Allaire Posts Revised Tags and Patches

Aug 28, 2000
The Allaire Security Zone now offers revised tags and patches to address two security problems.

If you are an ISP or a customer hosting multiple ColdFusion applications on a single server machine, downloading and enabling the first ColdFusion Security Patch listed on this page prevents undocumented administrative CFML tags and functions from executing on the server, as explained in Allaire Security Bulletin ASB99-10. (NOTE: unless you host multiple ColdFusion 3.12 or 4.01 applications on a single server machine, you DO NOT require this patch. It is intended for customers who allow .CFM files written by other developers to execute on their servers.)

The second patch, the ColdFusion Expression Evaluator Patch, fixes the known security issues described in Allaire Security Bulletin ASB99-01. That bulletin addresses the fact that one of the sample applications installed with ColdFusion Server, the Expression Evaluator, lets a requester read, upload, and delete files on the server. Allaire's patch limits access to the Expression Evaluator to page requests made from the machine on which it is installed.

As an additional measure of protection, Allaire recommends that customers not install documentation, sample code, example applications and tutorials on production servers (and remove any that are already installed), and that they restrict access to these files on workstations.
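One way to verify that this advice is actually in force on a server is to scan the web server's access log for requests that reach documentation or sample-application paths from anywhere other than the local machine, which is exactly the condition the Expression Evaluator patch enforces. The script below is an added example, not code from Allaire or from the ColdFusion distribution. It assumes Common Log Format lines and that the bundled docs and samples live under "/cfdocs/"; the other two prefixes and every log line are constructed placeholders for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Path prefixes under which ColdFusion installed its documentation and sample
# applications. "/cfdocs/" is the docs directory; the other two are assumed
# placeholders for wherever a given install keeps its examples.
SAMPLE_PREFIXES = ("/cfdocs/", "/cfide/examples/", "/examples/")

# Common Log Format: client ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)


@dataclass(frozen=True)
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    status: int


def is_local(ip: str) -> bool:
    """True only for loopback addresses; an unparsable address never counts as local."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def is_sample_path(path: str) -> bool:
    """Case-insensitive prefix match (IIS/Windows paths ignore case); query string dropped."""
    lowered = path.split("?", 1)[0].lower()
    return lowered.startswith(SAMPLE_PREFIXES)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one CLF line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_log(lines: Iterable[str]) -> list:
    """One Finding per request to a docs/sample path from a non-loopback client."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than abort the whole scan
        if is_sample_path(rec["path"]) and not is_local(rec["ip"]):
            findings.append(Finding(rec["ip"], rec["ts"], rec["method"],
                                    rec["path"], int(rec["status"])))
    return findings


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '127.0.0.1 - - [28/Aug/2000:10:00:01 -0400] "GET /cfdocs/index.htm HTTP/1.0" 200 1532',
    '192.0.2.10 - - [28/Aug/2000:10:00:05 -0400] "GET /index.cfm HTTP/1.0" 200 4821',
    '192.0.2.10 - - [28/Aug/2000:10:00:09 -0400] "GET /CFDOCS/examples/sample.cfm?id=1 HTTP/1.0" 200 610',
    '203.0.113.5 - - [28/Aug/2000:10:01:44 -0400] "POST /cfide/examples/upload.cfm HTTP/1.0" 404 230',
    'this line is not in common log format',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.method} {f.path} -> {f.status}")
```

A 404 is reported alongside a 200 on purpose: once the samples have been removed from a production server, any remaining hits on those paths show that someone is still looking for them, which is worth knowing. Also note that if the server sits behind a reverse proxy, the logged client address is the proxy's, so a "local request only" rule must be based on the real client address rather than on a forwarded header the proxy does not validate.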

Allaire Security Zone

