|
|
Info |
Last Modified |
| 6 months ago |
|
|
|
|
Description |
Macromedia ColdFusion MX Updater 1, for JRun4 configurations only, contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when requests compile .cfms and .cfcs and place the .class files under the web server root in a newly created /WEB-INF/cfclassess directory, which will disclose sensitive class file information resulting in a loss of confidentiality.
|
|
Classification |
Location:
Remote/Network Access Required
Attack Type:
Information Disclosure
Impact:
Loss of Confidentiality
Exploit:
Exploit Available
Disclosure:
OSVDB Verified
|
|
Solution |
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):
1 - Stop ColdFusion MX 6.1 server.
2 - Install the ColdFusion MX 6.1 Updater
If the ColdFusion MX 6.1 updater has previously been applied, delete the existing /WEB-INF/ directory under the web server root.
For Microsoft IIS, the default is /inetpub/wwwroot/, for Apache, /apache/htdocs/ and for IPlanet/SunOne /{iPlanet | SunOne}/servers/docs/
3 - Create the /servers/cfusion/cfusion-ear/cfusion-war/WEB-INF/cfclasses directory
4 - Start ColdFusion MX 6.1 server.
Verify that when .cfms are invoked, the .class files are placed in the /servers/cfusion/cfusion-ear/cfusion-war/WEB-INF/cfclasses directory.
|
|
Products |
|
ColdFusion MX J2EE - JRun4
 |
6.1 |
|
|
|
|
Credit |
- Sean Waddell - swaddell
 espgroup.net - ESP Group
|
|
BlogsProvided by Technorati
|
None found at this time
|
|
|
