Indian Health Service: The Federal Health Program for American Indians and Alaska Natives
Computer Security: ColdFusion Security

Related categories: ColdFusion; Web Development Resources

Allaire: Securing the ColdFusion Administrator  - This information is intended to supplement the printed version of Administering ColdFusion Server, Chapter 9, "Configuring Advanced Security."   URL: http://www.allaire.com/documents/cf4/allaire_support/adminsecurity.cfm
Allaire: Security Zone  - The emergence of Web applications and "public" computing over the Internet creates new security challenges that IT managers and developers alike need to address. Allaire is committed to helping customers build secure systems through both functionality in our products and customer education. As such, we use the Security Zone to periodically publish security bulletins and technical briefs that provide information to customers about issues we believe are significant.   URL: http://www.allaire.com/developer/securityzone
CF (Cold Fusion) # 1  - By default, on Windows NT installations, the CF function GetTempDirectory may return C:\WINNT. The GetTempPath function resolves the temporary file path as follows: 1. the path specified by the TMP environment variable; 2. the path specified by the TEMP environment variable, if TMP is not defined; 3. the current directory, if neither TMP nor TEMP is defined.   URL: http://home.ntware.com/bugs/cf__cold_fusion___1.html
CF (Cold Fusion) # 2  - One of the sample applications installed with ColdFusion Server, the Expression Evaluator, exposes the ability to read and delete files on the server. A range of sample code and example applications are provided with ColdFusion Server to assist customers in learning and using the product. Among these is an application called the Expression Evaluator, which is installed in the //CFDOCS/expeval/ directory. The Expression Evaluator lets users process expressions such as 1 + 1 to see how ColdFusion expression evaluation works. Used normally, the application is restricted to access from the local machine based on the 127.0.0.1 IP address. However, some pages in the Expression Evaluator can be accessed directly, exposing the ability to read and delete files anywhere on the server where the evaluator is installed.   URL: http://home.ntware.com/bugs/cf__cold_fusion___2.html
CF (Cold Fusion) # 3  - ColdFusion Server 4.0 includes some example applications and sample code that expose security issues. There are basically three sets of security issues that have been identified with the example applications and sample code. First, one of the features of the example applications is a page that displays the source code of the examples in a browser. This page exposes the ability to view source code in other files on the server. Second, the sample code, sometimes referred to as "runnable code snippets," that is included as references in the electronic version of the CFML Language Reference exposes a number of security issues, including the ability to view files and directory information, make HTTP calls from a machine, and launch denial-of-service attacks. Third, the Syntax Checker, which is provided to verify that existing CFML code will run on version 4.0, can be used remotely to initiate a denial-of-service attack by fully occupying the ColdFusion service with unnecessary file processing.   URL: http://home.ntware.com/bugs/cf__cold_fusion___3.html
CF (Cold Fusion) # 4  - The following is based on an Allaire Security Bulletin. Microsoft IIS exposes the ability to use an NTFS attribute to read the source code of ASP, CFML, Perl and other files that are on a server. This is not a problem with ColdFusion Server itself, but it is an issue that can affect ColdFusion users (see IIS #21 for more info).   URL: http://home.ntware.com/bugs/cf__cold_fusion___4.html
CF (Cold Fusion) # 5  - The following is based on an Allaire Security Bulletin. Some databases, including Microsoft SQL Server and Sybase SQL Server, support the ability to send multiple SQL statements with each query. URL or form variables in a dynamic query in many development environments (e.g. ColdFusion, ASP, CGI, etc.) can, in some cases, be used to append malicious SQL statements to existing queries. Customers can protect themselves with proper coding techniques and database security configuration. This is not a security issue with ColdFusion itself. However, it is a feature of some popular database systems that ColdFusion customers should take measures to address in their applications.   URL: http://home.ntware.com/bugs/cf__cold_fusion___5.html
CF (Cold Fusion) # 6  - Cameron Childress found the following. The problem outlined below seems to affect all Allaire Forums 2.0.x versions. A file named GetFile.cfm is found in the root directory of Allaire Forums 2.0.x distributions. This file will allow anyone to access any file on servers running Forums. For example, the following URL string format can be used to call the server's boot.ini file:   URL: http://home.ntware.com/bugs/cf__cold_fusion___6.html
CF (Cold Fusion) # 7  - The following is based on an L0pht Security Advisory by Weld Pond. Although this vulnerability has been known for a while, L0pht thinks it is worse than originally thought. Users can upload and potentially execute files on the web server. Furthermore, few sites seem to have fixed the problem. Major commercial, government, and military sites have been found to still be vulnerable.   URL: http://home.ntware.com/bugs/cf__cold_fusion___7.html
CF (Cold Fusion) # 8  - According to the CF Team, pages encrypted with CFCRYPT.EXE can be illegally decrypted. Matt Chapman wrote a program that does this.   URL: http://home.ntware.com/bugs/cf__cold_fusion___8.html
CF (Cold Fusion) # 9  - ColdFusion Server includes several undocumented CFML tags and functions that are used in the ColdFusion Administrator. As a result, developers who have permission to create Web applications and executable ColdFusion templates on a ColdFusion server can make use of the undocumented functions and tags to potentially gain unauthorized access to administrative settings including registry, database and advanced security settings.   URL: http://home.ntware.com/bugs/cf__cold_fusion___9.html
CF (Cold Fusion) #10  - Using the expression evaluator, an attacker could back up the system logs for later comparison (upon attack) and modify them by uploading to the server and moving the files. The attacker could then proceed to back up the expression evaluator (exprcalc.cfm specifically), also for later modification. For other attacks, which will not be focused on here, an attacker could also call sendmail.cfm without any arguments to return a system date/time stamp as well as directory structures.   URL: http://home.ntware.com/bugs/cf__cold_fusion___10.html
Explore ColdFusion Server Advanced Security  - ColdFusion Server's Advanced Security feature permeates all levels of Web application development, from the highest level of application architecture to the lowest level of granular control. To build the most secure and stable Web applications possible, you must acquaint yourself with the ins and outs of Advanced Security.   URL: http://www.allaire.com/handlers/index.cfm?ID=17282&Method=Full
Security Resources  - Use the following resources to find additional information about security issues. Please note that these are non-Allaire sites and Allaire makes no warranty in connection with the services found on them.   URL: http://www.allaire.com/developer/securityzone/Resources.cfm

Secure Web App Development with ColdFusion 4.0 (PDF - 73.2K) - ColdFusion is a proven, highly secure environment for Web application development and deployment. As with any application development system, a thorough understanding of the security risks and how to address them is essential to ensure a secure application. This document explains the risks associated with ColdFusion application development (and web application development in general), and how ColdFusion developers can address these risks.   File: CF4SecurityBrief.pdf Author: Allaire Corporation
Securing Databases for ColdFusion Applications (DOC - 115.5K) - ColdFusion facilitates the delivery of dynamic database content to the Web in a very short time-frame. Many of the databases supporting this content were either created for the web by non-database developers, or created for non-web based systems and later converted. In either case, there are a number of security considerations that are often neglected and are very worthy of consideration when delivering database access via the Web. This paper offers some concrete advice on securing databases using ColdFusion.   File: CF4DatabaseSecurity.doc Author: Allaire Corporation
