ross_phillips

Post ColdFusion Security Hotfix APSB13-10 - error on JSON returned with debug on

Apr 17, 2013 1:16 PM

Tags: #cf9 #hotfix

After completing the install process of the hotfix I get the following error when debugging ("Enable Request Debugging Output") is on and the response comes from a remote function whose returnformat is JSON.  Did I miss something in the process?  Any thoughts?

 

This is the test component:

<cfcomponent>
    <cffunction name="myfunc" access="remote" returntype="struct" output="true" returnformat="JSON">
        <cfscript>
            var st = {};
            st["name"] = "ross";
            return st;
        </cfscript>
    </cffunction>
</cfcomponent>

 

Called in the following fashion:

http://localhost/test.cfc?Method=myfunc

 

The error:

<head><title>JRun Servlet Error</title></head><h1>500 </h1><body>
<pre>
coldfusion.server.DebuggingService.getShowAjaxDebug()Z</pre><br><pre>
javax.servlet.ServletException: coldfusion.server.DebuggingService.getShowAjaxDebug()Z
    at coldfusion.xml.rpc.CFCServlet.invoke(CFCServlet.java:155)
    at coldfusion.xml.rpc.CFCServlet.doGet(CFCServlet.java:265)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
    at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
    at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
    at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
    at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
    at jrun.servlet.FilterChain.service(FilterChain.java:101)
    at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
    at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
    at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
    at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
    at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
    at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
    at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
</pre></body>


 
Replies
  • Apr 18, 2013 8:07 AM   in reply to ross_phillips

    We are also getting this error, along with the bug listed here:

    https://bugbase.adobe.com/index.cfm?event=bug&id=3540876

     

    This hotfix seems to have broken many things, and who knows what else is not working?  Adobe needs to address this issue as soon as possible, this is unacceptable.

     
  • Apr 19, 2013 2:08 PM   in reply to ross_phillips

    We have also started experiencing this issue since applying the hotfix, although (at least in our case) it only seems to happen if the cfc exists in an application containing an application.cfc file. AFAIK, the following workarounds exist:

     

        1. Disable "Enable Request Debugging Output" in the CF administrator

        2. Create a .cfm proxy to use in your AJAX or Flash remoting requests which will invoke the CFC methods

        3. Append _cf_nodebug=true to the requests as either a URL or POST parameter

     

    In addition to the above error, it appears that the display of debugging info for remote CFC requests also changed with this hotfix (even if no application.cfc exists). Previously debug information was not appended to the debug output of these remote CFC requests (even if <cfsetting showdebugoutput="yes" />) but after applying the hotfix debugging info is now being appended to the output of these remote CFC requests. You can work around this by adding the following code to your application.cfm or application.cfc's onRequestEnd() function:

     

    <!--- Disable debugging info for remote CFC (i.e. AJAX) requests --->
    <cfif StructKeyExists(GetHTTPRequestData().headers, "X-Requested-With")>
        <cfsetting showdebugoutput="no" />
    </cfif>

     
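As an added example (not code from this thread, and not Adobe's), here is a browser-side caller that applies workaround 3 from the reply above on every request and, for the second problem that reply describes, refuses to accept a JSON body that has debug output appended to it rather than letting JSON.parse fail with an unhelpful SyntaxError. The CFC path, method name and the sample response bodies are assumptions constructed for illustration; the `_cf_nodebug` parameter, the `X-Requested-With` header the reply checks, and the optional `//` prefix from the Administrator's "Prefix serialized JSON" setting are real ColdFusion behaviour.

```javascript
// Added example, not code from the thread or from Adobe. Client-side helpers
// for calling a ColdFusion remote CFC method as JSON while the APSB13-10
// debug-output regressions are in play. Assumed: the CFC from the original
// post at /test.cfc with remote method myfunc; the sample bodies below are
// constructed, not captured from a server.

// Build the URL for a remote CFC call. Appending _cf_nodebug=true (workaround 3
// in the reply above) tells ColdFusion to skip debug output for this request;
// returnformat=json pins the wire format even if the function attribute changes.
function buildRemoteCfcUrl(base, cfcPath, method, params = {}) {
  const url = new URL(cfcPath, base);
  url.searchParams.set("method", method);
  url.searchParams.set("returnformat", "json");
  for (const [key, value] of Object.entries(params)) {
    url.searchParams.set(key, String(value));
  }
  url.searchParams.set("_cf_nodebug", "true");
  return url.toString();
}

// Index just past the JSON object/array starting at `start`, tracking string
// literals so braces inside strings are not counted. Returns -1 if unterminated.
function jsonValueEnd(text, start) {
  let depth = 0;
  let inString = false;
  for (let i = start; i < text.length; i++) {
    const c = text[i];
    if (inString) {
      if (c === "\\") i++;            // skip the escaped character
      else if (c === '"') inString = false;
      continue;
    }
    if (c === '"') inString = true;
    else if (c === "{" || c === "[") depth++;
    else if (c === "}" || c === "]") {
      depth--;
      if (depth === 0) return i + 1;
    }
  }
  return -1;
}

// Parse a remote CFC response body, distinguishing the three shapes the thread
// describes: clean JSON, the JRun HTML 500 page, and JSON with debug output
// appended after it. Returns { ok, value, reason }.
function parseRemoteCfcResponse(body) {
  let text = String(body).replace(/^\uFEFF/, "").trimStart();
  // The Administrator's "Prefix serialized JSON" option prepends "//" to remote
  // JSON as a JSON-hijacking mitigation; strip it before parsing.
  if (text.startsWith("//")) text = text.slice(2).trimStart();
  if (text.startsWith("<")) {
    // e.g. "<head><title>JRun Servlet Error</title>..." from the original post
    return { ok: false, value: null, reason: "server returned an HTML error page, not JSON" };
  }
  if (text[0] !== "{" && text[0] !== "[") {
    return { ok: false, value: null, reason: "response is not a JSON object or array" };
  }
  const end = jsonValueEnd(text, 0);
  if (end < 0) {
    return { ok: false, value: null, reason: "unterminated JSON value" };
  }
  const value = JSON.parse(text.slice(0, end));
  const trailing = text.slice(end).trim();
  if (trailing.length > 0) {
    // JSON.parse(body) would have thrown a SyntaxError here; report the real
    // cause instead. The appended markup is server debug output and should be
    // treated as a misconfiguration, not silently discarded.
    return { ok: false, value, reason: "debug output appended after JSON (" + trailing.length + " chars)" };
  }
  return { ok: true, value, reason: null };
}

// Fetch wrapper: sends X-Requested-With so the onRequestEnd check from the reply
// above also fires server-side, and throws with the diagnosed reason instead of
// a bare SyntaxError. fetchImpl is injectable so this can be exercised offline.
async function callRemoteCfc(base, cfcPath, method, params = {}, fetchImpl = fetch) {
  const res = await fetchImpl(buildRemoteCfcUrl(base, cfcPath, method, params), {
    headers: { "X-Requested-With": "XMLHttpRequest", Accept: "application/json" },
  });
  const parsed = parseRemoteCfcResponse(await res.text());
  if (!parsed.ok) {
    throw new Error("remote CFC call failed (HTTP " + res.status + "): " + parsed.reason);
  }
  return parsed.value;
}

// Constructed sample bodies (not captured output) covering the three cases.
const SAMPLE_CLEAN = '{"name":"ross"}';
const SAMPLE_WITH_DEBUG =
  '{"name":"ross"}\n<!-- constructed stand-in for appended CF debug output -->' +
  '<table class="cfdebug"><tr><td>Execution Time</td></tr></table>';
const SAMPLE_JRUN_ERROR =
  '<head><title>JRun Servlet Error</title></head><h1>500 </h1><body><pre>' +
  'coldfusion.server.DebuggingService.getShowAjaxDebug()Z</pre></body>';
```

The trailing-content check is deliberately a hard failure rather than a strip-and-continue: debug output appended to a remote response hands the calling client the request's templates, queries and variables, so a client that quietly discards it hides a server misconfiguration that should be fixed (Administrator setting, `_cf_nodebug`, or the `X-Requested-With` check in the reply) rather than tolerated.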
  • Apr 25, 2013 7:56 AM   in reply to ross_phillips

    Due to the issues this security fix introduces, I can't certify it for roll-out to production for our systems engineers. I realize Adobe can't release intimate details of the vulnerabilities publicly (although I'm sure hackers are well aware of the vulnerabilities already and how to exploit them), but can they at least (a) say they are working on a hotfix for the hotfix, or (b) offer some other workarounds to protect ourselves? For example, would removing full access to the CFAdmin from the internet (which is best practice anyway) be sufficient? Are there any other options to this beyond the ones Richard posted or not installing the hotfix?

     
  • Apr 25, 2013 4:18 PM   in reply to WolffenTCI

    Has anyone run into this issue on CF10, btw?

     