Macromedia Issues Workaround for ColdFusion MX Flaw

The software developer patches a critical security vulnerability that could lead to the exposure of sensitive information.

Software developer Macromedia late Thursday released a temporary workaround to fix a critical security vulnerability in its flagship ColdFusion MX product. San Francisco-based Macromedia Inc. said the patch affects users of ColdFusion MX 6.1 for JRun4 (Updater 1). ColdFusion 7.0 is not affected.

The flaw, which was discovered and reported by the ESP Group LLC, can be exploited by malicious people to disclose some potentially sensitive information, Macromedia said in an online advisory.

The problem is caused by an error in the way the ColdFusion MX 6.1 Updater 1 is configured to place files into directories. According to Macromedia, the default configuration places certain class files incorrectly inside the Web root, opening them up for download by users.

Macromedia promised the issue will be fixed in the next update.

ColdFusion MX is the newest edition of Macromedias popular application server. Click here to read more about ColdFusion MX 6.1. It is part of the companys Macromedia MX product family, which combines client- and server-based products and development tools for integrating images, sounds, text and video on the Web.

Other products in the MX suite include Dreamweaver, Flash, Fireworks and Freehand.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.