Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"

Security Advisory: Allaire's ColdFusion
FS Advisory ID: FS-060700-1-CFM
Release Date: June 7, 2000
Product: ColdFusion Web Application Server
Vendor: Allaire Corporation (http://www.allaire.com)
Vendor Advisory: http://www.allaire.com/security
Type: Denial of service attack
Severity: Medium to High
Author: Stuart McClure (email@example.com) Foundstone, Inc. (http://www.foundstone.com)
Operating Systems: Windows NT, Solaris, HP-UX
Vulnerable versions: All ColdFusion versions up through and including 4.5.1.
A denial of service vulnerability exists in the Allaire ColdFusion web application server that allows an attacker to overwhelm the web server and deny legitimate web page requests.
The problem lies in the ColdFusion mechanism that parses passwords in authentication requests, and it makes the ColdFusion Administrator login page vulnerable to a denial of service attack. The denial of service occurs while the input password and the stored password are converted into forms suitable for comparison, when the input password is very large (more than 40,000 characters).
Proof of Concept

Use the well-known HTML tag field overflow technique to overflow the HTML password field on the Administrator login page:

http://vulnerable.server.here/cfide/administrator/index.cfm

The attacker simply changes the field size and POST action in the HTML tags on the page to allow a large string (over 40,000 characters) to be submitted to the ColdFusion server. Small input strings may not immediately crash the system, but large enough strings will bring the system to a halt.
Workaround

Allaire provides the following workaround: Customers should back up all existing data and implement the recommendations made in the article 'Securing the ColdFusion Administrator (10954)'. This should resolve the issue. The article can be found at
http://www.allaire.com/Handlers/index.cfm?ID=10954&Method=Full

Fix

A fix is expected in the future release of ColdFusion 4.6 (Q4, 2000).
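Added example, not part of the Foundstone advisory or of Allaire's workaround: a request screen, in Python, that a reverse proxy or request filter in front of the server could apply to bound the size of Administrator login submissions before ColdFusion spends effort on the password conversion described above. The login path comes from the advisory; the form-field name, the size limits and the sample requests are assumptions constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Path from the advisory; the field name and the two limits below are assumptions.
ADMIN_LOGIN_PATH = "/cfide/administrator/index.cfm"
MAX_BODY_CHARS = 4096        # assumed: a real login form is a few hundred characters
MAX_PASSWORD_CHARS = 256     # assumed: far below the 40,000-character trigger


def screen_admin_login(method, path, body, password_field="password"):
    """Decide whether a request to the Administrator login page may proceed.

    Returns (allowed, reason). The cheap size check runs before any parsing,
    so an oversized submission is refused without the server doing work on it.
    """
    if urlsplit(path).path.lower() != ADMIN_LOGIN_PATH:
        return True, "not the admin login page"
    if method.upper() != "POST":
        return True, "not a login submission"
    # 1. Bound the whole body first; its length is known before parsing.
    if len(body) > MAX_BODY_CHARS:
        return False, f"body of {len(body)} chars exceeds {MAX_BODY_CHARS}"
    # 2. Parse the form and bound the password field itself.
    fields = parse_qs(body, keep_blank_values=True)
    for value in fields.get(password_field, []):
        if len(value) > MAX_PASSWORD_CHARS:
            return False, f"password of {len(value)} chars exceeds {MAX_PASSWORD_CHARS}"
    return True, "within limits"


def scan_requests(requests):
    """Apply the screen to a batch; return (source, path, reason) for each rejection."""
    alerts = []
    for req in requests:
        allowed, reason = screen_admin_login(req["method"], req["path"], req["body"])
        if not allowed:
            alerts.append((req["src"], req["path"], reason))
    return alerts


# Constructed sample traffic (not captured data): a normal login, an oversized
# submission of the kind the advisory describes, one that passes the body bound
# but not the field bound, and an unrelated page view.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "method": "POST", "path": ADMIN_LOGIN_PATH,
     "body": "username=admin&password=correct-horse"},
    {"src": "10.0.0.9", "method": "POST", "path": ADMIN_LOGIN_PATH,
     "body": "username=admin&password=" + "A" * 45000},
    {"src": "10.0.0.8", "method": "POST", "path": ADMIN_LOGIN_PATH,
     "body": "username=admin&password=" + "B" * 1000},
    {"src": "10.0.0.7", "method": "GET", "path": "/index.cfm", "body": ""},
]

if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_REQUESTS):
        print("REJECTED", *alert)
```

Rejections can be logged as alerts, since a legitimate administrator never submits a password anywhere near these bounds.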
We would like to thank Allaire for their prompt and serious attention to the problem.
THE INFORMATION CONTAINED IN THIS ADVISORY IS THE COPYRIGHT (C) 2000 OF FOUNDSTONE, INC. AND BELIEVED TO BE ACCURATE AT THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED ON, THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY BE REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.