
coldfusion.dos.txt

Posted Jun 9, 2000
Site allaire.com

The Allaire ColdFusion Web Application Server contains a denial of service vulnerability in all ColdFusion versions up through and including 4.5.1. A very large password submitted at the ColdFusion Administrator login page can bring the system to a halt.

tags | exploit, web, denial of service
SHA-256 | 42daef2c136accb3c2736c9630c8560472e737cbfa6d93ed211648d25c436216


Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"

Security Advisory

Allaire's ColdFusion

----------------------------------------------------------------------------
FS Advisory ID: FS-060700-1-CFM

Release Date: June 7, 2000

Product: ColdFusion Web Application Server

Vendor: Allaire Corporation (http://www.allaire.com)

Vendor Advisory: http://www.allaire.com/security

Type: Denial of service attack

Severity: Medium to High

Author: Stuart McClure (stuart.mcclure@foundstone.com)
Foundstone, Inc. (http://www.foundstone.com)

Operating Systems: Windows NT, Solaris, HP-UX

Vulnerable versions: All ColdFusion versions up through and including 4.5.1.

Foundstone advisory: http://www.foundstone.com
----------------------------------------------------------------------------

Description

A denial of service vulnerability exists within the Allaire ColdFusion
web application server which allows an attacker to overwhelm the web
server and deny legitimate web page requests.

Details

The problem lies within the ColdFusion mechanism that manages the
parsing of passwords within authentication requests. This problem makes
the ColdFusion Administrator login page vulnerable to a denial of
service attack. The denial of service occurs during the process of
converting the input password and the stored password into forms
suitable for comparison when the input password is very large
(>40,000 characters).

Proof of Concept

Use the well-known HTML tag field overflow technique to overflow the
HTML password field on the Administrator login page:

http://vulnerable.server.here/cfide/administrator/index.cfm

The attacker simply changes the field size and POST action in the HTML
tags on the page to allow a large string (over 40,000 characters) to be
submitted to the ColdFusion server. Small input strings may not
immediately crash the system but large enough strings will bring the
system to a halt.
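
Because the field size lives only in the HTML sent to the browser, the length limit has to be enforced on the server, before the password is converted for comparison. The guard below is an added example, not code from Foundstone or Allaire; the field names `username`/`password`, the header dictionary shape and both limits are assumptions.

```python
import io
from urllib.parse import parse_qs

MAX_BODY_BYTES = 4096       # assumed cap for a login POST body
MAX_PASSWORD_CHARS = 128    # assumed cap, far below the advisory's 40,000


class RejectRequest(Exception):
    """Raised before any password conversion or comparison is attempted."""
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


def read_login_form(headers, body_stream):
    """Return (username, password) from a urlencoded login POST, or raise."""
    # 1. Decide on the declared size before reading a single body byte.
    try:
        declared = int(headers.get("Content-Length", ""))
    except ValueError:
        raise RejectRequest(411, "Content-Length required")
    if not 0 <= declared <= MAX_BODY_BYTES:
        raise RejectRequest(413, "login body too large")
    # 2. Read exactly that much; a short body is a malformed request.
    raw = body_stream.read(declared)
    if len(raw) != declared:
        raise RejectRequest(400, "truncated body")
    # 3. Parse with a field-count cap, then bound the decoded password.
    try:
        fields = parse_qs(raw.decode("ascii"), keep_blank_values=True,
                          strict_parsing=True, max_num_fields=8)
    except ValueError:          # also covers UnicodeDecodeError
        raise RejectRequest(400, "malformed form body")
    # Field names are hypothetical; the advisory does not name them.
    user, pw = fields.get("username", []), fields.get("password", [])
    if len(user) != 1 or len(pw) != 1:
        raise RejectRequest(400, "expected one username and one password")
    if len(pw[0]) > MAX_PASSWORD_CHARS:
        raise RejectRequest(413, "password too long")
    return user[0], pw[0]


def status_for(body):
    """Status a front end would return for a constructed request body."""
    headers = {"Content-Length": str(len(body))}
    try:
        read_login_form(headers, io.BytesIO(body))
    except RejectRequest as exc:
        return exc.status
    return 200
```

The body-size cap in step 1 keeps an oversized submission from being buffered at all; the per-field cap in step 3 catches a long password that still fits under it.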

Solution

Workaround

Allaire provides the following workaround: Customers should back up all
existing data and implement the recommendations made in the article,
'Securing the ColdFusion Administrator (10954)'. This should resolve the
issue. The article can be found at

http://www.allaire.com/Handlers/index.cfm?ID=10954&Method=Full

Fix

A fix is expected in the future release of ColdFusion 4.6 (Q4, 2000).

Credit

We would like to thank Allaire for their prompt and serious attention to
the problem.

Disclaimer

THE INFORMATION CONTAINED IN THIS ADVISORY IS THE COPYRIGHT (C) 2000 OF
FOUNDSTONE, INC. AND BELIEVED TO BE ACCURATE AT THE TIME OF PRINTING,
BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO
ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE PUBLISHER
ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR
CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR
RELIANCE PLACED ON, THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY
BE REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE ADVISORY
IS NOT MODIFIED IN ANY WAY.

