Tuesday, March 8, 2011

Update on Security Hot-Fix Feb 2011


There is an update on Security Hot-Fix released in Feb 2011.

The list of issues addressed is as follows:

  1. Session is lost for an application accessed within same domain *.
  2. Formatting problem for ResponseTime table on debug template.
  3. A minor fix for CFIDE/wizards/common/_logintowizard.cfm


With a Session Fixation vulnerability, an attacker fixates (sets) another person's session identifier (SID) and, once that user authenticates, the attacker has access to the authenticated session.

In ColdFusion's affected versions, any given CFID/CFTOKEN values supplied as ColdFusion session identifiers were used to create a new session. After the fix for this, applications accessed within the same domain with client-cookie-based session management enabled started malfunctioning. This happened because the cookie was overwritten by whichever application was accessed later in the same browser.

With the current update to the patch, all of the above problems are fixed. ColdFusion will still accept such tokens, but only after validation.

In case someone still wants to completely switch off the fix for the Session Fixation issue, they can add the JVM property -Dcoldfusion.session.protectfixation=false to the JVM Arguments for the ColdFusion Server.
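To make the difference between the two behaviours concrete, here is an added toy model (Python, constructed for this post, not ColdFusion code) of a session store in both modes: the unpatched mode accepts whatever CFID/CFTOKEN pair the client presents and creates a session under it, while the protected mode only honours a pair the server itself issued and otherwise generates a fresh one. The "issued by this server" check is an assumption about what the validation looks like; the identifier rotation at login is standard session-fixation hygiene rather than something the post describes.

```python
import secrets

class SessionStore:
    """Constructed model of session-id handling with and without fixation protection."""

    def __init__(self, protect_fixation=True):
        # Mirrors the spirit of -Dcoldfusion.session.protectfixation (assumed semantics)
        self.protect_fixation = protect_fixation
        self.sessions = {}  # (cfid, cftoken) -> session data

    def _issue(self, data=None):
        """Generate a fresh server-side identifier pair and register it."""
        key = (secrets.token_hex(4), secrets.token_hex(16))
        self.sessions[key] = data if data is not None else {"authenticated": False}
        return key

    def resolve(self, cookie_cfid, cookie_cftoken):
        """Return the (cfid, cftoken) pair this request will run under."""
        key = (cookie_cfid, cookie_cftoken)
        if key in self.sessions:
            # Known, server-issued pair: honour it in both modes.
            return key
        if not self.protect_fixation and cookie_cfid is not None:
            # Unpatched behaviour: trust the client and create a session
            # under the identifier it chose, which is what enables fixation.
            self.sessions[key] = {"authenticated": False}
            return key
        # Protected behaviour: an unknown pair fails validation and is replaced.
        return self._issue()

    def login(self, key):
        """Rotate the identifier on authentication (standard mitigation, assumed)."""
        data = self.sessions.pop(key)
        data["authenticated"] = True
        return self._issue(data)
```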


The latest hotfixes containing the fixes for the above issues have been updated in the technote. The instructions to apply the hotfix remain the same. All users should re-apply the hotfixes even if they have applied them already. The Security Bulletin can be found here.