MPSB03-04
Patch for Apache 1.3.x, 2.0 View Source Vulnerability in ColdFusion MX and JRun 4.0 on Windows
Originally posted: July 8, 2003
Last updated: July 8, 2003
Severity Rating
Critical
Summary
ColdFusion MX and JRun 4.0 will show source code while browsing .cfm, .cfc, .cfml (ColdFusion MX) or .jsp (JRun) pages if the user appends an encoded space to the end of a URL. This vulnerability only affects Apache 1.3.x and 2.x versions on Windows platforms.
Note: This bulletin affects Macromedia JRun-based editions of ColdFusion MX listed below. Versions on other J2EE platforms such as ColdFusion MX for WebSphere, ColdFusion MX for SunOne, ColdFusion MX for BEA, and so forth, are not affected, nor are prior versions of ColdFusion or JRun.
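The following is an added example, not part of the Macromedia bulletin, showing how a defender could sweep Apache access logs for the request pattern the summary describes (an affected page extension followed by an encoded space). The log format, the constructed sample lines and the function names are assumptions made here; the only bulletin-derived facts are the affected extensions and the trailing encoded space.

```python
import re

# Extensions the bulletin names as affected: ColdFusion MX (.cfm, .cfc, .cfml) and JRun (.jsp).
AFFECTED_EXTENSIONS = (".cfm", ".cfc", ".cfml", ".jsp")

# Apache "combined"/"common" access-log layout (assumed); only the request target and status matter here.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_trailing_space_request(target: str) -> bool:
    """True when the path ends in an affected extension followed only by encoded spaces (%20)."""
    path = target.split("?", 1)[0]  # the query string is irrelevant to the path the server resolves
    stripped = re.sub(r'(?:%20)+$', '', path, flags=re.IGNORECASE)
    if stripped == path:
        return False  # nothing was appended after the extension
    return stripped.lower().endswith(AFFECTED_EXTENSIONS)


def scan_access_log(lines):
    """Return one record per suspicious request; a 200 response suggests source was actually served."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-access-log line; skip rather than fail the whole scan
        target = m.group("target")
        if is_trailing_space_request(target):
            hits.append({
                "host": m.group("host"),
                "time": m.group("time"),
                "target": target,
                "status": int(m.group("status")),
                "likely_disclosed": m.group("status") == "200",
            })
    return hits


# Constructed sample log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jul/2003:10:15:01 -0400] "GET /index.cfm HTTP/1.1" 200 5120',
    '192.0.2.10 - - [08/Jul/2003:10:15:07 -0400] "GET /admin/login.cfm%20 HTTP/1.1" 200 2310',
    '198.51.100.7 - - [08/Jul/2003:10:16:30 -0400] "GET /app/page.jsp%20%20 HTTP/1.0" 404 210',
    '192.0.2.10 - - [08/Jul/2003:10:17:02 -0400] "GET /images/logo.gif%20 HTTP/1.1" 200 800',
    '192.0.2.10 - - [08/Jul/2003:10:18:44 -0400] "GET /shop/cart.cfm?id=3%20 HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        flag = "LIKELY DISCLOSED" if hit["likely_disclosed"] else "blocked/missing"
        print(f'{hit["time"]} {hit["host"]} {hit["target"]} -> {hit["status"]} ({flag})')
```

Only two of the constructed lines are flagged: the .gif request is not an affected extension, and the cart.cfm request carries its %20 in the query string rather than the path. A 200 on a flagged request is the record to investigate first, since it indicates the server answered rather than rejected the request.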
Affected Software Versions
- ColdFusion MX (Standard Edition)
- ColdFusion MX for J2EE (JRun)
- JRun 4.0 (All Editions)
What Macromedia is Doing
Macromedia has published this bulletin including patches and notified customers using affected versions.
What Customers Should Do
Use the following steps to resolve the security issue.
- Confirm the minimum software requirements for this patch.
- Download the security update patch specified below.
  Apache 1.3 and 2.0 connectors
Making the Changes
Ensure the ColdFusion MX server and Apache web server are not running. In Control Panel/Services do the following:
- Stop the Apache and ColdFusion MX Application Server services.
- Some DLLs may still be locked even after shutdown. To ensure the connector modules and connector installer (wsconfig.jar) will be replaced cleanly:
  - Open Windows Task Manager to the Processes tab.
  - Make sure jrun.exe and apache.exe are not running before proceeding further. If either process is running from services, change the ColdFusion MX Application Server and Apache services "startup type" parameter from automatic to "manual" and reboot.
The Apache connector modules for Windows are:
- mod_jrun.so (Apache 1.3.x)
- mod_jrun20.so (Apache 2.0.4x)
For ColdFusion MX Standard
Unzip MPSB03-04.zip downloaded above and copy the mod_jrun.so or mod_jrun20.so into the existing ColdFusion MX installation, in the {cf_root}/runtime/lib/wsconfig/1 directory or the subdirectory containing the old Apache module, replacing the original mod_jrun[N].so file.
For ColdFusion MX J2EE for JRun 4.0 and JRun 4.0
Unzip MPSB03-04.zip downloaded above and copy the mod_jrun.so or mod_jrun20.so into the existing JRun 4.0 or ColdFusion MX for JRun 4.0 installation, in the {jrun4_root}/lib/wsconfig/1 directory or the subdirectory containing the old Apache module, replacing the original mod_jrun[N].so file.
- Start Apache. Verify correct installation by checking the version in the Apache {apache_root}/logs/error.log file. The build should be 63297.
    [date] [notice] jrApache[init] JRun 4.0 (Build 63297) Apache 2 module - Jul 3 2003 ... (Apache 2.0.4x)
    [date] [notice] jrApache[init] JRun 4.0 (Build 63297) Apache module - Jul 3 2003 ... (Apache 1.3.x)
- Start ColdFusion MX
Note: Back up your existing files before making changes. As always, test the changes in a non-production environment before applying the changes to production servers.
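The verification step above is the one that proves the patch actually took effect: if apache.exe held the old DLL open, the replaced module never loads and error.log keeps reporting the old build. As an added example that is not part of the bulletin, the script below parses the jrApache start-up notice quoted above and checks that the most recent one reports build 63297 or later. The error.log path argument, the function names and the constructed sample lines (including the placeholder old build number 60000) are assumptions made here; the notice format and the required build number come from the bulletin.

```python
import re
import sys

REQUIRED_BUILD = 63297  # build number the bulletin says the patched connector reports

# Matches the connector start-up notice quoted in the bulletin, e.g.
#   [date] [notice] jrApache[init] JRun 4.0 (Build 63297) Apache 2 module - Jul 3 2003 ...
INIT_RE = re.compile(
    r'jrApache\[init\] JRun (?P<version>[\d.]+) \(Build (?P<build>\d+)\) '
    r'(?P<module>Apache(?: 2)? module)'
)


def parse_init_line(line: str):
    """Return {version, build, module} for a jrApache init notice, or None for any other log line."""
    m = INIT_RE.search(line)
    if not m:
        return None
    return {
        "version": m.group("version"),
        "build": int(m.group("build")),
        "module": m.group("module"),  # "Apache module" (1.3.x) or "Apache 2 module" (2.0.4x)
    }


def verify_connector(lines, required_build: int = REQUIRED_BUILD):
    """Judge the connector by the LAST init notice in the log.

    Apache appends to error.log across restarts, so an early notice from the old
    module must not be mistaken for the current state; only the most recent one counts.
    """
    latest = None
    for line in lines:
        parsed = parse_init_line(line)
        if parsed is not None:
            latest = parsed
    if latest is None:
        return {"state": "no-init-line", "build": None, "module": None, "patched": False}
    return {
        "state": "ok",
        "build": latest["build"],
        "module": latest["module"],
        "patched": latest["build"] >= required_build,
    }


# Constructed sample error.log (not real output): a pre-patch start, an unrelated Apache
# notice, then the post-patch start. "Build 60000" is a placeholder for an old build.
SAMPLE_ERROR_LOG = [
    "[Tue Jul 08 08:00:00 2003] [notice] jrApache[init] JRun 4.0 (Build 60000) Apache 2 module - Jan 1 2003",
    "[Tue Jul 08 08:00:01 2003] [notice] Apache/2.0.47 (Win32) configured -- resuming normal operations",
    "[Tue Jul 08 09:30:00 2003] [notice] jrApache[init] JRun 4.0 (Build 63297) Apache 2 module - Jul 3 2003",
]


def main(argv):
    # Usage: python verify_connector.py {apache_root}/logs/error.log
    lines = open(argv[1], encoding="utf-8", errors="replace") if len(argv) > 1 else SAMPLE_ERROR_LOG
    result = verify_connector(lines)
    if result["state"] == "no-init-line":
        print("No jrApache init notice found; Apache may not have restarted with the JRun connector loaded.")
        return 2
    verdict = "PATCHED" if result["patched"] else "NOT PATCHED (old module still loaded?)"
    print(f'{result["module"]}: build {result["build"]} -> {verdict}')
    return 0 if result["patched"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit code makes the check usable from a post-deployment script: 0 only when the last notice carries an acceptable build, 1 when an older build is still reported, 2 when no notice exists at all, which usually means Apache has not been restarted since the module was replaced.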
Revisions
Bulletin first created on July 8, 2003.
Acknowledgements
Macromedia would like to thank the following individuals for working with us to help protect our customers from security attacks.
- Matthew Argyle of University College Chichester for finding the source code disclosure.
- Jerry Logue of Aquilent for reporting the disclosure through our secure@macromedia.com email alias on our Alert Us page.
Reporting Security Issues
Macromedia is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with a Macromedia product, please alert us. We will work to appropriately address and communicate the issue.
Receiving Security Bulletins
When Macromedia becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Macromedia customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service.
For additional information on security issues at Macromedia, please visit the Security Zone at: http://www.macromedia.com/security.
ANY INFORMATION, PATCHES, DOWNLOADS, WORKAROUNDS OR FIXES PROVIDED BY MACROMEDIA IN THIS BULLETIN ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MACROMEDIA AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED OR OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. ALSO, THERE IS NO WARRANTY OF NON-INFRINGEMENT, TITLE OR QUIET ENJOYMENT. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU.
IN NO EVENT SHALL MACROMEDIA, INC. OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS, BUSINESS INTERRUPTION OR THE LIKE, OR LOSS OF BUSINESS DAMAGES, BASED ON ANY THEORY OF LIABILITY INCLUDING BREACH OF CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, EVEN IF MACROMEDIA, INC. OR ITS SUPPLIERS OR THEIR REPRESENTATIVES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE EXCLUSION OR LIMITATION MAY NOT APPLY TO YOU AND YOU MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM STATE TO STATE.
Macromedia reserves the right, from time to time, to update the information in this document with current information.