6862484 2001-08-07 11:03 -0400  /138 lines/ ISS XForce <xforce@iss.net>
Sent by: joel@lysator.liu.se
Imported: 2001-08-07  18:47  by Brevbäraren
External recipient: 'bugtraq@securityfocus.com' <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <18658>
Subject: ISS Security Advisory: Remote Vulnerabilities in Macromedia ColdFusion Example Applications
------------------------------------------------------------
From: ISS XForce <xforce@iss.net>
To: "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
Message-ID: <DF3CC311E898D311A3670008C709BD23064F53D2@msgatl01.iss.net>

Internet Security Systems Security Advisory
August 7, 2001

Remote Vulnerabilities in Macromedia ColdFusion Example Applications

Synopsis:

Internet Security Systems (ISS) X-Force has discovered multiple
remote vulnerabilities in Macromedia ColdFusion.  ColdFusion is an
enterprise application used to develop, maintain, administer, and
deliver Web sites on the Internet.  The vulnerabilities may allow
remote attackers to execute arbitrary commands as a privileged user
on a vulnerable ColdFusion installation.

Affected Products and Releases:

ColdFusion Server for Windows 4.x
ColdFusion Server for Solaris 4.x
ColdFusion Server for HP-UX 4.x
ColdFusion Server for Linux 4.x

ColdFusion Server 5.0 is not vulnerable

Description:

Macromedia ColdFusion ships with several small "helper" applications
that are meant to educate users on a small subset of ColdFusion's
features.  These applications are not installed by default, and
Macromedia has documented and continues to recommend that production
ColdFusion servers should not have the example applications installed.

ColdFusion ships with two vulnerable "Exampleapps".  These
applications may be queried via a normal Web browser.  Both of these
example applications employ a rudimentary security mechanism to
attempt to block all access except from the ColdFusion server itself.
It is possible for remote attackers to spoof the source of the query
and bypass this restriction.

Both vulnerable scripts behave like CGI (Common Gateway Interface)
applications.  It is possible for the attacker to interact with the
example applications to create files, view files, or execute commands
on the vulnerable target.

Recommendations:

Macromedia will not release a patch to address the vulnerabilities
described in this advisory.  Macromedia recommends that customers do
not install example applications or documentation on production
ColdFusion servers.  Example applications are stored in the
/CFDOCS/exampleapps directory.

Macromedia recommends that the entire /CFDOCS directory tree be removed
from production servers and only installed on development
installations that are not exposed to potentially hostile
networks.
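Added example, not part of the ISS advisory: a small Python check run over constructed web-server access-log lines to tell whether the /CFDOCS/exampleapps tree is installed and being served on a production host, which is the condition the recommendation above removes. The log lines and the script names under /CFDOCS/exampleapps/ are placeholders constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access log (Common Log Format); the .cfm names under
# /CFDOCS/exampleapps/ are placeholders, not scripts named by the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Aug/2001:11:03:00 -0400] "GET /index.cfm HTTP/1.0" 200 1532
10.0.0.9 - - [07/Aug/2001:11:04:12 -0400] "GET /CFDOCS/exampleapps/placeholder.cfm?x=1 HTTP/1.0" 200 88
10.0.0.9 - - [07/Aug/2001:11:04:13 -0400] "POST /cfdocs/ExampleApps/placeholder2.cfm HTTP/1.0" 500 0
10.0.0.7 - - [07/Aug/2001:11:05:40 -0400] "GET /CFDOCS/index.htm HTTP/1.0" 404 210
not a log line
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_clf(line: str) -> Optional[Dict[str, str]]:
    """Parse one Common Log Format line; return None for lines that do not match."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None

def classify_path(target: str) -> Optional[str]:
    """'exampleapps' for the vulnerable example-application tree, 'cfdocs' for
    anything else under /CFDOCS, None otherwise. Case-insensitive because the
    Windows builds serve the tree from a case-insensitive file system."""
    path = target.split("?", 1)[0].lower()
    if path.startswith("/cfdocs/exampleapps/"):
        return "exampleapps"
    if path.startswith("/cfdocs/"):
        return "cfdocs"
    return None

def find_cfdocs_requests(log_text: str) -> List[Dict[str, str]]:
    """Return every parsed request that touched the /CFDOCS tree, tagged with its category."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        category = classify_path(rec["target"])
        if category:
            rec["path"] = rec["target"].split("?", 1)[0]
            rec["category"] = category
            hits.append(rec)
    return hits

def example_apps_reachable(hits: List[Dict[str, str]]) -> bool:
    """True when an example-app request got a non-error answer, i.e. the tree is
    installed and served. The advisory says the apps' own source check can be
    spoofed, so the fix is removing /CFDOCS, not filtering on client address."""
    return any(h["category"] == "exampleapps" and int(h["status"]) < 400 for h in hits)
```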

All ColdFusion customers should familiarize themselves with the
ColdFusion "Best Security Practices" document available at the
following address:
 
http://www.allaire.com/Handlers/index.cfm?ID=16258&Method=Full

ISS X-Force will provide detection and assessment support for these
vulnerabilities in upcoming X-Press Updates for RealSecure Network
Sensor and Internet Scanner.

Additional Information:

Allaire/Macromedia Security Zone:

http://www.allaire.com/security

Macromedia Security Bulletin, "ColdFusion Example Applications
Potentially Expose Server":

http://www.allaire.com/developer/securityzone/securitybulletins.cfm

The Common Vulnerabilities and Exposures (CVE) project has assigned
the Name CAN-2001-0535 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

ISS Consulting can offer security assessments and penetration testing
for your organization. ISS Managed Security Services can also provide
automated scanning and 24x7 IDS monitoring for these security issues.
ISS SecureU offers educational courses on ISS products and detailed
ethical hacking classes on these and other security issues.

Credits:

This vulnerability was discovered and researched by Mark Dowd of ISS
X-Force. ISS would like to thank Macromedia for their response and
handling of this vulnerability.

______

About Internet Security Systems (ISS) Internet Security Systems is a
leading global provider of security management solutions for the
Internet, protecting digital assets and ensuring safe and
uninterrupted e-business. With its industry-leading intrusion
detection and vulnerability assessment, remote managed security
services, and strategic consulting and education offerings, ISS is a
trusted security provider to more than 8,000 customers worldwide
including 21 of the 25 largest U.S. commercial banks and the top 10
U.S.  telecommunications companies. Founded in 1994, ISS is
headquartered in Atlanta, GA, with additional offices throughout
North America and international operations in Asia, Australia,
Europe, Latin America and the Middle East. For more information,
visit the Internet Security Systems web site at www.iss.net or call
888-901-7477.

Copyright (c) 2001 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part
of this Alert in any other medium excluding electronic medium, please
e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS
condition.  There are NO warranties with regard to this
information. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of
this information. Any use of this information is at the user's own
risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.