Yes, don't forget to count hidden form fields as well :)

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?
On Thu, Sep 13, 2012 at 12:51 PM, Patti, Michael <[email protected]> wrote:

> I just read Pete's post about the HashDos vulnerability
> (http://www.petefreitag.com/item/808.cfm) and then went back to the Adobe
> bulletin about this
> (http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix.html).
>
> After adding <var name='postParametersLimit'><number>500.0</number></var>
> and restarting CF, I'm now able to submit that form successfully.
>
> Thanks for helping me to resolve this situation!
>
> -Michael
>
> -----Original Message-----
> From: Patti, Michael
> Sent: Thursday, September 13, 2012 11:28 AM
> To: cf-talk
> Subject: RE: CF DDos update released
>
> I have the ability to change security groups for my profile within
> eSeries, and when I do that, it lowers the number of fields displayed on
> the profile edit screen to 38. When I submit the form, it's still throwing
> the same error, so I think Brian and Pete are correct that this isn't about
> a limit to the number of fields submitted. I'm honestly not sure where I'd
> change the default for the number of fields that can be submitted, but I'm
> fairly certain that can be ruled out as a cause.
>
> I'm still stumped as to why this particular form refuses to submit. It
> definitely has something to do with one of the recent hotfixes. Before
> last night, I had only applied hf901-00003.jar (on CF 9.0.1 standard), so I
> was a few behind when I installed hf901-00006.jar. I followed the
> instructions in Section 2 of
> http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb12-21.html
> to the letter, and given that every other form submission I've tested works
> fine, I don't think this is a case of a corrupted install.
>
> I'm poking around the source code of the form submission script to see if
> something in there might be causing it to stop; but does anyone know
> whether what I'm seeing (the HTTP Error 500) is the expected behavior when
> CF intercepts what it deems to be a CSRF attack?
>
> Thanks again for your help.
>
> -Michael
>
> -----Original Message-----
> From: Pete Freitag [mailto:[email protected]]
> Sent: Thursday, September 13, 2012 10:53 AM
> To: cf-talk
> Subject: Re: CF DDos update released
>
> On Thu, Sep 13, 2012 at 11:24 AM, Brian Thornton <[email protected]> wrote:
>
> > It was a field max to limit CSRF.. number of fields is limited or
> > allowed by W3C standards so I strongly doubt that to be changed in this
> > case..
>
> This particular hotfix does not do anything to limit the number of form
> fields submitted; however, a previous hotfix did - ABSP12-06, which added the
> postParameterLimit setting to neo-runtime.xml - this value defaults to 100,
> so submitting 53 form fields should not trigger it (unless you lowered the
> default value). Note that if you installed the latest hotfix you also
> installed this one, because the security hotfixes are mostly cumulative (for
> 9.0.1 at least). This was added to mitigate the effects of the HashDos
> vulnerability; see more about that here:
> http://www.petefreitag.com/item/808.cfm
>
> I'm not sure how limiting the number of fields would limit a CSRF attack,
> can you explain? Also, I'm not aware of a standard limiting the number of
> fields, but please prove me wrong if there is one. There are limits on the
> size of the URL imposed by browsers, and in some HTML specifications, but in
> the HTTP RFC it says "The HTTP protocol does not place any a priori limit
> on the length of a URI"
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1 -- I'm not
> aware of any standard limiting the size or number of fields of a FORM post
> in the HTTP protocol; my understanding is that it is up to the server to
> determine what is acceptable.
>
> --
> Pete Freitag - Adobe Community Professional
> http://foundeo.com/ - ColdFusion Consulting & Products
> http://petefreitag.com/ - My Blog
> http://hackmycf.com - Is your ColdFusion Server Secure?
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352595
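The thread makes two practical points: a form's submitted-field count includes hidden inputs (so a screen that "shows 38 fields" can still post more), and a POST parameter cap such as postParametersLimit mitigates HashDos only if the count is checked before the parameters are inserted into a hash table. The following is an added Python illustration of both checks; it is not ColdFusion's code and does not describe how the hotfix is implemented internally. It assumes an application/x-www-form-urlencoded body, takes the default limit of 100 from Pete's message, and uses a constructed sample form as input.

```python
"""Added example: count the fields a form would submit (hidden inputs
included) and enforce a parameter cap on a raw POST body before decoding.
This is illustrative Python, not ColdFusion's implementation."""
from html.parser import HTMLParser
from urllib.parse import parse_qsl

# Default taken from the thread ("this value defaults to 100").
DEFAULT_POST_PARAMETER_LIMIT = 100


class FormFieldCounter(HTMLParser):
    """Count fields a browser would submit for a form.

    Counts named, non-disabled <input>, <select> and <textarea> elements.
    Unchecked checkboxes/radios and unclicked buttons are not sent, so the
    result is an upper bound on what the server will actually receive.
    """

    def __init__(self):
        super().__init__()
        self.visible = 0
        self.hidden = 0

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if not a.get("name") or "disabled" in a:
            return
        if tag == "input" and (a.get("type") or "text").lower() == "hidden":
            self.hidden += 1
        else:
            self.visible += 1


def count_form_fields(html):
    """Return (visible, hidden, total) counts of submittable fields."""
    parser = FormFieldCounter()
    parser.feed(html)
    return parser.visible, parser.hidden, parser.visible + parser.hidden


class TooManyParameters(ValueError):
    """Raised when a POST body carries more parameters than allowed."""


def exceeds_limit(body, limit=DEFAULT_POST_PARAMETER_LIMIT):
    """Count parameters on the raw string: one per non-empty '&' segment.

    Counting happens before any key is URL-decoded or hashed, which is the
    point of the mitigation: colliding keys only cost CPU once they are
    inserted into a hash table.
    """
    count = sum(1 for segment in body.split("&") if segment)
    return count > limit


def parse_post_body(body, limit=DEFAULT_POST_PARAMETER_LIMIT):
    """Reject oversized bodies first, then decode the parameters into a dict."""
    if exceeds_limit(body, limit):
        raise TooManyParameters("POST parameter count exceeds limit of %d" % limit)
    return dict(parse_qsl(body, keep_blank_values=True))


# Constructed sample form: 4 visible fields, 2 hidden, one disabled field
# and an unnamed submit button that are not submitted.
SAMPLE_FORM = """<form method="post" action="/profile/save.cfm">
  <input type="hidden" name="csrf_token" value="placeholder">
  <input type="hidden" name="profile_id" value="42">
  <input type="text" name="first_name">
  <input type="text" name="last_name">
  <input type="checkbox" name="newsletter" disabled>
  <select name="country"><option>US</option></select>
  <textarea name="bio"></textarea>
  <input type="submit" value="Save">
</form>"""

if __name__ == "__main__":
    visible, hidden, total = count_form_fields(SAMPLE_FORM)
    print("visible=%d hidden=%d total=%d" % (visible, hidden, total))
    print(parse_post_body("first_name=Ann&last_name=Lee&country=US"))
    oversized = "&".join("f%d=%d" % (i, i) for i in range(101))
    print("101 params exceed default limit:", exceeds_limit(oversized))
```

Counting on the raw body rather than on the decoded dictionary is the design choice that matters: a check that runs after `parse_qsl` has already paid the hashing cost it was meant to avoid. The field counter is the quick way to answer Michael's question from the thread: run it over the rendered profile page to see how many parameters the form really posts once hidden inputs are included.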

