COMMAND

    Macromedia ColdFusion Example Applications

SYSTEMS AFFECTED

    Macromedia ColdFusion 4.x

PROBLEM

    Following is based on an Internet Security Systems Security
    Advisory.  ISS X-Force has discovered multiple remote
    vulnerabilities in Macromedia ColdFusion.  ColdFusion is an
    enterprise application used to develop, maintain, administer, and
    deliver Web sites on the Internet.  The vulnerabilities may allow
    remote attackers to execute arbitrary commands as a privileged
    user on a vulnerable ColdFusion installation.

    Macromedia   ColdFusion   ships   with   several   small  "helper"
    applications that are meant to educate users on a small subset  of
    ColdFusion's features.   These applications  are not  installed by
    default, and Macromedia has documented and continues to  recommend
    that production  ColdFusion servers  should not  have the  example
    applications installed.

    ColdFusion  ships  with   two  vulnerable  "Exampleapps".    These
    applications may  be queried  via a  normal Web  browser.  Both of
    these example applications employ a rudimentary security mechanism
    to attempt to block all  access except from the ColdFusion  server
    itself.  It is possible  for remote attackers to spoof  the source
    of the query and bypass this restriction.

    Both vulnerable scripts behave like CGI (Common Gateway Interface)
    applications.  It  is possible for  the attacker to  interact with
    the example applications to  create files, view files,  or execute
    commands on the vulnerable target.

SOLUTION

    ColdFusion Server 5.0 is not vulnerable.

    Macromedia will not release a patch to address the vulnerabilities
    described in this advisory.  Macromedia recommends that  customers
    do not install example applications or documentation on production
    ColdFusion  servers.   Example  applications  are  stored  in  the
    /CFDOCS/exampleapps directory.

    Macromedia recommends that the entire /CFDOCS directory tree be
    removed from production servers and only installed on development
    installations that are not exposed to potentially hostile
    networks.
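    A log check for the recommended mitigation, added here as an example
    and not part of the ISS advisory: it scans web-server access log lines
    for requests under the /CFDOCS/exampleapps tree so an administrator can
    confirm the example applications are no longer reachable after the
    directory is removed.  It assumes Apache-style Common Log Format; the
    log lines and file names below are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: the access log is in Common Log Format (Apache-style).
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Paths named in the advisory; compared lower-cased and %-decoded.
EXAMPLEAPPS_PREFIX = "/cfdocs/exampleapps/"
CFDOCS_PREFIX = "/cfdocs/"

def classify_request(path):
    """Return 'exampleapps', 'cfdocs' or None for one request path."""
    clean = unquote(path.split("?", 1)[0]).lower()  # strip query, decode, normalise case
    if clean.startswith(EXAMPLEAPPS_PREFIX):
        return "exampleapps"
    if clean.startswith(CFDOCS_PREFIX):
        return "cfdocs"
    return None

def find_cfdocs_requests(lines):
    """Parse CLF lines and keep those that touched the /CFDOCS tree."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash
        kind = classify_request(m.group("path"))
        if kind:
            hits.append({"host": m.group("host"), "path": m.group("path"),
                         "status": int(m.group("status")), "kind": kind})
    return hits

def exposed_exampleapps(hits):
    """Hosts that got a 2xx from an example application: proof it is still installed."""
    return sorted({h["host"] for h in hits
                   if h["kind"] == "exampleapps" and 200 <= h["status"] < 300})

# Constructed sample lines (not real traffic) to exercise the check.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2001:10:00:00 +0000] "GET /index.cfm HTTP/1.0" 200 1043',
    '192.0.2.55 - - [01/Jun/2001:10:00:05 +0000] "GET /CFDOCS/exampleapps/ HTTP/1.0" 200 512',
    '198.51.100.7 - - [01/Jun/2001:10:00:09 +0000] "GET /cfdocs/readme.htm HTTP/1.0" 404 210',
    '198.51.100.7 - - [01/Jun/2001:10:00:12 +0000] "GET /%43FDOCS/exampleapps/x.cfm?a=1 HTTP/1.0" 200 99',
    'not a log line',
]

if __name__ == "__main__":
    print("exampleapps reachable from:", exposed_exampleapps(find_cfdocs_requests(SAMPLE_LOG)))
```

    Any host listed by exposed_exampleapps means the /CFDOCS tree was
    still served at that time, so the removal has not taken effect.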

    All ColdFusion  customers should  familiarize themselves  with the
    ColdFusion  "Best  Security  Practices"  document available at the
    following address:

        http://www.allaire.com/Handlers/index.cfm?ID=16258&Method=Full