Thursday, February 10, 2011

Security Hot-Fix update for ColdFusion and Session

The recent Security Hot-Fix for ColdFusion fixes an important vulnerability: session fixation.


Previous behavior without the Hot-Fix: one could create a ColdFusion session with a self-provided CFID and CFTOKEN and then mail a victim customer a URL carrying those tokens. Both of them would then share the same session.


Earlier, if one had two different Applications in sub-directories, the ColdFusion session tokens for both Applications were the same, so both Applications worked fine within the same browser.


Now, after applying the hot-fix, if users want to support such different Applications in sub-directories, they can set the session cookies with a Domain and Path.


Example: 


For the second Application in the sub-directory, do this in OnSessionStart:


 <!--- The values must be wrapped in # so the session token is written, not the literal string "SESSION.CFID" --->
 <cfcookie name="CFID" value="#SESSION.CFID#" path="/subdir">
 <cfcookie name="CFTOKEN" value="#SESSION.CFTOKEN#" path="/subdir">
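As an added illustration (not code from this post or from ColdFusion itself), the Python model below captures the two behaviours described above: how a server that adopts any client-presented CFID/CFTOKEN pair enables session fixation while one that only accepts pairs it issued does not, and why two sub-directory Applications sharing one unscoped cookie keep re-issuing tokens after the fix unless the cookies are scoped by path. The application names, token formats and keying of sessions by (application, CFID, CFTOKEN) are assumptions of the model.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class SessionStore:
    """Simplified model of a ColdFusion-style session store; a session is keyed
    by (application name, CFID, CFTOKEN). Not ColdFusion's own code."""
    accept_unknown_tokens: bool  # True: pre-hotfix behaviour, False: hotfix behaviour
    sessions: dict = field(default_factory=dict)

    def issue(self, app):
        # Create a session with a fresh, server-chosen token pair.
        pair = (str(secrets.randbelow(10**6)), secrets.token_hex(4))
        self.sessions[(app,) + pair] = {}
        return pair

    def resolve(self, app, cfid, cftoken):
        """Return the (CFID, CFTOKEN) pair the server uses for this request."""
        if cfid is None or cftoken is None:
            return self.issue(app)
        if (app, cfid, cftoken) in self.sessions:
            return (cfid, cftoken)
        if self.accept_unknown_tokens:
            # Pre-hotfix: any pair the client presents becomes a live session,
            # so a pair planted in a mailed URL is shared by whoever presents it.
            self.sessions[(app, cfid, cftoken)] = {}
            return (cfid, cftoken)
        # Hotfix: an unknown pair is discarded and a fresh pair is set instead.
        return self.issue(app)

def fixation_succeeds(accept_unknown_tokens):
    """Do two browsers presenting the same pre-chosen pair end up in one session?"""
    store = SessionStore(accept_unknown_tokens)
    planted = ("12345", "abcdef00")  # constructed pair; no session exists for it yet
    first = store.resolve("shop", *planted)   # victim follows the mailed link
    second = store.resolve("shop", *planted)  # someone else presents the same pair
    return first == planted and second == planted

def token_pairs_issued(accept_unknown_tokens, path_scoped, rounds=4):
    """Two Applications in sub-directories of one site, visited alternately from
    one browser. Returns how many times the server had to issue a fresh pair."""
    store = SessionStore(accept_unknown_tokens)
    jar = {}  # cookie path -> (CFID, CFTOKEN); a single "/" entry when unscoped
    issued = 0
    for i in range(rounds):
        app = ("appA", "appB")[i % 2]
        path = "/" + app if path_scoped else "/"
        before = jar.get(path)
        jar[path] = store.resolve(app, *(before or (None, None)))
        issued += jar[path] != before
    return issued
```

With the fix and an unscoped cookie, every alternating request invalidates the other Application's pair, which is the symptom that path-scoped CFID/CFTOKEN cookies remove.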




Hope this was helpful.

Wednesday, February 9, 2011

Security fix alert for JVM Hang issue by Oracle

Oracle released a fix for security alert CVE-2010-4476 — the “Java Hangs on 2.2250738585072012e-308 bug.” The fix comes as FPUpdater Tool, which updates rt.jar. 

ColdFusion Security hotfix released

ColdFusion Security hotfix released for CF 8.0, 8.0.1, 9.0 and 9.0.1. See the bulletin for details.