You May Need to Reapply CF Security Hotfix CVE-2009-1877

October 22, 2009
coldfusion

Back in August Adobe released a series of ColdFusion security Hotfixes in security bulletin APSB09-12. One of the vulnerabilities that was supposed to be fixed was a Cross Site Scripting vulnerability that I found and reported to Adobe, known as CVE-2009-1877.

When the hotfix was released I tested it, and found that they didn't fully fix the issue. I reported this back to Adobe, they confirmed that the hotfix was not complete, and came back with another hotfix for me to test within a few days. I confirmed that it was fixed, and waited for Adobe to issue another security bulletin.

Two months go by, and still no bulletin, so I emailed the Adobe security team last week to get a status update. They told me that they updated the hotfix on August 20th. The APSB09-12 page made no mention of this update in the Revisions section. They quickly updated that to show that hotfix was updated, I suggested that they release another security bulletin for the folks that installed the update right away, but they let me know they have no intention of doing that.

To make a long story short, if you installed the security hotfixes when they first were released you need to reapply Hotfix CVE-2009-1877.

If you aren't sure when you installed it you can use my free Hack My CF service to test your server. It will let you know you need to apply Hotfix CVE-2009-1877 again.

Links for hotfix CVE-2009-1877 can be found here:



Related Entries

2 people found this page useful, what do you think?

Comments

hello, on hackmycf.com, passing an ip address of the server results in an error saying invalid address passed.
@Sameer That's correct it doesn't support passing an IP right now. I will work on fixing that but you can pass a hostname that points to the ip in the mean time.

Post a Comment




  



Spell Checker by Foundeo

Recent Entries



foundeo


did you hack my cf?