Re: CF DDos update released

2012-09-14 Thread David Boyer
On Tue, Sep 11, 2012 at 7:48 PM, wrote: i already read the adobe bulletin, it doesn't really say much. I doubt you will ever see details and description about any possible attack. It would be too easy for those looking for ideas... Publication of details of an attack is pretty common.

Re: CF DDos update released

2012-09-14 Thread Russ Michaels
perhaps it might help if a few other people got on their case as well, especially hosts, who will be the main ones who do not like this fix. On Fri, Sep 14, 2012 at 12:00 PM, David Boyer dave.cft...@yougeezer.co.uk wrote: On Tue, Sep 11, 2012 at 7:48 PM, wrote: i already read the adobe

RE: CF DDos update released

2012-09-13 Thread Patti, Michael
being submitted? Thanks, Michael -Original Message- From: Byron Mann [mailto:byronos...@gmail.com] Sent: Wednesday, September 12, 2012 12:27 PM To: cf-talk Subject: Re: CF DDos update released I have to agree that this bulletin is really lacking. There are organizations that just

RE: CF DDos update released

2012-09-13 Thread Brian Thornton
- From: Byron Mann [mailto:byronos...@gmail.com] Sent: Wednesday, September 12, 2012 12:27 PM To: cf-talk Subject: Re: CF DDos update released I have to agree that this bulletin is really lacking. There are organizations that just cannot do a hot-fix (DFIU), and the details in this bulletin

Re: CF DDos update released

2012-09-13 Thread Pete Freitag
On Thu, Sep 13, 2012 at 11:24 AM, Brian Thornton br...@cfdeveloper.com wrote: It was a field max to limit CSRF.. number of fields is limited or allowed by W3C standards so I strongly doubt that to be changed in this case.. This particular hotfix does not do anything to limit the number of

RE: CF DDos update released

2012-09-13 Thread Patti, Michael
I'm seeing (the HTTP Error 500) is the expected behavior when CF intercepts what it deems to be a CSRF attack? Thanks again for your help. -Michael -Original Message- From: Pete Freitag [mailto:p...@foundeo.com] Sent: Thursday, September 13, 2012 10:53 AM To: cf-talk Subject: Re: CF DDos

RE: CF DDos update released

2012-09-13 Thread Patti, Michael
and restarting CF, I'm now able to submit that form successfully. Thanks in helping me to resolve this situation! -Michael -Original Message- From: Patti, Michael Sent: Thursday, September 13, 2012 11:28 AM To: cf-talk Subject: RE: CF DDos update released I have the ability to change

Re: CF DDos update released

2012-09-13 Thread Pete Freitag
: Re: CF DDos update released On Thu, Sep 13, 2012 at 11:24 AM, Brian Thornton br...@cfdeveloper.com wrote: It was a field max to limit CSRF.. number of fields is limited or allowed by W3C standards so I strongly doubt that to be changed in this case.. This particular hotfix does

Re: CF DDos update released

2012-09-12 Thread Judah McAuley
On Tue, Sep 11, 2012 at 7:48 PM, wrote: i already read the adobe bulletin, it doesn't really say much. I doubt you will ever see details and description about any possible attack. It would be too easy for those looking for ideas... Publication of details of an attack is pretty common.

Re: CF DDos update released

2012-09-12 Thread Byron Mann
I have to agree that this bulletin is really lacking. There are organizations that just cannot do a hot-fix (DFIU), and the details in this bulletin give us no idea of exposure or a means to verify if we are at a high risk. There have been Adobe patches in the past that we have waited to a

Re: CF DDos update released

2012-09-12 Thread Russ Michaels
also having to edit hundreds or possibly thousands of security sandboxes is really not acceptable, not to mention the fact that disabling that function will break many sites, such as those using popular frameworks. This really isn't a very acceptable solution. On Wed, Sep 12, 2012 at 6:26 PM,

CF DDos update released

2012-09-11 Thread Brian Thornton
http://blogs.coldfusion.com/post.cfm/security-hot-fix-for-coldfusion-september-2012

Re: CF DDos update released

2012-09-11 Thread Russ Michaels
anyone seen details of what the vulnerability actually is? that is a huge job to update thousands of security sandboxes. On Tue, Sep 11, 2012 at 7:34 PM, Brian Thornton br...@cfdeveloper.com wrote: http://blogs.coldfusion.com/post.cfm/security-hot-fix-for-coldfusion-september-2012

Re: CF DDos update released

2012-09-11 Thread Brian Thornton
Yes... Form Limit, and another bulletin... http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb12-21.html This guy found the problem.. http://misterdai.yougeezer.co.uk/ Kudos to David Boyer... On Tue, Sep 11, 2012 at 2:44 PM, Russ Michaels r...@michaels.me.uk wrote: anyone

Re: CF DDos update released

2012-09-11 Thread Russ Michaels
i already read the adobe bulletin, it doesn't really say much. On Tue, Sep 11, 2012 at 7:49 PM, Brian Thornton br...@cfdeveloper.com wrote: Yes... Form Limit, and another bulletin... http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb12-21.html This guy found the

Re: CF DDos update released

2012-09-11 Thread Claude Schnéegans
i already read the adobe bulletin, it doesn't really say much. I doubt you will ever see details and description about any possible attack. It would be too easy for those looking for ideas...