I don't know how many of you subscribe to the security zone mailing list but if you are an ISP this one is of interest...
L.

----- Original Message -----
From: "Macromedia Security Zone" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 10, 2003 4:56 PM
Subject: New Macromedia Security Zone Bulletins Posted

>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> IMPORTANT:
>
> Several security issues that may affect Macromedia JRun
> and ColdFusion customers have come to our attention
> recently.
>
> To learn about these new issues and what actions you can
> take to address them, please visit the Security Zone at
> the Macromedia website:
>
> http://www.macromedia.com/security
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> MSPB03-01 - Patch available for ColdFusion MX Enterprise
> Edition sandbox security issue that allows templates to
> include arbitrary files.
>
> Originally Posted: January 9, 2003
> ~~~~~~~
> SUMMARY
>
> The <cfinclude> tag and the <cfmodule> tag will accept
> filenames with relative paths as arguments. CFMX does
> not check the Sandbox Security Files/Dirs permissions
> before including files with these tags. This could
> allow a template to access unauthorized data using
> these tags.
>
> This does not affect any prior versions of ColdFusion.
>
> ~~~~~~~
> WHAT CUSTOMERS SHOULD DO:
>
>
> We strongly encourage customers to download and install
> this patch immediately.
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Reporting Security Issues
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Macromedia is committed to addressing security issues and
> providing customers with the information on how they can
> protect themselves. If you identify what you believe may
> be a security issue with a Macromedia product, please
> send an e-mail to [EMAIL PROTECTED] We will work to
> appropriately address and communicate the issue.
>
> ~~~~~~~
> Receiving Security Bulletins:
>
> When Macromedia becomes aware of a security issue that we
> believe significantly affects our products or customers,
> we will notify customers when appropriate. Typically, this
> notification will be in the form of a security bulletin
> explaining the issue and the response. Macromedia customers
> who would like to receive notification of new security
> bulletins when they are released can sign up for our
> security notification service.
>
> For additional information on security issues at Macromedia,
> please visit the Security Zone at:
>
> http://www.macromedia.com/security
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> THE INFORMATION PROVIDED BY MACROMEDIA IN THIS BULLETIN
> IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.
> MACROMEDIA AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES,
> WHETHER EXPRESS OR IMPLIED OR OTHERWISE, INCLUDING THE
> WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
> PARTICULAR PURPOSE. ALSO, THERE IS NO WARRANTY OF
> NON-INFRINGEMENT, TITLE OR QUIET ENJOYMENT. (USA ONLY)
> SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED
> WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU.
>
> IN NO EVENT SHALL MACROMEDIA, INC. OR ITS SUPPLIERS BE
> LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT
> LIMITATION, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
> SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS, BUSINESS
> INTERRUPTION OR THE LIKE, OR LOSS OF BUSINESS DAMAGES,
> BASED ON ANY THEORY OF LIABILITY INCLUDING BREACH OF
> CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE),
> PRODUCT LIABILITY OR OTHERWISE, EVEN IF MACROMEDIA, INC.
> OR ITS SUPPLIERS OR THEIR REPRESENTATIVES HAVE BEEN
> ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. (USA ONLY)
> SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
> LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE
> ABOVE EXCLUSION OR LIMITATION MAY NOT APPLY TO YOU AND
> YOU MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM STATE
> TO STATE.
>
> Macromedia reserves the right to update the information in
> this document with current information.
>

--
** Archive: http://www.mail-archive.com/dev%40lists.cfdeveloper.co.uk/
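For hosts reviewing customer templates alongside the patch, the following added example (not part of the bulletin or of any Macromedia code) resolves the relative paths given to `<cfinclude>` and `<cfmodule>` and reports any that land outside the directories a sandbox is meant to allow. The directory layout, the function name `audit_template` and the sample template are constructed for illustration.

```python
import posixpath
import re

# Captures the template attribute of <cfinclude> and <cfmodule> tags.
TAG_RE = re.compile(
    r'<(cfinclude|cfmodule)\b[^>]*?\btemplate\s*=\s*(["\'])(.*?)\2',
    re.IGNORECASE | re.DOTALL,
)

def inside(path, allowed_dirs):
    """True if path is one of allowed_dirs or lies beneath one of them."""
    return any(path == d.rstrip("/") or path.startswith(d.rstrip("/") + "/")
               for d in allowed_dirs)

def audit_template(template_path, source, allowed_dirs):
    """Return (tag, target, resolved, verdict) for every include in source.

    template_path: path of the file being audited (forward slashes).
    allowed_dirs:  directories the sandbox is supposed to permit (assumed input).
    """
    base = posixpath.dirname(template_path)
    findings = []
    for m in TAG_RE.finditer(source):
        tag, target = m.group(1).lower(), m.group(3).replace("\\", "/")
        if "#" in target:
            # CFML expression: the path is only known at run time, review by hand.
            findings.append((tag, target, None, "dynamic"))
        elif target.startswith("/"):
            # Leading slash is resolved through server mappings, unknown here.
            findings.append((tag, target, None, "mapped"))
        else:
            # normpath collapses ../ segments so the real destination is compared.
            resolved = posixpath.normpath(posixpath.join(base, target))
            verdict = "ok" if inside(resolved, allowed_dirs) else "outside-sandbox"
            findings.append((tag, target, resolved, verdict))
    return findings

# Constructed sample template for a customer rooted at /sites/cust1.
SAMPLE = '''<cfinclude template="header.cfm">
<cfinclude template="../../othercustomer/config.cfm">
<cfmodule template="../shared/menu.cfm" title="x">
<cfinclude template="#url.page#.cfm">
'''

if __name__ == "__main__":
    for row in audit_template("/sites/cust1/www/index.cfm", SAMPLE, ["/sites/cust1"]):
        print(row)
```

The directory comparison appends a trailing slash so that a sibling such as `/sites/cust10` is not mistaken for part of `/sites/cust1`.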
