Allaire Security Bulletin (ASB99-08)
Pages Encrypted with CFCRYPT.EXE Can Be Illegally Decrypted

Originally Posted: May 19, 1999
Last Updated: May 19, 1999

Summary

ColdFusion supports the ability to "encrypt" the CFML templates in an application or component, using the CFCRYPT.EXE utility, so they can be redistributed or sold without exposing the source code to casual viewing. Allaire has received reports of illegal utilities that will "decrypt" encrypted CFML templates.

In general, this does not mean that end users can access source code through a browser, because under normal use CFML is pre-processed on the server. The decoding exploit only affects applications or components that are being distributed to other users as source (e.g. custom tags or third-party applications built on ColdFusion Server).

Issue

The encryption capability in ColdFusion was designed to make it more difficult to view the code in applications or components that are redistributed as source. ColdFusion uses industry-standard encryption technology, but as with any interpreted language such as CFML or Perl, and any byte-coded language such as Java, it is theoretically possible to reverse engineer either encrypted scripts or compiled applications.

In order to create a decryption utility, one must first reverse engineer the ColdFusion template encryption process. Although this is illegal, Allaire has received reports of the availability of decryption utilities for this purpose. (It should be noted that Allaire has a decryption utility that is reserved for special technical support cases where customers have accidentally encrypted their only copy of their own original source code.)

It is important to understand that this exploit only affects applications that are redistributed. Under proper server configuration, end users cannot access source code in a ColdFusion application because it is pre-processed on the server each time a page is requested. Also, most Web server programming environments, including Perl and ASP, do not provide support for even basic encryption.

Affected Software Versions

* ColdFusion Application Server 3.x (all editions)
* ColdFusion Server 4.x (all editions)

What Allaire is Doing

Allaire is investigating the possibility of including stronger and more flexible encryption options in the next release of ColdFusion Server.

What Customers Should Do

In general, people using CFCRYPT.EXE to hide source code should recognize that there is the possibility of pages being illegally decrypted. Customers who are creating commercial applications for redistribution or sale should include a license agreement that clearly states users are not authorized to decrypt encrypted pages. Organizations using CFCRYPT.EXE to protect code internally should recognize the risk that decoding may pose and adjust accordingly.

Revisions

May 19, 1999 -- Bulletin first released.

Reporting Security Issues

Allaire is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with an Allaire product, please send an email to secure@allaire.com. We will work to appropriately address and communicate the issue.

Receiving Security Bulletins

When Allaire becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Allaire customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service.

For additional information on security issues at Allaire, please visit the Security Zone at: [4]http://www.allaire.com/security

THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ALLAIRE CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright © 1995-99 Allaire Corp., All rights reserved.
[5]Site problems? [6]Service questions? [7]Privacy Policy

References

4. http://www.allaire.com/security
5. mailto:webmaster@allaire.com
6. mailto:info@allaire.com
7. http://www.allaire.com/privacy/