ColdFusion Server 4.5.1 Denial of Service Attack Using CFCACHE
Title: ColdFusion Server 4.5.1 Denial-of-Service Attack using CFCACHE.
OS: Windows NT 4.0
Affected Product Versions: Cold Fusion Server 4.5.x, Professional &
Enterprise.
-[ Acknowledgements
Thanks are due to Patrick Keating, for his help diagnosing and discovering this issue.
-[ Summary
ColdFusion is a complete Web application server for developing and
delivering scalable e-business applications. An included component of the
ColdFusion Markup Language (CFML) tag set includes a tag called CFCACHE.
CFCACHE allows you to speed up pages considerably in cases where the dynamic content doesn't need to be retrieved each time a user accesses the page. To accomplish this, it creates temporary files that contain the static HTML returned from a particular run of the ColdFusion page.
-[ The Exploit
It is possible to cause the ColdFusion Server service to hang and stop
responding to client requests when requesting a cache file that isn't stored in memory and there are no available running thread request slots available on the server. The ColdFusion Server service must be restarted so that the running and queued request threads can be cleared.
-[ The Details
CFCACHE uses a client thread request when creating temporary cache pages
that will hang ColdFusion Server if there are no available execution thread slots. An example of this exploit using the default limit of 5 simultaneous requests would be to send 6 simultaneous page requests to a CFCACHE'd page which hasn't been loaded into a temporary cache file. Using CFSTAT, a utility included with ColdFusion Server, you can clearly see that the server has stopped responding to client requests with 5 threads running in the active thread space and 1 thread stuck in the queue. The 5 active threads never timeout or exit and the server never recovers from this hung state. The only way to regain control of the server is to restart the ColdFusion Server service on the affected machines.
The severity of this bug is fairly high considering that the exploit is so simple to perform and does not require malformed data, edited packets or any exploit programs to potentially knock thousands of vulnerable ColdFusion Servers off-line.
-[ Patch Availability or Workaround
No known patches, however, you have the choice of avoiding the use of CFCACHE or a possible workaround would be to manually or programmatically (spider) CFCACHE pages so that the temporary files are created under a no-load situation. Once the temporary cache pages are created, this vulnerability is no longer a threat. This workaround is not very practical however, and can become very time consuming if the website has many pages using this functionality.
Allaire's Unofficial response to this bug:
"What are the chances that 5 people would simultaneously request the same
page?"
-[ Exploit Published: 05/08/2000
Vendor Notification: 05/08/2000
Release to Public: 05/08/2000
The above announcement (quoted exactly) was released to the CF-Talk list on Monday, May 8, by Ryan Hill.
Latest ColdFusion Talk (CF-Talk)
- ColdFusion, Flex and EXTJS
- Get the UTC offset of a future date
- Data parse error
- CFDIV does not work in IE8 and any one review domain?
- ColdFusion-based picture-gallery
- cfxImage (gafware) IE8 JPEG colour rendering problem
- scraping meta tags
- Same page loading in MACHII on new events
- Change JRun's 404 message?
- Creating a new transparent image
Latest ColdFusion Jobs (CF-Jobs)
- ColdFusion Developer - Columbus, OH - 6+ Month Contract
- COLDFUSION CONTRACT-ATLANTA
- Vista, CA - Full Time ColdFusion Developer Needed
- Web Developer in Buffalo Grove, IL
- Job Posting - Coldfusion Developer, Fairfax, VA
- Job Posting- ColdFusion Developer in Falls Church VA
- Job Post - ColdFusion developer for ICMA
- Coldfusion Opening in Arlington, VA
- chinese ColdFusion programmer seek remote job
- Coldfusion / Flex Developer
