ColdFusion Software Development Company

Archive for the ‘Security and Performance’ Category

ColdFusion 10 and 11 hotfix from Adobe addresses XML parser flaw

Adobe has released a hotfix that protects ColdFusion users from several flaws.

Security updates were released to address vulnerabilities in ColdFusion versions 10 and 11. According to the Adobe Security Bulletin, the hotfix includes an updated version of BlazeDS and addresses information disclosure vulnerabilities.

Adobe recommends that ColdFusion customers update their systems and provides a technote for each version. Our technicians would be more than happy to assist you if you need help applying ColdFusion updates.

The underlying issue is an unrestricted XML parser that processes external XML entities (XXE) when parsing a document. The flaw can be exploited by unauthenticated remote attackers and enables a range of attacks: reading arbitrary files, listing web and system directories, SSRF (unauthorized access to restricted services running on localhost or elsewhere on the victim server's network), SMB relay attacks, and temporary file uploads that an attacker can combine with a local file inclusion (LFI) vulnerability to supply malicious code. An attacker can also read critical ColdFusion configuration files such as neo-security.xml, password.properties and neo-datasource.xml, recover ColdFusion password hashes (including the administrator console's) and database credentials, and thereby gain access to a weakly protected ColdFusion system.
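The attack described above, as an added illustration that is not Adobe's or ColdFusion's code: a Python script in which the standard-library expat parser stands in for the server's XML parser. The first parser resolves external entities (the unrestricted configuration) and the attacker's DOCTYPE pulls a configuration file into the parsed text; the second refuses any DOCTYPE and never dereferences external or parameter entities. The file path, its contents and the XML documents are all constructed for the example.

```python
import xml.parsers.expat as expat

# Constructed stand-in for the server's disk. The path is an assumption made for this
# example and the "hash" is made up; a real attacker would aim at the files named above
# (neo-security.xml, password.properties, neo-datasource.xml).
FAKE_DISK = {
    "file:///opt/coldfusion/lib/password.properties":
        "password=5F4DCC3B5AA765D61D8327DEB882CF99\nencrypted=true\n",
}

# Constructed attacker document: the DOCTYPE declares an external general entity whose
# SYSTEM identifier is a local file, then references it inside the body.
XXE_DOC = """<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY leak SYSTEM "file:///opt/coldfusion/lib/password.properties">
]>
<order><note>&leak;</note></order>"""

BENIGN_DOC = "<order><note>thanks</note></order>"


def parse_unrestricted(doc: str) -> str:
    """Vulnerable parser: external entities are fetched, so the file's contents become
    part of the document text (and, on a real server, of an error page or response)."""
    text = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append

    def fetch_external(context, base, system_id, public_id):
        # An unrestricted resolver dereferences whatever the DOCTYPE points at.
        body = FAKE_DISK.get(system_id, "")
        child = parser.ExternalEntityParserCreate(context)  # child inherits our handlers
        child.Parse(body, True)
        return 1  # tell expat the entity was handled

    parser.ExternalEntityRefHandler = fetch_external
    parser.Parse(doc, True)
    return "".join(text)


def parse_hardened(doc: str) -> str:
    """Hardened parser: rejects every DOCTYPE (so no entity can be declared at all) and,
    as defence in depth, refuses to fetch external entities or expand parameter entities."""
    text = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE not allowed in untrusted XML")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = lambda *args: 0  # 0 = abort the parse, never fetch
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(doc, True)
    return "".join(text)


def hardened_rejects(doc: str) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_hardened(doc)
    except (ValueError, expat.ExpatError):
        return True
    return False


if __name__ == "__main__":
    print("unrestricted parser leaked:", repr(parse_unrestricted(XXE_DOC)))
    print("hardened parser rejects XXE:", hardened_rejects(XXE_DOC))
    print("hardened parser on benign input:", repr(parse_hardened(BENIGN_DOC)))
```

Rejecting the DOCTYPE outright is the simplest robust fix: it also stops internal-entity expansion bombs, and an application that accepts XML from the network almost never needs a DTD. If the parser in use cannot be configured this way, a pre-check that refuses any input containing `<!DOCTYPE` before it reaches the parser achieves the same thing.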

Adobe ColdFusion security hotfix 2016 APSB16-16

Adobe has released security hotfixes for ColdFusion versions 10, 11 and the 2016 release. These hotfixes resolve an input validation issue (CVE-2016-1113) and a host name verification problem with wildcard certificates (CVE-2016-1115), and include an updated version of the Apache Commons Collections library to mitigate Java deserialization (CVE-2016-1114).
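The bulletin does not spell out what went wrong in the wildcard check, so this added example (not Adobe's or ColdFusion's code) only shows the checks a correct name verifier applies when a certificate carries a wildcard name, in plain Python with no dependencies. A verifier that skips any of them accepts a certificate for a host it was never issued for, which is what makes a man-in-the-middle possible. The host names are constructed.

```python
import ipaddress


def _is_ip_address(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def match_hostname(pattern: str, hostname: str) -> bool:
    """True if the certificate name `pattern` (a dNSName SAN entry) covers `hostname`.

    Wildcard rules in the conservative form browsers apply: '*' must be the entire
    leftmost label, it matches exactly one label, the pattern must keep at least two
    literal labels (so '*.com' is rejected), and a wildcard never matches an IP address.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    h_labels = hostname.split(".")
    if not pattern or not hostname or not all(h_labels):
        return False                                # empty name or empty label
    if "*" not in pattern:
        return pattern == hostname                  # plain name: exact, case-insensitive
    if _is_ip_address(hostname):
        return False
    p_labels = pattern.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False                                # no 'w*.example.com', no '*.*.example.com'
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False                                # '*.com', or '*' spanning several labels
    return p_labels[1:] == h_labels[1:]


def cert_covers_host(san_names, hostname: str) -> bool:
    """A certificate is acceptable for `hostname` if any of its dNSName entries matches."""
    return any(match_hostname(name, hostname) for name in san_names)


if __name__ == "__main__":
    for pat, host in [("*.example.com", "www.example.com"),
                      ("*.example.com", "a.b.example.com"),
                      ("*.com", "evil.com")]:
        print(f"{pat!r} vs {host!r}: {match_hostname(pat, host)}")
```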

Contact us or call us right away to get this security hotfix for ColdFusion installed and your system updated!

Release date: May 10, 2016

Vulnerability identifier: APSB16-16

CVE numbers: CVE-2016-1113, CVE-2016-1114, CVE-2016-1115

ColdFusion 2016 release:

ColdFusion (2016 release) Update 1 (release date May 10, 2016) includes the following changes:

  • Tomcat upgrade to 8.0.32.
  • Addresses a vulnerability mentioned in the security bulletin
  • Several important bug fixes for security, core language features, server, and other areas.

ColdFusion 11:

ColdFusion 11 Update 8 (release date May 10, 2016) includes the following changes:

  • Tomcat upgrade to 7.0.68
  • Addresses a vulnerability mentioned in the security bulletin
  • Several important bug fixes for security, language, AJAX, and other features.
  • This update is cumulative and includes fixes from all the previous ColdFusion 11 updates.

ColdFusion 10:

ColdFusion 10 Update 19 (release date May 10, 2016) includes the following changes:

  • Tomcat upgrade to 7.0.68.
  • Addresses a vulnerability mentioned in the security bulletin
  • Important bug fixes for security and server.
  • This update is cumulative and includes fixes from previous ColdFusion 10 updates.

Adobe recommends that customers apply the appropriate hotfix immediately. Contact your administrator, or have our team at Ecom Solutions implement it for you.


Will the New Google Algorithm Find Your Website Mobile-Friendly?

Get Ready for the New Google Algorithm Change: Mobilize or Be Penalized

In today’s market, corporations are well aware of the serious effects a Google algorithm change can have. Companies such as Demand Media and Ask.com suffered when they used SEO to bolster their brands while ignoring the poor content they were publishing, a lesson they will not forget easily. Panda, Google’s 2011 algorithm change, led the way to higher-quality writing.

Penguin, another Google algorithm change, targeted sites with poor-quality links in 2012. These links led users to poor-quality content, and the sites carrying them were severely penalized in Google’s rankings. In short, irrelevant information caused sites to suffer in Google’s rankings.

Word is out about Google’s next algorithm change. If your site is not mobile-friendly by April 21st, it will be penalized in its ranking and may even be removed from Google’s mobile search index. Your site may look great and work well when someone visits it from a desktop computer, but how does it look and work from a phone or tablet? You should definitely check this and make the necessary changes before April 21st.

Why is Google making this change? Since consumers use mobile devices more and more, Google believes businesses should keep in step with the times. Sites will now be ranked according to the convenience they offer mobile users. The ranking elements Google will use are listed below.

Sites must:

  1. Avoid software such as Flash, which is not usable on mobile devices. According to Adobe, “Flash Player for mobile devices is officially dead”.
  2. Use readable text without zooming.
  3. Size content to allow users to view it on the screen without having to zoom or scroll horizontally.
  4. Space links apart far enough to allow the correct link to be easily tapped.

Mobilegeddon Is Here!

When conference speakers at last month’s Search Marketing Expo (SMX) West were asked for their main takeaways, one response was definitely a sign of the times. “Mobile, mobile, mobile,” was the answer of Kelly Wrather, senior manager of content marketing at Kenshoo. “I want to grab every website designer and tell them mobile is the thing! It’s the only thing!”

The importance of mobile-optimized websites has been a frequent discussion topic at previous SMX shows. This year, however, a sense of urgency was apparent, since “Mobilegeddon,” as some call it, was due to arrive any time.

Website mobile-friendliness has been a search ranking factor for the past two years. According to Jayson DeMers, founder and CEO of AudienceBloom, “Websites that aren’t mobile-friendly will see a more negative impact in search visibility than they may already be seeing, and mobile-optimized sites may be rewarded even greater in search rankings.”

In its June 2013 Webmaster Central Blog, Google noted that it planned to roll out several ranking changes soon, and warned that sites misconfigured for smartphone users would be affected by them.

At the same time, Google pointed out two common mistakes that give websites a poor mobile experience:

Mistake #1: Faulty redirects that send smartphone users to a single mobile page instead of the site page listed in the search results; for instance, redirects that send users to the home page rather than the mobile-optimized version of the page they were looking for.

Mistake #2: Smartphone-only errors: smartphone users click a web page in the search results and receive only an error message that desktop users do not see.


SSLv3 Poodle Vulnerability Exploit

We have good news and bad news about the POODLE SSLv3 vulnerability…

The good news is that we can fix it! Send us an e-mail or call us.

The bad news is that there is a new vulnerability in SSL 3.0, the last version of the Secure Sockets Layer protocol (since superseded by TLS, but still accepted by many servers and clients), and your servers or your computers might be at risk.

What you need to know:

POODLE is a padding oracle attack against Secure Sockets Layer (SSL) version 3, specifically its CBC-mode cipher suites: SSLv3 checks only the pad-length byte of a decrypted record and never the padding bytes themselves, so whether a server accepts or rejects a modified record leaks one byte of plaintext at a time. An attacker positioned in the network path (a man-in-the-middle) who can also make the victim’s browser repeat requests can use this to recover secrets such as session cookies, and can first force a downgrade from TLS to SSLv3 to get there.
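The attack end to end, as an added simulation that is not part of the original post and not any real SSL implementation: the block cipher is a toy 16-byte Feistel network built on SHA-256 and the MAC is truncated HMAC-SHA256, both constructed so the script runs with only the Python standard library and both unsuitable for real use. What is faithful to SSLv3 is the record layout (data, then MAC, then padding, then the pad-length byte, all CBC-encrypted) and the receiver's check, which looks only at the pad-length byte. The "browser" resends the request with the attacker's chosen alignment and a fresh IV each time, the "server" answers accept or reject, and the attacker recovers the constructed cookie `SECRET` from those answers alone.

```python
import hashlib
import hmac
import os

BLOCK, MAC_LEN, ROUNDS = 16, 16, 4
SECRET = b"CFTOKEN=deadbeef"   # constructed stand-in for the session cookie the attacker wants


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:   # toy Feistel cipher, NOT secure
    l, r = block[:8], block[8:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, blk), prev))
        prev = blk
    return b"".join(out)


def ssl3_seal(keys, plaintext: bytes) -> bytes:
    """Sender: plaintext || MAC || padding || padlen, CBC-encrypted under a fresh IV."""
    enc_key, mac_key = keys
    mac = hmac.new(mac_key, plaintext, hashlib.sha256).digest()[:MAC_LEN]
    padlen = (BLOCK - (len(plaintext) + MAC_LEN + 1) % BLOCK) % BLOCK
    padding = os.urandom(padlen) + bytes([padlen])   # SSLv3 leaves the padding bytes unspecified
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(enc_key, iv, plaintext + mac + padding)


def ssl3_open(keys, record: bytes) -> bool:
    """Receiver, i.e. the oracle: True iff the record is accepted."""
    enc_key, mac_key = keys
    pt = cbc_decrypt(enc_key, record[:BLOCK], record[BLOCK:])
    padlen = pt[-1]
    if padlen >= BLOCK or len(pt) < padlen + 1 + MAC_LEN:
        return False
    body = pt[:len(pt) - padlen - 1]           # the padding bytes are NOT verified: the flaw
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    good = hmac.new(mac_key, data, hashlib.sha256).digest()[:MAC_LEN]
    return hmac.compare_digest(mac, good)


def victim_request(keys, prefix_len: int, suffix_len: int) -> bytes:
    """The victim's browser, steered by attacker script: the cookie (SECRET) sits between
    prefix_len bytes of attacker-chosen path and suffix_len bytes of attacker-chosen body."""
    return ssl3_seal(keys, b"A" * prefix_len + SECRET + b"B" * suffix_len)


def poodle_recover(keys, max_tries: int = 200_000) -> bytes:
    """Network attacker: recover SECRET one byte per ~256 requests from accept/reject alone."""
    out = bytearray()
    for k in range(len(SECRET)):
        prefix = (BLOCK - 1 - k) % BLOCK           # put SECRET[k] in the last byte of a block
        suffix = -(prefix + len(SECRET)) % BLOCK   # whole blocks of data => a full padding block
        target = (prefix + k) // BLOCK             # index of the plaintext block holding SECRET[k]
        for _ in range(max_tries):
            rec = victim_request(keys, prefix, suffix)
            c = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]   # c[0] is the IV
            n = len(c) - 1                         # position of the padding block
            c[n] = c[target + 1]                   # splice the target block over the padding block
            if ssl3_open(keys, b"".join(c)):
                # Accepted, so the spliced block decrypted to a last byte of BLOCK-1, i.e.
                # P[target][-1] ^ c[target][-1] ^ c[n-1][-1] == BLOCK-1. Solve for the secret byte.
                out.append((BLOCK - 1) ^ c[target][-1] ^ c[n - 1][-1])
                break
        else:
            raise RuntimeError("oracle never accepted within max_tries")
    return bytes(out)


if __name__ == "__main__":
    print(poodle_recover((os.urandom(16), os.urandom(16))))   # b'CFTOKEN=deadbeef'
```

Two things in the simulation explain the remedy: the oracle exists because `ssl3_open` never compares the padding bytes against anything (TLS 1.0 and later require every padding byte to equal the pad length, which removes it), and the attacker needs the browser to keep re-encrypting the same cookie under SSLv3, which is why disabling SSLv3 on the server, or refusing to fall back to it, ends the attack.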

There is no patch that repairs SSLv3 itself; the fix is to disable SSLv3 on your servers and clients (and, where supported, to enable TLS_FALLBACK_SCSV so that clients cannot be tricked into downgrading to it), which a technician can do manually.

You will need this done “yesterday” if you have sensitive information on your servers or computers.

Contact us if you need to protect your Servers

Turning your Website PCI Compliant

You turned your Website PCI Compliant! Is it enough?

Some IT specialists argue that making your website PCI compliant is a mere drop in the ocean when it comes to website and data security, and there have been several instances where IT security professionals were not impressed by the Payment Card Industry Data Security Standard. Should those doubts worry you? We strongly believe they shouldn’t, and here is why: I don’t think there is anything in this world that can be called totally secure, or that can guarantee nothing will ever fail. Making your website PCI compliant is like installing gutters on your newly built house. Will they guarantee that water will NEVER drip down the walls? No. But they will certainly protect your house from rain and water. Having your website PCI compliant provides a baseline for the security of your web systems.

HAVE A QUESTION?

We would love to help.
Give us a call:

(718) 793-2828

Get a free project estimate:
