Yeah, I hated that parameter and a lack of GUI to change it. When you
have many servers to patch, it's annoying to have to edit this value in
an XML file over and over again. I understand its value, and I think
it's a good thing - but they could have taken a few extra hours of dev
time to mimic the behavior of 10 instead of just going half way.
On 1/21/2013 1:51 PM, Dawn Hoagland wrote:
It was introduced in APSB12-06 released March of 2012. They
introduced the setting, defaulted it to 100, but didn't update the
Administrator to allow editing from the GUI so it must be added
directly in the XML.
http://www.adobe.com/support/security/bulletins/apsb12-06.html
On Mon, Jan 21, 2013 at 3:42 PM, Ajas Mohammed <ajash...@gmail.com> wrote:
Thanks Charlie for the detailed email. Yes, we are on 9.0 and we
didn't upgrade to 9.0.1. We used the hotfix jar for 9.0 as advised on
the adobe page. It makes sense to protect those CFIDE folders you
mentioned.
One thing we did notice is that after the applying security
hotfix, we started to get this error
"coldfusion.filter.FormScope$PostParametersLimitExceededException: POST
parameters exceeds the maximum limit specified in the server".
Quick Google search led me to this post:
<http://www.cutterscrossing.com/index.cfm/2012/3/27/ColdFusion-Security-Hotfix-and-Big-Forms>.
I ended up adding <var
name='postParametersLimit'><number>500.0</number></var> to the
{ColdFusion-Home}/lib/neo-runtime.xml for Server installation. I
am guessing that we might have missed an earlier patch/hotfix in
which Adobe introduced this postParametersLimit setting. We were
surprised by the error message in the beginning, but since we had
recently applied the security fix, we knew it had to do with the fix.
Thanks,
<Ajas Mohammed />
http://ajashadi.blogspot.com
We cannot become what we need to be, remaining what we are.
No matter what, find a way. Because that's what winners do.
You can't improve what you don't measure.
Quality is never an accident; it is always the result of high
intention, sincere effort, intelligent direction and skillful
execution; it represents the wise choice of many alternatives.
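The thread above describes adding `<var name='postParametersLimit'><number>500.0</number></var>` by hand to neo-runtime.xml on each server, and the later complaint that there is no GUI for it. As an added example (not code from anyone on this list), here is a small audit/set script for that one setting. It assumes neo-runtime.xml keeps the WDDX layout shown in the constructed sample (a `struct` of `<var name=...>` entries); the real file carries many more entries.

```python
"""Audit / set postParametersLimit in a ColdFusion neo-runtime.xml.

Assumption: the file is a WDDX packet whose settings live in <struct>
elements as <var name='...'><number>...</number></var>, as in the page's
snippet. The sample below is constructed and cut down to that shape."""
import xml.etree.ElementTree as ET

SETTING = "postParametersLimit"

# Constructed sample: a file that predates APSB12-06, so the setting is
# absent entirely (the situation that produced the error quoted above).
SAMPLE_NEO_RUNTIME = """<wddxPacket version='1.0'><header/><data><array length='2'>
<struct type='coldfusion.server.ConfigMap'>
<var name='requestTimeout'><number>60.0</number></var>
<var name='enableRequestTimeout'><boolean value='true'/></var>
</struct>
<struct type='coldfusion.server.ConfigMap'><var name='other'><string>x</string></var></struct>
</array></data></wddxPacket>"""


def get_limit(xml_text):
    """Return the configured postParametersLimit as a float, or None when
    the <var> is missing (ColdFusion then falls back to the hotfix default)."""
    root = ET.fromstring(xml_text)
    for var in root.iter("var"):
        if var.get("name") == SETTING:
            number = var.find("number")
            return float(number.text) if number is not None else None
    return None


def ensure_limit(xml_text, limit):
    """Add or update the setting; return (new_xml, changed).

    Assumption: when the <var> is absent it is appended to the first
    ConfigMap struct, mirroring where the page's snippet was placed by hand."""
    wanted = f"{float(limit):.1f}"          # written as 500.0, like the page
    root = ET.fromstring(xml_text)
    for var in root.iter("var"):
        if var.get("name") == SETTING:
            number = var.find("number")
            if number is None:              # entry present but empty: rebuild
                number = ET.SubElement(var, "number")
            if number.text == wanted:
                return xml_text, False      # already correct, leave file alone
            number.text = wanted
            return ET.tostring(root, encoding="unicode"), True
    var = ET.SubElement(root.find(".//struct"), "var", name=SETTING)
    ET.SubElement(var, "number").text = wanted
    return ET.tostring(root, encoding="unicode"), True


if __name__ == "__main__":
    print("before:", get_limit(SAMPLE_NEO_RUNTIME))
    new_xml, changed = ensure_limit(SAMPLE_NEO_RUNTIME, 500)
    print("after:", get_limit(new_xml), "changed:", changed)
```

Run it against each server's copy of neo-runtime.xml (with the service stopped, since ColdFusion rewrites that file on shutdown) and only write back when `changed` is true.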
On Fri, Jan 18, 2013 at 7:07 PM, Charlie Arehart
<char...@carehart.org> wrote:
:-)
Thanks. I will note that they did just yesterday kindly add me
to the acknowledgements section of the security advisory, a
first for me. :-) Various issues caused the delay. Nothing
nefarious. I got a call from someone on PSIRT explaining the
situation. I was just happy to get the mention.
The good news is that I’ve gotten “payment” by a burst of new
business from people needing help with this. Of course, I
posted the first two entries making no mention of my services.
That really wasn’t my motivation. But come, the work has. And
some of those have then realized I could help with other
things, which has led to still more work, so it’s been all the
more beneficial.
Of course, it’s a bit like being a roofer after a tornado
blows through. You don’t want to say you’re “glad for the
work”, as you feel for people who were affected.
I have a part 4/post mortem in the works, but sadly too busy
to get time to write it up. Perhaps over the weekend.
/charlie
From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Steve Ross
Sent: Friday, January 18, 2013 10:17 AM
To: ACFUG ColdFusion Discussion
Subject: Re: [ACFUG Discuss] New CF Vulnerability - Check your servers
Adobe should be paying you Charlie...
On Wed, Jan 16, 2013 at 9:39 AM, Ajas Mohammed
<ajash...@gmail.com> wrote:
Thanks Charlie, Cameron for keeping us updated with the latest.
Charlie, thanks for those blog entries. Really appreciate all
your help.
<Ajas Mohammed />
-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink <http://www.fusionlink.com>
-------------------------------------------------------------
--
Dawn