While filling out a membership application for a well-known technology body I noticed that the web application wasn’t behaving quite right. I decided to have a look at the cookies it had dropped into my browser as part of my pre-coffee troubleshooting.

There were two cookies. One named CFID and one CFTOKEN. Hmmm, OK, I’m guessing that this is probably a ColdFusion app based on the naming convention. Since things were not going according to plan I decided to delete the CFTOKEN and start over. So, I deleted the cookie and then refreshed the browser. I wasn’t prepared for what came next. The application puked.

500 Internal Server Error

Oops

Error Occurred While Processing Request

The system has attempted to use an undefined value, which usually indicates a programming error, either in your code or some system code.

Null Pointers are another name for undefined values.

The error occurred in C:\Inetpub\wwwroot\REDACTED\ProdSite\PortalTools\Application.cfm: line 53

51 : sessionmanagement="Yes"
52 : sessiontimeout="#CreateTimeSpan(0,0,20,0)#"
53 : applicationtimeout="#CreateTimeSpan(1,0,0,0)#">
54 :
55 :

Please try the following:

* Check the ColdFusion documentation to verify that you are using the correct syntax.
* Search the Knowledge Base to find a solution to your problem.

Browser Mozilla/5.0 (my browser info…)
Remote Address 127.0.0.1
Referrer http://oops.website.foo/PortalTools/Login.cfm
Date/Time 23-May-07 09:13 AM
Stack Trace
at cfApplication2ecfm*********.runPage (C:\Inetpub\wwwroot\REDACTED\ProdSite\PortalTools\Application.cfm:53)

OK, so this system is running on a Windows server. The dump was good enough to provide me with the application, operating system and the website directory path. As well, Java dumped out this information:

java.lang.NullPointerException
at coldfusion.runtime.ClientScopeKey.hashCode(ClientScopeKey.java:29)
at java.util.Hashtable.get(Hashtable.java:333)
at coldfusion.runtime.ClientScopeServiceImpl.GetClientScope(ClientScopeServiceImpl.java:168)
at coldfusion.tagext.lang.ApplicationTag.setupClientScope(ApplicationTag.java:565)
at coldfusion.tagext.lang.ApplicationTag.doStartTag(ApplicationTag.java:283)
at coldfusion.runtime.CfJspPage._emptyTag(CfJspPage.java:1871)
at cfApplication2ecfm*********.runPage (C:\Inetpub\wwwroot\REDACTED\ProdSite\PortalTools\Application.cfm:53)
at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:147)
at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:357)
at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:62)
at coldfusion.filter.CfincludeFilter.include(CfincludeFilter.java:30)
at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:93)
at coldfusion.filter.PathFilter.invoke(PathFilter.java:80)
at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:47)
at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:35)
at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:43)
at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
at coldfusion.CfmServlet.service(CfmServlet.java:105)
at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:91)
at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:252)
at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:527)
at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:192)
at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:348)
at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:451)
at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:294)
at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

Now, maybe I’m a little naive, but I would hope that an application would behave much better with a null pointer when something as simple as the cookie was deleted. Somehow this doesn’t seem right.

I then checked what the header information for the web server was:

Date: Wed, 23 May 2007 13:13:43 GMT
Content-Type: text/html; charset=iso-8859-1
Server: Apache/2.0.52 (CentOS)
Accept-Ranges: bytes

200 OK

OK, now the application server:

Date: Wed, 23 May 2007 13:33:54 GMT
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
server-error: true

500 Internal Server Error

Well, I know that ColdFusion has a history of problems (example). I would hope that this one that I stumbled across is easily fixed. This type of disclosure would be a boon to a hacker looking to cause a problem. This may be a well-documented issue (if so, my apologies), but in all honesty I have not done a great deal of digging on this.
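A check a site owner could run against their own error responses to catch the kinds of detail leaked above. This is an added example, not code from the original post; the function name, the category names and both sample responses are constructed for illustration.

```python
import re

# Body patterns for the kinds of detail the error page in this post exposed.
BODY_CHECKS = {
    "filesystem_path": re.compile(r"[A-Za-z]:\\(?:[^\\\s:*?\"<>|]+\\)+[^\\\s:*?\"<>|]+"),
    "java_exception": re.compile(r"\b(?:[a-z]\w*\.)+[A-Z]\w*(?:Exception|Error)\b"),
    "stack_frame": re.compile(r"\bat\s+[\w.$]+\([\w$]+\.java:\d+\)"),
    "source_excerpt": re.compile(r"^\s*\d+\s*:\s*\S.*$", re.M),
}
# A product token followed by a version number, e.g. in a Server header.
VERSIONED_PRODUCT = re.compile(r"[\w.-]+/\d[\w.]*")


def audit_response(headers, body):
    """Map each disclosure category found in one response to the text that triggered it."""
    findings = {}
    for name, pattern in BODY_CHECKS.items():
        match = pattern.search(body)
        if match:
            findings[name] = match.group(0).strip()
    for key, value in headers.items():
        if key.lower() == "server" and VERSIONED_PRODUCT.search(value):
            findings["server_version"] = value
        elif key.lower() == "server-error":
            findings["server_error_header"] = value
    return findings


# Constructed sample: a shortened copy of the error response quoted in the post.
LEAKY_HEADERS = {"Server": "Microsoft-IIS/6.0", "server-error": "true"}
LEAKY_BODY = r"""Error Occurred While Processing Request
The error occurred in C:\Inetpub\wwwroot\REDACTED\ProdSite\PortalTools\Application.cfm: line 53
52 : sessiontimeout="#CreateTimeSpan(0,0,20,0)#"
java.lang.NullPointerException
at coldfusion.runtime.ClientScopeKey.hashCode(ClientScopeKey.java:29)
"""

# Constructed sample: a generic error page served with a trimmed Server header.
QUIET_HEADERS = {"Server": "Microsoft-IIS"}
QUIET_BODY = "Something went wrong. Please try again later. Reference: 7f3a"

if __name__ == "__main__":
    samples = {"leaky": (LEAKY_HEADERS, LEAKY_BODY), "quiet": (QUIET_HEADERS, QUIET_BODY)}
    for label, (hdrs, text) in samples.items():
        print(label, audit_response(hdrs, text) or "no disclosure found")
```

Run against the responses produced by deliberately broken requests (such as the deleted cookie here), an empty result is the goal: the detail belongs in server-side logs, not in the page returned to the browser.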
