April 30, 1999 2:40 PM PDT

ColdFusion still shows security holes

Nearly three months after a fix was posted, dozens of Web sites, including major federal, state, and university sites, are still vulnerable to a security breach that allows hackers to read, delete, and upload files onto Web servers.

The breach involves ColdFusion, a Web application server made by Allaire. Using a sample application called Expression Evaluator, a hacker could gain access to a Web server.

Perhaps more importantly, using scripts written to exploit the breach, a hacker could access information not specifically located on the Web server itself, potentially putting private or confidential files at risk.

"There's no question that it's incredibly dangerous," said Ted Julian, a security analyst at Forrester Research. "When you're talking about file-level access, what more do you need?"

The breach was first documented in December in Phrack Magazine. In early February, Allaire acknowledged that hackers could use the breach to read and delete files and posted a fix on its Web site. But in recent weeks, Kevin Klinsky, a technical director at LogiSoft in Rochester, New York, discovered that the breach could also be used to upload files.

Klinsky also found more than two dozen Web sites that were still vulnerable to the breach. Some of the vulnerable sites were Web sites from the U.S. Army and the University of Virginia. Although those two breaches now appear to be closed, CNET News.com has found 20 more sites that are apparently still vulnerable.

"Now that it's been discovered, it's pretty easy to exploit," said Klinsky, who has posted an advisory about the breach on the L0pht Web security site.

Adam Berrey, Allaire's product marketing director, said the company has done what it can to fix the problem and contact customers about it. Berrey said Allaire notified ColdFusion customers as soon as it found the breach and has always warned customers not to install ColdFusion's documentation, of which Expression Evaluator is a part, on production servers.

Berrey also said Allaire's latest update of ColdFusion, released today, includes a patch within it.

Although Allaire had not acknowledged that hackers could upload files through the breach, Berrey said the company had not underplayed its severity. While Allaire was responsible for working with system administrators and alerting them to possible problems, he said system security is ultimately up to a firm's own administrators.

"If you think about this from a security perspective, anybody who understands security should understand that this is a big enough problem and should fix it," Berrey said.

But at least two system administrators said they were unaware of the breach until contacted by CNET News.com.

Brad Smith, president of a Web hosting firm in Olathe, Kansas, said he was one of ColdFusion's earliest customers, yet he hadn't heard anything about the breach.

"I'm not aware of any communication that we've received directly from Allaire," Smith said.

Likewise, Eric Brody, a database manager at a public university in California, said he didn't remember any communication or email from Allaire about the problem.

"Either they didn't express themselves clearly or I ignored it," Brody said.

According to Cormac Foster, site operation strategies analyst at Jupiter Communications, ColdFusion, which competes against Web application servers from Vignette, Netscape, and Oracle, has been popular with many smaller Web developers because it is significantly less expensive than its competitors. Allaire's Berrey said that there are more than 30,000 installations of ColdFusion and more than 100,000 developers working on the product. (CNET: The Computer Network, publisher of News.com, holds an equity stake in Vignette.)

Berrey said the breach affects versions 2.0 through 4.0 of ColdFusion. He said he did not know how many customers had either downloaded the patch or deleted the program from their servers.
