FCKEditor running ColdFusion Stops Working with FireFox 2010 Releases

FCKEditor stops working with Firefox 3.5.7, 3.6 and later releases. There is a "Year 2010" bug that breaks the regular expression it uses to detect which browser you are running. I found this in FCKEditor v2.6.4.1. ColdFusion 8 and 9 appear to be okay, however I would double check them.

The issue lies in the file fckutils.cfm, located in the FCKEditor root install directory. It inspects the browser's user agent string, for example "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6".

The faulty code is on line 47:


stResult = reFind( "gecko/(200[3-9][0-1][0-9][0-3][0-9])", sAgent, 1, true );

Replace this line with:


stResult = reFind( "gecko/(20[0-9][0-9][0-1][0-9][0-3][0-9])", sAgent, 1, true );

This gives the expression another 90 years of matching: the original pattern only accepts Gecko build dates in the years 2003 through 2009, so a build date such as 20100115 never matches and the browser is not recognized, whereas the replacement accepts 2000 through 2099. You can also pass "checkBrowser=false" to the FCKEditor component to disable this check.
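To see exactly what the two patterns accept, here is an added Python illustration of the same regular expressions (this is not ColdFusion code and not from FCKEditor; the user agent strings are constructed for the example). The FCKeditor code must be matching a lower-cased copy of the agent string, since reFind is case-sensitive and the pattern uses lowercase "gecko/", so IGNORECASE below stands in for that lower-casing. The page shows only the line that captures the build date, so the example stops there and does not reproduce whatever comparison follows it in fckutils.cfm.

```python
import re

# The page's original (line 47) and replacement patterns, verbatim.
OLD_PATTERN = re.compile(r"gecko/(200[3-9][0-1][0-9][0-3][0-9])", re.IGNORECASE)
NEW_PATTERN = re.compile(r"gecko/(20[0-9][0-9][0-1][0-9][0-3][0-9])", re.IGNORECASE)

# Constructed sample user agents (assumption: typical strings of the era).
UA_FIREFOX_36 = ("Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2) "
                 "Gecko/20100115 Firefox/3.6")
UA_FIREFOX_35 = ("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) "
                 "Gecko/20091102 Firefox/3.5.5")
UA_IE7 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"


def gecko_build_date(user_agent, pattern=NEW_PATTERN):
    """Return the YYYYMMDD Gecko build date captured by `pattern`, or None.

    None is what a browser check built on the old pattern sees for every
    2010-or-later Gecko build, which is why the editor refuses to load.
    """
    match = pattern.search(user_agent)
    return match.group(1) if match else None


def years_matched(pattern, first=2000, last=2100):
    """List the years whose build dates (e.g. 20100115) the pattern accepts."""
    return [year for year in range(first, last + 1)
            if pattern.search("gecko/%d0115" % year)]
```

Running `years_matched` on both patterns shows the old one covers 2003 through 2009 only and the new one 2000 through 2099; a Firefox 3.6 agent yields `None` under the old pattern and `"20100115"` under the new one, while a non-Gecko browser yields `None` under both, as before the fix.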

If you don't have a fckutils.cfm file, a similar line can be found in fckeditor.cfc.

Another "fix" is to upgrade to CKEditor as it's a Javascript only add-on.

Thanks to Pete Freitag for finding a fix for this.

Script Injection Attack: Smoking Gun? from the CF Muse

The "ColdFusion Muse", aka "My Boss", has posted something I'd consider VERY important - this is a MUST read. This may save you frustration, dollars, or more!

He explains a potential vulnerability that allows malicious code to be executed on your server without your knowledge, and which can be very difficult to track down. After you read this, you may say duh - why didn't I think of that?

http://www.coldfusionmuse.com/index.cfm/2009/9/18/script.insertion.attack.vector

Query of Queries Select Top Alternative

For years I've never been aware of a method to return only so many rows to the ColdFusion memory space using dbtype="query". I've always just run the query and then limited it in the code with things like <cfoutput query="q" maxrows="1">.

In an MSSQL query, you can limit the result like: SELECT TOP 1 * FROM TABLE

This will not work in a query of queries.

Today I found a solution...

Move the maxrows attribute to the cfquery tag. For example: <cfquery name="q" dbtype="query" maxrows="1"> will return only the first row back to the memory space.

My Thoughts on ColdFusion Builder Beta 1

As many know, I've used Dreamweaver to develop my ColdFusion application for many years now and have very few complaints. I have always felt it's the most efficient IDE for me.

But over the past few months or so I have trialed ColdFusion Builder (Bolt) in the Alpha and Beta releases. I would try an Alpha release, submit a bug, stop using it, and try again with the next release. That's expected in Alpha releases.

But lately I've been using the Beta installed via the standalone method. I can see some advantages in the future to using this IDE. For example the variable insight is useful. If I declared an application variable in my Application.cfc, it will pick it up while coding.

I've been using the Beta for at least a week now. But the bugs still linger. I've had to go back to Dreamweaver for one project and will go back to it all together for now.

Here's why:

  • The IDE constantly hangs, making my frustration go up and my productivity go down.
    • On one project, it constantly tries to build the workspace - hanging the program.
    • On the other project, it appears it lags when looking up tags and/or variables - hanging the program.
  • The double quote auto-insert is annoying and I stopped trying to figure out how to turn it off.
  • The tag suggest, variable suggest, and tag insight features are hard to tell what is selected as the suggestion and I don't want to go search for different color options.
  • The color coding is much poorer contrast than Dreamweaver, making it harder to scan the code.
  • Word Wrap? Come on - why hide it?
  • I really like the Dreamweaver tag autoclose when you type "</", and hate the tag auto close when you first type the tag.
  • I'd like to see a <br /> tag appear when I press shift-Enter
  • I understand I can change a lot of this in the preferences - but using Dreamweaver - it's all defaults - and I love it.

I hope this IDE comes a long ways, because as of now - I have no intention of buying it unless there's some major improvement. Many people like to use Eclipse for web development. But I've just found it to be a real pain. For example - what if you don't want a feature anymore? What happened to Uninstall? Arrg!

Well - there's just my thoughts.

ColdFusion 9 and Cloud Computing

Our last Nebraska ColdFusion Users Group meeting featured Jimmy Winter showing off his BlueDragon ColdFusion implementation on the Amazon cloud. Prior to that there has also been a bit of buzz about ColdFusion cloud services.

Well - I found out after reading Ben Forta's blog today that Adobe announced plans to support ColdFusion 9 in cloud computing deployments.

Some key points mentioned are:

  • ColdFusion will introduce new licensing options for cloud environments, where there is no per CPU model. ColdFusion Standard will allow a single cloud instance, and ColdFusion Enterprise will allow up to 10 cloud instances.
  • Adobe plans to support Amazon EC2 (Elastic Compute Cloud) specifically by creating ready-to-use Amazon Machine Images

This appears to be a great step for Adobe to keep in the game!

Securely Serving Files via CFContent

Let's say you have an application requirement that uploads files to your web server and then lets your visitors either view or save them. They could be documents, spreadsheets, photos, or anything else you can think of. However you want to be able to control who is able to access these files. How do you accomplish that while not allowing direct linking (ex. http://www.cfwebtools.com/files/xyz.docx)?

You can serve the files via a ColdFusion page. There are a few different methods to do this, and the differences really come down to MIME type handling.

Option 1:
Allow the user to save or open any file.

<cfheader name="Content-Disposition" value="attachment; filename=#getFileFromPath(filePath)#">
<cfcontent file="#filePath#" type="application/octet-stream">

The Content-Disposition header of "attachment" with a filename prompts the user to either save the file or open it externally with software on their computer. Because the type sent is application/octet-stream, the client computer decides which application to associate with the file, typically by its extension.

Option 2:
Allow the user to save or open only files with MIME types my server is aware of.

<cfset mimeType = getPageContext().getServletContext().getMimeType(filePath)>
<cfif IsDefined("mimeType")>
<cfheader name="Content-Disposition" value="attachment; filename=#getFileFromPath(filePath)#">
<cfcontent file="#filePath#" type="#mimeType#">
<cfelse>
This type of file is not supported.
</cfif>

Now - the MIME types supported are defined in your web server, whether it's IIS, Apache or other. Apache MIME types can be configured in the mime.types file in the httpd/conf directory. The getMimeType() method returns the MIME type the server associates with the file's extension, or nothing at all if the extension is unknown, which is what the IsDefined() check above catches.

Now, be aware that there may be an issue with IIS communicating MIME types to ColdFusion on Windows 2K Server. I've had an application break using this method for additional types such as .docx extensions. I have not yet found a solution for it, and just use option #1 to work around it.

Option 3:
Allow the user to view supported types inside the browser such as MS Word documents and PDF files. If not supported in the browser, it will attempt to open the file externally.

<cfset mimeType = getPageContext().getServletContext().getMimeType(filePath)>
<cfif IsDefined("mimeType")>
<cfheader name="Content-Disposition" value="inline; filename=#getFileFromPath(filePath)#">
<cfcontent file="#filePath#" type="#mimeType#">
<cfelse>
This type of file is not supported.
</cfif>

You can also define the MIME type in the code by replacing the mimeType variable with the type such as "application/msword".

These methods allow you to read from any storage the server can reach. Therefore you can save the files outside the web root, making them inaccessible without going through your ColdFusion script. Imagine the possibilities, like adding user authentication or IP restriction. One check you must not skip: if filePath is built from anything the visitor supplies (a file name or id in the URL or form), validate that the resulting path stays inside the upload directory before handing it to cfcontent, otherwise "../" in the request lets the same script serve arbitrary files from the server.

Shorthand ColdFusion Structs and Reserved Keywords

Today I attempted to create a struct in ColdFusion 8 via shorthand using the syntax:

<cfscript>
struct = {key1=val1,key2=val2};
</cfscript>

My case was creating a state list with the abbreviations as keys and the state names as values. However I have determined that not all key names can be used. If it is a reserved ColdFusion word, it may not work. For example "IN" and "OR".

What I want:

<cfscript>
var strStates = {IN="Indiana",OR="Oregon",UT="Utah"};
</cfscript>

But that leaves me with an "Invalid CFML construct found...".

So as a workaround I did this:

<cfscript>
var strStates = {UT="Utah"};
strStates["IN"] = "Indiana";
strStates["OR"] = "Oregon";
</cfscript>

So much for shorthand. Has anyone found a better solution for this?

jQuery with ColdFusion

I've been using the Ext JavaScript Framework for a while now and it's allowed me to present content in a bit more friendly manner. But lately I've been convinced to start into jQuery as well. I'll have the Learning jQuery 1.3 book on its way today too!

Today I ran into a jQuery presentation from the infamous Ray Camden. He presented online for the Connecticut ColdFusion User Group, Intro to jQuery with ColdFusion. He will be presenting an abbreviated version at CFUnited. Check it out here. It seems to be a little choppy, but you should get some useful info from it with a ColdFusion perspective.

64-bit ColdFusion 9

I've heard numerous requests for Adobe to enable 64-bit processor support on all editions of ColdFusion. So far it's only been available to ColdFusion Enterprise customers.

Well today, Ben Forta just announced that all ColdFusion 9 (Centaur) editions will now support 32-bit or 64-bit processors. Cool!

<cftextarea> and FCKeditor Exploit

I have now experienced a couple of servers exploited to inject harmful code into .js files. There's a lack of information out there and I believe I have finally run into what I was looking for.

There appears to be a vulnerability in the FCKeditor file upload feature. It appears to affect at least ColdFusion and PHP servers. Attackers are able to use the file uploader to run malware on the server that injects a <script> tag at the end of every .js file. The script references the URL "http://bit.ly/dUdvv". Avast, an anti-virus program, flags it as an IFRAME virus when you visit the compromised website.

ColdFusion has a built-in instance of FCKeditor through the <CFTEXTAREA> tag. It is advised that if you use this tag and have rich-text enabled, you disable the file upload feature. This includes the latest install of 8.0.1. To see if your file upload connector is enabled, go to "CFIDE\scripts\ajax\FCKeditor\editor\filemanager\connectors\cfm" and look at config.cfm. You can also delete the filemanager directory found under "CFIDE\scripts\ajax\FCKeditor\editor".

I have seen that after removing the infected code from the .js files, they are once again re-infected. One company's solution was to move all website files to a brand-new ColdFusion server to get rid of this issue. So there must be a program or service running that hides itself well.

The latest version of FCKeditor is 2.6.4. It also appears that the AJAX file manager CKFinder may also have this issue. I have not yet been able to determine if this version is safe. So far I've only seen this on Windows servers. So if anyone has additional information on this, please comment below.
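Because the injection described above appends an HTML <script> tag to .js files, and because the files get re-infected after cleanup, a scanner you can re-run over the web root is the practical check. The following is an added Python example of that check, not code from the original post or from FCKeditor; the sample files it builds are constructed, not real compromised files, and the choice to look only at the tail of each file is my own design decision.

```python
import os
import re
import tempfile
from pathlib import Path

# A .js file is script source; it has no business ending in an HTML <script>
# tag. The injection on this page appends exactly that, so the check looks at
# the tail of each file. Legitimate JavaScript can contain "<script" inside a
# string literal (document.write('<script ...')), which is why a whole-file
# search for the word would produce false positives.
TAIL_BYTES = 2048
TRAILING_TAG = re.compile(rb"<script\b[^>]*>.*?</script>\s*$", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(rb"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def trailing_script_tag(data):
    """Return the <script>...</script> tag that closes `data`, or None."""
    match = TRAILING_TAG.search(data[-TAIL_BYTES:])
    return match.group(0) if match else None


def scan_js_tree(root):
    """Walk `root` and return {relative path: injected src or tag} for infected .js files."""
    findings = {}
    root = Path(root)
    for path in sorted(root.rglob("*.js")):
        if not path.is_file():
            continue
        tag = trailing_script_tag(path.read_bytes())
        if tag is None:
            continue
        src = SRC_ATTR.search(tag)
        detail = src.group(1) if src else tag
        findings[path.relative_to(root).as_posix()] = detail.decode("ascii", "replace")
    return findings


def demo():
    """Constructed sample tree: one clean file, one legitimate document.write,
    one file with the appended tag, and a non-.js file that must be ignored."""
    root = Path(tempfile.mkdtemp())
    (root / "js").mkdir()
    (root / "js" / "clean.js").write_bytes(b"function f(){return 1;}\n")
    (root / "js" / "writer.js").write_bytes(
        b"document.write('<script src=\"other.js\"></script>');\n")
    (root / "js" / "infected.js").write_bytes(
        b"function g(){return 2;}\n<script src=\"http://bit.ly/dUdvv\"></script>")
    (root / "readme.txt").write_bytes(b"<script src=\"x\"></script>")
    return scan_js_tree(root)
```

Run `scan_js_tree` against the site's web root after cleaning; only `js/infected.js` is reported in the constructed tree, with the URL from the appended tag. If files show up again on a later run, the dropper is still on the host, which matches the re-infection the post describes and is why cleaning the .js files alone does not end the incident.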

Other sources of information:
http://isc.sans.org/diary.html?storyid=6715
http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat


BlogCFC was created by Raymond Camden. This blog is running version 5.9.1.