We are also getting this error. Along with the bug listed here
This hotfix seems to have broken many things, and who knows what else is not working? Adobe needs to address this issue as soon as possible; this is unacceptable.
Thanks Brian for alerting me to that other issue.
I decided I better create as it is not just me.
Hopefully there will be some traction on these bugs.
We have also started experiencing this issue since applying the hotfix, although (at least in our case) it only seems to happen if the cfc exists in an application containing an application.cfc file. AFAIK, the following workarounds exist:
1. Disable "Enable Request Debugging Output" in the CF administrator
2. Create a .cfm proxy to use in your AJAX or Flash remoting requests which will invoke the CFC methods
3. Append _cf_nodebug=true to the requests as either a URL or POST parameter
In addition to the above error, it appears that the display of debugging info for remote CFC requests also changed with this hotfix (even if no application.cfc exists). Previously debug information was not appended to the debug output of these remote CFC requests (even if <cfsetting showdebugoutput="yes" />) but after applying the hotfix debugging info is now being appended to the output of these remote CFC requests. You can work around this by adding the following code to your application.cfm or application.cfc's onRequestEnd() function:
<!--- Disable debugging info for remote CFC (i.e. AJAX) requests --->
<cfif StructKeyExists(GetHTTPRequestData().headers, "X-Requested-With")>
    <cfsetting showdebugoutput="no" />
</cfif>
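Workaround 3 from the list above, written as a client-side helper. This is an added example, not code from the thread or from Adobe; the function names and the /api/users.cfc endpoint are made up for illustration.

```javascript
// Added example: withNoDebug, noDebugRequest and the sample URLs are constructed.
const FLAG = "_cf_nodebug";

// Return the URL with _cf_nodebug=true in its query string, keeping existing
// parameters and any #fragment. Works on relative and absolute URLs.
function withNoDebug(url, fields = {}) {
  const hashAt = url.indexOf("#");
  const fragment = hashAt === -1 ? "" : url.slice(hashAt);
  const base = hashAt === -1 ? url : url.slice(0, hashAt);
  const queryAt = base.indexOf("?");
  const path = queryAt === -1 ? base : base.slice(0, queryAt);
  const params = new URLSearchParams(queryAt === -1 ? "" : base.slice(queryAt + 1));
  for (const [name, value] of Object.entries(fields)) params.set(name, String(value));
  params.set(FLAG, "true"); // set() overwrites an existing value instead of duplicating it
  return `${path}?${params}${fragment}`;
}

// Build { url, init } for fetch(). GET requests carry the flag in the URL;
// form-encoded POSTs carry it in the body, as the workaround allows either.
function noDebugRequest(url, method = "GET", fields = {}) {
  const verb = method.toUpperCase();
  if (verb !== "POST") {
    return { url: withNoDebug(url, fields), init: { method: verb } };
  }
  const body = new URLSearchParams(fields);
  body.set(FLAG, "true");
  return {
    url,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// Usage in a browser (not executed here):
//   const { url, init } = noDebugRequest("/api/users.cfc", "POST", { method: "save" });
//   fetch(url, init);
```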
Due to the issues this security fix introduces, I can't certify it for roll-out to production for our systems engineers. I realize Adobe can't release intimate details of the vulnerabilities publicly (although I'm sure hackers are well aware of the vulnerabilities already and how to exploit them), but can they at least (a) say they are working on a hotfix for the hotfix, or (b) offer some other workarounds to protect ourselves? For example, would removing full access to the CFAdmin from the internet (which is best practice anyway) be sufficient? Are there any other options to this beyond the ones Richard posted or not installing the hotfix?