I installed this hotfix on one development and two production servers last 
night, and most everything seems to be functioning correctly, except for one 
critical problem.

Several of my sites are running an ancient CF app (iMIS eSeries) that allows 
people to update their profiles online.  The app sends data back to the iMIS 
member database.   

After installing the patch, if a user attempts to update their profile, the 
browser throws the following error:

----
Server error
The website encountered an error while retrieving 
http://[clientsite.org]/source/Members/cMemberProcessEdit.cfm?section=My_Profile&ID=[id].
 It may be down for maintenance or configured incorrectly.
Here are some suggestions:
Reload this webpage later.
HTTP Error 500 (Internal Server Error): An unexpected condition was encountered 
while the server was attempting to fulfill the request.
---

The form that is being submitted contains 53 fields (mostly text fields).   

Brian Thornton mentioned in his post that the fix had something to do with 
"Form Limit, and another bulletin", but the bulletin is vague about the 
specifics.

Does anyone know whether this hotfix would prevent a form with too many fields 
from being submitted?  

Thanks,
Michael
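One way to check whether a given form would trip a server-side limit on posted fields is to count the named controls it actually submits. This is an added example, not code from the thread or from the iMIS app; the threshold value is a constructed placeholder, since the bulletin does not state the real limit.

```python
from html.parser import HTMLParser

# Constructed placeholder: the thread does not state the hotfix's actual
# field limit, so this threshold is an assumption for illustration only.
ASSUMED_POST_FIELD_LIMIT = 10

class FormFieldCounter(HTMLParser):
    """Counts the named controls a form would submit in a single POST."""

    def __init__(self):
        super().__init__()
        self.names = []            # one entry per posted parameter
        self.radio_groups = set()  # a radio group posts one value per name

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        name = a.get("name")
        if not name or "disabled" in a:
            return                 # unnamed or disabled controls are not sent
        if tag in ("textarea", "select"):
            self.names.append(name)
        elif tag == "input":
            kind = (a.get("type") or "text").lower()
            if kind in ("submit", "button", "reset", "image"):
                return             # buttons post only when clicked; skip them
            if kind == "radio":
                if name not in self.radio_groups:
                    self.radio_groups.add(name)
                    self.names.append(name)
            else:
                self.names.append(name)

def count_form_fields(html):
    parser = FormFieldCounter()
    parser.feed(html)
    return len(parser.names)

def exceeds_limit(html, limit=ASSUMED_POST_FIELD_LIMIT):
    return count_form_fields(html) > limit

# Constructed sample form: 12 text fields, a two-button radio group, a select,
# a disabled field and a submit button; 14 parameters would be posted.
SAMPLE_FORM = "<form method='post'>" + "".join(
    f"<input type='text' name='f{i}'>" for i in range(12)
) + (
    "<input type='radio' name='plan' value='a'>"
    "<input type='radio' name='plan' value='b'>"
    "<select name='state'><option>OH</option></select>"
    "<input type='text' name='legacy' disabled>"
    "<input type='submit' name='go' value='Save'>"
    "</form>"
)

if __name__ == "__main__":
    n = count_form_fields(SAMPLE_FORM)
    print(f"{n} fields would be posted; over limit: {exceeds_limit(SAMPLE_FORM)}")
```

Run it against the saved markup of the profile-edit page to see how many parameters a real submission carries before comparing it with whatever limit the server enforces.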




-----Original Message-----
From: Byron Mann [mailto:byronos...@gmail.com] 
Sent: Wednesday, September 12, 2012 12:27 PM
To: cf-talk
Subject: Re: CF DDos update released


I have to agree that this bulletin is really lacking.

There are organizations that just cannot "do a hot-fix" (DFIU), and the details 
in this bulletin give us no idea of exposure or a means to verify if we are at 
a high risk.  There have been Adobe patches in the past that we have waited for 
a regular maintenance window to perform because there was little to no risk based 
on our analysis of the issue.

So, is it really worth the over-time, customer frustration and such to apply a 
hot-fix that may or may not fix an issue (because we have no details to 
verify before or after the fact)?

Based on the bulletin and lack of detail, I would err on the pessimistic side 
and fear the most.

Byron Mann
Lead Engineer & Architect
HostMySite.com




On Wed, Sep 12, 2012 at 11:32 AM, Judah McAuley <ju...@wiredotter.com> wrote:
>
> On Tue, Sep 11, 2012 at 7:48 PM,  <> wrote:
>>
>>  >>I already read the Adobe bulletin, it doesn't really say much.
>>
>> I doubt you will ever see details and description about any possible attack.
>> It would be too easy for those looking for ideas...
>
> Publication of details of an attack is pretty common. Good guys will 
> typically find an attack, alert the people who are in a position to 
> fix the product(s), wait for them to confirm it and start on a fix and 
> then publish the details of the attack after the vulnerability patch 
> has been released. The reason for this is so other researchers (and 
> people wanting to protect their own systems) have an idea of the types 
> of issues that a product has been vulnerable to so they can poke 
> around the edges and see if there are similar issues that may have 
> been missed, thereby strengthening the overall security of the 
> product.  So, yes, the details are for people looking for ideas but 
> that includes all the good people as well as the bad guys (tm).
> Security through obscurity isn't really security at all.
>
> cheers,
> Judah
>
> 



Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352575