asb99-10.cfml_coldfusion
Posted Sep 23, 1999

SHA-256 | 1129f8a6661848b1aa97bb64553c4be26eea6e0a0bfa978cad4ccdf40f064e35

Allaire Security Bulletin (ASB99-10)
Addressing Potential Security Issues with Undocumented CFML Tags and
Functions Used in the ColdFusion Administrator

Originally Posted: July 29, 1999
Last Updated: July 29, 1999

Summary
ColdFusion Server includes several undocumented CFML tags and
functions that are used in the ColdFusion Administrator. In the
context of the ColdFusion Administrator, access to the functionality
provided by these undocumented tags and functions is restricted to
people with administrative privileges. However, the functionality can
be used just like any other CFML tag or function in a ColdFusion
application hosted on a server. As a result, developers who have
permission to create Web applications and executable ColdFusion
templates on a ColdFusion server can make use of the undocumented
functions and tags to potentially gain unauthorized access to
administrative settings including registry, database and advanced
security settings. The availability of illegal de-encoding utilities
that can de-encode the ColdFusion Administrator has made knowledge of
the undocumented tags and functions more widely known.

Issue
The ColdFusion Administrator is a ColdFusion Web application used to
set various ColdFusion Server options. The Administrator makes use of
CFML functions and tags to perform these tasks and employs several
tags and functions not currently documented in the CFML Language
Reference. While currently unsupported, ColdFusion developers who have
permission to create Web applications and executable ColdFusion
templates on a ColdFusion server can make use of these functions and
tags in their Web applications to perform certain administrative
tasks.

The availability of the undocumented tags potentially gives developers
who have permission to place applications on a ColdFusion server the
ability to gain unauthorized access to registry, database, and
Advanced Security settings. In most cases, this does not pose a
security risk because the developers who have access to a server are
trusted. However, in a hosted-application environment, such as an ISP
or a corporate data center that is hosting multiple independent
developers' applications on a single server, the availability of the
undocumented tags used in the ColdFusion Administrator makes it more
difficult to prevent malicious actions by developers who may be using
the hosting server. The undocumented tags used in the ColdFusion
Administrator bypass both ColdFusion Basic Security, which can be used
to disable some tags, and ColdFusion Advanced Security, which can be
used to disable all documented CFML tags. Currently, no ColdFusion
functions can be disabled. In general, creating secure
hosted-application environments requires the use of several layers of
security including network, firewall, operating system, ColdFusion
Server, Web server, and database server security.

In addition to standard CFML tags and functions, the ColdFusion 4.0.1
Administrator makes use of the following functions and tags:
Administrative Functions:
* CF_SETDATASOURCEUSERNAME()
Sets the default user name for a ColdFusion data source
* CF_SETDATASOURCEPASSWORD()
Sets the default password for the ColdFusion data source
* CF_ISCOLDFUSIONDATASOURCE()
Verifies a connection to a ColdFusion data source
* CF_GETDATASOURCEUSERNAME()
Gets the default user name for a ColdFusion data source
* CFUSION_VERIFYMAIL()
Verifies the connection to the default ColdFusion SMTP mail server
* CFUSION_GETODBCINI()
Gets ODBC data source information from the Registry
* CFUSION_SETODBCINI()
Sets ODBC data source information in the Registry
* CFUSION_GETODBCDSN()
Gets the ODBC data source names from the Registry
* CFUSION_SETTINGS_REFRESH()
Refreshes some ColdFusion settings not requiring a restart
* CFUSION_DBCONNECTIONS_FLUSH()
Disconnects all currently connected ColdFusion datasources

Administrative Tags:
* CFINTERNALDEBUG
Used for internal ColdFusion debugging by product development and
to compile templates to PCode without executing them (used by the
CFML Syntax Checker).
* CFNEWINTERNALADMINSECURITY
Used for updates to Advanced Security information.
* CFNEWINTERNALREGISTRY
Used for registry updates. This tag is identical to the CFREGISTRY
tag but bypasses Basic Security.
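The following Python script is an added example and is not part of the Allaire bulletin or of ColdFusion itself. It shows how an administrator of a shared server could audit the templates of hosted applications for the tags and functions listed above, which Basic and Advanced Security cannot disable. The identifier list is taken from the bulletin; the `.cfm` extension, the directory layout, the sample templates and the argument forms inside them are constructed for the demonstration, and the script assumes `<!--- --->` as the CFML comment delimiter so that a name mentioned only in a comment is not reported.

```python
"""Audit CFML templates for the undocumented administrative tags and
functions named in ASB99-10.

Added example: this is not Allaire code.  The identifier lists come
from the bulletin; the scanning approach (case-insensitive regex over
comment-stripped source) and the sample templates are assumptions made
for the demonstration."""
import re
from pathlib import Path

# Administrative functions listed in ASB99-10.
ADMIN_FUNCTIONS = [
    "CF_SETDATASOURCEUSERNAME", "CF_SETDATASOURCEPASSWORD",
    "CF_ISCOLDFUSIONDATASOURCE", "CF_GETDATASOURCEUSERNAME",
    "CFUSION_VERIFYMAIL", "CFUSION_GETODBCINI", "CFUSION_SETODBCINI",
    "CFUSION_GETODBCDSN", "CFUSION_SETTINGS_REFRESH",
    "CFUSION_DBCONNECTIONS_FLUSH",
]
# Administrative tags listed in ASB99-10.
ADMIN_TAGS = [
    "CFINTERNALDEBUG", "CFNEWINTERNALADMINSECURITY", "CFNEWINTERNALREGISTRY",
]

# CFML is case-insensitive, so all matching ignores case.
# A function use is the name followed by "("; a bare mention of the
# name (for example inside a string) is not reported.
FUNC_RE = re.compile(
    r"\b(" + "|".join(ADMIN_FUNCTIONS) + r")\s*\(", re.IGNORECASE)
# A tag use is "<" followed by the tag name and whitespace, ">" or "/".
TAG_RE = re.compile(
    r"<(" + "|".join(ADMIN_TAGS) + r")(?=[\s>/])", re.IGNORECASE)
# CFML comments are delimited by <!--- and --->.
COMMENT_RE = re.compile(r"<!---.*?--->", re.DOTALL)


def strip_comments(source):
    """Blank out CFML comments while keeping line numbers stable by
    replacing each comment with the newlines it contained."""
    return COMMENT_RE.sub(lambda m: "\n" * m.group(0).count("\n"), source)


def scan_source(source):
    """Return (line_number, kind, NAME) for every use of an
    undocumented administrative function or tag in one template."""
    findings = []
    for lineno, line in enumerate(strip_comments(source).splitlines(), 1):
        for m in FUNC_RE.finditer(line):
            findings.append((lineno, "function", m.group(1).upper()))
        for m in TAG_RE.finditer(line):
            findings.append((lineno, "tag", m.group(1).upper()))
    return findings


def scan_tree(root):
    """Scan every *.cfm file below root; return {path: findings} for
    files that contain at least one finding.  (Extension assumed.)"""
    results = {}
    for path in sorted(Path(root).rglob("*.cfm")):
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample templates standing in for a hosted directory tree.
# The argument forms are placeholders; the bulletin gives no signatures.
SAMPLE_TEMPLATES = {
    "hosted/clientA/index.cfm": (
        '<cfquery name="q" datasource="clientA">SELECT 1</cfquery>\n'
        "<cfoutput>#q.recordcount#</cfoutput>\n"),
    "hosted/clientB/setup.cfm": (
        "<!--- CF_SETDATASOURCEPASSWORD() in a comment: not a finding --->\n"
        '<cfset ok = cf_isColdFusionDataSource("clientB")>\n'
        '<cfset u = CF_GetDataSourceUserName("clientB")>\n'
        '<CFNewInternalRegistry action="get">\n'
        "<cfoutput>CFUSION_VERIFYMAIL is a name, not a call</cfoutput>\n"),
    "hosted/clientC/debug.cfm": (
        "<!--- maintenance notes\n"
        "     CFINTERNALDEBUG was discussed here --->\n"
        "<cfinternaldebug>\n"),
}


def scan_samples():
    """Run the scanner over the constructed samples instead of a disk tree."""
    results = {}
    for path, source in SAMPLE_TEMPLATES.items():
        hits = scan_source(source)
        if hits:
            results[path] = hits
    return results


if __name__ == "__main__":
    for path, hits in scan_samples().items():
        for lineno, kind, name in hits:
            print(f"{path}:{lineno}: undocumented admin {kind} {name}")
```

Run it against a real tree with `scan_tree("/path/to/hosted")`; the findings are a review list for the administrator, since the bulletin's position is that these tags and functions have no legitimate place in a hosted developer's application and cannot be disabled by the server's own security layers.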

Affected Software Versions
* ColdFusion Server (all versions and editions).

What Allaire is Doing
Allaire has published this security bulletin and notified customers
about the issue through our standard security notification procedures.
Allaire is planning to document all tags and functions in future
releases, and to expand the scope of the services available as part of
the Server Sandbox Security in the next release of ColdFusion Server
Enterprise Edition, in order to give customers hosting multiple
applications on the same server additional facilities for securing
their environments. More technical documentation is being developed to
give administrators additional information about configuring security
for environments hosting multiple applications.

What Customers Should Do
In general, Allaire recommends that server administrators restrict
access to servers to trusted developers and tested applications in
order to prevent the installation of malicious application code.
Properly securing environments where multiple untrustworthy
developers, clients or untested web applications (ColdFusion, ASP,
CGI, Java, etc.) are hosted on a single server requires the full use
of network, firewall, operating system, Web server, application
server, and database security. These environments should only be
configured and managed by experienced administrators with adequate
knowledge to secure the environments.

Allaire also recommends that server administrators follow the best
practices for securing the ColdFusion Administrator documented in
[4]KB Article 10954 Security Best Practice: Securing the ColdFusion
Administrator.

Revisions
July 29, 1999 -- Bulletin first created.

Reporting Security Issues
Allaire is committed to addressing security issues and providing
customers with the information on how they can protect themselves. If
you identify what you believe may be a security issue with an Allaire
product, please send an email to secure@allaire.com. We will work to
appropriately address and communicate the issue.

Receiving Security Bulletins
When Allaire becomes aware of a security issue that we believe
significantly affects our products or customers, we will notify
customers when appropriate. Typically this notification will be in the
form of a security bulletin explaining the issue and the response.
Allaire customers who would like to receive notification of new
security bulletins when they are released can sign up for our security
notification service.

For additional information on security issues at Allaire, please visit
the Security Zone at:
[5]http://www.allaire.com/security
THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS
IS" WITHOUT WARRANTY OF ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES,
EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ALLAIRE
CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER
INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF ALLAIRE CORPORATION OR
ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
NOT APPLY.

Copyright © 1995-99 Allaire Corp., All rights reserved.

References

4. http://www.allaire.com/handlers/index.cfm?ID=10954&Method=Full
5. http://www.allaire.com/security