Solved

Curious: why is this page trying to load files from CFIDE?

Posted on 2014-04-19
Last Modified: 2014-04-19
ColdFusion 9
MS SQL Server 2012
Windows 2008 Server 64-bit R2

Good morning!

Page: http://test2.ebwebwork.com/editNewsTest.cfm

My problem today: If you view this page in Firefox and press F12 to bring up the console, then you will see a couple of 404 errors:


GET http://test2.ebwebwork.com/CFIDE/scripts/cfform.js [HTTP/1.1 404 Not Found 172ms]
GET http://test2.ebwebwork.com/CFIDE/scripts/masks.js [HTTP/1.1 404 Not Found 197ms]

I am trying to rebuild this web site without using CFIDE.

Is there something I can do in application.cfc to tell ColdFusion to not try to load files from CFIDE?

I also see, in page source, that ColdFusion adds this stuff, which I don't think I need or want:

<script type="text/javascript">
<!--
    _CF_checkebwebworkForm = function(_CF_this)
    {
        //reset on submit
        _CF_error_exists = false;
        _CF_error_messages = new Array();
        _CF_error_fields = new Object();
        _CF_FirstErrorField = null;


        //display error messages and return success
        if( _CF_error_exists )
        {
            if( _CF_error_messages.length > 0 )
            {
                // show alert() message
                _CF_onErrorAlert(_CF_error_messages);
                // set focus to first form error, if the field supports js focus().
                if( _CF_this[_CF_FirstErrorField].type == "text" )
                { _CF_this[_CF_FirstErrorField].focus(); }

            }
            return false;
        }else {
            return true;
        }
    }
//-->
</script>



Thank you for your advice about managing CFIDE. I've been staring at this for a while and doing research but not finding any solution. =)

Eric

editNewsTest.cfm:
<!-----
Name:        editNews.cfm
Author:      Eric Bourland / gdemaria / _agx_
Description: this interface allows a user to create and edit database records that contain news items
Created:     March 2011
Edited: April 2014
ColdFusion Version 9
MS SQL Server 2012
----->


 <!--- Set default value for newsID in scope URL --->
<cfparam name="url.newsID" default="">

<!--- Define newsID in scope FORM, then set form.newsID equal to the newsID passed in the URL: for use later in the application --->
<cfparam name="form.newsID" default="#url.newsID#">

<cfparam name="form.newsTitle" default="">
<cfparam name="form.newsContent" default="">
<cfparam name="form.newsAuthor" default="">
<cfparam name="form.newsDateCreated" default="">
<cfparam name="form.NewsDate" default="">
<cfparam name="form.newsExcerpt" default="">

<!--- in user-editable fields, set up protection against XSS  --->
<!--- note: this only strips literal <script>...</script> blocks. It is a blacklist: an event-handler
      attribute such as onerror= or an unclosed <script tag passes straight through. The dependable
      control is encoding each value on output (HTMLEditFormat on CF9) wherever it is echoed into HTML --->
    <cfloop collection="#FORM#" item="field">
      <cfset FORM[ field ] = ReReplaceNoCase (FORM[ field ], "<script.*?>.*?</script>", "", "all")>
    </cfloop>

<cfquery datasource="#application.datasource#" name="editNews">
SELECT newsID, newsTitle, NewsDate, newsAuthor, newsContent, newsExcerpt, newsDateCreated
FROM #REQUEST.NewsTable#
WHERE newsID = <cfqueryparam value="#val(url.newsID)#" cfsqltype="cf_sql_integer">
</cfquery>

		   
<!---- begin CFTRY; catch errors ---->
<cftry>  
 
<!---- populate cftry with error message ---->
<cfset variables.error = ""> 
 
<!--- begin form.doSave --->

<cfif IsDefined("form.doSave")>

<!--- when an newsID Exists, the action is UPDATE --->
   
<cfif val(form.newsID)>
                
   

<!--- CFELSE: if newsID does not exist, then create new record --->
				<cfelse> 
                
      
                    
                    
<!--- use the result attribute value (newPage) to set form field value --->
      <cfset form.newsID = newPage.IDENTITYCOL>
              
<!--- END queries to update or insert database records ---> 

<!--- END cfif val(form.newsID) -- if a topic needed to be updated or added, then it was done --->
					    </cfif>  


<!--- done? relocate --->
<!--- addtoken="yes" appends CFID/CFTOKEN (the session identifiers) to the redirect URL; they then
      sit in browser history, Referer headers and web logs. The page below reads url.cftoken only as
      a "saved" flag, so a dedicated flag such as saved=1 with addtoken="no" would do the same job --->

<cfif val(url.NewsID)>
<cflocation url="/admin/editNews.cfm?NewsID=#url.NewsID#" addtoken="yes">

<cfelse>                     
<cflocation url="/admin/manageNews.cfm" addtoken="no">
				     
</cfif>
             
<!--- END: Save action --->

<!--- END form.doSave --->
                    </cfif>
       
<!--- END queries to update or insert database records ---> 
        

<!--- this CFCATCH will trap errors --->
            <cfcatch type="Any">
                 <cfset variables.error = cfcatch.message>
            </cfcatch>

<!--- END CFTRY --->  
			</cftry>
       
       
<!--- fetch the data from the database only when there are no errors; let the form variables pass back from the data table into the form to display ---->
 
<cfif len(variables.error) eq 0>
    
<!--- get data from table #REQUEST.NewsTable# and convert the data into form variables --->
			  <cfquery name="getPageDetails" datasource="#application.datasource#">
			    SELECT newsID, newsTitle, NewsDate, newsAuthor, newsContent, newsExcerpt, newsDateCreated
                FROM #REQUEST.NewsTable#
                WHERE newsID = <cfqueryparam cfsqltype="cf_sql_integer" value="#val(form.newsID)#">
 			  </cfquery>

  			<cfloop index="aCol" list="#getPageDetails.columnList#">
			       <cfset "form.#aCol#" = getPageDetails[aCol][getPageDetails.currentRow]>
			  </cfloop>
    
</cfif>



<!----- if record already exists then update record; otherwise, add new record ----->
				<cfif val(url.newsID)>
					  <cfset FormTitle="Update News">
					  <cfset ButtonText="Update">
				<cfelse>
						<cfset FormTitle="Create News Record">
						<cfset ButtonText="Create News Record">

				</cfif>

       
       
       <!--- BEGIN HTML / CSS PAGE HEADER --->
<cfinclude template="/admin/admin_header.cfm">


<!--- if there an error, display error in readable form --->

<cfif len(variables.error)> 
	  <cfoutput>
	    <div class="errorbox">#variables.error#</div>
	    </cfoutput>
   


             <div class="center">
               <input type=button value="Go Back" onClick="history.go(-1)">
             </div>
             
             <cfabort>
</cfif>

<cfparam name="url.cftoken" default="">

<cfif len(url.cftoken)> 

<div class="center"><button class="medium green"><span class="icon white medium" data-icon="C"></span> Update Succeeded. Good work.</button></div>

</cfif>

	<!--- Add or Update News Form begins here --->
	<cfform name="ebwebworkForm" class="ebwebworkForm">
                
 
 <!--- Embed newsID (PK) to assign a value to it. val() keeps it numeric: form.newsID is defaulted
       from url.newsID, so without it attacker-controlled text from the query string would be
       echoed straight into this attribute --->
 <cfoutput>
<input type="hidden" name="newsID" value="#val(form.newsID)#" />
 </cfoutput>

    <ul>
        <li>
<cfoutput>
<legend><h2>#FormTitle#</h2></legend>
</cfoutput>

     <img src="https://lh6.googleusercontent.com/-rXrwzErpu7Q/U06TdnsBKfI/AAAAAAAAAoA/5QepC-sHWpc/s800/red_asterisk.png" alt="Required Field" width="16" height="16"> Required
      </li>

<li>
  <label for="newsTitle"><h3>News Title:</h3></label>
  	 <cfoutput><input name="newsTitle" placeholder="Enter News Title" value="#HTMLEditFormat(form.newsTitle)#" tabindex="1" size="70" type="text" autofocus="true" required="yes" /></cfoutput>
        <span class="form_hint">Enter News Title</span>         
</li>
        
        
 <li>
    
<label for="NewsDate"><h3>News Date:</h3></label>
<!--- pattern corrected: the original put the day group first and used "." (any character) as the
      separators, so it never matched the mm/dd/yyyy that the placeholder asks for.
      NewsDate is read from the form scope explicitly and the echoed value is HTML-encoded --->
<cfoutput><input name="NewsDate" placeholder="Enter Date in mm/dd/yyyy format" value="#HTMLEditFormat(DateFormat(form.NewsDate, "mm/dd/yyyy"))#" tabindex="2" pattern="(0[1-9]|1[012])/(0[1-9]|[12][0-9]|3[01])/[0-9]{4}" size="70" required="yes" /></cfoutput>
<span class="form_hint">Enter Date in mm/dd/yyyy format</span>
        
</li>
        
        

<li>

<label for="newsAuthor"><h3>Author:</h3></label>
<cfoutput><input name="newsAuthor" placeholder="Enter Author Name" value="#HTMLEditFormat(form.newsAuthor)#" tabindex="3" size="70" required="yes" /></cfoutput>
<span class="form_hint">Enter Author Name</span>
        
</li>



            <p class="center">Use the TinyMCE Editing Interface to edit content:</p>



<li>
<label for="newsContent"><h3>News Description:</h3></label>

    <span class="smallred">Enter and format content here.</span>
     
      <!--- width/height and wrap="virtual" are not textarea attributes; rows/cols plus the style rule do
            the sizing. The value sits directly between the tags (the original's surrounding whitespace
            was saved back into the record on every submit) and is HTML-encoded: the browser decodes it,
            so TinyMCE still receives the stored HTML, while a stray </textarea> in the content cannot
            break out of the field --->
      <textarea name="newsContent"
      		tabindex="4"
      		rows="15" cols="70"
      		style="width:600px;height:300px;"
      		required="yes"><cfoutput>#HTMLEditFormat(form.newsContent)#</cfoutput></textarea>
</li>

     
     <li>
     <label for="newsExcerpt"><h3>News Excerpt:</h3></label>
     <span class="smallred width600px">Display an excerpt to encourage readers. Just text, no images. There is no need to format this excerpt text. Your web site style sheet automatically applies formatting per the established style of your web site template.</span>
      <!--- same treatment as newsContent: valid sizing attributes, no padding whitespace, encoded value --->
      <textarea name="newsExcerpt"
            tabindex="5"
            rows="5" cols="70"
            style="width:600px;height:100px;"
            required="yes"><cfoutput>#HTMLEditFormat(form.newsExcerpt)#</cfoutput></textarea>
</li>
    
    
    <li>
<div class="submitButton">
   <cfoutput>  
   <button type="submit" class="green">#ButtonText#</button>
   </cfoutput>
</div>  
</li>
    
    
    </ul>



</cfform>


</body></html>




application.cfc:

<!--- Filename: Application.cfc
 Created by: Raymond Camden (ray@camdenfamily.com)
 Modified by: Eric B, gdemaria, July 2010 --->

<cfcomponent output="false">

  <!--- Name the application. --->
  <cfset this.name="Appalachian Coal Country Team">
  <cfset this.scriptProtect = "Yes">
  
  <cfset this.applicationTimeout = CreateTimeSpan(0,0,360,0)>
  
  <!--- Turn on session management. --->
  <cfset this.sessionManagement="true">
  
  <!--- Set session timeout period --->
  <cfset this.sessionTimeout = CreateTimeSpan(0,0,360,0)>

  <cfset this.clientManagement = "false">

  
  
<!--- function: onApplicationStart --->
  <cffunction name="onApplicationStart" output="false" returnType="void">

    <!--- Any variables set here can be used by all of the application's pages --->
    <cfset APPLICATION.dataSource = "coalCountryTeam">
   
    
<!--- Set up Application variables. Locking the Application scope is not necessary in this method. --->
		<cfset Application.configured = 1>
		<cfset Application.datetimeConfigured = TimeFormat(Now(), "hh:mm tt") & "  " & DateFormat(Now(), "mm.dd.yyyy")>
		<cfset Application.currentSessions = 0>
  
  </cffunction> 
  
   
    <cffunction name="clearSessionVariables" returntype="void">
      <!--- defined all session variables, so they will always exist ---->
      <cfset session.auth = structNew()>
      <cfset session.auth.isLoggedIn  = false>
      <cfset session.auth.UserID  = "">
      <cfset session.auth.Title   = "">
      <cfset session.auth.FirstName   = "">
      <cfset session.auth.MiddleInitial   = "">
      <cfset session.auth.LastName    = "">
      <cfset session.auth.Address    = "">
      <cfset session.auth.City    = "">
      <cfset session.auth.State    = "">
      <cfset session.auth.ZIP    = "">
      <cfset session.auth.Telephone   = "">
      <cfset session.auth.UserEmail    = "">
      <cfset session.auth.UserPassword    = "">
      <cfset session.auth.UserRoleID  = "">
      <cfset session.auth.lastError  = "">
  </cffunction>
  
  <cffunction name="onSessionStart" returntype="void">
      <!--- defined all session variables, so they will always exist ---->
      <cfset clearSessionVariables()>
  </cffunction>
  

<!--- function: onRequestStart ---> 

<cffunction name="onRequestStart">
<cfargument type="String" name="targetPage" required="true" /> 

    <!--- All these folders/top level files require a login, specific roles are addressed below ---->  
    <cfset var securefolders = "admin,manage">  
    <cfset var currentFolder = listFirst(cgi.script_name,"/")> <!--- the user's current location ---->      
    
<cfset REQUEST.companyName = "Appalachian Coal Country Team">

<!--- process login credentials --->

 <!--- begin cfif isDefined("form.userEmail") and isDefined("form.userPassword") ---> 
    <cfif isDefined("form.userEmail") and isDefined("form.userPassword") and isDefined("form.doLogin")>
     
   
         <!--- check box to remember UserEmail was checked, so make a cookie for it ---> 
                <cfif isDefined("form.SaveUserEmail") and form.SaveUserEmail is "Yes"> 
          <cfcookie name="SaveUserEmail" value="#form.UserEmail#" expires="7"> 
        </cfif> 
         
        <!--- user is attempting to log in, so process the login request ----> 
        <cfif NOT checkLogin(form.userEmail, form.userPassword)> 
           <cfinclude template="LoginForm.cfm"> <!--- login failed, so show login form ----> 
           <cfreturn false>  
           <!--- close cfif NOT checkLogin(form.userEmail, form.userPassword) ---> 
        </cfif> 
    <!--- close cfif isDefined("form.userEmail") and isDefined("form.userPassword") and isDefined("form.doLogin") ---> 
    </cfif> 
 
<!--- /process login credentials --->


<cftry>

<!--- test for access to secureFolders --->
     <cfif listFindNoCase(secureFolders, currentFolder)>  <!---- are we in a secure area? --->  
       <cfif session.auth.isLoggedIn is False> <!--- This is a secure area, if the user is not logged in, go to login page ---->  
           <cfinclude template="LoginForm.cfm">
            <cfthrow message="Please log in with proper credentials to access this area.">
           <cfabort>  
       <cfelse> <!--- the user is logged in, then check roles ---->  
           <cfswitch expression="#currentFolder#">  
              <cfcase value="admin">  
                  <cfif listFind("1",session.auth.UserRoleID) eq 0> <!---- role 1 has access to admin --->  
                      <cfinclude template="LoginError.cfm">
                      <cfabort>  
                  </cfif>  
              </cfcase>  
              <cfcase value="manage">  
                  <cfif listFind("1,7",session.auth.UserRoleID) eq 0>  <!---- roles 1 and 7 have access to manage --->  
                      <cfinclude template="LoginError.cfm">
                      <cfabort>  
                  </cfif>  
              </cfcase>  
              <cfdefaultcase> <!---- all other secure folders ---->  
              </cfdefaultcase>  
           </cfswitch>  
       </cfif> <!---- end if user is logged in or not ---->  
    </cfif>  <!---- end if user is in a secure area or not ---->  
    
    <!--- /test for access to secureFolders --->
         
      <cfcatch>
      <cfset clearSessionVariables()>
      <cfset SESSION.auth.lastError  = cfcatch.message>
      <cfreturn false>
  </cfcatch>
  </cftry>

    
    
         
         
             <!--- if query_string contains cast( or replace(, then abort.
                   This is a keyword blacklist: it never sees POST bodies, cgi.query_string is the raw
                   (still URL-encoded) string so cast%28 is not caught, and any other SQL passes.
                   The real SQL-injection control is cfqueryparam on every query, which this
                   application already uses --->                                              
    <cfif cgi.query_string contains "cast(">
      <cfabort>
    </cfif>
    
    <cfif cgi.query_string contains "replace(">
      <cfabort>
    </cfif>

   </cffunction>
  <!--- close function: onRequestStart --->
 
 
 <!--- begin cfif isDefined("form.doLogin") --->
    <cfif isDefined("form.doLogin")>
    
     
<!--- begin function checkLogin --->
<cffunction name="checkLogin">

  <cfargument name="p_UserEmail" required=false default="" />
  <cfargument name="p_password" required=false default="" />

  <cfset var UserPassword = trim(arguments.p_password)>
  <cfset var UserEmail     = trim(arguments.p_UserEmail)>
  <cfset var getUser = "">

  <cftry>
      <cfif len(UserPassword) eq 0 or len(UserEmail) eq 0>
         <cfthrow message="Please enter UserEmail and password">
      </cfif> 
    
      <cfquery name="getUser" datasource="#APPLICATION.dataSource#">
       SELECT UserID, FirstName, UserRoleID, UserEmail, UserPassword
        FROM #REQUEST.usersTable#
       WHERE UserEmail = <cfqueryparam cfsqltype="cf_sql_varchar" value="#UserEmail#" maxlength="255"> 
      </cfquery>
      <cfif getuser.recordCount eq 0>
        <cfthrow message="Incorrect email address and/or password. Be sure to enter the correct, original email address with which you registered. Please type your password carefully.">
      <!--- compare() is case-sensitive; the original "is not" comparison was case-insensitive,
            so "Secret" would have been accepted for "secret". UserPassword is still stored and
            compared as plaintext here --->
      <cfelseif compare(getUser.UserPassword, UserPassword) NEQ 0>
        <cfthrow message="Invalid Password.">
       </cfif>
    
      <cfset clearSessionVariables()>
      <cfset SESSION.auth.isLoggedIn = "Yes">
      <cfset SESSION.auth.UserID     = getUser.UserID>
      <cfset SESSION.auth.FirstName  = getUser.firstName>
      <cfset SESSION.auth.UserRoleID = getUser.UserRoleID>
      <cfset SESSION.auth.UserEmail  = getUser.UserEmail>
      <cfset SESSION.auth.lastError  = "">
      

 <!--- Now that user is logged in, send her to web root.
       cflocation ends the request, so the cfreturn true below is never reached; the caller in
       onRequestStart only ever sees a return value on the failure path --->

 <cflocation url="/admin/managePages.cfm" addtoken="no">

      
      <cfreturn true>
      
      
  <cfcatch>
      <cfset clearSessionVariables()>
      <cfset SESSION.auth.lastError  = cfcatch.message>
      <cfreturn false>
  </cfcatch>
  </cftry>
    
</cffunction>
<!--- close function checkLogin --->

      <!--- close cfif isDefined("form.doLogin") --->
    </cfif>


</cfcomponent>


Question by: Eric Bourland
6 Comments

Accepted Solution
by: RickEpnet (earned 500 total points)
ID: 40010439
If you have this
<cfform name="ebwebworkForm" class="ebwebworkForm">

The cfform.js needs to load.

Do you have the CFIDE folder there either physically or virtually?

Expert Comment
by: RickEpnet
ID: 40010444
You did run this website through the "Web Server Configuration Tool" right?

Author Comment
by: Eric Bourland
ID: 40010445
Rick, I understand.

I used to include /CFIDE/ as a virtual directory -- but I removed it, because I am concerned about security issues that inhere in CFIDE. I'm going to try FORM instead of CFFORM. I'll try that now and let you know what happens.

Eric

Author Comment
by: Eric Bourland
ID: 40010447
>>>>You did run this website through the "Web Server Configuration Tool" right?

I am afraid I did not. =( I've never done this, in fact.

Can you point me in the right direction to try this?

Rick, thank you for your help.

Eric

Expert Comment
by: RickEpnet
ID: 40010452
If it worked when you had the CFIDE in the path, then it was run. But if you are getting rid of ColdFusion, which it looks like is what you are doing, you do not need it at all.

BTW you do not need to get rid of the CFIDE to be secure. Taking out the Admin folder goes a long way to securing CF.

You can run your server through here and it will tell you where you need to lock stuff down

http://hackmycf.com/
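RickEpnet's point is that the administrator area, not /CFIDE as a whole, is what needs locking down, and cfform only needs /CFIDE/scripts. As an added example that is not from the thread, here is one way to enforce that split on the IIS 7.5 that ships with Windows Server 2008 R2: request filtering in the site's web.config refuses any URL containing the administrator paths while /CFIDE/scripts/cfform.js stays reachable. It assumes /CFIDE is still mapped for the site (physically or as a virtual directory) and that this web.config sits at the site root; the list of blocked paths is my own choice, not something the thread specifies.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not code from the thread. IIS 7.x request filtering for a site that
     keeps /CFIDE mapped so <cfform> can load /CFIDE/scripts/*.js, but refuses the
     ColdFusion administrator paths with a 404 before ColdFusion ever sees the request.
     Paths listed here are an assumption; the ColdFusion lockdown guidance for your version
     is the authority on which /CFIDE subfolders to block or remove. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <!-- matching is case-insensitive and runs on the decoded URL -->
          <add sequence="/CFIDE/administrator" />
          <add sequence="/CFIDE/adminapi" />
          <add sequence="/CFIDE/componentutils" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Check it from outside after applying: a request for /CFIDE/administrator/ should return 404 (IIS logs it with substatus 404.5, "URL sequence denied"), while /CFIDE/scripts/cfform.js still returns 200. Two caveats a practitioner will want: this filter only covers requests that arrive through IIS, so ColdFusion's own built-in web server (port 8500 on a default CF9 install, if it was left enabled) is unaffected and must be firewalled or disabled separately; and filtering at IIS is a second layer, not a substitute for removing or moving the administrator folder as Rick describes.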

Author Closing Comment
by: Eric Bourland
ID: 40010524
Rick, thanks very much for this. I am using the FORM rather than CFFORM; I have also chased out the 404 errors I was getting.

I am not getting rid of ColdFusion. I'm choosing to not use CFIDE for client-side form validation anymore. I'm also choosing to not include /CFIDE/ as a virtual directory in my web sites anymore. Otherwise I am using trusty ol' ColdFusion as per usual. It's a mature, evolving platform in which I have been very productive over the years. =)

I am working to review server-side validation methods before I move this form to production.

Thank you again for your time and expertise. Hope your weekend is going great. Take care.

Eric
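The accepted answer explains why the 404s appear (a `<cfform>` always emits references to /CFIDE/scripts/cfform.js, and masks.js when validation is used), and the closing comment says the author moved to a plain `<form>` and is reviewing server-side validation before going to production. As an added example, not code from the original post or from either participant, this is what that looks like in CF9-compatible CFML: the same fields rendered with a plain form, so nothing under /CFIDE/scripts is requested, plus the server-side checks that `<cfinput>`'s client-side validation used to provide. It assumes the field names of editNewsTest.cfm; `validateNewsForm()` is a hypothetical helper of mine, and the 200-character title limit stands in for whatever the real column size is.

```cfml
<!--- Added example (not code from the original post or from the thread's experts).
      Assumptions: the field names of editNewsTest.cfm; validateNewsForm() is a hypothetical
      helper; the 200-character title limit is an assumed column size. --->

<cffunction name="validateNewsForm" returntype="array" output="false">
    <cfargument name="f" type="struct" required="true">
    <cfset var errors  = arrayNew(1)>
    <cfset var field   = "">
    <cfset var rawDate = "">
    <cfset var parsed  = "">
    <!--- mm/dd/yyyy with two-digit month and day --->
    <cfset var dateRe  = "^(0[1-9]|1[012])/(0[1-9]|[12][0-9]|3[01])/[0-9]{4}$">

    <!--- required fields: missing or blank is an error (the browser's required attribute is advisory) --->
    <cfloop list="newsTitle,NewsDate,newsAuthor,newsContent,newsExcerpt" index="field">
        <cfif NOT structKeyExists(arguments.f, field) OR NOT len(trim(arguments.f[field]))>
            <cfset arrayAppend(errors, "#field# is required.")>
        </cfif>
    </cfloop>

    <!--- length limit (assumed column size) --->
    <cfif structKeyExists(arguments.f, "newsTitle") AND len(arguments.f.newsTitle) GT 200>
        <cfset arrayAppend(errors, "newsTitle must be 200 characters or fewer.")>
    </cfif>

    <!--- date: the right shape AND a real calendar date. Round-tripping through
          parseDateTime/dateFormat rejects 02/30/2014 whether the parser throws or
          leniently rolls it over to March 2. --->
    <cfif structKeyExists(arguments.f, "NewsDate") AND len(trim(arguments.f.NewsDate))>
        <cfset rawDate = trim(arguments.f.NewsDate)>
        <cfif NOT reFind(dateRe, rawDate)>
            <cfset arrayAppend(errors, "NewsDate must be in mm/dd/yyyy format.")>
        <cfelse>
            <cftry>
                <cfset parsed = parseDateTime(rawDate)>
                <cfif dateFormat(parsed, "mm/dd/yyyy") NEQ rawDate>
                    <cfthrow message="not a calendar date">
                </cfif>
                <cfcatch type="any">
                    <cfset arrayAppend(errors, "NewsDate is not a real date.")>
                </cfcatch>
            </cftry>
        </cfif>
    </cfif>

    <!--- newsID: blank means INSERT; otherwise it must be a positive integer (UPDATE) --->
    <cfif structKeyExists(arguments.f, "newsID") AND len(trim(arguments.f.newsID))
          AND (NOT isValid("integer", arguments.f.newsID) OR val(arguments.f.newsID) LTE 0)>
        <cfset arrayAppend(errors, "newsID is not a valid record id.")>
    </cfif>

    <cfreturn errors>
</cffunction>

<cfparam name="form.newsID"      default="">
<cfparam name="form.newsTitle"   default="">
<cfparam name="form.NewsDate"    default="">
<cfparam name="form.newsAuthor"  default="">
<cfparam name="form.newsContent" default="">
<cfparam name="form.newsExcerpt" default="">
<cfset variables.formErrors = arrayNew(1)>

<cfif structKeyExists(form, "doSave")>
    <cfset variables.formErrors = validateNewsForm(form)>
    <cfif arrayLen(variables.formErrors) EQ 0>
        <!--- the page's existing cfqueryparam INSERT/UPDATE and cflocation go here, unchanged --->
    </cfif>
</cfif>

<!--- Plain form: no cfform, so nothing under /CFIDE/scripts is requested. Every echoed value
      is HTML-encoded (HTMLEditFormat on CF9; EncodeForHTMLAttribute/EncodeForHTML on CF10+). --->
<cfoutput>
<cfif arrayLen(variables.formErrors)>
    <ul class="errorbox">
    <cfloop array="#variables.formErrors#" index="msg"><li>#HTMLEditFormat(msg)#</li></cfloop>
    </ul>
</cfif>
<form name="ebwebworkForm" class="ebwebworkForm" method="post" action="#HTMLEditFormat(cgi.script_name)#">
    <input type="hidden" name="doSave" value="1">
    <input type="hidden" name="newsID" value="#val(form.newsID)#">
    <input type="text" name="newsTitle"  size="70" maxlength="200" required
           value="#HTMLEditFormat(form.newsTitle)#">
    <input type="text" name="NewsDate"   size="70" required
           pattern="(0[1-9]|1[012])/(0[1-9]|[12][0-9]|3[01])/[0-9]{4}"
           value="#HTMLEditFormat(form.NewsDate)#">
    <input type="text" name="newsAuthor" size="70" required
           value="#HTMLEditFormat(form.newsAuthor)#">
    <textarea name="newsContent" rows="15" cols="70" required>#HTMLEditFormat(form.newsContent)#</textarea>
    <textarea name="newsExcerpt" rows="5"  cols="70" required>#HTMLEditFormat(form.newsExcerpt)#</textarea>
    <button type="submit">Save</button>
</form>
</cfoutput>
```

The HTML5 `pattern` and `required` attributes keep the in-browser feedback that cfinput gave without any script from /CFIDE, but they are advice to the user only: anyone can POST the form with curl and skip them, which is why every rule is repeated in `validateNewsForm()`. The one thing this does not do is sanitize the HTML that TinyMCE produces in newsContent; encoding it here is safe for the edit form (the browser decodes the textarea, so TinyMCE still gets the stored markup), but where that markup is rendered to readers it needs an HTML sanitizer, which is a separate job from form validation.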