Allaire Security Bulletin (ASB00-14) Workaround available for Denial of Service attack against ColdFusion Administrator Originally Posted: June 7, 2000 Last Updated: June 7, 2000 Summary Allaire has recently been notified by Foundstone, Inc. (see Revisions section below for contact information) of a denial of service attack against an unprotected installation of the ColdFusion Administrator. This issue only affects ColdFusion Servers that have not followed Allaire's recommendations in the Allaire Security Best Practices article 10954. The article is available at the link below. Allaire Security Best Practices article 10954 Foundstone has further details and a sample exploit available at Foundstone, Inc.. Issue Allaire has recently been notified of a security issue in the Allaire ColdFusion Administrator. This issue makes the ColdFusion Administrator vulnerable to a denial of service attack. The denial of service occurs during the process of converting the input password and the stored password into forms suitable for comparison when the input password is very large. Affected Software Versions ColdFusion Server 4.x ColdFusion Server 4.5 ColdFusion Server 4.5.1 What Allaire is Doing Allaire has published this bulletin, notifying customers of the problem. Allaire has also previously published recommendations that prevent the issue. These recommendations are available in Allaire's Security Best Practices area of the Security Zone. What Customers Should Do Allaire provides the following workaround. Customers should back up all existing data and implement the recommendations made in the article, 'Securing the ColdFusion Administrator (10954)'. This should resolve the issue. The article can be found below. Securing the ColdFusion Administrator (Article 10954) Revisions June 7, 2000 -- Bulletin first created. Special thanks to Stuart McClure of Foundstone, Inc. for bringing this issue to our attention. Reporting Security Issues Allaire is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with an Allaire product, please send an email to secure@allaire.com. We will work to appropriately address and communicate the issue. Receiving Security Bulletins When Allaire becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Allaire customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service. For additional information on security issues at Allaire, please visit the Security Zone at: http://www.allaire.com/security THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ALLAIRE CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.