Vapor-Security Alert
I thought that MySpace had the silliest security issues with their new "profile is securely protected", but I was wrong. I was just shown a so-called security announcement about Adobe Macromedia ColdFusion Information Disclosure and Cross Site Scripting Issues and I just had to chuckle.
The first item says that there is an input validation error when processing a malformed request which can result in installation path information being shown. The example they gave was an error thrown when the malformed request contained a file extension which is not handled by the server. This example makes no sense at all. If the extension is not handled by the ColdFusion server then the file/request will never get to the ColdFusion server from the webserver. Bottom line is that the description of this 'security hole' makes no sense and the information retrieved is not a moderate threat but a very low level one.
The second item is also one that makes no sense to me. It says that accessing the "CFIDE/administrator/login.cfm" template directly without supplying a host name could (not will, just could) cause an application to disclose the internal IP address of the server. They say that this can be done using a "get" request. Now can someone please show me how to do this? How do you call a template without using a hostname? Every test I see for calling this template uses an IP or hostname.
Now the third item may actually be an issue but I've never seen cross site scripting as that big an issue. I can't even say if this has already been fixed in the latest patch released last week. I'll have to check.
I'm rather surprised that such a poorly written 'security' advisory was put up. I really expect better from any place that advertises itself as a "Security Incident Response Team". It feels very much like a vaporware scare put up just to get more Google hits and subscriptions. Harsh words, but that's my feeling.