[17986] in bugtraq


ColdFusion Denial of Service vulnerability in sample script

daemon@ATHENA.MIT.EDU (Niels Heinen)
Sun Dec 10 17:32:19 2000

Message-Id:  <3A30F6BB.7B4F4A99@ubizen.com>
Date:         Fri, 8 Dec 2000 15:56:59 +0100
Reply-To: Niels Heinen <niels.heinen@UBIZEN.COM>
From: Niels Heinen <niels.heinen@UBIZEN.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

**************************************************************************

Subject: ColdFusion Denial of Service vulnerability in sample script
Software: ColdFusion Server Professional 4.5.1 Eval for Windows (SP2)
Risk Level: Medium
Author: Niels Heinen
Vendor Status: The vendor has released a document concerning this problem
Exploitable: Remotely
**************************************************************************

Impact of the vulnerability:
=============================
The vulnerability can crash the ColdFusion server and in some cases the
system it is installed on. The problem will potentially cause the denial
of web-based services on the server.

Who's vulnerable?
===================
All servers running ColdFusion version 4.5.1 with certain optional
example scripts. To be vulnerable, the administrator must have
first chosen the example scripts during installation.

Technical description:
========================
During installation of the ColdFusion server, the user is given the
chance to load specific example scripts. One of these example scripts
is a search engine. This search engine has the ability to detect whether
the directories on the server are indexed. If the directories are not
indexed, the search engine calls a second script that indexes the
directories. Requests to this indexing script can also be made by
a remote user through a web browser.

The problem is that while the indexing script runs, the CPU usage rises to
70% load. If several requests are made, the server's CPU increases to
100% load and remains there. In some tests, the ColdFusion server
(cfserver.exe) stopped handling requests completely.

A malicious user could potentially launch a denial of service attack
by requesting the indexing script several times.
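A defender-side check for the request pattern described above, added here as an example that is not part of the advisory and not Allaire's code: it scans web server access-log lines and flags any client that requests the indexing script repeatedly within a short window. The script path and the log lines are constructed placeholders, since the advisory names neither.

```python
import re
from collections import defaultdict
from datetime import datetime

# Placeholder path: the advisory does not name the indexing script, so set
# this to the real path of the example script on the server being monitored.
INDEX_SCRIPT = "/cfdocs/examples/indexdirs.cfm"

# Constructed sample access-log lines (Common Log Format), not taken from
# the advisory: one client hammers the indexing script, the others do not.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Dec/2000:15:50:01 +0100] "GET /index.cfm HTTP/1.0" 200 512
10.0.0.9 - - [08/Dec/2000:15:50:02 +0100] "GET /cfdocs/examples/indexdirs.cfm HTTP/1.0" 200 88
10.0.0.7 - - [08/Dec/2000:15:50:03 +0100] "GET /cfdocs/examples/indexdirs.cfm HTTP/1.0" 200 88
10.0.0.9 - - [08/Dec/2000:15:50:04 +0100] "GET /cfdocs/examples/indexdirs.cfm HTTP/1.0" 200 88
10.0.0.9 - - [08/Dec/2000:15:50:06 +0100] "GET /cfdocs/examples/indexdirs.cfm HTTP/1.0" 200 88
10.0.0.9 - - [08/Dec/2000:15:50:09 +0100] "GET /cfdocs/examples/indexdirs.cfm HTTP/1.0" 200 88
10.0.0.7 - - [08/Dec/2000:15:55:30 +0100] "GET /cfdocs/examples/indexdirs.cfm HTTP/1.0" 200 88
"""
# client, ident, user, [timestamp], "method path protocol", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse_line(line):
    """Return (client_ip, timestamp, path) for one CLF line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, _status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, path.split("?", 1)[0]  # drop any query string

def find_bursts(log_text, script=INDEX_SCRIPT, threshold=3, window_s=60):
    """Map each client to its peak number of requests for `script` inside any
    `window_s`-second window; only clients reaching `threshold` are returned."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] == script:
            hits[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1  # slide the window start forward
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Pass the contents of a real access log to find_bursts to run it against a server; on the sample above it reports 10.0.0.9 with four requests inside one minute.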

Solution:
==========
Allaire created a document last year (recently updated).
This document covers the example scripts that are (optionally)
installed with the server. Allaire clearly advocates
the removal of these examples as a best practice.

This document is available on the Allaire web site at:

http://www.allaire.com/Handlers/index.cfm?ID=16258&Method=Full

In future, Allaire will make the second, indexing script accessible only
from the local host, like all the other example scripts.

More information:
==================
Bug Finder: Niels Heinen
Allaire web site: http://www.allaire.com
Allaire security email: security@allaire.com
SecurityWatch.com: http://www.securitywatch.com

We wish to thank Allaire and especially Malcolm Gin for the quick
response and level of cooperation.

Disclaimer:
=============
**************************************************************************

All documents and services are provided as is. Ubizen expressly disclaims
all warranties, express or implied, including without limitation any
implied warranties of merchantability or fitness for a particular
purpose, and warranties as to the accuracy, completeness or adequacy of
information.  Ubizen cannot be held accountable for any incorrect or
erroneous information. By using the provided documents or services,
the user assumes all risks.
**************************************************************************