[NEWS] Remote Vulnerabilities in Macromedia ColdFusion Example Applications
From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Remote Vulnerabilities in Macromedia ColdFusion Example Applications
Message-Id: <20010809041054.CAB07138C4@mail.der-keiler.de>
Date: Thu, 9 Aug 2001 06:10:54 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Remote Vulnerabilities in Macromedia ColdFusion Example Applications
------------------------------------------------------------------------
SUMMARY
Internet Security Systems (ISS) X-Force has discovered multiple remote
vulnerabilities in Macromedia ColdFusion. ColdFusion is an enterprise
application used to develop, maintain, administer, and deliver Web sites
on the Internet. The vulnerabilities may allow remote attackers to execute
arbitrary commands as a privileged user on a vulnerable ColdFusion
installation.
DETAILS
Vulnerable systems:
ColdFusion Server for Windows 4.x
ColdFusion Server for Solaris 4.x
ColdFusion Server for HP-UX 4.x
ColdFusion Server for Linux 4.x
Immune systems:
ColdFusion Server 5.0
Macromedia ColdFusion ships with several small "helper" applications that
are meant to educate users on a small subset of ColdFusion's features.
These applications are not installed by default, and Macromedia has
documented and continues to recommend that production ColdFusion servers
should not have the example applications installed.
ColdFusion ships with two vulnerable "Exampleapps". These applications may
be queried via a normal Web browser. Both of these example applications
employ a rudimentary security mechanism to attempt to block all access
except from the ColdFusion server itself. It is possible for remote
attackers to spoof the source of the query and bypass this restriction.
Both vulnerable scripts behave like CGI (Common Gateway Interface)
applications. It is possible for the attacker to interact with the example
applications to create files, view files, or execute commands on the
vulnerable target.
Recommendations:
Macromedia will not release a patch to address the vulnerabilities
described in this advisory. Macromedia recommends that customers do not
install example applications or documentation on production ColdFusion
servers. Example applications are stored in the /CFDOCS/exampleapps
directory.
Macromedia recommends that the entire /CFDOCS directory tree be removed
from production servers and only installed on development installations
that are not exposed to potentially hostile networks.
All ColdFusion customers should familiarize themselves with the ColdFusion
"Best Security Practices" document available at the following address:
http://www.allaire.com/Handlers/index.cfm?ID=16258&Method=Full
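Since Macromedia is shipping no patch, the only fix is removal, and the check a practitioner wants is confirmation that the /CFDOCS tree really is gone from every production host. The following is an added example, not part of the ISS or SecuriTeam advisory: it probes the two directories the advisory names with HTTP HEAD requests and reports anything that does not come back 404/410, so a 403 (tree present but access-controlled) or a 200 (tree still served) both show up. The probe list, the audit() function and the throwaway local server it is demonstrated against are all constructed for this example; the fake server is a stand-in for a ColdFusion 4.x web front end, not real ColdFusion.

```python
"""Verify that a ColdFusion host no longer serves the /CFDOCS tree.

Added example, not from the advisory. The probe paths below are the
directories the advisory names; the fake server is constructed for the
demo and does not imitate any real ColdFusion behaviour beyond returning
200 or 404 for those paths.
"""
import http.server
import threading
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Directories named in the advisory (constructed probe list: the advisory
# gives the directory tree, not a list of individual files).
EXPOSED_PATHS = (
    "/CFDOCS/",
    "/CFDOCS/exampleapps/",
)


def probe(base_url, path, timeout=5):
    """Return the HTTP status for base_url + path, or None if unreachable."""
    req = urllib.request.Request(urljoin(base_url, path), method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # 403/404/500 etc. are still answers
    except (urllib.error.URLError, OSError):
        return None              # host down, refused, timeout


def audit(base_url):
    """Return {path: status} for every probed path that is NOT 404/410.

    An empty dict means the tree is gone. A 403 is deliberately kept as a
    finding: an access-controlled /CFDOCS is still installed, and the
    advisory's recommendation is removal, not restriction.
    """
    findings = {}
    for path in EXPOSED_PATHS:
        status = probe(base_url, path)
        if status is not None and status not in (404, 410):
            findings[path] = status
    return findings


class _FakeColdFusion(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a CF 4.x front end (not real ColdFusion)."""
    exposed = True  # overridden per demo run

    def do_HEAD(self):
        if self.exposed and self.path.startswith("/CFDOCS/"):
            self.send_response(200)
        else:
            self.send_response(404)
        self.end_headers()

    do_GET = do_HEAD

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_fake_server(exposed):
    """Start a local server on an ephemeral port; return (server, base_url)."""
    handler = type("Handler", (_FakeColdFusion,), {"exposed": exposed})
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def demo():
    """Audit one host with /CFDOCS still installed and one with it removed."""
    results = {}
    for exposed in (True, False):
        server, base = start_fake_server(exposed)
        try:
            results[exposed] = audit(base)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for exposed, findings in demo().items():
        state = "tree installed" if exposed else "tree removed"
        print("%-15s -> %s" % (state, findings or "clean"))
```

Against a real host, call audit("http://cfserver.example.com/") for every production server in the inventory and treat any non-empty result as an open finding, including 403s: the advisory asks for the whole /CFDOCS tree to be absent from production, and a server that answers for the directory at all still has it installed.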
ADDITIONAL INFORMATION
The information has been provided by X-Force <xforce@iss.net>.
Allaire/Macromedia Security Zone:
http://www.allaire.com/security
Macromedia Security Bulletin, "ColdFusion Example Applications Potentially
Expose Server":
http://www.allaire.com/developer/securityzone/securitybulletins.cfm
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.