[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : ColdFusion Denial of Service vulnerability in sample script

Title: ColdFusion Denial of Service vulnerability in sample script
Released by: Niels Heinen
Date: 9th December 2000
Printable version: Click here

Subject: ColdFusion Denial of Service vulnerability in sample script

Software: ColdFusion Server Professional 4.5.1 Eval for Windows (SP2)

Risk Level: Medium

Author: Niels Heinen

Vendor Status: The vendor has released a document concerning this


Exploitable: Remotely


Impact of the vulnerability:


The vulnerability can crash the ColdFusion server and in some cases the

system it is installed on. The problem will potentially cause the denial

of web-

based services on the server.

Who's vulnerable ?


All servers running ColdFusion version 4.5.1 with certain optional

example scripts. To be vulnerable, the administrator must have

first chosen the example scripts during installation.

Technical description:


During installation of the ColdFusion server, the user is given the

chance to load specific example scripts. One of these example scripts

is a search engine. This search engine has the ability to detect whether

the directories on the server are indexed. If the directories are not

indexed, the search engine calls a second script that indexes the

directories. Requests to this indexing script can also be made by

a remote user through a web browser.

The problem is that while doing this, the CPU usage will rise to

70% load. If several requests are made, the server's CPU increases to

100% load level and remains there. In some tests, the ColdFusion server

(cfserver.exe) stopped handling requests completely.

A malicious user could potentially launch a denial of service attack

by requesting the indexing script several times.



Allaire created a document last year (recently updated).

This document covers the example scripts that are (optionally)

installed with the server. Allaire clearly advocates

the removal of these examples as a best practice.

This document is available on the Allaire web site at:


In future Allaire will make the second, indexing script only

accessible from the local host.  like all the other example scripts.

More information:


Bug Finder: Niels Heinen

Allaire web site: http://www.allaire.com

Allaire security email: security@allaire.com

SecurityWatch.com: http://www.securitywatch.com

We wish to thank Allaire and especially Malcolm Gin for the quick

response and level of cooperation.




All documents and services are provided as is. Ubizen expressly


all warranties, express or implied, including without limitation any

implied warranties of merchantability or fitness for a particular

purpose, and warranties as to the accuracy, completeness or adequacy of

information.  Ubizen cannot be held accountable for any incorrect or

erroneous information. By using the provided documents or services,

the user assumes all risks.


(C) 1999-2000 All rights reserved.