
asb00-01.spectrawebtop

Posted Jul 1, 2000
Site allaire.com

Allaire Security Bulletin (ASB00-01) - The Allaire Spectra 1.0 Webtop allows authenticated users to access sections of the Webtop they may not have been granted access to by typing explicit URLs. This exploit does not give anyone access to the Webtop who does not already have permissions to at least one section of the Webtop.

SHA-256 | 89cd666fa3246d4f7ebefb76dbcea8fd8a1db1e06be3006a22c41234f8219a83


Allaire Security Bulletin (ASB00-01)
Addressing Enhancing Authenticated Webtop User Security in Allaire Spectra 1.0

Originally Posted: January 4, 2000
Last Updated: January 4, 2000

Summary
The Allaire Spectra 1.0 Webtop allows authenticated users to access sections of the Webtop
they may not have been granted access to by typing explicit URLs. This exploit does not give
anyone access to the Webtop who does not already have permissions to at least one section of
the Webtop.

Issue
In the application settings file for the Spectra Webtop, there is a line of code that turns on
security settings for the Webtop. This line of code is missing in Version 1.0 of Spectra. You can
still secure sections of the Webtop via the Webtop Permissions area of the System Admin
section, and those sections do not appear to the user. However, the user can access the
secured section by typing in the explicit URL. This exploit does not give anyone access to the
Webtop who does not already have permissions to at least one section of the Webtop.

Affected Software Versions
· Spectra 1.0.

What Allaire is Doing
Allaire intends to address this vulnerability in the next release of Spectra. In the interim, Allaire
has released this bulletin to notify customers of the issue. Allaire recommends that customers
deploying Spectra 1.0 add the missing line of code to the Spectra Webtop application settings
file, as outlined below.

What Customers Should Do
Customers should add the missing line of code to the application settings file for the Webtop.
To do this:

1. Open the file webroot/Allaire/spectra/webtop/application.cfm
2. Add the following line directly under the application initialize section:

<cfset request.cfa.security.bIsSecure = 1>

Your code should then look like this:

. . .
<!--- initialize the webtop --->
<cfa_applicationInitialize
applicationID="088E7FE8-2AA3-11D3-AD400060B0EB2994"
bActiveApp="1"
bActiveLog="1"
sessionmanagement="Yes"
sessiontimeout="30"
mode="design">

<cfset request.cfa.security.bIsSecure = 1>
. . .

3. Save the file and your Webtop security settings will work correctly.

Note that if you have the ColdFusion "Trusted Cache" option enabled in the ColdFusion
Administrator, you will need to turn it off, reload any Webtop section, then turn the "Trusted
Cache" option on again for the change to take effect. Restarting the ColdFusion Server will
also cause the change to take effect.
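The following audit script is an added example, not part of the Allaire bulletin or the Spectra product. It checks an application.cfm body for the remediation above: the `<cfset request.cfa.security.bIsSecure = 1>` line must be present, not commented out, set to a true value, and placed after the `<cfa_applicationInitialize ...>` tag where the bulletin puts it. The sample file contents are constructed from the bulletin's own listing; the status names are this script's own.

```python
import re
import sys

# Constructed sample of the relevant region of application.cfm, as shown in the bulletin.
UNPATCHED = """<!--- initialize the webtop --->
<cfa_applicationInitialize
applicationID="088E7FE8-2AA3-11D3-AD400060B0EB2994"
bActiveApp="1"
bActiveLog="1"
sessionmanagement="Yes"
sessiontimeout="30"
mode="design">
"""
PATCHED = UNPATCHED + "\n<cfset request.cfa.security.bIsSecure = 1>\n"

INIT_TAG = re.compile(r"<cfa_applicationInitialize\b[^>]*>", re.IGNORECASE)
SECURE_SET = re.compile(
    r"<cfset\s+request\.cfa\.security\.bIsSecure\s*=\s*(\S+?)\s*>", re.IGNORECASE)
CF_COMMENT = re.compile(r"<!---.*?--->", re.DOTALL)


def check_webtop_security(source: str) -> str:
    """Classify an application.cfm body: 'secure', 'missing', 'disabled',
    'before-init' (assignment sits above the initialize tag, not directly under it
    as the bulletin instructs) or 'no-init' (no initialize tag, so not the Webtop file)."""
    code = CF_COMMENT.sub("", source)        # a commented-out cfset must not count
    init = INIT_TAG.search(code)
    if init is None:
        return "no-init"
    sets = list(SECURE_SET.finditer(code))
    if not sets:
        return "missing"
    last = sets[-1]                           # the last assignment wins at runtime
    value = last.group(1).strip("\"'").lower()
    if value not in ("1", "true", "yes"):
        return "disabled"
    if last.start() < init.end():
        return "before-init"
    return "secure"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="latin-1").read() if path else PATCHED
    print(f"{path or '<sample>'}: {check_webtop_security(text)}")
```

Run it against the real webroot/Allaire/spectra/webtop/application.cfm after editing; a "secure" result still requires the Trusted Cache reload or server restart described above before the setting takes effect.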

Revisions
January 4, 2000 -- Bulletin first created.

Reporting Security Issues
Allaire is committed to addressing security issues and providing customers with the information
on how they can protect themselves. If you identify what you believe may be a security issue
with an Allaire product, please send an email to secure@allaire.com. We will work to
appropriately address and communicate the issue.

Receiving Security Bulletins
When Allaire becomes aware of a security issue that we believe significantly affects our products
or customers, we will notify customers when appropriate. Typically this notification will be in the
form of a security bulletin explaining the issue and the response. Allaire customers who would
like to receive notification of new security bulletins when they are released can sign up for our
security notification service.

For additional information on security issues at Allaire, please visit the Security Zone at:
http://www.allaire.com/security

THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF
ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL
ALLAIRE CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING
DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.