Allaire Security Bulletin (ASB00-14) - Allaire has recently been notified by Foundstone, Inc. (see Revisions section below for contact information) of a denial of service attack against an unprotected installation of the ColdFusion Administrator. This issue only affects ColdFusion Servers that have not followed Allaire's recommendations in the Allaire Security Best Practices article 10954.
5f15d73015593185e82770c379eda7d3e8ca9790e0e0bf36811eca22b5c1d3c0
Allaire Security Bulletin (ASB00-14)
Workaround available for Denial of Service attack against ColdFusion Administrator
Originally Posted: June 7, 2000
Last Updated: June 7, 2000
Summary
Allaire has recently been notified by Foundstone, Inc. (see Revisions section below for contact
information) of a denial of service attack against an unprotected installation of the ColdFusion
Administrator. This issue only affects ColdFusion Servers that have not followed Allaire's
recommendations in the Allaire Security Best Practices article 10954. The article is available at
the link below.
Allaire Security Best Practices article 10954
Foundstone has further details and a sample exploit available at Foundstone, Inc..
Issue
Allaire has recently been notified of a security issue in the Allaire ColdFusion Administrator. This
issue makes the ColdFusion Administrator vulnerable to a denial of service attack. The denial of
service occurs during the process of converting the input password and the stored password
into forms suitable for comparison when the input password is very large.
Affected Software Versions
ColdFusion Server 4.x
ColdFusion Server 4.5
ColdFusion Server 4.5.1
What Allaire is Doing
Allaire has published this bulletin, notifying customers of the problem. Allaire has also previously
published recommendations that prevent the issue. These recommendations are available in
Allaire's Security Best Practices area of the Security Zone.
What Customers Should Do
Allaire provides the following workaround. Customers should back up all existing data and
implement the recommendations made in the article, 'Securing the ColdFusion Administrator
(10954)'. This should resolve the issue. The article can be found below.
Securing the ColdFusion Administrator (Article 10954)
Revisions
June 7, 2000 -- Bulletin first created.
Special thanks to Stuart McClure of Foundstone, Inc. for bringing this issue to our attention.
Reporting Security Issues
Allaire is committed to addressing security issues and providing customers with the information
on how they can protect themselves. If you identify what you believe may be a security issue
with an Allaire product, please send an email to secure@allaire.com. We will work to
appropriately address and communicate the issue.
Receiving Security Bulletins
When Allaire becomes aware of a security issue that we believe significantly affects our products
or customers, we will notify customers when appropriate. Typically this notification will be in the
form of a security bulletin explaining the issue and the response. Allaire customers who would
like to receive notification of new security bulletins when they are released can sign up for our
security notification service.
For additional information on security issues at Allaire, please visit the Security Zone at:
http://www.allaire.com/security
THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF
ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL
ALLAIRE CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING
DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.