Bugtraq mailing list archives

ColdFusion Denial of Service vulnerability in sample script


From: Niels Heinen <niels.heinen () UBIZEN COM>
Date: Fri, 8 Dec 2000 15:56:59 +0100

**************************************************************************

Subject: ColdFusion Denial of Service vulnerability in sample script
Software: ColdFusion Server Professional 4.5.1 Eval for Windows (SP2)
Risk Level: Medium
Author: Niels Heinen
Vendor Status: The vendor has released a document concerning this
problem
Exploitable: Remotely
**************************************************************************

Impact of the vulnerability:
=============================
The vulnerability can crash the ColdFusion server and in some cases the
system it is installed on. The problem will potentially cause the denial
of web-based services on the server.

Who's vulnerable?
===================
All servers running ColdFusion version 4.5.1 with certain optional
example scripts. To be vulnerable, the administrator must have
first chosen the example scripts during installation.

Technical description:
========================
During installation of the ColdFusion server, the user is given the
chance to load specific example scripts. One of these example scripts
is a search engine. This search engine has the ability to detect whether
the directories on the server are indexed. If the directories are not
indexed, the search engine calls a second script that indexes the
directories. Requests to this indexing script can also be made by
a remote user through a web browser.

The problem is that while doing this, the CPU usage will rise to
70% load. If several requests are made, the server's CPU increases to
100% load level and remains there. In some tests, the ColdFusion server
(cfserver.exe) stopped handling requests completely.

A malicious user could potentially launch a denial of service attack
by requesting the indexing script several times.

Solution:
==========
Allaire created a document last year (recently updated).
This document covers the example scripts that are (optionally)
installed with the server. Allaire clearly advocates
the removal of these examples as a best practice.

This document is available on the Allaire web site at:

http://www.allaire.com/Handlers/index.cfm?ID=16258&Method=Full

In future, Allaire will make the second, indexing script accessible
only from the local host, like all the other example scripts.

More information:
==================
Bug Finder: Niels Heinen
Allaire web site: http://www.allaire.com
Allaire security email: security () allaire com
SecurityWatch.com: http://www.securitywatch.com

We wish to thank Allaire and especially Malcolm Gin for the quick
response and level of cooperation.

Disclaimer:
=============
**************************************************************************

All documents and services are provided as is. Ubizen expressly
disclaims all warranties, express or implied, including without
limitation any implied warranties of merchantability or fitness for a
particular purpose, and warranties as to the accuracy, completeness or
adequacy of information. Ubizen cannot be held accountable for any
incorrect or erroneous information. By using the provided documents or
services, the user assumes all risks.
**************************************************************************
