ColdFusion Security Hotfix


A new security hotfix for ColdFusion was released today:

I'll use this as a reminder to folks to check out the Hack My CF service from Foundeo. It scans your ColdFusion servers, for free, and gives you a report of vulnerabilities. Most likely they already support this recent fix, and if not, they will soon.


About Raymond Camden

Raymond is a senior developer evangelist for Adobe. He focuses on document services, JavaScript, and enterprise cat demos. If you like this article, please consider visiting my Amazon Wishlist or donating via PayPal to show your support. You can even buy me a coffee!


Archived Comments

Comment 1 by Nathan Dintenfass posted on 12/14/2011 at 11:12 AM

How is it that after all these years applying fixes to ColdFusion is still so byzantine?

Comment 2 by Raymond Camden posted on 12/14/2011 at 5:09 PM

I know, I know. It is being fixed in Zeus. It took too long, but it's being fixed.

Comment 3 by Peter Tilbrook posted on 12/14/2011 at 5:18 PM

Destroyed our CF9 "server_settings.cfm", essentially killing that page. Had to uninstall CF9.01 entirely. Not happy.

Comment 4 by Raymond Camden posted on 12/14/2011 at 5:47 PM

I believe there was an update post release - can you check? If not, please ping me directly.

Comment 5 by Peter Tilbrook posted on 12/16/2011 at 2:42 PM

An update "post release"? Serious? No sign of it, and I have already re-installed CF9 - minus the HF3 patch. Note at this stage not even 9.01. It just works.

Comment 6 by Raymond Camden posted on 12/16/2011 at 2:46 PM

You wouldn't see a 'sign of it'; it would just be a replaced zip. If you still have the issue after trying the patch, ping me directly and I'll try to help.

Comment 7 by Brendan posted on 12/20/2011 at 10:45 PM

I'm being told by our CF Admins that this HotFix will remove the default "action" attribute of <cfform> tags, which used cgi.script_name when it was omitted. Is that true? It sounds like it would then break a lot of sites that just use <cfform> for self-submitting pages.

Comment 8 by Raymond Camden posted on 12/21/2011 at 2:05 AM

I believe the issue stemmed from the fact that it would also pick up cgi.query_string too, which means someone could include something naughty in the url. For now, I'd recommend just hard coding in the action.

Comment 9 by Brendan posted on 12/21/2011 at 3:50 AM

They just updated our Dev Box with the HotFix and it did indeed break all of the places we use <cfform>. To be honest, I'm a little shocked Adobe made this change. As of right now they have the action attribute as optional which was pretty convenient when dealing with forms inside cfdiv tags. You can get the same result with <cfform action="#cgi.SCRIPT_NAME#?#cgi.QUERY_STRING#"> but that's not as simple and clean as the old way.

Does Adobe have any documentation explaining this change in the cfform tag? I imagine a non-trivial number of developers are having the same issue as we are.
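An added example (not from the post, the commenters, or Adobe) of the hard-coded action Raymond recommends: the form submits to cgi.SCRIPT_NAME alone and carries the URL parameters forward as encoded hidden fields, so cgi.QUERY_STRING never lands inside the action attribute. It assumes only CF9-era functions (HTMLEditFormat); the field names are illustrative.

```cfml
<!--- Added example, not code from the post or from Adobe: a self-submitting
      form that keeps its URL parameters without echoing the raw query string
      into the action attribute. Assumes CF9-era functions (HTMLEditFormat);
      on CF10 and later encodeForHTMLAttribute() is the better choice. --->

<!--- The action is the script path only. cgi.SCRIPT_NAME is derived by the
      server from the resolved request path, unlike cgi.QUERY_STRING, which
      is whatever the visitor put after the "?" and so can carry markup. --->
<cfform action="#cgi.SCRIPT_NAME#" method="post">

    <!--- Preserve each URL parameter as a hidden field, encoding both the
          name and the value for the attribute context. --->
    <cfoutput>
        <cfloop collection="#url#" item="key">
            <input type="hidden"
                   name="#HTMLEditFormat(key)#"
                   value="#HTMLEditFormat(url[key])#">
        </cfloop>
    </cfoutput>

    <!--- Illustrative fields; names are hypothetical. --->
    <cfinput type="text" name="searchTerm" required="yes"
             message="Please enter a search term.">
    <cfinput type="submit" name="submitSearch" value="Search">
</cfform>
```

On the receiving side the carried-over values arrive in the form scope rather than the url scope, so code that read them from url needs to read from form (or check both) after this change.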

Comment 10 by Raymond Camden posted on 12/21/2011 at 4:02 AM

Why shocked? If it was documented, then you had to expect it, right?

Comment 11 by Brendan posted on 12/21/2011 at 7:33 PM

Oh, but doesn't the official documentation say the opposite? To go ahead and leave off the action attribute and the form will submit to itself? At least here it says it's been changed to optional since version MX:

We were lucky that our application had yet to launch. Others with live sites, who took the same shortcut with cfform as we did, will get a nasty surprise when they apply this HotFix.

Comment 12 by Raymond Camden posted on 12/21/2011 at 7:44 PM

Yeah, sometimes the docs get a bit behind updates/hot fixes. Not a great answer, but, it's the truth.

Comment 13 by Dana K posted on 12/23/2011 at 4:26 AM

This hotfix has broken our 8.0.1 dev box twice now. Both times I get 500 errors for executequery or createobject. Brutal.