Allaire Security Bulletin (ASB00-01)
Addressing Enhancing Authenticated Webtop User Security in Allaire Spectra 1.0

Originally Posted: January 4, 2000
Last Updated: January 4, 2000

Summary

The Allaire Spectra 1.0 Webtop allows authenticated users to access sections of the Webtop they may not have been granted access to by typing explicit URLs. This exploit does not give anyone access to the Webtop who does not already have permissions to at least one section of the Webtop.

Issue

In the application settings file for the Spectra Webtop, there is a line of code that turns on security settings for the Webtop. This line of code is missing in Version 1.0 of Spectra. You can still secure sections of the Webtop via the Webtop Permissions area of the System Admin section, and those sections do not appear to the user. However, the user can access the secured section by typing in the explicit URL. This exploit does not give anyone access to the Webtop who does not already have permissions to at least one section of the Webtop.

Affected Software Versions

  - Spectra 1.0

What Allaire is Doing

Allaire intends to address this vulnerability in the next release of Spectra. In the interim, Allaire has released this bulletin to notify customers of the issue. Allaire recommends that customers deploying Spectra 1.0 add the missing line of code to the Spectra Webtop application settings file, as outlined below.

What Customers Should Do

Customers should add the missing line of code to the application settings file for the Webtop. To do this:

  1. Open the file webroot/Allaire/spectra/webtop/application.cfm
  2. Add the following line directly under the application initialize section:

     Your code should then look like this: . . . . . .

  3. Save the file and your Webtop security settings will work correctly.
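The Issue section describes the classic failure mode behind this bulletin: permissions hide sections from the Webtop menu, but nothing re-checks them when a section is requested by explicit URL. The following Python model, added here as an illustration and not Allaire's or Spectra's code, contrasts a menu that merely hides sections with a request handler that enforces the permission table on every request; the user names, section names and URL layout are constructed for the demonstration.

```python
# Added example: models the Spectra 1.0 Webtop behaviour described in the bulletin.
# Constructed permission table (hypothetical users and sections): which Webtop
# sections each authenticated user has been granted in Webtop Permissions.
WEBTOP_PERMISSIONS = {
    "alice": {"content", "system-admin"},
    "bob": {"content"},
}

# All sections the Webtop knows about (constructed names).
WEBTOP_SECTIONS = ("content", "system-admin")


class Forbidden(Exception):
    """Raised when a request targets a section the user may not access."""


def render_menu(user):
    """UI layer: list only the sections the user may see.

    Hiding a menu entry is a usability feature, not an access control;
    with the security line missing, this filter was the only barrier."""
    allowed = WEBTOP_PERMISSIONS.get(user, set())
    return [s for s in WEBTOP_SECTIONS if s in allowed]


def handle_request(user, path, security_enabled):
    """Dispatch a Webtop URL such as '/webtop/system-admin/index.cfm'.

    security_enabled=False reproduces the 1.0 behaviour: an authenticated
    user who types the URL of a hidden section is served that section.
    security_enabled=True applies the permission check to every request,
    which is what the missing application settings line turns on."""
    if user not in WEBTOP_PERMISSIONS:
        # Login gate: users with no Webtop permissions at all are refused
        # regardless of the setting, matching the bulletin's scope statement.
        raise Forbidden("not an authenticated Webtop user")
    parts = path.strip("/").split("/")
    if len(parts) < 2 or parts[0] != "webtop" or parts[1] not in WEBTOP_SECTIONS:
        raise LookupError("no such Webtop section")
    section = parts[1]
    if security_enabled and section not in WEBTOP_PERMISSIONS[user]:
        raise Forbidden(f"{user} may not access {section}")
    return f"{section} page for {user}"


def can_reach(user, path, security_enabled):
    """True if the request is served, False if the permission check refuses it."""
    try:
        handle_request(user, path, security_enabled)
        return True
    except Forbidden:
        return False
```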
Note that if you have the ColdFusion "Trusted Cache" option enabled in the ColdFusion Administrator, you will need to turn it off, reload any Webtop section, then turn the "Trusted Cache" option on again for the change to take effect. Restarting the ColdFusion Server will also cause the change to take effect.

Revisions

January 4, 2000 -- Bulletin first created.

Reporting Security Issues

Allaire is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with an Allaire product, please send an email to secure@allaire.com. We will work to appropriately address and communicate the issue.

Receiving Security Bulletins

When Allaire becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Allaire customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service.

For additional information on security issues at Allaire, please visit the Security Zone at: [4] http://www.allaire.com/security

THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ALLAIRE CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
Copyright © 1995-2000 Allaire Corp., All rights reserved.

References

  4. Allaire Security Zone: http://www.allaire.com/security
  5. Year 2000 (Y2K): http://www.allaire.com/developer/year2000
  6. Site problems: webmaster@allaire.com
  7. Service questions: info@allaire.com
  8. Privacy Policy: http://www.allaire.com/privacy/