Web Trenches

Adobe ColdFusion 9 Hotfix APSB12-06 Causes Problems with Large Forms

The most recent hotfix for ColdFusion 9 can cause problems for people who have very large form submissions.  The fix imposes a limit of 100 form fields per submit.  There is an override available for the default behavior, though.  I would recommend applying the patch to fix the security flaw, but then adjusting the default behavior if you have any big forms.

Information about the hotfix: http://www.infosecurity-magazine.com/view/24510/adobe-ships-patch-for-coldfusion-flaw-that-could-lead-to-dos-attacks/

If you apply the hotfix, then try to submit a form with more than 100 form fields, the server responds with a generic HTTP 500 error.  Even with detailed errors turned on, it is still just a 500 error.  

The workaround is fairly simple, but does require server access.  

From Adobe:
——-
Customers who want to change postParameterLimit, go to {ColdFusion-Home}/lib for Server installation or {ColdFusion-Home}/WEB-INF/cfusion/lib for Multiserver or J2EE installation. Open file neo-runtime.xml, after line

"<var name='postSizeLimit'><number>100.0</number></var>"

add the below line and you can change 100 with desired number.

"<var name='postParametersLimit'><number>100.0</number></var>"

——

Change the 100.0 to a higher number to accommodate any form submissions with more fields.  
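As an added example (not from the original post or from Adobe), the small script below applies the workaround above without hand-editing neo-runtime.xml: it inserts the postParametersLimit var directly after postSizeLimit, or updates the number if the var is already there, and refuses to touch a file that lacks the postSizeLimit anchor. It uses the var name exactly as written in the quoted XML (postParametersLimit); the sample fragment and its neighbouring var are constructed for the demonstration.

```python
"""Set postParametersLimit in a ColdFusion 9 neo-runtime.xml (APSB12-06 workaround)."""
import re
import shutil
import sys

# Anchor line Adobe's note tells you to insert after.
SIZE_RE = re.compile(r"<var name='postSizeLimit'><number>[0-9.]+</number></var>")
# The override var, with the number captured so it can be updated in place.
PARAMS_RE = re.compile(
    r"(<var name='postParametersLimit'><number>)([0-9.]+)(</number></var>)")


def set_post_parameters_limit(xml_text: str, limit: int) -> str:
    """Return xml_text with postParametersLimit = limit (rest of file untouched)."""
    if limit < 1:
        raise ValueError("limit must be a positive field count")
    if PARAMS_RE.search(xml_text):
        # Already overridden once: just change the number, never add a duplicate var.
        return PARAMS_RE.sub(lambda m: f"{m.group(1)}{limit}.0{m.group(3)}",
                             xml_text, count=1)
    anchor = SIZE_RE.search(xml_text)
    if anchor is None:
        raise ValueError("postSizeLimit var not found; refusing to guess where to insert")
    new_var = f"<var name='postParametersLimit'><number>{limit}.0</number></var>"
    return xml_text[:anchor.end()] + "\n" + new_var + xml_text[anchor.end():]


def current_limit(xml_text: str) -> int:
    """Effective field limit: the explicit var if present, else the hotfix default of 100."""
    m = PARAMS_RE.search(xml_text)
    return int(float(m.group(2))) if m else 100


# Constructed sample fragment; a real neo-runtime.xml is a much larger WDDX packet
# and 'exampleOtherSetting' is a placeholder, not a real ColdFusion setting.
SAMPLE = """<wddxPacket version='1.0'><header/><data><struct type='coldfusion.server.ConfigMap'>
<var name='postSizeLimit'><number>100.0</number></var>
<var name='exampleOtherSetting'><number>4.0</number></var>
</struct></data></wddxPacket>"""

if __name__ == "__main__":
    # Usage: python set_limit.py /path/to/neo-runtime.xml 500
    path, limit = sys.argv[1], int(sys.argv[2])
    shutil.copyfile(path, path + ".bak")          # keep a copy of the original
    with open(path, encoding="utf-8") as f:
        text = f.read()
    with open(path, "w", encoding="utf-8") as f:
        f.write(set_post_parameters_limit(text, limit))
    print(f"postParametersLimit set to {limit}; restart ColdFusion to apply it")
```

The new value only takes effect after a ColdFusion service restart, so plan the change for a maintenance window on production.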

When I first saw this in the documentation, I didn't realize what it was.  I also would have never thought I'd have a form with more than 100 fields, but I did.  This comes into play when you have a number of hidden fields or checkboxes on the form.  It could also impact long forms, such as job applications.

19 Replies to “Adobe ColdFusion 9 Hotfix APSB12-06 Causes Problems with Large Forms”

  1. I’ve been dealing with a random 500 error for 48 hours now! I installed CF 9.02 on a new Windows 2008 R2 server and have been pulling my hair out trying to figure out this issue! THANK YOU FOR POSTING THIS!

  2. This post was a lifesaver. Wasted an hour trying to figure out what the hell was going on with one of my larger forms. Figured out it was throwing the error after 100 fields, but couldn’t for the life of me figure out why – memory limitation? Some obscure setting? THANK YOU

  3. Doesn’t increasing the value then open up the original vulnerability again? Or was the issue that there was no limit originally?

  4. The issue was that there was no limit at all. The higher the number the more vulnerable you are to someone blasting your page with a large fake form request, but the difference in risk between 100 and 200 (for example) is pretty insignificant. Also, in most cases forms this large are behind a log in and wouldn’t be left open for an attack like this anyhow.

  5. Thanks for this post. We have one long form that I know of and it was affected when we installed a fix to 9.0.1. I have no idea how long it would have taken to diagnose this issue without your post!!

    http 500 – what a helpful message! At least it helped me find this post!

  6. What are the security implications of increasing this value? Can the value be increased only for a specific application?

  7. @Rick – This question is probably better asked on an Adobe forum, but here is my understanding… the more form fields you allow, the more vulnerable you are to someone attempting a buffer overload or DoS attack on your CF server using your form. So, the risk increases as the number increases. You should set it to the lowest number that still accommodates your form needs.

  8. Wow thank you so much for posting this fix. I was pulling my hair out trying to figure out what was causing this error. You’d think Adobe would at least return an exception error explaining that the field limit had been reached. Thanks again! +100 internets awarded.

  9. This helped a lot. Thanks.
    Had this issue on production. This needs a ColdFusion service restart though, which kind of is not that great..

  10. Thanks so much for this post. It provided a fruitful end to a full day of (like David Levin) tearing my hair out. For me I never got the 500 error page. I had to go sleuthing for it in the Firefox network console. The browser itself just displayed a blank page…nothing, nada. I thought I had isolated the problem to a single set of inputs (16) that had a variable name (attached to a counter). I would delete that one statement and it would work, so I mistakenly thought it was the statement that was wrong. Now I realized, it just happened to be the statement that put it over the 100 limit. In any event, thanks again!

  11. Wow, thanks. I thought it was me! I thought it was me! Lots-o-checkboxes are the ultimate gotcha on this because the size of the form post is small even though the number of inputs is high. This didn’t occur to me for a long time.

  12. Thanks for this post. I only wish I had searched for ColdFusion and 500 error before I spent 20 hours refactoring my application. Once I found this, I was fixed in 5 minutes.

    Many thanks for the info.

  13. Thanks for posting this! I knew the issue was related to form size because my smaller forms were working just fine BUT I couldn’t figure out how to fix it. After spinning my wheels for almost 4 hours I found this post… Problem solved!

    Many Thanks!

  14. I spent like a week trying to figure out what was happening; the 500 error doesn’t provide any information about the bug so I was totally lost. This is my favorite post of the month, thank you!!!… I fixed like 5 different websites now.
