You May Need to Reapply CF Security Hotfix CVE-2009-1877

Back in August Adobe released a series of ColdFusion security Hotfixes in security bulletin APSB09-12. One of the vulnerabilities that was supposed to be fixed was a Cross Site Scripting vulnerability that I found and reported to Adobe, known as CVE-2009-1877.

When the hotfix was released I tested it, and found that they didn't fully fix the issue. I reported this back to Adobe, they confirmed that the hotfix was not complete, and came back with another hotfix for me to test within a few days. I confirmed that it was fixed, and waited for Adobe to issue another security bulletin.

Two months go by, and still no bulletin, so I emailed the Adobe security team last week to get a status update. They told me that they updated the hotfix on August 20th. The APSB09-12 page made no mention of this update in the Revisions section. They quickly updated that to show that hotfix was updated, I suggested that they release another security bulletin for the folks that installed the update right away, but they let me know they have no intention of doing that.

To make a long story short, if you installed the security hotfixes when they first were released you need to reapply Hotfix CVE-2009-1877.

If you aren't sure when you installed it you can use my free Hack My CF service to test your server. It will let you know you need to apply Hotfix CVE-2009-1877 again.

Links for hotfix CVE-2009-1877 can be found here:

• Installation instructions for CVE-2009-1877
• CVE-2009-1877 Hotfix for ColdFusion 7.0.2
• CVE-2009-1877 Hotfix for ColdFusion 8
• CVE-2009-1877 Hotfix for ColdFusion 8.0.1