Adobe JRun Administrator Console Cross-Site Scripting Vulnerability

Bugtraq ID:	22547
Class:	Input Validation Error
CVE:	CVE-2006-5860
Remote:	Yes
Local:	No
Published:	Feb 13 2007 12:00AM
Updated:	Feb 13 2007 10:47PM
Credit:	Daiki Fukumori of Secure Sky Technology, Inc is credited with the discovery of this vulnerability.
Vulnerable:	Macromedia JRun 4.0 SP1a Macromedia JRun 4.0 SP1 Macromedia JRun 4.0 build 61650 Macromedia JRun 4.0 - Microsoft IIS 5.1 - Microsoft IIS 5.0 - Microsoft IIS 4.0 Macromedia ColdFusion Server MX Enterprise Macromedia ColdFusion MX Enterprise Multi-Server Edition 7.0
Not Vulnerable:

Adobe JRun Administrator Console Cross-Site Scripting Vulnerability

Adobe JRun is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker could exploit this vulnerability to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Adobe JRun Administrator Console Cross-Site Scripting Vulnerability

To exploit this issue, an attacker must entice a victim into following a malicious URI.

Adobe JRun Administrator Console Cross-Site Scripting Vulnerability

Solution:
The vendor has released advisory APSB07-05 to address this issue. Please see the referenced advisory for details on obtaining and applying the appropriate updates.


Macromedia JRun 4.0

• Adobe jrun-hotfix-66413.jar
  http://download.macromedia.com/pub/security/bulletins/apsb07-05/jrun-h otfix-66413.jar

Macromedia ColdFusion MX Enterprise Multi-Server Edition 7.0

• Adobe jrun-hotfix-66413.jar
  http://download.macromedia.com/pub/security/bulletins/apsb07-05/jrun-h otfix-66413.jar

Adobe JRun Administrator Console Cross-Site Scripting Vulnerability

References:

• Adobe ColdFusion Homepage (Adobe)
  
• APSB07-05 - Patch available for JRun cross-site scripting issue (Adobe)