Adobe ColdFusion Bug in Component Browser Lets Remote Users Conduct HTTP Response Splitting Attacks
|
SecurityTracker Alert ID: 1027146 |
SecurityTracker URL: http://securitytracker.com/id/1027146
|
CVE Reference:
CVE-2012-2041
(Links to External Site)
|
Date: Jun 12 2012
|
Impact:
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 8.0, 8.0.1, 9.0, 9.0.1
|
Description:
A vulnerability was reported in Adobe ColdFusion. A remote user can conduct HTTP response splitting attacks.
A remote user can submit a specially crafted URL to cause the target server to return a split response. A remote user can exploit this to spoof content on the target server, attempt to poison any intermediate web caches, or conduct cross-site scripting attacks.
Michael Dominice, Yoshi Russell of Intelligent Software Solutions, Inc., and Stephen Duncan of Intelligent Software Solutions, Inc. reported this vulnerability.
|
Impact:
A remote user can create a URL that, when loaded by the target user, will cause arbitrary content to be displayed.
A remote user may be able to poison any intermediate web caches with arbitrary content.
|
Solution:
The vendor has issued a hotfix for version 9.0.1.
The vendor's advisory is available at:
http://www.adobe.com/support/security/bulletins/apsb12-15.html
|
Vendor URL: www.adobe.com/support/security/bulletins/apsb12-15.html (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS: Linux (Any), UNIX (AIX), UNIX (macOS/OS X), UNIX (Solaris - SunOS), Windows (2000), Windows (2003), Windows (Vista), Windows (XP)
|
|
Message History:
None.
|
Source Message Contents
|
|
[Original Message Not Available for Viewing]
|
|