asb99-09.exec_via_ms_access
Posted Sep 23, 1999

SHA-256 | 56dfd85a63b3629566c6b046a56a86971368306c298f5f0aa3320c89b5be617f

Allaire Security Bulletin (ASB99-09)

Solutions to Issues that Allow Users to Execute Commands through
Microsoft Access

Originally Posted: June 1, 1999
Last Updated: June 8, 1999

Summary
Some Microsoft ODBC drivers for Microsoft Access may allow users to
execute Visual Basic for Applications (VBA) commands on the hosting
server without permission. URL, form and cookie variables used in a
dynamic query in many development environments (e.g. ColdFusion, ASP,
CGI, etc.) can be used to exploit this hole by appending malicious VBA
statements to existing queries. This problem can be easily fixed by
upgrading to the Microsoft ODBC driver for Access included in MDAC 2.1
sp1a, available from Microsoft. In general, Allaire recommends that
customers use proper coding methods for validating dynamic query
variables passed on URL strings, HTTP forms or cookies. This is not a
security issue with ColdFusion itself. However, ColdFusion customers
using Access are vulnerable to this issue. (This issue is similar to
the vulnerabilities documented in [4]ASB99-04, which are associated
with appending malicious SQL statements to query strings sent to some
enterprise databases.)

Issue
In a Web application there are often circumstances where queries are
built dynamically using variables that are passed on URLs or in forms.
Some versions of the Microsoft Access ODBC driver support the ability
to append VBA commands to a SQL string. As a result, a malicious
attack could be made by using URL, form or cookie variables to send
VBA commands through a query. These VBA commands could potentially be
used to damage the server or to gain unauthorized access to
information and systems. (The potential for a similar problem using
SQL statements and some enterprise databases was documented in
ASB99-04.)

Some versions of the Microsoft Access ODBC driver allow for appending
VBA commands to a SQL string. The VBA commands are appended by using
the pipe character, or Chr(124), which is treated as a reserved
character by the Access ODBC driver. See the following MS Knowledge
Base article for details:
[5]http://support.microsoft.com/support/kb/articles/q147/6/87.asp

This reserved character allows users to modify a URL, form or cookie
variable to execute VBA commands against the Web server using the ODBC
driver. The following string is an example of one that can be used to
initiate an attack by writing a file to the web server's hard drive:
'|shell("cmd /c 1 > c:\temp\foo.txt")|'

This string could be passed to an application using a URL variable, so
the page could be called as follows:
http://myserver/page.cfm?x='|shell("cmd /c 1 > c:\temp\foo.txt")|'

This code, when executed as part of the following dynamically created
query, will cause a file to be created at the location
c:\temp\foo.txt.

SELECT *
FROM USERS
WHERE lname = '#URL.X#'

This code could also be vulnerable when processing form input from a
template using a form variable called 'X'. Please note that you should
always validate user-initiated input, including URL, form, and cookie
variables.

Affected Software Versions
* ColdFusion Server (all versions and editions) running with
Microsoft Access through ODBC

What Allaire is Doing
This issue is not a problem with ColdFusion itself; it can occur when
Microsoft Access is used with some versions of the Access ODBC driver,
and so it can affect ColdFusion applications that use Access. To
respond to this issue, Allaire has
published an Allaire Security Bulletin (ASB99-09) notifying customers
of the problem and remedies that can be used to address it. We have
sent a notification of the bulletin to customers who have subscribed
to Allaire Security Notifications.

What Customers Should Do
This issue appears to be fixed by the installation of the Microsoft
Access ODBC driver included with MDAC 2.1 sp1a. We strongly recommend
that customers install this ODBC driver. It should not adversely
affect the functionality of ColdFusion applications using Access. This
MDAC can be downloaded from the Microsoft site:
[6]http://download.microsoft.com/msdownload/mdac/sp1a/x86/en/mdac_typ.exe

Note: Allaire recommends that all services (ColdFusion, ColdFusion
Executive, ColdFusion RDS, Bright Tiger, Siteminder, IIS, IIS Admin,
etc.) that interact with the Access ODBC driver be stopped before the
MDAC update is applied. If you have any installation questions please
reference Microsoft's web site at [7]http://www.microsoft.com/odbc.
MDAC updates may affect existing database connectivity and should be
tested in a non-production environment before deployment.

In addition, Allaire recommends that customers write their code to
validate variables that are passed into SQL statements, configure
their database security properly, and use standard database
application development practices such as stored procedures where
appropriate to protect themselves. These are general requirements of
production applications regardless of the development platform.
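The dynamic query shown in the Issue section and the validation advice above, as an added example that is not from the bulletin: it is written in Python rather than CFML so it runs stand-alone, and it contrasts the string-interpolated query with a parameter-bound form (the ColdFusion equivalent is the cfqueryparam tag), adds an allow-list check for the surname field, and scans constructed IIS-style log lines for the pipe-delimited call shape. The log lines, client addresses, field allow-list and regular expressions are assumptions for the example.

```python
import re
from urllib.parse import unquote

# Query shape from the bulletin: the URL variable X is spliced into the SQL text.
UNSAFE_TEMPLATE = "SELECT * FROM USERS WHERE lname = '{x}'"
PIPE = chr(124)  # the reserved VBA delimiter recognised by the Access ODBC driver


def build_query_unsafe(x):
    """Vulnerable pattern: the value becomes part of the statement text."""
    return UNSAFE_TEMPLATE.format(x=x)


def build_query_safe(x):
    """Parameter binding: the value travels separately from the SQL text,
    so the driver never parses a pipe inside the statement."""
    return ("SELECT * FROM USERS WHERE lname = ?", (x,))


# Assumed allow-list for a surname: letters, spaces, apostrophes, hyphens, max 50 chars.
LNAME_RE = re.compile(r"[A-Za-z][A-Za-z '-]{0,49}")


def validate_lname(x):
    """Reject anything outside the allow-list; a pipe is never accepted."""
    return PIPE not in x and LNAME_RE.fullmatch(x) is not None


# Constructed W3C-style IIS log lines (not from the bulletin):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """
1999-06-01 10:00:01 10.0.0.5 GET /page.cfm x=Smith 200
1999-06-01 10:00:07 10.0.0.9 GET /page.cfm x='%7Cshell(%22cmd%20/c%201%20%3E%20c:%5Ctemp%5Cfoo.txt%22)%7C' 200
1999-06-01 10:00:09 10.0.0.5 GET /page.cfm x=O'Brien 200
"""

# A pipe followed by an identifier and "(" is the shape of an injected VBA call.
INJECT_RE = re.compile(r"\|\s*\w+\s*\(")


def suspicious_requests(log_text):
    """Return (client ip, uri-stem, decoded query) for requests matching INJECT_RE."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        query = unquote(fields[5])  # decode %7C etc. before matching
        if INJECT_RE.search(query):
            hits.append((fields[2], fields[4], query))
    return hits
```

Validation and parameter binding are complementary: the allow-list keeps the field to what the application expects, while binding means an accepted apostrophe (as in O'Brien) is still data, not statement text.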

There are many ways to address the issues raised by the risk of
malicious SQL statements being inserted into dynamic queries. The
Allaire Technical Brief, Securing Databases for ColdFusion
Applications, details some of the steps you can take to secure your
databases.

It is important to note that each individual application may require
its own particular steps in both coding and database configuration in
order to be fully secured. Some of the techniques for securing
database applications built with ColdFusion are detailed in the
Allaire Technical Brief - Securing Databases for ColdFusion
Applications.

Revisions
June 1, 1999 -- Bulletin first released.
June 8, 1999 -- Additional information regarding MDAC installation
added.

Reporting Security Issues
Allaire is committed to addressing security issues and providing
customers with the information on how they can protect themselves. If
you identify what you believe may be a security issue with an Allaire
product, please send an email to [8]secure@allaire.com. We will work
to appropriately address and communicate the issue.

Receiving Security Bulletins
When Allaire becomes aware of a security issue that we believe
significantly affects our products or customers, we will notify
customers when appropriate. Typically this notification will be in the
form of a security bulletin explaining the issue and the response.
Allaire customers who would like to receive notification of new
security bulletins when they are released can sign up for our security
notification service.

For additional information on security issues at Allaire, please
visit: [9]http://www.allaire.com/security

THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS
IS" WITHOUT WARRANTY OF ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES,
EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ALLAIRE
CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER
INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF ALLAIRE CORPORATION OR
ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
NOT APPLY.

Copyright © 1995-99 Allaire Corp., All rights reserved.

References

4. http://www1.allaire.com/handlers/index.cfm?ID=8728&Method=Full
5. http://support.microsoft.com/support/kb/articles/q147/6/87.asp
6. http://download.microsoft.com/msdownload/mdac/sp1a/x86/en/mdac_typ.exe
7. http://www.microsoft.com/odbc
8. mailto:secure@allaire.com
9. http://www.allaire.com/security