Allaire Security Bulletin (ASB00-23)
Spectra 1.0.1: Workaround available for administrative interface security issue

Originally Posted: August 25, 2000
Last Updated: August 30, 2000

Summary

Allaire Spectra 1.0.1 includes an administrative-level utility meant for configuring Spectra applications. This utility was inadvertently included in the commercial release of Allaire Spectra 1.0.1 and, if not properly secured, could permit a malicious person to view or alter sensitive data used for configuring and administering Allaire Spectra applications. This issue does not affect Spectra 1.0 customers.

Issue

The directory /allaire/spectra/system/admin/ contains files for administering and configuring Allaire Spectra that are not needed in a production installation. These files are accessible via a web browser and were inadvertently installed and shipped with Allaire Spectra 1.0.1. Because they expose administrative functions to anyone who can reach the web server, they could be used maliciously to damage or alter server data.

Affected Software Versions

  * Spectra 1.0.1 (all editions - NT and Solaris)

Note: Spectra 1.0 customers are not affected.

What Allaire is Doing

Allaire has begun a customer and partner outreach program to notify users of the potential security issue directly. In addition, Allaire has published this bulletin notifying customers of the potential issue.

What Customers Should Do

Customers should remove the following directory from every Spectra 1.0.1 server on which it exists. The directory is unnecessary in a production installation; it was used only in beta versions of 1.0.1 and was inadvertently left in the release:

  /allaire/spectra/system/admin/

Note: this issue affects only customers running Spectra 1.0.1; Spectra 1.0 customers are not affected.

Please Note: If customers have any questions or concerns regarding this particular issue, or about performing the described fix, they should contact secure@allaire.com.

Acknowledgements

Allaire would like to thank Peter Trumpp of [4]conceptware ag for bringing this issue to our attention.
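The script below is an added example written for this page, not Allaire's own tooling, to support the remediation described above. It does two things an administrator would want before and after deleting the stray directory: it counts requests to /allaire/spectra/system/admin/ in a web server access log, so you can tell whether the directory was already probed before it was removed, and it archives the directory outside the web root before deleting it, so the evidence survives. The Common Log Format, the document root and archive directory arguments, and the sample log lines embedded in the script are all assumptions constructed for the example; the on-disk location of the directory under your web root is installation-specific and must be supplied by you.

```shell
#!/bin/sh
# Added example (not part of the Allaire bulletin): audit and remove the
# stray Spectra 1.0.1 admin directory. Assumptions: the web server writes a
# Common Log Format access log, and the directory lives under the document
# root passed as an argument.

ADMIN_PATH="/allaire/spectra/system/admin/"

# Write a small constructed access log (sample data, not a real capture).
# Two of the four lines are requests into the stray admin directory; the
# last line is a different "admin" directory that must not be counted.
write_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [26/Aug/2000:10:11:12 -0400] "GET /index.cfm HTTP/1.0" 200 4311
10.0.0.9 - - [26/Aug/2000:10:12:03 -0400] "GET /allaire/spectra/system/admin/ HTTP/1.0" 200 2210
10.0.0.9 - - [26/Aug/2000:10:12:40 -0400] "POST /Allaire/Spectra/System/Admin/settings.cfm HTTP/1.0" 200 980
10.0.0.7 - - [26/Aug/2000:10:15:00 -0400] "GET /products/admin/list.cfm HTTP/1.0" 200 1503
EOF
}

# Count requests whose URL starts with the stray admin directory.
# -i because IIS on NT matches paths case-insensitively, so a client can
# vary the case; the pattern is anchored to the start of the request line
# so an unrelated "admin" directory elsewhere on the site is not counted.
count_admin_hits() {
    n=$(grep -c -i -E "\"[A-Z]+ $ADMIN_PATH" "$1") || true
    echo "$n"
}

# Archive the stray directory outside the web root, then remove it.
# $1 = document root, $2 = directory that will hold the archive.
# Returns 1 if the directory is not present (nothing to do).
remove_admin_dir() {
    rel="allaire/spectra/system/admin"
    dir="$1/$rel"
    if [ ! -d "$dir" ]; then
        echo "not present: $dir"
        return 1
    fi
    tar -C "$1" -cf "$2/spectra-admin-$(date +%Y%m%d).tar" "$rel"
    rm -rf "$dir"
    echo "archived and removed: $dir"
    return 0
}

# Usage: sh spectra_admin_cleanup.sh ACCESS_LOG DOCROOT ARCHIVE_DIR
if [ $# -eq 3 ]; then
    echo "requests to $ADMIN_PATH in $1: $(count_admin_hits "$1")"
    remove_admin_dir "$2" "$3"
fi
```

Run it on each Spectra 1.0.1 host as the web server's owner, pointing ARCHIVE_DIR somewhere the web server does not serve. A non-zero hit count means the directory was reachable and requested before removal, which is an incident to investigate rather than just a configuration fix; a zero count only shows the log retained no such requests. The `grep -E` flag assumes a GNU or XPG4 grep (on older Solaris use /usr/xpg4/bin/grep); the sample log function exists only so the script is self-contained and can be deleted in production.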
Revisions

August 25, 2000 -- Bulletin first created.
August 30, 2000 -- Bulletin posted to Security Zone.

Reporting Security Issues

Allaire is committed to addressing security issues and providing customers with information on how they can protect themselves. If you identify what you believe may be a security issue with an Allaire product, please send an email to secure@allaire.com. We will work to appropriately address and communicate the issue.

Receiving Security Bulletins

When Allaire becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Allaire customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service. For additional information on security issues at Allaire, please visit the Security Zone at [5]http://www.allaire.com/security.

THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ALLAIRE CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Allaire reserves the right, from time to time, to update the information in this document with current information.

Copyright © 1995-2000 Allaire Corp., All rights reserved.
References

4. http://www.conceptware.com/
5. http://www.allaire.com/security