Allaire Security Bulletin (ASB99-10)
Addressing Potential Security Issues with Undocumented CFML Tags and Functions Used in the ColdFusion Administrator

Originally Posted: July 29, 1999
Last Updated: July 29, 1999

Summary

ColdFusion Server includes several undocumented CFML tags and functions that are used in the ColdFusion Administrator. In the context of the ColdFusion Administrator, access to the functionality provided by these undocumented tags and functions is restricted to people with administrative privileges. However, the functionality can be used just like any other CFML tag or function in a ColdFusion application hosted on a server. As a result, developers who have permission to create Web applications and executable ColdFusion templates on a ColdFusion server can make use of the undocumented functions and tags to potentially gain unauthorized access to administrative settings, including registry, database and Advanced Security settings. The availability of illegal de-encoding utilities that can de-encode the ColdFusion Administrator has made knowledge of the undocumented tags and functions more widely known.

Issue

The ColdFusion Administrator is a ColdFusion Web application used to set various ColdFusion Server options. The Administrator makes use of CFML functions and tags to perform these tasks and employs several tags and functions not currently documented in the CFML Language Reference. While these tags and functions are currently unsupported, ColdFusion developers who have permission to create Web applications and executable ColdFusion templates on a ColdFusion server can make use of them in their Web applications to perform certain administrative tasks. The availability of the undocumented tags potentially gives developers who have permission to place applications on a ColdFusion server the ability to gain unauthorized access to registry, database, and Advanced Security settings.
In most cases, this does not pose a security risk because the developers who have access to a server are trusted. However, in a hosted-application environment, such as an ISP or a corporate data center that is hosting multiple independent developers' applications on a single server, the availability of the undocumented tags used in the ColdFusion Administrator makes it more difficult to prevent malicious actions by developers who may be using the hosting server.

The undocumented tags used in the ColdFusion Administrator bypass both ColdFusion Basic Security, which can be used to disable some tags, and ColdFusion Advanced Security, which can be used to disable all documented CFML tags. Currently, no ColdFusion functions can be disabled. In general, creating secure hosted-application environments requires the use of several layers of security, including network, firewall, operating system, ColdFusion Server, Web server, and database server security.

In addition to standard CFML tags and functions, the ColdFusion 4.0.1 Administrator makes use of the following functions and tags:

Administrative Functions:

* CF_SETDATASOURCEUSERNAME() -- Sets the default user name for a ColdFusion data source
* CF_SETDATASOURCEPASSWORD() -- Sets the default password for a ColdFusion data source
* CF_ISCOLDFUSIONDATASOURCE() -- Verifies a connection to a ColdFusion data source
* CF_GETDATASOURCEUSERNAME() -- Gets the default user name for a ColdFusion data source
* CFUSION_VERIFYMAIL() -- Verifies the connection to the default ColdFusion SMTP mail server
* CFUSION_GETODBCINI() -- Gets ODBC data source information from the Registry
* CFUSION_SETODBCINI() -- Sets ODBC data source information in the Registry
* CFUSION_GETODBCDSN() -- Gets the ODBC data source names from the Registry
* CFUSION_SETTINGS_REFRESH() -- Refreshes some ColdFusion settings that do not require a restart
* CFUSION_DBCONNECTIONS_FLUSH() -- Disconnects all currently connected ColdFusion data sources

Administrative Tags:

* CFINTERNALDEBUG -- Used for internal ColdFusion debugging by product development and to compile templates to PCode without executing them (used by the CFML Syntax Checker).
* CFNEWINTERNALADMINSECURITY -- Used for updates to Advanced Security information.
* CFNEWINTERNALREGISTRY -- Used for registry updates. This tag is identical to the CFREGISTRY tag but bypasses Basic Security.

Affected Software Versions

* ColdFusion Server (all versions and editions).

What Allaire is Doing

Allaire has published this security bulletin and notified customers about the issue through our standard security notification procedures. Allaire is planning to document all tags and functions in future releases, and to expand the scope of the services available as part of the Server Sandbox Security in the next release of ColdFusion Server Enterprise Edition, in order to give customers hosting multiple applications on the same server additional facilities for securing their environments. More technical documentation is being developed to give administrators additional information about configuring security for environments hosting multiple applications.

What Customers Should Do

In general, Allaire recommends that server administrators restrict access to servers to trusted developers and tested applications in order to prevent the installation of malicious application code. Properly securing environments where multiple untrustworthy developers, clients or untested Web applications (ColdFusion, ASP, CGI, Java, etc.) are hosted on a single server requires the full use of network, firewall, operating system, Web server, application server, and database security. These environments should only be configured and managed by experienced administrators with adequate knowledge to secure the environments. Allaire also recommends that server administrators follow the best practices for securing the ColdFusion Administrator documented in [4] KB Article 10954, Security Best Practice: Securing the ColdFusion Administrator.
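Because the tags above bypass Basic and Advanced Security and no function can be disabled, a hosting administrator has no server-side switch to turn them off; the practical compensating control is to audit the templates developers upload. The following Python script is an added example, not part of the Allaire bulletin and not Allaire's code: it walks a web root and reports every .cfm/.cfml template that references one of the tags or functions listed in the bulletin. The tag and function names are taken from the bulletin; the directory layout, the sample templates and the argument forms used inside them are constructed for the demonstration and are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Tag and function names as listed in Allaire Security Bulletin ASB99-10.
UNDOCUMENTED_FUNCTIONS = (
    "CF_SETDATASOURCEUSERNAME", "CF_SETDATASOURCEPASSWORD",
    "CF_ISCOLDFUSIONDATASOURCE", "CF_GETDATASOURCEUSERNAME",
    "CFUSION_VERIFYMAIL", "CFUSION_GETODBCINI", "CFUSION_SETODBCINI",
    "CFUSION_GETODBCDSN", "CFUSION_SETTINGS_REFRESH",
    "CFUSION_DBCONNECTIONS_FLUSH",
)
UNDOCUMENTED_TAGS = (
    "CFINTERNALDEBUG", "CFNEWINTERNALADMINSECURITY", "CFNEWINTERNALREGISTRY",
)

# CFML tag and function names are case-insensitive, so the scan must be too.
FUNC_RE = re.compile(r"\b(" + "|".join(UNDOCUMENTED_FUNCTIONS) + r")\s*\(", re.IGNORECASE)
TAG_RE = re.compile(r"<\s*(" + "|".join(UNDOCUMENTED_TAGS) + r")\b", re.IGNORECASE)


def scan_template(text):
    """Return (line_number, kind, NAME) for every undocumented tag or function
    call found in one template. Occurrences inside CFML comments are reported
    too: an auditor wants to see them rather than have them silently dropped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TAG_RE.finditer(line):
            findings.append((lineno, "tag", m.group(1).upper()))
        for m in FUNC_RE.finditer(line):
            findings.append((lineno, "function", m.group(1).upper()))
    return findings


def scan_tree(root):
    """Walk a web root and scan every .cfm/.cfml template. Returns a dict of
    relative path -> findings, holding only templates with at least one hit."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in (".cfm", ".cfml"):
            hits = scan_template(path.read_text(errors="replace"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report


# Constructed sample templates (assumptions, not taken from the bulletin).
# The argument forms used with the functions are illustrative guesses.
BENIGN_TEMPLATE = """<CFQUERY name="q" datasource="orders">
SELECT id FROM orders
</CFQUERY>
<CFOUTPUT>#q.recordCount# rows</CFOUTPUT>
"""

SUSPICIOUS_TEMPLATE = """<CFSET dsns = CFUSION_GETODBCDSN()>
<cfnewinternalregistry>
<CFOUTPUT>#cf_getdatasourceusername("orders")#</CFOUTPUT>
"""


def demo():
    """Build a throwaway web root holding one hosted site and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "wwwroot"
        (site / "shop").mkdir(parents=True)
        (site / "shop" / "orders.cfm").write_text(BENIGN_TEMPLATE)
        (site / "shop" / "setup.cfm").write_text(SUSPICIOUS_TEMPLATE)
        # Not a template: must not be scanned even though it names a tag.
        (site / "notes.txt").write_text("CFNEWINTERNALREGISTRY mentioned in prose\n")
        return scan_tree(site)


if __name__ == "__main__":
    for template, hits in demo().items():
        for lineno, kind, name in hits:
            print(f"{template}:{lineno}: undocumented {kind} {name}")
```

Run it against the real web root with `scan_tree("/path/to/wwwroot")` after each developer upload, or from a scheduled job. The scan is deliberately conservative: it flags the name wherever it appears, mixed case included, because a reviewer can dismiss a false positive far more cheaply than miss a template that reaches the registry or data source settings. It is a text audit, not an enforcement control, and complements rather than replaces the layered network, operating system, Web server and database controls the bulletin recommends.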
Revisions

July 29, 1999 -- Bulletin first created.

Reporting Security Issues

Allaire is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with an Allaire product, please send an email to secure@allaire.com. We will work to appropriately address and communicate the issue.

Receiving Security Bulletins

When Allaire becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Allaire customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service. For additional information on security issues at Allaire, please visit the Security Zone at: [5] http://www.allaire.com/security

THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ALLAIRE CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright © 1995-99 Allaire Corp., All rights reserved.

References

4. http://www.allaire.com/handlers/index.cfm?ID=10954&Method=Full
5. http://www.allaire.com/security