[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Re: New Allaire Security Zone Bulletins and KB Article
From:       Matt Chapman <matthewc () CSE ! UNSW ! EDU ! AU>
Date:       1999-07-31 2:43:06
[Download RAW message or body]

> ASB99-10: Addressing Potential Security Issues with Undocumented CFML Tags and
> Functions Used in the ColdFusion Administrator

This Security Bulletin (ASB) was the result of an advisory I sent to
Allaire earlier this week.

Judging by the responses on various mailing lists, I know that this
issue is very important to many people - particularly administrators
of web hosting sites where people other than "trusted developers" do
in fact have access to publish ColdFusion pages. Despite Allaire
'playing down' this issue it is true that any such user could
theoretically use these tags to take complete control of a server.

I find it quite astonishing that this Bulletin applies to "all
versions" of ColdFusion server. Allaire is releasing an application,
widely used in Web hosting, with "Security" written on the back of the
box. Their customers expect it to be secure, not just "secure" through
obscurity - anyone more than a little curious could have seen these
undocumented tags and functions in CFSERVER.EXE. The fact that all
of this time ColdFusion Administrator has been implemented via
"back-door" tags - the login page being somewhat ornamental - casts
doubt on Allaire's notion of security.

As an Open Source developer I would have rewritten my software
overnight, if need be, to solve security issues. Yet Allaire has
decided to sit tight and hope this passes. Despite their best efforts
to copy Microsoft, in the style of security advisories and so on, I am
afraid that (thanks to people like Paul Leach) Microsoft is far more
responsive and responsible.

I will be releasing an unofficial fix in the near future. Allaire
should follow my lead and release an official patch.

	Matt

[prev in list] [next in list] [prev in thread] [next in thread]