Allaire Security Bulletin (ASB99-07)
   Solution Available for Denial-of-Service Attack Using CF Admin.
   Start/Stop Utility
   
   Originally Posted: May 19, 1999
   Last Updated: May 19, 1999
   Summary
   The ColdFusion Administrator includes a utility for starting and
   stopping the ColdFusion service from a browser. When Basic Security is
   enabled, this utility is protected by the Administrator password.
   However, when Advanced Security is enabled, the start/stop utility is
   not password protected and can be accessed by an unauthorized user to
   stop the ColdFusion Server. The exploit is easily addressed by
   securing the utility with Web server security or removing the utility
   from the system.
   
   Issue
   The ColdFusion Administrator Start/Stop Utility is a browser-based
   Java applet that is designed to let administrators start and stop the
   ColdFusion service. The utility is made available through the file
   "startstop.html" stored in the "/CFIDE/Administrator/" directory. When
   Basic Security is enabled this utility is secured by the same password
   used to secure the Administrator. When Advanced Security is enabled,
   it overrides the browser-based password security imposed on the
   Start/Stop Utility. If a server is running Advanced Security, an
   unauthorized user could access the startstop.html page to stop the
   server.
   
   Affected Software Versions
     * ColdFusion Server 4.0 (all editions)
     * ColdFusion Server 4.0.1 (all editions)
       
   What Allaire is Doing
   Allaire intends to address this exploit in the next release of
   ColdFusion Server. In the mean time, Allaire has released this
   bulletin to notify customers of the issue. Allaire recommends that
   customers using Advanced Security remove the start/stop utility, or if
   it is required, secure it with Web server security.
   
   What Customers Should Do
   Customers who are using Advanced Security should remove the file
   "startstop.html" from the /CFIDE/Administrator directory. If the
   browser-based start/stop functionality is required, the file can be
   secured with standard Web server security to prevent unauthorized
   access. The recommended way to stop and start the ColdFusion services
   is via the standard operating system remote service management tools.
   Depending on how your operating system is set up, and the services it
   is running, you may be able to connect to the service manager
   remotely, or you may be able to TELNET into the server to issue a
   command line restart command.
   
   In general, Allaire recommends that customers secure the entire
   /CFIDE/Administrator directory with Web server security in addition to
   either Basic or Advanced ColdFusion Security. Access to the
   /CFIDE/Administrator directory should be limited to administrators,
   and it should be protected with strong, difficult to guess passwords.
   Revisions
   May 19, 1999 -- Bulletin first released.
   
   Reporting Security Issues
   Allaire is committed to addressing security issues and providing
   customers with the information on how they can protect themselves. If
   you identify what you believe may be a security issue with an Allaire
   product, please send an email to secure@allaire.com. We will work to
   appropriately address and communicate the issue.
   
   Receiving Security Bulletins
   When Allaire becomes aware of a security issue that we believe
   significantly affects our products or customers, we will notify
   customers when appropriate. Typically this notification will be in the
   form of a security bulletin explaining the issue and the response.
   Allaire customers who would like to receive notification of new
   security bulletins when they are released can sign up for our security
   notification service.
   
   For additional information on security issues at Allaire, please visit
   the Security Zone at:
   [4]http://www.allaire.com/security
   THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS
   IS" WITHOUT WARRANTY OF ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES,
   EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY
   AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ALLAIRE
   CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER
   INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF
   BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF ALLAIRE CORPORATION OR
   ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
   SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
   CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
   NOT APPLY.
   
   < a l l a i r e >
   Copyright © 1995-99 Allaire Corp., All rights reserved.
   [5]Site problems?    [6]Service questions?     [7]Privacy Policy

References

   1. LYNXIMGMAP:http://www1.allaire.com/handlers/index.cfm?ID=10968&Method=Full#allaireHome
   2. LYNXIMGMAP:http://www1.allaire.com/handlers/index.cfm?ID=10968&Method=Full#tools
   3. javascript:history.back()
   4. http://www.allaire.com/security
   5. mailto:webmaster@allaire.com
   6. mailto:info@allaire.com
   7. http://www.allaire.com/privacy/