MPSB03-06 Security Patch available for ColdFusion MX/ColdFusion cross-site scripting vulnerability with default error handlers
Originally posted: September 18, 2003
Last updated: September 18, 2003
Summary
ColdFusionMX Web Sites that use the default ColdFusionMX Site-Wide Error Handler page or the default ColdFusionMX Missing Template Handler page may be susceptible to a cross-site scripting attack using the HTTP Referer[sic] header field.
ColdFusion 5.0 and earlier versions are not at risk for this attack with the default Missing Template Handler.
ColdFusion 5.0 and earlier versions are at risk with the default Error Handler page if no page is specified.
Severity Rating
Macromedia categorizes this issue as an important update and recommends users download and apply the patches immediately.
Affected Software Versions
- ColdFusion MX 6.0 and 6.1 (All editions)
- ColdFusion MX 6.0 J2EE (All editions)
- ColdFusion MX 6.1 J2EE (All editions)
- ColdFusion 5.0 and prior versions
Technical Details
ColdFusionMX Web Sites which use the default ColdFusion Error Handler page or the default ColdFusion Missing Template Handler page may be susceptible to a cross-site scripting attack using the HTTP Referer[sic] header field.
ColdFusionMX sites which specify both a site-wide Missing Template Handler and a site-wide Error Handler in ColdFusion Administrator are not vulnerable, as long as the user-supplied handlers are not otherwise vulnerable to cross-site scripting.
What Macromedia is Doing
Macromedia has published this bulletin including patches and notified customers using affected versions.
What Customers Should Do
Download the security update patches from the locations specified below.
| Version | Patch |
| --- | --- |
| ColdFusion MX 6.0 (All editions) | Upgrade to 6.1 then install the replacement Default Site-wide Error Handler page below |
| ColdFusion MX 6.1 (All editions) | 6.1 Default Site-wide Error Handler page (12 KB ZIP) |
| ColdFusion 5.0 and prior versions (All editions) | Example Site-wide Error handler page (1 KB ZIP) |
NOTE: All ColdFusion administrators are reminded not to enable "Robust Exception Information" or "Debugging" on production web sites that are publicly accessible. These settings are very useful for developing web sites, but they can be misused for cross-site scripting attacks if they are accidentally left enabled on a publicly accessible web site.
Making the Changes
To correct this vulnerability, follow the directions based on the version of ColdFusion.
- ColdFusion MX versions
- For ColdFusionMX 6.0, upgrade to ColdFusion MX 6.1.
- Replace detail.cfm with the one found in the patch file for your version. The default locations are below:
  Windows: {cf_root}\wwwroot\WEB-INF\exception\detail.cfm
  Unix/Linux: {cf_root}/wwwroot/WEB-INF/exception/detail.cfm
- ColdFusionMX for J2EE versions
- For ColdFusionMX 6.0, upgrade to ColdFusion MX 6.1.
- Replace the ColdFusion Default Site-wide Error Handler page, detail.cfm, with the one from the downloaded mpsb03-06_6_1.zip file.
  Windows, Unix/Linux (example JRun4): /jrun4/servers/cfusion/cfusion-ear/cfusion-war/WEB-INF/exception/detail.cfm
- ColdFusion 5 and prior versions
Production web sites should have a Site-wide Error Handler and a Missing Template Handler template that are appropriate to the site.
- Check that ColdFusion Administrator specifies a Site-wide Error Handler. If it does not, the default ColdFusion Site-wide Error Handler is being used.
- Prepare a suitable template for your site and specify this template in ColdFusion Administrator. This template should not display the ColdFusion HTTP_REFERER variable, or any other FORM, COOKIE, or CGI data from the request.
You can download an example of a simple Site-wide Error Handler template above in the "ColdFusion 5.0 and prior versions" section.
Note: The same Site-wide Error Handler can be used for Windows or Unix.
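The following Site-wide Error Handler template is an added illustration of the advice above; it is not Macromedia's shipped detail.cfm and not the example ZIP linked in this bulletin. It assumes the template is registered as the Site-wide Error Handler in ColdFusion Administrator, so that the Error scope is populated as it is for cferror type="exception" (the variable names error.HTTPReferer, error.type, error.template, error.remoteAddress and error.message follow the documented cferror variables), and it uses a constructed log file name, sitewide_errors. The handler keeps every request-derived value, the Referer included, on the server side and shows the visitor only a random reference id, which is what removes the cross-site scripting exposure.

```cfml
<!---
  Example Site-wide Error Handler (added example, not Macromedia's detail.cfm).
  Assumptions: registered as the Site-wide Error Handler in ColdFusion
  Administrator; Error scope available as for <cferror type="exception">;
  log file name "sitewide_errors" is a constructed choice.
--->
<cfsetting enablecfoutputonly="true">

<!--- Random correlation id the visitor can quote to support.
      It is generated server-side and carries no request data. --->
<cfset errorRef = createUUID()>

<!--- Record the details an administrator needs, including the Referer,
      in a server-side log instead of the response body. --->
<cflog file="sitewide_errors" type="error"
       text="ref=#errorRef# type=#error.type# template=#error.template# remote=#error.remoteAddress# referer=#error.HTTPReferer# message=#error.message#">

<!--- Pattern to avoid (this is what makes the default handler vulnerable):
        <cfoutput>#error.HTTPReferer#</cfoutput>
      writes the client-controlled Referer header into the HTML unencoded.
      If a request value must ever be shown, HTML-encode it first:
        <cfoutput>#HTMLEditFormat(error.HTTPReferer)#</cfoutput> --->

<cfoutput>
<html>
<head><title>An error occurred</title></head>
<body>
<h1>Sorry, this page could not be processed.</h1>
<p>Please try again later. If the problem persists, contact the site
administrator and quote reference <strong>#errorRef#</strong>.</p>
</body>
</html>
</cfoutput>
```

The same template serves as a Missing Template Handler on ColdFusion MX, since that handler must likewise avoid echoing the requested path or any CGI variable; on ColdFusion 5 and earlier only the Site-wide Error Handler needs replacing, as the Summary states. Verify the change by requesting a page that raises an error and confirming that the response contains only the reference id while the Referer value appears in the sitewide_errors log.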
Revisions
September 18, 2003 — Bulletin first created.
Acknowledgements
Macromedia would like to thank the following organization and individual for working with us to help protect our customers from security attacks:
- Vagabond Co, LTD of Japan
- Robert Fly (robertfly@hotmail.com)
Reporting Security Issues
Macromedia is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with a Macromedia product, please send an email to secure@macromedia.com. We will work to appropriately address and communicate the issue.
Receiving Security Bulletins
When Macromedia becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Macromedia customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service.
For additional information on security issues at Macromedia, please visit: http://www.macromedia.com/security.
ANY INFORMATION, PATCHES, DOWNLOADS, WORKAROUNDS OR FIXES PROVIDED BY MACROMEDIA IN THIS BULLETIN ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MACROMEDIA AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED OR OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. ALSO, THERE IS NO WARRANTY OF NON-INFRINGEMENT, TITLE OR QUIET ENJOYMENT. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU.
IN NO EVENT SHALL MACROMEDIA, INC. OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS, BUSINESS INTERRUPTION OR THE LIKE, OR LOSS OF BUSINESS DAMAGES, BASED ON ANY THEORY OF LIABILITY INCLUDING BREACH OF CONTRACT, BREACH OF WARRANTY, TORT(INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, EVEN IF MACROMEDIA, INC. OR ITS SUPPLIERS OR THEIR REPRESENTATIVES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE EXCLUSION OR LIMITATION MAY NOT APPLY TO YOU AND YOU MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM STATE TO STATE.
Macromedia reserves the right, from time to time, to update the information in this document with current information.