Railo: Dynamic host configuration

BlueDragon and Railo

Probably the biggest advantage of ColdFusion is its simple installer and the way it hides all the complexities of JRun and Java from you; most of the time it just works right out of the box. One of those simplicities is that you only need to create a web site on the web server and it just works. With Railo it is more complex, as you also need to add a host entry to the servlet container (Resin, Tomcat, JBoss etc.).

Thankfully, with Railo this extra step can be avoided as well, with a simple regular expression that effectively generates the host entry on the fly. This does, however, only work on Resin, so if you are using another servlet container I think you are out of luck, but I'm not an expert, so don't take my word for it; check the docs or ask on the relevant forums whether you can use a regex in the host entry.

The following single host entry is what I am using on cfmldeveloper.com for the free hosting; it simply requires that you stick to a standardised directory layout for the home directory of all your sites.

This example presumes all the sites are located at

d:\wwwroot\[domain name]\wwwroot

You can of course modify it for your own requirements.

The regex also strips the www from the domain name before evaluating it, so that it is not used in the path name. Without this, www.mydomain.com and mydomain.com would evaluate to different paths.

<host regexp="(?:www\.)?(.+)">
    <host-name>${host.regexp[1]}</host-name>
    <root-directory>D:/wwwroot/${host.regexp[1]}</root-directory>
    <web-app id="/" root-directory="wwwroot">
        <!-- enable/disable directory browsing -->
        <servlet servlet-name="directory" servlet-class="com.caucho.servlets.DirectoryServlet"/>
    </web-app>
</host>
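As an added illustration (not part of the host entry above, nor Railo or Resin code), this Python snippet reproduces what the host regexp does: it strips an optional www. prefix, captures the rest as the site name and maps it to D:/wwwroot/[domain name]/wwwroot. It also adds a check the original entry does not have: only a plain hostname (letters, digits, dots, hyphens, no empty labels) is accepted, so the computed root always stays under D:/wwwroot.

```python
import re
from posixpath import normpath
from typing import Optional

# Same expression as the Resin host entry: optional "www." prefix, then the site name.
HOST_REGEXP = re.compile(r"(?:www\.)?(.+)")
# Added check, not in the original entry: the captured name must be a plain hostname.
PLAIN_HOSTNAME = re.compile(r"^[a-z0-9.-]+$")
SITES_ROOT = "D:/wwwroot"  # the layout the post assumes


def site_name(host_header: str) -> Optional[str]:
    """Return what Resin would put into ${host.regexp[1]}, or None if unsafe.

    Hostnames are case-insensitive, so the value is lower-cased first, and a
    ":port" suffix (which browsers send in the Host header) is dropped.
    """
    host = host_header.strip().lower().split(":", 1)[0]
    m = HOST_REGEXP.fullmatch(host)
    if not m:
        return None
    name = m.group(1)
    # Reject anything that is not letters, digits, dots and hyphens, and any
    # empty label (leading/trailing dot or ".."), so no path tricks get through.
    if not PLAIN_HOSTNAME.match(name) or any(not lbl for lbl in name.split(".")):
        return None
    return name


def web_root(host_header: str) -> Optional[str]:
    """Directory serving "/" for this host: D:/wwwroot/<site>/wwwroot."""
    name = site_name(host_header)
    if name is None:
        return None
    root = normpath(f"{SITES_ROOT}/{name}/wwwroot")
    # Belt and braces: the result must still live under SITES_ROOT.
    return root if root.startswith(SITES_ROOT + "/") else None


if __name__ == "__main__":
    for h in ("www.mydomain.com", "mydomain.com", "MyDomain.com:8080", "../other"):
        print(f"{h:22} -> {web_root(h)}")
```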

ColdFusion Directory Traversal vulnerability

ColdFusion

There has been a lot of noise over the past week about the ColdFusion Directory Traversal Vulnerability.
If you haven't heard, the basic issue is that ColdFusion allows just about any file on the server (usually a Windows server) to be included by using either a URL parameter or a form parameter. Without special encoding the vulnerability only lets you grab files ending in .xml, but by adding a %00 to the parameter, just about any file gets included in the normal display of the ColdFusion Administrator login page. This means that no authentication is required to pull this off. The flaw is in the internationalization tags used by the Administrator pages, which include XML files to render the text for different languages in the CFAdmin section. In turn, the XML files aren't really XML files, but files containing large switch/case statements which, depending on the arguments, spit out the value for the piece of text the XML file is called with. The flaw is that the code calling the file uses user input to decide which file to grab, but doesn't properly sanitize the request, allowing the inclusion of other files from the same disk the CFAdmin section lives on. As Adrian Pastor points out, CF runs under the SYSTEM account by default, which means access to any file on the drive, including the CF configuration files, which may contain things like database connection settings (with saved passwords that can be decrypted easily). Adrian also points out that once an attacker gains access to the CF Admin, it's game over.

The patches provided by Adobe for the problem are quite simple, and in most cases shouldn't even require a restart of the ColdFusion services.  The impact of the vulnerability is huge.  As Rafal Los, who rightfully calls this a "Disaster", points out, there are a lot of ColdFusion servers with the Administrator pages available to the world.

Even worse, the vulnerability can be exploited on versions 6-9 (CFMX6, CFMX7, CF8, CF9), but Adobe is only releasing patches for versions 8 and 9.


As we have been working with and hosting ColdFusion since version 5, we understand how most CF developers work, and how poorly the servers are administered in most installations. In his post, Rafal Los offers some Google dorks for finding CF servers, and states that "There is really no legitimate reason to have a ColdFusion Admin interface on the public internet". Really, I can't think of one, yet there are many results! So why are there so many results?

It is a combination of factors, laziness I'm sure being close to the top of the list, but there are others. The primary reason that comes to my mind is the location of the ColdFusion Administrator directory, inside the '/CFIDE/' directory. This directory has other directories inside it which are used by CF for things like form validation, Ajax, rendering of graphs, etc., and as such some applications stop working if the CFIDE directory does not exist, so it must be mapped as a virtual directory in most CF websites.
Often it is the webmaster or developer who sets up and manages the ColdFusion server, and who usually has very little knowledge of server security and limited knowledge of the ColdFusion Administrator and its associated security issues, or of the CFIDE requirements in an application; even if a real server admin is involved, his knowledge of ColdFusion will be little to none.

Thankfully Adobe has finally released a Lockdown Guide, written by Pete Freitag, which is well done, and which I hope is somewhat due to all the advice and feedback I have given Adobe over the years in this department. I just hope people read and follow it.

Another problem is those older versions for which no patch is forthcoming. CF developers are very wary of changing the version of CF their application currently works on. Much of this comes from a botched move by Macromedia a long time ago, when the first version of ColdFusion MX 6 (6.0.0) became notorious for breaking apps and eating resources. This means that there are now a lot of old applications running on old versions of CF.

If you run a CF server then you should install the patches and lock down access to your ColdFusion Administrator.
If you have a CFIDE vDir mapped to your sites, DO NOT use the original folder: take a copy of the CFIDE folder, put it somewhere else, delete the ADMINISTRATOR and ADMINAPI folders from the copy, and use this copy for your virtual directories. I have various old CF security and lockdown articles on this blog which you may want to take a look at.
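As an added example (not from the post and not Adobe's code), here is a small Python check a hosting admin could run over NCSA/combined-format access logs to spot the pattern described above: requests under /CFIDE/administrator/ or /CFIDE/adminapi/ whose query string carries an encoded NUL (%00) or a directory-traversal sequence. The log lines are constructed, and no particular parameter name is assumed; every parameter is inspected.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# The paths the post says should never be reachable from the public internet.
ADMIN_PREFIXES = ("/cfide/administrator/", "/cfide/adminapi/")
# NCSA/combined access-log line: src ident user [time] "METHOD target HTTP/x" status ...
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Constructed sample log lines for the demo; parameter and file names are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Aug/2010:10:01:02 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
203.0.113.5 - - [11/Aug/2010:10:01:09 +0000] "GET /CFIDE/administrator/index.cfm?p=..%2F..%2Fsomefile.txt%00en HTTP/1.1" 200 9000
198.51.100.7 - - [11/Aug/2010:10:02:30 +0000] "GET /index.cfm?id=42 HTTP/1.1" 200 2048
198.51.100.7 - - [11/Aug/2010:10:03:00 +0000] "GET /CFIDE/adminapi/x.cfc?q=%2e%2e%5c%2e%2e%5cconfig.xml HTTP/1.1" 200 700
"""


def suspicious_reason(target: str) -> Optional[str]:
    """Explain why a request target matches the pattern, or return None if it looks clean."""
    parts = urlsplit(target)
    if not parts.path.lower().startswith(ADMIN_PREFIXES):
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; this also catches double-encoding
        if "\x00" in decoded:
            return f"encoded NUL (%00) in parameter {name!r}"
        if TRAVERSAL.search(decoded):
            return f"directory traversal in parameter {name!r}"
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (source address, target, reason) for every suspicious request in the log."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and (reason := suspicious_reason(m.group("target"))):
            findings.append((m.group("src"), m.group("target"), reason))
    return findings


if __name__ == "__main__":
    for src, target, reason in scan_log(SAMPLE_LOG):
        print(f"{src:14} {reason:45} {target}")
```

The first sample line, a plain request to the Administrator login page, is not flagged by this check even though, as the post says, it should not be reachable from the internet at all; restricting the vDir is still the fix.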

Sign into multiple Gmail accounts at once

News & Gossip

Do you have multiple Gmail accounts? Then you will be happy to hear that Google is rolling out a new feature that lets you sign into multiple Google accounts at once. This is a pretty great feature, and one that will save many people a lot of time.

As far as multiple logins go right now, you can be signed into only two separate accounts at once — one Gmail account and one Google Apps account. This lets you be logged into your personal stuff and your work stuff at the same time.

Until now, though, there was no way for you to be signed into multiple Google Accounts — say, three Gmail accounts. People maintain multiple accounts for various reasons, and now switching between them is a whole lot easier.

In supported applications, like Gmail, Google Calendar, Google Sites, Google Reader, Google Voice, App Engine and Google Code, there will be a dropdown that lets you choose which account you want to look at. I suspect it will be something like Google Analytics, where you can choose which account you want to view.


To set up this functionality, you have to visit your Google Account page, and enable multiple logins — you may not see it yet, but according to Google Operating System, it’s on the way.

IIS7 blocks viewing access to certain folder names

WEBBY STUFF, Windows 2008 Server

I was just asked to help someone troubleshoot a site that worked fine on a previous host but didn't work on Windows Server 2008 / IIS7. None of the images on certain pages were displaying; the image path looked something like this:

http://www.sitename.com/subfolder/bin/file.jpg


The subfolder wasn't marked as an application, although that doesn't really matter. The point is that /bin/ was somewhere in the path, and it turns out that IIS7 won't serve any file with a /bin/ segment in its path. It serves up a 404.2 error saying file or directory not found.

404 - File or directory not found.

The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.

If you look in applicationHost.config you will find the following under the <requestFiltering> section:
<hiddenSegments applyToWebDAV="true">
  <add segment="web.config" />
  <add segment="bin" />
  <add segment="App_code" />
  <add segment="App_GlobalResources" />
  <add segment="App_LocalResources" />
  <add segment="App_WebReferences" />
  <add segment="App_Data" />
  <add segment="App_Browsers" />
</hiddenSegments>


So IIS7 now blocks those key folders and doesn't allow them to be seen. To the outside world, any page in any of these folders appears not to exist.

The easy solution is to change the folder name, but there may be times when you really do want to keep the path name, such as for SEO purposes. Not to worry, it can be changed easily enough. This setting is there on purpose, though, as it protects ASP.NET folders, so you usually shouldn't remove it for the whole site.

If it is your own server then you can use AppCmd, or do it manually in applicationHost.config or web.config. Since requestFiltering is allowed to be set at the site or folder level by default, it's probably best to put a web.config file in the folder that you want to allow, which is also your only option on shared hosting.

To do this at the folder level, create a web.config file in your folder and type or paste the following into it. It should look something like this:

<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <remove segment="bin" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

If you want to make the change in your applicationHost.config file instead, you can do it by adding a location tag near the bottom of the file, along with the other location tags, like this:

<location path="sitename.com/subfolder/bin/debug">
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <remove segment="bin" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</location>

To do this using AppCmd, drop to the command prompt and type the following (be sure to change the site name and path to the correct ones before running it):

C:\Windows\System32\inetsrv\appcmd.exe set config "sitename.com/subfolder/bin/debug" -section:system.webServer/security/requestFiltering /-hiddenSegments.[segment='bin']

After making this change, you will be able to view pages normally, even if they have /bin in the path.
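To make the matching rule concrete, here is an added Python model of how the hiddenSegments list is applied (my own illustration, not IIS code): a request is refused when any path segment equals a hidden segment, compared case-insensitively, and a per-folder web.config that removes a segment only affects requests under that folder. The default list is the one quoted from applicationHost.config above.

```python
from typing import Dict, Iterable, Set

# The default hidden segments from applicationHost.config, as quoted above.
DEFAULT_HIDDEN_SEGMENTS = ("web.config", "bin", "App_code", "App_GlobalResources",
                           "App_LocalResources", "App_WebReferences", "App_Data",
                           "App_Browsers")


def effective_hidden_segments(url_path: str, overrides: Dict[str, Iterable[str]]) -> Set[str]:
    """Compute the hidden-segment list that applies to url_path.

    overrides maps a folder (e.g. "/subfolder") to the segments its web.config
    removes, mirroring <remove segment="..."/>. Deeper folders inherit the
    parent's configuration, as IIS configuration does. This is a constructed
    model of the behaviour, not IIS's own implementation.
    """
    hidden = {s.lower() for s in DEFAULT_HIDDEN_SEGMENTS}
    path = url_path.lower()
    for folder, removed in overrides.items():
        prefix = folder.lower().rstrip("/") + "/"
        if path.startswith(prefix):
            hidden -= {s.lower() for s in removed}
    return hidden


def is_blocked(url_path: str, overrides: Dict[str, Iterable[str]] = None) -> bool:
    """True if request filtering would answer 404 for this path.

    Matching is per path segment and case-insensitive: /subfolder/bin/x.jpg is
    blocked, /subfolder/binary/x.jpg is not, because "binary" is not the
    segment "bin". The file name itself is a segment too, which is how
    web.config stays hidden.
    """
    hidden = effective_hidden_segments(url_path, overrides or {})
    segments = [s for s in url_path.split("/") if s]
    return any(seg.lower() in hidden for seg in segments)


if __name__ == "__main__":
    # Constructed example: the same web.config fix as above, applied to /subfolder only.
    fix = {"/subfolder": ["bin"]}
    for p in ("/subfolder/bin/file.jpg", "/subfolder/binary/file.jpg", "/other/bin/file.jpg"):
        print(f"{p:28} default: {is_blocked(p)!s:5} with fix: {is_blocked(p, fix)}")
```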

What OS are web developers using?

BlueDragon and Railo, Jibber Jabber, News & Gossip, WEBBY STUFF

The open source PHP dynamic language is one of the most widely deployed languages on Web servers today. But what operating systems are PHP developers using to develop and deploy their applications? It's a question that has been asked before and now it's being answered with a new study from Zend, one of the lead commercial backers behind PHP.

The study surveyed 2,000 PHP developers in December and found that 85 percent reported that Linux was their primary operating system as a production environment for PHP.

Windows came in at a distant second at 11 percent while Mac OS X came in third at just 2 percent. However, when Zend drilled down into which platforms respondents prefer for their development, the rankings change dramatically.

According to the study, 42 percent of respondents reported that Windows was their primary operating system for development. Linux came in as No. 2 at 38.5 percent while Mac OS X remained in third place at 19.1 percent.


The findings indicate that while Microsoft Windows remains the top platform for developing in PHP, its lead may be narrowing. Back in 2006, a Microsoft executive reported that 85 percent of PHP developers were developing on Windows, but only 20 percent deployed on a Windows machine. The change comes despite joint work by Zend and Microsoft to improve the capabilities of PHP on Windows servers.

The new study was based on over 2,000 completed surveys conducted in December 2009, some of which came from Zend customers. The survey was made public through the Zend Framework website, the Zend monthly newsletter, Twitter and DevZone.

I have also noticed recently, from reading blogs and lists, that the majority of CFML open source developers seem to deploy Railo or Open BlueDragon on Linux, which is a major paradigm shift from ColdFusion developers, who primarily use Windows.

I don't think this is a matter of preference but rather one of necessity, as pretty much all the PHP documentation is for Linux, and most PHP apps are written for Linux/Apache and are not supported on Windows even if you can get them working.

If you have tried to install Railo then you will have discovered that this can also be quite a task and a challenge to get working, especially on Windows/IIS7, and there are far more blog posts and docs explaining how to get it running on Linux, as well as ready-made virtual disk images, which I suspect encourages people to take the path of least resistance and install Linux.

In the case of CFML this does, however, tend to be done using virtualisation software such as VirtualBox or VMware to run a Linux development server on Windows, so CFML developers do still seem to be using Windows as their primary desktop OS. So I do wonder whether Zend took this into consideration in their study, and whether many of those who listed Linux as their primary development OS may in fact be running it as a virtual machine on Windows. This feeling is reinforced by the fact that developers are mainly using server distros like CentOS.

You also need to consider the obvious facts: while Linux has a lot going for it and plenty of software, most of the best and most popular software, especially web dev/design products like Dreamweaver and the rest of the Adobe line, is not available on Linux. Sure, there are alternatives, but they are certainly not in the same league and you can't walk into PC World and buy any of it. For those who have always been running a Linux desktop this will of course not matter at all, but for the rest it will be a big issue, especially if it is software you have spent a lot of money on, so running a virtual machine makes sense.

Of course it could be the other way round entirely, with developers running a Windows VM on Linux, but this would seem an odd way of doing it if their primary tools are on Windows.

Before the Linux fanboys start ranting, let me make it 100% clear that this is not a linux vs windows slanging match and I will delete all churlish comments attempting to turn it into one. If you comment keep it on-topic and professional.
