Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"

Security Advisory
Allaire's ColdFusion
-------------------------------------------------------------------------------------

FS Advisory ID:       FS-060700-1-CFM
Release Date:         June 7, 2000
Product:              ColdFusion Web Application Server
Vendor:               Allaire Corporation (http://www.allaire.com)
Vendor Advisory:      http://www.allaire.com/security
Type:                 Denial of service attack
Severity:             Medium to High
Author:               Stuart McClure (stuart.mcclure@foundstone.com)
                      Foundstone, Inc. (http://www.foundstone.com)
Operating Systems:    Windows NT, Solaris, HP-UX
Vulnerable versions:  All ColdFusion versions up through and including 4.5.1.
Foundstone advisory:  http://www.foundstone.com
-------------------------------------------------------------------------------------

Description

A denial of service vulnerability exists within the Allaire ColdFusion web
application server which allows an attacker to overwhelm the web server and
deny legitimate web page requests.

Details

The problem lies within the ColdFusion mechanism that manages the parsing of
passwords within authentication requests. This problem makes the ColdFusion
Administrator login page vulnerable to a denial of service attack. The denial
of service occurs during the process of converting the input password and the
stored password into forms suitable for comparison when the input password is
very large (more than 40,000 characters).

Proof of Concept

Use the well-known HTML tag field overflow technique to overflow the HTML
password field on the Administrator login page:

    http://vulnerable.server.here/cfide/administrator/index.cfm

The attacker simply changes the field size and POST action in the HTML tags on
the page to allow a large string (over 40,000 characters) to be submitted to
the ColdFusion server. Small input strings may not immediately crash the
system, but large enough strings will bring the system to a halt.
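The request described above is easy to spot after the fact: a POST to the Administrator login page whose body is tens of kilobytes long is never a legitimate login. The following Python is an added example (not part of the Foundstone advisory or of any Allaire code) that scans an IIS W3C extended log for POSTs under /cfide/administrator/ whose client-request size exceeds the 40,000-character threshold the advisory gives. The log lines are constructed for illustration, and the check assumes the cs-bytes field is enabled in the log configuration; cs-bytes counts the whole request including headers, so the cut-off is a practical approximation rather than an exact measure of the password field.

```python
"""Flag oversized POSTs to the ColdFusion Administrator in an IIS W3C extended log.

Added example, not part of the Foundstone advisory. Assumptions: the server is
IIS logging in W3C extended format with the cs-bytes field enabled, and the
sample log below is constructed for illustration. The target path and the
40,000-character threshold come from the advisory text.
"""

from dataclasses import dataclass
from typing import Dict, Iterator, List

# Constructed sample log; the 192.0.2.77 entries model the oversized POSTs.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2000-06-07 14:02:11
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-bytes sc-bytes
2000-06-07 14:02:11 10.1.1.20 GET /index.cfm - 200 312 4821
2000-06-07 14:02:15 10.1.1.20 GET /cfide/administrator/index.cfm - 200 298 6144
2000-06-07 14:02:20 10.1.1.20 POST /cfide/administrator/index.cfm - 200 455 6300
2000-06-07 14:03:02 192.0.2.77 POST /cfide/administrator/index.cfm - 500 41237 512
2000-06-07 14:03:05 192.0.2.77 POST /CFIDE/Administrator/index.cfm - 500 65102 0
2000-06-07 14:03:09 10.1.1.30 POST /login.cfm - 302 61000 0
"""

ADMIN_PREFIX = "/cfide/administrator/"   # path from the advisory
MAX_REQUEST_BYTES = 40000                # threshold from the advisory


@dataclass
class Hit:
    time: str
    client: str
    uri: str
    request_bytes: int


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, using the most recent #Fields directive as the schema."""
    fields: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record: skip rather than misalign columns
        yield dict(zip(fields, values))


def oversized_admin_posts(text: str, threshold: int = MAX_REQUEST_BYTES) -> List[Hit]:
    """Return POSTs to the Administrator path whose client request exceeds threshold bytes."""
    hits: List[Hit] = []
    for rec in parse_w3c(text):
        if rec.get("cs-method", "").upper() != "POST":
            continue
        uri = rec.get("cs-uri-stem", "")
        if not uri.lower().startswith(ADMIN_PREFIX):   # IIS paths are case-insensitive
            continue
        try:
            size = int(rec.get("cs-bytes", ""))
        except ValueError:
            continue  # field missing or not numeric on this record
        if size > threshold:
            stamp = rec.get("date", "") + " " + rec.get("time", "")
            hits.append(Hit(stamp, rec.get("c-ip", ""), uri, size))
    return hits


if __name__ == "__main__":
    for h in oversized_admin_posts(SAMPLE_LOG):
        print(f"{h.time} {h.client} POST {h.uri} request={h.request_bytes} bytes")
```

The case-insensitive path match matters on Windows NT, where /CFIDE/Administrator/ and /cfide/administrator/ reach the same page; the /login.cfm entry is deliberately left unflagged because the advisory only establishes the Administrator login as affected.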
Solution

Workaround

Allaire provides the following workaround: Customers should back up all
existing data and implement the recommendations made in the article,
'Securing the ColdFusion Administrator (10954)'. This should resolve the
issue. The article can be found at

    http://www.allaire.com/Handlers/index.cfm?ID=10954&Method=Full

Fix

A fix is expected in the future release of ColdFusion 4.6 (Q4, 2000).

Credit

We would like to thank Allaire for their prompt and serious attention to the
problem.

Disclaimer

THE INFORMATION CONTAINED IN THIS ADVISORY IS THE COPYRIGHT (C) 2000 OF
FOUNDSTONE, INC. AND BELIEVED TO BE ACCURATE AT THE TIME OF PRINTING, BUT NO
REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR
COMPLETENESS. NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY
WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR DAMAGE ARISING IN
ANY WAY FROM ANY USE OF, OR RELIANCE PLACED ON, THIS INFORMATION FOR ANY
PURPOSE. THIS ADVISORY MAY BE REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED
AND THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.