News

Security updates fix Macromedia flaws

Attackers could exploit vulnerabilities to bypass security controls, gain administrative privileges and cause a denial-of-service. But fixes are available.

Adobe Systems Inc. recommends users of Macromedia ColdFusion and JRun Server apply updates that plug security holes...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

attackers could exploit to bypass security controls, gain administrative privileges and cause a denial-of-service.

The San Jose, Calif.-based vendor has released three separate advisories in recent days. The first and second advisories address flaws in ColdFusion, a program used to develop and deploy applications.

More on Macromedia

Microsoft warns of Macromedia Flash flaw

Vulnerabilities plague Flash Player 7, Apple QuickTime

Macromedia sites suffer under attacks

Adobe said on its Web site that ColdFusion helps users "extend or integrate with Java or .NET applications, connect to enterprise data and applications, create or consume Web services, or interface with SMS on mobile devices or instant messaging clients."

Furthermore, the vendor said it adds "powerful application services for business reporting, rich-forms generation, printable document generation, full-text search, and graphing and charting."

The security updates address:

A JRun clustered Sandbox security vulnerability. ColdFusion Sandbox security relies on the Java SecurityManager, Adobe noted, adding, "When ColdFusion is running on a JRun 4 cluster member and the SecurityManager is disabled, Sandbox security silently fails without throwing an exception." With Sandbox security disabled, the vendor said, "a remote attacker using an application set up to use Sandbox security could potentially bypass security controls."
A CFMAIL injection vulnerability. An application written to use the CFMAIL tag could be used to attach arbitrary files and send mail with any content, Adobe said, adding, "This is due to weak input validation in the 'Subject' field."
A CFOBJECT Sandbox security vulnerability. Setting CFOBJECT /CreateObject(Java) to be disabled in Sandbox security has no effect, "allowing a local attacker to still create an object," Adobe said.
An administrator hash exposure vulnerability. The password hash used to authenticate the ColdFusion Administrator is exposed via an API call, allowing a local developer to obtain the hash and authenticate as administrator, Adobe said.

The third advisory addressed two flaws in the JRun server:

View Source vulnerabilities. A remote attacker could enter a malformed URL causing JRun to return Web application source code, Adobe said.
A JWS denial-of-service vulnerability. The JRun Web Server improperly handles long URLs and headers, allowing a remote attacker to cause a denial of service, Adobe said.

Danish vulnerability clearinghouse Secunia has labeled the flaws "moderately critical" because they could be exploited to expose sensitive information or cause a denial-of-service.

Dig Deeper on Application attacks (buffer overflows, cross-site scripting)

All
News
Get Started
Evaluate
Manage
Problem Solve

Related Resources

Dig Deeper on Application attacks (buffer overflows, cross-site scripting)

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.