OpenKB::Server Technical Papers

 /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm 

CVE number: CVE-2009-2265

SUMMARY A vulnerability in FCKEditor, which is included as part of ColdFusion 8, could allow a remote attacker to upload files in arbitrary directories which could lead to a system compromise. This issue is remotely exploitable. There are reports that this issue is being exploited in the wild.  SUMMARY  A vulnerability in FCKEditor, which is included as part of ColdFusion 8, could allow a remote attacker to upload files in arbitrary directories which could lead to a system compromise. This issue is remotely exploitable. There are reports that this issue is being exploited in the wild.

Hotfix

Errror: JAVA.LANG.OUTOFMEMORYERROR: UNABLE TO CREATE NEW NATIVE THREAD”

Within a shared environment the server resources are shared across the virtual website that are on the server. The memory error you were seeing was due to the available Java threads on the server. This means the server did not have enough resources to process your request at that time. You should not encounter this error is the Coldfusion service is restarted daily.

Interesting Read from http://www.egilh.com/blog/archive/2006/06/09/2811.aspx

also Check this Article out

“I recently came across this exception on a couple of java systems that use many threads java.lang.OutOfMemoryError: unable to create new native thread. The strange thing was that the JVM had been assigned a lot of memory (1.5GB) and that it had at least half the memory available. Michele found this article that points out that the more memory you give to the JVM the more likely you are to get java.lang.OutOfMemoryError: unable to create new native thread exceptions when you have many threads.
Which makes perfect sense when you think about it. Each 32 bit process on Windows has 2GB “available” memory as 2GB is reserved to Windows. In my case the JVM grabbed 1.5 GB leaving 500MB. Part of the 500MB was used to map system dlls etc in memory so less than 400 MB was left. Now to the crucial point: When you create a thread in java it creates a Thread object in the JVM memory but it also creates a operating system thread. The operating system creates the thread with a thread stack in the 400MB that is left, not in the 1.5 GB allocated in the JVM. Java 1.4 uses a default stack size of 256kb but Java 1.5 uses a 1MB stack per thread. So, in the 400MB left to process I could only generate ~400 threads. Absurd but true: to create more threads you have to reduce the memory allocated to the JVM. Another option is to host the JVM in your own process using JNI.
This formula gives a decent estimate for the number of threads you can create:
(MaxProcessMemory – JVMMemory – ReservedOsMemory) / (ThreadStackSize) = Number of threads
For Java 1.5 I get the following results assuming that the OS reserves about 120MB:
1.5GB allocated to JVM: (2GB-1.5Gb-120MB)/(1MB) = ~380 threads
1.0GB allocated to JVM: (2GB-1.0Gb-120MB)/(1MB) = ~880 threads
Java 1.4 uses 256kb for the thread stack which lets you create a lot more threads:
1.5GB allocated to JVM: ~1520 threads
1.0GB allocated to JVM: ~3520 threads
I have not tried the 3GB switch but it should in theory let you create more threads.”

Wow ,this by far is the bet article I have came across

Possible error : [Microsoft][ODBC Microsoft Access Driver] Could not find file ‘(unknown)’.

excerpt:
With Microsoft Office 2007, Microsoft strikes again and implements a new format for their Access database standard. I do not recommend using Microsoft Access databases for production applications. In fact, I believe you will pay, sooner or later, for adopting such a practice. Nevertheless, it is useful for testing or development at times, and more importantly, you may be in a situation like me, where there are databases that you do not “own” or control but your ColdFusion apps must use them.

That said, please note that the drivers that come with CF8 do not support Access 2007. This is mentioned in the ColdFusion 8 Release Notes under #69495. The solution is nicely described right in the release notes. Download and install the Data Connectivity Components for Office 2007, set up a Windows ODBC connection, and use ColdFusion’s ODBC socket driver to connect to the Windows ODBC connection. A bit irritating that all of this has to be done, but like I said at the outset, these irritants are the price you pay, among other things, when using Access databases.

Another point to note! You thought you were done, but no, Microsoft has more joy in store for some of us.  The Office 2007 drivers do not support Windows 2000. So if your server is still sitting on a Windows 2000 installation, the final word is either (a) No Access 2007 for you, or (b) Time to upgrade to Windows 2003 SP1 or later.

esasy work around from O?uz

You can use JDBC to connect Access 2007.

- Select “other” for DSN in CF admin,
- JDBC URL: jdbc:odbc:Driver={Microsoft Access Driver (*.mdb, *.accdb)};DBQ=c:/od/test.accdb;”;
- Driver Class: sun.jdbc.odbc.JdbcOdbcDriver

But this config does not support Unicode as expected
Reference

This error occurs when the MySQL Date or DateTime columns have a value of all zeros (for example, ‘0000-00-00 00:00:00′).

The MySQL Connector/J 3.0.x converted dates and datetimes with 0 values to nulls. This behavior changed with MySQL Connector/J 3.1 and later versions. The default behavior now is to throw the exception, “java.sql.SQLException: Value ‘0000-00-00′ can not be represented as java.sql.Date” and sqlstate s1009. The MySQL drivers of ColdFusion 8 and ColdFusion MX 7 are versions of the MySQL Connector/J.

For more information, see the MySQL Connector/J 5.0 release notes and review the bullet labelled “Datetimes.”

Solution

ColdFusion

The MySQL Connector/J 3.1 and newer versions support the connectstring property of zeroDateTimeBehavior. The default value of this property is exception and the cause of the error. The other 2 value options are:

*

convertToNull (returns NULL instead of the date)
*

round (returns rounded date of 2001-01-01)

Setting the connectstring value of zeroDateTimeBehavior=convertToNull will eliminate this exception and cause null values to return from the database. In this case, zero value date and datetime will appear as empty strings in ColdFusion output. mirroring the bahavior of the MySQL Connector/J 3.0.

The specific steps to fix this in ColdFusion are to create a MySQL datasource in the ColdFusion administrator as usual. However, you must also click the Advanced Settings button and enter the connectstring value of zeroDateTimeBehavior=convertToNull.

Note: Do not enter apostrophes or quotes. Also, this is case-sensitive and must be entered just as shown.

Reference 1

Reference 2

If you are testing your application using the ip address instead of the domain name. You may notice the sesssions are not saving . 

This is due to the setDomainCookies is set to true within your application.cfm or cfc file. Change this to false and your session cookies will now save .. once the domain has been pointed to the application you can then change this to true