We recently applied the APSB13-10 update to CF9 and have run into issues with applications. With the setting defaulted only to 100, compared to Tomcat's 10,000 max post param default, I am wondering what the reason behind the 100 default is and what is considered the max safe value for this setting. There are no specific details in the CVEs or the APSB13-10 bulletin that seem to indicate what this is for. Also, the details in the Adobe bulletin versus the CVEs seem to contradict each other, making it murky exactly what the vulnerabilities are that are being patched.
The discrepancy I am referring to is in the Adobe bulletin, where you state "This hotfix resolves an information leak that can occur in certain multi-threaded use cases. This issue is not exploitable remotely (CVE-2013-1387)." However, when looking at that particular CVE, it says "Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 10, 9.0.1 before Update 9, 9.0.2 before Update 4, and 10 before Update 9 allows attackers to impersonate users via unknown vectors." Not remotely exploitable information leakage is much different than impersonating users.
Are two remotely exploitable issues being fixed as noted by the CVEs, or is the one CVE really only an information leak? What does the max post param setting have to do with either of these issues being patched, and what is considered a safe maximum post param setting?