Thanks for the heads up. Ouch, so many fixes in one go makes it a bit of a nightmare (testing then applying to all servers).

Hotfix 1873 is supposed to stop the viewing of any file on the server. e.g. http://[server]/server/[profile]/logging/logviewer.jsp?logfile=../../../../../../../boot.ini

But a regular CF install doesn't include a file called logviewer.jsp. It also refers to a "runtime" directory but CF does't have one. Surely then this hotfix isn't necessary for CF installs, perhaps only users of a standalone JRun install?

Hotfix 1876 does scary stuff in a cmd prompt with the Connector Upgrade. The readme only mentions the Apache web server so does that mean IIS users don't need to run it? I tried it on a test box with IIS and it ran okay. I'd love to know if this has been tested on a clustered IIS environment as it can takes ages to get a cluster running smoothly. (Pete, I know you probably don't have the answers, just saying though.)

Any idea which of the 7 hotfixes are the most relevant and critical to CF please? Adobe don't give any details away.

Thanks Pete. I'm running multi instance mode. Still not certain about doing 1876. If there was more tech info about the security issue I would test to see if my installs are vulnerable and if there's another way to fix. e.g. at the firewall level.

@Pete thanks and nice work finding the xss vulnerabilities.

@gary I feel your pain trying to deploy this update. I've got 3 servers to do and all the seperate instruction text files and binaries to sort through is making this more of a headache than it should be.

UPDATE: just found a post via a tweet which lists all the update instructions and file links on one single printable page at: http://www.coldfusionsecurity.org/post.cfm/help-applying-coldfusion-hotfixes-for-vulnerability-apsb09-12

This should save some time but I'm still wondering why Adobe couldn't have done this themselves or bundled all these 'critical's into one zip or *gasp* an auto updater...I can dream can't I?

CF8 on Windows XP with IIS 5.0: CVE-2009-1872 and CVE-2009-1877 worked fine.

CVE-2009-1875 worked fine.

CVE-2009-1876 broke CF twice - must only apply to Apache or later versions of IIS.

CVE-2009-1878 installs, but the CF Admin does not register it. This seems to back up other reports that the guts of 1878 is actually 1875.

Can anyone confirm the issues with CVE-2009-1878 as well as the wsconfig.jar upgrade for IIS please?

"CVE-2009-1878 installs, but the CF Admin does not register it. This seems to back up other reports that the guts of 1878 is actually 1875.

Can anyone confirm the issues with CVE-2009-1878 as well as the wsconfig.jar upgrade for IIS please?"

I have the same problem.

Hi guys,

Sorry i got a silly question, hope you will bear with me. One of the above comments say 1873 and 1874 is only for J2EE.

I'm running a standalone on Windows, but there is also a JRun.exe process. Do the JRUN need patching or not, do I need to update the JRUN and apply these patches?

Thanks for your help!

Confused, Andrew