Security updates fix Macromedia flaws

Adobe Systems Inc. recommends users of Macromedia ColdFusion and JRun Server apply updates that plug security holes attackers could exploit to bypass security controls, gain administrative privileges and cause a denial-of-service.

The San Jose, Calif.-based vendor has released three separate advisories in recent days. The first and second advisories address flaws in ColdFusion, a program used to develop and deploy applications.

More on Macromedia Microsoft warns of Macromedia Flash flaw Vulnerabilities plague Flash Player 7, Apple QuickTime Macromedia sites suffer under attacks

Furthermore, the vendor said it adds "powerful application services for business reporting, rich-forms generation, printable document generation, full-text search, and graphing and charting."

The security updates address:

• A JRun clustered Sandbox security vulnerability. ColdFusion Sandbox security relies on the Java SecurityManager, Adobe noted, adding, "When ColdFusion is running on a JRun 4 cluster member and the SecurityManager is disabled, Sandbox security silently fails without throwing an exception." With Sandbox security disabled, the vendor said, "a remote attacker using an application set up to use Sandbox security could potentially bypass security controls."
• A CFMAIL injection vulnerability. An application written to use the CFMAIL tag could be used to attach arbitrary files and send mail with any content, Adobe said, adding, "This is due to weak input validation in the 'Subject' field."
• A CFOBJECT Sandbox security vulnerability. Setting CFOBJECT /CreateObject(Java) to be disabled in Sandbox security has no effect, "allowing a local attacker to still create an object," Adobe said.
• An administrator hash exposure vulnerability. The password hash used to authenticate the ColdFusion Administrator is exposed via an API call, allowing a local developer to obtain the hash and authenticate as administrator, Adobe said.

The third advisory addressed two flaws in the JRun server:

• View Source vulnerabilities. A remote attacker could enter a malformed URL causing JRun to return Web application source code, Adobe said.
• A JWS denial-of-service vulnerability. The JRun Web Server improperly handles long URLs and headers, allowing a remote attacker to cause a denial of service, Adobe said.

Danish vulnerability clearinghouse Secunia has labeled the flaws "moderately critical" because they could be exploited to expose sensitive information or cause a denial-of-service.