kcmurphy1
asked on
Coldfusion JSP 404 errors cause JRun errors instead of IIS
Hi there -
We had a vulnerability test done, and our coldfusion content was dinged for showing detailed JRun error messages. Except we don't... unless you go to a nonexistent JSP file on the server, or something nonexistent inside the /servlet folder.
If you do that, you get a very ugly 404 and stacktrace from JRun:
/ThisIsReallyRidiculous.js
java.io.FileNotFoundExcept
at jrun.servlet.file.FileServ
at jrun.servlet.ServletInvoke
at jrun.servlet.JRunInvokerCh
at jrun.servlet.JRunRequestDi
at jrun.servlet.ServletEngine
at jrun.servlet.jrpp.JRunProx
at jrunx.scheduler.ThreadPool
at jrunx.scheduler.WorkerThre
Here's the text of the report:
Vulnerability: ISAPI services enabled on xxx.xxx.xxx.xxx
Description: ISAPI filters and extensions are used to modify or enhance the functionality provided by IIS. Some versions of IIS enable unnecessary filters and extensions by default, and these services have been shown to be historically insecure. It is considered good security practice to remove unneeded components, especially those with a poor track record.
Vulnerability: Verbose Jrun error messages enabled on xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx, and xxx.xxx.xxx.xxx
Description: A detailed JRun error message was discovered. Detailed error messages can include diagnostics, path and OS information, software versions, and other sensitive information of use to attackers.
None of the suggestions we were given by the consultant helped resolve the problem. Does anyone have any suggestions on getting rid of this thing?
Our environment is CF8 & IIS 2003
--JC
We had a vulnerability test done, and our coldfusion content was dinged for showing detailed JRun error messages. Except we don't... unless you go to a nonexistent JSP file on the server, or something nonexistent inside the /servlet folder.
If you do that, you get a very ugly 404 and stacktrace from JRun:
/ThisIsReallyRidiculous.js
java.io.FileNotFoundExcept
at jrun.servlet.file.FileServ
at jrun.servlet.ServletInvoke
at jrun.servlet.JRunInvokerCh
at jrun.servlet.JRunRequestDi
at jrun.servlet.ServletEngine
at jrun.servlet.jrpp.JRunProx
at jrunx.scheduler.ThreadPool
at jrunx.scheduler.WorkerThre
Here's the text of the report:
Vulnerability: ISAPI services enabled on xxx.xxx.xxx.xxx
Description: ISAPI filters and extensions are used to modify or enhance the functionality provided by IIS. Some versions of IIS enable unnecessary filters and extensions by default, and these services have been shown to be historically insecure. It is considered good security practice to remove unneeded components, especially those with a poor track record.
Vulnerability: Verbose Jrun error messages enabled on xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx, and xxx.xxx.xxx.xxx
Description: A detailed JRun error message was discovered. Detailed error messages can include diagnostics, path and OS information, software versions, and other sensitive information of use to attackers.
None of the suggestions we were given by the consultant helped resolve the problem. Does anyone have any suggestions on getting rid of this thing?
Our environment is CF8 & IIS 2003
--JC
You could try catching it with CFError and logging it internally with a custom error page. That's pretty odd that you get a java.io exception, possible its a cf8 bug with robust exceptions ignoring that type of nested exception. Is that the whole trace?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Yes, that's the whole trace. Custom error pages don't work, I'm using those already.
Some other sites that have the same problem:
http://www.chicagofed.com/happenshere.jsp
http://www.chicagofed.com/servlet/happensinservletstoo
http://www.coldfusionjedi.com/happenshere.jsp
http://www.coldfusionjedi.com/servlet/happensinservletstoo
http://www.bpurcell.org/happenshere.jsp
http://www.bpurcell.org/servlet/happensinservletstoo
http://forta.com/blog/happenshere.jsp
http://forta.com/servlet/happensinservletstoo
Some other sites that have the same problem:
http://www.chicagofed.com/happenshere.jsp
http://www.chicagofed.com/servlet/happensinservletstoo
http://www.coldfusionjedi.com/happenshere.jsp
http://www.coldfusionjedi.com/servlet/happensinservletstoo
http://www.bpurcell.org/happenshere.jsp
http://www.bpurcell.org/servlet/happensinservletstoo
http://forta.com/blog/happenshere.jsp
http://forta.com/servlet/happensinservletstoo
> Some other sites that have the same problem:
That's a little embarrassing... there's no .cfm error page handler either.
Anyway, try the suggestion above. It should do the trick. I assume you already have separate 404 handlers for your cf apps.
That's a little embarrassing... there's no .cfm error page handler either.
Anyway, try the suggestion above. It should do the trick. I assume you already have separate 404 handlers for your cf apps.
ASKER
Thanks!
I had that the code from the first link in both default-web.xml and web.xml, but the one using exception-type was only in default.
Copying it to web.xml made it work.
Looks like error-code and exception-type are definitely not interchangeable, or maybe error-code simply doesn't work. (If I had to guess I'd say error-code only applies when you're intentionally throwing a code instead of generating a real exception)
Thanks again!
I had that the code from the first link in both default-web.xml and web.xml, but the one using exception-type was only in default.
Copying it to web.xml made it work.
Looks like error-code and exception-type are definitely not interchangeable, or maybe error-code simply doesn't work. (If I had to guess I'd say error-code only applies when you're intentionally throwing a code instead of generating a real exception)
Thanks again!
> Looks like error-code and exception-type are definitely not interchangeable, or maybe error-code
> simply doesn't work. (If I had to guess I'd say error-code only applies when you're intentionally
> throwing a code instead of generating a real exception)
You could be right. I only tested exception-type. So that's good too know.
> simply doesn't work. (If I had to guess I'd say error-code only applies when you're intentionally
> throwing a code instead of generating a real exception)
You could be right. I only tested exception-type. So that's good too know.
ASKER
Yeah. Chicago Fed has one, but I'm a bit surprised the other three don't.
Pity you can't put something to make it bubble properly back up to the cfm level or the IIS level. The only way I could find to make IIS not send it on to JRun was to remove the wildcard extension, and that ended up breaking CF for some reason.
Thanks again!
Pity you can't put something to make it bubble properly back up to the cfm level or the IIS level. The only way I could find to make IIS not send it on to JRun was to remove the wildcard extension, and that ended up breaking CF for some reason.
Thanks again!