Macromedia patched two holes Wednesday evening to fix two vulnerabilities in ColdFusion MX 6.1.
Both patches are available at the company’s security Web page directories. This is the fourth vulnerability found in this version of ColdFusion MX since its release in August.
The first vulnerability springs from ColdFusion MX 6.1 Enterprise and all versions of ColdFusion MX 6.1 J2EE edition’s ability to let users create classes within projects that bypass the application’s security sandbox measures. While the vulnerability doesn’t let remote users create classes, users can create them in a shared, hosted environment. Officials consider the patch a critical update to the application.
The update throws up an added layer of defense for developers; users will not be able to create or instantiate new objects when the CreateObject () variable or tags are disabled. If someone tries anyway, a “security exception occurred while invoking java method on a “java.lang.Class” object.” error message will appear at compile time.
The second vulnerability affects all versions of ColdFusion MX 6.1 and ColdFusion MX 6.1 J2EE. If a user sends a form with hundreds of range or type validation requests it can cause the system to bog down, similar to the Internet-based denial of service attack.
The update, which Macromedia officials deemed “important,” improves
performance to the point where the requests don’t tie down the system.
This article was originally published on internetnews.com.