Workaround Issued For Newly-Discovered Vulnerability In ColdFusion 6.1
ColdFusion 7.0 - CFMX 7 - Is Not Affected

A vulnerability has been discovered in the ColdFusion MX 6.1 Updater which, if exploited, would allow malicious native code to execute, potentially without the user being aware. ColdFusion 7.0 is not affected. Macromedia has issued what it calls "a workaround addressing the problem" and notes that the issue will be fixed in the next updater.

The details of the vulnerability are as follows:

The ColdFusion MX 6.1 Updater renames the /jrun4/servers/cfusion/cfusion-ear/cfusion-war/WEB-INF/cfclasses directory to cfclasses-backup but does not recreate the ..../cfusion-war/WEB-INF/cfclasses directory. After the ColdFusion server is restarted, subsequent requests compile .cfm templates and place the resulting .class files incorrectly under the web server root, in a newly created /WEB-INF/cfclasses directory inside the tree the web server serves, rather than under the application root /jrun4/.../cfusion-war/WEB-INF/cfclasses.
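The following is an added example, not Macromedia's workaround and not code from the article: a POSIX shell audit that detects both symptoms described above (the application WEB-INF/cfclasses directory missing after the rename, and a stray compile cache under the web server root) and repairs them by recreating the directory and deleting the misplaced class files. The application path follows the article's example layout; the web server root (wwwroot) and the stray class file name are assumptions constructed for the dry run.

```shell
#!/bin/sh
# Added example (not Macromedia's code): audit a ColdFusion MX 6.1 install for the
# cfclasses misplacement described in the advisory and apply the repair.
# Assumptions: application WEB-INF path as in the article; web root path supplied
# by the caller (the demo below uses a constructed "wwwroot").

# check_cfclasses APP_WEBINF WEBROOT
#   Exit status 0 when APP_WEBINF/cfclasses exists and nothing sits under
#   WEBROOT/WEB-INF/cfclasses; 1 when either symptom of the bug is present.
check_cfclasses() {
    app_webinf=$1
    webroot=$2
    rc=0
    if [ ! -d "$app_webinf/cfclasses" ]; then
        echo "MISSING  : $app_webinf/cfclasses (renamed to cfclasses-backup, not recreated)"
        rc=1
    fi
    if [ -d "$webroot/WEB-INF/cfclasses" ]; then
        n=$(find "$webroot/WEB-INF/cfclasses" -name '*.class' | wc -l | tr -d ' ')
        echo "MISPLACED: $n compiled .class file(s) under $webroot/WEB-INF/cfclasses"
        rc=1
    fi
    return $rc
}

# fix_cfclasses APP_WEBINF WEBROOT
#   Recreate the directory the updater failed to recreate and remove the stray
#   compile cache under the web root. ColdFusion recompiles a .cfm on the next
#   request, so deleted class files are regenerated in the correct location.
fix_cfclasses() {
    [ -n "$1" ] && [ -n "$2" ] || return 1     # refuse to touch "/WEB-INF" on empty args
    mkdir -p "$1/cfclasses"
    rm -rf "$2/WEB-INF/cfclasses"
}

# build_broken_tree DIR
#   Construct, under DIR, the post-updater layout the article describes, so the
#   check and fix can be exercised without a real server (constructed data).
build_broken_tree() {
    bt_app="$1/jrun4/servers/cfusion/cfusion-ear/cfusion-war/WEB-INF"
    bt_web="$1/wwwroot"                                   # assumed web server root
    mkdir -p "$bt_app/cfclasses-backup" "$bt_web/WEB-INF/cfclasses"
    : > "$bt_web/WEB-INF/cfclasses/cfindex2ecfm1234567890.class"   # constructed stray class
}

# Demo: dry run against a temporary copy of the broken layout.
tmp=$(mktemp -d)
build_broken_tree "$tmp"
APP="$tmp/jrun4/servers/cfusion/cfusion-ear/cfusion-war/WEB-INF"
WEB="$tmp/wwwroot"
check_cfclasses "$APP" "$WEB" || echo "--> applying workaround"
fix_cfclasses "$APP" "$WEB"
check_cfclasses "$APP" "$WEB" && echo "--> cfclasses layout is correct"
rm -rf "$tmp"
```

To audit a real installation, call check_cfclasses with the server's actual WEB-INF and web root paths and only run fix_cfclasses when the check reports a problem; the ColdFusion server should be stopped while the stray cache is removed, since it is exactly the directory that requests were writing into.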

Macromedia categorizes the issue as "critical" and recommends that administrators apply the workaround to their installations immediately. The company thanked Sean Waddell from ESP Group "for reporting this vulnerability and for working with us to help protect our customers' security."

About ColdFusion News Desk
CFDJ News Desk monitors the world of ColdFusion to present developers with updates on technology advances, new features and performance enhancements concerning ColdFusion, business trends, ColdFusion-related products, standards discussions, and industry commentary.