ms.odbc.coldfusion.txt

`Date: Tue, 1 Jun 1999 11:45:35 -0700  
From: [email protected]  
To: [email protected]  
Subject: New Allaire Security Bulletin (ASB99-09)  
  
Dear Allaire Customer --  
  
We have recently become aware of a serious security vulnerability that may affect  
customers using Microsoft Access with ColdFusion. This issue is not a problem with  
ColdFusion, but can occur when using some versions of the Microsoft Access ODBC driver.  
  
We have created a new Allaire Security Bulletin that documents this issue and the steps  
that customers can take to protect themselves. If you are using Microsoft Access with  
your Web applications we strongly recommend that you review this new bulletin:  
  
ASB99-09: Solutions to Issues that Allow Users to Execute Commands through  
Microsoft Access  
  
You can find this new bulletin and information about other security issues in the  
Allaire Security Zone:  
  
http://www.allaire.com/security  
  
As a Web application platform vendor, one of our highest concerns is the security  
of the systems our customers deploy. We understand how important security is to  
our customers, and we're committed to providing the technology and information customers  
need to build secure Web applications. Allaire has set up an email address that customers  
can use to report security issues associated with an Allaire product: [email protected].  
  
Thank you for your time and consideration on this issue.  
  
-- Allaire Security Response Team  
  
----------------------------------------------------------------------------------------  
  
<http://www.allaire.com/handlers/index.cfm?ID=11069&Method=Full>  
  
Allaire Security Bulletin (ASB99-09)  
  
Solutions to Issues that Allow Users to Execute Commands through Microsoft Access   
  
Originally Posted: June 1, 1999   
Last Updated: June 1, 1999   
  
Summary   
Some Microsoft ODBC drivers for Microsoft Access may allow users to execute Visual Basic  
for Applications (VBA) commands on the hosted server without permission. URL, form and  
cookie variables in a dynamic query in many development environments (e.g. ColdFusion, ASP,  
CGI, etc.) can be used to exploit this hole appending malicious VBA statements to existing  
queries. This problem can be easily fixed by upgrading to the Microsoft ODBC driver for Access  
included in MDAC 2.1 sp1a, available from Microsoft. In general, Allaire recommends that  
customers use proper coding methods for validating dynamic query variables passed on URL  
strings, http forms or cookies. This is not a security issue with ColdFusion itself. However,  
ColdFusion customers using Access are vulnerable to this issue. (This issue is similar to the  
vulnerabilities documented in ASB99-04, which are associated with appending malicious SQL  
statements to query strings sent to some enterprise databases.)   
  
Issue   
In a Web application there are often circumstances where queries are built dynamically using  
variables that are passed on URLs or in forms. Some versions of the Microsoft Access ODBC  
driver support the ability to append VBA commands to a SQL string. As a result, a malicious  
attack could be made by using URL, form or cookie variables to send VBA commands through a  
query. These VBA commands could potentially be used to damage the server or to gain  
unauthorized access to information and systems. (The potential for a similar problem using SQL  
statements and some enterprise database was documented in ASB99-04).   
  
Some versions of the Microsoft Access ODBC driver allow for appending VBA commands to a  
SQL string. The VBA commands are appended by using the pipe character, or Chr(124), which  
is treated as a reserved character by the Access ODBC driver. See the following MS  
Knowledge Base article for details:   
http://support.microsoft.com/support/kb/articles/q147/6/87.asp   
  
This reserved character allows users to modify a URL, form or cookie variable to execute VBA  
commands against the Web server using the ODBC driver. The following string is an example  
of one that can be used to initiate an attack by writing a file to the web server’s hard drive:   
  
'|shell("cmd /c 1 > c:\temp\foo.txt")|'  
  
This string could be passed to an application using a URL variable, so the page could be called  
as follows:   
  
http://myserver/page.cfm?x='|shell("cmd /c 1 > c:\temp\foo.txt")|'  
  
This code, when executed as part of the following dynamically created query, will cause a file to  
be created at the location c:\temp\foo.txt.   
  
<CFQUERY name="getUsers2" DATASOURCE="test1">  
SELECT *   
FROM USERS  
WHERE lname = '#URL.X#'  
</CFQUERY>  
  
This code could also be vulnerable when processing form input from a template using a form  
variable called 'X'. Please note that you should always validate user-initiated input, including  
URL, form, and cookie variables.   
  
Affected Software Versions   
  
ColdFusion Server (all versions and editions) running with Microsoft Access through  
ODBC   
  
What Allaire is Doing   
This issue is not a problem with ColdFusion, but can occur when using Microsoft Access and  
some versions for the Access ODBC driver. It is not a problem with ColdFusion, but it can  
affect ColdFusion applications that use Access. To respond to this issue, Allaire has published  
an Allaire Security Bulletin (ASB99-09) notifying customers of the problem and remedies that  
can be used to address it. We have sent a notification of the bulletin to customers who have  
subscribed to Allaire Security Notifications.   
  
What Customers Should Do   
This issue appears to be fixed by the installation of the Microsoft Access ODBC driver included  
with MDAC 2.1 sp1a. We strongly recommend that customers install this ODBC driver. It  
should not adversely affect the functionality of ColdFusion applications using Access. This  
MDAC can be downloaded from the Microsoft site:   
  
http://download.microsoft.com/msdownload/mdac/sp1a/x86/en/mdac_typ.exe   
  
In addition, Allaire recommends that customers write their code to validate variables that are  
passed into SQL statements, configure their database security properly, and use standard  
database application development practices such as stored procedures where appropriate to  
protect themselves. These are general requirements of production applications regardless of the  
development platform.   
  
There are many ways to address the issues raised by the risk of malicious SQL statements being  
inserted into dynamic queries. The Allaire Technical Brief – Securing Databases for ColdFusion  
Applications, details some of the steps you can take to secure your databases.   
  
It is important to note that each individual application may require its own particular steps in  
both coding and database configuration in order to be fully secured. Some of the techniques  
for securing database applications built with ColdFusion are detailed in the Allaire Technical Brief  
- Securing Databases for ColdFusion Applications.   
  
Revisions   
June 1, 1999 -- Bulletin first released.   
  
Reporting Security Issues   
Allaire is committed to addressing security issues and providing customers with the information  
on how they can protect themselves. If you identify what you believe may be a security issue  
with an Allaire product, please send an email to [email protected]. We will work to  
appropriately address and communicate the issue.   
  
Receiving Security Bulletins   
When Allaire becomes aware of a security issue that we believe significantly affects our products  
or customers, we will notify customers when appropriate. Typically this notification will be in the  
form of a security bulletin explaining the issue and the response. Allaire customers who would  
like to receive notification of new security bulletins when they are released can sign up for our  
security notification service.   
  
For additional information on security issues at Allaire, please visit:  
http://www.allaire.com/security   
  
THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS"  
WITHOUT WARRANTY OF ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER  
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND  
FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ALLAIRE CORPORATION  
OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT,  
INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL  
DAMAGES, EVEN IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED  
OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE  
EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL  
DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.   
`