColdFusion 6, as the encryption had changed since then and these tools had not been updated since.

 

I eventually got the files I needed and worked out that the port number came from the service factory, so again I was confused, as I was sure the service factory settings came from the neo XML files. Well, this is where I feel like a dumbass: I just got confirmation from Mike Nimer (who actually wrote some of the cfadmin) that I should be looking in the neo XML files, so I searched the files again and this time I got a hit in the neo-drivers.xml. So it was there all along; god knows how I missed it last time, maybe Windows search screwed up or maybe I typed 2000 instead of 20000 several times in a row LOL. Anyway the solution was indeed as easy as I had first thought: just open up the neo-drivers.xml and find the following.

 

<var name='port'><string>20000</string></var>

 

and simply change the port to 19999, then restart CF and everything should be good.

 

So why am I having these issues every time I update CF? I think it is because when you install a new version of CF it leaves the previous version intact and simply disables the services (or should do at least). And in my case the CF installer is seeing the previous CF version, thinks it is still active, thinks there will be a conflict on the ODBC service port, and so is changing it. Obviously in both cases it did not do it properly: the first time it only changed the service port and not the service factory settings, the second time round it did the opposite.

 

Now I know some people will just say, and did say, "why didn't you just use the Microsoft Access with Unicode driver instead?", and yes, this would be a workaround, as this driver does not rely on the ODBC service and so is better anyway. But unfortunately the HELM control panel we use only supports the regular MSACCESS DSN, so I needed to get this working again or no-one could use MSACCESS.
And yes, we all know that people shouldn't use MSACCESS for production web sites, but they do.
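Since the search for "20000" is what cost a month here, the following script is an added example (not ColdFusion's own tooling) of checking the two neo files against the port the ODBC service really listens on, so the mismatch shows up in seconds after an upgrade. The two XML samples are constructed to match only the <var name='port'> and <var name='url'> entries quoted above; the real neo-drivers.xml and neo-datasources.xml are WDDX packets with more nesting, which is why the code looks for those elements at any depth rather than assuming a layout. The expected port (19999 in this post) is whatever the ColdFusion ODBC Server service is actually bound to, and the DSN name "exampledsn" is made up.

```python
"""Cross-check the SequeLink (ColdFusion ODBC service) port in the neo-*.xml files.

Added example, not part of ColdFusion.  Only <var name='port'> in neo-drivers.xml
and the jdbc:sequelink URLs in neo-datasources.xml are inspected, at any depth.
"""
import re
import xml.etree.ElementTree as ET

# Constructed samples that reproduce the shape of the two entries from the post.
SAMPLE_DRIVERS_XML = """<wddxPacket version='1.0'><data><struct>
<var name='msaccess'><struct>
<var name='port'><string>20000</string></var>
</struct></var>
</struct></data></wddxPacket>"""

SAMPLE_DATASOURCES_XML = """<wddxPacket version='1.0'><data><struct>
<var name='exampledsn'><struct>
<var name='url'><string>jdbc:sequelink:msaccess://localhost:20000;serverDatasource=exampledsn</string></var>
</struct></var>
<var name='mysqldsn'><struct>
<var name='url'><string>jdbc:mysql://dbhost:3306/app</string></var>
</struct></var>
</struct></data></wddxPacket>"""

SEQUELINK_URL = re.compile(r"jdbc:sequelink:\w+://([^:;/]+):(\d+)")


def _string_vars(xml_text: str, name: str) -> list:
    """Return the <string> value of every <var name=NAME>, wherever it is nested."""
    root = ET.fromstring(xml_text)
    return [v.findtext("string") for v in root.iter("var") if v.get("name") == name]


def driver_ports(drivers_xml: str) -> list:
    """Every port configured in neo-drivers.xml (the value the Administrator uses)."""
    return [int(p) for p in _string_vars(drivers_xml, "port")]


def sequelink_endpoints(datasources_xml: str) -> list:
    """(host, port) for each SequeLink JDBC URL; non-SequeLink DSNs are ignored."""
    found = []
    for url in _string_vars(datasources_xml, "url"):
        m = SEQUELINK_URL.match(url)
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found


def find_mismatches(expected_port: int, drivers_xml: str, datasources_xml: str) -> dict:
    """Report every configured port that differs from the port the service listens on."""
    return {
        "driver_ports": [p for p in driver_ports(drivers_xml) if p != expected_port],
        "datasource_endpoints": [(h, p) for h, p in sequelink_endpoints(datasources_xml)
                                 if p != expected_port],
    }


def set_driver_port(drivers_xml: str, old: int, new: int) -> str:
    """Rewrite <var name='port'><string>OLD</string></var> as a text edit so the
    file's own quoting and layout survive (the Administrator rewrites these files
    itself, so re-serialising the whole document is more disruptive than needed)."""
    pattern = re.compile(r"(<var name=['\"]port['\"]><string>)%d(</string></var>)" % old)
    return pattern.sub(r"\g<1>%d\2" % new, drivers_xml)


if __name__ == "__main__":
    report = find_mismatches(19999, SAMPLE_DRIVERS_XML, SAMPLE_DATASOURCES_XML)
    print("driver ports not on 19999:", report["driver_ports"])
    print("DSN endpoints not on 19999:", report["datasource_endpoints"])
    print(set_driver_port(SAMPLE_DRIVERS_XML, 20000, 19999))
```

Run against the real files with the contents of neo-drivers.xml and neo-datasources.xml read from <cfusion root>/lib, stop ColdFusion before writing anything back, and keep a copy of the originals; a datasource whose URL still points at the old port will keep failing with the SequeLink "connection refused" error even after neo-drivers.xml is corrected, which is exactly the existing-versus-new DSN split described above.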

Powered by Mango Blog. Design and Icons by N.Design Studio