After completing the install process of the hotfix I get the following error when debugging ("Enable Request Debugging Output") is on and the response comes from a remote function whose returnformat is JSON. Did I miss something in the process? Any thoughts?
This is the test component:
<cfcomponent>
    <!--- Remote method returning a struct serialized as JSON --->
    <cffunction name="myfunc" access="remote" returntype="struct" output="true" returnformat="JSON">
        <cfscript>
            var st = {};
            st["name"] = "ross";
            return st;
        </cfscript>
    </cffunction>
</cfcomponent>
Called in the following fashion:
http://localhost/test.cfc?Method=myfunc
The error:
<head><title>JRun Servlet Error</title></head><h1>500 </h1><body>
<pre>
coldfusion.server.DebuggingService.getShowAjaxDebug()Z</pre><br><pre>
javax.servlet.ServletException: coldfusion.server.DebuggingService.getShowAjaxDebug()Z
at coldfusion.xml.rpc.CFCServlet.invoke(CFCServlet.java:155)
at coldfusion.xml.rpc.CFCServlet.doGet(CFCServlet.java:265)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
at jrun.servlet.FilterChain.service(FilterChain.java:101)
at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
</pre></body>
We are also getting this error. Along with the bug listed here
https://bugbase.adobe.com/index.cfm?event=bug&id=3540876
This hotfix seems to have broken many things, and who knows what else is not working? Adobe needs to address this issue as soon as possible, this is unacceptable.
Thanks Brian for alerting me to that other issue.
I decided I had better create one, as it is not just me.
https://bugbase.adobe.com/index.cfm?event=bug&id=3544895
Hopefully there will be some traction on these bugs.
We have also started experiencing this issue since applying the hotfix, although (at least in our case) it only seems to happen if the CFC exists in an application containing an Application.cfc file. AFAIK, the following workarounds exist:
1. Disable "Enable Request Debugging Output" in the CF administrator
2. Create a .cfm proxy to use in your AJAX or Flash remoting requests which will invoke the CFC methods
3. Append _cf_nodebug=true to the requests as either a URL or POST parameter
In addition to the above error, it appears that the display of debugging info for remote CFC requests also changed with this hotfix (even if no application.cfc exists). Previously debug information was not appended to the debug output of these remote CFC requests (even if <cfsetting showdebugoutput="yes" />) but after applying the hotfix debugging info is now being appended to the output of these remote CFC requests. You can work around this by adding the following code to your application.cfm or application.cfc's onRequestEnd() function:
<!--- Disable debugging info for remote CFC (i.e. AJAX) requests --->
<cfif StructKeyExists(GetHTTPRequestData().headers, "X-Requested-With")>
    <cfsetting showdebugoutput="no" />
</cfif>
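The following is an added example of workaround 2 from the list above (a .cfm proxy in front of the CFC); it is not code from the original thread. It assumes the component is test.cfc from the first post, sitting in the same directory as the proxy, and that the only method to expose is myfunc. Because the proxy, not the CFC's access="remote" declaration, now decides what the outside world can call, it allowlists method names explicitly rather than taking a component or method name straight from the request, and it switches debug output off for its own page so the JSON stays clean regardless of the Administrator setting:

```cfml
<!--- proxy.cfm (added example, not from the original thread).
      Called as: http://localhost/proxy.cfm?method=myfunc
      Assumptions: test.cfc lives beside this file and myfunc takes no arguments. --->
<cfsetting enablecfoutputonly="true" showdebugoutput="false" />

<!--- Only the methods listed here may be reached through the proxy. Taking the
      component or method name directly from the URL would let any caller invoke
      any public method of any CFC the server can resolve. --->
<cfset allowedMethods = "myfunc" />
<cfparam name="url.method" default="" />

<cfif NOT listFindNoCase(allowedMethods, url.method)>
    <cfheader statuscode="404" statustext="Not Found" />
    <cfcontent type="application/json" reset="true" />
    <cfoutput>#serializeJSON({ "error" = "unknown method" })#</cfoutput>
    <cfabort />
</cfif>

<!--- Build the argument collection by hand. Passing the whole URL or FORM scope
      would let callers inject parameters the target method never expected. --->
<cfset args = {} />

<cfinvoke component="test"
          method="#url.method#"
          argumentcollection="#args#"
          returnvariable="result" />

<!--- Emit the result as JSON with the right content type; reset="true" discards
      any whitespace or stray output generated before this point. --->
<cfcontent type="application/json" reset="true" />
<cfoutput>#serializeJSON(result)#</cfoutput>
```

Because the proxy invokes the component in-process, the CFC method no longer needs access="remote" to be reachable through it; if you keep the remote declaration as well, the method stays callable directly at test.cfc?method=myfunc and is still subject to the debugging-output problem described in this thread, so remove or restrict it if the proxy is meant to be the only entry point.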
Thanks Richard for your suggested work around and your comments on the bug.
Due to the issues this security fix introduces, I can't certify it for roll-out to production for our systems engineers. I realize Adobe can't release intimate details of the vulnerabilities publicly (although I'm sure hackers are well aware of the vulnerabilities already and how to exploit them), but can they at least (a) say they are working on a hotfix for the hotfix, or (b) offer some other workarounds to protect ourselves? For example, would removing full access to the CFAdmin from the internet (which is best practice anyway) be sufficient? Are there any other options to this beyond the ones Richard posted or not installing the hotfix?
Has anyone run into this issue on CF10, btw?