COMMAND
ColdFusion
SYSTEMS AFFECTED
ColdFusion Server 4.0 (all editions)
PROBLEM
The following is based on an Allaire Security Bulletin. ColdFusion
Server 4.0 includes example applications and sample code that
expose security issues. ColdFusion Server 4.0 ships with several
example applications and more than 200 sample code files. These
files are installed with the documentation under the CFDOCS
directory. Three sets of security issues have been identified
with the example applications and sample code. First, one of the
features of the example applications is a page that displays the
source code of the examples in a browser; the same page can be
used to view the source code of other files on the server.
Second, the sample code, sometimes referred to as "runnable code
snippets," that is included as reference material in the
electronic version of the CFML Language Reference exposes a
number of security issues, including the ability to view files
and directory information, make HTTP calls from the machine, and
launch denial-of-service attacks. Third, the Syntax Checker,
which is provided to verify that existing CFML code will run on
version 4.0, can be used remotely to initiate a denial-of-service
attack by fully occupying the ColdFusion service with unnecessary
file processing.
SOLUTION
Allaire will address these issues in the ColdFusion 4.0.1
maintenance release, which should be available electronically at
no charge to ColdFusion customers in April, 1999. Until the
maintenance release is available, customers can protect themselves
from the potential vulnerabilities created by the example
applications and sample code installed with ColdFusion 4.0 by
removing the CFDOCS directory or restricting access to it.
Customers should install the 4.0.1 maintenance release on all of
their ColdFusion 4.0 servers when it is available. Furthermore, it
is recommended that customers remove all documentation, sample
code, example applications, and tutorials from production servers.
The examples shipped with ColdFusion are installed in the CFDOCS
directory, which is normally placed in the root of the Web server
directory. This directory should not be installed on production
servers, and access to the CFDOCS directory should be restricted
on developer workstations. As a general security best practice,
sample code and example applications should not be installed on
production servers.
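As an added example (not part of the Allaire bulletin or of ColdFusion itself), the following Python script helps an administrator verify the two mitigations above: it checks whether a CFDOCS directory is still present under a given Web root, and it scans Web server access logs for requests that reached anything under /CFDOCS/, reporting which clients made them and whether the server served or blocked them. The log lines are constructed samples in Common Log Format; the request paths in them are placeholders, not the actual sample files named in the bulletin. The web root path passed to `cfdocs_present` is an assumption for illustration.

```python
import re
from collections import Counter
from pathlib import Path

# Constructed sample access-log lines (Common Log Format). The paths under
# /CFDOCS/ are placeholders, not the real example files; the IPs are RFC 1918.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/1999:10:01:02 -0500] "GET /index.cfm HTTP/1.0" 200 512
10.0.0.7 - - [12/Mar/1999:10:01:09 -0500] "GET /CFDOCS/examples/index.cfm HTTP/1.0" 200 2048
10.0.0.7 - - [12/Mar/1999:10:01:15 -0500] "GET /cfdocs/snippets/placeholder.cfm?file=x HTTP/1.0" 200 1024
10.0.0.9 - - [12/Mar/1999:10:02:00 -0500] "GET /CFDOCS/ HTTP/1.0" 403 0
10.0.0.5 - - [12/Mar/1999:10:02:30 -0500] "POST /orders/submit.cfm HTTP/1.0" 200 300
"""

# One CLF record: client, identd, user, [timestamp] "METHOD path PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_clf(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def is_cfdocs_request(path):
    """True if the request path points at the CFDOCS tree.

    The match is case-insensitive because the directory sits on a Windows
    file system where /cfdocs/ and /CFDOCS/ resolve to the same place, and
    the query string is dropped before comparing.
    """
    p = path.split("?", 1)[0].lower()
    return p == "/cfdocs" or p.startswith("/cfdocs/")


def find_cfdocs_requests(log_text):
    """Return the parsed records of every request that targeted CFDOCS."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec and is_cfdocs_request(rec["path"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count CFDOCS requests per client and split served (2xx) from blocked."""
    by_ip = Counter(h["ip"] for h in hits)
    served = sum(1 for h in hits if h["status"].startswith("2"))
    return {"by_ip": dict(by_ip), "served": served, "blocked": len(hits) - served}


def cfdocs_present(webroot):
    """Return the on-disk CFDOCS path if it still exists under webroot, else None.

    The directory name is compared case-insensitively for the same reason as
    above. webroot is whatever the site's document root is (assumed path).
    """
    root = Path(webroot)
    if not root.is_dir():
        return None
    for child in root.iterdir():
        if child.is_dir() and child.name.lower() == "cfdocs":
            return child
    return None


if __name__ == "__main__":
    # Assumed document root; adjust to the server's actual Web root.
    found = cfdocs_present(r"C:\InetPub\wwwroot")
    print("CFDOCS directory present:", found if found else "no")
    hits = find_cfdocs_requests(SAMPLE_LOG)
    print("CFDOCS requests found:", len(hits))
    print(summarize(hits))
```

A non-empty `served` count means the sample applications were still reachable when the log was written, so the directory either had not been removed or the access restriction was not in effect; a `blocked` count confirms the restriction is working for those paths. Point `cfdocs_present` at the actual Web root on each server to catch installations that were reimaged or upgraded with the examples left in place.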