Adobe ColdFusion CFID/CFTOKEN Bug May Let Remote Users Hijack Sessions
SecurityTracker Alert ID: 1018944
SecurityTracker URL: http://securitytracker.com/id/1018944
CVE Reference:
CVE-2007-5905
Date: Nov 13 2007
Impact:
User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): MX 7, 8
Description:
A vulnerability was reported in Adobe ColdFusion. A remote user may be able to hijack user sessions in certain cases.
The system accepts empty string values for the CFID and CFTOKEN session identifiers. If an application is made to store empty values, arbitrary users can share the same session data.
Michael Chabot reported this vulnerability.
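As an added example that is not part of this advisory or of Adobe's code, a Python model of the failure mode described above: a session store that keys on CFID/CFTOKEN exactly as presented hands one session to every client that sends empty cookies, while a hardened lookup refuses empty or malformed identifiers and issues a fresh pair (the numeric-CFID and alphanumeric-CFTOKEN formats are assumptions of this example).

```python
# Added example, not from the advisory: models why accepting empty CFID/CFTOKEN
# values lets unrelated clients share session data, and a hardened lookup.
import secrets


class WeakSessionStore:
    """Keys sessions on (CFID, CFTOKEN) as presented, even when both are empty."""

    def __init__(self):
        self.sessions = {}

    def get(self, cfid, cftoken):
        # An empty pair is a perfectly good dictionary key, so every client
        # presenting ("", "") lands in the same session record.
        return self.sessions.setdefault((cfid, cftoken), {})


class HardenedSessionStore:
    """Rejects empty or malformed identifiers and issues a fresh pair instead."""

    def __init__(self):
        self.sessions = {}

    @staticmethod
    def _valid(cfid, cftoken):
        # Assumed formats: CFID is a decimal number, CFTOKEN is a non-empty
        # alphanumeric string (hyphens allowed for UUID-style tokens).
        return (bool(cfid) and cfid.isdigit()
                and bool(cftoken) and cftoken.replace("-", "").isalnum())

    def _issue(self):
        cfid = str(len(self.sessions) + 1)
        cftoken = secrets.token_hex(16)
        self.sessions[(cfid, cftoken)] = {}
        return cfid, cftoken

    def get(self, cfid, cftoken):
        # Unknown, empty or malformed identifiers never map to existing data.
        if not self._valid(cfid, cftoken) or (cfid, cftoken) not in self.sessions:
            cfid, cftoken = self._issue()
        return cfid, cftoken, self.sessions[(cfid, cftoken)]


def demo():
    """Returns (weak_store_shared, hardened_store_isolated) for two clients."""
    weak = WeakSessionStore()
    weak.get("", "")["user"] = "alice"          # first client, empty cookies
    shared = weak.get("", "").get("user") == "alice"   # second client sees alice

    hard = HardenedSessionStore()
    a_id, a_tok, a_sess = hard.get("", "")
    a_sess["user"] = "alice"
    b_id, b_tok, b_sess = hard.get("", "")
    isolated = (a_id, a_tok) != (b_id, b_tok) and "user" not in b_sess
    return shared, isolated
```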
Impact:
A remote user may be able to hijack user sessions.
Solution:
The vendor has issued solution instructions, available at:
http://www.adobe.com/go/kb402805
The Adobe advisory is available at:
http://www.adobe.com/support/security/bulletins/apsb07-19.html
Vendor URL: www.adobe.com/support/security/bulletins/apsb07-19.html
Cause:
Access control error, State error
Underlying OS:
Linux (Red Hat Enterprise), Linux (SuSE), UNIX (AIX), UNIX (OS X), UNIX (Solaris - SunOS), Windows (2000), Windows (2003), Windows (XP)
Message History:
None.
Source Message Contents
Date: Tue, 13 Nov 2007 16:25:43 -0500
Subject: Update available for ColdFusion MX 7 and ColdFusion 8 potential session hijacking issue
http://www.adobe.com/support/security/bulletins/apsb07-19.html
CVE-2007-5905