When adding a new SMTP server in Lucee Admin (doesn’t seem to matter the name of the server or what username/password is entered) I’m getting an “invalid syntax, variables are not supported” error message. The page lucee/admin/index.cfm?action=services.mail is returning a 500 error.
Anyone else seeing the same?
Don’t forget to tell us about your stack!
OS: Linux (6.6.31+rpt-rpi-2712) 64bit
Java Version: 17.0.11
Tomcat Version: 9.0.11
Lucee Version: 6.0.3.1
Hi @Andrew_Bollington for us to be able to help you, we need to see the full error message of the 500 error page.
Then you have something set up to not show any detailed error messages. Another place to look for those errors is Lucees application.log file. See this post, it might help you:
I appreciate your help. Here’s the error logged in application.log:
“ERROR”,“http-nio-8888-exec-10”,“07/18/2024”,“11:33:42”,“webadmin6.0.3.1”,“invalid syntax, variables are not supported.;lucee.runtime.interpreter.SecurityInterpreterException: invalid syntax, variables are not supported.
at lucee.runtime.interpreter.ref.var.Variable.getValue(Variable.java:67)
at lucee.runtime.interpreter.CFMLExpressionInterpreter.interpretPart(CFMLExpressionInterpreter.java:279)
at lucee.runtime.interpreter.VariableInterpreter.parse(VariableInterpreter.java:492)
at lucee.runtime.interpreter.VariableInterpreter.getVariableEL(VariableInterpreter.java:224)
at services_mail_cfm414$cf.call(/admin/services.mail.cfm:119)
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:1060)
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:952)
at lucee.runtime.PageContextImpl.doInclude(PageContextImpl.java:933)
at web_cfm$cf.call(/admin/web.cfm:514)
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:1060)
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:952)
at lucee.runtime.PageContextImpl.doInclude(PageContextImpl.java:933)
at index_cfm$cf.call(/admin/index.cfm:3)
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:1060)
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:952)
at lucee.runtime.listener.ModernAppListener._onRequest(ModernAppListener.java:220)
at lucee.runtime.listener.ModernAppListener.onRequest(ModernAppListener.java:107)
at lucee.runtime.PageContextImpl.execute(PageContextImpl.java:2716)
at lucee.runtime.PageContextImpl._execute(PageContextImpl.java:2702)
at lucee.runtime.PageContextImpl.executeCFML(PageContextImpl.java:2673)
at lucee.runtime.engine.Request.exe(Request.java:45)
at lucee.runtime.engine.CFMLEngineImpl._service(CFMLEngineImpl.java:1259)
at lucee.runtime.engine.CFMLEngineImpl.serviceCFML(CFMLEngineImpl.java:1205)
at lucee.loader.engine.CFMLEngineWrapper.serviceCFML(CFMLEngineWrapper.java:97)
at lucee.loader.servlet.CFMLServlet.service(CFMLServlet.java:51)
…”
… I think I can see where this is heading. “Limit variable evaluation in functions/tags” is set to on …
ahhh ok. you might have vulnerable code because of this RCE at number III, and that is blocked by default by Lucee. Try changing your code in such a manner that it doesn’t use such vulnerable code (e.g. change a isdefined() to a structKeyExists()). If you can’t do that, you need to make sure that the code/content that is being passed as an arguement to those vulnerable functions is safe.
Hi Andreas - it’s not my code, this is Lucee Admin that I’m running. I think this should be raised as a bug? What do you think?
I see… here is the code in Lucee:
I’d say you can file a bug if there is no other filed already for this. Maybe I can make a quick PR as a contribution myself.
Many thanks for your help Andreas. I’ve just raised a bug report.
thanks @Andrew_Bollington for submitting the bug. I’m linking it here:
https://luceeserver.atlassian.net/browse/LDEV-5030
I think I’m able to fix this to help out the Lucee dev team. Will check it as soon as I can.
@Andrew_Bollington looks like the Lucee Dev Team resolved the issue with prioritiy. It just was deployed the last week.
Fantastic - thanks for the prompt help everyone. Much appreciated.
Andrew
