HEAD calls to a CFC always return 500 (CF11)

I have some third-party processes that run every day, and I cannot change them. In short, these processes hit several of our CFCs with a simple HEAD-type call. These processes always get a 500 Internal Server Error. Any ideas?

Request:

curl --location --head https://example.com/bla/sample.cfc?method=test

<cfhttp method="head" url="https://example.com/bla/sample.cfc?method=test">

The first request is the one the third party makes; the second is my test from ColdFusion 11. Both requests receive the same answer:

HTTP/1.1 500 Internal Server Error

If I make the same request using GET, I get "OK" as the response to both requests.

sample.cfc:

<cfcomponent output="false">    
<cffunction name="test" access="remote" output="false" returntype="string" returnformat="plain">
<cfreturn "OK">
</cffunction>
</cfcomponent>

coldfusion-out.log:

[ajp-bio-8014-exec-4] - Starting HTTP request {URL='https://example.com/bla/sample.cfc?method=test', method='head'}
[ajp-bio-8014-exec-4] - HTTP request completed  {Status Code=500 ,Time taken=274 ms}

coldfusion-error.log:

org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [CFCServlet] in context with path [] threw exception [Servlet execution threw an exception] with root cause
java.lang.NoClassDefFoundError: javax/servlet/http/NoBodyResponse
at javax.servlet.http.HttpServlet.doHead(HttpServlet.java:245)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:437)
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:197)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)

There are no alerts in the exception.log or server.log files.

Thanks in advance!!

You may need to configure request filtering in your IIS settings.

https://learn.microsoft.com/en-us/iis/manage/configuring-security/configure-request-filtering-in-iis

You could try denying all HEAD requests for the .cfc file extension.

Also, you should have every CFC method that accepts remote requests verify that the request is the expected GET or POST. You don't want any function that updates data from a form post to allow GET. That could unintentionally expose information to an attacker.
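One way to implement the verb check the answer recommends, as an added example rather than code from the question or answer: a private helper compares CGI.REQUEST_METHOD against an allow-list and answers 405 otherwise. The function names requireMethod and saveRecord are assumed for illustration. Note that this guards methods once the CFC runs; the HEAD 500 in the trace above is thrown in HttpServlet.doHead before the CFC is reached, which is why the answer points to IIS request filtering for that part.

```cfml
<cfcomponent output="false">

    <!--- Added example (not the original sample.cfc): refuse any verb not in the allow-list.
          cgi.request_method is the standard CGI variable carrying the HTTP method. --->
    <cffunction name="requireMethod" access="private" output="false" returntype="void">
        <cfargument name="allowed" type="string" required="true" hint="comma list, e.g. GET,POST">
        <cfif NOT listFindNoCase(arguments.allowed, cgi.request_method)>
            <!--- 405 plus an Allow header tells a well-behaved client what it may use --->
            <cfheader statuscode="405" statustext="Method Not Allowed">
            <cfheader name="Allow" value="#replace(arguments.allowed, ',', ', ', 'all')#">
            <cfabort>
        </cfif>
    </cffunction>

    <!--- Read-only method: GET or POST are both acceptable --->
    <cffunction name="test" access="remote" output="false" returntype="string" returnformat="plain">
        <cfset requireMethod("GET,POST")>
        <cfreturn "OK">
    </cffunction>

    <!--- Hypothetical method that changes data: POST only, so a plain link or
          image tag cannot trigger it (the "don't allow GET for updates" point) --->
    <cffunction name="saveRecord" access="remote" output="false" returntype="string" returnformat="plain">
        <cfargument name="id" type="numeric" required="true">
        <cfset requireMethod("POST")>
        <!--- the actual update would go here; only the acknowledgement is shown --->
        <cfreturn "saved #arguments.id#">
    </cffunction>

</cfcomponent>
```

A GET to sample.cfc?method=saveRecord&id=1 now gets a 405 with "Allow: POST" instead of running the update.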
