ColdFusion MX 7 hands over the data
Adobe has released a hotfix to stop ColdFusion MX 7 from disclosing protected data when it runs on Microsoft's Internet Information Server (IIS). iDefense reports a flaw in the handling of URLs that contain, for instance, encoded null bytes together with a ColdFusion file extension. Attackers can use this flaw to read any file the web server has access to, gathering additional information in preparation for further attacks; it may even be possible to obtain login passwords this way.
The flaw was discovered in version 7.0.2, but the vendor says that versions 7 and 7.0.1 are also vulnerable. The problem only occurs in combination with Microsoft's IIS. The hotfix closes the hole; for details, see the security advisory. The vendor says that users of version 7 must upgrade to 7.0.1 first, before installing the hotfix. Adobe also strongly recommends backing up the data on production systems beforehand.
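Until the hotfix is installed, administrators will want to know whether such requests have already hit their IIS logs. The following is an added example, not code from Adobe or iDefense: it scans IIS W3C extended log lines for URI stems that combine a percent-encoded null byte (singly or doubly encoded) with a ColdFusion extension. The log lines and the set of ColdFusion extensions are constructed assumptions; adjust the extensions to the handler mapping in your IIS configuration.

```python
from urllib.parse import unquote

# ColdFusion extensions assumed here (adjust to the handler mapping in IIS).
CF_EXTENSIONS = (".cfm", ".cfml", ".cfc")

# Constructed IIS W3C extended log lines, not real traffic.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2006-09-12 10:01:02 192.0.2.10 GET /index.cfm - 200
2006-09-12 10:01:05 192.0.2.10 GET /login.cfm id=1 200
2006-09-12 10:02:17 198.51.100.7 GET /config.txt%00.cfm - 200
2006-09-12 10:02:19 198.51.100.7 GET /data/app.ini%2500.cfm - 200
2006-09-12 10:03:00 192.0.2.11 GET /images/logo.gif - 304
"""

def has_encoded_null(uri_stem: str) -> bool:
    """True if a NUL byte appears after one or two rounds of percent-decoding."""
    current = uri_stem
    for _ in range(2):  # the web server and the connector may each decode once
        current = unquote(current)
        if "\x00" in current:
            return True
    return False

def ends_with_cf_extension(uri_stem: str) -> bool:
    """True if the fully decoded stem would be routed to ColdFusion by its extension."""
    return unquote(unquote(uri_stem)).lower().endswith(CF_EXTENSIONS)

def suspicious_requests(log_text: str) -> list:
    """Records whose URI stem combines an encoded null byte with a ColdFusion extension."""
    hits, fields = [], None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the records that follow
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        record = dict(zip(fields, line.split()))
        stem = record.get("cs-uri-stem", "")
        if has_encoded_null(stem) and ends_with_cf_extension(stem):
            hits.append(record)
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit["c-ip"], hit["cs-uri-stem"], hit["sc-status"])
```

A status of 200 on a flagged line is the signal worth investigating, since it means the server served a response for the truncated path rather than rejecting it.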
- Adobe Macromedia ColdFusion Source Code Disclosure Vulnerability, iDefense's security advisory
- Patch available for ColdFusion MX 7 information disclosure issue, Adobe's security advisory