Adobe Macromedia ColdFusion default missing template page allows cross-site scripting

coldfusion-missing-template-css (9360) Risk level: Medium

Description:

Macromedia ColdFusion MX running on Microsoft Windows 2000 with Microsoft Internet Information Services (IIS) 5.0 is vulnerable to cross-site scripting. When a request is made for a '.cfm' template that does not exist, the default Missing Template handler in ColdFusion MX writes the requested file name into its 404 error page without filtering or encoding invalid characters. A remote attacker can exploit this by constructing a link to a nonexistent '.cfm' file whose name contains script; when a victim follows the link, the error page reflects the script back and it executes in the victim's browser in the security context of the ColdFusion site, allowing the attacker to run script as that user (for example, to read the site's cookies).
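The following is an added example, not ColdFusion's own handler code or anything from the Macromedia bulletin. It simulates a missing-template 404 page that copies the requested template name into its HTML, first unencoded (the flaw described above) and then with output encoding (the fix), and shows the check a practitioner would run against a real server: request a nonexistent '.cfm' file whose name carries a harmless marker and test whether the marker comes back verbatim. The probe string, the page wording, and the `http_fetch` helper are assumptions made for illustration.

```python
import html
from urllib.parse import quote, unquote
import urllib.request
import urllib.error

# Constructed probe (assumption): a template name containing characters that
# any safe error page must HTML-encode. It is a marker, not an exploit payload.
PROBE_NAME = '"><xf-probe>.cfm'


def missing_template_page(request_path: str, escape_output: bool) -> str:
    """Stand-in for a 'missing template' 404 handler (not ColdFusion's code).

    The web server URL-decodes the path before the handler sees it; the handler
    then echoes the template name into the page. With escape_output=False this
    reproduces the advisory's flaw; with True it applies the output encoding
    that closes it.
    """
    name = unquote(request_path)
    shown = html.escape(name, quote=True) if escape_output else name
    return (
        "<html><body><h1>File not found</h1>"
        f"<p>The requested template {shown} was not found.</p>"
        "</body></html>"
    )


def reflects_unescaped(probe: str, body: str) -> bool:
    """True if the raw probe appears verbatim in the response, i.e. unencoded."""
    return probe in body


def check_server(fetch, probe_name: str = PROBE_NAME) -> bool:
    """Request /<probe>.cfm through `fetch(path) -> body` and report vulnerability.

    `fetch` is any callable returning the response body for a path, so the
    check runs offline against the simulated handlers above and online via
    http_fetch().
    """
    path = "/" + quote(probe_name, safe="")  # send every special char percent-encoded
    return reflects_unescaped(probe_name, fetch(path))


def http_fetch(base_url: str):
    """Build a fetch callable for a live host (assumption: plain HTTP, no auth).

    A 404 raises HTTPError in urllib; its body is still the page we need to inspect.
    """
    def fetch(path: str) -> str:
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=10) as r:
                return r.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.read().decode("utf-8", "replace")
    return fetch


if __name__ == "__main__":
    vulnerable = check_server(lambda p: missing_template_page(p, escape_output=False))
    fixed = check_server(lambda p: missing_template_page(p, escape_output=True))
    print("unencoded handler reflects probe:", vulnerable)
    print("encoded handler reflects probe:  ", fixed)
    # Against a real host: check_server(http_fetch("http://host.example"))
```

Only a verbatim reflection of the probe counts as a finding; a page that returns `&quot;&gt;&lt;xf-probe&gt;.cfm` has encoded the name and is behaving as the patched handler should.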


Consequences:

Gain Privileges

Remedy:

Apply the latest patch for this vulnerability, as listed in Macromedia Security Bulletin MPSB02-03. See References.

References:

  • BugTraq Mailing List, Tue Jun 18 2002 - 12:15:39 CDT: ColdFusion MX Cross Site Scripting vulnerability.
  • Macromedia Product Security Bulletin MPSB02-03: Patch available for default Missing Template page in ColdFusion MX.
  • BID-5011: ColdFusion MX Missing Template Cross Site Scripting Vulnerability
  • CVE-2002-1700: Cross-site scripting vulnerability (XSS) in the missing template handler in Macromedia ColdFusion MX allows remote attackers to execute arbitrary script as other users by injecting script into the HTTP request for the name of a template, which is not filtered in the resulting 404 error message.

Platforms Affected:

  • Adobe ColdFusion
  • Microsoft Internet Information Server 5.0

Reported:

Jun 13, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net