Security officials at Macromedia released two patches Wednesday evening in order to fix a hole in its newest Web authoring tool, ColdFusion MX 6.1.
Both patches are available at the company’s security Web page directories. This is the fourth vulnerability found in ColdFusion MX since its launch in August.
The first vulnerability stems from the ability of ColdFusion MX 6.1 Enterprise and all versions of ColdFusion MX 6.1 J2EE edition to let users create classes within projects that bypass the application’s security sandbox measures. While the vulnerability doesn’t let remote users create classes, users can create them in a shared, hosted environment. Officials consider the patch a critical update to the application.
The update throws up an added layer of defense for developers; users will not be able to create or instantiate new objects when the CreateObject() variable or
The second vulnerability affects all versions of ColdFusion MX 6.1 and ColdFusion MX 6.1 J2EE. If a user sends a form with hundreds of range or type validation requests, it can cause the system to bog down, similar to the Internet-based denial-of-service attack
The update, which Macromedia officials deemed “important,” improves performance to the point where the requests don’t tie down the system.