
ColdFusion Web Application Server up to 4.5.1 password parsing DoS



    Affected: ColdFusion Web Application Server (Windows NT, Solaris, HP-UX) up through and including 4.5.1.


    The following is based on a security advisory from Allaire for ColdFusion.
    A denial of service vulnerability exists within the Allaire ColdFusion
    web application server which allows an attacker to overwhelm the web
    server and deny legitimate web page requests.

    The problem lies within the ColdFusion mechanism that parses passwords
    in authentication requests, and it makes the ColdFusion Administrator
    login page vulnerable to a denial of service attack. The denial of
    service occurs while the input password and the stored password are
    converted into forms suitable for comparison: when the input password
    is very large (more than 40,000 characters), that conversion consumes
    enough resources to stall the server.

    For proof of concept, the well-known HTML form field overflow
    technique is used against the HTML password field on the Administrator
    login page:

    The attacker simply changes the field size and POST action in the
    HTML tags on the page to allow a large string (over 40,000 characters)
    to be submitted to the ColdFusion server. Small input strings may not
    immediately crash the system, but large enough strings will bring the
    system to a halt.


    Allaire provides the following workaround: customers should back up
    all existing data and implement the recommendations made in the
    article 'Securing the ColdFusion Administrator (10954)'. This should
    resolve the issue. The article can be found at
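    The defensive principle behind the advisory is that the expensive
    password conversion must never run on attacker-sized input. The
    following is an added example (not Allaire or ColdFusion code) of a
    pre-authentication guard that bounds the request body, the number of
    form fields and the password field itself before any hashing or
    comparison happens. The limits, the form field name `password` and the
    SHA-256 stand-in for the stored credential are all assumptions made
    for this example.

```python
"""Pre-authentication length guard (added example, not Allaire/ColdFusion code).

The advisory's failure mode is an expensive password conversion step that
runs on attacker-sized input. The cheap defence is to bound the request body
and the password field *before* any conversion or comparison happens.
All limits and field names below are assumptions for this example.
"""
from __future__ import annotations

import hashlib
import hmac
from urllib.parse import parse_qsl

MAX_BODY_BYTES = 8 * 1024    # assumed cap on the whole login POST body
MAX_PASSWORD_LEN = 128       # assumed cap on a single password field
MAX_FIELDS = 50              # assumed cap on form fields; bounds parsing cost
PASSWORD_FIELD = "password"  # assumed form field name


def guard_login_body(body: bytes) -> tuple[bool, str, dict]:
    """Return (accepted, reason, parsed_fields).

    Checks are ordered cheapest first: the body size test is a length
    lookup, parsing is bounded by MAX_FIELDS, and the per-field cap runs
    last, so a 40,000-character password is refused before it is parsed.
    """
    if len(body) > MAX_BODY_BYTES:
        return False, f"body too large: {len(body)} bytes", {}
    try:
        pairs = parse_qsl(body.decode("latin-1"), keep_blank_values=True,
                          max_num_fields=MAX_FIELDS)
    except ValueError as exc:  # raised by parse_qsl when MAX_FIELDS is exceeded
        return False, f"too many fields: {exc}", {}
    fields = dict(pairs)
    supplied = fields.get(PASSWORD_FIELD, "")
    if len(supplied) > MAX_PASSWORD_LEN:
        return False, f"password too long: {len(supplied)} chars", {}
    return True, "ok", fields


def make_stored_hash(password: str) -> bytes:
    """Constructed stand-in for a stored credential.

    A real deployment would use a deliberately slow password hash, which is
    exactly why the length cap must run before this step.
    """
    return hashlib.sha256(password.encode()).digest()


def authenticate(body: bytes, stored_hash: bytes) -> str:
    """Return 'rejected', 'bad-credentials' or 'ok'.

    The conversion/comparison step (hashing here) only ever sees input that
    has already passed the size guard.
    """
    accepted, _reason, fields = guard_login_body(body)
    if not accepted:
        return "rejected"
    digest = make_stored_hash(fields.get(PASSWORD_FIELD, ""))
    return "ok" if hmac.compare_digest(digest, stored_hash) else "bad-credentials"


if __name__ == "__main__":
    stored = make_stored_hash("hunter2")                      # constructed credential
    normal = b"username=admin&password=hunter2"               # constructed request body
    oversized = b"username=admin&password=" + b"A" * 40_001   # the advisory's size class
    print(authenticate(normal, stored))                       # ok
    print(authenticate(oversized, stored))                    # rejected
    print(guard_login_body(oversized)[1])                     # body too large: 40025 bytes
```

    The point of the ordering is that rejection cost stays proportional to
    a length lookup no matter how large the submitted field is; the hash
    (or, in the original server, the password conversion routine) is only
    reached by input that a legitimate login could plausibly produce.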

    A fix is expected in the upcoming release, ColdFusion 4.6.
