Critical security updates have been published for two Adobe platforms

Aug 18, 2009 10:32 GMT

Adobe Inc. published, on 17 August 2009, several security fixes for the ColdFusion web development platform and for the JRun web servlet engine. The updates were rated critical and resolved several cross-site scripting (XSS) vulnerabilities that could have compromised and exposed account information. Seven fixes were issued to address XSS problems in ColdFusion 8.0.1, ColdFusion 8.0, ColdFusion 7.02 and JRun 4.0.

By exploiting these flaws, attackers could have crafted malicious links and stolen administrative cookies and other sensitive data through chained XSS and XSRF vulnerabilities. This could also have led to unwanted code execution and the compromise of ColdFusion websites.

Other fixes addressed XSS vulnerabilities in the session handler that could have led to unauthorized privilege escalation, as well as a double-encoded null character vulnerability that could have compromised user-account information.

A similar ColdFusion security update for another XSS problem was issued in July 2009, resolving zero-day vulnerabilities in the embedded text editor FCKeditor.

The JRun patches resolved directory traversal vulnerabilities in the management console that could have exposed the server's entire folder structure to any attacker.

Regarding the possibility that these vulnerabilities had already been used by attackers, the Adobe Product Security Incident Response Team said that “Adobe is not currently aware of any exploits in the wild for the security vulnerabilities fixed in this release.”

The ColdFusion and JRun fixes can be found on this page, with the necessary instructions attached.

The hotfixes can be identified by the following CVE (Common Vulnerabilities and Exposures) identifiers: CVE-2009-1872, CVE-2009-1873, CVE-2009-1874, CVE-2009-1875, CVE-2009-1876, CVE-2009-1877 and CVE-2009-1878.