Cold Fusion Vulnerabilities

Updated 11/21/02
CAN 1999-0455
CAN 1999-0477
CVE 1999-0756
CVE 1999-0922
CAN 1999-0923
CVE 1999-0924
CAN 2001-0535
CAN 2001-1120
CAN 2002-0879
CAN 2002-1309

Impact

Various vulnerabilities in the sample scripts included in Cold Fusion could be exploited to read arbitrary files, upload files, or create a denial of service.


Background

The Cold Fusion Application Server includes online documentation and sample code by default. Included in the sample code is the Expression Evaluator utility, which allows a developer to experiment with Cold Fusion expressions by uploading expressions from a local PC and having the Expression Evaluator evaluate them.

The Problems


MX 6 Buffer Overflow Vulnerability

11/21/02
CAN 2002-1309
The Microsoft Internet Information Server (IIS) ISAPI filters that Macromedia provides with ColdFusion MX 6 may be vulnerable to a buffer overflow attack. When ColdFusion templates with filenames longer than 8,192 characters or with HTTP headers longer than 4,096 characters are requested, IIS can become unresponsive. The template does not need to exist. This could be used to construct a denial of service attack on a ColdFusion MX server. In addition, it is possible that the various structures in the process heap can be overwritten in such a way as to gain control of the remote IIS process with SYSTEM level access.
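As an added illustration (not code from the page, from Macromedia, or from any scanner), the following Python scans a raw HTTP request head for the two conditions described above, a template file name longer than 8,192 characters or a header line longer than 4,096 characters, so that the pattern can be flagged in captured traffic before it reaches a ColdFusion MX 6 host. The sample requests at the bottom are constructed for the demonstration; only the two length limits come from the page.

```python
MAX_TEMPLATE_NAME = 8192   # limit stated on the page for template file names
MAX_HEADER_LINE = 4096     # limit stated on the page for HTTP header lines


def oversized_request_findings(raw_request):
    """Scan one raw HTTP request head (bytes) and return a list of findings.

    Only the request line and header lines are examined; the body, if any,
    is ignored.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    findings = []

    parts = lines[0].split(b" ")
    if len(parts) >= 2:
        target = parts[1].split(b"?", 1)[0]
        # The page speaks of the template's file name, so measure the last
        # path segment rather than the whole URL.
        filename = target.rsplit(b"/", 1)[-1]
        if filename.lower().endswith(b".cfm") and len(filename) > MAX_TEMPLATE_NAME:
            findings.append(
                f"template name is {len(filename)} bytes (> {MAX_TEMPLATE_NAME})")

    for line in lines[1:]:
        if len(line) > MAX_HEADER_LINE:
            name = line.split(b":", 1)[0].decode("latin-1", "replace")
            findings.append(
                f"header {name!r} is {len(line)} bytes (> {MAX_HEADER_LINE})")
    return findings


def build_request(path, headers):
    """Assemble a request head for testing (constructed sample, not captured traffic)."""
    lines = [f"GET {path} HTTP/1.0".encode("latin-1")]
    lines += [f"{k}: {v}".encode("latin-1") for k, v in headers.items()]
    return b"\r\n".join(lines) + b"\r\n\r\n"


# Constructed samples: one ordinary request, one over-long template name,
# one over-long header line.
NORMAL_REQUEST = build_request("/cfdocs/expeval/exprcalc.cfm", {"Host": "example.test"})
LONG_NAME_REQUEST = build_request("/" + "a" * 9000 + ".cfm", {"Host": "example.test"})
LONG_HEADER_REQUEST = build_request(
    "/index.cfm", {"Host": "example.test", "Cookie": "c=" + "x" * 5000})

if __name__ == "__main__":
    for label, req in [("normal", NORMAL_REQUEST),
                       ("long template name", LONG_NAME_REQUEST),
                       ("long header", LONG_HEADER_REQUEST)]:
        print(f"{label:20s} -> {oversized_request_findings(req) or 'no findings'}")
```

The check is lexical and cheap, so it suits a reverse proxy or an IDS preprocessor placed in front of the IIS host; it does not tell you whether the ISAPI filter actually mishandled the request, only that a request matching the described shape arrived.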


Host Filter Bypass Exposes Vulnerabilities in Example Apps

CAN 2001-0535
Cold Fusion comes with a number of optional example applications. Since the example applications are intended only to assist developers, they contain a host filter to prevent access by hosts other than the local host. However, the filter is based on an HTTP variable which is sent by the web browser and can be easily falsified, thus allowing an attacker to bypass the filter.

The vulnerability in the host filter exposes vulnerabilities in two of the example applications that could allow a remote attacker to execute commands or read files on the server. The Web Publishing application, found in /cfdocs/exampleapp/publish, could allow an attacker to upload files containing arbitrary commands, which could then be executed from a web browser. The E-mail application, found in /cfdocs/exampleapp/email, could allow an attacker to e-mail any file to any e-mail address, thus gaining the ability to read any file.

Cold Fusion versions prior to 5.0 are affected by this vulnerability. Cold Fusion 5.0 and higher are not affected because they use an improved method of checking a client's address.
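To make the distinction in the paragraphs above concrete, here is an added Python example (not the example applications' own filter code, which the page does not reproduce) contrasting a host filter that trusts a value the browser sends with one that uses the peer address reported by the server's socket layer. The header name `X-Client-Host` is an assumption, since the page only says the filter keys on "an HTTP variable which is sent by the web browser"; the requests are constructed for the demonstration.

```python
from ipaddress import ip_address

# Hypothetical header name: the page does not say which variable the filter used.
CLIENT_SUPPLIED_HEADER = "X-Client-Host"
LOCAL_NAMES = {"localhost", "127.0.0.1", "::1"}


def is_local_by_header(headers):
    """Weak filter: believes whatever the client itself put in the header."""
    value = headers.get(CLIENT_SUPPLIED_HEADER, "").strip().lower()
    return value in LOCAL_NAMES


def is_local_by_peer(peer_addr):
    """Stronger filter: uses the address the server's socket layer reports,
    which an HTTP client cannot change by editing its request."""
    try:
        return ip_address(peer_addr).is_loopback
    except ValueError:
        return False


def example_app_allowed(headers, peer_addr, trust_header=False):
    """Gate for a developer-only example application."""
    if trust_header:
        return is_local_by_header(headers)
    return is_local_by_peer(peer_addr)


# Constructed requests (not real traffic): the dict is what the client sent,
# the string is the TCP peer address the server saw.
LOCAL_REQUEST = ({CLIENT_SUPPLIED_HEADER: "localhost"}, "127.0.0.1")
REMOTE_REQUEST = ({CLIENT_SUPPLIED_HEADER: "203.0.113.9"}, "203.0.113.9")
FORGED_REQUEST = ({CLIENT_SUPPLIED_HEADER: "localhost"}, "203.0.113.9")

if __name__ == "__main__":
    for label, (hdrs, peer) in [("local", LOCAL_REQUEST),
                                ("remote", REMOTE_REQUEST),
                                ("remote, forged header", FORGED_REQUEST)]:
        print(f"{label:22s} header-based: {example_app_allowed(hdrs, peer, True)!s:5}  "
              f"peer-based: {example_app_allowed(hdrs, peer)}")
```

The forged remote request passes the header-based filter and fails the peer-based one, which is the whole difference between the pre-5.0 check and the "improved method of checking a client's address" the page credits to 5.0 and later. Note that behind a reverse proxy the peer address is the proxy's, so even the stronger check is no substitute for removing example applications from operational servers, as the Resolutions section advises.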


Multiple Vulnerabilities in Versions Prior to 5.0

CAN 2001-1120
Multiple vulnerabilities in Cold Fusion versions 2.0 through 4.5.1 SP2 could allow a remote attacker to read or delete arbitrary files on the server, or to replace ColdFusion Server templates with empty files.


CFXImage showtemp.cfm Directory Traversal

6/12/02
CAN 2002-0879
CFXImage is a custom Cold Fusion tag for editing and creating images. The CFXImage documentation includes a file called showtemp.cfm which does not validate user-supplied file names, thus allowing a remote attacker to view arbitrary files outside the web root. CFXImage versions prior to 1.6.6.1 are affected by this vulnerability.
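The missing step in showtemp.cfm is a containment check on the supplied file name. The following Python is an added example of such a check (it is not CFXImage's code and not taken from the page): it joins the name to a web root, collapses `.` and `..` segments lexically, and refuses anything that ends up outside the root. The web root path is an assumption, and the inputs in the test are constructed.

```python
import posixpath

# Assumed web root for the illustration; the page names no path.
WEB_ROOT = "/var/www/html"


def safe_path_under_root(user_name, root=WEB_ROOT):
    """Return the absolute path for a user-supplied file name, or None if the
    name is empty, absolute, contains a NUL byte, or escapes the web root.

    The name is assumed to have been URL-decoded exactly once already by the
    web server, which is how a CFML template would receive it.
    """
    if not user_name or "\x00" in user_name:
        return None
    root = root.rstrip("/")
    # The affected product ran on Windows, so treat backslashes as separators
    # before normalising; otherwise "..\\" would pass as a plain file name.
    name = user_name.replace("\\", "/")
    if name.startswith("/"):
        return None
    # normpath collapses "." and ".." lexically with no filesystem access,
    # so it also handles names that do not (yet) exist.
    joined = posixpath.normpath(posixpath.join(root, name))
    if not joined.startswith(root + "/"):
        return None
    return joined


if __name__ == "__main__":
    for name in ["temp/img1.gif", "temp/../img2.gif",
                 "../../../etc/passwd", "..\\..\\boot.ini", "/etc/passwd", ""]:
        print(f"{name!r:28s} -> {safe_path_under_root(name)}")
```

Lexical checking is enough for the traversal described here; if the served directory may contain symbolic links, resolve the candidate with `os.path.realpath` and repeat the prefix test on the result, because a link inside the root can still point outside it.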


Expression Evaluator File Upload

CAN 1999-0455
CAN 1999-0477
A vulnerability in the Cold Fusion Expression Evaluator utility could allow an attacker to view and delete any file on the system, and to upload files anywhere on the server. The ability to upload executable files makes this vulnerability even more critical.

The file /cfdocs/expeval/exprcalc.cfm is intended to display the file uploaded by the user, and then delete it. However, it can easily be used to display and delete any file on the system. Furthermore, it can even be used to delete itself, so that subsequently uploaded files will not be deleted by the Expression Evaluator, and will remain on the server. Cold Fusion Application Server versions 2.0, 3.0, 3.1, and 4.0 have this vulnerability.


Source code viewing using sourcewindow.cfm

CVE 1999-0922
The example script sourcewindow.cfm allows a remote user to view the source code of any file on the server.


Vulnerabilities in Cold Fusion snippets

CAN 1999-0923
Vulnerabilities in several of the sample scripts included in the "snippets" directory could allow an attacker to verify the existence of files on the server, view the source code of Cold Fusion files, or create a denial of service.


Denial of Service in Syntax Checker

CVE 1999-0924
The Syntax Checker is used to check the syntax of Cold Fusion files. By sending a query which instructs it to check the syntax of *.*, a heavy load can be created on the CPU, thus slowing down the response to legitimate requests.


Denial of Service in Start/Stop utility

CVE 1999-0756
Cold Fusion contains a Java applet designed to allow an administrator to start or stop the Cold Fusion service. When Basic Security is enabled, this utility is password-protected, so that only an administrator can use it. However, when Advanced Security is enabled, it overrides the password-protection. This allows any remote user to stop the Cold Fusion service, thus creating a denial of service. Cold Fusion 4.0 and 4.0.1 are affected by this vulnerability if Advanced Security is enabled.

Resolutions

Firstly, upgrade to ColdFusion MX 6 server (or higher, if available), ensure that you have the latest ColdFusion MX Updater for the ColdFusion MX Server, and perform the update. If it is not possible to upgrade and you have a Cold Fusion version prior to 5.0, you should install the patch referenced in Macromedia Product Security Bulletin 01-07.

Secondly, online documentation and sample utilities should not be kept on operational web servers. Any files which are not needed should be deleted from the web server. In particular, for Cold Fusion 5.0 and earlier:

Where can I read more about this?

For more information about the MX 6 Buffer Overflow Vulnerability, see the Neohapsis posting and Macromedia's bulletin.

More information on the host filter bypass vulnerability, which exposes the vulnerabilities in the Web Publishing and E-mail example applications, can be found in Macromedia Security Bulletin 01-08 and an X-Force alert.

More information on the vulnerabilities in Cold Fusion versions prior to 5.0 can be found in Macromedia Product Security Bulletin 01-07.

More information on the CFXImage vulnerability can be found in ProCheckUp Security Bulletin 02-12.

More information about the Expression Evaluator vulnerability can be found in the L0pht Security Advisory and in Allaire Security Bulletin 99-01.

For more information about the sourcewindow, snippets, and syntax checker vulnerabilities, see Rain Forest Puppy and Allaire Security Bulletin 99-02.

More information about the Start/Stop vulnerability can be found in Allaire Security Bulletin 99-07.