
Form error after security hotfix apsb12-15

Jul 5, 2012 8:50 AM

I tried posting this in the general CF area two weeks ago with no reply, so I thought I'd try here.

 

I applied the hotfix last week and everything seemed to be working, thought all was well.

It turns out that forms that used to work without a hitch suddenly generated error 500 with no clue as to the real issue.

These forms are simple fill it in, create a pdf file, display the file.  Nothing too creative.  With no error message, and nothing to tell me what is going on with this, I was forced to unload hf901-00005.jar and go back to hf901-00003.jar

It is all working again, but I'd really like to have the security patch AND have my forms work.

Any clues??

 
Replies
    Jul 5, 2012 12:42 PM   in reply to sduncanute

    sduncanute wrote:


    forms that used to work without a hitch suddenly generated error 500 with no clue as to the real issue.

     

    These forms are simple fill it in, create a pdf file, display the file.  Nothing too creative.  With no error message, and nothing to tell me what is going on with this, I was forced to unload hf901-00005.jar and go back to hf901-00003.jar

     

    It is all working again, but I'd really like to have the security patch AND have my forms work.

     

    Hi sduncanute,

     

    Yes (I experienced the same exact issue when populating PDF forms after upgrading to CF10), and there are actually 2 issues here (but the issues are not PDF-related).  In short, there is a solution.  I'll explain:

     

    First issue: Tomcat errors are not written to start.log or exception.log.  This is why you aren't seeing any logged error.  This is Bug #3126106 and is marked Fixed in CF10 (I haven't verified this, but need to.  This here is a note-to-self. =P).  However, I'm unsure if this is fixed in CF 9.0.2.

     

    Second issue: As apsb12-15 states:

     

    -----------

    1. This hot fix has a new setting in ColdFusion, Post Parameter Limit. This setting limits the number of parameters in a post request. The default value is 100. If a post request contains more parameters as specified, the server doesn't process the request and throws an exception. This process protects against DoS attack using Hash Collision. This setting is different from Post Size Limit (ColdFusion Administrator > Settings > Maximum size of post data). This setting isn't exposed in the ColdFusion Administrator console. But you can easily change this limit in the neo-runtime.xml file. See point 5 below.
    2. Customers who want to change postParameterLimit, go to {ColdFusion-Home}/lib for Server Installation or {ColdFusion-Home}/WEB-INF/cfusion/lib for Multiserver or J2EE installation. Open file neo-runtime.xml, after line

     

    "<var name='postSizeLimit'><number>100.0</number></var>"

     

    Add the line below and you can change 100 with the desired number.

     

    "<var name='postParametersLimit'><number>100.0</number></var>"

    -----------

     

    Basically, the Tomcat error (which you're not seeing) is being thrown b/c the form is attempting to post more than 100 fields.  So, just do as it says above: Add that bolded line and replace 100.0 w/ a number high enough to cover the number of fields in your form.

     

    I'll note that CF10 permits this setting to be adjusted via the CF Admin's Settings page via the "Maximum number of POST request parameters" setting.

     

    Thanks,

    -Aaron
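
The edit described in the answer above, as an added example (not code from the thread or from Adobe's hotfix): it counts the fields in a urlencoded POST body and updates or inserts the `postParametersLimit` entry directly after the `postSizeLimit` entry. The sample XML fragment, the placeholder setting and the 120-field body are constructed for illustration; multipart form posts are not handled.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample: the postSizeLimit line quoted in the bulletin, followed by
# a placeholder entry standing in for the rest of neo-runtime.xml.
SAMPLE_XML = ("<var name='postSizeLimit'><number>100.0</number></var>"
              "<var name='placeholderSetting'><number>1.0</number></var>")

def _var_re(name):
    # Matches <var name='NAME'><number>VALUE</number></var>, either quote style.
    return re.compile(r"<var name=(['\"])" + re.escape(name) +
                      r"\1>\s*<number>([^<]*)</number>\s*</var>")

def count_post_params(body):
    """Count fields in a urlencoded POST body; empty fields count as well."""
    return len(parse_qsl(body, keep_blank_values=True))

def current_limit(xml_text):
    """Return the configured postParametersLimit, or None if the entry is absent."""
    m = _var_re("postParametersLimit").search(xml_text)
    return float(m.group(2)) if m else None

def set_limit(xml_text, limit):
    """Update the entry, or insert it directly after postSizeLimit if missing."""
    new_var = "<var name='postParametersLimit'><number>%.1f</number></var>" % limit
    existing = _var_re("postParametersLimit").search(xml_text)
    if existing:
        return xml_text[:existing.start()] + new_var + xml_text[existing.end():]
    anchor = _var_re("postSizeLimit").search(xml_text)
    if anchor is None:
        raise ValueError("postSizeLimit entry not found; not guessing an insert point")
    return xml_text[:anchor.end()] + new_var + xml_text[anchor.end():]

if __name__ == "__main__":
    body = "&".join("field%d=" % i for i in range(120))  # constructed 120-field form
    needed = count_post_params(body)
    print("fields:", needed, "current limit:", current_limit(SAMPLE_XML))
    # An absent entry means the hotfix default of 100 applies.
    if (current_limit(SAMPLE_XML) or 100.0) < needed:
        print(set_limit(SAMPLE_XML, needed + 10))
```

Because the limit is the hotfix's protection against hash-collision DoS, size it from the largest legitimate form rather than setting an arbitrarily large value.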

     
    Jul 5, 2012 1:58 PM   in reply to sduncanute

    sduncanute wrote:

     

    This sounds like the answer I needed.  I'll have to wait until the next server update window, but I'll give this a go.  I don't think they've fixed the Tomcat error in 9.0.2 

    Hi Sue,

     

    You're welcome and please do let us know later if that setting resolves the issue.

     

    Thanks!,

    -Aaron

     
    Jan 29, 2013 1:59 AM   in reply to sduncanute

    Hi Sue,

     

    Glad it worked, and thank you very much for confirming!

     

    Thanks,

    -Aaron

     
    Feb 3, 2013 4:21 PM   in reply to itisdesign

    ColdFusion Security Hotfix APSB13-03 on ColdFusion 9

    http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-03.html

     

    FYI, this hotfix seems to have the same problem & fix (altering neo-runtime.xml as above - thank you Aaron!)

     

    Notes:

    After applying the hotfix, users were getting intermittent "The service is unavailable" and "503: Service unavailable" errors.

    Error also happened on pages with few or no Form Fields & at various times throughout the day. Unable to find anything in various logs.

    Eventually found we could at least replicate the error with a POST request  with >100 fields (A).

    Then noticed that a subsequent page request (within a short timeframe) returned an error, but reloading page B worked.
    So I guess requests like A were also causing the problems for other page requests at around the same time?!

     

    kj

     
    May 23, 2013 7:48 AM   in reply to K Johnstone

    kj,

     

    Thanks for posting up the comment about intermittent server issues. I just applied the hotfix for APSB13-13 (http://www.adobe.com/support/security/bulletins/apsb13-13.html) and was running into the same issues. Modifying the neo-runtime.xml, as per Aaron's post, did the trick.

     

    -kash

     