Aug 31, 2014

Not able to run vbscript using cfexecute on Windows 64 bit Machine - Solution


Goal: To run VBScript from cfexecute through the command-line script host cscript.exe

Environment: ColdFusion 10, Windows 7, 64-bit machine.

My VBScript (Excel.vbs) performs simple Office automation.

So first I tried running Excel.vbs from the command line.

C:\Windows\System32 > cscript //nologo D:\Excel.vbs D:\test.xls

and got the expected output, Success (good, my Excel VBS is correct).

Now I have to check whether CF runs it correctly, so I use cfexecute to run Excel.vbs.

<cfexecute name = "C:\Windows\System32\CScript.exe"
            arguments = "//NoLogo D:\Excel.vbs D:\test.xls"
            variable = "savedOutput"
            timeout = "3600">
 </cfexecute>
<cfdump var="#savedOutput#">


But I got this error message -

Error: 424 Source: Microsoft VBScript runtime error Description: Object required

So what is wrong with ColdFusion? The same VBScript runs from the command line, but cfexecute throws an error.

So I tried two things:
  • Checked whether the account that runs ColdFusion has admin rights.
    • Yes, CF is running with admin privileges.
  • Tried using a batch file
    batchFile.bat :
    @echo off
    pushd %~dp0
    cscript //nologo D:\Excel.vbs D:\test.xls

    <cfexecute name = "D:\batchFile.bat"
               variable = "savedOutput"
               arguments="/C /Q"
               timeout = "3600">
    </cfexecute>
    <cfdump var="#savedOutput#">

    Same error: Error: 424 Source: Microsoft VBScript runtime error Description: Object required
So what will be the solution for this?
After checking some threads on office automation I found this solution.

We have to add a Desktop folder under the systemprofile folder (in both System32 and SysWOW64) so that Excel can open files when it is started from a Windows service or IIS on Windows 7 x64 (dev machine) and Server 2008 x64.

So I added a Desktop folder under these 2 directories -
C:\Windows\System32\config\systemprofile
C:\Windows\SysWOW64\config\systemprofile


Output: now my cfexecute code returns Success and the VBScript performs the desired Office operation.

Also verify in Services that the ColdFusion service is allowed to "Interact with Desktop".

Note: if you are doing Office automation, you have to add the Desktop folder inside systemprofile regardless of the technology you are using, in the environments listed above.

Hope it helps you :)
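The two steps above (create the systemprofile Desktop folders, then run cscript from cfexecute) as one script, added here as an example and not code from the original post. The paths D:\Excel.vbs and D:\test.xls are the post's own; the function names and the check for the "Error: 424" text are mine.

```cfml
<!--- Added example: pre-flight check for the systemprofile Desktop folders,
      then the cfexecute call with the "Object required" symptom detected
      instead of silently dumped. --->
<cfscript>
// The two folders the fix requires on Windows 7 / Server 2008 x64.
systemProfileDesktops = [
    "C:\Windows\System32\config\systemprofile\Desktop",
    "C:\Windows\SysWOW64\config\systemprofile\Desktop"
];

// Returns the folders that were missing and had to be created. Needs write
// access under C:\Windows (the post confirms CF runs with admin privileges).
function ensureSystemProfileDesktops(required array folders) {
    var created = [];
    for (var folder in arguments.folders) {
        if (!directoryExists(folder)) {
            directoryCreate(folder);
            arrayAppend(created, folder);
        }
    }
    return created;
}

created = ensureSystemProfileDesktops(systemProfileDesktops);
</cfscript>

<!--- Arguments are fixed literals: never build cscript arguments from
      user-supplied input, because cfexecute hands them straight to the OS. --->
<cfexecute name="C:\Windows\System32\cscript.exe"
           arguments="//NoLogo D:\Excel.vbs D:\test.xls"
           variable="savedOutput"
           errorVariable="savedError"
           timeout="3600" />

<cfscript>
// Treat the VBScript runtime error from the post as a failure, not a success.
function automationSucceeded(required string output) {
    return !reFindNoCase("Error:\s*424", arguments.output)
        && findNoCase("Success", arguments.output) > 0;
}

if (automationSucceeded(savedOutput)) {
    writeOutput("Office automation succeeded (folders created: #arrayLen(created)#)");
} else {
    writeOutput("cscript failed: " & encodeForHTML(savedOutput & " " & savedError));
}
</cfscript>
```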


Aug 29, 2014

POI Compatibility Issues with ColdFusion


In this post I will discuss the issues that come with the latest POI 3.10 in ColdFusion 9/10.

Recently I worked on the import/export features of Excel documents in my project. Moreover, these Excel documents are very complex, with multiple triggers and rich in macros.

As a result, I faced lots of issues reading such files and any number of errors from POI.

Let's discuss how ColdFusion reads Excel sheets.

What is POI?
- POI is an open source Java library used to read Microsoft documents.

Why POI in ColdFusion?
- ColdFusion ships with POI to read Excel sheets. CF also ships with Open Office, but by default Excel reading/manipulation is handled by POI. If you want to use Open Office, configure the local/remote Open Office directories under CF Admin. ColdFusion 10 comes with POI 3.6 jar files.

POI jar files present under the lib directory of ColdFusion (the jar files below come with POI 3.10):
  1. dom4j-1.6.1.jar
  2. poi.jar
  3. poi-ooxml.jar
  4. poi-ooxml-schemas.jar
  5. poi-scratchpad.jar
  6. stax-api-1.0.1.jar
  7. xmlbeans-2.6.0.jar
Now let's discuss some errors I got while reading those XLS/XLSX files with ColdFusion 9/10 using the inbuilt tags/functions available in ColdFusion:
  • (with XLS) java.lang.NullPointerException at org.apache.poi.hssf.model.LinkTable.getExternalBookAndSheetName
  • (with XLS) Duplicate PageSettingsBlock record (sid=0x89c)
  • (with XLS) Unexpected celltype (5)
    • This error may come when you have some dirty data or a cell value starting with #.
      But everything was fine in my case.
  • (with XLS) coldfusion.excel.ExcelProcessException: An exception occurred while using action=read. NullPointerException.
    • There was nothing wrong with my cfspreadsheet syntax.
  • (with XLSX) The supplied POIFSFileSystem does not contain a BIFF8 'Workbook' entry. Is it really an excel file?
    • Some of the XLSX files are failing.
  • (with XLSX) The Supplied spreadsheet seems to be encrypted .xlsx file. It must be decrypted before use by HSSF

What I have tried so far with the inbuilt tags/functions available in CF, and whether it succeeded or failed:
  • As all issues point to POI, I downloaded the latest version of POI 3.10, extracted all the jar files and put them under the \lib directory.

    Success: 6/5 issues solved with the updated POI, a 100% success rate with XLS, except for the encryption error still coming up with some XLSX files.

    Adverse effects (failures):
    • Formatting rows/columns/cells of Excel sheets with styles like fonts and color no longer works and throws an error "Java: no Method error with fonts and color".
      • Cause: ColdFusion expects Font.getCharSet to return a byte, while the latest version of POI returns an int. (Stack Overflow thread)
    • Some of the XLSX files that were easily readable with POI 3.6 are now unreadable and throw
      "org.openxmlformats.schemas.spreadsheetml.x2006.main.CTWorksheet.getColsList()Ljava/util/List
      java.lang.NoSuchMethodError"
In the next post I will discuss some workarounds for it.

Aug 15, 2014

Mach-II Framework - Basic beginner start.

My journey towards learning the Mach-II framework

A few days back I added a post regarding CF frameworks.
In this post we are going to understand what Mach-II is and what this beautiful framework provides.

There is already a superb GitHub directory from which you can learn Mach-II.
This post will help you get familiar with some basics of Mach-II and the early hurdles you face as a beginner.

The points below cover whatever I've learned so far in Mach-II.

Let's begin:
What is Mach-II?
  • An MVC framework for ColdFusion
    • Benefit of MVC: separation of code into different layers, which helps you reuse and organize your code better using the Model (mainly CFCs), the View (shows your content) and the Controller (which links Model and Views)
    • In Mach-II the controller comprises plugins, listeners and filters
  • An object-oriented framework
  • An event-driven framework
  • mach-ii.xml is where all configuration is done.
    • The XML contains: Properties, Events, Listeners, Page Views, Filters, Plugins
  • II stands for Implicit Invocation
    • As Mach-II is an event-driven framework, all events are handled through event handlers, which in turn announce the event to the component registered for it.
    • Know more here: Implicit-Invocation Architectures in MVC
  • Easy to maintain, and provides flexibility in developing robust applications.
How to set up Mach-II?
  • First download the Mach-II framework code and skeleton from
    MachII GitHub or the Mach-II home page
  • A basic folder structure which I kept while learning Mach-II (shown in the image)
  • Once the code is downloaded, we have to run the Mach-II application based on where we kept the framework files and skeleton files.
    If you are keeping the framework files outside the web root, then you have to add a mapping in the CF Administrator. You can also extend the Mach-II framework code to set up your Mach-II environment.
    Here is the link which shows you various ways to set up your Mach-II application
  • The image above shows my application folder, which comprises both the framework code and the skeleton.
    • I pointed this directory as a virtual directory in my IIS and named it "mach2test"
    • Now we need to open /config/mach-ii.xml. In the property applicationRoot we have to specify the root of our application.
      <property name="applicationRoot" value="/mach2test" />
    • Now, once we have added the value for applicationRoot, we have to add a mapping or inherit the framework code using the extends attribute.
      So for this I added extends="MachII.mach-ii" in Application.cfc to inherit mach-ii.cfc
       <cfcomponent displayname="learnMach-ii" output="false" extends="MachII.mach-ii">
    • Now the code setup is over and you are ready to run your first output in the browser:
      http://localhost/mach2test/index.cfm. If you downloaded the Mach-II skeleton then the first output will be Hello Mach-II!

Flow of a Mach-II application:
  • All Mach-II requests flow through index.cfm because it follows the pattern called Front Controller
    • Wiki: It provides a centralized entry point for handling requests.
  • As Mach-II is event driven in nature, everything happens by calling an event, which creates event objects. Let's look at one example to get a clear idea of the Mach-II flow.
  • Say for example you have a basic login page in your application
    • URL: http://localhost/mach2test/index.cfm?event=login. The request first goes to the central page index.cfm, which starts looking in mach-ii.xml
    • As we are calling an event called login (if we don't specify any eventParameter then the defaultEvent executes), it looks for the event-handler whose event is login
    • The event handler tells Mach-II to open a view called login.cfm.
    • In login.cfm we have one form whose action calls "index.cfm?event=checkLogin"
    • Now, once again the flow goes to mach-ii.xml and looks for the checkLogin event. The checkLogin event handler calls the listener loginListener, which calls the validateLogin method of the loginComponent CFC that resides in the model.
    • validateLogin() returns success/failure and announces either the event loginSuccess, which shows home.cfm, or loginFailure, which shows an error message.
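The loginListener from the flow above, written out as a Mach-II listener; this is an added example, not code from the post or the Mach-II project. Assumed here: MachII.framework.Listener as the base component, event.getArg() for reading request arguments, announceEvent() for firing the next event, and a model CFC model.loginComponent with a validateLogin(username, password) method.

```cfml
<!--- Added example: the listener behind "index.cfm?event=checkLogin".
      Mach-II API names (Listener, Event, getArg, announceEvent) are assumed. --->
<cfcomponent displayname="loginListener" extends="MachII.framework.Listener" output="false">

    <!--- Called by Mach-II when the listener is created; wires up the model
          CFC that does the real credential check (assumed name). --->
    <cffunction name="configure" access="public" returntype="void" output="false">
        <cfset variables.loginComponent = createObject("component", "model.loginComponent") />
    </cffunction>

    <!--- Invoked by the checkLogin event-handler in mach-ii.xml, e.g.
          <event-handler event="checkLogin" access="public">
              <notify listener="loginListener" method="validateLogin" />
          </event-handler> --->
    <cffunction name="validateLogin" access="public" returntype="void" output="false">
        <cfargument name="event" type="MachII.framework.Event" required="true" />
        <cfset var username = arguments.event.getArg("username", "") />
        <cfset var password = arguments.event.getArg("password", "") />

        <!--- The model decides; the view never does. --->
        <cfif len(username) AND variables.loginComponent.validateLogin(username, password)>
            <!--- Rotate the CF session before marking it authenticated so a
                  session id issued before login is not carried over. --->
            <cfset sessionRotate() />
            <cfset session.authenticated = true />
            <cfset session.username = username />
            <cfset announceEvent("loginSuccess") />
        <cfelse>
            <!--- One generic message for unknown user and wrong password, so
                  the loginFailure view does not reveal which one was wrong. --->
            <cfset announceEvent("loginFailure", { message = "Invalid username or password." }) />
        </cfif>
    </cffunction>

</cfcomponent>
```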
Hope you now have the basic flow of the Mach-II framework.
I am still diving deeper into the Mach-II framework and hope to come up with some more posts related to Mach-II soon.

Happy Learning :)




Aug 3, 2014

ColdFusion Frameworks - Which one to choose ?

Someone asked me a few days back about my skill set in ColdFusion frameworks -

Conversation Starts.

Anonymous - Do you know any of the CF frameworks like Mach-II?
Me - No, I have not worked with any of them in my projects so far, but I have some idea about MVC frameworks.

Anonymous: Ok, good. So how long will it take you to learn the Mach-II framework?
Me: Probably x days to get acquainted with all the stuff in it.
Anonymous: Ok, tx.

Conversation ends.

I am not a great fan of frameworks yet.

Yes, I have heard that frameworks make a developer's life easy and that you can do some things very easily by writing a few lines of code rather than a bunch of plain code.

Once I attended a seminar on the FuseBox framework months back. Holy crap, that was too much fuse and circuit drama.
Just to add a login functionality we had to take care of too many settings.

So, what to do now?
Lots of questions coming to my mind.

After lots of reading and searching, I thought that it's the best time to learn some frameworks, not because someone is asking me to learn but because I found it interesting after seeing this "Sunsetting Mach-II".
Even if the core developers move on from Mach-II, Mach-II and FuseBox are still the most popular CF frameworks.

Frameworks available for ColdFusion
1. Mach-II - one of the first Object Oriented ColdFusion frameworks.
2. FuseBox
3. ColdBox
4. Cold Spring
5. Model-Glue
6. F/W 1
7. CF wheels
*There may be many more.

So, I am going to take Mach-II as the first CF framework to be added to my skill set, then FuseBox.

What I want from these frameworks -
1. Easy to Use
2. Rapid Development
3. Good Community Support

Let's Begin ..


May 9, 2014

isapi_redirect 500 Internal Server Error

Today I was installing the dev version of ColdFusion Splendor on my machine.
I completed the CF 11 installation successfully, but when I tried to run CFM code I got this strange error.


500 Internal Server Error -

I was not aware of such an error in the past, so:
What is the isapi_redirect DLL?
Why is the isapi_redirect DLL needed to run a .cfm page?

Here comes the Answer -

As we know, IIS is an external web server and tends to process HTML content, while Tomcat/JRun is the built-in web server which in turn executes Java and JSP applications.

As we know, ColdFusion is built on top of Java EE, so we need someone to run that Java bytecode, and that is why we need Tomcat/JRun.

So here isapi_redirect is the middle guy which sends your request from IIS to Tomcat. In technical terms, it is a plugin which lets IIS forward servlet/JSP requests to Tomcat to process any client request.


So, now let's solve our main issue - 500 Internal Server Error (check the screenshot above showing the error message)

Steps to follow to solve it -
Open ISAPI Filters in IIS
> Right click / click Action "Add"
> Give any filter name, say "CFIASPI", and in the Executable text box give the path of your isapi_redirect DLL, present under #root#\config\wsconfig\1\isapi_redirect.dll
> Now restart IIS once
> Load your CFM page; issue solved

If the issue is not solved even after adding the required DLL under ISAPI:
-- Check web.xml under your project folder and see whether any reference to ISAPI is present.
   The above scenario may only happen when you already have CF 10 installed, and a mismatch in the handler mapping causes the wrong path to the ISAPI DLL to be read.
-- If found in web.xml, check the config setting for ISAPI and validate its path.

If you are still facing any issue, please share. It is also new to me.
Hope it may help :)






May 8, 2014

Securing ColdFusion Server - Seminar Response

Here is my feedback summary of the seminar I gave last week - How to Secure your ColdFusion Server

Quick look at the seminar slides: http://shamcf.blogspot.in/2014/05/coldfusion-security-how-to-secure-your.html

Thanks all for your useful responses.
Check slides here
Check video here

Hope you all have taken preventive measures to secure your ColdFusion Server.


May 2, 2014

ColdFusion Security - How to Secure your ColdFusion Server


Recently I gave a seminar on ColdFusion Security - How to Secure your ColdFusion Server at company level.

In the seminar I discussed recent CF vulnerabilities, how a CF server can be hacked, how we can prevent such attacks by securing our CF server, etc.

Here are my slides - please look into them.


Video Presentation here
Hope it may help you :)

May 1, 2014

Cookies : setDomainCookies Funda

Everyone knows what setDomainCookies does.
If not, please revisit: "setDomainCookies - Used to set CFID and CFTOKEN cookies for a domain (not just a host)". Generally we always set it to false.

I faced a real problem in my application a few days back.
We create multiple websites through a single application, hosted on different domains.

The issue was this:
Let's say we have 2 different websites altogether, named
1. shamRealty.indiatimes.com
2. kasleRealty.indiatimes.com

The problem was that when you open shamRealty.indiatimes.com and, in another tab, kasleRealty.indiatimes.com,
the kasleRealty website shows the same content as shamRealty.
Put more simply: you open Google.com in one tab and then open Facebook in another tab, and facebook.com opens with the Google page in it.
Weird, right?

I thought this might be some IIS-related issue, but once I cleared my browser cookies/cache the issue was not reproducible.

I start looking into Cookie assignment and found this:
CFID and CFTOKEN was generating twice in website
one for
shamRealty.indiatimes.com (CFID:2313, CFTOKEN:234124)
and one for
.indiatimes.com (CFID:23412 , CFTOKEN:345435)

This gave us a hint as to why domain-specific CFID/CFTOKEN cookies were being generated.
We started looking into the application-level settings and found that by mistake we had set setDomainCookies to true.

Funda: don't set setDomainCookies to true unless your application is running in a clustered environment, because if CFID and CFTOKEN variable combinations already exist on each host in the cluster, ColdFusion migrates the host-level variables on each cluster member to the single, common domain-level variable.
Source - Adobe

So we turned off setDomainCookies and the issue was solved.
Hope it may help
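The Application.cfc setting behind this post, shown with the correct value, together with a small check that reports what the author saw (a host-level and a domain-level CFID/CFTOKEN pair arriving in the same request). This is an added example, not the post's own code; the application name, the cookie-audit log file and the function name are mine, the host names are the post's.

```cfml
<!--- Added example: setDomainCookies left false, plus a request-time check
      for duplicate CFID/CFTOKEN cookies in the raw Cookie header. --->
<cfcomponent output="false">
    <cfset this.name = "realtySites" />
    <cfset this.sessionManagement = true />
    <!--- false: CFID/CFTOKEN are scoped to the exact host
          (shamRealty.indiatimes.com), not to .indiatimes.com. Only set it to
          true in a clustered environment, as the post's Adobe quote explains. --->
    <cfset this.setDomainCookies = false />
    <!--- CF10 setting: keep the session cookies out of reach of script. --->
    <cfset this.sessionCookie = { httpOnly = true } />

    <!--- Parses a raw Cookie header ("a=1; b=2; a=3") and returns the names
          that appear more than once. Two CFID values in one request means the
          browser still holds a host cookie and a leftover domain cookie. --->
    <cffunction name="duplicateCookieNames" access="public" returntype="array" output="false">
        <cfargument name="cookieHeader" type="string" required="true" />
        <cfset var counts = {} />
        <cfset var pair = "" />
        <cfset var name = "" />
        <cfset var dupes = [] />
        <cfloop list="#arguments.cookieHeader#" index="pair" delimiters=";">
            <cfset name = trim(listFirst(pair, "=")) />
            <cfif len(name)>
                <cfset counts[name] = (structKeyExists(counts, name) ? counts[name] : 0) + 1 />
            </cfif>
        </cfloop>
        <cfloop collection="#counts#" item="name">
            <cfif counts[name] GT 1>
                <cfset arrayAppend(dupes, name) />
            </cfif>
        </cfloop>
        <cfreturn dupes />
    </cffunction>

    <cffunction name="onRequestStart" access="public" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true" />
        <!--- A header like the one the post describes would be (constructed):
              "CFID=2313; CFTOKEN=234124; CFID=23412; CFTOKEN=345435"
              and duplicateCookieNames() returns ["CFID", "CFTOKEN"] for it. --->
        <cfset var dupes = duplicateCookieNames(cgi.http_cookie) />
        <cfif arrayLen(dupes)>
            <cflog file="cookie-audit" type="warning"
                   text="Duplicate session cookies from #cgi.remote_addr#: #arrayToList(dupes)#" />
        </cfif>
        <cfreturn true />
    </cffunction>
</cfcomponent>
```

The warning in cookie-audit.log is the signal that a domain-level cookie is still lingering in users' browsers after the setting was turned off; it disappears once those cookies expire or are cleared.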

Apr 29, 2014

ColdFusion Splendor - Released (Finger Crossed)

ColdFusion Splendor was released yesterday

http://blogs.coldfusion.com/post.cfm/announcing-the-launch-for-coldfusion-11-and-coldfusion-builder-3

Hope this will not be like CF 10, with lots of bugs all around.

If the product is like CF 10 (not 10.0.1 ..) then seriously we have to look at the ColdFusion road map.

Also please give the CF world some time between two product releases. Hope you understand what I am talking about.


Fingers crossed, hope CF Splendor will be an awesome product for Adobe.
Right now, let's accept it and be proud of CF

Welcome <cfSplendor>






Apr 26, 2014

ColdFusion Security Statistics Report 2014 - My look

The 2014 Website Security Statistics Report, released a few days back, gives brief info about security issues related to all web technologies.

Here are a few points and some care which we need to take:

1. ColdFusion is the 5th most widely used language.
2. But the main point in the report which makes me sad is "10.59% of ColdFusion sites had at least one SQL Injection vulnerability, the highest among all Programming Languages"

Who is responsible?

Yes, we developers, who are not writing secure CFML code to stop SQL injection vulnerabilities.
Not using queryparam is not at all acceptable in the CF world.

Writing a parameterized query can stop most SQL injection vulnerabilities. Please follow it.

3. XSS (46%), SQL Injection (11%) and Information Leakage (24%) vulnerabilities are the major concerns.

Hope we will write secure CFML code and protect our ColdFusion server to prevent such vulnerabilities in future.
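The same lookup written the way that produces the SQL injection the report counts, next to the parameterized form the post asks for. This is an added example, not from the post; the datasource myDsn and the users table with its user_id, username and email columns are assumed.

```cfml
<!--- Added example: unparameterized cfquery beside its cfqueryparam form. --->

<!--- Before: url.id is pasted into the SQL text, so whatever the client sends
      becomes part of the statement the database parses. --->
<cfquery name="userUnsafe" datasource="myDsn">
    SELECT user_id, username, email
    FROM users
    WHERE user_id = #url.id#
</cfquery>

<!--- After: the value travels as a bound parameter of a declared type. The
      database never parses it as SQL, and cfsqltype="cf_sql_integer" makes
      ColdFusion reject a non-numeric value before the query is even sent. --->
<cfquery name="userSafe" datasource="myDsn">
    SELECT user_id, username, email
    FROM users
    WHERE user_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer" />
</cfquery>

<!--- Strings get the same treatment. maxlength caps what can be bound, and a
      LIKE wildcard is appended to the value, never to the SQL text. --->
<cfquery name="userSearch" datasource="myDsn">
    SELECT user_id, username
    FROM users
    WHERE username LIKE <cfqueryparam value="#url.q#%" cfsqltype="cf_sql_varchar" maxlength="50" />
</cfquery>
```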
             


Apr 24, 2014

How ColdFusion Server was allowing to Install IIS malware which Steals data

I was preparing for my company-level seminar on ColdFusion security this week and went through numerous blogs and slides to learn about recent ColdFusion attacks.

The one which interested me most is the IIS malware attack.

What is it?
How does IIS malware get injected into your server?

Lots of questions to be asked, but the reason for this attack was a CF backdoor vulnerability.

Yes, if you keep your door open, someone will come and steal data from your server.
Here the door means your ColdFusion server.

Let's check this IIS malware injection through a flow chart.

Flow chart of IIS malware injection through the CF backdoor vulnerability

The CF vulnerability allowed creating a web shell (a web shell is a type of Remote Access Tool (RAT) or backdoor Trojan file) on the server, which in turn executed a DLL and added that module to IIS.

The injected DLL captured the POST requests for a specific page, for example paymentProcess.cfm (the installer added this page while installing the DLL), and wrote the POST parameter info to a log file.

The specially designed DLL was also undetectable by modern anti-virus.
Even SSL can't stop this, as it captures the data after the SSL POST is decrypted by the server.

This shows how important it is to read the ColdFusion Lockdown Guide. If you have locked down your server, well and good. If not, check the lockdown guide and lock down your server soon.

If you are not aware of the CF lockdown guide, please visit:
http://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf10/cf10-lockdown-guide.pdf

I will be coming with a next blog post containing details of recent CF vulnerabilities.

Hope it may help



Apr 13, 2014

Get Active threads / Kill any specific Thread using CF Admin API.

As we know, we can create threads using the <cfthread> tag.
We can run, join or terminate a thread, but let's say we have a real-world scenario where we want to show all currently running CF threads in our web application and perform all operations through the web app.

So for this we have to get the metadata info for all threads.

In my last post we discussed how we can access the CF Administrative APIs.
So to achieve this we are going to use the CF Admin API servermonitoring.cfc.
You can also visit Server Monitoring in the ColdFusion Administrator to see those threads and manage them.

getActiveThreadsRunning() returns the metadata info of all currently running threads, like ThreadName, TimeTaken, CFStrackTrace etc.

Let's move on to see how we can kill a thread.
You may get into a situation where some threads run for a long period of time and because of that other processes are waiting in the queue:

We can call abortCFThread(), present under servermonitoring.cfc, to achieve this.

Hope it will help you.
Happy Coding :)

ColdFusion Administrative API: An OverView

Most of the time we do admin-level settings by going to the CF Admin page,
but we can also change admin-level settings from code using the CF Admin APIs.
Say for example logging in to CF Admin, adding a datasource, or seeing how many threads are running on our CF server.

All of these can be achieved through the Admin APIs, which perform all CF administrative work.

ColdFusion provides a rich Admin API located under the CF directory (<CF Directory>\cfusion\wwwroot\CFIDE\adminapi).

There are almost 18 components in total present in CF 10.
CF11 (Splendor: beta version) adds one more, which is document.cfc.

Most of the CF administrative work can be achieved using these admin CFCs.

The image above shows the list of Admin APIs present in CF Splendor.

All the CF admin API CFCs are encrypted, but we can check the list of methods available under each CFC by calling them.
Let's say we want to see the methods present under administrator.cfc:

use: http://coldfusion10/CFIDE/adminapi/administrator.cfc
enter your RDS password and you can check the methods available under administrator.cfc.

To call any CF admin API, you first have to log in to the CF administrator:
So first we have to create objects for those CFCs and call them.
So, walk through all the Admin APIs and get familiar with them.

Hope it will help you.
Happy Coding :)
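One script that covers both the Admin API overview above (log in first, then create the CFC objects) and the earlier thread post (getActiveThreadsRunning() and abortCFThread() from servermonitoring.cfc), added here as an example and not code from either post. Assumed: the login() signature (adminPassword, adminUserId), that getActiveThreadsRunning() returns an array of structs with ThreadName and TimeTaken keys, that abortCFThread() takes the thread name, and a JVM system property cf.admin.password holding the admin password.

```cfml
<!--- Added example: list running cfthreads through the Admin API and abort
      the ones that have exceeded a time limit. Method signatures and the
      returned key names are assumptions, see the lead-in. Keep /CFIDE/adminapi
      unreachable from the public web as the lockdown guide says; this runs
      server-side only. --->
<cfscript>
// Returns the threads whose TimeTaken (ms) exceeds maxMillis.
function findLongRunningThreads(required array threads, required numeric maxMillis) {
    var slow = [];
    for (var t in arguments.threads) {
        if (structKeyExists(t, "TimeTaken") && t.TimeTaken > arguments.maxMillis) {
            arrayAppend(slow, t);
        }
    }
    return slow;
}

// Admin password read from a JVM system property set on the CF instance
// (assumed name), never from the request or the page source.
adminPassword = createObject("java", "java.lang.System").getProperty("cf.admin.password");

// Step 1: log in, otherwise every other Admin API call is refused.
adminApi = createObject("component", "CFIDE.adminapi.administrator");
adminApi.login(adminPassword, "admin");

// Step 2: create the server monitoring CFC and read the running threads.
monitor = createObject("component", "CFIDE.adminapi.servermonitoring");
running = monitor.getActiveThreadsRunning();

// Anything over 10 minutes is treated as stuck for this example.
stuck = findLongRunningThreads(running, 10 * 60 * 1000);

for (t in stuck) {
    // Record who aborted what before acting on the server.
    writeLog(file="thread-admin", type="warning",
             text="Aborting cfthread #t.ThreadName# after #t.TimeTaken# ms (by #cgi.remote_user#)");
    monitor.abortCFThread(t.ThreadName);
}

writeOutput("Running: #arrayLen(running)#, aborted: #arrayLen(stuck)#");
</cfscript>
```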