Entries Tagged as “Adobe ColdFusion 10”
Administrator | Adobe ColdFusion 10 | Adobe ColdFusion 11
We have seen some cases where the user is trying to login to ColdFusion administrator console and CF keeps throwing login page again and again even though user has provided valid credentials. We heard users tried doing something like password reset, restarting the server which even didn't helped solving the issue. So we were curious to find what causing this issue and will discuss some of the issues we came across that occur when attempting to log into the administrator console.
1) One instance where we have seen this issue because of IIS misconfiguration. IIS uses a default list of global MIME types to determine which types of content to serve. If a client requests a MIME type that is not defined on the Web server, IIS returns a 404 error. In this case IIS admin has created a specific web.config file for coldfusion site. If the coldfusion website specific IIS web.config file contains a duplicate mime type which is also present in the IIS global config mime type list it causes an error in IIS. There by IIS blocks all the file extensions (Except cfm and cfc as they were mentioned in IIS handler mappings). Because of this issue sha1.js file didn't get loaded which in turn caused login failure. Removing/Commenting out the duplicate mime type from website specific web.config file resolves the issue.
Assume your website web.config file added additional mime types for file extensions .less and .ttf.
- <mimeMap fileExtension=".less" mimeType="text/plain" />
- <mimeMap fileExtension=".ttf" mimeType="text/plain" />
The above config causes an error because .ttf is already present in the IIS global web.config file. Remove the mimemap for file extension .ttf to resolve the issue.
To add the ColdFusion website to the trusted list
- Navigate to Internet Options Menu
- Select security Tab and select trusted sites icon
- Click Sites button
- Enter ColdFusion website URL (e.g: http://hostname/) and Click add button
- Click Close button.
- Click Ok button to save the changes.
- Reload the webpage and provide your credentials you should be able to login to the admin console.
We will be keep updating this blog if we come across any other issues which prevents user from logging in to the admin console. Also, let us know if you have come across any admin login issues other than which are mentioned above.
Besides the login issue make sure to mandate that ColdFusion administrator runs only on https as specified in lockdown guide.
Links for ColdFusion lockdown guide
Adobe ColdFusion | Adobe ColdFusion 10 | Announcements | CF Summit | ColdFusion | ColdFusion 11 | General
We are pleased to officially announce the next Adobe ColdFusion Summit to be held October 16th and 17th at Aria Resort & Casino, Las Vegas, Nevada. It's going to be even better than last year and pricing remains very low at $299 early bird rate through July!
Adobe ColdFusion 10 | Updates
ColdFusion 10 Update 13 is now available.
This update introduces support for OS X 10.9 Mavericks. It fixes the web server connector issue on OS X 10.9 reported as bug #3653076.
Users who are on OS X 10.9 or who plan to upgrade to 10.9 should apply this update. Users on other platforms need not apply this update.
For further details you may refer this technote.
Security | Adobe ColdFusion 10
ColdFusion Enterprise installation includes FIPS compliant RSA BSAFE JCE Crypto Provider. Default algorithm used by this library for random number generation is ECDRBG (A variant of Dual Elliptic Curve). RSA has released an advisory regarding same (ESA-2013-068) listing unsafe random bit generation algorithms.
ColdFusion sets the default random number generator algorithm to FIPS186Random (JVM argument -Dcoldfusion.jsafe.defaultalgo=<algorithm>) which is completely safe to use. So good news is by default your ColdFusion 10 installation is secure. Note that CrypotJ libraries are not available in Standard installation of ColdFusion.
ColdFusion 9 family uses BSafe library 3.6 which doesn’t make use of ECDRBG based algorithms. It uses SHA1PRNG as default random number generation algorithm. There is no impact on coldfusion 9. JVM argument -Dcoldfusion.jsafe.defaultalgo is not available in ColdFusion 9 family.
Following table lists unsafe random bit generation algorithms.
|ECDRBG||Dual EC DRBG (128 Bit)|
|ECDRBG128||Dual EC DRBG (128 Bit Default)|
|ECDRBG192||Dual EC DRBG (192 bit)|
|ECDRBG256||Dual EC DRBG (256 bit)|
Pete from CF community has also blogged about the same here
Adobe ColdFusion 10 | Announcements | Updates
We updated the ColdFusion 10 Mandatory Update bits on Nov 21, 2013. This has been done to implement certain internal changes in the code signing mechanism.
Users who are on ColdFusion 10 Update 8 and above are not affected by this change. They need not reapply the Mandatory Udpate. Users on Update level 7 and below can follow this article to reapply the Mandatory Update.
Users on a new ColdFusion 10 installation (build number 282482 or 283922) should apply the Mandatory Update.
Users who need to install updates older than Update 8, can reference this article to download and install the required update.