asb99-08.cfcrypt_exe
Posted Sep 23, 1999
SHA-256 | 8075f05b1d795301e1310537a0fdf25dfacb6c3d1cd93e3b265f7812409bf766

Allaire Security Bulletin (ASB99-08)
Pages Encrypted with CFCRYPT.EXE Can Be Illegally Decrypted

Originally Posted: May 19, 1999
Last Updated: May 19, 1999
Summary
ColdFusion supports the ability to "encrypt" the CFML templates in an
application or component, using the CFCRYPT.EXE utility, so they can
be redistributed or sold without exposing the source code to casual
viewing. Allaire has received reports of illegal utilities that will
"decrypt" encrypted CFML templates. In general, this does not mean
that end users can access source code through a browser, because under
normal use, CFML is pre-processed on the server. The decoding exploit
only affects applications or components that are being distributed to
other users as source (e.g. custom tags or third party applications
built on ColdFusion Server).

Issue
The encryption capability in ColdFusion was designed to make it more
difficult to view the code in applications or components that are
redistributed as source. ColdFusion uses industry standard encryption
technology, but the server must be able to decrypt a template without
any secret from the user in order to process it, so whoever installs a
redistributed application holds both the encrypted files and the means
to decrypt them. As with any interpreted language such as CFML or Perl
and any byte-coded language such as Java, it is therefore possible in
principle to reverse engineer either encrypted scripts or compiled
applications.

In order to create a decryption utility, one must first reverse
engineer the ColdFusion template encryption process. Although this is
illegal, Allaire has received reports of the availability of
decryption utilities for this purpose. (It should be noted that
Allaire has a decryption utility that is reserved for special
technical support cases where customers have accidentally encrypted
their only copy of their own original source code.)
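To make the reasoning concrete, here is an added example written for this page. It is not Allaire's code and not the CFCRYPT.EXE algorithm, which the bulletin does not describe; it is a hypothetical template protector in which a fixed key is built into the interpreter. The key, the SHA-256 counter-mode construction, and the sample CFML templates are all assumptions made for the demonstration. It shows the two routes a decryption utility can take: reuse the runtime's own decryption path, or, when one key and keystream are shared across files, recover the keystream from a single template whose plaintext is known and never touch the key at all.

```python
"""Toy model of template "encryption" whose decryption key ships inside the
interpreter. Added example for this bulletin; it is NOT the CFCRYPT.EXE
algorithm (the bulletin does not describe it) and uses no Allaire code."""
import hashlib
import itertools

# Hypothetical key baked into the runtime. Assumption for the toy model only.
RUNTIME_KEY = b"demo-runtime-key-not-allaire"


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a standard primitive deployed the way a
    fixed-key template protector would deploy it (same key, counter restarts
    at zero for every file), so every template is XORed with one keystream."""
    out = bytearray()
    for counter in itertools.count():
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(template: bytes, key: bytes = RUNTIME_KEY) -> bytes:
    """Vendor-side tool: encode a template before redistribution."""
    return xor(template, keystream(key, len(template)))


def runtime_load(blob: bytes) -> bytes:
    """Server side. The interpreter has to recover plaintext on every request
    with no secret from the user, so it necessarily contains everything
    needed to undo protect(). Anyone holding the server holds this function."""
    return xor(blob, keystream(RUNTIME_KEY, len(blob)))


# Attacker side: no key extraction and no disassembly. One template whose
# plaintext is known (a sample shipped with its source, or a file with a
# predictable header) yields the keystream, which then opens every other
# template of that length or shorter.
def recover_keystream(known_plain: bytes, known_cipher: bytes) -> bytes:
    return xor(known_plain, known_cipher)


def decrypt_with_keystream(blob: bytes, ks: bytes) -> bytes:
    if len(blob) > len(ks):
        raise ValueError("keystream too short: need a longer known plaintext")
    return xor(blob, ks)


# Constructed sample templates; not taken from any real product.
PUBLIC_TAG = (b'<cfsetting enablecfoutputonly="yes">\n'
              b'<cfparam name="attributes.name" default="world">\n'
              b'<cfoutput>Hello #attributes.name#</cfoutput>\n')
SECRET_TAG = (b'<cfset licenseKey = "ABC-123">\n'
              b'<cfif licenseKey neq form.key><cfabort></cfif>\n')


def demo() -> bytes:
    """Recover SECRET_TAG from its encoded form using only PUBLIC_TAG."""
    public_blob = protect(PUBLIC_TAG)   # attacker knows both forms of this one
    secret_blob = protect(SECRET_TAG)   # the one the vendor wanted hidden
    ks = recover_keystream(PUBLIC_TAG, public_blob)
    return decrypt_with_keystream(secret_blob, ks)


if __name__ == "__main__":
    print(demo().decode())
```

Two things to take from it. runtime_load() is the decryptor: a support utility and an illegal one are the same function, because the server has to run it on every request. And when one fixed key is reused across files, recovering the key is not even required; a per-file nonce would close that shortcut but not the first point. Only keeping the encrypted files off machines the author does not control removes the exposure, which is why the bulletin limits it to redistributed applications.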

It is important to understand that this exploit only affects
applications that are redistributed. Under proper server
configuration, end users cannot access source code in a ColdFusion
application because it is pre-processed on the server each time a page
is requested. Also, most Web server programming environments including
Perl and ASP do not provide support for even basic encryption.

Affected Software Versions
* ColdFusion Application Server 3.x (all editions)
* ColdFusion Server 4.x (all editions)

What Allaire is Doing
Allaire is investigating the possibility of including stronger and
more flexible encryption options in the next release of ColdFusion
Server.

What Customers Should Do
In general, people using CFCRYPT.EXE to hide source code should
recognize that pages may be illegally decrypted. Customers who are
creating commercial applications for redistribution or sale should
include a license agreement that clearly states users are not
authorized to decrypt encrypted pages. Organizations using CFCRYPT.EXE
to protect code internally should recognize that encryption does not
stop anyone who can obtain the encrypted files from reading the code,
and should adjust accordingly.

Revisions
May 19, 1999 -- Bulletin first released.

Reporting Security Issues
Allaire is committed to addressing security issues and providing
customers with the information on how they can protect themselves. If
you identify what you believe may be a security issue with an Allaire
product, please send an email to secure@allaire.com. We will work to
appropriately address and communicate the issue.

Receiving Security Bulletins
When Allaire becomes aware of a security issue that we believe
significantly affects our products or customers, we will notify
customers when appropriate. Typically this notification will be in the
form of a security bulletin explaining the issue and the response.
Allaire customers who would like to receive notification of new
security bulletins when they are released can sign up for our security
notification service.

For additional information on security issues at Allaire, please visit
the Security Zone at:
http://www.allaire.com/security
THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS
IS" WITHOUT WARRANTY OF ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES,
EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ALLAIRE
CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER
INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF ALLAIRE CORPORATION OR
ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
NOT APPLY.

Copyright © 1995-99 Allaire Corp., All rights reserved.
