VID |
22427 |
Severity |
30 |
Port |
80, ... |
Protocol |
TCP |
Class |
Servlet |
Detailed Description |
The Macromedia JRun Server discloses file source code in response to an HTTP request that ends in ";.cfm". Macromedia JRun is an application server that works with most popular web servers, such as Apache and IIS. Macromedia ColdFusion MX versions 6.0, 6.1 and 6.1 J2EE and JRun version 4.0 are affected by this information disclosure vulnerability in Macromedia JRun. It could allow a remote attacker to view the source code of files that are not associated with Macromedia extensions (.php, .asp, .pl) by appending ";.cfm" to the end of the URL. Only the Microsoft IIS connector is affected; JRun 3.x is not affected.
* References:
  * http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.html
  * http://www.macromedia.com/devnet/security/security_zone/mpsb04-09.html
  * http://www.macromedia.com/devnet/security/security_zone/mpsb05-13.html
  * http://www.idefense.com/application/poi/display?id=148&type=vulnerabilities&flashstatus=true
  * http://www.kb.cert.org/vuls/id/977440
  * http://secunia.com/advisories/12647/
* Platforms Affected:
  * Macromedia JRun 4.0
  * Macromedia ColdFusion MX J2EE 6.1
  * Macromedia ColdFusion MX 6.1
  * Macromedia ColdFusion MX 6.0
  * Microsoft Windows, any version |
Recommendation |
For Macromedia ColdFusion MX: update to the latest version of ColdFusion MX from: http://www.adobe.com/support/coldfusion/downloads.html
For JRun version 4.0: update to the latest version of JRun from: https://www.adobe.com/products/jrun/lownload/ |
Related URL |
CVE-2004-0928 (CVE) |
Related URL |
11245,11331 (SecurityFocus) |
Related URL |
17484 (ISS) |
|
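To check whether a server has already received requests of the kind described above, the following added example (not part of the original entry or any vendor tool) scans IIS W3C extended logs for URL stems ending in ";.cfm" that target non-Macromedia files. The log sample is constructed, and the set of extensions treated as Macromedia-handled is an assumption to adjust per site.

```python
# Added example: flag IIS W3C log entries whose URL stem ends in ";.cfm".
import posixpath
from urllib.parse import unquote

# Assumption: extensions normally handled by ColdFusion/JRun; tune per site.
MACROMEDIA_EXTS = {".cfm", ".cfml", ".cfc", ".jsp"}
SUFFIX = ";.cfm"

# Constructed sample log (W3C extended format), not taken from the page.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-10-01 10:00:01 192.0.2.10 GET /index.cfm - 200
2004-10-01 10:00:05 192.0.2.44 GET /inc/db.php;.cfm - 200
2004-10-01 10:00:09 192.0.2.44 GET /admin/login.asp%3B.CFM - 404
2004-10-01 10:00:12 192.0.2.10 GET /app/report.cfm;.cfm - 200
"""

def find_suspect_requests(log_text):
    """Return one dict per request matching the ';.cfm' suffix pattern."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = unquote(row.get("cs-uri-stem", ""))  # also catches %3B
        if not stem.lower().endswith(SUFFIX):
            continue
        target = stem[:-len(SUFFIX)]    # the file the request really names
        ext = posixpath.splitext(target)[1].lower()
        if ext in MACROMEDIA_EXTS:
            continue                    # entry covers non-Macromedia files only
        hits.append({
            "client": row.get("c-ip"),
            "file": target,
            "status": row.get("sc-status"),
            # Heuristic: 200 means a body was returned and needs review.
            "served": row.get("sc-status") == "200",
        })
    return hits

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(hit)
```

Hits with `served` set to true identify files whose contents should be reviewed for embedded credentials after the update is applied.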