9.0.2 is just 9.0.1 with all the fixes and updates and VERITY removed.

On Mon, Sep 10, 2012 at 6:28 PM, Tony F <[email protected]> wrote:

>
> Hi:
>
> I THINK we are using the latest patched product, although it's hard to
> tell because Adobe has done something funky with the recent updates.  They
> released a 9.0.2 without having any upgrade path from 9.0.1.
>
> I just noticed that there's a mystery "9.0.2" "clean install only" version
> out there, although no way to update from 9.0.1 to 9.0.2.
>
> What we have installed is 9.0 + 9.0.1 updater + Cumulative Hot Fix 2 for
> 9.0.1.
>
> Is what we currently have installed the latest and greatest, containing
> all patches issued to date?
>
> Does 9.0.2 have any fixes not included in "9.0.1 Cumulative Hot Fix 2"?
>
> I really, really, really don't want to have to reinstall, reconfigure,
> retest from scratch our production machines unless there's a very good
> reason.
>
> Thanks
>
>
>
> > > In the course of investigating a SQL injection attack attempt on our
> > site, I came across a strange set of bugs.
> > > Using CF9, linux 64, apache.
> > >
> > > The attacking machine was sending POST requests to random templates
> > containing ampersands inside a POST
> > > variable (i.e. not properly URL encoded).     I am able to simulate
> > the effect of the attack request with this:
> > >
> > > <cfhttp url="http://any_site.com/any.cfm" method="POST">
> > >     <cfhttpparam name="userid" encoded="no" value="1064001&quot;" type="formfield">
> > > </cfhttp>
> > >
> > > ColdFusion freaks out on seeing this and throws an exception before
> > it even gets to the template:
> > >
> > > ROOT CAUSE: java.lang.IllegalArgumentException at coldfusion.filter.FormScope.parseQueryString(FormScope.java:355
> > >
> > > HTTP 500 is sent to the user.
> > >
> > > That's all fine and well, and if that was the only issue here, then
> > no big deal.   Unfortunately, at least on linux (I can't
> > > test other platforms), this error then proceeds to destabilize the
> > JRun thread the next time a user loads a page and
> > > touches that worker thread, throwing the error:
> > >
> > > 09/06 22:41:41 error (JRun Service: ProxyService [jrun.servlet.jrpp.JRunProxyService@75602291]) JRunPRoxyServer.invokeRunnable: java.lang.IllegalStateException
> > >
> > > This other user, who had nothing to do with the original attack,
> > gets sent an HTTP 503 error message as the thread
> > > terminates on them.
> > >
> > > What happened is that the attacker on our site sent
> > hundreds/thousands of these malformed requests (through some
> > > mis-configured bot program), which has resulted in disruptions to
> > regular users who are getting 503 errors forced onto them.
> > >
> > > So, I was curious if anyone else has seen this behavior before, and
> > if so what can be done to stop it.   Is there an underlying
> > > issue that has been patched that I'm not aware of?   I note that
> > there have been similar reports of related instability of threads:
> > > http://forums.adobe.com/thread/950350 but this seems to be a
> > different case.
> >
> > What exact version of CF are you using? Has it been patched to the
> > latest minor version? A lot of these kinds of issues are found and
> > patched over the lifetime of the product. I don't know about this
> > issue specifically, but that's what I'd do first - patch to the latest
> > minor version and see if the problem still exists.
> >
> > Russ's suggestion to run FuseGuard is good overall, but I don't know
> > if it would prevent this problem - since it's a CF app itself, I
> > suspect it runs after the request has been handed to CF. It's worth a
> > try, though, and it's a very good product.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > http://training.figleaf.com/
> >
> > Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> > GSA Schedule, and provides the highest caliber vendor-authorized
> > instruction at our training centers, online, or onsite.
>
> 
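The failure chain in the quoted bug report (a burst of FormScope.parseQueryString exceptions from malformed POSTs, then JRun thread terminations that hand 503s to unrelated users) is something an operator can watch for in the logs. The following is an added detection example, not code from this thread or from Adobe; it assumes a simplified one-line log layout with the "MM/DD HH:MM:SS" prefix seen in the quoted JRun error, a 2012 year for the constructed timestamps, and a five-minute correlation window.

```python
"""Added example: correlate parseQueryString failures with later JRun thread errors."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Signatures taken from the two error lines quoted in the bug report.
PARSE_FAIL = re.compile(r"IllegalArgumentException at coldfusion\.filter\.FormScope\.parseQueryString")
THREAD_FAIL = re.compile(r"JRunProxyServer\.invokeRunnable: java\.lang\.IllegalStateException", re.I)
TS = re.compile(r"^(\d\d/\d\d) (\d\d:\d\d:\d\d) ")  # assumed "MM/DD HH:MM:SS ..." layout
LOG_YEAR = 2012  # assumption: the thread dates from September 2012

# Constructed sample log: three malformed-POST parse failures, a thread
# failure shortly afterwards, then an unrelated thread failure much later.
SAMPLE_LOG = """\
09/06 22:40:02 error ROOT CAUSE: java.lang.IllegalArgumentException at coldfusion.filter.FormScope.parseQueryString(FormScope.java:355)
09/06 22:40:05 error ROOT CAUSE: java.lang.IllegalArgumentException at coldfusion.filter.FormScope.parseQueryString(FormScope.java:355)
09/06 22:40:09 error ROOT CAUSE: java.lang.IllegalArgumentException at coldfusion.filter.FormScope.parseQueryString(FormScope.java:355)
09/06 22:41:00 info (JRun Service: ProxyService) request completed
09/06 22:41:41 error (JRun Service: ProxyService [jrun.servlet.jrpp.JRunProxyService@75602291]) JRunProxyServer.invokeRunnable: java.lang.IllegalStateException
09/06 23:30:12 error (JRun Service: ProxyService [jrun.servlet.jrpp.JRunProxyService@75602291]) JRunProxyServer.invokeRunnable: java.lang.IllegalStateException
""".splitlines()


def parse_line(line):
    """Return (timestamp, kind) for a line matching a signature, else None."""
    m = TS.match(line)
    if not m:
        return None
    if PARSE_FAIL.search(line):
        kind = "parse_fail"
    elif THREAD_FAIL.search(line):
        kind = "thread_fail"
    else:
        return None
    when = datetime.strptime(f"{LOG_YEAR}/{m.group(1)} {m.group(2)}", "%Y/%m/%d %H:%M:%S")
    return when, kind


def analyze(lines, window=timedelta(minutes=5), threshold=3):
    """Count both signatures and flag every thread failure preceded within `window`
    by at least `threshold` parse failures (bad POST flood, then 503s for others)."""
    events = [e for e in map(parse_line, lines) if e]
    counts = Counter(kind for _, kind in events)
    alerts = []
    for when, kind in events:
        if kind != "thread_fail":
            continue
        recent = sum(1 for t, k in events if k == "parse_fail" and when - window <= t <= when)
        if recent >= threshold:
            alerts.append((when.strftime("%m/%d %H:%M:%S"), recent))
    return counts, alerts
```

Running `analyze(SAMPLE_LOG)` flags only the 22:41:41 thread failure, since the 23:30:12 one has no preceding burst of parse failures in its window.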

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352455