ColdFusion Holes Allow Security Bypass
Flaws have been found in multiple versions of Adobe Systems Inc.’s Macromedia ColdFusion that could allow remote or local attackers to bypass security restrictions. Malicious local users can also disclose potentially sensitive information.
One of the flaws, which Secunia has rated moderately critical, is in the Sandbox Security function. It fails silently, without throwing an exception, when ColdFusion is running on a JRun 4 cluster member with the Java SecurityManager disabled.
According to the alert, this could allow the bypass of some security controls in applications that rely on Sandbox Security.
Another flaw has to do with an input validation error when handling the “Subject” field of the CFMAIL tag. The flaw “can be exploited in an application that uses the tag to attach arbitrary files and send mails with any content,” according to Secunia’s advisory.
more from [url=http://www.eweek.com/article2/0,1895,1902746,00.asp]Eweek[/url]