Thursday, June 24, 2010

Vulnerability affects ColdFusion MX 7 and ColdFusion 8

A vulnerability has been reported in Adobe ColdFusion, which potentially can be exploited by malicious people to hijack user sessions.

The vulnerability is caused due to an unspecified error when using CFID or CFTOKEN and can be exploited to e.g. hijack a user’s session on an application built using ColdFusion.

NOTE: This vulnerability does not affect customers using J2EE session management.

The vulnerability affects ColdFusion MX 7 and ColdFusion 8.

Issue

By default, ColdFusion manages sessions by keying on the values of the CFID and CFTOKEN cookies. It has been found that ColdFusion will accept an empty string for either or both of these values. If an application accidentally stored empty values in CFID and CFTOKEN, all users presenting those empty cookies would share the same session data.

Solution

This update will cause ColdFusion to create a new session if CFID and/or CFTOKEN values are empty strings.
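
The following Python model, added here to illustrate the issue and the fix (it is not ColdFusion code, and the function and store names are hypothetical), shows why an empty CFID/CFTOKEN pair merges every such visitor into one session, and how minting a fresh session on empty values removes the sharing:

```python
import secrets
from typing import Dict, Tuple

# Hypothetical in-memory session store keyed on (CFID, CFTOKEN), modelling
# ColdFusion's default (non-J2EE) session management. Added illustration only.
SessionKey = Tuple[str, str]
SessionStore = Dict[SessionKey, dict]


def new_session_id() -> SessionKey:
    """Mint a fresh, unguessable CFID/CFTOKEN pair for a brand-new session."""
    return (secrets.token_hex(4), secrets.token_hex(16))


def lookup_vulnerable(store: SessionStore, cookies: dict) -> Tuple[SessionKey, dict]:
    """Pre-hotfix behaviour: any string, including '', is accepted as a key,
    so every client presenting empty CFID/CFTOKEN lands in the same session."""
    key = (cookies.get("CFID", ""), cookies.get("CFTOKEN", ""))
    return key, store.setdefault(key, {})


def lookup_fixed(store: SessionStore, cookies: dict) -> Tuple[SessionKey, dict]:
    """Hotfix behaviour: an empty CFID or CFTOKEN is never used as a key;
    the client is given a new session (and new cookie values) instead."""
    cfid, cftoken = cookies.get("CFID", ""), cookies.get("CFTOKEN", "")
    if cfid == "" or cftoken == "":
        key = new_session_id()
        store[key] = {}
        return key, store[key]
    key = (cfid, cftoken)
    return key, store.setdefault(key, {})


def demo() -> Tuple[bool, bool]:
    """Two browsers arrive with empty cookies (constructed input).
    Returns (data_shared_before_fix, data_shared_after_fix)."""
    alice = {"CFID": "", "CFTOKEN": ""}
    bob = {"CFID": "", "CFTOKEN": ""}

    vuln_store: SessionStore = {}
    _, s_alice = lookup_vulnerable(vuln_store, alice)
    s_alice["user"] = "alice"            # alice logs in
    _, s_bob = lookup_vulnerable(vuln_store, bob)
    shared_before = s_bob.get("user") == "alice"   # bob inherits alice's session

    fixed_store: SessionStore = {}
    k_alice, t_alice = lookup_fixed(fixed_store, alice)
    t_alice["user"] = "alice"
    k_bob, t_bob = lookup_fixed(fixed_store, bob)
    shared_after = (k_alice == k_bob) or ("user" in t_bob)
    return shared_before, shared_after
```

Applications that set CFID/CFTOKEN themselves should still never write empty values; the hotfix only stops the server from treating them as a valid shared key.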

ColdFusion 8

You use the ColdFusion 8 Administrator to install hot fixes. The installation process is the same for all platforms and installation choices.

  1. Download hf800-70523.zip (6.25K) and extract the hf800-70523.jar file.
  2. Open the ColdFusion 8 Administrator and select the System Information page.
  3. Next to the Update File field, select the Browse Button and browse to the extracted file. Select the file and click Submit.
  4. Restart ColdFusion.

The ColdFusion 8.0 hot fix JAR file does not need to be retained after installing it with the ColdFusion Administrator. The file has been copied into the correct location.

The ColdFusion 8.0 hot fix JAR file will appear as a new entry in the System Information list.

Hot fixes are installed in the cf_root\lib\updates directory. To uninstall a hot fix, stop the ColdFusion 8 application server, then delete the hot fix JAR file from the updates directory.

ColdFusion MX 7

You use the ColdFusionMX 7 Administrator to install hot fixes. The installation process is the same for all platforms and installation choices.

  1. Download hf702-70523.zip (106K) and extract the hf702-70523.jar file.
  2. Open the ColdFusionMX 7 Administrator and select the System Information page.
  3. Next to the Update File field, select the Browse Button and browse to the extracted file. Select the file and click Submit.
  4. Restart ColdFusion.

The ColdFusionMX 7.02 hot fix JAR file does not need to be retained after installing it with the ColdFusion Administrator. The file has been copied into the correct location.

The ColdFusionMX 7.02 hot fix JAR file will appear as a new entry in the System Information list.

Hot fixes are installed in the cf_root\lib\updates directory. To uninstall a hot fix, delete the JAR file from the updates directory, after stopping the ColdFusionMX 7.02 application server.

For more information, see the following link:

http://kb2.adobe.com/cps/402/kb402805.html
