Macromedia ColdFusion Source Code May Be Disclosed to Remote Users
SecurityTracker Alert ID: 1005563
CVE Reference: GENERIC-MAP-NOMATCH
Date: Nov 7 2002
Impact: Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Description: A configuration vulnerability was reported when using Macromedia's ColdFusion MX. A remote user may be able to view ColdFusion source code in certain situations.

Macromedia warned of a security issue with ColdFusion MX file extension mappings. According to the report, a remote user may be able to obtain CFML source in certain situations when ColdFusion MX is *not* running. When a web server is configured to support ColdFusion MX, several file extensions are specified to be processed exclusively by ColdFusion (i.e., .jsp, .cfm, .cfc, and .cfml). If those extensions are not correctly specified on the web server and ColdFusion MX is not running, the web server may serve these files as static text files.

Only customers that have modified their web server configurations are affected, according to the vendor.

Impact: A remote user may be able to view ColdFusion Markup Language source.
Solution: No patch has been provided, as this is a web server configuration issue.

The ColdFusion install kit and the web server scripts provided for Windows in {cf_home}\CFusionMX\bin\connectors correctly set these extensions.

Macromedia warns that the instructions in "Installing ColdFusion MX" incorrectly omit the -map switch for Unix platforms. When wsconfig.jar is used to configure a web server, the -map switch is always required. So the correct format for this switch with all web servers is:

-map .cfm,.cfc,.cfml,.jsp

For more information, see the Macromedia security bulletin:
http://www.macromedia.com/v1/Handlers/index.cfm?ID=23499
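As an added example (not part of this advisory or of Macromedia's tooling), the following Python helper audits a wsconfig.jar command line for the -map switch and the four extensions the bulletin requires, and flags a response from your own server that carries raw CFML or JSP markup as text, which is the symptom of an unmapped extension while ColdFusion MX is stopped. The function names, the marker regex, the sample response bodies and every switch in the sample command lines other than -map are the editor's own constructions, not taken from the bulletin.

```python
import re
import shlex

# Extensions the bulletin says must be mapped exclusively to ColdFusion MX.
REQUIRED_EXTENSIONS = {".cfm", ".cfc", ".cfml", ".jsp"}

# Markup that belongs in CFML/JSP source and never in a rendered response:
# CFML tag names and the JSP scriptlet opener (pattern is the editor's own).
SOURCE_MARKERS = re.compile(r"</?cf[a-z]+\b|<%[=@!]?", re.IGNORECASE)


def audit_wsconfig(cmdline):
    """Check a wsconfig.jar invocation for the -map switch and its coverage.

    Returns {"map_present": bool, "missing": [extensions]}. The bulletin states
    -map is required for every web server, so map_present False is a finding
    on its own, independent of which extensions would otherwise be set.
    """
    args = shlex.split(cmdline)
    if "-map" not in args:
        return {"map_present": False, "missing": sorted(REQUIRED_EXTENSIONS)}
    idx = args.index("-map") + 1
    if idx >= len(args) or args[idx].startswith("-"):
        # "-map" given with no value: report it as absent rather than crash.
        return {"map_present": False, "missing": sorted(REQUIRED_EXTENSIONS)}
    mapped = {ext.strip().lower() for ext in args[idx].split(",") if ext.strip()}
    return {"map_present": True, "missing": sorted(REQUIRED_EXTENSIONS - mapped)}


def looks_like_leaked_source(content_type, body):
    """True when a response for a .cfm/.cfc/.cfml/.jsp URL came back as a
    text type and still contains raw CFML/JSP markup (i.e. it was served as
    a static file instead of being processed by ColdFusion)."""
    media_type = content_type.split(";")[0].strip().lower()
    if not media_type.startswith("text/"):
        return False
    return SOURCE_MARKERS.search(body) is not None


if __name__ == "__main__":
    # Constructed command lines: one without -map (the documented Unix form
    # the bulletin corrects) and one with the mapping the bulletin prescribes.
    # Switches other than -map are illustrative placeholders.
    print(audit_wsconfig("java -jar wsconfig.jar -ws apache -dir /etc/httpd/conf"))
    print(audit_wsconfig("java -jar wsconfig.jar -ws apache -dir /etc/httpd/conf -map .cfm,.cfc,.cfml,.jsp"))
    # Constructed response bodies: a leaked source file and a rendered page.
    print(looks_like_leaked_source("text/plain", '<cfset dsn = "orders">\n<cfquery name="q" datasource="#dsn#">'))
    print(looks_like_leaked_source("text/html; charset=utf-8", "<html><body><p>Orders: 42</p></body></html>"))
```

Run looks_like_leaked_source against responses fetched from your own server for each mapped extension after (re)configuring the connector, with the ColdFusion service both running and stopped.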

Vendor URL: www.macromedia.com/v1/Handlers/index.cfm?ID=23499

Cause: Configuration error

Underlying OS: Linux (Any), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:
None.

Source Message Contents

Date: Wed, 06 Nov 2002 10:40:25 -0500
Subject: ColdFusion MX source disclosure

http://www.macromedia.com/v1/Handlers/index.cfm?ID=23499

Macromedia issued a security bulletin (MPSB02-13) warning of an issue with ColdFusion MX file extension mappings. All editions and platforms of ColdFusion MX are affected.

According to the report, a remote user may be able to obtain CFML source in certain situations when ColdFusion MX is not running. When a web server is configured to support ColdFusion MX, several file extensions are specified to be processed exclusively by ColdFusion (i.e., .jsp, .cfm, .cfc, and .cfml). It is possible that a web server may display these files as static text files if the file extensions are not correctly specified on the web server and if ColdFusion MX is not running.

Macromedia reports that only customers that have modified their web server configurations are affected.

The ColdFusion Install kit and the web server scripts provided for Windows in {cf_home}\CFusionMX\bin\connectors correctly set these extensions.

Macromedia warns that the instructions in "Installing ColdFusion MX" incorrectly omit the -map switch for Unix platforms. When wsconfig.jar is used to configure a web server, the -map switch is always required. So, the correct format for this switch with all web servers is:

-map .cfm,.cfc,.cfml,.jsp