> In the course of investigating a SQL injection attack attempt on our site, I
> came across a strange set of bugs. Using CF9, linux 64, apache.
>
> The attacking machine was sending POST requests to random templates
> containing ampersands inside a POST variable (i.e. not properly URL encoded).
> I am able to simulate the effect of the attack request with this:
>
> <cfhttp url="http://any_site.com/any.cfm" method="POST">
> <Cfhttpparam name="userid" encoded=no value="1064001"" type="formfield">
> </cfhttp>
>
> ColdFusion freaks out on seeing this and throws an exception before it even
> gets to the template:
>
> ROOT CAUSE: java.lang.IllegalArgumentException at
> coldfusion.filter.FormScope.parseQueryString(FormScope.java:355)
>
> HTTP 500 is sent to the user.
>
> That's all fine and well, and if that was the only issue here, then no big
> deal. Unfortunately, at least on linux (I can't test other platforms), this
> error then proceeds to destabilize the JRun thread the next time a user loads
> a page and touches that worker thread, throwing the error:
>
> 09/06 22:41:41 error (JRun Service: ProxyService
> [jrun.servlet.jrpp.JRunProxyService@75602291])
> JRunPRoxyServer.invokeRunnable: java.lang.IllegalStateException
>
> This other user, who had nothing to do with the original attack, gets sent an
> HTTP 503 error message as the thread terminates on them.
>
> What happened is that the attacker on our site sent hundreds/thousands of
> these malformed requests (through some mis-configured bot program), which has
> resulted in disruptions to regular users who are getting 503 errors forced
> onto them.
>
> So, I was curious if anyone else has seen this behavior before, and if so
> what can be done to stop it. Is there an underlying issue that has been
> patched that I'm not aware of? I note that there have been similar reports of
> related instability of threads: http://forums.adobe.com/thread/950350 but
> this seems to be a different case.
What exact version of CF are you using? Has it been patched to the latest minor version? A lot of these kinds of issues are found and patched over the lifetime of the product. I don't know about this issue specifically, but that's what I'd do first: patch to the latest minor version and see if the problem still exists.

Russ's suggestion to run FuseGuard is good overall, but I don't know if it would prevent this problem, since it's a CF app itself; I suspect it runs after the request has been handed to CF. It's worth a try, though, and it's a very good product.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.
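The point Dave raises is that a CF-level filter runs too late: the body has to be checked before it reaches FormScope. Added example (not code from the thread, ColdFusion or FuseGuard) of such a front-end check for an application/x-www-form-urlencoded body; it assumes the FormScope exception originates in java.net.URLDecoder rejecting malformed percent-escapes, and all sample bodies are constructed.

```python
from typing import List, Tuple

HEX_DIGITS = set("0123456789abcdefABCDEF")

# Constructed sample bodies, not captured traffic from the incident.
GOOD_BODY = "userid=1064001&name=O%27Brien"
BAD_ESCAPE_BODY = "userid=1064001%"          # escape cut off at end of body
BAD_HEX_BODY = "userid=1064001&q=100%zz"     # '%' not followed by two hex digits
STRAY_AMP_BODY = "userid=1064001&&bar"       # value contained an unencoded '&'

def find_bad_escapes(body: str) -> List[Tuple[int, str]]:
    """Return (offset, fragment) for every '%' not followed by two hex digits.

    Assumption (not confirmed by the thread): FormScope.parseQueryString ends
    up in java.net.URLDecoder, which raises IllegalArgumentException for exactly
    these shapes ("Incomplete trailing escape", "Illegal hex characters"). This
    check is slightly stricter than the Java decoder (it also rejects '%+1'),
    which is the right direction for a gatekeeper in front of the app server.
    """
    problems = []
    for i, ch in enumerate(body):
        if ch != "%":
            continue
        frag = body[i:i + 3]
        if len(frag) < 3 or frag[1] not in HEX_DIGITS or frag[2] not in HEX_DIGITS:
            problems.append((i, frag))
    return problems

def check_form_body(body: str) -> Tuple[str, str]:
    """Classify a body as 'reject', 'flag' or 'ok' with a short reason.

    'reject' covers the decoder failure behind the HTTP 500 in the thread;
    'flag' marks a field with no '=', the shape an unencoded '&' inside a
    value produces, which is legal on its own but worth logging.
    """
    bad = find_bad_escapes(body)
    if bad:
        offset, frag = bad[0]
        return "reject", f"malformed escape {frag!r} at offset {offset}"
    for field in body.split("&"):
        if field and "=" not in field:
            return "flag", f"field without '=': {field!r}"
    return "ok", ""

if __name__ == "__main__":
    for sample in (GOOD_BODY, BAD_ESCAPE_BODY, BAD_HEX_BODY, STRAY_AMP_BODY):
        verdict, reason = check_form_body(sample)
        print(f"{verdict:6} {sample!r} {reason}")
```

A proxy that returns 400 on 'reject' keeps the malformed body away from the worker thread entirely, which is the condition the original post ties to the later 503s.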

