Vulnerability

    Cold Fusion

Affected

    Those using Cold Fusion

Description

    Mark Strother  posted following.   For those  of you  who run Cold
    Fusion especially  in a  web hosting  or similar  type environment
    you should check out the following Allaire security bulletin ASAP:

        http://www.allaire.com/handlers/index.cfm?ID=11714&Method=Full

    Here  is  a  brief  summary.   ColdFusion  Server includes several
    undocumented  CFML  tags  and  functions  that  are  used  in  the
    ColdFusion  Administrator.  As  a  result,  developers  who   have
    permission to  create Web  applications and  executable ColdFusion
    templates on a ColdFusion server can make use of the  undocumented
    functions  and  tags  to  potentially  gain unauthorized access to
    administrative settings including registry, database and  advanced
    security settings.

    This Security Bulletin  (ASB) was the  result of an  advisory Matt
    Chapman sent to Allaire earlier.

Solution

    As ASB99-10 points out,  no CFML language functions  are currently
    supported  4.0x  by  Server  Sandbox  Security, leaving the listed
    CFML tags as items needing  to be addressed immediately for  4.0x.
    Of  the  three  tags,  CFINTERNALDEBUG  is  relatively  benign and
    simply PCode's templates into PCode cache without executing  them.
    CFNEWINTERNALADMINSECURITY  is  of  use  if  Advanced  Security is
    configured and  enabled on  the server,  and is  a problem,  as is
    CFNEWINTERNALREGISTRY, which  applies to  both Basic  and Advanced
    Security.   Fix  team  is  committed  to  coming  up with a better
    solution to enable Administrative functionality for 4.5, but  they
    are  also  preparing  a  fix  for  4.0x  for affected customers to
    disable  these  tags  in  4.0x.    Also,  they  are  planning   to
    rename/document these tags and functions, and to expand the  scope
    of the services available as  part of the Server Sandbox  Security
    in the next release.