Allaire Security Bulletin (ASB00-14)
                  Workaround available for Denial of Service attack against ColdFusion Administrator

                  Originally Posted: June 7, 2000
                  Last Updated: June 7, 2000 

                  Summary

                  Allaire has recently been notified by Foundstone, Inc. (see Revisions section below for contact
                  information) of a denial of service attack against an unprotected installation of the ColdFusion
                  Administrator. This issue only affects ColdFusion Servers that have not followed Allaire's
                  recommendations in the Allaire Security Best Practices article 10954. The article is available at
                  the link below. 

                  Allaire Security Best Practices article 10954

                  Foundstone has further details and a sample exploit available at Foundstone, Inc..

                  Issue

                  Allaire has recently been notified of a security issue in the Allaire ColdFusion Administrator. This
                  issue makes the ColdFusion Administrator vulnerable to a denial of service attack. The denial of
                  service occurs during the process of converting the input password and the stored password
                  into forms suitable for comparison when the input password is very large.

                  Affected Software Versions

                       ColdFusion Server 4.x 
                       ColdFusion Server 4.5 
                       ColdFusion Server 4.5.1 

                  What Allaire is Doing

                  Allaire has published this bulletin, notifying customers of the problem. Allaire has also previously
                  published recommendations that prevent the issue. These recommendations are available in
                  Allaire's Security Best Practices area of the Security Zone.

                  What Customers Should Do

                  Allaire provides the following workaround. Customers should back up all existing data and
                  implement the recommendations made in the article, 'Securing the ColdFusion Administrator
                  (10954)'. This should resolve the issue. The article can be found below.

                  Securing the ColdFusion Administrator (Article 10954)

                  Revisions
                  June 7, 2000 -- Bulletin first created.

                  Special thanks to Stuart McClure of Foundstone, Inc. for bringing this issue to our attention.

                  Reporting Security Issues
                  Allaire is committed to addressing security issues and providing customers with the information
                  on how they can protect themselves. If you identify what you believe may be a security issue
                  with an Allaire product, please send an email to secure@allaire.com. We will work to
                  appropriately address and communicate the issue. 

                  Receiving Security Bulletins
                  When Allaire becomes aware of a security issue that we believe significantly affects our products
                  or customers, we will notify customers when appropriate. Typically this notification will be in the
                  form of a security bulletin explaining the issue and the response. Allaire customers who would
                  like to receive notification of new security bulletins when they are released can sign up for our
                  security notification service. 

                  For additional information on security issues at Allaire, please visit the Security Zone at:
                  http://www.allaire.com/security

                  THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF
                  ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
                  WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL
                  ALLAIRE CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING
                  DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
                  EVEN IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
                  DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
                  CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.