Serious security vulnerability affects Microsoft Access users with ColdFusion; see bulletin ASB99-09.
Date: Tue, 1 Jun 1999 11:45:35 -0700
From: [email protected]
To: [email protected]
Subject: New Allaire Security Bulletin (ASB99-09)
Dear Allaire Customer --
We have recently become aware of a serious security vulnerability that may affect
customers using Microsoft Access with ColdFusion. This issue is not a problem with
ColdFusion, but can occur when using some versions of the Microsoft Access ODBC driver.
We have created a new Allaire Security Bulletin that documents this issue and the steps
that customers can take to protect themselves. If you are using Microsoft Access with
your Web applications we strongly recommend that you review this new bulletin:
ASB99-09: Solutions to Issues that Allow Users to Execute Commands through
Microsoft Access
You can find this new bulletin and information about other security issues in the
Allaire Security Zone:
http://www.allaire.com/security
As a Web application platform vendor, one of our highest concerns is the security
of the systems our customers deploy. We understand how important security is to
our customers, and we're committed to providing the technology and information customers
need to build secure Web applications. Allaire has set up an email address that customers
can use to report security issues associated with an Allaire product: [email protected].
Thank you for your time and consideration on this issue.
-- Allaire Security Response Team
----------------------------------------------------------------------------------------
<http://www.allaire.com/handlers/index.cfm?ID=11069&Method=Full>
Allaire Security Bulletin (ASB99-09)
Solutions to Issues that Allow Users to Execute Commands through Microsoft Access
Originally Posted: June 1, 1999
Last Updated: June 1, 1999
Summary
Some Microsoft ODBC drivers for Microsoft Access may allow users to execute Visual Basic
for Applications (VBA) commands on the hosting server without permission. URL, form and
cookie variables used in a dynamic query in many development environments (e.g. ColdFusion, ASP,
CGI, etc.) can be used to exploit this hole by appending malicious VBA statements to existing
queries. This problem can be easily fixed by upgrading to the Microsoft ODBC driver for Access
included in MDAC 2.1 sp1a, available from Microsoft. In general, Allaire recommends that
customers use proper coding methods for validating dynamic query variables passed on URL
strings, http forms or cookies. This is not a security issue with ColdFusion itself. However,
ColdFusion customers using Access are vulnerable to this issue. (This issue is similar to the
vulnerabilities documented in ASB99-04, which are associated with appending malicious SQL
statements to query strings sent to some enterprise databases.)
Issue
In a Web application there are often circumstances where queries are built dynamically using
variables that are passed on URLs or in forms. Some versions of the Microsoft Access ODBC
driver support the ability to append VBA commands to a SQL string. As a result, a malicious
attack could be made by using URL, form or cookie variables to send VBA commands through a
query. These VBA commands could potentially be used to damage the server or to gain
unauthorized access to information and systems. (The potential for a similar problem using SQL
statements and some enterprise databases was documented in ASB99-04.)
Some versions of the Microsoft Access ODBC driver allow for appending VBA commands to a
SQL string. The VBA commands are appended by using the pipe character, or Chr(124), which
is treated as a reserved character by the Access ODBC driver. See the following MS
Knowledge Base article for details:
http://support.microsoft.com/support/kb/articles/q147/6/87.asp
This reserved character allows users to modify a URL, form or cookie variable to execute VBA
commands against the Web server using the ODBC driver. The following string is an example
of one that can be used to initiate an attack by writing a file to the web server's hard drive:
'|shell("cmd /c 1 > c:\temp\foo.txt")|'
This string could be passed to an application using a URL variable, so the page could be called
as follows:
http://myserver/page.cfm?x='|shell("cmd /c 1 > c:\temp\foo.txt")|'
This code, when executed as part of the following dynamically created query, will cause a file to
be created at the location c:\temp\foo.txt.
<CFQUERY name="getUsers2" DATASOURCE="test1">
SELECT *
FROM USERS
WHERE lname = '#URL.X#'
</CFQUERY>
This code could also be vulnerable when processing form input from a template using a form
variable called 'X'. Please note that you should always validate user-initiated input, including
URL, form, and cookie variables.
Affected Software Versions
ColdFusion Server (all versions and editions) running with Microsoft Access through
ODBC
What Allaire is Doing
This issue is not a problem with ColdFusion, but can occur when using Microsoft Access with
some versions of the Access ODBC driver, so it can affect ColdFusion applications that use
Access. To respond to this issue, Allaire has published
an Allaire Security Bulletin (ASB99-09) notifying customers of the problem and remedies that
can be used to address it. We have sent a notification of the bulletin to customers who have
subscribed to Allaire Security Notifications.
What Customers Should Do
This issue appears to be fixed by the installation of the Microsoft Access ODBC driver included
with MDAC 2.1 sp1a. We strongly recommend that customers install this ODBC driver. It
should not adversely affect the functionality of ColdFusion applications using Access. This
MDAC can be downloaded from the Microsoft site:
http://download.microsoft.com/msdownload/mdac/sp1a/x86/en/mdac_typ.exe
In addition, Allaire recommends that customers write their code to validate variables that are
passed into SQL statements, configure their database security properly, and use standard
database application development practices such as stored procedures where appropriate to
protect themselves. These are general requirements of production applications regardless of the
development platform.
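The validation the bulletin recommends for URL, form and cookie variables, and a way to look for the pipe-delimited (Chr(124)) pattern in web server logs, as an added example that is not Allaire's code. It assumes the bulletin's `lname` / `URL.X` query and a constructed W3C-style log layout; the helper names are hypothetical.

```python
"""Added example (not Allaire's code): defensive checks for the ASB99-09 pattern.
The Access ODBC driver treats the pipe character Chr(124) as a reserved delimiter, so a
value like '|shell("...")|' must never reach a dynamically built SQL string. Shown: an
allow-list validator for the bulletin's URL.X / lname value, and a scan of constructed
W3C-style web log lines that flags requests carrying pipe-delimited segments."""
import re
from urllib.parse import parse_qs, unquote_plus

# Text enclosed by a pair of pipes, e.g. |shell("...")|, checked after URL decoding.
PIPE_SEGMENT = re.compile(r"\|[^|]+\|")
# Allow-list for a surname: letters, spaces, hyphens; no quotes or pipes; bounded length.
LNAME_OK = re.compile(r"[A-Za-z][A-Za-z \-]{0,63}")

def is_safe_lname(raw: str) -> bool:
    """True only if the URL-encoded value may be compared against the lname column."""
    return LNAME_OK.fullmatch(unquote_plus(raw)) is not None

def flagged_params(query: str) -> dict:
    """Map parameter name -> decoded value for each value containing a pipe segment."""
    hits = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote_plus(value)  # second decode catches %257C (double-encoded '|')
            if PIPE_SEGMENT.search(decoded):
                hits[name] = decoded
    return hits

def scan_log(lines: list) -> list:
    """Fields (constructed layout): date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
    Returns (client_ip, stem, flagged params) for every request that warrants review."""
    findings = []
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue
        _date, _time, ip, _method, stem, query, _status = line.split()
        hits = flagged_params("" if query == "-" else query)
        if hits:
            findings.append((ip, stem, hits))
    return findings

# Constructed sample log: one benign lookup, one request shaped like the bulletin's example URL.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "1999-06-01 11:45:35 10.0.0.5 GET /page.cfm x=Smith 200",
    "1999-06-01 11:46:02 10.0.0.9 GET /page.cfm "
    "x=%27%7Cshell(%22cmd%20/c%201%20%3E%20c:%5Ctemp%5Cfoo.txt%22)%7C%27 200",
]
```

Names containing an apostrophe are rejected by the allow-list here; an application that must accept them should bind the value as a query parameter rather than splice it into the SQL string.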
There are many ways to address the issues raised by the risk of malicious SQL statements being
inserted into dynamic queries. The Allaire Technical Brief - Securing Databases for ColdFusion
Applications, details some of the steps you can take to secure your databases.
It is important to note that each individual application may require its own particular steps in
both coding and database configuration in order to be fully secured. Some of the techniques
for securing database applications built with ColdFusion are detailed in the Allaire Technical Brief
- Securing Databases for ColdFusion Applications.
Revisions
June 1, 1999 -- Bulletin first released.
Reporting Security Issues
Allaire is committed to addressing security issues and providing customers with the information
on how they can protect themselves. If you identify what you believe may be a security issue
with an Allaire product, please send an email to [email protected]. We will work to
appropriately address and communicate the issue.
Receiving Security Bulletins
When Allaire becomes aware of a security issue that we believe significantly affects our products
or customers, we will notify customers when appropriate. Typically this notification will be in the
form of a security bulletin explaining the issue and the response. Allaire customers who would
like to receive notification of new security bulletins when they are released can sign up for our
security notification service.
For additional information on security issues at Allaire, please visit:
http://www.allaire.com/security
THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ALLAIRE CORPORATION
OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT,
INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED
OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE
EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL
DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.