Post ColdFusion Security Hotfix APSB13-10 - error on JSON returned with debug on

New Here, Apr 17, 2013

After completing the install process of the hotfix I get the following error when debugging ("Enable Request Debugging Output") is on and the response comes from a remote function whose returnformat is JSON.  Did I miss something in the process?  Any thoughts?

This is the test component:

<cfcomponent>
    <cffunction name="myfunc" access="remote" returntype="struct" output="true" returnformat="JSON">
        <cfscript>
            var st = {};
            st["name"] = "ross";
            return st;
        </cfscript>
    </cffunction>
</cfcomponent>

Called in the following fashion:

http://localhost/test.cfc?Method=myfunc

The error:

<head><title>JRun Servlet Error</title></head><h1>500 </h1><body>
<pre>
coldfusion.server.DebuggingService.getShowAjaxDebug()Z</pre><br><pre>
javax.servlet.ServletException: coldfusion.server.DebuggingService.getShowAjaxDebug()Z
    at coldfusion.xml.rpc.CFCServlet.invoke(CFCServlet.java:155)
    at coldfusion.xml.rpc.CFCServlet.doGet(CFCServlet.java:265)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
    at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
    at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
    at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
    at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
    at jrun.servlet.FilterChain.service(FilterChain.java:101)
    at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
    at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
    at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
    at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
    at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
    at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
    at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
</pre></body>

New Here, Apr 18, 2013

We are also getting this error.  Along with the bug listed here

https://bugbase.adobe.com/index.cfm?event=bug&id=3540876

This hotfix seems to have broken many things, and who knows what else is not working?  Adobe needs to address this issue as soon as possible, this is unacceptable.

New Here, Apr 18, 2013

Thanks Brian for alerting me to that other issue.

I decided I had better create one, as it is not just me.

https://bugbase.adobe.com/index.cfm?event=bug&id=3544895

Hopefully there will be some traction on these bugs.

Community Beginner, Apr 19, 2013

We have also started experiencing this issue since applying the hotfix, although (at least in our case) it only seems to happen if the cfc exists in an application containing an application.cfc file. AFAIK, the following workarounds exist:

    1. Disable "Enable Request Debugging Output" in the CF administrator
    2. Create a .cfm proxy to use in your AJAX or Flash remoting requests which will invoke the CFC methods
    3. Append _cf_nodebug=true to the requests as either a URL or POST parameter

In addition to the above error, it appears that the display of debugging info for remote CFC requests also changed with this hotfix (even if no application.cfc exists). Previously debug information was not appended to the debug output of these remote CFC requests (even if <cfsetting showdebugoutput="yes" />) but after applying the hotfix debugging info is now being appended to the output of these remote CFC requests. You can work around this by adding the following code to your application.cfm or application.cfc's onRequestEnd() function:

<!--- Disable debugging info for remote CFC (i.e. AJAX) requests --->
<cfif StructKeyExists(GetHTTPRequestData().headers, "X-Requested-With")>
    <cfsetting showdebugoutput="no" />
</cfif>
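As an added example (not code posted in this thread), here is a complete Application.cfc built around the check above. The component name, the private isRemoteRequest() helper and the CGI.SCRIPT_NAME test for direct .cfc calls (which carry no X-Requested-With header, like the test URL in the first post) are assumptions of this example.

```cfml
<!--- Application.cfc (added example): keep debug output off remote CFC / AJAX responses.
      Debug HTML appended to a JSON body breaks the client-side parser and exposes
      server internals (file paths, queries, variable dumps) to whoever called the endpoint. --->
<cfcomponent output="false">
    <cfset this.name = "debugSafeApp">  <!--- assumed application name --->

    <cffunction name="isRemoteRequest" access="private" returntype="boolean" output="false">
        <cfset var headers = GetHTTPRequestData().headers>
        <!--- AJAX libraries (jQuery, ExtJS, ...) send X-Requested-With: XMLHttpRequest --->
        <cfif StructKeyExists(headers, "X-Requested-With")>
            <cfreturn true>
        </cfif>
        <!--- Direct calls such as /test.cfc?method=myfunc have no such header,
              so also treat any request whose script is a .cfc as remote (assumed check) --->
        <cfif ReFindNoCase("\.cfc$", CGI.SCRIPT_NAME)>
            <cfreturn true>
        </cfif>
        <cfreturn false>
    </cffunction>

    <cffunction name="onRequestEnd" returntype="void" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- onRequestEnd runs for remote CFC method calls, so the setting takes effect
              before ColdFusion appends the debug block to the response --->
        <cfif isRemoteRequest()>
            <cfsetting showdebugoutput="no">
        </cfif>
    </cffunction>
</cfcomponent>
```

Leaving "Enable Request Debugging Output" enabled on a production server is still the root exposure; this only hides the output for remote calls.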

New Here, Apr 21, 2013

Thanks Richard for your suggested workaround and your comments on the bug.

New Here, Apr 25, 2013

Due to the issues this security fix introduces, I can't certify it for roll-out to production for our systems engineers. I realize Adobe can't release intimate details of the vulnerabilities publicly (although I'm sure hackers are well aware of the vulnerabilities already and how to exploit them), but can they at least (a) say they are working on a hotfix for the hotfix, or (b) offer some other workarounds to protect ourselves? For example, would removing full access to the CFAdmin from the internet (which is best practice anyway) be sufficient? Are there any other options to this beyond the ones Richard posted or not installing the hotfix?

New Here, Apr 25, 2013

Has anyone run into this issue on CF10, btw?
