2
votes

We use automated security probing and it revealed a vulnerability which is causing a 500 response returning the default error. The information leakage on the returned error by JRun is considered the vulnerability. This 500 error is occurring above CF in JRun and cannot be handled by CF.

Here is a test code snippet to cause the internal JRun error:

<cfhttp url="https://www.domain.com/FormController.cfc" method="post" result="r">
<cfhttpparam type="header" name="Accept" value="text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" />
<cfhttpparam type="header" name="Accept-Charset" value="ISO-8859-1,utf-8;q=0.7,*;q=0.7" />
<cfhttpparam type="header" name="Accept-Encoding" value="gzip;q=1.0, x-gzip;q=0.9, x-bzip2;q=0.9, deflate;q=0.8, identity;q=0.5, base64;q=0.1, quoted-printable;q=0.1, compress;q=0, *;q=0" />
<cfhttpparam type="header" name="Accept-Language" value="en-us,en;q=0.5" />
<cfhttpparam type="header" name="User-Agent" value="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20100101 Firefox/13.0.1 WhiteHat Security" />
<cfhttpparam type="header" name="Content-Length" value="158" />
<cfhttpparam type="header" name="Content-Type" value="application/x-www-form-urlencoded" />
<cfhttpparam type="body" value="Method=%u002e%u002e%u2216%u002e%u002e%u2216%u002e%u002e%u2216%u002e%u002e%u2216%u002e%u002e%u2216%u002e%u002e%u2216%u002e%u002e%u2216%u002e%u002e%u2216%u002e%u002e%u2216%u002e%u002e%u2216boot%u002eini%00">
</cfhttp>

<cfdump var="#r#">
<cfoutput>#r.filecontent#</cfoutput>

I used the information provided here: Handling 500 JRun servlet in ColdFusion to add a custom handler in to JRun for a 500 error like this:

<error-page>
  <error-code>500</error-code>
  <location>/WEB-INF/error-pages/500error.jsp</location>
</error-page>

The 500error.jsp file just output some basic information like "Oops, an error occurred..." and the status code and the message, but not the stack trace.

This worked fine in development on my MBP using CF9 Developer version. When I put it into production last night (on a CF9 Standard / Win2k server) I expected it to just work. When I ran the test snippet again, though, instead of returning the custom error it returned the standard servlet error. I double checked the paths and thought maybe there was an error in the jsp. I changed it to pure html and still got the default error.

Out of pure randomness I tried http://www.domain.com/error-pages/500error.jsp. I didn't think anything would happen other than a 404, but I actually got this:

500

A License exception has occurred: You tried to access a restricted feature for the Standard edition: JSP


coldfusion.license.LicenseManager$LicenseIllegalAccessException: A License exception has occurred: You tried to access a restricted feature for the Standard edition: JSP
    at coldfusion.license.LicenseManager.byte(Unknown Source)
    at coldfusion.license.LicenseManager.checkJSP(Unknown Source)
    at coldfusion.license.JspLicenseServlet.service(Unknown Source)
    at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
    at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
    at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
    at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
    at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
    at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
    at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)
    at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
    at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)
    at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

So, it seems like jsp is not a feature of Standard edition? So I then tried to just change 500error.jsp to 500error.html. Made the change in the file name, made it static html, updated the web.xml, restarted, and now I get a 403 Forbidden on the POST and from hitting http://www.domain.com/error-pages/500error.html.

So I'm not sure what's going on. Is custom handling at the JRun level like this just not allowed with Standard edition? It works on Developer edition because it is basically unrestricted? Couldn't find an answer in the docs. Is there another way to handle this 500 other than the JRun solution?

Thanks

2
Did you try providing a .cfm page for the error page? I'd be curious as to whether that worked. - barnyr
No luck. Using /WEB-INF/error-pages/500error.cfm resulted in a standard CF "file not found" error saying the file at that path could not be found. - crazy4mustang
Just for grins, did you try using an html page located elsewhere, i.e. outside of /web-inf/? - Leigh
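As an added example that is not part of the question or the answers: a small Python check that, given an HTTP status and response body, reports whether the body is a raw servlet-container error page (Java exception header plus stack frames, which is the leakage the probe flagged) or the intended custom error page, so the fix can be verified on each environment without reading the response by hand. The two sample bodies are constructed, modelled on the trace quoted in the question; the function names are mine and assume nothing about CF or JRun beyond the trace format shown above.

```python
import re

# One Java stack frame line, e.g.
#   "    at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)"
# Group 1 captures the dotted class prefix ("jrun.servlet.ServletInvoker.").
FRAME_RE = re.compile(r"^\s*at\s+((?:[\w$]+\.)+)[\w$<>]+\([^)]*\)\s*$", re.MULTILINE)

# An exception header line, e.g.
#   "coldfusion.license.LicenseManager$LicenseIllegalAccessException: A License ..."
EXCEPTION_RE = re.compile(r"^[\w$.]+(?:Exception|Error)\b", re.MULTILINE)


def stack_trace_markers(body: str) -> dict:
    """Count stack-frame and exception-header lines in a response body and
    list the top-level Java packages those frames expose (e.g. 'jrun')."""
    prefixes = FRAME_RE.findall(body)
    packages = sorted({p.split(".")[0] for p in prefixes})
    return {
        "frames": len(prefixes),
        "exceptions": len(EXCEPTION_RE.findall(body)),
        "packages": packages,
    }


def leaks_stack_trace(body: str) -> bool:
    """True when the body looks like a raw container error page."""
    m = stack_trace_markers(body)
    return m["frames"] > 0 or m["exceptions"] > 0


def check_response(status: int, body: str) -> str:
    """Verdict for one error response: LEAK if internals are exposed, CLEAN otherwise.
    A non-500 status (e.g. the 403 seen after switching to html) is reported as-is
    so the operator notices the handler was not reached at all."""
    if status != 500:
        return f"UNEXPECTED-{status}"
    return "LEAK" if leaks_stack_trace(body) else "CLEAN"


# Constructed sample responses (not captured from a live server), modelled on
# the trace quoted in the question.
LEAKING_BODY = """500

A License exception has occurred: You tried to access a restricted feature for the Standard edition: JSP

coldfusion.license.LicenseManager$LicenseIllegalAccessException: A License exception has occurred: You tried to access a restricted feature for the Standard edition: JSP
    at coldfusion.license.LicenseManager.checkJSP(Unknown Source)
    at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
    at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
    at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
"""

SAFE_BODY = """Oops, an error occurred.
Status: 500
"""

if __name__ == "__main__":
    for label, body in (("raw container page", LEAKING_BODY), ("custom page", SAFE_BODY)):
        print(label, check_response(500, body), stack_trace_markers(body))
```

Run it against the body you get back from `cfhttp` (`r.filecontent`) and the status in `r.statuscode` on each environment; the `packages` list tells you which internal components (here `coldfusion`, `jrun`, `jrunx`) the default page names, which is what the scanner objects to.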

2 Answers

1
votes

After searching the Adobe docs and lots of obscure forum posts I found that Standard Edition in fact DOES NOT support JSP but Developer and Enterprise do. So that answers one question.

As far as changing the error handler from jsp to html, I don't think that is possible either. Unless there is a setting I'm missing. Anything other than a jsp error results in a 403 error on both IIS and Apache.

On IIS I checked all the permissions for the /WEB-INF/error-pages directory I created and I can't find anything preventing access. I also tried dropping the html file into the /WEB-INF/ root with no luck. So at this point I'm inclined to give up. I suppose a 403 error for an obscure hack attempt like this is fine.

0
votes

It seems like the error handling is different on your development server and your production server. Can you compare the settings for "Error Pages" under the IIS settings? Check what is set for 500 errors and also check the feature settings (on the left) for Error responses.

Hope that helps.