Update Protection against Adobe ColdFusion Server URL Parameter Manipulation Cross-Site Scripting (APSB09-12)
| Check Point Reference: | CPAI-2009-191 | |
| Date Published: | ||
| Severity: | ||
| Source: | Adobe vulnerability identifier: APSB09-12 | |
| Industry Reference(s): | CVE-2009-1875 | |
| Protection Provided by: |
Security Gateway
|
|
| Who is Vulnerable? Adobe ColdFusion 8.0.1 and earlier | ||
| Vulnerability Description A Cross Site Scripting (XSS) vulnerability has been discovered in Adobe ColdFusion server. Adobe ColdFusion is an application server for developing dynamically generated Web sites. A remote attacker could exploit this issue to execute a cross-site scripting attack that could potentially lead to code execution. |
||
|
Update/Patch Available Apply Hotfix: Adobe vulnerability identifier: APSB09-12 |
|
|
Vulnerability Details The vulnerability is due to an error in the Adobe ColdFusion server that fails to sufficiently validate input when processing client HTTP requests. A remote attacker could trigger this issue via a specially crafted HTTP request. Successful exploitation of this issue will allow the attacker to inject arbitrary web script or HTML to the vulnerable server. |
Protection Overview In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, Protection tab and select the version of your choice.
This protection will detect and block attempts to exploit this vulnerability.
Note: If your ColdFusion server is configured to listen on a port other than 80, make sure to define this port as an HTTP service.
To configure the defense, select your product from the list below and follow the related protection steps.