I have certain processes running daily from third parties and it is not possible to change them. In short, these processes hit several of our CFCs with a simple HEAD type call. Those processes always get a 500 Internal Server Error. Any ideas guys?
The requests:
curl --location --head https://example.com/bla/sample.cfc?method=test
<cfhttp method="head" url="https://example.com/bla/sample.cfc?method=test">
The first request is the one made by the third party, the second one is a test from my ColdFusion 11, both requests receive the same answer:
HTTP/1.1 500 Internal Server Error
If I make the same request using GET, I receive an "OK" as a response for both requests, as expected.
The sample.cfc:
<cfcomponent output="false">
    <cffunction name="test" access="remote" output="false" returntype="string" returnformat="plain">
        <cfreturn "OK">
    </cffunction>
</cfcomponent>
The coldfusion-out.log:
[ajp-bio-8014-exec-4] - Starting HTTP request {URL='https://example.com/bla/sample.cfc?method=test', method='head'}
[ajp-bio-8014-exec-4] - HTTP request completed {Status Code=500 ,Time taken=274 ms}
The coldfusion-error.log:
org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [CFCServlet] in context with path [] threw exception [Servlet execution threw an exception] with root cause
java.lang.NoClassDefFoundError: javax/servlet/http/NoBodyResponse
at javax.servlet.http.HttpServlet.doHead(HttpServlet.java:245)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:437)
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:197)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
There is no alert in the exception.log or server.log files.
Thank you in advance!!
You'll probably need to configure request filters in your IIS settings.
https://learn.microsoft.com/en-us/iis/manage/configuring-security/configure-request-filtering-in-iis
You can try to reject all HEAD requests to .cfc file extensions. Also, you should have all of your CFC methods that accept remote requests validate the request is either a GET or POST as expected. You don't want any function call that updates data from a form post to allow a GET. That could unexpectedly expose information to attackers.
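The per-method verb check the answer recommends, written out as an added example (this is not code from the question or the answer). The helper name requireMethod and the saveRecord method are hypothetical; the check reads cgi.request_method, which is the verb the web server passed through, and the tag-in-script cfheader syntax assumes ColdFusion 11 or later, matching the poster's version.

```cfml
<!--- Added example, not the poster's sample.cfc: each remote method declares
      the HTTP verbs it accepts and answers anything else with 405. --->
component output="false" {

    // Hypothetical helper (name is an assumption): compare the request verb
    // from the CGI scope with the list the calling method allows.
    private void function requireMethod(required array allowed) {
        var verb = ucase(cgi.request_method);
        if (!arrayContainsNoCase(arguments.allowed, verb)) {
            // 405 plus an Allow header tells a well-behaved client what to use instead
            cfheader(statuscode=405, statustext="Method Not Allowed");
            cfheader(name="Allow", value=arrayToList(arguments.allowed, ", "));
            abort;
        }
    }

    // Read-only, like the poster's test method: GET is the only verb it accepts.
    remote string function test() returnformat="plain" output="false" {
        requireMethod(["GET"]);
        return "OK";
    }

    // Hypothetical state-changing method: POST only, so a plain link or an
    // <img src="..."> cannot trigger it and its parameters never land in URL logs.
    remote struct function saveRecord(required string name) returnformat="json" output="false" {
        requireMethod(["POST"]);
        // ... persist arguments.name here ...
        return { "saved": true, "name": arguments.name };
    }
}
```

Note that this check cannot by itself cure the 500 in the question: the stack trace shows the NoClassDefFoundError thrown inside HttpServlet.doHead, before ColdFusion ever invokes the CFC, so a HEAD request never reaches requireMethod. Rejecting HEAD at the IIS request-filtering layer, as the answer suggests, is what stops those requests from hitting the servlet; the method check is the defence-in-depth for the GET/POST distinction on the methods that do run.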