
Guide to applying ColdFusion hotfixes for vulnerability APSB09-12

This guide is made public to help ColdFusion administrators apply the ColdFusion and JRun hotfixes released by Adobe in the security update for vulnerability APSB09-12. Its purpose is to reduce the time required to update a ColdFusion server and to provide a checklist that can be referred to during the update process. All information compiled for this guide has been sourced from Adobe security bulletins. We provide it in the hope that it will be a useful resource, but we provide no warranty and accept no liability for its use.

Read more...

Hotfixes released for new ColdFusion & Jrun XSS exploits

Adobe has just released hotfix updates to address recently discovered cross-site scripting vulnerabilities in ColdFusion 7 / 8 and JRun 4.0 servers, some of which would allow an attacker to retrieve CF Administrator login details from an unsuspecting administrator. Details of some of these ColdFusion vulnerabilities have been posted here by Digital Security Research Group, and they include XSS vulnerabilities in the following CFIDE scripts:

Read more...

cflogin - Problems with passwords containing colons

As recently detailed by Ray Camden on his blog in this post, when using cflogin, any part of a user's password after a ":" is removed before the password is stored in the cflogin scope. This may be an infrequent but very hard to diagnose problem for anyone generating passwords from random strings and using cflogin to manage their website user logins.

Read more...