COMMAND
cold fusion
SYSTEMS AFFECTED
Cold Fusion Application Server 2.0 (all editions)
Cold Fusion Application Server 3.0 (all editions)
Cold Fusion Application Server 3.1 (all editions)
ColdFusion Server 4.0 (all editions)
PROBLEM
The following is based on an Allaire Security Bulletin. One of the
sample applications installed with ColdFusion Server, the
Expression Evaluator, exposes the ability to read and delete files
on the server. A range of sample code and example applications
are provided with ColdFusion Server to assist customers in
learning and using the product. Among these is an application
called the Expression Evaluator, which is installed in the
//CFDOCS/expeval/ directory. The Expression Evaluator lets users
process expressions such as 1 + 1 to see how ColdFusion expression
evaluation works. Used normally, the application is restricted to
access from the local machine based on the 127.0.0.1 IP address.
However, some pages in the Expression Evaluator can be accessed
directly, exposing the ability to read and delete files anywhere
on the server where the evaluator is installed.
SOLUTION
Allaire has released a patch that modifies the Expression
Evaluator so that all the pages in the Evaluator are restricted to
access from the local machine where the Expression Evaluator is
installed based on the 127.0.0.1 IP address. Furthermore, it is
recommended that customers remove (or not install in the first
place) all documentation, sample code, example applications, and
tutorials from production servers (e.g. servers accessible by end
users via the Internet, intranets or extranets). The CFDOCS
directory should be secured on developer workstations. The
examples that ship with ColdFusion are installed in the CFDOCS
directory, which is normally placed in the Web server's root
directory, so they can be removed by deleting the CFDOCS
directory. Where deleting these files is not an option, the entire
CFDOCS directory can instead be secured with standard Web server
security (for example, restricting it to the local machine, as the
patch does for the Expression Evaluator).
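As an added example (not part of the Allaire bulletin or of ColdFusion itself), the following Python script applies the advisory's rule, sample pages under CFDOCS are local-machine only, to Web server access-log lines and reports every request into CFDOCS that did not come from 127.0.0.1. It assumes Common Log Format access logs; the sample lines are constructed and the .cfm file name in them is a placeholder.

```python
import re
from ipaddress import ip_address

# The advisory's rule: everything under CFDOCS (the sample code,
# including the Expression Evaluator in /CFDOCS/expeval/) should be
# reachable only from 127.0.0.1. Matching is case-insensitive.
RESTRICTED_PREFIXES = ("/cfdocs/",)
LOCAL_ONLY = {ip_address("127.0.0.1")}

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

def parse_clf(line):
    """Return the fields of one CLF line, or None if it does not parse."""
    m = CLF.match(line)
    return m.groupdict() if m else None

def is_allowed(path, client):
    """True if this client may fetch this path under the advisory's rule."""
    p = path.split("?", 1)[0].lower()          # drop query string
    if not p.startswith(RESTRICTED_PREFIXES):
        return True                             # not a sample-app page
    try:
        return ip_address(client) in LOCAL_ONLY
    except ValueError:                          # hostname, not an address
        return False                            # treat as remote

def find_remote_cfdocs_hits(log_lines):
    """(client, path, status) for every non-local request into CFDOCS."""
    hits = []
    for line in log_lines:
        rec = parse_clf(line)
        if rec and not is_allowed(rec["path"], rec["host"]):
            hits.append((rec["host"], rec["path"], int(rec["status"])))
    return hits

# Constructed sample log lines; the .cfm file name is a placeholder,
# not a real page of the Expression Evaluator.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Feb/1999:10:01:00 +0000] "GET /CFDOCS/expeval/somepage.cfm HTTP/1.0" 200 1234',
    '192.0.2.10 - - [10/Feb/1999:10:02:13 +0000] "GET /index.cfm HTTP/1.0" 200 512',
    '192.0.2.10 - - [10/Feb/1999:10:02:45 +0000] "GET /cfdocs/expeval/ HTTP/1.0" 200 2048',
    '198.51.100.7 - - [10/Feb/1999:10:03:02 +0000] "GET /CFDOCS/expeval/somepage.cfm?x=1 HTTP/1.0" 403 0',
    'not a log line',
]
if __name__ == "__main__":
    for host, path, status in find_remote_cfdocs_hits(SAMPLE_LOG):
        print(f"{host} requested {path} (HTTP {status})")
```

A 200 in the report means the server actually served a sample page to a remote client, which is the exposure the bulletin describes; a 403 shows the restriction working.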