ISSalert: ISS Advisory: Remote Vulnerabilities in Macromedia ColdFusion Example Applications

From: X-Force (xforce@iss.net)
Date: 08/07/01


Date: Tue, 7 Aug 2001 11:02:15 -0400
Message-Id: <200108071502.LAA28504@amber.iss.net>
To: alert@iss.net
From: X-Force <xforce@iss.net>
Subject: ISSalert: ISS Advisory: Remote Vulnerabilities in Macromedia ColdFusion Example Applications


TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo@iss.net Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Advisory
August 7, 2001

Remote Vulnerabilities in Macromedia ColdFusion Example Applications

Synopsis:

Internet Security Systems (ISS) X-Force has discovered multiple remote
vulnerabilities in Macromedia ColdFusion. ColdFusion is an enterprise
application used to develop, maintain, administer, and deliver Web sites
on the Internet. The vulnerabilities may allow remote attackers to
execute arbitrary commands as a privileged user on a vulnerable
ColdFusion installation.

Affected Products and Releases:

ColdFusion Server for Windows 4.x
ColdFusion Server for Solaris 4.x
ColdFusion Server for HP-UX 4.x
ColdFusion Server for Linux 4.x

ColdFusion Server 5.0 is not vulnerable

Description:

Macromedia ColdFusion ships with several small "helper" applications
that are meant to educate users on a small subset of ColdFusion’s
features. These applications are not installed by default, and
Macromedia has documented and continues to recommend that production
ColdFusion servers should not have the example applications installed.

ColdFusion ships with two vulnerable "Exampleapps". These applications
may be queried via a normal Web browser. Both of these example
applications employ a rudimentary security mechanism to attempt to block
all access except from the ColdFusion server itself. It is possible for
remote attackers to spoof the source of the query and bypass this
restriction.

Both vulnerable scripts behave like CGI (Common Gateway Interface)
applications. It is possible for the attacker to interact with the
example applications to create files, view files, or execute commands
on the vulnerable target.

Recommendations:

Macromedia will not release a patch to address the vulnerabilities
described in this advisory. Macromedia recommends that customers do not
install example applications or documentation on production ColdFusion
servers. Example applications are stored in the /CFDOCS/exampleapps
directory.

Macromedia recommends that the entire /CFDOCS directory tree be removed
from production servers and only installed on development installations
that that are not exposed to potentially hostile networks.

All ColdFusion customers should familiarize themselves with the
ColdFusion "Best Security Practices" document available at the following
address:
 
http://www.allaire.com/Handlers/index.cfm?ID=16258&Method=Full

Additional Information:

Allaire/Macromedia Security Zone:

http://www.allaire.com/security

Macromedia Security Bulletin, "ColdFusion Example Applications
Potentially Expose Server":

http://www.allaire.com/developer/securityzone/securitybulletins.cfm

The Common Vulnerabilities and Exposures (CVE) project has assigned the
Name CAN-2001-0535 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

ISS Consulting can offer security assessments and penetration testing
for your organization. ISS Managed Security Services can also provide
automated scanning and 24x7 IDS monitoring for these security issues.
ISS SecureU offers educational courses on ISS products and detailed
ethical hacking classes on these and other security issues.

Credits:

This vulnerability was discovered and researched by Mark Dowd of ISS
X-Force. ISS would like to thank Macromedia for their response and
handling of this vulnerability.

______

About Internet Security Systems (ISS)
Internet Security Systems is a leading global provider of security
management solutions for the Internet, protecting digital assets and
ensuring safe and uninterrupted e-business. With its industry-leading
intrusion detection and vulnerability assessment, remote managed
security services, and strategic consulting and education offerings, ISS
is a trusted security provider to more than 8,000 customers worldwide
including 21 of the 25 largest U.S. commercial banks and the top 10 U.S.
telecommunications companies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and
the Middle East. For more information, visit the Internet Security
Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2001 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part
of this Alert in any other medium excluding electronic medium, please
e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of or
in connection with the use or spread of this information. Any use of
this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBO3ACjTRfJiV99eG9AQHFIAP/V6GGQ/z7Pehi+tUGOqpBOoNvO28h2cDP
x9eDv5eG/1ZeDoyLK47d27NylhwGCh9IgcJK7N2iW5h20LESf7aqpNfN+YS7L1VU
hcAxt9XORSWSF3yg4i0uTF6jcKtTE7nBKdwn/IvDK/+3NBUPMQ8Llkr8JBLhA1Dy
sAL0wuWklYQ=
=p+G6
-----END PGP SIGNATURE-----