[ SOURCE: http://www.secureroot.com/security/advisories/9768317636.html ]

**************************************************************************
Subject:       ColdFusion Denial of Service vulnerability in sample script
Software:      ColdFusion Server Professional 4.5.1 Eval for Windows (SP2)
Risk Level:    Medium
Author:        Niels Heinen
Vendor Status: The vendor has released a document concerning this problem
Exploitable:   Remotely
**************************************************************************

Impact of the vulnerability:
=============================

The vulnerability can crash the ColdFusion server and, in some cases, the
system it is installed on. The problem can therefore cause a denial of
web-based services on the server.

Who's vulnerable?
===================

All servers running ColdFusion version 4.5.1 with certain optional example
scripts. To be vulnerable, the administrator must have chosen to install the
example scripts during installation.

Technical description:
========================

During installation of the ColdFusion server, the user is given the chance
to load specific example scripts. One of these example scripts is a search
engine. This search engine can detect whether the directories on the server
are indexed. If the directories are not indexed, the search engine calls a
second script that indexes the directories.

Requests to this indexing script can also be made by a remote user through a
web browser. The problem is that, while the script runs, CPU usage rises to
70% load. If several requests are made, the server's CPU rises to 100% load
and remains there. In some tests, the ColdFusion server (cfserver.exe)
stopped handling requests completely. A malicious user could potentially
launch a denial of service attack by requesting the indexing script several
times.

Solution:
==========

Allaire created a document last year (recently updated).
This document covers the example scripts that are (optionally) installed
with the server. Allaire clearly advocates the removal of these examples as
a best practice. This document is available on the Allaire web site at:

http://www.allaire.com/Handlers/index.cfm?ID=16258&Method=Full

In future, Allaire will make the second, indexing script accessible only
from the local host, like all the other example scripts.

More information:
==================

Bug Finder:             Niels Heinen
Allaire web site:       http://www.allaire.com
Allaire security email: security@allaire.com
SecurityWatch.com:      http://www.securitywatch.com

We wish to thank Allaire and especially Malcolm Gin for the quick response
and level of cooperation.

Disclaimer:
=============
**************************************************************************
All documents and services are provided as is. Ubizen expressly disclaims
all warranties, express or implied, including without limitation any implied
warranties of merchantability or fitness for a particular purpose, and
warranties as to the accuracy, completeness or adequacy of information.
Ubizen cannot be held accountable for any incorrect or erroneous
information. By using the provided documents or services, the user assumes
all risks.
**************************************************************************
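The pattern described in the technical description (repeated remote requests to the CPU-heavy indexing script until the server pins at 100%) can be spotted in the web server's access log before the service falls over. The following is an added example, not part of the advisory and not Allaire's code; the script path /cfdocs/indexing_example.cfm, the simplified log format and the sample log lines are constructed placeholders. It also reports every non-localhost request to the script, which is the condition Allaire's planned fix (local-host-only access) would block.

```python
"""Flag repeated remote requests to a CPU-heavy indexing script in
simplified web server access logs. Example code, not Allaire's; the
script path below is a hypothetical placeholder."""
from collections import defaultdict
from datetime import datetime, timedelta

INDEX_SCRIPT = "/cfdocs/indexing_example.cfm"  # hypothetical placeholder path
WINDOW = timedelta(seconds=60)   # sliding window for the repeat-request check
THRESHOLD = 5                    # requests inside WINDOW that raise an alert
LOCAL_HOSTS = {"127.0.0.1"}      # callers the script is meant to serve

# Constructed sample log lines: date time client-ip method uri status
SAMPLE_LOG = """\
2000-05-10 14:02:01 127.0.0.1 GET /cfdocs/indexing_example.cfm 200
2000-05-10 14:02:05 10.0.0.7 GET /cfdocs/index.cfm 200
2000-05-10 14:02:10 10.0.0.9 GET /cfdocs/indexing_example.cfm 200
2000-05-10 14:02:12 10.0.0.9 GET /cfdocs/indexing_example.cfm 200
2000-05-10 14:02:14 10.0.0.9 GET /cfdocs/indexing_example.cfm 200
2000-05-10 14:02:16 10.0.0.9 GET /cfdocs/indexing_example.cfm 200
2000-05-10 14:02:18 10.0.0.9 GET /cfdocs/indexing_example.cfm 200
2000-05-10 14:05:00 10.0.0.12 GET /cfdocs/indexing_example.cfm 200
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, client, uri)."""
    date, time, client, _method, uri, _status = line.split()
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), client, uri


def analyse(log_text):
    """Return (remote_hits, flooders): every non-local request to the indexing
    script, and the clients that made >= THRESHOLD of them inside WINDOW."""
    recent = defaultdict(list)     # client -> timestamps still inside WINDOW
    remote_hits, flooders = [], set()
    for line in log_text.splitlines():
        ts, client, uri = parse_line(line)
        if uri != INDEX_SCRIPT or client in LOCAL_HOSTS:
            continue               # other pages, or the intended local caller
        remote_hits.append((ts, client))
        # keep only this client's requests that are still inside the window
        recent[client] = [t for t in recent[client] + [ts] if ts - t <= WINDOW]
        if len(recent[client]) >= THRESHOLD:
            flooders.add(client)
    return remote_hits, flooders


if __name__ == "__main__":
    hits, flood = analyse(SAMPLE_LOG)
    print(f"{len(hits)} remote requests to {INDEX_SCRIPT}; flooders: {sorted(flood)}")
```

With the sample log, 10.0.0.9 is reported as a flooder (five requests in eight seconds) and 10.0.0.12's single remote request is still listed, since any remote access to the script is outside the intended local-only use.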