FW: ColdFusion Security Alert

From: securityzoneat_private
Date: Fri Apr 30 1999 - 14:00:00 PDT


    -----FW: <bulk.742.19990430160823at_private>-----
    
    Date: Friday, 30 Apr 1999 17:00:00 -0400
    From: securityzoneat_private
    To: SecurityZoneat_private
    Subject: ColdFusion Security Alert
    
    ***************************************************************
    ** Allaire respects the Web and the privacy of those who use
    ** it.  To avoid future messages from Allaire, send
    ** e-mail to securityzoneat_private with the subject: REMOVE
    ***************************************************************
    
    
    Dear ColdFusion Customer --
    
    I am writing to notify you of security vulnerabilities exposed by the example
    applications installed with ColdFusion Server documentation in versions 2.0 and
    higher. You may have already heard about these issues in one of the email
    communications that we sent when we first reported them to customers in
    February 1999, in the Allaire Security Zone (http://www.allaire.com/security).
    
    PROBLEM
    The example applications installed with the ColdFusion Server documentation
    expose vulnerabilities that include the ability to view, delete, and upload
    files. These issues affect example applications included in ColdFusion Server
    2.0 and higher.
    
    SOLUTION
    We strongly recommend you address these issues using one of the solutions below:
    
    1. Remove the documentation directory (CFDOCS) from the server (this will not
    affect functionality of the server). In general, we recommend that you do not
    install sample code, example applications, or documentation on servers
    accessible on the Internet.
    
    
    2. Install the ColdFusion Server 4.0.1 Update, available for download from the
    DevCenter (http://www.allaire.com/developer). (Note the 4.0.1 Update requires
    ColdFusion Server 4.0.)
    
    DETAILED INFORMATION
    More details on these issues and ColdFusion security in general are available
    in the Allaire Security Zone, http://www.allaire.com/security (see bulletins
    ASB99-01 and ASB99-02). We strongly recommend that you take a moment to visit
    the Security Zone to familiarize yourself with ColdFusion security issues.
    
    We first addressed these sample application issues in early February. We are
    contacting customers again because today we received reports of stepped up
    attacks exploiting these vulnerabilities, and we want to ensure that customers
    take steps to protect themselves. We apologize that you may have received this
    letter late on a Friday, but given the importance of this issue, we felt it was
    necessary to contact customers again today.
    
    Thank you again for choosing ColdFusion. We value your commitment and support.
    If you have additional questions please feel free to visit our site or email us
    at infoat_private
    
    Regards,
    Steve Clark
    Vice President of Marketing, Allaire
    
    --------------End of forwarded message-------------------------
    
    --
    Lars Eilebrecht
    larsat_private
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:44:38 PDT