In association with heise online

10 January 2007, 14:58

ColdFusion MX 7 hands over the data


Adobe have released a hotfix to stop ColdFusion MX 7 from disclosing protected data when it runs on the Internet Information Server (IIS). iDefense is reporting a flaw in the handling of URLs containing, for instance, encoded null bytes and a file extension for ColdFusion. Attackers can use this flaw to read any file that the Web server has access to, in order to gather additional information in preparation for attacks. It may even be possible to collect login passwords and similar data by these means.

The flaw was discovered in version 7.0.2, but the vendor says that versions 7 and 7.0.1 are also vulnerable. However, the problem only occurs in combination with Microsoft's IIS. The hotfix patches the hole; for details, see the security advisory. The vendor says that users of version 7 must first upgrade to 7.0.1 before installing the hotfix. Adobe also strongly recommends backing up data on production systems beforehand.
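A defender-side check for the request pattern described above, as an added example that is not from the article or the advisory: it scans W3C-format web server logs for URIs that combine an encoded null byte with a ColdFusion extension. The log lines, the extension list and the function names are constructed for illustration, and how a given server records a null byte in its log is an assumption.

```python
import re
from urllib.parse import unquote

# Assumed extension list; the article only says "a file extension for ColdFusion".
CF_EXT = re.compile(r"\.(cfm|cfml|cfc)\b", re.IGNORECASE)

# Constructed sample log (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2007-01-10 09:12:01 192.0.2.10 GET /index.cfm - 200
2007-01-10 09:12:07 198.51.100.23 GET /docs/notes.txt%00.cfm - 200
2007-01-10 09:12:09 198.51.100.23 GET /docs/notes.txt%2500.cfm - 404
2007-01-10 09:13:44 192.0.2.10 GET /images/logo.gif - 200
2007-01-10 09:14:02 203.0.113.5 GET /search.cfm q=100%25 200
"""

def has_encoded_null(uri, max_rounds=3):
    """True if the URI holds a NUL byte, raw or percent-encoded up to max_rounds deep."""
    for _ in range(max_rounds + 1):
        if "\x00" in uri:
            return True
        decoded = unquote(uri, encoding="latin-1")
        if decoded == uri:          # nothing left to decode
            return False
        uri = decoded
    return False

def suspicious_requests(log_text):
    """Return (client_ip, uri) pairs with a null byte and a ColdFusion extension."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        uri = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "-")
        if query != "-":
            uri += "?" + query
        if has_encoded_null(uri) and CF_EXT.search(uri):
            hits.append((row.get("c-ip", "?"), uri))
    return hits

if __name__ == "__main__":
    for ip, uri in suspicious_requests(SAMPLE_LOG):
        print(f"review: {ip} requested {uri}")
```

Matches are candidates for review rather than proof of disclosure; the response status and size for each hit show whether the server actually returned content.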
