Not sure what the exploit is, but there is a patch for it.

______________________________________________________________________________

Macromedia Product Security Bulletin (MPSB01-07)
Macromedia releases patch that addresses ColdFusion Server security issues.

Originally Posted: July 11, 2001 

Summary

Macromedia has released a patch that addresses two ColdFusion Server
security issues that affect all server versions from 2.0 through 4.5.1
SP2 (all editions). The security issues were discovered through a
routine internal security audit. They could potentially expose files on
machines running ColdFusion Server to unauthorized read and delete
access, and could allow ColdFusion Server templates to be overwritten
with zero-byte files. Customers are strongly encouraged to upgrade their
servers to ColdFusion Server 5 or install the patch as soon as possible.
The security issues DO NOT affect ColdFusion Server 5.

Issue

As part of a routine internal security audit of ColdFusion Server,
Macromedia discovered two potential security issues. One issue could
allow unauthorized read and delete access to files on a machine running
ColdFusion Server. The other issue could allow ColdFusion Server
templates to be overwritten with a zero byte file of the same name. The
issues affect ColdFusion Server versions 2.0 through 4.5.1 SP2 (all
editions). The security issues DO NOT affect ColdFusion Server 5. 

Macromedia has released a patch that addresses the issues on the
versions listed below. The patch has been thoroughly tested for
stability. Customers should expect a 3-8% performance degradation as a
result of installing the patch. Macromedia strongly recommends that
customers install the patch on all production servers or upgrade to
ColdFusion Server 5.

Affected Software Versions

*       ColdFusion Server 2.x, 3.x, 4.x

What Macromedia Is Doing

Macromedia has notified customers of the security issues through
standard communication channels and released a patch that addresses the
issues. The patch is now available for download for the following server
versions: 3.1.1, 4.0, 4.0.1, 4.5, 4.5.1, 4.5.1 SP1, 4.5.1 SP2. The
patches apply to both English language and localized editions (French,
German, and Japanese). 

Download - MPSB01-07 ColdFusion Security Patch (Windows Editions)
<http://a725.g.akamai.net/7/725/3564/v002/download.macromedia.com/publicdl/update/en/coldfusion/45/CFMPSB0107Windows.exe>

Download - MPSB01-07 ColdFusion Security Patch (Solaris Editions)
<http://a725.g.akamai.net/7/725/3564/v002/download.macromedia.com/publicdl/update/en/coldfusion/45/CFMPSB0107Solaris.tar.gz>

Download - MPSB01-07 ColdFusion Security Patch (Linux Editions)
<http://a725.g.akamai.net/7/725/3564/v002/download.macromedia.com/publicdl/update/en/coldfusion/45/CFMPSB0107Linux.tar.gz>

Download - MPSB01-07 ColdFusion Security Patch (HP-UX Editions)
<http://a725.g.akamai.net/7/725/3564/v002/download.macromedia.com/publicdl/update/en/coldfusion/45/CFMPSB0107HPUX.tar.gz>

To install this patch for Windows, download and run the executable file.

To install this patch for Solaris, Linux or HP-UX, download the
appropriate file and review the readme.txt file before installing.

Customers running ColdFusion Server versions 2.0 or 3.0 are strongly
encouraged to upgrade their servers to a more recent release. No patch
will be made available for versions 2.0 or 3.0. 

Customers running versions 3.1.1, 4.0, 4.0.1, 4.5, 4.5.1, 4.5.1 SP1, or
4.5.1 SP2 are strongly encouraged to install the patch immediately on
all production servers.

(Note: Macromedia's standard support policy is one release back. But for
these particular issues, Macromedia has released patches three releases
back. To stay current with the latest features, enhancements, and
updates, customers are encouraged to move to the most recent release of
the server.) 

Revisions

July 11, 2001 - Bulletin first released.

-Jonah Kowall
Director of IT
PowerSteering Software (www.psteering.com)
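The bulletin above gives one concrete, observable symptom of the second issue: a ColdFusion template replaced by a zero-byte file of the same name. The following script is an added example, not part of the original post or of Macromedia's patch, that turns that symptom into a simple filesystem check a defender can run against a web root after patching or during triage. The `.cfm`/`.cfml` extensions and the directory layout it builds for its own demo are assumptions.

```python
"""
Find zero-byte ColdFusion templates under a web root.

Added example (not part of the Macromedia bulletin): the bulletin says one
issue could overwrite ColdFusion templates with a zero-byte file of the same
name, so an empty template file in a web root is a symptom worth reporting.
The extensions and sample layout below are assumptions, not from the bulletin.
"""
import tempfile
from pathlib import Path
from typing import List

# Assumption: these are the template extensions the server treats as ColdFusion code.
TEMPLATE_SUFFIXES = {".cfm", ".cfml"}


def find_empty_templates(webroot: str) -> List[str]:
    """Return sorted, web-root-relative POSIX paths of templates whose size is 0."""
    root = Path(webroot)
    hits = []
    for path in root.rglob("*"):
        # Match extensions case-insensitively; the affected servers include Windows.
        if path.is_file() and path.suffix.lower() in TEMPLATE_SUFFIXES:
            if path.stat().st_size == 0:
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def build_demo_webroot() -> str:
    """Construct a throwaway web root (constructed sample data): one healthy
    template, two emptied ones, and an empty non-template that must be ignored."""
    base = Path(tempfile.mkdtemp(prefix="cfroot_"))
    (base / "app").mkdir()
    (base / "index.cfm").write_text("<cfoutput>#now()#</cfoutput>\n")
    (base / "app" / "login.cfm").write_bytes(b"")       # symptom: zero-byte template
    (base / "app" / "Report.CFML").write_bytes(b"")     # upper-case extension still counts
    (base / "notes.txt").write_bytes(b"")               # empty, but not a template
    return str(base)


if __name__ == "__main__":
    demo = build_demo_webroot()
    for rel in find_empty_templates(demo):
        print("zero-byte template:", rel)
```

Run it against a real web root by calling `find_empty_templates("/path/to/wwwroot")`; every path it returns should be compared with the deployed build, because a legitimately empty include is possible and only a template that was not empty at deployment time indicates the overwrite described in the bulletin.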
