Security vulnerability exists within CF administrator log in page (/CFIDE/administrator/login.cfm) HTML form. Does anyone know how to apply a solution or work-around?
Web site security scanning reports the CF administrator log in page uses <input> password field autocomplete=on (default). Solution is to edit web page form appending attribute "autocomplete=off". But since the entire CFIDE directory uses ColdFusion's encryption, page is not editable.
A week ago (1/8/14), at Adobe's telephone customer support direction, I submitted a request for help to Adobe's support site (bugbase.adobe.com). Requests to this site go into the ether ("not externally visible"). No response whatever has been provided.
The basic fix is for Adobe to send or provide an updated web page. Problem is a site security issue.
I think bugs related to security are automatically "hidden" for security reasons. Other (non-security) bugs result in notification emails whenever their status changes or comments are added. You may have to get back in touch with Adobe phone support to find out how you can track the status.
-Carl V.
Viewing page source (View|Source - IE) shows <input> password field uses attribute "autocomplete=false". "false" does work for me to disable automatic fill in. However security scan must be looking for the correct HTML syntax "autocomplete=off" (http://www.w3.org/wiki/HTML/Elements/input/password).
Adobe telephone customer support said I would get a response by email or telephone after submitting "bugbase" request. No response has ever come. As a customer, and for my customer, even an automated email from Adobe would be appreciated.
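The check discussed in the post above, as an added example that is not part of the original thread and is not Adobe's or any scanner vendor's code: it reports the effective `autocomplete` setting of every password field, including a value inherited from the enclosing `<form>`. The sample markup and field names are constructed, and the assumption that a scanner accepts only the literal value "off" comes from the post.

```python
from html.parser import HTMLParser

def classify(raw):
    """Map a raw autocomplete value to a verdict."""
    if raw is None:
        return "missing"   # nothing set on the input or its form
    value = raw.strip().lower()
    if value in ("on", "off"):
        return value
    return "other"         # e.g. "false": not the literal "off" a scanner matches

class PasswordAutocompleteAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.form_setting = None   # autocomplete value of the enclosing <form>
        self.findings = []         # (field name, raw value, verdict)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_setting = attrs.get("autocomplete")
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            # The input's own attribute wins; otherwise fall back to the form's.
            raw = attrs.get("autocomplete") or self.form_setting
            self.findings.append((attrs.get("name"), raw, classify(raw)))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_setting = None

def audit(html):
    """Return one finding per password input found in the markup."""
    parser = PasswordAutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup (not the real login.cfm source).
SAMPLE = """
<form action="login" method="post">
  <input type="text" name="user">
  <input type="password" name="adminPassword" autocomplete="false">
</form>
<form autocomplete="off"><input type="password" name="pin"></form>
<input type="password" name="legacy">
"""

if __name__ == "__main__":
    for name, raw, verdict in audit(SAMPLE):
        print(f"{name}: autocomplete={raw!r} -> {verdict}")
```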
Like I said, the security-related bugs are handled differently from all non-security-related ones. They get hidden from the public bug tracker (for security reasons). Since the public bug tracker is what sends out the auto response emails, you won't get any for security-related bugs. You'll have to contact Adobe directly to get status updates.
-Carl V.
I called Adobe customer support. Support found the bug number, discussed the concern, and the issue is progressing.
Thanks Carl
Here is the Bug# 3690477. We are looking into it.
Regards,
Anit Kumar