RE: cold fusion 5.0 cfrethrow exploit

[Jeff Palmer <scorpio () drkshdw org>]

> Anyone seen a proof of concept for the 'huge allaire exploit' that they are
> telling everyone to put that patch on for? I think its a hoax as I have not
> seen it yet ...just some marketing ploy to get everyone to upgrade...
>
> -MJ?

Let me start by saying I am not a ColdFusion programmer or anything near
there.  I do however admin 2 RH servers for a company in texas who use CF.

With permission,  I have tested this exploit, and have verified it works
as advertised  (restarts the CF server on redhat linux)

Once,  apache crashed along with it (signal 11.  It dumped core but I
didn't take time to debug why) Therefore it didn't restart. It effectively
killed the web server. (This happened once out of nearly 100 tests,  on a
devel box)

There are things you need to consider here.

#1)  Most organizations still use the NT version of the server. So if
this was a marketing ploy,  I'd assume allaire would show an NT
vulnerability?

#2) This exploit only affects systems where users have write access to a
website.  If your server only offers access to developers,  you are not
vulnerable  (Unless you upset one of your employees, in which case,  you
have many more problems than a simple server restart)


Regards,

Jeff Palmer
scorpio () drkshdw org