COMMAND

Macromedia ColdFusion MX Cross site scripting

SYSTEMS AFFECTED

ColdFusion Server version: 6.0.0.46617

PROBLEM

Ory Segal of Sanctum Inc. found:

Macromedia's ColdFusion MX comes with a default 404 error page. This 404 error page presents the path of the file requested, and does not filter it for hazardous characters, which might be used for a cross site scripting attack.

For example, the following request will pop up a message containing the current session cookies:

http://CF_MX_SERVER/<script>alert(document.cookie)</script>.cfm

SOLUTION

Patch available from the vendor's web site at:

http://www.macromedia.com/v1/handlers/index.cfm?ID=23047
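
The flaw described under PROBLEM, shown as an added example that is not Macromedia's code and not part of the original advisory: a constructed 404 template rendered once with the requested path unfiltered and once with the path HTML-encoded at output. The template, the function names and the percent-encoded variant of the advisory's request are assumptions made for illustration.

```python
import html
from urllib.parse import unquote

# Constructed template standing in for a default "file not found" page.
TEMPLATE = "<html><body><h1>404 Not Found</h1><p>File not found: {path}</p></body></html>"

# Request path from the advisory, plus a percent-encoded form of the same path
# (constructed) as a client could equally send it.
ADVISORY_PATH = "/<script>alert(document.cookie)</script>.cfm"
ENCODED_PATH = "/%3Cscript%3Ealert(document.cookie)%3C/script%3E.cfm"


def render_404_unsafe(raw_path: str) -> str:
    """Mirrors the flaw: the decoded path is written into the page unfiltered."""
    return TEMPLATE.format(path=unquote(raw_path))


def render_404_safe(raw_path: str) -> str:
    """Same page, but the path is HTML-encoded at the point of output, so
    <, >, & and quotes reach the browser as inert text."""
    return TEMPLATE.format(path=html.escape(unquote(raw_path), quote=True))


def reflects_markup(page: str, raw_path: str) -> bool:
    """Regression check: True if markup characters from the requested path
    appear in the rendered page without being encoded."""
    decoded = unquote(raw_path)
    has_markup = any(c in decoded for c in "<>\"'")
    return has_markup and decoded in page


if __name__ == "__main__":
    for path in (ADVISORY_PATH, ENCODED_PATH, "/missing.cfm"):
        print(path)
        print("  unfiltered reflects markup:", reflects_markup(render_404_unsafe(path), path))
        print("  encoded reflects markup:   ", reflects_markup(render_404_safe(path), path))
```

The `reflects_markup` check can be pointed at the body of any error page fetched after patching to confirm the requested path is no longer echoed verbatim.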