> ASB99-10: Addressing Potential Security Issues with Undocumented CFML Tags and
> Functions Used in the ColdFusion Administrator

This Security Bulletin (ASB) was the result of an advisory I sent to Allaire earlier this week. Judging by the responses on various mailing lists, I know that this issue is very important to many people, particularly administrators of web hosting sites where people other than "trusted developers" do in fact have access to publish ColdFusion pages. Despite Allaire's "playing down" of this issue, it is true that any such user could theoretically use these tags to take complete control of a server.

I find it quite astonishing that this Bulletin applies to "all versions" of ColdFusion Server. Allaire is releasing an application, widely used in web hosting, with "Security" written on the back of the box. Their customers expect it to be secure, not just "secure" through obscurity; anyone more than a little curious could have seen these undocumented tags and functions in CFSERVER.EXE. The fact that all this time ColdFusion Administrator has been implemented via "back-door" tags, the login page being somewhat ornamental, casts doubt on Allaire's notion of security.

As an Open Source developer I would have rewritten my software overnight, if need be, to solve security issues. Yet Allaire has decided to sit tight and hope this passes. Despite their best efforts to copy Microsoft, in the style of security advisories and so on, I am afraid that (thanks to people like Paul Leach) Microsoft is far more responsive and responsible.

I will be releasing an unofficial fix in the near future. Allaire should follow my lead and release an official patch.

Matt
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:54:38 PDT