-[ Exploit Announcement

Title: Cold Fusion Server 4.5.1 Denial-of-Service Attack using CFCACHE
OS: Windows NT 4.0
Affected Product Versions: Cold Fusion Server 4.5.x, Professional & Enterprise

-[ Acknowledgements

Thanks are due to Patrick Keating for his help diagnosing and discovering this issue.

-[ Summary

ColdFusion is a complete Web application server for developing and delivering scalable e-business applications. The Cold Fusion Markup Language (CFML) tag set includes a tag called CFCACHE. CFCACHE can speed up pages considerably in cases where the dynamic content does not need to be retrieved each time a user accesses the page. To accomplish this, it creates temporary files that contain the static HTML returned from a particular run of the ColdFusion page.

-[ The Exploit

It is possible to cause the Cold Fusion Server service to hang and stop responding to client requests by requesting a cache file that isn't stored in memory while there are no free request thread slots on the server. The Cold Fusion Server service must be restarted so that the running and queued request threads can be cleared.

-[ The Details

CFCACHE uses a client request thread when creating temporary cache pages, which will hang Cold Fusion Server if there are no available execution thread slots. With the default limit of 5 simultaneous requests, an example of this exploit would be to send 6 simultaneous page requests to a CFCACHE'd page that has not yet been loaded into a temporary cache file. Using CFSTAT, a utility included with Cold Fusion Server, you can clearly see that the server has stopped responding to client requests, with 5 threads running in the active thread space and 1 thread stuck in the queue. The 5 active threads never time out or exit, and the server never recovers from this hung state. The only way to regain control of the server is to restart the Cold Fusion Server service on the affected machines.

The severity of this bug is fairly high, considering that the exploit is so simple to perform and does not require malformed data, edited packets or any exploit programs to potentially knock thousands of vulnerable Cold Fusion Servers off-line.

-[ Patch Availability or Workaround

No known patches. You have the choice of avoiding the use of CFCACHE, or a possible workaround would be to manually or programmatically (spider) request the CFCACHE'd pages so that the temporary files are created under a no-load situation. Once the temporary cache pages are created, this vulnerability is no longer a threat. This workaround is not very practical, however, and can become very time consuming if the website has many pages using this functionality.

Allaire's unofficial response to this bug: "What are the chances that 5 people would simultaneously request the same page?"

-[ Exploit

Published: 05/08/2000
Vendor Notification: 05/08/2000
Release to Public: 05/08/2000

Regards,
Ryan

Ryan Hill, MCSE
Director of Systems Integration
Market Matrix, Inc. - http://www.marketmatrix.com
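The pre-warming workaround described in the post, as an added example that is not part of the original message: a cache warmer that requests each CFCACHE'd page strictly one at a time, bounded by a timeout, and stops at the first failure so it never occupies more than a single request slot while the server writes the temporary file. The page URLs, the `http_fetch` and `warm_cache` names are assumptions, not from the advisory.

```python
"""Sequential cache warmer for CFCACHE'd pages (added example, not the advisory's code).

Assumption: the operator supplies the list of CFCACHE'd page URLs; the hostnames
and paths below are constructed placeholders. Requests are issued one at a time,
so only one request thread slot is ever consumed while the cache file is created.
"""
import urllib.request
from typing import Callable, Dict, List

# A fetcher takes (url, timeout_seconds) and returns the HTTP status code.
Fetcher = Callable[[str, float], int]


def http_fetch(url: str, timeout: float) -> int:
    """Single GET with a hard timeout so a wedged server cannot hang the warmer."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status


def warm_cache(urls: List[str], fetch: Fetcher = http_fetch,
               timeout: float = 30.0, stop_on_error: bool = True) -> Dict[str, str]:
    """Request each page sequentially; never more than one request in flight.

    Returns a per-URL outcome so the operator can confirm which pages now have
    their temporary cache file written.
    """
    results: Dict[str, str] = {}
    for url in urls:  # sequential by construction: no thread pool, no concurrency
        try:
            status = fetch(url, timeout)
            results[url] = "cached" if status == 200 else f"http {status}"
        except Exception as exc:  # timeout, connection refused, HTTP error, ...
            results[url] = f"error: {exc.__class__.__name__}"
            if stop_on_error:
                # A timeout may mean the server is already hung; do not pile on.
                break
    return results


# Constructed placeholder URLs; replace with the site's real CFCACHE'd pages.
CFCACHE_PAGES = [
    "http://www.example.com/catalog.cfm",
    "http://www.example.com/news.cfm",
    "http://www.example.com/about.cfm",
]

if __name__ == "__main__":
    for page, outcome in warm_cache(CFCACHE_PAGES).items():
        print(f"{outcome:>14}  {page}")
```

Run it once under a no-load window (for example right after a service restart) before opening the site to clients; a non-"cached" outcome for any page means that page still needs attention.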

