Cross-site scripting in ColdFusion MX Server

Vendor: Macromedia
Product Affected: ColdFusion MX Server 6.1 and prior
Type: Cross-Site Scripting
Severity: Medium
Date released: 20th October 2004

Overview

The Nortel Networks Contivity VPN Client authentication error message provides more information than is necessary.

I. Description

The cross-site scripting bug can be triggered with a URL like so:
http://172.16.0.27:8500/CFIDE/componentutils/componentlist.cfm?package=<script>alert(document.cookie)</script>
 
What makes the issue a little more serious than usual is that the cookie contains not just the administrator's current session ID, but also his obfuscated password. This obfuscation is trivial to defeat.

II. Impact

The loss of the session ID allows an attacker to impersonate the administrator for the duration of that session. However, by recovering the obfuscated password from the cookie, the attacker can easily decipher the original password, gain permanent access to the Administrator account, and take complete control of the ColdFusion server.

III. Solution

Apply the patch in the Macromedia security bulletin:
http://www.macromedia.com/support/coldfusion/downloads_updates.html

IV. Workaround

Use IP-based access control to limit access to the administrator interface to trusted hosts only.
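
To check whether the request described in section I has reached a server, its access logs can be reviewed for "package" values that do not look like a component path. The Python below is an added example, not part of the original advisory or of any vendor tooling; the Common Log Format input, the allowlist for "package" values and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Affected page, from the advisory; compared in lower case.
TARGET_PATH = "/cfide/componentutils/componentlist.cfm"
# Assumption: a legitimate package value is a dot-separated component path.
SAFE_PACKAGE = re.compile(r"[A-Za-z0-9_.\-]*")
# Assumption: the web server writes Common Log Format request lines.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Oct/2004:10:00:01 +0000] "GET /CFIDE/componentutils/componentlist.cfm?package=cfide.componentutils HTTP/1.1" 200 5120',
    '192.0.2.44 - - [20/Oct/2004:10:02:17 +0000] "GET /CFIDE/componentutils/componentlist.cfm?package=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 4871',
    '192.0.2.44 - - [20/Oct/2004:10:02:40 +0000] "GET /cfide/componentutils/componentlist.cfm?PACKAGE=%253Cscript%253E HTTP/1.0" 200 4790',
    '192.0.2.10 - - [20/Oct/2004:10:03:00 +0000] "GET /index.cfm?package=%3Cb%3E HTTP/1.1" 200 900',
]


def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding so the reported value is readable."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_package(url):
    """Return the decoded package value if it is outside the allowlist, else None."""
    parts = urlsplit(url)
    if parts.path.lower() != TARGET_PATH:
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() == "package":
            value = fully_decode(value)
            if not SAFE_PACKAGE.fullmatch(value):
                return value
    return None


def scan(log_lines):
    """Yield (line_number, decoded_value) for each request worth reviewing."""
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        value = suspicious_package(match.group(1)) if match else None
        if value is not None:
            yield number, value
```

Calling list(scan(SAMPLE_LOG)) reports the second and third sample lines; the allowlist should be tightened or loosened to match the package names actually used on the server.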

Vendor's Response

Apply the comprehensive security update for Macromedia ColdFusion MX Server 6.1:
http://www.macromedia.com/support/coldfusion/downloads_updates.html

Systems Affected

Nortel Networks Contivity VPN Client