A new security hotfix for ColdFusion was released today:
http://www.adobe.com/support/security/bulletins/apsb11-29.html
I'll use this as a reminder to folks to check out the Hack My CF service from Foundeo. It scans your ColdFusion servers, for free, and gives you a report of vulnerabilities. Most likely they already support this recent fix, and if not, they will soon.
Archived Comments
How is it that after all these years applying fixes to ColdFusion is still so byzantine?
I know, I know. It is being fixed in Zeus. It took too long, but it's being fixed.
Destroyed our CF9 "server_settings.cfm", essentially killing that page. Had to uninstall CF9.01 entirely. Not happy.
I believe there was an update post release - can you check? If not, please ping me directly.
An update "post release"? Serious? No sign of it and have already re-installed CF9 - minus the HF3 patch. Note at this stage not even 9.01. It just works.
You wouldn't see a 'sign of it'; it would just be a replaced zip. If you still have the issue after trying the path, ping me directly and I'll try to help.
I'm being told by our CF Admins that this HotFix will remove the default "action" attribute of <cfform> tags using the cgi.script_name when it is omitted. Is that true? It sounds like it would then break a lot of sites that just use <cfform> for self-submitting pages.
I believe the issue stemmed from the fact that it would also pick up cgi.query_string too, which means someone could include something naughty in the url. For now, I'd recommend just hard coding in the action.
They just updated our Dev Box with the HotFix and it did indeed break all of the places we use <cfform>. To be honest, I'm a little shocked Adobe made this change. As of right now they have the action attribute as optional which was pretty convenient when dealing with forms inside cfdiv tags. You can get the same result with <cfform action="#cgi.SCRIPT_NAME#?#cgi.QUERY_STRING#"> but that's not as simple and clean as the old way.
Does Adobe have any documentation explaining this change in the cfform tag? I imagine a non-trivial number of developers are having the same issue as we are.
Why shocked? If it was documented, then you had to expect it, right?
Oh, but doesn't the official documentation say the opposite? To go ahead and leave off the action attribute and the form will submit to itself? At least here it says it's been changed to optional since version MX:
http://help.adobe.com/en_US...
We were lucky that our application had yet to launch. Others with live sites, who took the same shortcut with cfform as we did, will get a nasty surprise when they apply this HotFix.
Yeah, sometimes the docs get a bit behind updates/hot fixes. Not a great answer, but, it's the truth.
This hotfix has broken our 8.0.1 dev box twice now. Both times I get 500 errors for executequery or createobject. Brutal.