Allaire's Response to ColdFusion Server 4.5.1 DoS Vulnerability
"In Response to Ryan Hill's 'ColdFusion Server 4.5.1 DoS Vulnerability.' Exploit Announcement:
"We tested denial of service scenarios with various ColdFusion Administrator settings that we believed were relevant to Mr. Hill's Exploit Announcement issue. Our test results indicated that such an attack attempt must originate from an individual possessing insider site information using denial of service attack techniques, and therefore represents the threat level of a conventional denial of service attack against any site.
"Below are what we believe an attacker would need to perpetrate a successful attack involving the use of <CFCACHE>:
"Using exactly the same number of full-speed load test robots as the ColdFusion Administrator setting for 'Limit Simultaneous Requests' creates a stress condition the server will recover normally from. Using a large number of load test robots could cause the deadlock condition if all of the above information is known, conditions are right and all settings are set as described, but our testing indicates a substantially higher number of automated test robots would be required than the number of Simultaneous Requests set in the ColdFusion Administrator. Additionally, the attack could not be initiated via a regular Internet browser issuing repeated identical requests.
"To further reduce the chance of successful attacker reconnaissance in attempting such an attack, Allaire released Allaire Security Bulletin (ASB00-03): Patch Available For Potential Information Exposure By The CFCACHE Tag (URL: http://www.allaire.com/handlers/index.cfm?ID=13978&Method=Full ) on January 4, 2000. The Bulletin recommends ColdFusion customers use this patch to relocate temporary cache files to a secure, non-web browser accessible document directory. Without the information available from a system where the patch and bulletin recommendations have _not_ been implemented, the proposed exploit _must_ run a typical denial of service attack in order to locate a ColdFusion template that uses the <CFCACHE> tag.
"The knowledge that Mr. Hill's exploit assumes is only available when users have not implemented the patch or recommendations printed in ASB00-03.
"In summary, the amount of site administrative and developer information coupled with the demanding requirements to successfully launch such an attack must originate from an individual possessing insider site information using denial of service attack techniques and tools, and approximates the same threat level as a conventional denial of service attack against virtually any site."
Malcolm Gin
Security Response Team Coordinator
So I guess the moral of the story is, know the people you hire!
Latest ColdFusion Talk (CF-Talk)
- ColdFusion, Flex and EXTJS
- Get the UTC offset of a future date
- Data parse error
- CFDIV does not work in IE8 and any one review domain?
- ColdFusion-based picture-gallery
- cfxImage (gafware) IE8 JPEG colour rendering problem
- scraping meta tags
- Same page loading in MACHII on new events
- Change JRun's 404 message?
- Creating a new transparent image
Latest ColdFusion Jobs (CF-Jobs)
- ColdFusion Developer - Columbus, OH - 6+ Month Contract
- COLDFUSION CONTRACT-ATLANTA
- Vista, CA - Full Time ColdFusion Developer Needed
- Web Developer in Buffalo Grove, IL
- Job Posting - Coldfusion Developer, Fairfax, VA
- Job Posting- ColdFusion Developer in Falls Church VA
- Job Post - ColdFusion developer for ICMA
- Coldfusion Opening in Arlington, VA
- chinese ColdFusion programmer seek remote job
- Coldfusion / Flex Developer
