Re: Denial of Service bug?
On Mon, Sep 10, 2012 at 1:28 PM, Tony F wrote:

> Does 9.0.2 have any fixes not included in "9.0.1 Cumulative Hot Fix 2"?

There are 3 security hotfixes, APSB11-29, APSB12-15 and APSB12-06, that were released after 9.0.1 Cumulative Hotfix 2 (which includes all 9.0.1 security hotfixes prior to and including APSB11-14 for 9.0.1). Those security hotfixes are included in 9.0.2. Some more info here: http://www.petefreitag.com/item/804.cfm

The APSB12-06 hotfix is for a DOS vulnerability, the HashDos vulnerability, but the attack vector for that does not coincide with what you posted. More on HashDos here: http://www.petefreitag.com/tag/hashdos

I tested your example and was able to produce the original error but did not see subsequent requests failing, even when running through a load tool at 2000 requests / 20 concurrent. Not to say the issue doesn't exist in your setup; it could be specific to your setup or common to others - it sounds like it would be worth further investigation. You can pass the issue along to Adobe PSIRT http://www.adobe.com/support/security/alertus.html for proper handling, but make sure you have applied all the security hotfixes first.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352456
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Denial of Service bug?
9.0.2 is just 9.0.1 with all the fixes and updates and VERITY removed.

On Mon, Sep 10, 2012 at 6:28 PM, Tony F wrote:

> Hi:
>
> I THINK we are using the latest patched product, although it's hard to tell because Adobe has done something funky with the recent updates. They released a 9.0.2 without having any upgrade path from 9.0.1.
>
> I just noticed that there's a mystery "9.0.2" "clean install only" version out there, although no way to update from 9.0.1 to 9.0.2.
>
> What we have installed is 9.0 + 9.0.1 updater + Cumulative Hot Fix 2 for 9.0.1.
>
> Is what we currently have installed the latest and greatest, containing all patches issued to date?
>
> Does 9.0.2 have any fixes not included in "9.0.1 Cumulative Hot Fix 2"?
>
> I really, really, really don't want to have to reinstall, reconfigure, retest from scratch our production machines unless there's a very good reason.
>
> Thanks
>
> > > In the course of investigating a SQL injection attack attempt on our site, I came across a strange set of bugs.
> > > Using CF9, linux 64, apache.
> > >
> > > The attacking machine was sending POST requests to random templates containing ampersands inside a POST variable (i.e. not properly URL encoded). I am able to simulate the effect of the attack request with this:
> > >
> > > http://any_site.com/any.cfm"; method="POST">
> > > type="formfield">
> > >
> > > ColdFusion freaks out on seeing this and throws an exception before it even gets to the template:
> > >
> > > ROOT CAUSE: java.lang.IllegalArgumentException at coldfusion.filter.FormScope.parseQueryString(FormScope.java:355
> > >
> > > HTTP 500 is sent to the user.
> > >
> > > That's all fine and well, and if that was the only issue here, then no big deal. Unfortunately, at least on linux (I can't test other platforms), this error then proceeds to destabilize the JRun thread the next time a user loads a page and touches that worker thread, throwing the error:
> > >
> > > 09/06 22:41:41 error (JRun Service: ProxyService [jrun.servlet.jrpp.JRunProxyService@75602291]) JRunPRoxyServer.invokeRunnable: java.lang.IllegalStateException
> > >
> > > This other user, who had nothing to do with the original attack, gets sent an HTTP 503 error message as the thread terminates on them.
> > >
> > > What happened is that the attacker on our site sent hundreds/thousands of these malformed requests (through some mis-configured bot program), which has resulted in disruptions to regular users who are getting 503 errors forced onto them.
> > >
> > > So, I was curious if anyone else has seen this behavior before, and if so what can be done to stop it. Is there an underlying issue that has been patched that I'm not aware of? I note that there have been similar reports of related instability of threads: http://forums.adobe.com/thread/950350 but this seems to be a different case.
> >
> > What exact version of CF are you using? Has it been patched to the latest minor version? A lot of these kinds of issues are found and patched over the lifetime of the product. I don't know about this issue specifically, but that's what I'd do first - patch to the latest minor version and see if the problem still exists.
> >
> > Russ's suggestion to run FuseGuard is good overall, but I don't know if it would prevent this problem - since it's a CF app itself, I suspect it runs after the request has been handed to CF. It's worth a try, though, and it's a very good product.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > http://training.figleaf.com/
> >
> > Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352455
Re: Denial of Service bug?
Hi:

I THINK we are using the latest patched product, although it's hard to tell because Adobe has done something funky with the recent updates. They released a 9.0.2 without having any upgrade path from 9.0.1.

I just noticed that there's a mystery "9.0.2" "clean install only" version out there, although no way to update from 9.0.1 to 9.0.2.

What we have installed is 9.0 + 9.0.1 updater + Cumulative Hot Fix 2 for 9.0.1.

Is what we currently have installed the latest and greatest, containing all patches issued to date?

Does 9.0.2 have any fixes not included in "9.0.1 Cumulative Hot Fix 2"?

I really, really, really don't want to have to reinstall, reconfigure, retest from scratch our production machines unless there's a very good reason.

Thanks

> > In the course of investigating a SQL injection attack attempt on our site, I came across a strange set of bugs.
> > Using CF9, linux 64, apache.
> >
> > The attacking machine was sending POST requests to random templates containing ampersands inside a POST variable (i.e. not properly URL encoded). I am able to simulate the effect of the attack request with this:
> >
> > http://any_site.com/any.cfm"; method="POST">
> > type="formfield">
> >
> > ColdFusion freaks out on seeing this and throws an exception before it even gets to the template:
> >
> > ROOT CAUSE: java.lang.IllegalArgumentException at coldfusion.filter.FormScope.parseQueryString(FormScope.java:355
> >
> > HTTP 500 is sent to the user.
> >
> > That's all fine and well, and if that was the only issue here, then no big deal. Unfortunately, at least on linux (I can't test other platforms), this error then proceeds to destabilize the JRun thread the next time a user loads a page and touches that worker thread, throwing the error:
> >
> > 09/06 22:41:41 error (JRun Service: ProxyService [jrun.servlet.jrpp.JRunProxyService@75602291]) JRunPRoxyServer.invokeRunnable: java.lang.IllegalStateException
> >
> > This other user, who had nothing to do with the original attack, gets sent an HTTP 503 error message as the thread terminates on them.
> >
> > What happened is that the attacker on our site sent hundreds/thousands of these malformed requests (through some mis-configured bot program), which has resulted in disruptions to regular users who are getting 503 errors forced onto them.
> >
> > So, I was curious if anyone else has seen this behavior before, and if so what can be done to stop it. Is there an underlying issue that has been patched that I'm not aware of? I note that there have been similar reports of related instability of threads: http://forums.adobe.com/thread/950350 but this seems to be a different case.
>
> What exact version of CF are you using? Has it been patched to the latest minor version? A lot of these kinds of issues are found and patched over the lifetime of the product. I don't know about this issue specifically, but that's what I'd do first - patch to the latest minor version and see if the problem still exists.
>
> Russ's suggestion to run FuseGuard is good overall, but I don't know if it would prevent this problem - since it's a CF app itself, I suspect it runs after the request has been handed to CF. It's worth a try, though, and it's a very good product.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352454
Re: Denial of Service bug?
> In the course of investigating a SQL injection attack attempt on our site, I came across a strange set of bugs.
> Using CF9, linux 64, apache.
>
> The attacking machine was sending POST requests to random templates containing ampersands inside a POST variable (i.e. not properly URL encoded). I am able to simulate the effect of the attack request with this:
>
> http://any_site.com/any.cfm"; method="POST">
> type="formfield">
>
> ColdFusion freaks out on seeing this and throws an exception before it even gets to the template:
>
> ROOT CAUSE: java.lang.IllegalArgumentException at coldfusion.filter.FormScope.parseQueryString(FormScope.java:355
>
> HTTP 500 is sent to the user.
>
> That's all fine and well, and if that was the only issue here, then no big deal. Unfortunately, at least on linux (I can't test other platforms), this error then proceeds to destabilize the JRun thread the next time a user loads a page and touches that worker thread, throwing the error:
>
> 09/06 22:41:41 error (JRun Service: ProxyService [jrun.servlet.jrpp.JRunProxyService@75602291]) JRunPRoxyServer.invokeRunnable: java.lang.IllegalStateException
>
> This other user, who had nothing to do with the original attack, gets sent an HTTP 503 error message as the thread terminates on them.
>
> What happened is that the attacker on our site sent hundreds/thousands of these malformed requests (through some mis-configured bot program), which has resulted in disruptions to regular users who are getting 503 errors forced onto them.
>
> So, I was curious if anyone else has seen this behavior before, and if so what can be done to stop it. Is there an underlying issue that has been patched that I'm not aware of? I note that there have been similar reports of related instability of threads: http://forums.adobe.com/thread/950350 but this seems to be a different case.

What exact version of CF are you using? Has it been patched to the latest minor version? A lot of these kinds of issues are found and patched over the lifetime of the product. I don't know about this issue specifically, but that's what I'd do first - patch to the latest minor version and see if the problem still exists.

Russ's suggestion to run FuseGuard is good overall, but I don't know if it would prevent this problem - since it's a CF app itself, I suspect it runs after the request has been handed to CF. It's worth a try, though, and it's a very good product.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352453
Re: Denial of Service bug?
The answer you will get from most folks is to fix your code to block such attacks, but that can be time consuming. The quick solution would be to install an application firewall on the server, which should block stuff like this; here is a CF-specific solution: http://foundeo.com/security/

Then you have more time to properly check and secure your code.

Regards
Russ Michaels

On Sep 7, 2012 11:07 PM, "Tony F" wrote:

> Hi list. Long time lurker -
>
> In the course of investigating a SQL injection attack attempt on our site, I came across a strange set of bugs. Using CF9, linux 64, apache.
>
> The attacking machine was sending POST requests to random templates containing ampersands inside a POST variable (i.e. not properly URL encoded). I am able to simulate the effect of the attack request with this:
>
> http://any_site.com/any.cfm"; method="POST">
> type="formfield">
>
> ColdFusion freaks out on seeing this and throws an exception before it even gets to the template:
>
> ROOT CAUSE: java.lang.IllegalArgumentException at coldfusion.filter.FormScope.parseQueryString(FormScope.java:355
>
> HTTP 500 is sent to the user.
>
> That's all fine and well, and if that was the only issue here, then no big deal. Unfortunately, at least on linux (I can't test other platforms), this error then proceeds to destabilize the JRun thread the next time a user loads a page and touches that worker thread, throwing the error:
>
> 09/06 22:41:41 error (JRun Service: ProxyService [jrun.servlet.jrpp.JRunProxyService@75602291]) JRunPRoxyServer.invokeRunnable: java.lang.IllegalStateException
>
> This other user, who had nothing to do with the original attack, gets sent an HTTP 503 error message as the thread terminates on them.
>
> What happened is that the attacker on our site sent hundreds/thousands of these malformed requests (through some mis-configured bot program), which has resulted in disruptions to regular users who are getting 503 errors forced onto them.
>
> So, I was curious if anyone else has seen this behavior before, and if so what can be done to stop it. Is there an underlying issue that has been patched that I'm not aware of? I note that there have been similar reports of related instability of threads: http://forums.adobe.com/thread/950350 but this seems to be a different case.
>
> Thanks for any ideas you may have.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352451
Denial of Service bug?
Hi list. Long time lurker -

In the course of investigating a SQL injection attack attempt on our site, I came across a strange set of bugs. Using CF9, linux 64, apache.

The attacking machine was sending POST requests to random templates containing ampersands inside a POST variable (i.e. not properly URL encoded). I am able to simulate the effect of the attack request with this:

http://any_site.com/any.cfm"; method="POST">

ColdFusion freaks out on seeing this and throws an exception before it even gets to the template:

ROOT CAUSE: java.lang.IllegalArgumentException at coldfusion.filter.FormScope.parseQueryString(FormScope.java:355

HTTP 500 is sent to the user.

That's all fine and well, and if that was the only issue here, then no big deal. Unfortunately, at least on linux (I can't test other platforms), this error then proceeds to destabilize the JRun thread the next time a user loads a page and touches that worker thread, throwing the error:

09/06 22:41:41 error (JRun Service: ProxyService [jrun.servlet.jrpp.JRunProxyService@75602291]) JRunPRoxyServer.invokeRunnable: java.lang.IllegalStateException

This other user, who had nothing to do with the original attack, gets sent an HTTP 503 error message as the thread terminates on them.

What happened is that the attacker on our site sent hundreds/thousands of these malformed requests (through some mis-configured bot program), which has resulted in disruptions to regular users who are getting 503 errors forced onto them.

So, I was curious if anyone else has seen this behavior before, and if so what can be done to stop it. Is there an underlying issue that has been patched that I'm not aware of? I note that there have been similar reports of related instability of threads: http://forums.adobe.com/thread/950350 but this seems to be a different case.

Thanks for any ideas you may have.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352450
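A defender-side check for the pattern Tony describes, added here as an example and not code from the thread: it scans a log excerpt for the two errors quoted above, flags minutes with a burst of the parseQueryString failure, and counts IllegalStateException thread deaths that follow one closely. The sample lines, the assumption that every scanned line carries the "MM/DD HH:MM:SS" prefix seen on the JRun line, and the year 2012 are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumptions: every line starts with JRun's "MM/DD HH:MM:SS" prefix (it has no
# year, so 2012 is assumed from the thread's date).
LOG_YEAR = 2012
TS_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) ")
FORM_ERR = "coldfusion.filter.FormScope.parseQueryString"
THREAD_ERR = "invokeRunnable: java.lang.IllegalStateException"

# Constructed sample modelled on the two error lines quoted in the thread (not real data).
SAMPLE_LOG = """\
09/06 22:41:30 error ROOT CAUSE: java.lang.IllegalArgumentException at coldfusion.filter.FormScope.parseQueryString(FormScope.java:355)
09/06 22:41:31 error ROOT CAUSE: java.lang.IllegalArgumentException at coldfusion.filter.FormScope.parseQueryString(FormScope.java:355)
09/06 22:41:33 error ROOT CAUSE: java.lang.IllegalArgumentException at coldfusion.filter.FormScope.parseQueryString(FormScope.java:355)
09/06 22:41:41 error (JRun Service: ProxyService [jrun.servlet.jrpp.JRunProxyService@75602291]) JRunPRoxyServer.invokeRunnable: java.lang.IllegalStateException
09/06 22:41:45 error (JRun Service: ProxyService [jrun.servlet.jrpp.JRunProxyService@75602291]) JRunPRoxyServer.invokeRunnable: java.lang.IllegalStateException
09/06 23:10:02 error ROOT CAUSE: java.lang.IllegalArgumentException at coldfusion.filter.FormScope.parseQueryString(FormScope.java:355)
09/06 23:30:00 info  Unrelated line that the scanner must ignore
"""

def parse_line(line):
    """Return (timestamp, kind) for the two errors of interest, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR}/{m.group(1)}", "%Y/%m/%d %H:%M:%S")
    if FORM_ERR in line:
        return ts, "form"
    if THREAD_ERR in line:
        return ts, "thread"
    return None

def analyse(log_text, burst_threshold=3, cascade_window=120):
    """Flag minutes with >= burst_threshold malformed-POST failures and count
    IllegalStateException thread deaths within cascade_window seconds after one."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    form_times = [t for t, k in events if k == "form"]
    thread_times = [t for t, k in events if k == "thread"]
    per_minute = Counter(t.strftime("%m/%d %H:%M") for t in form_times)
    bursts = sorted(m for m, n in per_minute.items() if n >= burst_threshold)
    window = timedelta(seconds=cascade_window)
    cascaded = sum(1 for t in thread_times
                   if any(timedelta(0) <= t - f <= window for f in form_times))
    return {"form_errors": len(form_times), "thread_errors": len(thread_times),
            "burst_minutes": bursts, "cascaded": cascaded}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

On the sample, the 22:41 minute is reported as a burst and both thread deaths are attributed to it, which is the signal to compare against the 503s users reported.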