Edventures in Normalcy

Running ColdFusion as A Separate User

Posted by Rose Bush on January 28th, 2016

ColdFusion needs to be limited or, in certain cases, granted more access, as in the case of NAS shares, etc.

Defaults:
https://helpx.adobe.com/coldfusion/kb/running-coldfusion-specific-user.html

Way too open; they have you give the user full control of:

“WebDocument Directory
c:\cfusion or c:\cfusionmx (and all subdirectories)
c:\winnt
c:\winnt\system32”

Okay, web root seems fine, and the ColdFusion install directory seems fine. My OS installation folder is not fine by me.

The first two give me a majority of what is needed, with a few asides for other software:

Accounting for Fusion Reactor:
http://docs.intergral.com/display/FR455/Installing+FusionReactor+in+Locked+Down+Environments

I did find another person talking about the matter:
http://jochem.vandieten.net/2008/04/06/windows-file-permissions-for-the-coldfusion-account/

But they include ripping out existing permissions.

https://books.google.com/books?id=rI0OZhmcuc0C&pg=PT382&lpg=PT382&dq=Running+ColdFusion+as+a+specific+user&source=bl&ots=imQn_gDv_q&sig=QfRQ3DCqXzCNZ-sgcufo7iVtpxc&hl=en&sa=X&ved=0ahUKEwj-kMPvsKfKAhWGdj4KHQ7lAAsQ6AEIPTAE#v=onepage&q=Running%20ColdFusion%20as%20a%20specific%20user&f=false

 

Spoke to a coworker; the idea is to add the ColdFusion user to the IIS_Users group, which would inherently add permissions to the web locations. Clean and direct, I like it.

FusionReactor and Forwarded Headers

Posted by Rose Bush on November 6th, 2015

In some cases, FusionReactor may be behind a load balancer, a CDN, or any other type of proxy that changes the source IP as seen by the server. It helps to see where the requests are actually originating from. FusionReactor has an option for this:
http://www.fusion-reactor.com/support/kb/frs-351/

See Requests>Settings>Proxy, which lets you tell FR to use an alternative header for the “real” IP address.

You will see that in the “proxy header” field there is a drop-down, but it doesn’t show your specific header, rather a couple of the most common alternatives. Just paste the name of your header into that field and save the configuration changes.

Once you have saved this change, you should be able to check the Requests>History page to confirm that you now see the real IPs showing up.

I was getting this error in the exception log:

"Error","ajp-bio-8012-exec-37","04/12/13","11:51:15","mgtemplate","Java method security exception.A security exception occurred while invoking Java method on a ""java.lang.Class"" object. MethodName is getName. Possible cause: Either the createobject function and cfobject tag are disabled in the security sandbox or you are trying to create a class in the ColdFusion package and that is disabled. The specific sequence of files included or processed is: C:\inetpub\mgtemplate\RemotingService.cfc, line: 1 "
coldfusion.runtime.StructBean$SecurityException: Java method security exception.
at coldfusion.runtime.StructBean.checkPermission(StructBean.java:96)
at coldfusion.runtime.StructBean.invoke(StructBean.java:482)
at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2465)
at Statement870.evaluate(:1)
at coldfusion.runtime.CFPage.evaluateCondition(CFPage.java:9340)
at cfAbstractRemotingService2ecfc1188850940$funcRESETCFHTMLHEAD.runFunction(C:\inetpub\ModelGlue\gesture\remoting\AbstractRemotingService.cfc:59)
at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:472)
at coldfusion.filter.SilentFilter.invoke(SilentFilter.java:47)
at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:405)
at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:368)
at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:55)
at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:321)
at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:220)
at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:2659)
at cfAbstractRemotingService2ecfc1188850940$funcEXECUTEEVENT.runFunction(C:\inetpub\ModelGlue\gesture\remoting\AbstractRemotingService.cfc:40)
at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:472)
at coldfusion.filter.SilentFilter.invoke(SilentFilter.java:47)
at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:405)
at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:368)
at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:55)
at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:321)
at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:220)
at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:2659)
at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2455)
at cfRemotingService2ecfc1182307450$funcEXECUTEEVENT.runFunction(C:\inetpub\mgtemplate\RemotingService.cfc:17)
at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:472)
at coldfusion.filter.SilentFilter.invoke(SilentFilter.java:47)
at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:405)
at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:368)
at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:55)
at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:321)
at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:518)
at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:660)
at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:469)
at coldfusion.filter.ComponentFilter.invoke(ComponentFilter.java:193)
at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:436)
at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48)
at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
at coldfusion.filter.PathFilter.invoke(PathFilter.java:112)
at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:94)
at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)
at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
at coldfusion.xml.rpc.CFCServlet.invoke(CFCServlet.java:155)
at coldfusion.xml.rpc.CFCServlet.doPost(CFCServlet.java:331)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:928)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:414)
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:204)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:539)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:298)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)

I was also watching the server and saw that coldfusion.exe was attempting these file touches per procmon.exe:

11:08:40.3218412 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\lib\coldfusion\runtime\StructBean.SecurityException_en_US.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3223507 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\lib\axis2\coldfusion\runtime\StructBean.SecurityException_en_US.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3224855 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\gateway\lib\coldfusion\runtime\StructBean.SecurityException_en_US.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3226892 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\wwwroot\WEB-INF\cfform\jars\coldfusion\runtime\StructBean.SecurityException_en_US.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3228584 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\wwwroot\WEB-INF\flex\jars\coldfusion\runtime\StructBean.SecurityException_en_US.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3229917 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\lib\lib\coldfusion\runtime\StructBean.SecurityException_en_US.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3231216 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\lib\oosdk\bin\coldfusion\runtime\StructBean.SecurityException_en_US.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3232705 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\lib\oosdk\lib\coldfusion\runtime\StructBean.SecurityException_en_US.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3234821 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\lib\oosdk\classes\coldfusion\runtime\StructBean.SecurityException_en_US.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3236827 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\wwwroot\WEB-INF\classes\coldfusion\runtime\StructBean.SecurityException_en_US.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3239420 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\lib\oosdk\lib\coldfusion\runtime\StructBean.SecurityException_en_US.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3241352 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\lib\oosdk\classes\coldfusion\runtime\StructBean.SecurityException_en_US.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3243784 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\lib\oosdk\lib\coldfusion\runtime\StructBean.SecurityException_en_US.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3246013 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\lib\oosdk\classes\coldfusion\runtime\StructBean.SecurityException_en_US.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3248251 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\lib\coldfusion\runtime\StructBean.SecurityException_en.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3252732 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\lib\axis2\coldfusion\runtime\StructBean.SecurityException_en.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3254280 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\gateway\lib\coldfusion\runtime\StructBean.SecurityException_en.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3256051 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\wwwroot\WEB-INF\cfform\jars\coldfusion\runtime\StructBean.SecurityException_en.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3257616 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\wwwroot\WEB-INF\flex\jars\coldfusion\runtime\StructBean.SecurityException_en.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3259245 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\lib\lib\coldfusion\runtime\StructBean.SecurityException_en.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3260489 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\lib\oosdk\bin\coldfusion\runtime\StructBean.SecurityException_en.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3261651 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\lib\oosdk\lib\coldfusion\runtime\StructBean.SecurityException_en.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3262954 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\lib\oosdk\classes\coldfusion\runtime\StructBean.SecurityException_en.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3265052 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\wwwroot\WEB-INF\classes\coldfusion\runtime\StructBean.SecurityException_en.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3266873 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\lib\oosdk\lib\coldfusion\runtime\StructBean.SecurityException_en.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3268189 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\lib\oosdk\classes\coldfusion\runtime\StructBean.SecurityException_en.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3270259 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\lib\oosdk\lib\coldfusion\runtime\StructBean.SecurityException_en.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:08:40.3271909 AM coldfusion.exe 2864 CreateFile C:\ColdFusion10\cfusion\lib\oosdk\classes\coldfusion\runtime\StructBean.SecurityException_en.properties PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a

I compared ColdFusion versions, settings, JVM configs and settings and versions. I was at a loss. It turns out, within the ColdFusion Administrator the check box for the below was checked:
Disable access to internal ColdFusion Java components
Disables the ability for CFML code to access and create Java objects that are part of the internal ColdFusion implementation. This prevents an unauthenticated CFML template from reading or modifying administration and configuration information for this server.


Once I unchecked this and saved my settings, the section on the site worked.

Determine version of ColdFusion

Posted by Rose Bush on December 31st, 2012

Determining the version of ColdFusion can be a task you need to perform from time to time. To find out the version, create a page on the site with the following content:

As far as I can tell, there is not a simpler way of obtaining the version without access to the ColdFusion Administrator Interface.

ColdFusion does not create the proper tables for client variable storage when using MySQL as the database engine. This is the case in ColdFusion 9 and is still present in ColdFusion 10. These tables should be created manually for client variable storage to function.

Two tables are required: CDATA and CGLOBAL. Details about these tables are as follows:

The CDATA table must have the following columns:

Column | Data type
cfid | CHAR(64), TEXT, VARCHAR, or any data type capable of taking variable length strings up to 64 characters
app | CHAR(64), TEXT, VARCHAR, or any data type capable of taking variable length strings up to 64 characters
data | MEMO, LONGTEXT, LONG VARCHAR, CLOB, or any data type capable of taking long, indeterminate-length strings

The CGLOBAL table must have the following columns:

Column | Data type
cfid | CHAR(64), TEXT, VARCHAR, or any data type capable of taking variable length strings up to 64 characters
data | MEMO, LONGTEXT, LONG VARCHAR, CLOB, or any data type capable of taking long, indeterminate-length strings
lvisit | TIMESTAMP, DATETIME, DATE, or any data type that stores date and time values

If the database has not yet been created, you can create the database and tables with this:

To create the tables, the following queries can be used (this is if you have already created the database and have an appropriately privileged user that is able to access the database):
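
As an added example (not the original post's queries, and not Adobe's), MySQL statements that satisfy the column requirements listed above and give the ColdFusion datasource a dedicated, minimally privileged account. The database name `cf_client_vars`, the account `'cf_client'@'localhost'`, the placeholder password, the index names and the specific choice of `VARCHAR`, `LONGTEXT` and `DATETIME` are assumptions.

```sql
-- Added example: MySQL schema for ColdFusion client variable storage.
-- Assumed names (not from the original post): database cf_client_vars,
-- account 'cf_client'@'localhost', placeholder password, index names.

-- Run this part as an administrative MySQL user.
CREATE DATABASE IF NOT EXISTS cf_client_vars;
USE cf_client_vars;

-- CDATA: one row per client (cfid) and application (app).
CREATE TABLE IF NOT EXISTS CDATA (
  cfid VARCHAR(64) NOT NULL,   -- strings up to 64 characters
  app  VARCHAR(64) NOT NULL,   -- strings up to 64 characters
  data LONGTEXT,               -- long, indeterminate-length string
  -- Non-unique index (an addition here) so lookups by client and
  -- application do not scan the whole table.
  KEY idx_cdata_cfid_app (cfid, app)
) ENGINE=InnoDB;

-- CGLOBAL: per-client global data plus the last-visit time.
CREATE TABLE IF NOT EXISTS CGLOBAL (
  cfid   VARCHAR(64) NOT NULL, -- strings up to 64 characters
  data   LONGTEXT,             -- long, indeterminate-length string
  -- DATETIME rather than TIMESTAMP so the value is stored exactly as
  -- ColdFusion writes it, with no automatic initialization or update.
  lvisit DATETIME,
  -- Non-unique indexes (an addition here) for lookups by client and
  -- for purging rows by last visit.
  KEY idx_cglobal_cfid (cfid),
  KEY idx_cglobal_lvisit (lvisit)
) ENGINE=InnoDB;

-- Dedicated account for the ColdFusion datasource. Because the tables
-- already exist, it needs only row-level access to these two tables:
-- no CREATE, DROP, ALTER, FILE or GRANT OPTION, and nothing on other
-- databases. 'localhost' assumes ColdFusion and MySQL share a host.
CREATE USER 'cf_client'@'localhost' IDENTIFIED BY 'CHANGE_ME_placeholder';

GRANT SELECT, INSERT, UPDATE, DELETE
  ON cf_client_vars.CDATA TO 'cf_client'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE
  ON cf_client_vars.CGLOBAL TO 'cf_client'@'localhost';

-- Confirm that the account holds only the four privileges per table.
SHOW GRANTS FOR 'cf_client'@'localhost';
```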

com.mysql.jdbc.exceptions.jdbc4.MySQLNonTransientConnectionException: Could not create connection to database server. Attempted reconnect 3 times. Giving up.
The root cause was that: com.mysql.jdbc.exceptions.jdbc4.MySQLNonTransientConnectionException: Could not create connection to database server. Attempted reconnect 3 times. Giving up.

 

CF cannot open a TCP socket to the database server. Check that the database server is actually running, listening on port 3306 and not blocked by a firewall.

After restarting ColdFusion and seeing it was not a performance issue, I realized the file I was trying to save to was in a folder that did not exist.

One of two things, either the patch was not applied\incorrectly applied, seen here:

http://www.bennadel.com/blog/1289-ColdFusion-8-0-1-Bug-Coldfusion-Image-ImageWriter-ImageWritingException.htm

with CF stopped

or the path is wrong in the code, per our example:

http://www.hosting.com/support/cfusion/captcha/

destination="tmp/readme#tc#.png"

being run from example.com/subfolder

would result in the file trying to be written to:

C:\Websites\userdir\subfolder\tmp\
