Secunia

Some vulnerabilities have been reported in Macromedia ColdFusion, which can be exploited by malicious people to bypass certain security restrictions, or by malicious, local users to disclose potentially sensitive information and bypass certain security restrictions.

1) The Sandbox Security functionality fails silently without throwing an exception when ColdFusion is running on a JRun 4 cluster member with the Java SecurityManager disabled. This may allow the bypass of certain security controls in applications that relies on Sandbox Security.

2) An input validation error exists when handling of the "Subject" field of the CFMAIL tag. This can be exploited in an application that uses the tag to attach arbitrary files and send mails with any content.

3) An error exists in the enforcing of the "CFOBJECT/CreateObject(Java)" setting in the Sandbox Security functionality. This may be exploited to call restricted methods through an object of a specially crafted class written to the ColdFusion library directory even when the setting has been disabled.

The vulnerability may be related to:
SA12693

4) The password hash used to authenticate the ColdFusion Administrator can be obtained by developers via an API call. This can be exploited by malicious developers to obtain the hash and authenticate as Administrator.

The vulnerabilities have been reported in version 7.0. ColdFusion MX 6.0, 6.1, and 6.1 with JRun, are affected by vulnerabilities #1 and #2.

Solution
Apply updates.
Further details available in Customer Area

Provided and/or discovered by
1) Russ Michaels
2) Mike Nicholls
3) Andy Allan
4) Fabio Terracini

Changelog
Further details available in Customer Area

Original Advisory
http://www.macromedia.com/devnet/security/security_zone/mpsb05-12.html
http://www.macromedia.com/devnet/security/security_zone/mpsb05-14.html

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area