[22038] in bugtraq


RE: cold fusion 5.0 cfrethrow exploit

daemon@ATHENA.MIT.EDU (Jeff Palmer)
Tue Jul 31 14:46:30 2001

Date: Tue, 31 Jul 2001 13:39:41 -0400 (EDT)
From: Jeff Palmer <scorpio@drkshdw.org>
To: "Johnson, Michael" <Michael.Johnson@ASTStockplan.com>
Cc: "'Eric Lackey'" <eric@isdn.net>,
        "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
In-Reply-To: <5BA9C874D66DD511860600034708613E6BF794@MAIL01>
Message-ID: <20010731133031.F3444-100000@jeff.isni.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

> Anyone seen a proof of concept for the 'huge Allaire exploit' that they are
> telling everyone to put that patch on for? I think it's a hoax as I have not
> seen it yet ...just some marketing ploy to get everyone to upgrade...
>
> -MJ?
>

Let me start by saying I am not a ColdFusion programmer or anything near
there. I do, however, admin 2 RH servers for a company in Texas that uses CF.

With permission, I have tested this exploit, and have verified it works
as advertised (restarts the CF server on Red Hat Linux).

Once, Apache crashed along with it (signal 11; it dumped core but I
didn't take time to debug why). Therefore it didn't restart. It effectively
killed the web server. (This happened once out of nearly 100 tests, on a
devel box.)

There are things you need to consider here.

#1) Most organizations still use the NT version of the server. So if
this was a marketing ploy, I'd assume Allaire would show an NT
vulnerability?

#2) This exploit only affects systems where users have write access to a
website. If your server only offers access to developers, you are not
vulnerable (unless you upset one of your employees, in which case you
have many more problems than a simple server restart).


Regards,

Jeff Palmer
scorpio@drkshdw.org

