New Allaire ColdFusion DoS

2000-06-07T00:00:00
ID SECURITYVULNS:DOC:309
Type securityvulns
Reporter Securityvulns
Modified 2000-06-07T00:00:00

Description

                            Foundstone, Inc.
                       http://www.foundstone.com
                      "Securing the Dot Com World"

                           Security Advisory

                         Allaire's ColdFusion

----------------------------------------------------------------------------

FS Advisory ID: FS-060700-1-CFM

Release Date: June 7, 2000

Product: ColdFusion Web Application Server

Vendor: Allaire Corporation (http://www.allaire.com)

Vendor Advisory: http://www.allaire.com/security

Type: Denial of service attack

Severity: Medium to High

Author: Stuart McClure (stuart.mcclure@foundstone.com) Foundstone, Inc. (http://www.foundstone.com)

Operating Systems: Windows NT, Solaris, HP-UX

Vulnerable versions: All ColdFusion versions up through and including 4.5.1.

Foundstone advisory: http://www.foundstone.com


Description

    A denial of service vulnerability exists within the Allaire ColdFusion web application server which allows an attacker to overwhelm the web server and deny legitimate web page requests.

Details

    The problem lies within the ColdFusion mechanism that manages the parsing of passwords within authentication requests. This problem makes the ColdFusion Administrator login page vulnerable to a denial of service attack. The denial of service occurs during the process of converting the input password and the stored password into forms suitable for comparison when the input password is very large (>40,000 characters).

Proof of Concept

    Use the well-known HTML tag field overflow technique to overflow the HTML password field on the Administrator login page:

            http://vulnerable.server.here/cfide/administrator/index.cfm

    The attacker simply changes the field size and POST action in the HTML tags on the page to allow a large string (over 40,000 characters) to be submitted to the ColdFusion server. Small input strings may not immediately crash the system but large enough strings will bring the system to a halt.
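As an added example, not part of the Foundstone advisory or of Allaire's product code, the following Python shows the two controls a defender would want against the behaviour described in the Details and Proof of Concept sections: a length guard placed in front of the password comparison, so an oversized input never reaches the expensive conversion step, and a detection pass over web-server access log lines that flags POSTs to the Administrator login page carrying a request body far larger than a real login. The form field name `password`, the length and size thresholds, the log format (Apache common log format plus one trailing field for request-body bytes) and the log lines are all constructed assumptions; only the login page path comes from the advisory.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed ceiling for a legitimate password; not an Allaire/ColdFusion setting.
MAX_PASSWORD_LENGTH = 128
# Assumed request-body size above which a login POST is worth flagging.
SUSPICIOUS_BODY_BYTES = 8192
# Path of the Administrator login page as given in the advisory.
ADMIN_LOGIN_PATH = "/cfide/administrator/index.cfm"
# Assumed (hypothetical) name of the password form field.
PASSWORD_FIELD = "password"


def reject_oversized_password(form: dict) -> Tuple[bool, str]:
    """Length guard to run before any conversion or comparison of the password.

    Returns (accepted, reason). Checking raw length is cheap and happens
    before the processing the advisory describes, so an oversized input
    is dropped instead of being converted for comparison.
    """
    pw = form.get(PASSWORD_FIELD, "")
    if len(pw) > MAX_PASSWORD_LENGTH:
        return False, f"password length {len(pw)} exceeds {MAX_PASSWORD_LENGTH}"
    return True, "ok"


# Constructed log format: Apache common log format with one extra trailing
# field, the number of request-body bytes received ('-' when none).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) '
    r'(?P<sent>\d+|-) (?P<received>\d+|-)$'
)


@dataclass
class Finding:
    client: str
    ts: str
    path: str
    body_bytes: int


def find_oversized_admin_posts(lines: Iterable[str]) -> List[Finding]:
    """Flag POSTs to the Administrator login page whose body is oversized."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "POST" or m["received"] == "-":
            continue
        # Compared case-insensitively: the advisory lists Windows NT, where
        # the URL path is not case-sensitive.
        if not m["path"].lower().startswith(ADMIN_LOGIN_PATH):
            continue
        body = int(m["received"])
        if body > SUSPICIOUS_BODY_BYTES:
            findings.append(Finding(m["client"], m["ts"], m["path"], body))
    return findings


# Constructed sample log lines: a normal page load, a normal login attempt,
# one oversized login POST, and an oversized POST to an unrelated page.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Jun/2000:10:01:22 -0700] "GET /cfide/administrator/index.cfm HTTP/1.0" 200 4120 -',
    '10.0.0.5 - - [07/Jun/2000:10:01:40 -0700] "POST /cfide/administrator/index.cfm HTTP/1.0" 200 4120 57',
    '10.0.0.9 - - [07/Jun/2000:10:02:03 -0700] "POST /CFIDE/Administrator/index.cfm HTTP/1.0" 500 0 41260',
    '10.0.0.9 - - [07/Jun/2000:10:02:10 -0700] "POST /index.cfm HTTP/1.0" 200 900 41260',
]

if __name__ == "__main__":
    print(reject_oversized_password({PASSWORD_FIELD: "s3cret"}))
    print(reject_oversized_password({PASSWORD_FIELD: "A" * 40001}))
    for hit in find_oversized_admin_posts(SAMPLE_LOG):
        print(f"{hit.ts} {hit.client} POST {hit.path} body={hit.body_bytes} bytes")
```

The guard belongs as close to the request boundary as possible (a web-server request-size limit or a pre-authentication check), since the point of the advisory is that the cost is incurred inside the comparison routine; the log pass is the matching after-the-fact signal, and the body-size threshold should be tuned to what a legitimate login on the deployment actually sends.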

Solution

    Workaround

    Allaire provides the following workaround: Customers should back up all existing data and implement the recommendations made in the article, 'Securing the ColdFusion Administrator (10954)'. This should resolve the issue. The article can be found at

    http://www.allaire.com/Handlers/index.cfm?ID=10954&Method=Full

    Fix

    A fix is expected in the future release of ColdFusion 4.6 (Q4, 2000).

Credit

    We would like to thank Allaire for their prompt and serious attention to the problem.

Disclaimer

    THE INFORMATION CONTAINED IN THIS ADVISORY IS THE COPYRIGHT (C) 2000 OF FOUNDSTONE, INC. AND BELIEVED TO BE ACCURATE AT THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED ON, THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY BE REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.