Ajas,
The PostParametersLimit is actually due to a different issue. (I was
also hit with this one.)
A brief note about it is here:
http://arstechnica.com/business/2011/12/huge-portions-of-web-vulnerable-to-hashing-denial-of-service-attack/
Essentially, there is a DoS attack possible by posting many parameters
to a web page. Whenever you post multiple form elements to a webserver
(with either POST or GET), it generates a hash in order to refer to them.
"If the language does not provide a randomized hash function or the
application server does not recognize attacks using multi-collisions, an
attacker can degenerate the hash table by sending lots of colliding
keys. The algorithmic complexity of inserting n elements into the table
then goes to O(n**2), making it possible to exhaust hours of CPU time
using a single HTTP request." I have read that when properly executed,
this attack can cause a single page request to take over half an hour on a
server without any other traffic. So in order to circumvent the problem,
many platforms decided the easy way to stop the problem would be to not
process any page that returns more than 100 form (or URL) parameters.
Of course anyone that has a legitimate reason to have that many form
fields needs to increase the maximum. In addition to ColdFusion, I know
Apache also has a default limit of 100 on any patched server.
--Frank
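As an added illustration (not code from anyone in this thread), here is a minimal form-body parser that applies a parameter cap in the spirit of ColdFusion's postParametersLimit before any keys are inserted into a hash table, so the count check itself costs no hash-table work. The 100 default and the 500 value mirror the numbers in the thread; the sample form bodies are constructed.

```python
# Added example: enforce a POST-parameter cap before building a dict, mirroring
# the postParametersLimit behaviour discussed in the thread (not ColdFusion code).
from urllib.parse import unquote_plus


class PostParametersLimitExceeded(Exception):
    """Raised when a body carries more parameters than the configured limit."""


def count_form_parameters(body: str) -> int:
    """Count '&'-separated pairs in an application/x-www-form-urlencoded body.

    Splitting and counting does no dict inserts, so it stays linear even when
    every key was crafted to collide in the hash table.
    """
    if not body:
        return 0
    return sum(1 for pair in body.split("&") if pair)


def exceeds_limit(body: str, limit: int = 100) -> bool:
    """True when the body has more parameters than `limit` (default 100)."""
    return count_form_parameters(body) > limit


def parse_form(body: str, limit: int = 100) -> dict:
    """Parse the body into a dict, but only after the cheap count check.

    Raising before the dict is built bounds the CPU an oversized request can
    consume; a legitimate big form needs the limit raised (the thread uses 500).
    """
    n = count_form_parameters(body)
    if n > limit:
        raise PostParametersLimitExceeded(
            f"POST parameters ({n}) exceed the maximum limit ({limit})")
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


# Constructed sample inputs for demonstration.
SMALL_FORM = "name=Ajas&city=Atlanta&cf_version=9.0"
BIG_FORM = "&".join(f"field{i}=v{i}" for i in range(250))

if __name__ == "__main__":
    print(parse_form(SMALL_FORM))
    print("big form rejected at default limit:", exceeds_limit(BIG_FORM))
    print("fields accepted at limit 500:", len(parse_form(BIG_FORM, limit=500)))
```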
On 01/21/2013 03:42 PM, Ajas Mohammed wrote:
Thanks Charlie for the detailed email. Yes, we are on 9.0 and we didn't
upgrade to 9.0.1. We used the hotfix jar for 9.0 as advised on the Adobe
page. It makes sense to protect those CFIDE folders you mentioned.
One thing we did notice is that after applying the security hotfix, we
started to get this error:
"coldfusion.filter.FormScope$PostParametersLimitExceededException:
POST parameters exceeds the maximum limit specified in the server".
A quick Google search led me to this post:
<http://www.cutterscrossing.com/index.cfm/2012/3/27/ColdFusion-Security-Hotfix-and-Big-Forms>.
I ended up adding <var
name='postParametersLimit'><number>500.0</number></var> to the
{ColdFusion-Home}/lib/neo-runtime.xml for the Server installation. I am
guessing that we might have missed an earlier patch/hotfix in which
Adobe introduced this postParametersLimit setting. We were surprised
by the error message in the beginning, but since we had recently applied the
security fix, we knew it had to do with the fix.
Thanks,
<Ajas Mohammed />
http://ajashadi.blogspot.com
We cannot become what we need to be, remaining what we are.
No matter what, find a way. Because that's what winners do.
You can't improve what you don't measure.
Quality is never an accident; it is always the result of high
intention, sincere effort, intelligent direction and skillful
execution; it represents the wise choice of many alternatives.
On Fri, Jan 18, 2013 at 7:07 PM, Charlie Arehart <char...@carehart.org> wrote:
:-)
Thanks. I will note that they did just yesterday kindly add me to
the acknowledgements section of the security advisory, a first for
me. :-) Various issues caused the delay. Nothing nefarious. I got
a call from someone on PSIRT explaining the situation. I was just
happy to get the mention.
The good news is that I’ve gotten “payment” by a burst of new
business from people needing help with this. Of course, I posted
the first two entries making no mention of my services. That
really wasn’t my motivation. But come, the work has. And some of
those have then realized I could help with other things, which has
led to still more work, so it’s been all the more beneficial.
Of course, it’s a bit like being a roofer after a tornado blows
through. You don’t want to say you’re “glad for the work”, as you
feel for people who were affected.
I have a part 4/post mortem in the works, but sadly too busy to
get time to write it up. Perhaps over the weekend.
/charlie
From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Steve Ross
Sent: Friday, January 18, 2013 10:17 AM
To: ACFUG ColdFusion Discussion
Subject: Re: [ACFUG Discuss] New CF Vulnerability - Check your servers
Adobe should be paying you Charlie...
On Wed, Jan 16, 2013 at 9:39 AM, Ajas Mohammed <ajash...@gmail.com> wrote:
Thanks Charlie, Cameron for keeping us updated with the latest.
Charlie, thanks for those blog entries. Really appreciate all your
help.
<Ajas Mohammed />
-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink <http://www.fusionlink.com>
-------------------------------------------------------------