Vulnerability

ColdFusion

Affected

ColdFusion Web Application Server (Windows NT, Solaris, HP-UX) up through and including 4.5.1.

Description

The following is based on the Security Advisory by Allaire's ColdFusion. A denial of service vulnerability exists within the Allaire ColdFusion web application server which allows an attacker to overwhelm the web server and deny legitimate web page requests. The problem lies within the ColdFusion mechanism that manages the parsing of passwords within authentication requests, and it makes the ColdFusion Administrator login page vulnerable to a denial of service attack. The denial of service occurs while the input password and the stored password are being converted into forms suitable for comparison, when the input password is very large (>40,000 characters).

For proof of concept, use the well-known HTML tag field overflow technique to overflow the HTML password field on the Administrator login page:

http://vulnerable.server.here/cfide/administrator/index.cfm

The attacker simply changes the field size and POST action in the HTML tags on the page to allow a large string (over 40,000 characters) to be submitted to the ColdFusion server. Small input strings may not immediately crash the system, but large enough strings will bring the system to a halt.

Solution

Allaire provides the following workaround: customers should back up all existing data and implement the recommendations made in the article 'Securing the ColdFusion Administrator (10954)'. This should resolve the issue. The article can be found at

http://www.allaire.com/Handlers/index.cfm?ID=10954&Method=Full

A fix is expected in the future release of ColdFusion 4.6 (Q4 2000).
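
Because the condition described above depends on a password of more than 40,000 characters reaching the Administrator login page, the request size recorded by the web server is a usable detection signal. The following is an added example, not part of Allaire's advisory: it scans W3C extended format logs for POSTs to the Administrator path whose cs-bytes value exceeds a threshold. The 4096-byte threshold, the assumption that cs-bytes logging is enabled, and the sample log lines are constructed for illustration.

```python
"""Flag oversized POSTs to the ColdFusion Administrator login in W3C extended logs."""

ADMIN_PREFIX = "/cfide/administrator/"  # path named in the advisory
MAX_LOGIN_BYTES = 4096                  # assumed ceiling for a legitimate login POST

# Constructed sample log; client addresses are from documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-bytes
2000-07-20 10:01:12 192.0.2.10 GET /cfide/administrator/index.cfm 200 312
2000-07-20 10:01:30 192.0.2.10 POST /cfide/administrator/index.cfm 200 401
2000-07-20 10:02:05 198.51.100.7 POST /CFIDE/Administrator/index.cfm 200 40512
2000-07-20 10:02:06 198.51.100.7 POST /cfide/administrator/index.cfm 500 81233
2000-07-20 10:03:00 203.0.113.5 POST /app/upload.cfm 200 90211
2000-07-20 10:03:01 203.0.113.5 POST /cfide/administrator/index.cfm 200 -
"""


def find_oversized_logins(log_text, max_bytes=MAX_LOGIN_BYTES):
    """Return (date, time, client_ip, bytes) for each oversized admin login POST."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The directive names the columns and may change mid-file.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated record
        rec = dict(zip(fields, values))
        if rec.get("cs-method", "").upper() != "POST":
            continue
        # Paths are case-insensitive on Windows NT, so compare in lower case.
        if not rec.get("cs-uri-stem", "").lower().startswith(ADMIN_PREFIX):
            continue
        size = rec.get("cs-bytes", "-")
        if not size.isdigit():
            continue  # size not logged; this request cannot be judged
        if int(size) > max_bytes:
            hits.append((rec.get("date", "-"), rec.get("time", "-"),
                         rec.get("c-ip", "-"), int(size)))
    return hits


if __name__ == "__main__":
    for date, time, ip, size in find_oversized_logins(SAMPLE_LOG):
        print(f"{date} {time} {ip} sent {size} bytes to the Administrator login")
```

Records without a logged cs-bytes value are skipped rather than flagged, so the check is only as complete as the server's logging configuration.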