Allaire Security Bulletin (ASB00-14): Workaround for Denial of Service Attack Against ColdFusion Administrator

May 29, 2000

Allaire was recently been notified by Foundstone, Inc. of a denial of service attack against an unprotected installation of the ColdFusion Administrator. The denial of service occurs during the process of converting the input password and the stored password into forms suitable for comparison when the input password is very large. It appears that this issue only affects ColdFusion Servers that have not followed Allaire's recommendations in the Allaire Security Best Practices article 10954. A workaround has been provided.

Allaire Security Bulletin (ASB00-14)

Latest ColdFusion Talk (CF-Talk)

Authenticating against NET 2 0 website
Validating mailing addresses or determining Zip+4 zipcodes
SOT: "Lessons from a lost decade: Developing for a disposable Web"
cfchart and bar colors
Phantom Scheduled Tasks
null500 on nested custom tag
SOT: Default Flash behavior when crossdomain xml is absent
Old ColdFusion doc needs to learn new Java tricks
iText PDF signature
session variable timeout

Latest ColdFusion Jobs (CF-Jobs)

ColdFusion Software Engineer - Stamford, CT
Junior ColdFusion Position
Senior ColdFusion Guru in DC metro area
Expert needed for Coldfusion Performance Tuning
Web Developer (Enterprise Consulting Services) - Boston, MA
Certified ColdFusion Developer with 9 years experience available for telecommuting work
Senior Coldfusion Developer (Boston)
Previous Post (Sr ColdFusion Engineer) job location: Woburn, MA
Sr ColdFusion engineer position
Coldfusion with Oracle and PHP

Want a number like 800-ColdFusion?

My Toll Free 800 Number provides a vanity phone number service to clients who want more than just digits. How would you like 800-coldfusion?