Thanks Charlie for the detailed email. Yes, we are on 9.0 and we didn't upgrade to 9.0.1. We used the hotfix jar for 9.0 as advised on the Adobe page. It makes sense to protect those CFIDE folders you mentioned.

One thing we did notice is that after applying the security hotfix, we started to get this error: "coldfusion.filter.FormScope$PostParametersLimitExceededException: POST parameters exceeds the maximum limit specified in the server". A quick Google search led me to this post: http://www.cutterscrossing.com/index.cfm/2012/3/27/ColdFusion-Security-Hotfix-and-Big-Forms. I ended up adding <var name='postParametersLimit'><number>500.0</number></var> to {ColdFusion-Home}/lib/neo-runtime.xml for the Server installation. I am guessing that we might have missed an earlier patch/hotfix in which Adobe introduced this postParametersLimit setting. We were surprised by the error message in the beginning, but since we had recently applied the security fix, we knew it had to do with the fix.

Thanks,

<Ajas Mohammed />
http://ajashadi.blogspot.com
We cannot become what we need to be, remaining what we are. No matter what, find a way. Because that's what winners do. You can't improve what you don't measure. Quality is never an accident; it is always the result of high intention, sincere effort, intelligent direction and skillful execution; it represents the wise choice of many alternatives.

On Fri, Jan 18, 2013 at 7:07 PM, Charlie Arehart <char...@carehart.org> wrote:

> :-)
>
> Thanks. I will note that they did just yesterday kindly add me to the acknowledgements section of the security advisory, a first for me. :-) Various issues caused the delay. Nothing nefarious. I got a call from someone on PSIRT explaining the situation. I was just happy to get the mention.
>
> The good news is that I've gotten "payment" by a burst of new business from people needing help with this. Of course, I posted the first two entries making no mention of my services. That really wasn't my motivation. But come, the work has. And some of those have then realized I could help with other things, which has led to still more work, so it's been all the more beneficial.
>
> Of course, it's a bit like being a roofer after a tornado blows through. You don't want to say you're "glad for the work", as you feel for people who were affected.
>
> I have a part 4/post mortem in the works, but sadly too busy to get time to write it up. Perhaps over the weekend.
>
> /charlie
>
> From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Steve Ross
> Sent: Friday, January 18, 2013 10:17 AM
> To: ACFUG ColdFusion Discussion
> Subject: Re: [ACFUG Discuss] New CF Vulnerability - Check your servers
>
> Adobe should be paying you Charlie...
>
> On Wed, Jan 16, 2013 at 9:39 AM, Ajas Mohammed <ajash...@gmail.com> wrote:
>
> Thanks Charlie, Cameron for keeping us updated with the latest.
>
> Charlie, thanks for those blog entries. Really appreciate all your help.
>
> <Ajas Mohammed />
>
> -------------------------------------------------------------
> To unsubscribe from this list, manage your profile @
> http://www.acfug.org?fa=login.edituserform
>
> For more info, see http://www.acfug.org/mailinglists
> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
> List hosted by FusionLink <http://www.fusionlink.com>
> -------------------------------------------------------------
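As an added example (not code from the thread, from Adobe or from the cutterscrossing post), a small Python audit that reads the postParametersLimit setting Ajas describes out of a neo-runtime.xml and counts PostParametersLimitExceededException lines in an exception log, so the limit can be raised from evidence rather than guesswork. It assumes the WDDX-style <var name=...> layout for the config file; the config and log samples below are constructed.

```python
"""Audit neo-runtime.xml for postParametersLimit and count limit-exceeded log hits."""
import xml.etree.ElementTree as ET

# Constructed sample in the WDDX-style layout neo-runtime.xml uses (assumption:
# settings are <var name=...> elements inside a <struct>); not a real server file.
SAMPLE_NEO_RUNTIME = """<wddxPacket version='1.0'><header/><data><array length='1'>
<struct type='coldfusion.server.ConfigMap'>
<var name='postParametersLimit'><number>500.0</number></var>
<var name='postSizeLimit'><number>100.0</number></var>
</struct>
</array></data></wddxPacket>"""

# Constructed log lines modelled on the error quoted in the thread.
SAMPLE_LOG = """\
"Error","jrpp-12","01/18/13","10:02:11",,"POST parameters exceeds the maximum limit specified in the server."
coldfusion.filter.FormScope$PostParametersLimitExceededException: POST parameters exceeds the maximum limit specified in the server.
"Information","jrpp-13","01/18/13","10:02:15",,"Scheduler started"
coldfusion.filter.FormScope$PostParametersLimitExceededException: POST parameters exceeds the maximum limit specified in the server.
"""

def read_post_parameters_limit(xml_text):
    """Return the configured postParametersLimit as a float, or None when the
    setting is absent (a config written before the hotfix introduced it)."""
    root = ET.fromstring(xml_text)
    for var in root.iter("var"):
        if var.get("name") == "postParametersLimit":
            number = var.find("number")
            if number is not None and number.text:
                return float(number.text)
    return None

def audit_limit(xml_text, expected_max_fields):
    """Compare the configured limit with the largest form the application
    legitimately submits. Returns "missing", "too_low" or "ok"."""
    limit = read_post_parameters_limit(xml_text)
    if limit is None:
        return "missing"   # the hotfix default applies; large forms may fail
    if limit < expected_max_fields:
        return "too_low"   # legitimate forms will trigger the exception
    return "ok"

def count_limit_exceeded(log_text):
    """Count log lines carrying PostParametersLimitExceededException so the
    limit can be tuned from what the server actually rejected."""
    marker = "FormScope$PostParametersLimitExceededException"
    return sum(1 for line in log_text.splitlines() if marker in line)

if __name__ == "__main__":
    print(audit_limit(SAMPLE_NEO_RUNTIME, 350), count_limit_exceeded(SAMPLE_LOG))
```

Run it against the real {ColdFusion-Home}/lib/neo-runtime.xml and the exception.log after applying the hotfix; a non-zero count with status "ok" means a form larger than your assumed maximum is in use.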