Security update for Adobe ColdFusion
Adobe has issued a security bulletin regarding a vulnerability in ColdFusion MX 7 and ColdFusion 8. Applications running on these products can allow an attacker to hijack another user's session, giving the attacker access to content on the server with the victim's privileges.
The bug can be exploited if the application places empty strings in the CFID or CFTOKEN session management cookies. All users then share the same session data. Applications that use J2EE session management are not affected. Adobe advises all administrators to install the update as soon as possible.
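To find applications that meet the condition described above, an administrator can scan captured HTTP headers for CFID or CFTOKEN cookies with an empty value. The following check is an added example, not code from Adobe or the bulletin; the function names and the sample headers are constructed for illustration.

```python
SESSION_COOKIES = {"cfid", "cftoken"}  # cookie names given in the advisory

def _pairs(header_name, header_value):
    """Yield (name, value) cookie pairs from one Cookie or Set-Cookie header."""
    parts = header_value.split(";")
    if header_name == "set-cookie":
        parts = parts[:1]  # everything after the first pair is an attribute
    for part in parts:
        name, _, value = part.partition("=")
        if name.strip():
            yield name.strip(), value.strip().strip('"').strip()

def empty_session_cookies(raw_headers):
    """Return sorted (header, cookie) pairs where CFID or CFTOKEN is empty."""
    findings = set()
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        header = header.strip().lower()
        if not sep or header not in ("cookie", "set-cookie"):
            continue  # request/status line or an unrelated header
        for name, val in _pairs(header, value):
            if name.lower() in SESSION_COOKIES and val == "":
                findings.add((header, name.upper()))
    return sorted(findings)

# Constructed sample traffic (not taken from a real server).
SAMPLE_BAD = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: CFID=; path=/\r\n"
    'Set-Cookie: CFTOKEN=""; path=/\r\n'
    "Set-Cookie: theme=dark; path=/\r\n"
)
SAMPLE_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: CFID=1234; path=/\r\n"
    "Set-Cookie: CFTOKEN=56789012; path=/\r\n"
)
SAMPLE_REQ = (
    "GET /index.cfm HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Cookie: theme=dark; cfid=1234; cftoken=\r\n"
)

if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK), ("req", SAMPLE_REQ)):
        print(label, empty_session_cookies(sample))
```

A finding identifies an application to review and to prioritise for the update; it does not replace installing it.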
- Update available for ColdFusion MX 7 and ColdFusion 8 potential session hijacking issue, security advisory from Adobe
(mba)