Macromedia Security Bulletin (MPSB01-08)

Best practice recommended to address new security issue in example applications released with ColdFusion Server versions 4.x and earlier.

Originally Posted: August 7, 2001

Summary

The example applications shipped with ColdFusion include demonstrations of file uploading and sending email. In version 4.x these example applications are restricted to the localhost domain, but a new vulnerability has been identified that could allow this domain to be spoofed, giving unauthorized access to the example applications. Unauthorized users could send emails or upload executable files to the web server root. This new vulnerability also affects a patch previously released (ASB99-01) for the Expression Evaluator, which was included as a sample application in versions 2.0, 3.x and 4.0.

To address these issues, Macromedia strongly recommends that customers remove all sample applications and example code from production servers running any version of ColdFusion Server. The security issues DO NOT affect ColdFusion Server 5.

Issues

Example Applications - ColdFusion Server ships with several example applications and more than 200 sample code files. When optionally installed, these example application files are located with the documentation under the CFDOCS/exampleapps/ directory. Two example applications, reachable with any web browser, are vulnerable to remote attackers: the "Web Publish Example Script" and the "Email Example Script".

The intent of the example applications is to let a local developer view several examples of ColdFusion applications running on a locally installed ColdFusion Server. Each example application includes a simple check of the "HTTP Host" variable to validate that the request came from either localhost or the IP address 127.0.0.1. The intent of this check is to restrict use of the example applications to the machines where they are installed. Two CGI variables can provide this information: CGI.Host and CGI.REMOTE_ADDR. The example applications in the versions listed below use CGI.Host. Because CGI.Host is taken from the client-supplied HTTP Host header, its value is easily spoofed in an HTTP request, and an attacker can thereby gain access to the example applications.

ColdFusion Server 5 switched from checking CGI.Host to checking CGI.REMOTE_ADDR (the IP address from which the web server received the request). While it is possible to spoof a source IP address at the IP protocol level, if that address is 127.0.0.1 (i.e. localhost) no commercial-grade router will forward the packet to a different network; certainly none of the internet backbone routers will. In other words, the attacker would need to be on the same LAN as the web server to attempt this kind of attack against ColdFusion 5, and even then the "in-house" attacker would not receive a response. Nevertheless, Macromedia still recommends that customers do not install example applications or sample code on production servers, the default install option.

If you are attempting to verify that a request comes from a local user, the use of CGI.REMOTE_ADDR is recommended.
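The two checks described above, side by side, as an added illustration that is not Macromedia's code or the example applications' own CFML: the 4.x-style check reads the client-supplied Host header (the bulletin's CGI.Host, here the CGI/WSGI name HTTP_HOST), while the ColdFusion 5-style check reads the connection's peer address (CGI.REMOTE_ADDR). The request environments are constructed for the example.

```python
# Added example (not from the bulletin): contrasts a locality check based on the
# HTTP Host header with one based on the web server's recorded peer address.
# The request environments below are constructed, using CGI variable names.

LOOPBACK_NAMES = {"localhost", "127.0.0.1"}


def host_header_check(environ):
    """ColdFusion 4.x example-app style: trusts HTTP_HOST (the bulletin's CGI.Host).
    The client writes this header itself, so a remote client that sends
    'Host: 127.0.0.1' passes the check."""
    host = environ.get("HTTP_HOST", "").split(":")[0].lower()  # drop any :port
    return host in LOOPBACK_NAMES


def remote_addr_check(environ):
    """ColdFusion 5 style: uses REMOTE_ADDR, the peer address the web server
    recorded for the TCP connection. Nothing in the request body or headers
    can change this value."""
    return environ.get("REMOTE_ADDR", "") == "127.0.0.1"


def evaluate(environ):
    """Return the verdict of both checks for one request environment."""
    return {
        "host_check": host_header_check(environ),
        "remote_addr_check": remote_addr_check(environ),
    }


# Constructed requests: a genuine local developer, and a remote client that
# spoofs the Host header (a documentation-range address, 203.0.113.7).
LOCAL_DEVELOPER = {"HTTP_HOST": "localhost:8500", "REMOTE_ADDR": "127.0.0.1"}
SPOOFED_REMOTE = {"HTTP_HOST": "127.0.0.1", "REMOTE_ADDR": "203.0.113.7"}

if __name__ == "__main__":
    for name, env in (("local developer", LOCAL_DEVELOPER), ("spoofed remote", SPOOFED_REMOTE)):
        print(name, evaluate(env))
```

If a reverse proxy sits in front of the server, REMOTE_ADDR holds the proxy's address rather than the original client's, so the check must be evaluated where the client connection actually terminates.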

The "Web Publish" example script exposes the ability to upload a file to the web server. Once uploaded it can be executed from a URL. A remote attacker could therefore compromise the server either silently or noticeably.

The "Email" example script demonstrates the ability to create and send an email message, including the ability to add an attachment. Because an attachment can be mailed to any valid email address, it exposes the ability to view any file on the system. A remote attacker could therefore possibly view secure information housed on the server.

Debug Mode - ColdFusion 4.5 allows the full path of any .cfm file to be obtained by appending "mode=debug" to the URL of the .cfm file being accessed. For example, if the file http://yourtarget/index.cfm exists, a remote user can access http://yourtarget/index.cfm?mode=debug to obtain the full path of the index.cfm file. As recommended in the Security Best Practices, to avoid this issue customers are advised to add an IP address to the Admin debug page, which restricts debug information to only the specified address.

Affected Software Versions

  • ColdFusion Server for Windows 2.x, 3.x, 4.x (All Editions)
  • ColdFusion Server for Solaris 4.x (All Editions)
  • ColdFusion Server for HPUX 4.x (All Editions)
  • ColdFusion Server for Linux 4.5.x (All Editions)
  • Expression Evaluator Patch (ASB99-01)

What Macromedia Is Doing

Macromedia has notified customers of the security issues through standard communication channels.

No patch will be released for these issues. In general, Macromedia continues to recommend that customers remove all example applications and documentation (the entire CFDOCS directory) from production servers and restrict access to CFDOCS on developer workstations.

What Customers Should Do

Customers are advised to verify on all production servers that example applications are not installed, and to remove them if they are. Examples are installed in /CFDOCS/exampleapps/*.

Customers should completely remove the CFDOCS directory on production servers and restrict access to it on developer workstations.

Furthermore, Macromedia recommends that customers do not install any documentation, sample code, example applications, and tutorials on production servers. The examples that are optionally installed with ColdFusion are installed in the CFDOCS directory, which is normally installed in the root of the Web server directory. This directory should not be installed on production servers and access to the CFDOCS directory should be restricted on developer workstations. As a general security best practice, sample code and example applications should never be installed on production servers.

Customers are also advised to add an IP address to the Admin debug page, thereby restricting debug information to only the specified address.
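Beyond removing CFDOCS and restricting the debug page, an administrator will want to know whether the two conditions the bulletin describes (remote requests for /CFDOCS/exampleapps/ and remote use of mode=debug) have already been hit. The following added example, not part of the bulletin, scans common-log-format web server lines for both; the log lines are constructed for the example.

```python
# Added example (not from the bulletin): flag web server log entries that
# request the ColdFusion sample applications or "mode=debug" from a
# non-loopback address. The sample log below is constructed.
import re
from urllib.parse import parse_qs, urlsplit

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

SAMPLE_LOG = """\
127.0.0.1 - - [07/Aug/2001:10:01:12 -0700] "GET /CFDOCS/exampleapps/email/index.cfm HTTP/1.0" 200 1543
203.0.113.7 - - [07/Aug/2001:10:02:45 -0700] "GET /cfdocs/exampleapps/publish/index.cfm HTTP/1.0" 200 2210
203.0.113.7 - - [07/Aug/2001:10:03:01 -0700] "GET /index.cfm?mode=debug HTTP/1.0" 200 980
198.51.100.4 - - [07/Aug/2001:10:04:30 -0700] "GET /products/list.cfm?id=42 HTTP/1.0" 200 3100
"""


def classify(line):
    """Return a finding dict for a suspicious remote request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parseable common-log line
    parts = urlsplit(m.group("target"))
    reasons = []
    if parts.path.lower().startswith("/cfdocs/"):      # sample apps / docs tree
        reasons.append("cfdocs")
    modes = [v.lower() for v in parse_qs(parts.query).get("mode", [])]
    if "debug" in modes:                                 # path-disclosure debug mode
        reasons.append("mode=debug")
    if reasons and m.group("ip") != "127.0.0.1":         # only non-loopback sources
        return {"ip": m.group("ip"), "target": m.group("target"),
                "status": m.group("status"), "reasons": reasons}
    return None


def find_suspicious(log_text):
    """Scan a whole log and return the list of findings in order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

A 200 status on a /cfdocs/ hit means the sample tree was still present when the request arrived; a 404 indicates a probe that failed.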

Macromedia provides documented Security Best Practices that all customers are advised to review prior to the deployment of production web applications.

Revisions

August 7, 2001 - Bulletin first released.

Credit

Macromedia would like to thank Internet Security Systems (ISS) X-Force for bringing this issue to our attention.

Reporting Security Issues

Macromedia is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with a Macromedia product, please send an email to secure@macromedia.com. We will work to appropriately address and communicate the issue.

Receiving Security Bulletins

When Macromedia becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Macromedia customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service.

For additional information on security issues at Macromedia, please visit: http://www.macromedia.com/security.

THE INFORMATION PROVIDED BY MACROMEDIA IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MACROMEDIA AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED OR OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. ALSO, THERE IS NO WARRANTY OF NON-INFRINGEMENT, TITLE OR QUIET ENJOYMENT. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU.

IN NO EVENT SHALL MACROMEDIA, INC. OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS, BUSINESS INTERRUPTION OR THE LIKE, OR LOSS OF BUSINESS DAMAGES, BASED ON ANY THEORY OF LIABILITY INCLUDING BREACH OF CONTRACT, BREACH OF WARRANTY, TORT(INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, EVEN IF MACROMEDIA, INC. OR ITS SUPPLIERS OR THEIR REPRESENTATIVES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE EXCLUSION OR LIMITATION MAY NOT APPLY TO YOU AND YOU MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM STATE TO STATE.


Macromedia reserves the right, from time to time, to update the information in this document with current information.