Sep 13, 2016

Large forms and the new ColdFusion HashDos Security HotFix

I recently took an issue where a CF Server started to return 500 Errors after the HashDos security fix was deployed.
 
http://www.adobe.com/support/security/bulletins/apsb12-06.html
 
The issue came down to how many form elements they were submitting. The HashDos fix adds a new parameter that you need to look at closely if you think you have forms longer than 100 elements.
 
The error does not go to your error handler, and it looks as if your server is down.
 
HTTP Error 500 (Internal Server Error): An unexpected condition was encountered while the server was attempting to fulfill the request
 
It does not leave any log entries in the ColdFusion logs, so this can be tricky to figure out if you don't immediately relate it to the security fix. It can also be frustrating, since it comes up only after submitting large, time-consuming forms.
 
The security KB describes how to adjust a new parameter in neo-runtime.xml, which is NOT in the CF Admin.
 
You need to edit your neo-runtime.xml file and add a new parameter called postParametersLimit and adjust it to your largest form size. Once you change this setting to allow for your largest form you should be fine.
 
Here is the code I used to test a large form:
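<code>
<!--- Builds a form with 110 text fields plus the submit button, which is more than 100 elements --->
<cfform name="test" method="post">
<cfinput type="submit" name="submitform">
<cfloop from="1" to="110" index="i">
    <cfinput name="f#i#" type="text" value="#i#" /><br />
</cfloop>
</cfform>
</code>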
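
To size postParametersLimit you need the field count of your largest form. The following is an added example, not code from the original post: a Python sketch that counts the named controls in each form of a rendered page and flags forms over the limit. The function names are hypothetical, the sample page is constructed to match what the test form above renders, and treating a count equal to the limit as allowed is an assumption.

```python
from html.parser import HTMLParser

# Tags whose named instances can contribute a parameter to the POST body.
FIELD_TAGS = {"input", "select", "textarea", "button"}


class FormFieldCounter(HTMLParser):
    """Counts named controls per <form>: a worst-case POST parameter count."""

    def __init__(self):
        super().__init__()
        self.forms = []          # one [form_name, field_count] entry per form
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            label = attrs.get("name") or f"form#{len(self.forms) + 1}"
            self.forms.append([label, 0])
            self._in_form = True
        elif self._in_form and tag in FIELD_TAGS and attrs.get("name"):
            # Disabled controls are never submitted, so they do not count.
            if "disabled" not in attrs:
                self.forms[-1][1] += 1

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def audit_forms(html, limit=100):
    """Return (form_name, field_count, exceeds_limit) for every form in html.

    limit defaults to 100, the form size the post gives as the threshold.
    Assumption: a count equal to the limit is still accepted.
    """
    parser = FormFieldCounter()
    parser.feed(html)
    parser.close()
    return [(name, count, count > limit) for name, count in parser.forms]


def build_sample_page(fields):
    """Constructed sample: HTML shaped like the rendered test form."""
    inputs = "".join(
        f'<input name="f{i}" type="text" value="{i}" /><br />'
        for i in range(1, fields + 1)
    )
    submit = '<input type="submit" name="submitform">'
    return f'<form name="test" method="post">{submit}{inputs}</form>'


if __name__ == "__main__":
    for name, count, over in audit_forms(build_sample_page(110)):
        print(f"{name}: {count} parameters, over limit: {over}")
```

The count is an upper bound: unchecked checkboxes and radio buttons are counted even though a browser would not submit them, which is the safe direction when choosing a limit.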
