ISS Security Advisory: Remote Vulnerabilities in Macromedia ColdFusion Example Applications

From: ISS XForce (xforceat_private)
Date: Tue Aug 07 2001 - 08:03:29 PDT


    Internet Security Systems Security Advisory
    August 7, 2001
    
    Remote Vulnerabilities in Macromedia ColdFusion Example Applications
    
    Synopsis:
    
    Internet Security Systems (ISS) X-Force has discovered multiple remote
    vulnerabilities in Macromedia ColdFusion.  ColdFusion is an enterprise
    application used to develop, maintain, administer, and deliver Web sites
    on the Internet.  The vulnerabilities may allow remote attackers to
    execute arbitrary commands as a privileged user on a vulnerable
    ColdFusion installation.
    
    Affected Products and Releases:
    
    ColdFusion Server for Windows 4.x
    ColdFusion Server for Solaris 4.x
    ColdFusion Server for HP-UX 4.x
    ColdFusion Server for Linux 4.x
    
    ColdFusion Server 5.0 is not vulnerable
    
    Description:
    
    Macromedia ColdFusion ships with several small "helper" applications
    that are meant to educate users on a small subset of ColdFusion's
    features.  These applications are not installed by default, and
    Macromedia has documented and continues to recommend that production
    ColdFusion servers should not have the example applications installed.
    
    ColdFusion ships with two vulnerable "Exampleapps".  These applications
    may be queried via a normal Web browser.  Both of these example
    applications employ a rudimentary security mechanism to attempt to block
    all access except from the ColdFusion server itself.  It is possible for
    remote attackers to spoof the source of the query and bypass this
    restriction.
    
    Both vulnerable scripts behave like CGI (Common Gateway Interface)
    applications.  It is possible for the attacker to interact with the
    example applications to create files, view files, or execute commands
    on the vulnerable target.
    
    Recommendations:
    
    Macromedia will not release a patch to address the vulnerabilities
    described in this advisory.  Macromedia recommends that customers do not
    install example applications or documentation on production ColdFusion
    servers.  Example applications are stored in the /CFDOCS/exampleapps
    directory.  
    
    Macromedia recommends that the entire /CFDOCS directory tree be removed
    from production servers and only installed on development installations
    that are not exposed to potentially hostile networks.
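    A defender-side check, added here and not part of the ISS advisory: scan Web-server access logs in Common Log Format for any request into the /CFDOCS tree, which the advisory says should not exist on production servers. The log lines, addresses and the page name are constructed for illustration.

```python
"""Flag access-log requests into ColdFusion's /CFDOCS tree.

Added example, not part of the ISS advisory. Assumes Common Log Format
(CLF) access logs; every sample line below is constructed.
"""
import re
from urllib.parse import unquote

# CLF: host ident user [time] "METHOD path HTTP/x" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The advisory places the example applications under /CFDOCS/exampleapps
# and recommends removing the whole /CFDOCS tree, so any request into it
# is worth flagging.
WATCH_PREFIX = "/cfdocs/"


def normalize_path(raw):
    """Drop the query string, URL-decode twice (catches double encoding),
    unify slashes and lower-case: ColdFusion on Windows serves paths
    case-insensitively, so the check must too."""
    path = unquote(unquote(raw.split("?", 1)[0]))
    path = re.sub(r"/+", "/", path.replace("\\", "/"))
    return path.lower()


def flag_cfdocs_requests(lines):
    """Return (host, status, normalized_path) for each request into /CFDOCS.
    Lines that are not valid CLF are skipped."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        path = normalize_path(m.group("path"))
        if path.startswith(WATCH_PREFIX):
            hits.append((m.group("host"), int(m.group("status")), path))
    return hits


# Constructed sample log lines (addresses from documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Aug/2001:08:03:29 -0700] "GET /index.cfm HTTP/1.0" 200 5123',
    '203.0.113.7 - - [07/Aug/2001:08:03:31 -0700] "GET /CFDOCS/exampleapps/ HTTP/1.0" 200 2048',
    '198.51.100.4 - - [07/Aug/2001:08:04:02 -0700] "GET /cfdocs/ExampleApps/page.cfm?id=1 HTTP/1.0" 404 311',
    '198.51.100.4 - - [07/Aug/2001:08:04:05 -0700] "GET /%43FDOCS/exampleapps/ HTTP/1.0" 200 1500',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for host, status, path in flag_cfdocs_requests(SAMPLE_LOG):
        print(f"{host} {status} {path}")
```

    A hit with status 200 means the server still serves something under /CFDOCS and the directory tree has not been removed as the advisory recommends; a 404 shows only that someone probed for it.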
    
    All ColdFusion customers should familiarize themselves with the
    ColdFusion "Best Security Practices" document available at the following
    address:
     
    http://www.allaire.com/Handlers/index.cfm?ID=16258&Method=Full
    
    ISS X-Force will provide detection and assessment support for these
    vulnerabilities in upcoming X-Press Updates for RealSecure Network
    Sensor and Internet Scanner.
    
    Additional Information:
    
    Allaire/Macromedia Security Zone:
    
    http://www.allaire.com/security
    
    Macromedia Security Bulletin, "ColdFusion Example Applications
    Potentially Expose Server":
    
    http://www.allaire.com/developer/securityzone/securitybulletins.cfm
    
    The Common Vulnerabilities and Exposures (CVE) project has assigned the
    name CAN-2001-0535 to this issue. This is a candidate for inclusion in
    the CVE list (http://cve.mitre.org), which standardizes names for
    security problems.
    
    ISS Consulting can offer security assessments and penetration testing
    for your organization. ISS Managed Security Services can also provide
    automated scanning and 24x7 IDS monitoring for these security issues.
    ISS SecureU offers educational courses on ISS products and detailed
    ethical hacking classes on these and other security issues.
    
    Credits:
    
    This vulnerability was discovered and researched by Mark Dowd of ISS
    X-Force. ISS would like to thank Macromedia for their response and
    handling of this vulnerability.
    
    ______
    
    About Internet Security Systems (ISS)
    Internet Security Systems is a leading global provider of security
    management solutions for the Internet, protecting digital assets and
    ensuring safe and uninterrupted e-business. With its industry-leading
    intrusion detection and vulnerability assessment, remote managed
    security services, and strategic consulting and education offerings, ISS
    is a trusted security provider to more than 8,000 customers worldwide
    including 21 of the 25 largest U.S. commercial banks and the top 10 U.S.
    telecommunications companies. Founded in 1994, ISS is headquartered in
    Atlanta, GA, with additional offices throughout North America and
    international operations in Asia, Australia, Europe, Latin America and
    the Middle East. For more information, visit the Internet Security
    Systems web site at www.iss.net or call 888-901-7477.
    
    Copyright (c) 2001 Internet Security Systems, Inc.
    
    Permission is hereby granted for the redistribution of this Alert
    electronically. It is not to be edited in any way without express
    consent of the X-Force. If you wish to reprint the whole or any part
    of this Alert in any other medium excluding electronic medium, please
    e-mail xforceat_private for permission.
    
    Disclaimer
    
    The information within this paper may change without notice. Use of
    this information constitutes acceptance for use in an AS IS condition.
    There are NO warranties with regard to this information. In no event
    shall the author be liable for any damages whatsoever arising out of or
    in connection with the use or spread of this information. Any use of
    this information is at the user's own risk.
    
    X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
    as well as on MIT's PGP key server and PGP.com's key server.
    
    Please send suggestions, updates, and comments to: X-Force
    xforceat_private of Internet Security Systems, Inc.
    