COMMAND

Macromedia ColdFusion Example Applications

SYSTEMS AFFECTED

Macromedia ColdFusion 4.x

PROBLEM

The following is based on an Internet Security Systems Security Advisory. ISS X-Force has discovered multiple remote vulnerabilities in Macromedia ColdFusion. ColdFusion is an enterprise application used to develop, maintain, administer, and deliver Web sites on the Internet. The vulnerabilities may allow remote attackers to execute arbitrary commands as a privileged user on a vulnerable ColdFusion installation.

Macromedia ColdFusion ships with several small "helper" applications that are meant to educate users on a small subset of ColdFusion's features. These applications are not installed by default, and Macromedia has documented and continues to recommend that production ColdFusion servers should not have the example applications installed.

ColdFusion ships with two vulnerable "Exampleapps". These applications may be queried via a normal Web browser. Both of these example applications employ a rudimentary security mechanism to attempt to block all access except from the ColdFusion server itself. It is possible for remote attackers to spoof the source of the query and bypass this restriction. Both vulnerable scripts behave like CGI (Common Gateway Interface) applications. It is possible for the attacker to interact with the example applications to create files, view files, or execute commands on the vulnerable target.

SOLUTION

ColdFusion Server 5.0 is not vulnerable. Macromedia will not release a patch to address the vulnerabilities described in this advisory. Macromedia recommends that customers do not install example applications or documentation on production ColdFusion servers. Example applications are stored in the /CFDOCS/exampleapps directory. Macromedia recommends that the entire /CFDOCS directory tree be removed from production servers and only installed on development installations that are not exposed to potentially hostile networks.

All ColdFusion customers should familiarize themselves with the ColdFusion "Best Security Practices" document available at the following address: http://www.allaire.com/Handlers/index.cfm?ID=16258&Method=Full
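The advisory's remediation is to remove the /CFDOCS tree from production servers, and the only path it names is /CFDOCS/exampleapps. The script below is an added example written for this page, not code from ISS X-Force or Macromedia. It does two defender-side things: audits a ColdFusion webroot for the /CFDOCS and /CFDOCS/exampleapps directories (and removes the tree on request, as the advisory recommends), and scans web-server access-log lines for requests that touched /CFDOCS so an operator can see whether the example applications were being probed before removal. The webroot layout, the Common Log Format parsing, and the sample log lines are assumptions or constructed data, not taken from the advisory.

```python
"""Audit and log-scan helper for the ColdFusion example-application advisory.

Added example, not part of the advisory. Assumes a ColdFusion webroot in which
the documentation tree lives at <webroot>/CFDOCS and the example applications
at <webroot>/CFDOCS/exampleapps, as the advisory describes.
"""
import os
import re
import shutil
import tempfile
from typing import Dict, Iterable, List, Tuple

# Directory names taken from the advisory. Note that on a case-sensitive
# filesystem (e.g. Linux/Solaris installs) the on-disk spelling matters.
CFDOCS_DIR = "CFDOCS"
EXAMPLEAPPS_DIR = os.path.join("CFDOCS", "exampleapps")

# Common Log Format (assumed log format):
#   host ident authuser [time] "METHOD path HTTP/x" status bytes
_CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# URL matching is case-insensitive: ColdFusion 4.x was commonly served by
# IIS on Windows, where /cfdocs and /CFDOCS reach the same directory.
_CFDOCS_PATH = re.compile(r'^/cfdocs(/|$)', re.IGNORECASE)


def audit_webroot(webroot: str) -> Dict[str, bool]:
    """Report whether the CFDOCS tree and the example applications are still present."""
    return {
        "cfdocs_present": os.path.isdir(os.path.join(webroot, CFDOCS_DIR)),
        "exampleapps_present": os.path.isdir(os.path.join(webroot, EXAMPLEAPPS_DIR)),
    }


def remove_cfdocs(webroot: str) -> bool:
    """Remove the entire CFDOCS tree, as the advisory recommends.

    Returns True if something was removed, False if the tree was already absent.
    """
    target = os.path.join(webroot, CFDOCS_DIR)
    if not os.path.isdir(target):
        return False
    shutil.rmtree(target)
    return True


def scan_access_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per request whose URL path falls under /CFDOCS."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = _CLF.match(line)
        if not m:
            continue  # not in Common Log Format; skip rather than guess
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if _CFDOCS_PATH.match(path):
            hits.append({
                "host": m.group("host"),
                "time": m.group("time"),
                "path": path,
                "status": m.group("status"),
            })
    return hits


def demo_audit() -> Tuple[Dict[str, bool], bool, Dict[str, bool]]:
    """Build a throwaway webroot that still ships CFDOCS/exampleapps, audit it,
    remove the tree, and audit again. Returns (before, removed, after)."""
    webroot = tempfile.mkdtemp(prefix="cf-webroot-")
    try:
        os.makedirs(os.path.join(webroot, EXAMPLEAPPS_DIR))
        before = audit_webroot(webroot)
        removed = remove_cfdocs(webroot)
        after = audit_webroot(webroot)
    finally:
        shutil.rmtree(webroot, ignore_errors=True)
    return before, removed, after


# Constructed sample access-log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2001:13:55:36 -0500] "GET /index.cfm HTTP/1.0" 200 2326',
    '192.0.2.10 - - [10/Oct/2001:13:55:40 -0500] "GET /CFDOCS/exampleapps/ HTTP/1.0" 200 512',
    '198.51.100.7 - - [10/Oct/2001:13:56:01 -0500] "GET /cfdocs/EXAMPLEAPPS/?id=1 HTTP/1.0" 404 210',
    '198.51.100.7 - - [10/Oct/2001:13:56:05 -0500] "POST /store/checkout.cfm HTTP/1.0" 302 0',
    'garbage line that is not in common log format',
]

if __name__ == "__main__":
    before, removed, after = demo_audit()
    print("before:", before, "removed:", removed, "after:", after)
    for hit in scan_access_log(SAMPLE_LOG):
        print("CFDOCS request:", hit)
```

Run it as a script to see the audit-remove-audit cycle on a temporary webroot and the two /CFDOCS requests picked out of the constructed log. Against a real server, point audit_webroot and remove_cfdocs at the actual ColdFusion webroot and feed scan_access_log the lines of the web server's access log; a 200 response on a /CFDOCS/exampleapps path is the signal that the example applications were reachable.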