ColdFusion 9.0.1 Update Fails to Install on Windows 2008

I’ve run into this twice in as many weeks, on Windows 2008 when running the ColdFusion 9.0.1 updater it will fail to complete successfully.  Each time failing with the same message in the install log:

ANT Script Error:
Status: ERROR
Additional Notes: ERROR - cfmx-patch-move-files-all.xmlFailed to copy C:ColdFusion9libcfperfmon_9.dll to C:Windowssystem32cfperfmon_9.dll due to C:Windowssystem32cfperfmon_9.dll (The process cannot access the file because it is being used by another process)

Each time, however, I was able to simply rename the dll while ColdFusion was stopped and the upgrade continues successfully.

ColdFusion Won’t Start After Importing a .car

Recently did an upgrade to ColdFusion 9 from ColdFusion 8 for a customer and ran into an issue with ColdFusion failing to restart after I was done importing the .car file I had created.   In the coldfusion-out.log file I was seeing the following entry:

Error: no known VMs. (check for corrupt jvm.cfg file)

Checking out the jvm.config file, I realized that I’d imported the old JVM path that referenced ColdFusion 8 (and no longer existed), updating to the ColdFusion 9 path allowed ColdFusion to start correctly.

ColdFusion Administrator Custom Extensions

I recently began playing around with some of the available custom extensions available for the ColdFusion Administrator.  Since I spent awhile searching both Google and RIAForge I figured I’d put together a quick list of the ones I’ve found so far.  This is not meant to be a review post, just informational.  If I missed one, leave a comment and I’ll update the post to include the extension.
Author: John Mason

cfUpdater is a free and open source project and custom extension tool for the ColdFusion Administrator to make handling and managing ColdFusion updates easier. This tool is based on the CF Update manager found in my Merlin Manager project and runs off of the CF RSS feeds I manage. You can alter this to pull from an internal RSS feed if needed. This project also includes an auto updater which emails reports to you of updates it was able to install and others that you will be required to install manually.
CF Admin Searcher
Author: Ray Camden

CF Admin Search is a ColdFusion Administrator extension that provides a quick way to perform ad hoc queries against Solr and Verity collections. Results will include all of the typical data stored in collections, including category and custom fields. jQuery is used to quickly return the results and adds support for toggling the extended results.
CFAdmin Utility Extensions
Author: John Blayter

Some common utilities for the ColdFusion administrator. Things that are hidden or take multiple clicks are just now 2 clicks away.

1. FusionReactor JDBC wrapper

2. Server snapshot that with one click you can email yourself a snapshot of the server and get back to getting the server back up and working. 

3. Clear trusted cache and call the garbage collection
Author: Ray Camden

Here is a problem: You use ColdFusion to generate email. You are testing on your laptop, or other development machine, and the email doesn’t actually go anywhere. To read the mail you need to dig down to ColdFusion’s undelivered mail folder, find the right text file, open it up, and even then what you see is a bit messy.

SpoolMail is the solution. SpoolMail is simply a HotMail/Gmail/etc web based reader for the email in your undelivered folder. Along with reading the mail, you can delete the mail or move it back into the spool. 
Author: Paul Connell

A Coldfusion Administrator Extension that allows adding/viewing/removing of SSL certificates in the Java certificate store from within the Administrator.
IP Ranger
Author: Nathan Mische

IP Ranger is a ColdFusion administrator extension which allows IP ranges to be added to the debugging IP address list. IPv4 IP address ranges may be added using wildcards (192.*.*.*), octect ranges (192.168.1-10.1-120), or a combination of both (192.168.*.1-120). IP Ranger also allows you to verify, delete, and refresh IP address ranges.
Author: Ray Camden

ColdFusion includes the ability to cache files. This adds a huge performance boost on production servers. However, if you want to update a file. you have to clear the entire cache to see your changes reflected. cacheCleaner is a ColdFusion Administrator extension that gives you a simple way to clear files or folders out of the cache.
Author: Webapper

SeeDSN is a web-based administrative utility for use with SeeFusion.  Using SeeDSN, administrators of ColdFusion instances configured with SeeFusion can easily wrap/unwrap datasources with the JDBC wrapper required for reporting query information within SeeFusion.
Author: Mister Dai (Dave)

List of currently active applications.
List of sessions for a selected application.

And more.

Updated: 9 June 2010

Access DSNs in 64bit ColdFusion

A few weeks ago I had to assist with migrating a customer with a large amount of Access databases (over 60) to a new server.  Turns out their new server was completely 64-bit (Windows and ColdFusion) and I didn’t find out about the Access databases until after the server was completely deployed.  Had I been involved earlier I would have put a stop to that.  However, I had to make Access play nice with ColdFusion, here’s how I did that.
The first step is to open the 32-bit ODBC Datasource manager in Windows, on this server it was at C:\windows\SysWOW64\odbcad32.exe, where I had to add a system DSN for each Access DSN I was configuring.
Windows system DSNs
As you can see there are a large amount of System DSNs for each database, we’ll be setting up the DSN named ‘blank’ in this post.
After you have a System DSN created for each DSN you need in ColdFusion, you can start adding them to ColdFusion.  As you can see in the image below we set the data source up exactly as we did in the Windows ODBC manager, same name and path.

Now, when you hit Submit you’re going to get a very ugly error:

Unable to update the NT registry.
Variable DRIVERPATH is undefined.

Don’t fear, the data source is now available for ColdFusion to use.  Now, why didn’t I just use an ODBC socket?  Well, you simply can’t – when you go to create an ODBC socket in the ColdFusion Administrator it generates a drop down of 64-bit System DSNs and won’t show you the 32-bit Access DSNs (see the Additional Reading section).
Remember, you’re milage will vary on this and you should be converting those Access databases over to SQL Server or MySQL :)
Additional Reading
Why my 32 bit applications cannot see the ODBC DSNs that I created on my 64 bit machine ?

Disable ColdFusion Administrator Migration Wizard

Ran into an issue recently with a customer who’s upgrade to ColdFusion 9 caused the Migration Wizard to freeze up when you opened the ColdFusion Administrator for the first time.  Turns out, you can disable this very simply with the following code taking advantage of the ColdFusion Admin API:

<cfset cfadminob = createObject("component","cfide.adminapi.administrator").login("password") >
<cfset createObject("component","cfide.adminapi.administrator").setAdminProperty("MXMigrationFlag","No")>
<cfset createObject("component","cfide.adminapi.administrator").setAdminProperty("migrationFlag","No")>
<cfset createObject("component","cfide.adminapi.administrator").setAdminProperty("SetupWizardFlag","No")>
<cfset createObject("component","cfide.adminapi.administrator").setAdminProperty("migrateCF5","No")>
<cfset createObject("component","cfide.adminapi.administrator").setAdminProperty("migrateCF6","No")>
<cfset createObject("component","cfide.adminapi.administrator").setAdminProperty("setupSampleApps","No")>
<cfset createObject("component","cfide.adminapi.administrator").setAdminProperty("setupOdbc","No")>
<cfset createObject("component","cfide.adminapi.administrator").setAdminProperty("setupEnabldRds","No")>

Alternately, you could re-enable the wizard by setting all these values to “Yes”, I’ve seen a few installs that don’t have the wizard enabled.

Quick Note About IIS 7.5 FTP Virtual Hosts

With the release of IIS 7.5 (available in Windows Server 2008 R2 and Windows 7), FTP is finally re-integrated into the main IIS Manager.  Those of you still using 7.0 know that you need to use the IIS 6 Manager to manage FTP sites.  One of the great new features in IIS 7.5 FTP is the ability to setup virtual hosts for FTP (multiple FTP sites on port 21 with the same IP) similar to how you would setup web sites with host headers in IIS.  One of the trip ups when you attempt to log in to FTP is the user name needs to include the virtual host name.  Consider the following setup:
IIS Bindings
Notice that one of the bindings is ftp:, when you actually connect with an FTP client the username needs to be entered as:

Notice the pipe (|) between the virtual host and the user name.  Assuming you don’t put that in, you’ll likely see the following in the IIS FTP logs and in your FTP client:
Response:    220 Microsoft FTP Service
Command:    USER brent
Response:    530-Valid hostname is expected.
Response:     Win32 error:   No such host is known.
Response:     Error details: Hostname didn’t match any configured ftp site.
Response:    530 End
Error:    Could not connect to server

For more information on configuring virtual hosts in IIS 7.5 see

ColdFusion 8/9 64-bit Unable to Load Library Error

As more developers begin to move their clients to 64-bit operating systems and 64-bit ColdFusion, you will likely encounter the following error message:

Unable to load library  

This indicates that the dll for this tag was compiled for 16-bit systems only, which worked fine on 32 bit systems because there was a 16 bit to 32 bit compatability layer.  However, the newer Windows 2008 builds no longer support such compatability and would only support 32 bit tags and up.  So far, for most of the occurances I’ve seen of this, they are on older tags where the original publisher no longer exists so I am not holding out for 64-bit versions.  Luckily, most of the functionality that needed to be provided in a cfx tag is now built in to ColdFusion 8 and 9.

TinyMCE TinyBrowser Plugin Vulnerability

After the FCKEditor vulnerability that was patched by Adobe a few weeks ago, it turns out that a plugin for TinyMCE is also exploitable for remote file uploads that could be used to gain malicious access to the server hosting your application.
The details of this particular exploit are posted at Milw0rm (  Keep in mind this only affects the TinyBrowser plugin and not TinyMCE, so if you just have a default TinyMCE without this plugin you should be ok.
That being said, some general security tips as usual:

  • Always upload outside the web root initially and perform additional checks on those files prior to making them web accessible.  If you cannot access a location outside the root of your site (shared hosting) have you hosting provider adjust permissions on a temporary folder in your web root to disallow those files from being served (by the web server) but can still be accessed by your application.
  • Keep any upload scripts behind an authentication scheme, whether it be HTTP authentication (a pop-up password box) or with something like cflogin.  Make sure you test that these files cannot be accessed without first being logged in, you make think “OK, you need to log in to the /admin/ directory” but, can you still access /admin/tinymce/, etc. without logging in?
  • Use secure passwords.  I can’t say this enough, I’ve seen MANY applications where the administrator is admin/admin or admin/admin123, which are the first things that an attacker (more likely their scripts and software) are going to attempt.  I have seen a bit of a surge in brute force attempts on admin login screens recently – many of them successful because the passwords were woefully insecure.
  • Define a password policy.  Set things like password length and complexity as part of the business logic of your application and use regular expressions to enforce them.  Another good idea, is to log every login failure (keep things like CGI.QUERY_STRING and CGI.REMOTE_ADDR so you know where these request are coming from).  If you want to go a step ahead of simple logging, send alerts on each password failure with the same information.  You could even keep track of failed logins and lock the user for a period of time after x failed log in attempts.  While these things may add a bit of time and complexity to your development cycles they could very well save you hundreds of thousands of dollars and man-hours in the future.