SecPoint Plugin Listings

Allaire Spectra 1.0 Webtop Vulnerability

Thu, 04/30/2009 - 22:19 — victor
Name: 
Allaire Spectra 1.0 Webtop Vulnerability
Filename: 
http.db
SPID: 
409
Impact: 
Allaire Spectra is a web-based e-commerce product. The container editor tool in Spectra allows any user to access an object whether or not they have the proper permissions. Once a user calls for a specific object, they are able to view the object within the container editor preview tab.
Solution: 
From the advisory:

1: Open the file webroot/Allaire/spectra/webtop/application.cfm
2: Add the following line directly under the application initialize section:

    <cfset request.cfa.security.blsSecure = 1>

Your code should then look like this:

    <!---initialize the webtop --->
    <cfa_applicationinitialize
    applicationID=088E7FE8-2AA3-11D3-AD400060B0EB2994
    bActiveApp=1
    bActiveLog=1
    sessionmanagement=Yes
    sessiontimeout=30
    mode=design>
    <cfset request.cfa.security.blsSecure = 1>

Save the file and restart your software.

If you have the ColdFusion Trusted Cache option enabled in the ColdFusion Administrator, you will need to turn it off, reload any Webtop section, then turn the Trusted Cache option on again for the change to take effect. Restarting the ColdFusion Server software will also cause the change to take effect.

Please upgrade to the latest stable version from http://www.allaire.com/ and click on Allaire SpectraUpdate.
Risk: 
Low
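
To confirm the change is in place on a server, the following added example (not part of the advisory or of SecPoint's plugin) checks the text of webtop/application.cfm for an active copy of the line directly under the initialize tag. The function names and status strings are assumptions of this sketch, and the variable name is matched exactly as it is printed on this page.

```python
import re

INIT = re.compile(r"<cfa_applicationinitialize\b[^>]*>", re.I)
FIX = re.compile(
    r"<cfset\s+request\.cfa\.security\.blsSecure\s*=\s*[\"']?(\w+)[\"']?\s*>", re.I)

def strip_cfml_comments(src):
    """Drop <!--- ... ---> comments (CFML lets them nest) so a
    commented-out fix is not counted as active."""
    out, depth, i = [], 0, 0
    while i < len(src):
        if src.startswith("<!---", i):
            depth, i = depth + 1, i + 5
        elif depth and src.startswith("--->", i):
            depth, i = depth - 1, i + 4
        else:
            if depth == 0:
                out.append(src[i])
            i += 1
    return "".join(out)

def check_webtop_fix(src):
    """Return 'ok', 'missing', 'wrong-value', 'misplaced' or 'no-init-tag'."""
    code = strip_cfml_comments(src)
    init = INIT.search(code)
    if init is None:
        return "no-init-tag"
    fix = FIX.search(code)
    if fix is None:
        return "missing"
    if fix.group(1) != "1":
        return "wrong-value"
    # The advisory puts the line directly under the initialize tag.
    if fix.start() < init.end() or code[init.end():fix.start()].strip():
        return "misplaced"
    return "ok"

# Constructed sample input, modelled on the listing in the advisory.
FIX_LINE = "<cfset request.cfa.security.blsSecure = 1>"
PATCHED = """<!---initialize the webtop --->
<cfa_applicationinitialize
applicationID=088E7FE8-2AA3-11D3-AD400060B0EB2994
bActiveApp=1 bActiveLog=1 sessionmanagement=Yes sessiontimeout=30 mode=design>
""" + FIX_LINE + "\n"
UNPATCHED = PATCHED.replace(FIX_LINE, "")
COMMENTED_OUT = PATCHED.replace(FIX_LINE, "<!--- " + FIX_LINE + " --->")

if __name__ == "__main__":
    for name in ("PATCHED", "UNPATCHED", "COMMENTED_OUT"):
        print(name, check_webtop_fix(globals()[name]))
```

A result other than "ok" means the file should be reviewed by hand. After correcting it, the restart or Trusted Cache steps above still apply.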

© Copyright 1999-2008: SecPoint®
SecPoint ApS - Lergravsvej 53 - 2300 Copenhagen S - Phone +45 70 235 245
