Issue

A possible cross-site scripting (XSS) vulnerability has been discovered in ColdFusion's handling of forms. The issue affects ColdFusion MX 6.1 through ColdFusion MX 7.0.2 and has been logged as issue 64586.

Solution

A hot fix has been created to correct this issue. Please follow the instructions below to apply the hot fix.

ColdFusion MX 7.0.2

  1. Download and unzip the hot fix. (2K)
  2. Open the ColdFusion MX Administrator and select the System Information page. Next to the Update File field, either:
    • Type in the file path and click Submit.

      OR

    • Click the Browse button, browse to the downloaded file, select it, and click Apply.
  3. Restart ColdFusion MX.

The ColdFusion MX 7 hot fix JAR file does not need to be retained after installing it with the ColdFusion Administrator. The file has been copied into the correct location.

The ColdFusion MX 7 hot fix JAR file will appear as a new entry in the System Information list.

ColdFusion MX 7.0.1

  1. Download and unzip the hot fix. (2K)
  2. Open the ColdFusion MX Administrator and select the System Information page. Next to the Update File field, either:
    • Type in the file path and click Submit.

      OR

    • Click the Browse button, browse to the downloaded file, select it, and click Apply.
  3. Restart ColdFusion MX.

The ColdFusion MX 7 hot fix JAR file does not need to be retained after installing it with the ColdFusion Administrator. The file has been copied into the correct location.

The ColdFusion MX 7 hot fix JAR file will appear as a new entry in the System Information list.

ColdFusion MX 6.1 - Server Configuration

Follow the instructions below to install the hot fix for ColdFusion MX 6.1 in the server configuration. For J2EE servers including JRun, use the instructions under the J2EE Configuration section.

Windows

  1. Download and unzip the hot fix (1K).

  2. Stop ColdFusion.
  3. Create the directory cf_root\runtime\servers\lib if it does not exist.
  4. Save the downloaded JAR file into the following directory cf_root\runtime\servers\lib\.
  5. Restart ColdFusion.
  6. Examine the ColdFusion MX Administrator System Information page and confirm that hf64586_611.jar shows in the Java Class Path list.

Unix

  1. Download and unzip the hot fix (1K).

  2. Stop ColdFusion.
  3. Create the directory cf_root/runtime/servers/lib if it does not exist.
  4. Save the downloaded JAR file into the following directory: cf_root/runtime/servers/lib/
  5. Edit the file cf_root/runtime/bin/jvm.config:
    1. Locate the JVM classpath section.
    2. Add {application.home}/runtime/servers/lib as the first entry in the java.class.path list. For example:

      # JVM classpath
      java.class.path={application.home}/runtime/servers/lib, {application.home}/runtime/../../src, {application.home}/lib/cfusion.jar, {application.home}/runtime/lib/webservices.jar

  6. Restart ColdFusion.
  7. Examine the ColdFusion MX Administrator System Information page and confirm that hf64586_611.jar shows in the Java Class Path list.

ColdFusion MX 6.1 - J2EE Configuration (including JRun)

Follow the instructions below to install the hot fix for ColdFusion MX 6.1 in the J2EE configuration with a J2EE server including JRun:

  1. Download and unzip the hot fix (1K).

  2. Save the downloaded JAR file into the cf_root/WEB-INF/lib directory.
  3. Change the Context Parameter cf.class.path in the Deployment Descriptor (cf_root/WEB-INF/web.xml) for the Web Application "Macromedia ColdFusion MX" (cfusion.war)

     from:

       ./WEB-INF/cfusion/lib/cfusion.jar

     to:

       ./WEB-INF/lib/hf64586_611.jar,./WEB-INF/cfusion/lib/cfusion.jar

    • Note that the two paths in cf.class.path each start with a period and are separated by a comma.
    • Do not confuse ./WEB-INF/lib (which contains the hot fix JAR file) with ./WEB-INF/cfusion/lib (which contains cfusion.jar).
  4. Stop and restart the J2EE server for the changes to take effect.
  5. Examine the ColdFusion MX Administrator System Information page and confirm that hf64586_611.jar shows up in the Version section as 6,1,0 hf64586_611. Note: You will not see this JAR in the Java Class Path, because the hot fix JAR is loaded on the ColdFusion Class Path.
  6. Repeat these steps for each deployed instance of ColdFusion.

About changing the Deployment Descriptor

  • Deployment Descriptor Context Parameters can be changed using the J2EE Administrator Control Panel (WebLogic and JRun) or by using the Application Assembly Tool (WebSphere). If your J2EE server does not have such a tool, you must make sure that the Context Parameter change is made for all deployed instances of ColdFusion. It may be necessary to un-deploy CFMX, make the change, then re-deploy CFMX. See your J2EE documentation for other methods.
  • Be sure to Persist (WebLogic) or Save (WebSphere) your changes after you change the value for cf.class.path.
  • You will usually need to stop and restart your J2EE server to make these changes effective.
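Both MX 6.1 procedures (server configuration and J2EE configuration) hinge on the hot fix JAR being loaded ahead of cfusion.jar, so a misplaced file or a wrong class path order silently leaves the server unpatched. The POSIX shell script below is an added post-install check, not part of the Adobe TechNote: it assumes cf_root is passed as an argument and that jvm.config and web.xml use the layouts shown in the instructions above.

```shell
#!/bin/sh
# Post-install check for the hf64586_611.jar hot fix on ColdFusion MX 6.1.
# Added example, not part of the Adobe TechNote. cf_root is the path the
# reader passes in; file layouts follow the instructions above.

HOTFIX_JAR="hf64586_611.jar"

# Server configuration (Unix): the JAR must be in runtime/servers/lib, and
# {application.home}/runtime/servers/lib must be the FIRST java.class.path
# entry in runtime/bin/jvm.config, or the unpatched classes in cfusion.jar win.
check_server_config() {
  cf_root="$1"
  [ -f "$cf_root/runtime/servers/lib/$HOTFIX_JAR" ] ||
    { echo "missing $HOTFIX_JAR in runtime/servers/lib"; return 1; }
  cp_line=$(grep '^java\.class\.path=' "$cf_root/runtime/bin/jvm.config") ||
    { echo "no java.class.path line in jvm.config"; return 1; }
  # first comma-separated entry, with any surrounding whitespace removed
  first=$(printf '%s\n' "$cp_line" | sed 's/^java\.class\.path=//' | cut -d, -f1 | tr -d ' \t')
  [ "$first" = '{application.home}/runtime/servers/lib' ] ||
    { echo "runtime/servers/lib is not first on java.class.path (got: $first)"; return 1; }
  echo "server configuration: hot fix in place"
}

# J2EE configuration: the JAR must be in WEB-INF/lib, and the cf.class.path
# context parameter in WEB-INF/web.xml must list it ahead of cfusion.jar.
check_j2ee_config() {
  cf_root="$1"
  [ -f "$cf_root/WEB-INF/lib/$HOTFIX_JAR" ] ||
    { echo "missing $HOTFIX_JAR in WEB-INF/lib"; return 1; }
  # Flatten the XML so the param-name/param-value pair can be matched on one line.
  value=$(tr -d '\n\r\t ' < "$cf_root/WEB-INF/web.xml" |
    sed -n 's|.*<param-name>cf\.class\.path</param-name><param-value>\([^<]*\)</param-value>.*|\1|p')
  [ "$value" = "./WEB-INF/lib/$HOTFIX_JAR,./WEB-INF/cfusion/lib/cfusion.jar" ] ||
    { echo "cf.class.path is '$value', expected hot fix JAR first"; return 1; }
  echo "J2EE configuration: hot fix in place"
}

# Usage: sh check_hotfix.sh server /opt/coldfusionmx
#        sh check_hotfix.sh j2ee /path/to/cfusion-ear/cfusion-war
case "${1:-}" in
  server) check_server_config "$2" ;;
  j2ee)   check_j2ee_config "$2" ;;
esac
```

Run it once per deployed instance; a non-zero exit with the printed reason means the instance still needs the step named.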

Additional Information

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
