Buffer Overflow in Macromedia's ColdFusion and JRun

Reported November 12, 2002, by eEye Digital Security.





  • Macromedia ColdFusion 6.0 and earlier (with IIS ISAPI)

  • Macromedia JRun 4.0 and earlier (with IIS ISAPI)





A buffer overflow vulnerability exists in Macromedia’s ColdFusion 6.0 and JRun 4.0 that might enable a potential attacker to execute arbitrary code in the SYSTEM context of the vulnerable system. This vulnerability stems from various heap overflows in the IIS ISAPI handlers when handling Uniform Resource Identifier (URI) filenames. By supplying a filename over 4096 bytes in size, an attacker can overwrite heap memory. To gain control of the remote IIS process with SYSTEM-level access, an attacker can overwrite various structures in the process heap. For more details about this vulnerability, see the discoverer’s Web site.




The discoverer posted the following demonstration as proof of concept:


The following requests can be used to duplicate the attack.


For JRun:

telnet example.com 80

GET /[+4096 byte buffer].jsp HTTP/1.0




For ColdFusion:

telnet example.com 80

GET /[+4096 byte buffer].cfm HTTP/1.0
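To check IIS logs for requests of the shape shown above, the following sketch flags .jsp and .cfm requests whose filename exceeds 4096 bytes. It is an added example, not code from eEye or Macromedia. It assumes W3C extended log format with a cs-uri-stem field, and it measures the last path segment including its extension; the function names and sample log are constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

LIMIT = 4096                        # filename size named in the advisory
HANDLED_EXTS = (b".jsp", b".cfm")   # extensions used in the advisory's requests


def oversized_filename(uri_stem, limit=LIMIT):
    """Return the decoded filename length if it is over the limit, else 0."""
    # Decode %XX escapes first so encoded padding is counted as single bytes.
    path = unquote_to_bytes(uri_stem.split("?", 1)[0])
    name = path.rsplit(b"/", 1)[-1]
    if name.lower().endswith(HANDLED_EXTS) and len(name) > limit:
        return len(name)
    return 0


def scan_w3c_log(lines, limit=LIMIT):
    """Yield (client_ip, extension, length) for each matching log entry."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        length = oversized_filename(stem, limit)
        if length:
            yield row.get("c-ip", "-"), stem.rsplit(".", 1)[-1].lower(), length


# Constructed sample log (assumption, not from the advisory); the client
# addresses are documentation ranges.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2002-11-13 10:00:01 192.0.2.10 GET /index.cfm 200",
    "2002-11-13 10:00:02 198.51.100.7 GET /" + "A" * 4097 + ".jsp 500",
    "2002-11-13 10:00:03 198.51.100.7 GET /" + "%41" * 4100 + ".cfm 500",
    "2002-11-13 10:00:04 192.0.2.11 GET /" + "B" * 5000 + ".html 404",
]

if __name__ == "__main__":
    for ip, ext, length in scan_w3c_log(SAMPLE_LOG):
        print(f"{ip} requested a .{ext} filename of {length} bytes")
```

Long requests for other extensions are ignored because the advisory attributes the overflow to the JRun and ColdFusion ISAPI handlers specifically.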







Macromedia has released patches for both the ColdFusion and JRun products.


ColdFusion MX Advisory:



JRun Advisory:





Discovered by Riley Hassell of eEye Digital Security.
