SecurityTracker.com

SecurityTracker
Archives
Category:   Application (Web Server/CGI)  >   Adobe ColdFusion
Vendors:   Macromedia
Macromedia ColdFusion Source Code May Be Disclosed to Remote Users
SecurityTracker Alert ID:  1005563
SecurityTracker URL:  http://securitytracker.com/id/1005563
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 7 2002
Impact:   Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A configuration vulnerability was reported when using Macromedia's ColdFusion MX. A remote user may be able to view ColdFusion source code in certain situations.

Macromedia warned of a security issue with ColdFusion MX file extension mappings. According to the report, a remote user may be able to obtain CFML source in certain situations when ColdFusion MX is *not* running.

When a web server is configured to support ColdFusion MX, several file extensions (.jsp, .cfm, .cfc, and .cfml) are specified to be processed exclusively by ColdFusion. If those extensions are not correctly mapped on the web server and ColdFusion MX is not running, the web server may serve these files as static text, exposing their source.

Only customers that have modified their web server configurations are affected, according to the vendor.

Impact:   A remote user may be able to view ColdFusion Markup Language source.
Solution:   No patch has been provided, as this is a web server configuration issue.

The ColdFusion Install kit and the web server scripts provided for Windows in {cf_home}\CFusionMX\bin\connectors correctly set these extensions.

Macromedia warns that the instructions in "Installing ColdFusion MX" incorrectly omit the -map switch for Unix platforms. When wsconfig.jar is used to configure a web server, the -map switch is always required, on every platform. The correct format for this switch with all web servers is:

-map .cfm,.cfc,.cfml,.jsp
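As an added example (not part of the bulletin or the vendor's tooling), two defender-side checks for the configuration issue described above: one compares the extension list given to a wsconfig -map switch against the four extensions the bulletin requires, the other inspects an HTTP response fetched for a mapped URL and reports whether unprocessed CFML or JSP markup came back as static text. The command-line strings and response bodies below are constructed for the example.

```python
import re

# Extensions the bulletin says must be mapped to ColdFusion MX.
REQUIRED_EXTENSIONS = {".cfm", ".cfc", ".cfml", ".jsp"}

# Server-side markup that should never survive in a processed response:
# CFML tags such as <cfset ...> / </cfoutput>, and JSP directives/scriptlets.
CFML_TAG = re.compile(r"</?cf[a-z]+[\s>/]", re.IGNORECASE)
JSP_TAG = re.compile(r"<%[@=!]?\s|%>")


def parse_map_switch(cmdline: str) -> set:
    """Return the extensions listed after '-map' in a wsconfig command line.

    An empty set means the switch is absent, which is exactly the mistake
    the bulletin describes for the Unix install instructions.
    """
    match = re.search(r"-map\s+(\S+)", cmdline)
    if not match:
        return set()
    return {e.strip().lower() for e in match.group(1).split(",") if e.strip()}


def missing_mappings(cmdline: str) -> set:
    """Extensions that the bulletin requires but the command line omits."""
    return REQUIRED_EXTENSIONS - parse_map_switch(cmdline)


def looks_like_unprocessed_source(body: str) -> bool:
    """True when a response for a .cfm/.cfc/.cfml/.jsp URL still contains
    server-side markup, i.e. the web server returned the file verbatim
    instead of handing it to ColdFusion MX.

    Use this against a known test page on your own server; a processed
    page renders to plain HTML and leaves no <cf...> or <% %> markup behind.
    """
    return bool(CFML_TAG.search(body) or JSP_TAG.search(body))


if __name__ == "__main__":
    # Constructed command line that drops two of the required extensions.
    print("missing:", sorted(missing_mappings("-map .cfm,.cfc")))
    # Constructed bodies: one leaked source file, one properly rendered page.
    leaked = "<html><cfset user = 'demo'><cfoutput>#user#</cfoutput></html>"
    rendered = "<html>demo</html>"
    print("leaked body flagged:", looks_like_unprocessed_source(leaked))
    print("rendered body flagged:", looks_like_unprocessed_source(rendered))
```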

For more information, see the Macromedia security bulletin:

http://www.macromedia.com/v1/Handlers/index.cfm?ID=23499

Vendor URL:  www.macromedia.com/v1/Handlers/index.cfm?ID=23499
Cause:   Configuration error
Underlying OS:  Linux (Any), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   None.


Source Message Contents

Subject:  ColdFusion MX source disclosure


http://www.macromedia.com/v1/Handlers/index.cfm?ID=23499

Macromedia issued a security bulletin (MPSB02-13) warning of an issue with ColdFusion MX
file extension mappings.  All editions and platforms of ColdFusion MX are affected.

According to the report, a remote user may be able to obtain CFML source in certain
situations when ColdFusion MX is not running.  When a web server is configured to support
ColdFusion MX, several file extensions are specified to be processed exclusively by
ColdFusion (i.e., .jsp, .cfm, .cfc, and .cfml).  It is possible that a web server may
display these files as static text files if the file extensions are not correctly
specified on the web server and if ColdFusion MX is not running.

Macromedia reports that only customers that have modified their web server configurations
are affected.

The ColdFusion Install kit and the web server scripts provided for Windows in
{cf_home}\CFusionMX\bin\connectors correctly set these extensions.

Macromedia warns that the instructions in "Installing ColdFusion MX" incorrectly omit the
-map switch for Unix platforms.  When wsconfig.jar is used to configure a web server, the
-map switch is always required.  So, the correct format for this switch with all web
servers is:

     -map .cfm,.cfc,.cfml,.jsp



Copyright 2019, SecurityGlobal.net LLC