Forta.com - Blog

Categories

• Acrobat (3) [RSS]
• Adobe (90) [RSS]
• AdobeMAX06 (45) [RSS]
• AdobeMAX07 (59) [RSS]
• AdobeMAX08 (66) [RSS]
• AdobeMAX09 (39) [RSS]
• AdobeMAX10 (1) [RSS]
• AIR (219) [RSS]
• Appearances (191) [RSS]
• Books (72) [RSS]
• CFEclipse (15) [RSS]
• ColdFusion (1382) [RSS]
• Data Services (34) [RSS]
• Fish Tank (5) [RSS]
• Flash (198) [RSS]
• Flex (499) [RSS]
• Home Automation (5) [RSS]
• Jobs (116) [RSS]
• JRun (14) [RSS]
• Labs (43) [RSS]
• LiveCycle (34) [RSS]
• MAX (232) [RSS]
• Mobile (120) [RSS]
• Regular Expressions (17) [RSS]
• RIA (21) [RSS]
• SQL (40) [RSS]
• Stuff (536) [RSS]
• Tips (CF Studio) (80) [RSS]
• Tips (CF) (795) [RSS]
• Tips (Dreamweaver) (91) [RSS]
• Tips (Flex Builder) (2) [RSS]
• Using CF (162) [RSS]

Other BLOGs

• Charlie Arehart
• Lee Brimelow
• Ray Camden
• Christophe Coenraets
• Sean Corfield
• Mihai Corlan
• Cornel Creanga
• Mark Doherty
• John Dowdell
• Danny Dura
• Enrique Duvos
• Steven Erat
• Kevin Hoyt
• Serge Jespers
• Adam Lehman
• Duane Nickull
• Miti Pricope
• Andrew Shorten
• Ryan Stewart
• James Ward
• Greg Wilson
• Full As A Goog

RSS Feeds

• Feed
• Subscribe

ColdFusion 8 Security Bulletin Posted

Posted At : 3:31 PM
Related Categories: ColdFusion :

In conjunction with the ColdFusion 8 FCKEditor security issue mentioned last week, Adobe has just published a security bulletin entitled Hotfix available for potential ColdFusion 8 input sanitization issue. If you are using ColdFusion 8.x, you MUST read this bulletin.

TrackBacks

There are no trackbacks for this entry.

No trackback URL. Trackbacks are only allowed via interactive form.

[Add Trackback]

Comments

[Add Comment] [Subscribe to Comments]

FYI, under the optional recommendations, 'Edit jvm.config file and add the JVM argument “–Dcoldfusion.fckupload=true”', causes the CF service to not start.

This is in the cfusion8-err.log: "java.lang.NoClassDefFoundError: Dcoldfusion/fckupload=true".

# Posted By Jason | 7/8/09 6:10 PM

Hi Jason,

Do you have any other details on this? Did you apply the hotfix jar as mentioned in the instructions?

–Dcoldfusion.fckupload=true is nothing but a system property passed to JVM like some of the others property that you may have in jvm.config. It should ideally not cause this esception.

Can you provide more details?

# Posted By Hemant Khandelwal | 7/8/09 8:36 PM

Yes, we applied the hotfix and restarted. When I add the JVM argument CF won't start, when I take it out, CF starts.

# Posted By Jason | 7/8/09 8:55 PM

Note that you need to add this system property if you are using file upload capability with fckeditor using cftextarea tag.

Can you mail me java.args line from jvm.config? Which OS are you using?

You can mail me on hkhandel {at} adobe.com

Thanks,
Hemant

# Posted By Hemant Khandelwal | 7/8/09 9:05 PM

@Jason : Looks like a new line character is getting added when you copy the -Dcoldfusion.fckuplod=true argument.

Do not copy the java argument from the instructions. Type the argument instead in the jvm.config file and you should be all fine.

# Posted By Rakshith | 7/8/09 9:30 PM

Yes, that worked. Good catch!

# Posted By Jason | 7/9/09 10:33 AM

Thank you! Same problem here... i needed to type argument!

# Posted By galdir | 7/21/09 4:18 PM

Hi Ben
Any idea why this hotfix wasn't announced on this RSS feed:

http://rss.adobe.com/www/support/recent/recent_cf....

Do you happen to know if there's a more up to date feed I should be following for security announcements?

Many thanks.

# Posted By Geoff | 7/22/09 11:42 AM

I had the same issue with the java argument, thanks for the find.

# Posted By Mike | 8/21/09 8:27 AM

[Add Comment]