Thanks for the heads up Dave.

---
Billy Cravens
Web and Software Consulting
www.Architechx.com
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Livingston
Sent: Friday, June 14, 2002 11:29 AM
To: [EMAIL PROTECTED]
Subject: Cold Fusion MX Security Patch

Cross Site Scripting strikes again. I hadn't seen this come across yet so I figured I'd post it. I found it at securityfocus.com.

Dave

MPSB02-03: Patch available for default Missing Template page in ColdFusion MX
Published: Jun 13, 2002
Updated: Jun 13, 2002

MPSB02-03 - Patch available for default Missing Template page in ColdFusion MX
Originally posted: June 13, 2002
Last updated: June 13, 2002

Summary
The default Missing Template handler in ColdFusion MX displays the missing template URI without checking the filename for invalid characters. This may allow a filename to contain executable JavaScript strings. This exploit is sometimes called "Cross Site Scripting".

Affected Software Versions
ColdFusion MX (English release, All Editions, All Platforms)

What Macromedia Is Doing
Macromedia has notified customers of the security issues through standard communication channels. Macromedia also has published a patch which will eliminate this vulnerability. This patch is appropriate for all platforms.

What Customers Should Do
Customers should either:
1. Create their own Missing Template Handler and specify this handler in the Settings page of ColdFusion Administrator. This handler should not display the missing URI.
2. Install the patch. The patch consists of a replacement template which can be downloaded from MPSB02-03: Security Update. This file is a replacement for:
   Windows: {installation_directory}\CFusionMX\wwwroot\WEB-INF\exception\detail.cfm
   Unix: {installation_directory}/CFusionMX/wwwroot/WEB-INF/exception/detail.cfm

Revisions
June 13, 2002 - Bulletin first released.

Reporting Security Issues
Macromedia is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with a Macromedia product, please send an email to [EMAIL PROTECTED] We will work to appropriately address and communicate the issue.

Receiving Security Bulletins
When Macromedia becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Macromedia customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service. For additional information on security issues at Macromedia, please visit: http://www.macromedia.com/security.

ANY INFORMATION, PATCHES, DOWNLOADS, WORKAROUNDS OR FIXES PROVIDED BY MACROMEDIA IN THIS BULLETIN ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MACROMEDIA AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED OR OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. ALSO, THERE IS NO WARRANTY OF NON-INFRINGEMENT, TITLE OR QUIET ENJOYMENT. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU.

IN NO EVENT SHALL MACROMEDIA, INC. OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS, BUSINESS INTERRUPTION OR THE LIKE, OR LOSS OF BUSINESS DAMAGES, BASED ON ANY THEORY OF LIABILITY INCLUDING BREACH OF CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, EVEN IF MACROMEDIA, INC. OR ITS SUPPLIERS OR THEIR REPRESENTATIVES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE EXCLUSION OR LIMITATION MAY NOT APPLY TO YOU AND YOU MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM STATE TO STATE.

Macromedia reserves the right, from time to time, to update the information in this document with current information.

David Livingston
Network Admin
214-871-9117
[EMAIL PROTECTED]

------------------------------------------------------------------------
This email server is running an evaluation copy of the MailShield anti-spam software. Please contact your email administrator if you have any questions about this message. MailShield product info: www.mailshield.com
-----------------------------------------------
To post, send email to [EMAIL PROTECTED]
To subscribe / unsubscribe: http://www.dfwcfug.org
