COMMAND
ColdFusion
SYSTEMS AFFECTED
ColdFusion Server Professional 4.5.1 Eval for Windows (SP2)
PROBLEM
Niels Heinen found the following. The vulnerability can crash the
ColdFusion server and, in some cases, the system it is installed
on. The problem can result in a denial of the web-based services
hosted on the server.
Vulnerable are all servers running ColdFusion version 4.5.1 with
certain optional example scripts. To be vulnerable, the
administrator must have first chosen the example scripts during
installation.
During installation of the ColdFusion server, the user is given
the chance to load specific example scripts. One of these
example scripts is a search engine. This search engine has the
ability to detect whether the directories on the server are
indexed. If the directories are not indexed, the search engine
calls a second script that indexes the directories. Requests to
this indexing script can also be made by a remote user through a
web browser.
The problem is that while the indexing script runs, CPU usage
rises to 70% load. If several requests are made, the server's CPU
rises to 100% load and remains there. In some tests, the
ColdFusion server (cfserver.exe) stopped handling requests
completely.
A malicious user could potentially launch a denial of service
attack by requesting the indexing script several times.
SOLUTION
Allaire created a document last year (recently updated). This
document covers the example scripts that are (optionally)
installed with the server. Allaire clearly advocates the removal
of these examples as a best practice.
This document is available on the Allaire web site at:
http://www.allaire.com/Handlers/index.cfm?ID=16258&Method=Full
In the future, Allaire will make the second (indexing) script
accessible only from the local host, like all the other example
scripts.
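Until the example scripts are removed or restricted to the local host, an administrator can check the web server logs for the two conditions this advisory describes: any request to the indexing script from a non-loopback client (the script should only ever be called from the local host), and bursts of repeated requests to it from one client (the pattern that drives CPU to 100%). The following Python script is an added example written for this page, not code from Allaire or from the original advisory. The script path INDEX_SCRIPT is a placeholder, since the advisory does not name the indexing script, and the IIS W3C-style log lines are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Placeholder path for the example indexing script. The advisory does not
# name the script; substitute the real path from your own installation.
INDEX_SCRIPT = "/cfdocs/examples/search/index.cfm"

# Constructed sample log in a W3C extended-log style:
# date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-05-10 10:00:01 127.0.0.1 GET /cfdocs/examples/search/index.cfm 200
2000-05-10 10:00:05 10.1.2.3 GET /index.cfm 200
2000-05-10 10:00:06 192.0.2.7 GET /cfdocs/examples/search/index.cfm 200
2000-05-10 10:00:07 192.0.2.7 GET /cfdocs/examples/search/index.cfm 200
2000-05-10 10:00:08 192.0.2.7 GET /cfdocs/examples/search/index.cfm 200
2000-05-10 10:00:09 192.0.2.7 GET /cfdocs/examples/search/index.cfm 200
2000-05-10 10:00:30 192.0.2.7 GET /cfdocs/examples/search/index.cfm 200
2000-05-10 10:05:00 198.51.100.9 GET /cfdocs/examples/search/index.cfm 200
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for comments/malformed lines."""
    if line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) != 6:
        return None
    date, time, client, method, uri, status = fields
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "client": client, "method": method,
            "uri": uri, "status": int(status)}


def _index_requests_by_client(log_text):
    """Group timestamps of requests for INDEX_SCRIPT by non-loopback client."""
    per_client = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["uri"].lower() != INDEX_SCRIPT.lower():
            continue
        # Requests from the local host are the intended use of the script.
        if ipaddress.ip_address(rec["client"]).is_loopback:
            continue
        per_client[rec["client"]].append(rec["ts"])
    return per_client


def remote_index_clients(log_text):
    """Return the set of non-loopback clients that requested the indexing
    script at all; the script should only be reachable from the local host."""
    return set(_index_requests_by_client(log_text))


def find_index_bursts(log_text, threshold=3, window=timedelta(seconds=10)):
    """Return {client: max_requests_in_window} for clients that requested the
    indexing script at least `threshold` times inside any `window`-long span,
    which is the repeated-request pattern that saturates the server's CPU."""
    hits = {}
    for client, stamps in _index_requests_by_client(log_text).items():
        stamps.sort()
        best = 0
        start = 0
        # Sliding window over the sorted timestamps.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[client] = best
    return hits


if __name__ == "__main__":
    print("remote clients:", sorted(remote_index_clients(SAMPLE_LOG)))
    print("bursts:", find_index_bursts(SAMPLE_LOG))
```

On the constructed sample, `remote_index_clients` reports both external addresses because any non-local request is worth a look, while `find_index_bursts` reports only 192.0.2.7, which made four requests inside ten seconds; tune `threshold` and `window` to what your server's normal traffic looks like.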