I created a form in ColdFusion that has a variable number of form fields (i.e. like line items on an invoice). There are about 5 input fields per line item. When I have only about 10 lines and do the form post, the page executes just fine, but when the number of line items increases to, say, 30, I get an internal server error when I post the data with the submit button. Doesn't seem like it's an error in my code because it works with a smaller number of items. Is there a setting that makes the server die when it has too many data fields posted?
Hi fschneider,
It will be helpful if you post the error message you are getting.
Still, according to your problem description, it seems that it is a problem with a large amount of data.
In order to change the limit of post data you can perform the following steps (ColdFusion 9):
1. Open ColdFusion Administrator.
2. Click on the setting (left upper corner).
3. Scroll down or search "" and change it as per your requirement.
Hope it will solve your issue.
Thanks
Saurav
I run into this all the time!
see: http://www.cutterscrossing.com/index.cfm/2012/3/27/ColdFusion-Security-Hotfix-and-Big-Forms
Bottom line: increase postSizeLimit and postParametersLimit.
One gotcha: make sure they are not in there twice. CF will set it to the LAST entry in the neo-runtime.xml file (comment #8).
Tim
Hi,
The Post Parameter Limit limits the number of parameters in a post request. The default value is 100. If a post request contains more parameters than specified, the server doesn't process the request and throws an exception. This process protects against DoS attack using Hash Collision. This setting is different from Post Size Limit (ColdFusion Administrator > Settings > Maximum size of post data). This setting isn't exposed in the ColdFusion Administrator console. Customers who want to change postParameterLimit, go to {ColdFusion-Home}/lib for Server Installation or {ColdFusion-Home}/WEB-INF/cfusion/lib for Multiserver or J2EE installation. Please try the following:-
Regards,
Anit Kumar
What are the security issues of setting this value higher than 100? Any increased exposure to an attack? Can you limit the increased value to a specific application via a setting in the application.cfc/cfm?
Hackers and script kiddies use this method of sending huge numbers of post parameters to overwhelm the webserver. When the beta of the Hotfix came out I tested this by having a page that would send an increasingly larger number of post requests over and over again. For my server, with my memory and CPU, I didn't really start to see the server "act badly" till the post parameters were in the 10s of thousands, so I felt very safe setting this number to 1000.
Tim
The risk here is not just sending a lot of random form fields to the server - the server CAN typically handle thousands of form fields without performance issues. The DOS issue arises when the form fields are named such that they all have the same hashcode (e.g. String.hashCode() equals the same value). This creates collisions in the underlying hashtable that is used to store the form scope -- these collisions are what makes the page REALLY slow to execute. For example, on a quad core server sending ~60,000 form fields took over 30 minutes to execute.
This setting is only server wide (because the issue can go up all the way to the servlet container, JRun or Tomcat).
I wrote a blog entry on this which goes into some more detail: http://www.petefreitag.com/item/808.cfm
--
Pete Freitag
Foundeo Inc. makers of HackMyCF.com & FuseGuard
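An added example, not code from any poster in this thread or from Adobe: a Python sketch of the two checks the replies describe, counting POST parameters against the default limit of 100 and measuring how many parameter names share one Java String.hashCode() value. The function names, the `bucket_alert` threshold and the sample form bodies are assumptions constructed for illustration.

```python
from collections import Counter
from urllib.parse import parse_qsl

DEFAULT_LIMIT = 100  # default Post Parameter Limit quoted in the thread


def java_hash(name):
    """Java String.hashCode(): h = 31*h + code unit, as a signed 32-bit int."""
    h = 0
    raw = name.encode("utf-16-be", "surrogatepass")
    for i in range(0, len(raw), 2):
        h = (31 * h + ((raw[i] << 8) | raw[i + 1])) & 0xFFFFFFFF
    return h - (1 << 32) if h & 0x80000000 else h


def audit_post_body(body, limit=DEFAULT_LIMIT, bucket_alert=16):
    """Summarise a urlencoded POST body (bucket_alert is an assumed threshold)."""
    pairs = parse_qsl(body, keep_blank_values=True)
    names = {name for name, _ in pairs}
    # Group parameter names by hash; one large bucket means many colliding names.
    buckets = Counter(java_hash(n) for n in names)
    worst = max(buckets.values(), default=0)
    return {
        "parameters": len(pairs),
        "over_limit": len(pairs) > limit,
        "distinct_names": len(names),
        "largest_hash_bucket": worst,
        "collision_alert": worst >= bucket_alert,
    }


def invoice_body(lines, fields=("qty", "desc", "price", "tax", "total")):
    """Constructed sample: the original poster's form, 5 fields per line item."""
    return "&".join(f"{f}_{i}=x" for i in range(1, lines + 1) for f in fields)


if __name__ == "__main__":
    for n in (10, 30):
        print(n, "line items:", audit_post_body(invoice_body(n)))
    # "Aa" and "BB" are the textbook pair with equal String.hashCode() (2112).
    print(audit_post_body("Aa=1&BB=2", bucket_alert=2))
```

A 30-line invoice posts 150 fields, which is over the default limit without any name collisions; that is the benign case the original question hit, as opposed to the colliding-name case the limit exists to stop.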