Unfortunately, Mike's proposed workaround below will not work. There is no
known workaround to the issue. It affects all servers, regardless of
application, security contexts, HTTP method filtering, port, etc.
Unless you completely trust every end user who is able to connect to your
ColdFusion server machine, the patch must be applied to production
servers to be secure from these vulnerabilities.
Please refer to the updated Security Bulletin on the Security Zone
(http://www.allaire.com/security) and associated FAQ for answers to these
and other commonly asked questions.
We can't overemphasize the importance of applying the patch immediately to
all affected servers.
While we are not aware of any known exploit attempts using these
vulnerabilities, we believe it's just a matter of time before hackers turn their
attention to this Bulletin and begin reverse engineering efforts to
determine the exploit details. We want to give our customers the largest
window of opportunity to apply the patch before that happens. It may just
be a matter of days before hackers successfully begin probing sites for
servers vulnerable to exploit attempts.
Fortunately, because the vulnerabilities were discovered internally in the
course of a routine product security audit, rather than through external
notification, customers have the advantage at the moment of being notified
of the problem, having a patch available and being able to apply the fix before hackers
are able to begin probing expeditions. But as we know, the clock is surely
ticking, so (again), it's critical that administrators apply the patch
without delay to protect their servers.
Please forward any direct inquiries regarding this or other product
security-related issues to [EMAIL PROTECTED]
Thanks
Damon Cooper
==========
Date: Wed, 11 Jul 2001 17:02:07 -0400
From: [EMAIL PROTECTED] (Michael Dinowitz)
To: [EMAIL PROTECTED]
Subject: Re: Important ColdFusion Security Patch Released Today
Message-ID: <00df01c10a4c$c56c83e0$[EMAIL PROTECTED]>
There is a potential workaround if what I'm seeing is true. Have your
webserver block any HTTP method other than GET and POST. If your webserver
can do that, you should be safe. I'll say more later.
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists