Allaire Security Bulletin (ASB99-07) Solution Available for Denial-of-Service Attack Using CF Admin. Start/Stop Utility Originally Posted: May 19, 1999 Last Updated: May 19, 1999 Summary The ColdFusion Administrator includes a utility for starting and stopping the ColdFusion service from a browser. When Basic Security is enabled, this utility is protected by the Administrator password. However, when Advanced Security is enabled, the start/stop utility is not password protected and can be accessed by an unauthorized user to stop the ColdFusion Server. The exploit is easily addressed by securing the utility with Web server security or removing the utility from the system. Issue The ColdFusion Administrator Start/Stop Utility is a browser-based Java applet that is designed to let administrators start and stop the ColdFusion service. The utility is made available through the file "startstop.html" stored in the "/CFIDE/Administrator/" directory. When Basic Security is enabled this utility is secured by the same password used to secure the Administrator. When Advanced Security is enabled, it overrides the browser-based password security imposed on the Start/Stop Utility. If a server is running Advanced Security, an unauthorized user could access the startstop.html page to stop the server. Affected Software Versions * ColdFusion Server 4.0 (all editions) * ColdFusion Server 4.0.1 (all editions) What Allaire is Doing Allaire intends to address this exploit in the next release of ColdFusion Server. In the mean time, Allaire has released this bulletin to notify customers of the issue. Allaire recommends that customers using Advanced Security remove the start/stop utility, or if it is required, secure it with Web server security. What Customers Should Do Customers who are using Advanced Security should remove the file "startstop.html" from the /CFIDE/Administrator directory. If the browser-based start/stop functionality is required, the file can be secured with standard Web server security to prevent unauthorized access. The recommended way to stop and start the ColdFusion services is via the standard operating system remote service management tools. Depending on how your operating system is set up, and the services it is running, you may be able to connect to the service manager remotely, or you may be able to TELNET into the server to issue a command line restart command. In general, Allaire recommends that customers secure the entire /CFIDE/Administrator directory with Web server security in addition to either Basic or Advanced ColdFusion Security. Access to the /CFIDE/Administrator directory should be limited to administrators, and it should be protected with strong, difficult to guess passwords. Revisions May 19, 1999 -- Bulletin first released. Reporting Security Issues Allaire is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with an Allaire product, please send an email to secure@allaire.com. We will work to appropriately address and communicate the issue. Receiving Security Bulletins When Allaire becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Allaire customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service. For additional information on security issues at Allaire, please visit the Security Zone at: [4]http://www.allaire.com/security THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ALLAIRE CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. < a l l a i r e > Copyright © 1995-99 Allaire Corp., All rights reserved. [5]Site problems? [6]Service questions? [7]Privacy Policy References 1. LYNXIMGMAP:http://www1.allaire.com/handlers/index.cfm?ID=10968&Method=Full#allaireHome 2. LYNXIMGMAP:http://www1.allaire.com/handlers/index.cfm?ID=10968&Method=Full#tools 3. javascript:history.back() 4. http://www.allaire.com/security 5. mailto:webmaster@allaire.com 6. mailto:info@allaire.com 7. http://www.allaire.com/privacy/