In conjunction with the ColdFusion 8 FCKEditor security issue mentioned last week, Adobe has just published a security bulletin entitled Hotfix available for potential ColdFusion 8 input sanitization issue. If you are using ColdFusion 8.x, you MUST read this bulletin.
ColdFusion 8 Security Bulletin Posted
9 responses to “ColdFusion 8 Security Bulletin Posted”
-
FYI, under the optional recommendations, ‘Edit jvm.config file and add the JVM argument “–Dcoldfusion.fckupload=true‒, causes the CF service to not start.
This is in the cfusion8-err.log: "java.lang.NoClassDefFoundError: Dcoldfusion/fckupload=true". -
Hi Jason,
Do you have any other details on this? Did you apply the hotfix jar as mentioned in the instructions?
–Dcoldfusion.fckupload=true is nothing but a system property passed to JVM like some of the others property that you may have in jvm.config. It should ideally not cause this esception.
Can you provide more details? -
Yes, we applied the hotfix and restarted. When I add the JVM argument CF won’t start, when I take it out, CF starts.
-
Note that you need to add this system property if you are using file upload capability with fckeditor using cftextarea tag.
Can you mail me java.args line from jvm.config? Which OS are you using?
You can mail me on hkhandel {at} adobe.com
Thanks,
Hemant -
@Jason : Looks like a new line character is getting added when you copy the -Dcoldfusion.fckuplod=true argument.
Do not copy the java argument from the instructions. Type the argument instead in the jvm.config file and you should be all fine. -
Yes, that worked. Good catch!
-
Thank you! Same problem here… i needed to type argument!
-
Hi Ben
Any idea why this hotfix wasn’t announced on this RSS feed:
http://rss.adobe.com/www/support/recent/recent_cf.xml
Do you happen to know if there’s a more up to date feed I should be following for security announcements?
Many thanks. -
I had the same issue with the java argument, thanks for the find.
Leave a Reply