Copy link to clipboard
Copied
Last couple of months I have been getting a lot of hits from a Synapse bot. I think whoever coded it must have made an error, as some of the links are truncated to url/.../index.cfm. (oddly Bing bot seems to have picked up a couple of these).
I say 'bot', but this UA comes from a wide range of IP addresses from all over the globe;I am suspicious. and I don't think it is a site coding error as it is only triggered with a 'synapse' UA.
Here is the odd thing. On the test server - in theory identical to the production server - this generates a 404 error, as you would expect. However, on the production server - theoretically identical, same version of CF (CF9), same config/admin setup, etc - it generates and exception error. This is more annoying than anything else as it is filling the error log, and setting off unnecessary alarms. I guess I could write some code in the error.cfm to redirect to 404 if the URL has '...' in it, but would like to understand more about why the two instances of CF are bahaving differently.
Here is some relevant information:
from the CGI variables:
HTTP_REFERER | [empty string] |
HTTP_USER_AGENT | Mozilla/4.0 (compatible; Synapse) |
PATH_INFO | /.../271/James-McBride |
PATH_TRANSLATED | c:\xxxxxxxx\xxxxxxxxx\...\full\index.cfm |
REMOTE_USER | [empty string] |
REQUEST_METHOD | GET |
SCRIPT_NAME | /.../full/index.cfm |
and the CFERROR
Browser | Mozilla/4.0 (compatible; Synapse) | ||||||||||||
DateTime | {ts '2013-06-29 11:18:50'} | ||||||||||||
Diagnostics | String index out of range: -1 null <br>The error occurred on line -1. | ||||||||||||
GeneratedContent | [empty string] | ||||||||||||
HTTPReferer | [empty string] | ||||||||||||
Mailto | [empty string] | ||||||||||||
Message | String index out of range: -1 | ||||||||||||
QueryString | [empty string] | ||||||||||||
RemoteAddress | 2.144.163.234 | ||||||||||||
RootCause |
|
Any thoughts, ideas or observations would be welcome!
Copy link to clipboard
Copied
I am having the exact same issue, it seems that any combination such as "/........................../myfile.cfm" will result in the samething. I am using CF10 with all the latests updates...
Copy link to clipboard
Copied
Done a bit more testing and I think this is an issue with CF itself. Just having "..." (or more than ..) in the url anywhere will trigger this for example: /...index.cfm will reuslt in the same error. Even if the page does not exist the error will still occur.
Copy link to clipboard
Copied
Not sure why it would be considered a ColdFusion issue.
With URLs, '.' and '..' hold value. The first means "The current directory" whereas the latter means "Move up a directory", however "..." (and anything more) means nothing. Dots are also used to separate pathing and filenames from their extension, ie: "folder/files.gif" so that IIS knows which handler to pass off to in order to handle the request. When you call a ".cfm" file, IIS passes off the request to ColdFusion's handler mapping to process the request.
It seems to me like someone is trying to scrape data from your page. Maybe via a poorly written HTTP get request and then parsing the data returned. If the error messages really bug you, you could either go so far as to do a reverse IP lookup (looks like the IP shown there is from the Islamic Republic of Iran), and contact the technical owner for more information on what may be originating from that range.
Copy link to clipboard
Copied
Aegis,
Have a look at the first post. We understand what the dots mean. Agreed that it is a pooly written bot/scraper (although odd Bing picked it up); that's what I said initially.
The problem - and questrion - is about how ColdFusion is handling it. specifically suggestions why it is handled differently on two different CF servers. On the live server it creates an error. On the test server it is handled as a 404 error. In theory the two servers are identical, IIS is identical, base OS is identical..so I was asking for ideas as to why the two CF instances manage the error differently.
Copy link to clipboard
Copied
The simplest answser is that the difference between the 2 environments, is the environment. If you don't have it PERFECTLY duplicated between one and the other, things can behave differently. You state it's identical, but chances are is cannot be. There's no reason why identical environments would operate differently in the exact same situation.
What are the feaure settings for the error handling? Are they using Custom, Detailed, Combination? Are you using a server-wide missing template handler?
Copy link to clipboard
Copied
I have also had the same issue developing on my localmachine using the built in CF web server. Like P3142 says I would expect a URL such as /.../fakefile.cfm to return a 404, on servers that do not have CF installed this is what will happen.