Understanding the Dream

For those of you who may not follow these things, users of the open-source CFML context creation software known as "mod_cfml" should know that the latest release is actually pretty important with regards to security. The mod_cfml software is a group of programs that work together in order to automate the process of creating contexts within Tomcat. Usually the process of creating contexts is a manual job, which is accomplished by editing various configuration files in order to tell Tomcat where to find the files for specific sites and directories (or contexts) when Tomcat receives requests for them. The idea behind mod_cfml is to simplify server management, and make creating contexts in Tomcat happen automatically by passing off configuration information from Apache or IIS to Tomcat so a new context can be made if it doesn't exist yet. Pretty basic stuff.

The problem is that, before this latest release, this process of automating the context creation using mod_cfml could be exploited to create a Denial of Service attack on the system that is running mod_cfml. Using a specially crafted attack that is targeted at mod_cfml, an attacker could potentially issue multiple requests in rapid succession to a vulnerable system. This process would cause many contexts to be created simultaniously, and could potentially overload and/or crash the server.

The newest version of the mod_cfml Tomcat Valve corrects this problem by adding limitors to how quickly new contexts could be created, and how many contexts can be created within a single day time frame. These limitors protect users from the danger that previously existed and the possibility of a DoS attack that specifically targets this issue.

You can install the latest mod_cfml Tomcat valve by shutting down Tomcat, removing the mod_cfml Tomcat valve from the [tomcat]/lib/ directory, and dropping the latest mod_cfml Tomcat valve back into the [tomcat]/lib/ directory. Now, restart Tomcat and you're good to go. Documentation on adjusting the new limitors in the Tomcat valve can be found here:

http://www.modcfml.org/index.cfm/documentation/modcfml-tomcat-valve/config-options/

Railo users who have installed Railo 4.0.3 or newer will already have the latest version of mod_cfml, and OpenBD installers version 3.0 and up will have the latest release. If you are running with an earlier release and haven't updated your mod_cfml Tomcat Valve, you should consider doing so.

Just recently I found myself needing to verify if a server I was working on - which required image manipulation - was actually running in headless mode. On Linux servers, graphical user interfaces (GUI's) aren't usually running because they take up additional resources (like memory) and server administrators usually want to give all the resources they can to actual server processes rather then a GUI which they only use occasionally. However, the JRE that ColdFusion engines run on needs the window processing engines in order to perform graphic manipulation - image resizing, rotating, etc - all require image processing libraries.

The following code bit allows you to see if your CFML engine (Railo, OpenBD, or ACF) is actually running in headless mode. This is useful if you're debugging a pesky image processing problem and you want to make sure your JRE's access to the XORG libraries aren't the problem.

<cfobject  
    action=create  
    name=geObj
    type="JAVA"  
    class="java.awt.GraphicsEnvironment">
<cfset geResponse = geObj.isHeadless()>
<cfdump var="#geResponse#">

The code calls java directly and returns a true or false response if you're running in headless mode or not.

Hope this helps!

Recently I had the opportunityto work with someone who was trying to use the Vivio Installers for Railo and OpenBD on a W2K8r2 Cloud/VPS system running the Plesk Control Panel and they were having trouble getting the connector to work right. The problem they were encountering was the notorious "Calling LoadLibraryEx on ISAPI filter isapi_redirect-(version).dll failed" error. Usually this error means that you're trying to run a 64-bit connector on a 32-bit machine, but since this was W2K8r2, which ONLY comes in 64-bit, this had me stumped for a little bit.

After some digging, I found that Plesk had updated the IIS7 application pools to actually run in 32-bit mode because Plesk's own DLL's were in 32-bit. I found this out by changing the application pools to disallow 32-bit, and then plesks DLL's stopped working. The IIS7 settings are a bit misleading in this area too. The option in IIS7 is to allow 32-bit DLL's, but when you set that, ONLY 32-bit DLL files can run. Instead of "Allow 32-bit", I think the IIS7 setting should say something along the lines of "run in 32-bit mode. Otherwise it sounds like you can run both 32-bit and 64-bit, which you can't.

The Railo and OpenBD installers use the mod_jk DLL that's provided by the Tomcat project, and both the 64-bit and 32-bit versions are shipped with the installers. During the install process, one of the DLL's is renamed with a generic name and used in the IIS7connect.bat scripts. Those scripts are what run the commands and connect Tomcat to IIS using the mod_jk DLL. This works out in our favor, as it makes the fix for this really easy.

When installing OpenBD or Railo on a Windows 2K8 R2 machine that's running Plesk, here are the steps you will need in order to make it work right:

1. During the Railo/OpenBD install process, go ahead and select to have the IIS7 connector installed. This will perform the bulk of the work for you.
2. After the installation, there will be two dll's in the "connector" directory where you installed Railo. The default location to install Railo is c:\railo\ so the connector directory is located by default at c:\railo\connector. The connectors will be named isapi_redirect-1.2.30.dll and isapi_redirect-1.2.30.32-bit.dll
3. Rename isapi_redirect-1.2.30.dll to isapi_redirect-1.2.30.64-bit.dll
   and
   Rename isapi_redirect-1.2.30.32-bit.dll to isapi_redirect-1.2.30.dll
4. Now Restart IIS, and restart the Tomcat service that Railo or OpenBD is running on.
5. Check to see if things are working correctly now.

Further, a "jakarta" virtual directory will be required in each site as we

ll. You'll more then likely have to add this manually to IIS. Documentation on how to add the Jakarta directory is here:

http://trac.getrailo.org/installers/wiki/VivioInstallerWinAddingSites

Future releases of the Windows installer will probably allow for the manual selection between 64-bit and 32-bit, but the option will defauilt to whatever your system type is. That way it's still easy, but allows for some customization for situations like this.