COMMAND

    cold fusion

SYSTEMS AFFECTED

    Cold Fusion Application Server 2.0 (all editions)
    Cold Fusion Application Server 3.0 (all editions)
    Cold Fusion Application Server 3.1 (all editions)
    ColdFusion Server 4.0 (all editions)

PROBLEM

    The following is based on an Allaire Security Bulletin. One of the
    sample applications installed with ColdFusion Server, the Expression
    Evaluator, exposes the ability to read and delete files on the
    server. ColdFusion Server ships with a range of sample code and
    example applications to help customers learn and use the product.
    Among these is the Expression Evaluator, installed in the
    /CFDOCS/expeval/ directory, which lets users submit expressions such
    as 1 + 1 to see how ColdFusion expression evaluation works. Used as
    intended, the application is restricted to requests from the local
    machine, based on the client address being 127.0.0.1. However, that
    check is not applied to every page: some pages in the Expression
    Evaluator can be requested directly, bypassing the restriction and
    exposing the ability to read and delete files anywhere on the server
    on which the evaluator is installed.

SOLUTION

    Allaire has released a patch that modifies the Expression Evaluator
    so that every page in the Evaluator, not only its entry point, is
    restricted to requests from the local machine (client address
    127.0.0.1) on which the Expression Evaluator is installed. The patch
    covers only this one sample application; Allaire further recommends
    that customers remove (or never install) all documentation, sample
    code, example applications and tutorials from production servers,
    i.e. any server reachable by end users over the Internet, an
    intranet or an extranet. The examples installed with ColdFusion live
    in the CFDOCS directory, which is normally created under the Web
    server's document root, so they can be removed by deleting that
    directory. Where the files must stay, for example on developer
    workstations, the entire CFDOCS directory should instead be secured
    with the Web server's own access controls. Either way, confirm the
    result by requesting /CFDOCS/expeval/ from a host other than the
    server itself and checking that the request is refused.
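    As an added worked example (not part of the Allaire bulletin or of
    this advisory), the following Python script checks Web server access
    logs for exactly the condition described above: requests into the
    CFDOCS sample tree from any client other than 127.0.0.1. It assumes
    logs in Common Log Format; the log lines, the client addresses (RFC
    5737 documentation ranges) and the timestamps are constructed for
    the example. The request path is canonicalised before matching
    because ColdFusion commonly ran on Windows/IIS, where paths are
    case-insensitive, and because percent-encoded or doubled slashes
    would otherwise hide a hit.

```python
"""Flag requests to the ColdFusion CFDOCS sample tree that did not come
from the loopback address.  Added example, not code from the Allaire
bulletin; the log lines below are constructed and use RFC 5737 addresses."""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Common Log Format: host ident authuser [date] "method target proto" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The bulletin's advice covers the whole CFDOCS tree, not just expeval.
SAMPLE_PREFIXES = ("/cfdocs/",)

# Constructed sample log (assumption: CLF as written by a typical Web server).
SAMPLE_LOG = """\
127.0.0.1 - - [10/Feb/1999:10:02:11 -0500] "GET /CFDOCS/expeval/ HTTP/1.0" 200 1834
192.0.2.15 - - [10/Feb/1999:10:05:43 -0500] "GET /index.cfm HTTP/1.0" 200 5120
192.0.2.15 - - [10/Feb/1999:10:06:02 -0500] "GET /cfdocs/expeval/ HTTP/1.0" 200 1834
198.51.100.7 - - [10/Feb/1999:10:07:19 -0500] "GET /CFDOCS%2Fexpeval%2F?x=1 HTTP/1.0" 200 1834
198.51.100.7 - - [10/Feb/1999:10:08:40 -0500] "GET /CFDOCS/ HTTP/1.0" 403 212
"""


def normalize_path(target):
    """Canonicalise the request path so case tricks, percent-encoding
    (including double encoding), backslashes and repeated slashes cannot
    hide a hit on CFDOCS.  Lower-casing reflects the case-insensitive
    Windows/IIS file systems ColdFusion typically ran on."""
    path = urlsplit(target).path
    path = unquote(unquote(path))          # undo %2F and %252F alike
    path = path.replace("\\", "/")
    while "//" in path:
        path = path.replace("//", "/")
    return path.lower()


def is_loopback(host):
    """True only for a literal loopback address; hostnames count as remote."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_line(line):
    """Return a finding dict for a non-loopback request into CFDOCS, else None."""
    m = CLF_RE.match(line)
    if not m:
        return None
    path = normalize_path(m.group("target"))
    if not path.startswith(SAMPLE_PREFIXES) or is_loopback(m.group("host")):
        return None
    status = int(m.group("status"))
    return {
        "host": m.group("host"),
        "time": m.group("time"),
        "path": path,
        "status": status,
        # a 2xx/3xx answer means the sample page was actually served remotely
        "served": status < 400,
    }


def audit_log(text):
    """Audit every line of a log; findings with served=True are the urgent ones."""
    return [f for f in (audit_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        verdict = "SERVED" if f["served"] else "blocked"
        print(f"{f['time']} {f['host']:<15} {f['path']} -> {f['status']} ({verdict})")
```

    A finding with served=True means a sample page was handed to a
    remote client, i.e. the CFDOCS tree was neither removed nor
    restricted on that server at that time; a blocked finding (4xx) still
    shows that someone probed for it. Run the audit against logs from
    every production host, since the bulletin's remedy is per server.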