Hotfixes released for new ColdFusion & Jrun XSS exploits

Adobe has just released hotfix updates to address recently discovered cross-site scripting vulnerabilities in ColdFusion 7 / 8 and JRun 4.0 servers, some of which would allow an attacker to retrieve ColdFusion Administrator login details from an unsuspecting administrator. Details of some of these ColdFusion vulnerabilities have been posted here by Digital Security Research Group, and include XSS vulnerabilities in the following CFIDE scripts:

cflogin - Problems with passwords containing colons

As recently detailed by Ray Camden on his blog in this post, when using cflogin, any part of a user's password after a ":" is removed before the password is stored in the cflogin scope. This is likely to be an infrequent but very hard to diagnose problem for anyone generating passwords from random strings and using cflogin to manage their website user logins, since only passwords that happen to contain a colon are affected.

Application vars vulnerable on shared hosting

DO NOT store usernames or passwords in your application variables, and do not trust them, as they can be accessed by other websites running on the same server instance. Many ColdFusion developers will read this bold warning as old news, but unfortunately many more are not aware of the problem and are storing very sensitive information such as database, email or admin usernames and passwords within the application scope, leaving their databases and sites open to attack. Thanks to a recent comment (thanks Bradley) we have been reminded that it's time again to get this warning out there.
