I just read Pete's post about the HashDos vulnerability (http://www.petefreitag.com/item/808.cfm) and then went back to the Adobe bulletin about this (http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix.html).

After adding <var name='postParametersLimit'><number>500.0</number></var> and restarting CF, I'm now able to submit that form successfully. Thanks for helping me to resolve this situation!

-Michael

-----Original Message-----
From: Patti, Michael
Sent: Thursday, September 13, 2012 11:28 AM
To: cf-talk
Subject: RE: CF DDos update released

I have the ability to change security groups for my profile within eSeries, and when I do that, it lowers the number of fields displayed on the profile edit screen to 38. When I submit the form, it's still throwing the same error, so I think Brian and Pete are correct that this isn't about a limit to the number of fields submitted. I'm honestly not sure where I'd change the default for the number of fields that can be submitted, but I'm fairly certain that can be ruled out as a cause.

I'm still stumped as to why this particular form refuses to submit. It definitely has something to do with one of the recent hotfixes. Before last night, I had only applied hf901-00003.jar (on CF 9.0.1 Standard), so I was a few behind when I installed hf901-00006.jar. I followed the instructions in Section 2 of http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb12-21.html to the letter, and given that every other form submission I've tested works fine, I don't think this is a case of a corrupted install.

I'm poking around the source code of the form submission script to see if something in there might be causing it to stop; but does anyone know whether what I'm seeing (the HTTP Error 500) is the expected behavior when CF intercepts what it deems to be a CSRF attack?

Thanks again for your help.

-Michael

-----Original Message-----
From: Pete Freitag
Sent: Thursday, September 13, 2012 10:53 AM
To: cf-talk
Subject: Re: CF DDos update released

On Thu, Sep 13, 2012 at 11:24 AM, Brian Thornton wrote:
>
> It was a field max to limit CSRF.. number of fields is limited or
> allowed by W3C standards so I strongly doubt that to be changed in this case..
>

This particular hotfix does not do anything to limit the number of form fields submitted; however, a previous hotfix did - APSB12-06, which added the postParametersLimit setting to neo-runtime.xml. This value defaults to 100, so submitting 53 form fields should not trigger it (unless you lowered the default value). Note that if you installed the latest hotfix you also installed this one, because the security hotfixes are mostly cumulative (for 9.0.1 at least). This was added to mitigate the effects of the HashDos vulnerability; see more about that here: http://www.petefreitag.com/item/808.cfm

I'm not sure how limiting the number of fields would limit a CSRF attack, can you explain?

Also I'm not aware of a standard limiting the number of fields, but please prove me wrong if there is one. There are limits on the size of the URL imposed by browsers, and in some HTML specifications, but the HTTP RFC says "The HTTP protocol does not place any a priori limit on the length of a URI" http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1 -- I'm not aware of any standard limiting the size or number of fields of a FORM post in the HTTP protocol; my understanding is that it is up to the server to determine what is acceptable.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352582
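The thread above leaves two things implicit: what HashDos actually costs a server, and why a count-of-parameters cap like postParametersLimit stops it. The script below is an added example (not ColdFusion's code and not from anyone in the thread). It re-implements the java.lang.String.hashCode() formula, generates form-field names that all collide under it, measures the key comparisons a chained hash table burns inserting them, and then applies a parameter-count cap to the raw body before anything is inserted. The hash table, the request body, the RequestRejected error and the parse_form_body/accepts helpers are constructed for illustration; only the hashCode formula (from the JDK) and the default of 100 (from Pete's message) come from real sources.

```python
"""HashDos demo for the postParametersLimit discussion (added example, not ColdFusion code)."""
from itertools import product


def java_string_hash(s: str) -> int:
    """java.lang.String.hashCode(): h = 31*h + c, wrapped to a signed 32-bit int."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h & 0x80000000 else h


def colliding_field_names(n_blocks: int) -> list:
    """Return 2**n_blocks distinct field names that share a single Java hash code.

    'Aa' and 'BB' both hash to 2112 (65*31+97 == 66*31+66). hashCode is a polynomial
    in the characters, so any concatenation of n equal-hash blocks collides with
    every other concatenation of n such blocks.
    """
    return ["".join(blocks) for blocks in product(("Aa", "BB"), repeat=n_blocks)]


class ChainedHashTable:
    """Constructed separate-chaining table in the style of pre-Java-8 HashMap.

    Counts key comparisons so the cost of a collision storm is visible. (Java 8's
    HashMap treeifies long chains, JEP 180, which bounds this; the JDKs of the
    ColdFusion 9 era predate that change.)
    """

    def __init__(self, n_buckets: int):
        self.buckets = [[] for _ in range(n_buckets)]
        self.comparisons = 0

    def put(self, key: str, value: str) -> None:
        bucket = self.buckets[java_string_hash(key) % len(self.buckets)]
        for entry in bucket:  # walk the chain looking for an existing key
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        bucket.append([key, value])


def insertion_cost(field_names: list) -> int:
    """Key comparisons needed to insert the names into a table sized at load factor 0.5."""
    table = ChainedHashTable(n_buckets=2 * len(field_names))
    for name in field_names:
        table.put(name, "x")
    return table.comparisons


class RequestRejected(Exception):
    """Constructed error: body carries more parameters than the configured limit."""


def parse_form_body(body: str, post_parameters_limit: int = 100) -> dict:
    """Parse an x-www-form-urlencoded body (no percent-decoding) with a parameter cap.

    The cap is applied to the raw '&'-separated pairs BEFORE any key goes into a
    hash table; that ordering is what makes it a HashDos mitigation, since the
    attacker never gets to trigger the quadratic chain walk. Illustration of the
    idea behind postParametersLimit, whose default is 100 per the thread.
    """
    pairs = [p for p in body.split("&") if p]
    if len(pairs) > post_parameters_limit:
        raise RequestRejected(
            f"{len(pairs)} parameters exceeds postParametersLimit={post_parameters_limit}"
        )
    fields = {}
    for pair in pairs:
        name, _, value = pair.partition("=")
        fields[name] = value
    return fields


def accepts(body: str, post_parameters_limit: int = 100) -> bool:
    """True if parse_form_body accepts the body under the given limit."""
    try:
        parse_form_body(body, post_parameters_limit)
        return True
    except RequestRejected:
        return False


def build_body(field_names: list) -> str:
    """Constructed request body: every field gets the value 'x'."""
    return "&".join(f"{name}=x" for name in field_names)


if __name__ == "__main__":
    attack = colliding_field_names(10)            # 1024 names, one hash code
    benign = [f"field{i}" for i in range(53)]     # the 53-field form from the thread
    print("all 1024 attack names hash to", java_string_hash(attack[0]),
          all(java_string_hash(n) == java_string_hash(attack[0]) for n in attack))
    print("comparisons, 1024 colliding keys:", insertion_cost(attack))
    print("comparisons, 1024 distinct keys:  ", insertion_cost([f"f{i}" for i in range(1024)]))
    print("53 benign fields, limit 100:", accepts(build_body(benign)))
    print("1024 colliding fields, limit 500:", accepts(build_body(attack), 500))
```

Two points worth noticing when running it. First, 1024 colliding keys cost 1024*1023/2 = 523,776 comparisons while 1024 ordinary keys cost a few dozen, and the attacker only has to send a few kilobytes of body to get that ratio; a real exploit sends tens of thousands of names per request. Second, the check counts pairs in the raw body before building the dict, so raising the limit from 100 to 500 as Michael did still bounds the worst case at roughly 500^2/2 comparisons per request rather than removing the protection. A cap that is enforced after the parameters have already been loaded into a hash table would be no mitigation at all.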

