[15240] in bugtraq
New Allaire ColdFusion DoS
daemon@ATHENA.MIT.EDU (stuart.mcclure@FOUNDSTONE.COM)
Thu Jun 8 04:06:37 2000
Message-Id: <2153DBA073F0D311911100B0D01A826F05B66E@mail.foundstone.com>
Date: Wed, 7 Jun 2000 01:59:45 -0400
Reply-To: stuart.mcclure@FOUNDSTONE.COM
From: stuart.mcclure@FOUNDSTONE.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"
Security Advisory
Allaire's ColdFusion
---------------------------------------------------------------------------------------
FS Advisory ID: FS-060700-1-CFM
Release Date: June 7, 2000
Product: ColdFusion Web Application Server
Vendor: Allaire Corporation (http://www.allaire.com)
Vendor Advisory: http://www.allaire.com/security
Type: Denial of service attack
Severity: Medium to High
Author: Stuart McClure (stuart.mcclure@foundstone.com)
Foundstone, Inc. (http://www.foundstone.com)
Operating Systems: Windows NT, Solaris, HP-UX
Vulnerable versions: All ColdFusion versions up through and including 4.5.1.
Foundstone advisory: http://www.foundstone.com
---------------------------------------------------------------------------------------
Description
A denial of service vulnerability exists within the Allaire ColdFusion web application server that allows an attacker to overwhelm the web server and deny legitimate web page requests.
Details
The problem lies within the ColdFusion mechanism that manages the parsing of passwords within authentication requests. It makes the ColdFusion Administrator login page vulnerable to a denial of service attack. The denial of service occurs during the process of converting the input password and the stored password into forms suitable for comparison when the input password is very large (>40,000 characters).
Proof of Concept
Use the well-known HTML tag field overflow technique to overflow the HTML password field on the Administrator login page:
http://vulnerable.server.here/cfide/administrator/index.cfm
The attacker simply changes the field size and POST action in the HTML tags on the page to allow a large string (over 40,000 characters) to be submitted to the ColdFusion server. Small input strings may not immediately crash the system, but large enough strings will bring the system to a halt.
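Two defender-side checks for the behaviour described under Details and Proof of Concept, added here as an example and not part of the Foundstone advisory or of Allaire's code: an input-length cap applied before the password conversion step that the advisory identifies as the expensive one, and a scan of IIS W3C extended log lines (a constructed sample) that flags oversized POSTs to the Administrator login page. The 128-character cap, the 8192-byte threshold and the log lines are assumptions.

```python
import hmac

# Assumed cap for this example, far below the >40,000-character inputs the advisory cites.
MAX_PASSWORD_LEN = 128
# Administrator login page path as given in the advisory.
ADMIN_LOGIN_PATH = "/cfide/administrator/index.cfm"
# Bytes received above which a POST to the login page is flagged (assumed threshold).
SUSPICIOUS_BODY_BYTES = 8192


def verify_password(submitted: str, stored: str) -> tuple[bool, str]:
    """Bound the input length before any conversion or comparison work.

    The advisory places the DoS in the step that converts the submitted and
    stored passwords into comparable forms, so that step must never see an
    oversized string.
    """
    if len(submitted) > MAX_PASSWORD_LEN:
        return False, "rejected: password exceeds length limit"
    # Constant-time comparison stands in for the server's own check.
    return hmac.compare_digest(submitted.encode(), stored.encode()), "compared"


def flag_oversized_logins(w3c_lines: list[str]) -> list[tuple[str, int]]:
    """Return (client ip, bytes received) for POSTs to the admin login page
    larger than SUSPICIOUS_BODY_BYTES, from IIS W3C extended log text."""
    fields: list[str] = []
    hits: list[tuple[str, int]] = []
    for line in w3c_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the records that follow
            continue
        if line.startswith("#") or not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("cs-method") != "POST" or rec.get("cs-uri-stem", "").lower() != ADMIN_LOGIN_PATH:
            continue
        received = int(rec.get("cs-bytes", "0"))  # cs-bytes = bytes sent by the client
        if received > SUSPICIOUS_BODY_BYTES:
            hits.append((rec["c-ip"], received))
    return hits


# Constructed sample log lines, not captured from a real server.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-bytes
2000-06-07 01:59:45 10.0.0.12 GET /cfide/administrator/index.cfm 200 312
2000-06-07 01:59:52 10.0.0.12 POST /cfide/administrator/index.cfm 200 403
2000-06-07 02:00:03 10.0.0.77 POST /cfide/administrator/index.cfm 500 41220""".splitlines()
```

The length check is the cheap part of the fix; the log scan gives an operator a way to spot the oversized submissions after the fact without changing the server.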
Solution
Workaround
Allaire provides the following workaround: Customers should back up all existing data and implement the recommendations made in the article 'Securing the ColdFusion Administrator (10954)'. This should resolve the issue. The article can be found at
http://www.allaire.com/Handlers/index.cfm?ID=10954&Method=Full
Fix
A fix is expected in the future release of ColdFusion 4.6 (Q4 2000).
Credit
We would like to thank Allaire for their prompt and serious attention to the problem.
Disclaimer
THE INFORMATION CONTAINED IN THIS ADVISORY IS THE COPYRIGHT (C) 2000 OF FOUNDSTONE, INC. AND BELIEVED TO BE ACCURATE AT THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED ON, THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY BE REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.