Ariel Maioli

Reputation: 21

A HEAD call to a CFC always returns a 500 (CF11)

I have certain processes running daily from third parties and it is not possible to change them. In short, these processes hit several of our CFCs with a simple HEAD type call. Those processes always get a 500 Internal Server Error. Any ideas guys?

The requests:

curl --location --head https://example.com/bla/sample.cfc?method=test

<cfhttp method="head" url="https://example.com/bla/sample.cfc?method=test">

The first request is the one made by the third party, the second one is a test from my ColdFusion 11; both requests receive the same answer:

HTTP/1.1 500 Internal Server Error

If I make the same request using GET, I receive an "OK" as a response for both requests, as expected.

The sample.cfc:

<cfcomponent output="false">
    <cffunction name="test" access="remote" output="false" returntype="string" returnformat="plain">
        <cfreturn "OK">
    </cffunction>
</cfcomponent>

The coldfusion-out.log:

[ajp-bio-8014-exec-4] - Starting HTTP request {URL='https://example.com/bla/sample.cfc?method=test', method='head'}
[ajp-bio-8014-exec-4] - HTTP request completed  {Status Code=500 ,Time taken=274 ms}

The coldfusion-error.log:

org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [CFCServlet] in context with path [] threw exception [Servlet execution threw an exception] with root cause
java.lang.NoClassDefFoundError: javax/servlet/http/NoBodyResponse
    at javax.servlet.http.HttpServlet.doHead(HttpServlet.java:245)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
    at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:437)
    at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:197)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)

There is no alert in the exception.log or server.log files.

Thank you in advance!!

Upvotes: 2

Views: 186

Answers (1)

Adrian J. Moreno

Reputation: 14859

You'll probably need to configure request filters in your IIS settings.

https://learn.microsoft.com/en-us/iis/manage/configuring-security/configure-request-filtering-in-iis

You can try to reject all HEAD requests to .cfc file extensions.

Also, you should have all of your CFC methods that accept remote requests validate the request is either a GET or POST as expected. You don't want any function call that updates data from a form post to allow a GET. That could unexpectedly expose information to attackers.

Upvotes: 0
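One way to implement the method check the answer recommends, as an added example that is neither the question's sample.cfc nor the answer's code: every remote method calls a private helper that compares the real ColdFusion variable cgi.request_method against the verbs it accepts and answers 405 otherwise. The save method, its argument and the allowed-verb lists are assumptions made for this example.

```cfml
<!--- Added example (not from the original post): each remote method checks
      cgi.request_method before doing any work, so an unexpected verb gets a
      405 instead of executing the method body. --->
<cfcomponent output="false">

    <!--- Reject the request unless the verb is in the comma-separated allowed list. --->
    <cffunction name="requireVerb" access="private" output="false" returntype="void">
        <cfargument name="allowed" type="string" required="true">
        <cfset var verb = ucase(cgi.request_method)>
        <cfif NOT listFindNoCase(arguments.allowed, verb)>
            <cfheader statuscode="405" statustext="Method Not Allowed">
            <cfheader name="Allow" value="#arguments.allowed#">
            <cfabort>
        </cfif>
    </cffunction>

    <!--- Read-only method: GET only. --->
    <cffunction name="test" access="remote" output="false" returntype="string" returnformat="plain">
        <cfset requireVerb("GET")>
        <cfreturn "OK">
    </cffunction>

    <!--- Assumed method that updates data: POST only, so a GET cannot trigger the change. --->
    <cffunction name="save" access="remote" output="false" returntype="string" returnformat="plain">
        <cfargument name="value" type="string" required="true">
        <cfset requireVerb("POST")>
        <!--- ... persist arguments.value here ... --->
        <cfreturn "SAVED">
    </cffunction>

</cfcomponent>
```

Note that the stack trace in the question shows the failure inside HttpServlet.doHead before the CFC is ever invoked, so this check alone does not stop the 500 on HEAD; it complements the IIS request filtering the answer suggests rather than replacing it.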
