Allaire Security Bulletin (ASB00-16)
                  Microsoft: Patch Available for "Stored Procedure Permissions" Vulnerability

                  Originally Posted: July 17, 2000
                  Last Updated: July 17, 2000 

                  Summary

                  Microsoft has released a patch that eliminates a security vulnerability in Microsoft(r)
                  SQL Server 7.0. The vulnerability could allow a malicious user to run a database stored
                  procedure without proper permissions. This is not a problem with ColdFusion Server
                  itself, but it is an issue that can affect ColdFusion users. Allaire recommends that
                  customers follow the instructions posted on the Microsoft Web site to address this issue.

                  Issue

                  This issue is clearly explained in the Microsoft Security Bulletin:

                       Execute permission checks on stored procedures may be bypassed when a
                       stored procedure is referenced from a temporary stored procedure. This
                       omission would allow a malicious user to run a stored procedure that, by design,
                       he should not be able to access.

                       The vulnerability only occurs under a fairly restricted set of conditions:

                        - The database and stored procedure must be owned by the system
                       administrator (sa) login account.

                        - The malicious user must be able to authenticate to the SQL Server, and have
                       user access to the referenced database. 

                  Affected Software Versions

                       Microsoft SQL Server 7.0 

                  What Allaire is Doing

                  This is not an Allaire product. We are recommending that customers reference the
                  information at Microsoft's site to address this issue.

                  What Customers Should Do

                  There is a patch available to correct this problem. It is detailed in the following
                  Microsoft Security Bulletin (MS00-048):

                  http://www.microsoft.com/technet/security/bulletin/ms00-048.asp

                  Please note: this issue and patch may not be required for all users. Allaire
                  customers should review all material in the Microsoft Security Bulletin and
                  related documents carefully before applying the patch. As always, customers
                  should test patch changes in a testing environment before modifying
                  production servers.

                  Revisions
                  July 17, 2000 -- Bulletin first created.

                  Reporting Security Issues 
                  Allaire is committed to addressing security issues and providing customers with the
                  information on how they can protect themselves. If you identify what you believe may
                  be a security issue with an Allaire product, please send an email to secure@allaire.com.
                  We will work to appropriately address and communicate the issue. 

                  Receiving Security Bulletins 
                  When Allaire becomes aware of a security issue that we believe significantly affects
                  our products or customers, we will notify customers when appropriate. Typically this
                  notification will be in the form of a security bulletin explaining the issue and the
                  response. Allaire customers who would like to receive notification of new security
                  bulletins when they are released can sign up for our security notification service. 

                  For additional information on security issues at Allaire, please visit the Security Zone at:
                  http://www.allaire.com/security

                  THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY
                  KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
                  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ALLAIRE CORPORATION OR
                  ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
                  CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF ALLAIRE CORPORATION OR ITS
                  SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE
                  EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
                  LIMITATION MAY NOT APPLY. 

                  Allaire reserves the right, from time to time, to update the information in this document
                  with current information.