Cross Site Scripting strikes again. I hadn't seen this come across yet
so I figured I'd post it. I found it at securityfocus.com.
Dave
MPSB02-03: Patch available for default Missing Template page in
ColdFusion MX
Published: Jun 13, 2002
Updated: Jun 13, 2002
Summary
The default Missing Template handler in ColdFusion MX displays the
missing template URI without checking the filename for invalid
characters. A request for a non-existent template whose name contains
script markup is therefore reflected into the error page and can
execute as JavaScript in the browser of whoever follows such a link.
This class of exploit is commonly called "Cross Site Scripting".
Affected Software Versions
ColdFusion MX (English release, All Editions, All Platforms)
What Macromedia Is Doing
Macromedia has notified customers of the security issues through
standard communication channels. Macromedia also has published a patch
which will eliminate this vulnerability. This patch is appropriate for
all platforms.
What Customers Should Do
Customers should either:
Create their own Missing Template Handler and specify this handler in
the Settings page of ColdFusion Administrator. This handler should not
display the missing URI.
Install the patch. The patch consists of a replacement template which
can be downloaded from MPSB02-03: Security Update. This file is a
replacement for:
Windows:
{installation_directory}\CFusionMX\wwwroot\WEB-INF\exception\detail.cfm
Unix:
{installation_directory}/CFusionMX/wwwroot/WEB-INF/exception/detail.cfm
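The first workaround above (write your own Missing Template Handler and register it in ColdFusion Administrator > Settings) is shown below as an added example. It is not Macromedia's replacement detail.cfm and not code from the bulletin. It assumes that CGI.SCRIPT_NAME carries the path that was requested and that HTMLEditFormat() is available, as it is in ColdFusion MX. The unsafe pattern it avoids is echoing that path raw inside a cfoutput block; the handler either omits the path entirely, as the bulletin recommends, or HTML-encodes it so that characters such as < > " & become entities and cannot open a script block.

```cfml
<!--- MissingTemplate.cfm: added example of a safe Missing Template Handler.
      Register this file in ColdFusion Administrator > Settings >
      Missing Template Handler (path relative to the web root). Assumptions:
      CGI.SCRIPT_NAME holds the requested path; HTMLEditFormat() exists. --->

<!--- Return a real 404 so scanners and proxies treat it as not-found. --->
<cfheader statuscode="404" statustext="Not Found">

<cfset requestedPath = CGI.SCRIPT_NAME>

<!--- Set to true only if the path must be shown to the user at all. --->
<cfset showRequestedPath = false>

<!--- Keep the raw path server-side, where it cannot run in a browser. --->
<cflog file="missingtemplate" type="warning"
       text="Missing template requested: #requestedPath# from #CGI.REMOTE_ADDR#">

<html>
<head><title>Page not found</title></head>
<body>
<h1>Page not found</h1>
<p>The page you requested does not exist on this server.</p>

<cfif showRequestedPath>
  <!--- HTMLEditFormat() escapes < > " and & so the path is rendered as
        text, never parsed as markup. Do NOT write #requestedPath# bare. --->
  <cfoutput>
  <p>Requested: #HTMLEditFormat(requestedPath)#</p>
  </cfoutput>
</cfif>
</body>
</html>
```

To check a server after deploying either the patch or a handler like this, request a non-existent .cfm whose name contains a harmless marker such as &lt;zz&gt; and confirm the response either omits the path or returns it entity-encoded rather than as literal angle brackets.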
Revisions
June 13, 2002 - Bulletin first released.
Reporting Security Issues
Macromedia is committed to addressing security issues and providing
customers with the information on how they can protect themselves. If
you identify what you believe may be a security issue with a Macromedia
product, please send an email to [EMAIL PROTECTED] We will work to
appropriately address and communicate the issue.
Receiving Security Bulletins
When Macromedia becomes aware of a security issue that we believe
significantly affects our products or customers, we will notify
customers when appropriate. Typically this notification will be in the
form of a security bulletin explaining the issue and the response.
Macromedia customers who would like to receive notification of new
security bulletins when they are released can sign up for our security
notification service.
For additional information on security issues at Macromedia, please
visit: http://www.macromedia.com/security.
ANY INFORMATION, PATCHES, DOWNLOADS, WORKAROUNDS OR FIXES PROVIDED BY
MACROMEDIA IN THIS BULLETIN ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY
KIND. MACROMEDIA AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, WHETHER
EXPRESS OR IMPLIED OR OTHERWISE, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. ALSO, THERE IS NO
WARRANTY OF NON-INFRINGEMENT, TITLE OR QUIET ENJOYMENT. (USA ONLY) SOME
STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE
EXCLUSION MAY NOT APPLY TO YOU.
IN NO EVENT SHALL MACROMEDIA, INC. OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS,
BUSINESS INTERRUPTION OR THE LIKE, OR LOSS OF BUSINESS DAMAGES, BASED ON
ANY THEORY OF LIABILITY INCLUDING BREACH OF CONTRACT, BREACH OF
WARRANTY, TORT(INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE,
EVEN IF MACROMEDIA, INC. OR ITS SUPPLIERS OR THEIR REPRESENTATIVES HAVE
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. (USA ONLY) SOME STATES
DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR INCIDENTAL DAMAGES, SO THE ABOVE EXCLUSION OR LIMITATION MAY NOT
APPLY TO YOU AND YOU MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM
STATE TO STATE.
Macromedia reserves the right, from time to time, to update the
information in this document with current information.
David Livingston
Network Admin
214-871-9117
[EMAIL PROTECTED]
-----------------------------------------------
To post, send email to [EMAIL PROTECTED]
To subscribe / unsubscribe: http://www.dfwcfug.org