Allaire Security Bulletin (ASB99-11)
                  Solutions to Issues that Allow Users to Execute Commands on NT Servers through
                  MDAC RDS

                  Originally Posted: July 27, 1999
                  Last Updated: April 3, 2000

                  Summary
                  Microsoft® SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0 could allow the remote
                  author of a malicious SQL query to take unauthorized actions on a Microsoft SQL Server,
                  MSDE database, or on the underlying system that was hosting the SQL Server or MSDE
                  database.

                  As indicated in Microsoft Security Bulletin MS98-004 and MS99-025 (links below), some
                  Microsoft Data Access Components (MDAC) could allow unauthorized access to a web server
                  hosted on Microsoft Windows NT. This is not a problem with ColdFusion Server. However,
                  Allaire customers running on Windows NT should take the steps outlined below to protect
                  themselves from this vulnerability.

                  [NOTE: ColdFusion RDS ("Remote Development Services") are an entirely different technology
                  than the MDAC RDS ("Remote Data Services") and do not make use of MDAC RDS. The
                  remainder of this Bulletin uses "RDS" to refer to the MDAC Remote Data Services, not the
                  ColdFusion Remote Development Services.]

                  Issue
                  The Microsoft® SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0 vulnerability would
                  allow the remote author of a malicious SQL query to take unauthorized actions on a SQL Server
                  or MSDE database or on the underlying system that was hosting the SQL Server or MSDE
                  database. This means that a user could potentially pass a query through a URL to a SQL Server
                  provided that site/server was using SQL Server Security. The commands would be executed
                  with the full privileges of the owner or administrator of the database.

                  This vulnerability can be exploited remotely via ODBC, OLE DB or DB-Library. This means
                  ColdFusion Administrators who allow users to make Query and Select statements to the SQL 7
                  server and utilize SQL Server Security, are potentially vulnerable. This also applies to sites which
                  parse database queries through URLs. These queries can be modified by malicious users to
                  become database strings with which they can abuse this particular flaw.

                  This vulnerability can be exploited remotely via ODBC, OLE DB or DB-Library. This means
                  ColdFusion Administrators who allow users to make Query and Select statements to the SQL 7
                  server and utilize SQL Server Security, are potentially vulnerable. This also applies to sites which
                  parse database queries through URLs. These queries can be modified by malicious users to
                  become database strings with which they can abuse this particular flaw.

                  MDAC Remote Data Services (RDS ) is a component of MDAC that enables controlled
                  Internet access to remote server data resources. However, because the RDS DataFactory (a
                  component of RDS) and VbBusObj.VbBusObjCls (an RDS sample component) allows implicit
                  remote data access requests, it can be exploited to allow unauthorized server access. Internet
                  clients can potentially access ODBC database datasources available to the server, or when
                  combined with the VBA pipe character vulnerability (as described in Allaire Security Bulletin
                  ASB99-09), potentially execute commands on the server.

                  Affected Software Versions

                       This is an issue that affects customers running Microsoft Windows NT. (Because
                       Windows NT is a popular operating system for hosting Allaire ColdFusion Server,
                       Allaire has published this bulletin to notify Allaire customers of the issue.) 

                  What Allaire is Doing
                  This issue is not a problem with ColdFusion, but can occur when using Microsoft Data Access
                  Components, Microsoft® SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0 on
                  Windows NT and can affect ColdFusion customers who are using Windows NT servers. To
                  respond to this issue, Allaire has published an Allaire Security Bulletin (ASB99-11) notifying
                  customers of the problem and remedies that can be used to address it. We have sent a
                  notification of the bulletin to customers who have subscribed to Allaire Security Notifications.

                  What Customers Should Do
                  For the SQL Server 7.0/MSDE vulnerability, users should download the latest patch from
                  Microsoft at: http://www.microsoft.com/downloads/release.asp?ReleaseID=19132

                  ColdFusion Windows NT customers who are not using the features of MDAC RDS should take
                  the following actions:

                     1.Install MDAC 2.1 GA (sp2) or higher. This step is optional but recommended. If
                       MDAC components are installed after the steps that follow, these steps should be
                       repeated.

                       NOTE: Allaire recommends that ALL services (ColdFusion, ColdFusion Executive,
                       ColdFusion RDS, Bright Tiger, Siteminder, IIS, IIS Admin, etc.) that interact with
                       ODBC drivers be stopped before the MDAC install is run. If you have any installation
                       questions please reference Microsoft's web site at http://www.microsoft.com/data.
                       MDAC updates may affect existing database connectivity and should be tested in a
                       non-production environment before deployment.

                     2.Delete the following registry entries if they exist:

                       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\
                       Parameters\ADCLaunch\RDSServer.DataFactory

                       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\
                       Parameters\ADCLaunch\AdvancedDataFactory 

                       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\
                       Parameters\ADCLaunch\VbBusObj.VbBusObjCls

                     3.Ensure the following registry key exists and is set as follows:

                       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataFactory\HandlerInfo
                       "handlerRequired"=dword:00000001
                       "DefaultHandler"="MSDFMAP.Handler"

                     4.For Windows NT sites running Microsoft IIS, the "/msadc" Virtual Directory on the
                       "Default" Web site should be removed using the IIS Management Console. This Virtual
                       Directory will be recreated with each new install or upgrade of Microsoft Data Access
                       Components to the "Default" Web site.

                     5.Delete the folder %SYSTEM%\Program Files\Common Files\System\msadc\samples
                       and all subfolders.


                  Allaire strongly recommends that all ColdFusion Windows NT customers who wish to
                  make use of the features of MDAC RDS or customers who use Windows NT as their
                  server operating system should closely review the Microsoft Security Bulletins
                  MS98-004 and MS99-025.

                  All ColdFusion Windows NT customers should review Allaire Security Bulletin (ASB99-09):
                  "Solutions to Issues that Allow Users to Execute Commands through Microsoft Access".

                  Related Links and Resources:

                       Microsoft Security Bulletin (MS00-014)
                       http://www.microsoft.com/technet/security/bulletin/ms00-014.asp

                       Microsoft MS00-014 FAQ
                       http://www.microsoft.com/technet/security/bulletin/fq00-014.asp

                       Microsoft Security Bulletin MS99-025

                       Microsoft Security Bulletin MS98-004

                       Microsoft MS99-025 FAQ

                       .Rain.Forest.Puppy's NT Bugtraq posting archived at the NT Bugtraq web site
                       (originally identifying the issue)

                       Russ Cooper's IIS RDS Vulnerability article on the NT Bugtraq web site 



                  Revisions
                  July 27, 1999 -- Bulletin first released.
                  April 3, 2000 - Bulletin updated with Microsoft® SQL Server 7.0 and Microsoft Data Engine
                  (MSDE) vulnerability information.

                  Reporting Security Issues
                  Allaire is committed to addressing security issues and providing customers with the information
                  on how they can protect themselves. If you identify what you believe may be a security issue
                  with an Allaire product, please send an email to secure@allaire.com. We will work to
                  appropriately address and communicate the issue.

                  Receiving Security Bulletins
                  When Allaire becomes aware of a security issue that we believe significantly affects our products
                  or customers, we will notify customers when appropriate. Typically this notification will be in the
                  form of a security bulletin explaining the issue and the response. Allaire customers who would
                  like to receive notification of new security bulletins when they are released can sign up for our
                  security notification service.

                  For additional information on security issues at Allaire, please visit the Security Zone at:
                  http://www.allaire.com/security

                  THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF
                  ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
                  WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL
                  ALLAIRE CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING
                  DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
                  EVEN IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
                  DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
                  CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.