Info

Disclosure

Sep 22, 2003

Discovery

Unknown

Dates

Exploit

Jul 13, 2007

Solution

Unknown

Description

ColdFusion contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate any input that is passed to the default error handlers. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
OSVDB: Web Related

Solution

Adobe / Macromedia has released a patch to address this issue. Additionally, it is possible to correct the flaw by implementing the following workaround: turn off the "Robust Exception Information" and "Debugging" options.

Products

Macromedia, Inc.	ColdFusion MX	6.0
		6.1
	ColdFusion MX J2EE	6.0
		6.1
	ColdFusion	5.0

References

Related OSVDB ID: 15814 35997
Secunia Advisory ID: 9807
Vendor Specific Advisory URL: http://www.adobe.com/devnet/security/security_zone/mpsb03-06.html
http://www.macromedia.com/devnet/security/security_zone/mpsb03-06.html

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/2578

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Macromedia, Inc.

ColdFusion MX

ColdFusion MX J2EE

ColdFusion

References

Credit