The solution {remove CFDOCS directory} presented for this "vulnerability"
is something I'd heard was an advisable thing to do for production servers
in the past.
So many of you may already know this but I thought it would be a good thing
to post.
I thought it might also be a good opportunity to review other CF security
"rules of thumb".
Then again this may be more appropriate in the CFServer list.

--------------------------------------------------------------------

- Vulnerability in ColdFusion servers -
               Oxygen3 24h-365d, by Panda Software
Los Angeles, 13 December 2000 -- The example pages of the ColdFusion
search engine could allow a hacker to launch a denial of service (DOS)
attack.

ColdFusion works as an extension to a web server in order to provide it
with more advanced programming capacities.  Its use as a web application
server is widespread in professional environments to develop Internet or
Intranet solutions.

The vulnerability discovered in ColdFusion affects some scripts that
are optionally loaded by the administrator during configuration. If the
administrator decides to enter the search engine scripts, a malicious
user could use these pages in order to launch an attack which would
cause the server to fail.

The search engine ships as a component used to index directories to be
searched. This process uses a great deal of CPU space and only happens
when the search script detects that the directories in question are not
indexed. Due to the vulnerability, a malicious user could execute these
scripts remotely from a web browser.

During the indexing process, CPU use reaches some 70%. The problem
becomes more serious because of the possibility that the attacker has
of multiple script executions, which can increase CPU use to 100%. This
total consumption of system resources causes the ColdFusion server to
fail and not respond to any more requests. In order to restore normal
service it is necessary to restart the server, although to solve the
problem completely it is recommendable to remove the directory "CFDOCS"
created during normal installation.

--------------------------------------------------------------------
Oxygen3 24h-365d is created and distributed daily by Panda Software.
--------------------------------------------------------------------
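As an added example (not part of the original post or of the Panda advisory): a defender-side check over web-server access logs that answers the two questions the advisory raises, whether the CFDOCS directory is still being served at all, and which clients are repeatedly requesting pages under it (the "multiple script executions" pattern). It assumes Common Log Format lines; the page name under CFDOCS and the client addresses in the sample are constructed placeholders, since the advisory names only the directory.

```python
import re
from collections import Counter

# Common Log Format (assumption; IIS W3C logs would need a different pattern).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Anything under the CFDOCS directory. Matched case-insensitively because
# ColdFusion of this era mostly ran on Windows/IIS, where URL paths are not case-sensitive.
CFDOCS_RE = re.compile(r'^/cfdocs(/|$)', re.IGNORECASE)

def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def cfdocs_requests(lines):
    """Yield parsed records whose request path (query string dropped) is under /CFDOCS/."""
    for line in lines:
        rec = parse_line(line)
        if rec and CFDOCS_RE.match(rec["path"].split("?", 1)[0]):
            yield rec

def summarize(lines, threshold=3):
    """Two findings: is CFDOCS still served (any 2xx answer), and which clients hammer it."""
    served = False
    per_client = Counter()
    for rec in cfdocs_requests(lines):
        per_client[rec["ip"]] += 1
        if rec["status"].startswith("2"):
            served = True          # a 404 here would mean the directory is already gone
    bursty = sorted(ip for ip, n in per_client.items() if n >= threshold)
    return {"cfdocs_served": served, "bursty_clients": bursty, "per_client": dict(per_client)}

# Constructed sample lines (not from the advisory); the .cfm name is a placeholder.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Dec/2000:10:01:02 -0800] "GET /index.cfm HTTP/1.0" 200 1532
203.0.113.7 - - [13/Dec/2000:10:01:05 -0800] "GET /CFDOCS/example-search-page.cfm?q=a HTTP/1.0" 200 812
203.0.113.7 - - [13/Dec/2000:10:01:06 -0800] "GET /cfdocs/example-search-page.cfm?q=b HTTP/1.0" 200 812
203.0.113.7 - - [13/Dec/2000:10:01:07 -0800] "GET /CFDOCS/example-search-page.cfm?q=c HTTP/1.0" 200 812
198.51.100.9 - - [13/Dec/2000:10:02:00 -0800] "GET /CFDOCS/example-search-page.cfm HTTP/1.0" 200 812
192.0.2.5 - - [13/Dec/2000:10:03:00 -0800] "GET /CFDOCS/example-search-page.cfm HTTP/1.0" 404 210
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Any `cfdocs_served` of `True` on a production box means the advisory's fix (removing CFDOCS) has not actually been applied, whatever the change ticket says.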
