Bugtraq mailing list archives
RE: New Cold Fusion vulnerability
From: "Giovannetti, Mark" <Mark.Giovannetti () CCRS NRCan gc ca>
Date: Thu, 12 Jul 2001 16:23:26 -0400
Maybe we are just paranoid, but since Allaire/Macromedia just released version 5 which is not vulnerable, is this just a ploy to get people to upgrade? This and the fact that there is a 3-8% performance degradation when you install the patch makes me want to know more about this. Also, if you are using NT4 and IIS, the patch breaks your server if you don't install MSVCRT 6.0 runtime files beforehand, so be careful. Anyone have any further info?

JF Prieur

I'd just like to mention that if you have your IIS server locked down such that the IUSR_machine account has no access (explicit deny) to %systemroot%\system32\ you'll run into an authentication problem. You'll have to grant read access to the file MSVCP60.dll for the IUSR_machine account and may have to grant a similar permission to ISCF.dll in your cfusion\bin directory. For those of you who still allow the use of the Everyone group on your machines or do not use explicit deny ACLs for the IUSR_machine account, this will not be an issue.

I'd also like to state that I wasn't impressed with the often urged "upgrade to v5.0" to fix the problem and how "nice" it was of them to supply fixes for three previous releases. Like they're doing us a huge favour. I would certainly like to know more details.

Mark Giovannetti