FYI

----- Original Message -----
From: Ryan Hill <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 08, 2000 9:28 PM
Subject: Cold Fusion Server 4.5.1 DoS Vulnerability.

> -[ Exploit Announcement
>
> Title: Cold Fusion Server 4.5.1 Denial-of-Service Attack using CFCACHE.
> OS: Windows NT 4.0
> Affected Product Versions: Cold Fusion Server 4.5.x, Professional &
> Enterprise.
>
> -[ Acknowledgements
> Thanks are due to Patrick Keating, for his help diagnosing and discovering
> this issue.
>
> -[ Summary
> ColdFusion is a complete Web application server for developing and
> delivering scalable e-business applications. An included component of the
> Cold Fusion Markup Language (CFML) tag set includes a tag called CFCACHE.
> CFCACHE allows you to speed up pages considerably in cases where the dynamic
> content doesn't need to be retrieved each time a user accesses the page. To
> accomplish this, it creates temporary files that contain the static HTML
> returned from a particular run of the ColdFusion page.
>
> -[ The Exploit
> It is possible to cause the Cold Fusion Server service to hang and stop
> responding to client requests when requesting a cache file that isn't stored
> in memory and there are no available running thread request slots available
> on the server. The Cold Fusion Server service must be restarted so that the
> running and queued request threads can be cleared.
>
> -[ The Details
> CFCACHE uses a client thread request when creating temporary cache pages
> that will hang Cold Fusion Server if there are no available execution thread
> slots. An example of this exploit using the default limit of 5 simultaneous
> requests would be to send 6 simultaneous page requests to a CFCACHE'd page
> which hasn't been loaded into a temporary cache file. Using CFSTAT, a
> utility included with Cold Fusion Server, you can clearly see that the
> server has stopped responding to client requests with 5 threads running in
> the active thread space and 1 thread stuck in the queue. The 5 active
> threads never timeout or exit and the server never recovers from this hung
> state. The only way to regain control of the server is to restart the Cold
> Fusion Server service on the affected machines.
>
> The severity of this bug is fairly high considering that the exploit is so
> simple to perform and does not require malformed data, edited packets or any
> exploit programs to potentially knock thousands of vulnerable Cold Fusion
> Servers off-line.
>
> -[ Patch Availability or Workaround
>
> No known patches, however, you have the choice of avoiding the use of
> CFCACHE or a possible workaround would be to manually or programmatically
> (spider) CFCACHE pages so that the temporary files are created under a
> no-load situation. Once the temporary cache pages are created, this
> vulnerability is no longer a threat. This workaround is not very practical
> however, and can become very time consuming if the website has many pages
> using this functionality.
>
> Allaire's Unofficial response to this bug:
> "What are the chances that 5 people would simultaneously request the same
> page?"
>
> -[ Exploit Published: 05/08/2000
> Vendor Notification: 05/08/2000
> Release to Public: 05/08/2000
>
> Regards,
> Ryan
>
> Ryan Hill, MCSE
> Director of Systems Integration
> Market Matrix, Inc. - http://www.marketmatrix.com
> ------------------------------------------------------------------------------
> Archives: http://www.eGroups.com/list/cf-talk
> To Unsubscribe visit http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
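
Added example, not part of the original message and not Allaire's code: a simplified Python model of the slot exhaustion described under "The Details" and of the pre-warming workaround. It assumes every page request that misses the cache holds its slot while an internal request, which needs a slot of its own, waits in the queue; `PoolModel` and `burst` are hypothetical names, and the queue counts CFSTAT shows on a real server may differ from this model.

```python
from collections import deque


class PoolModel:
    """Toy model of a fixed-size request pool in front of a CFCACHE'd page."""

    def __init__(self, limit=5):
        self.limit = limit    # simultaneous-request limit (default of 5 per the advisory)
        self.cached = False   # has the temporary cache file been written yet?

    def burst(self, n):
        """Deliver n simultaneous requests for the page; return (served, hung)."""
        queue = deque(["page"] * n)
        waiting = 0           # slots held by page requests awaiting the cache file
        served = 0
        while queue:
            if waiting >= self.limit:
                # Every slot is held by a request whose internal request is
                # still queued, so nothing can finish and the pool never drains.
                return served, True
            kind = queue.popleft()        # a free slot admits the next request
            if kind == "render":
                self.cached = True        # cache file written
                served += waiting         # waiting page requests now complete
                waiting = 0
            elif self.cached:
                served += 1               # static cache file returned directly
            else:
                waiting += 1              # hold the slot ...
                queue.append("render")    # ... and queue the internal request
        return served, False


if __name__ == "__main__":
    print("cold cache, 6 at once:", PoolModel().burst(6))
    print("cold cache, 4 at once:", PoolModel().burst(4))
    warmed = PoolModel()
    warmed.burst(1)                       # workaround: create the file under no load
    print("warmed, 6 at once:   ", warmed.burst(6))
```

In this model the pool only recovers from the hung state by discarding the running and queued requests, which corresponds to the service restart the advisory calls for.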