安全研究
安全漏洞
Allaire ColdFusion index.cfm远程拒绝服务攻击漏洞
发布日期:2000-06-07
更新日期:2000-06-07
受影响系统:
Allaire ColdFusion Server 2.0不受影响系统:
- HP HP-UX 11.0
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- RedHat Linux 7.0
- Sun Solaris 8.0
- SuSE Linux 7.0
Allaire ColdFusion Server 3.0
- HP HP-UX 11.0
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- RedHat Linux 7.0
- Sun Solaris 8.0
- SuSE Linux 7.0
Allaire ColdFusion Server 3.0.1
- HP HP-UX 11.0
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- RedHat Linux 7.0
- Sun Solaris 8.0
- SuSE Linux 7.0
Allaire ColdFusion Server 3.1
- HP HP-UX 11.0
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- RedHat Linux 7.0
- Sun Solaris 8.0
- SuSE Linux 7.0
Allaire ColdFusion Server 3.1.1
- HP HP-UX 11.0
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- RedHat Linux 7.0
- Sun Solaris 8.0
- SuSE Linux 7.0
Allaire ColdFusion Server 3.1.2
- HP HP-UX 11.0
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- RedHat Linux 7.0
- Sun Solaris 8.0
- SuSE Linux 7.0
Allaire ColdFusion Server 4.0
- HP HP-UX 11.0
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- RedHat Linux 7.0
- Sun Solaris 8.0
- SuSE Linux 7.0
Allaire ColdFusion Server 4.0.1
- HP HP-UX 11.0
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- RedHat Linux 7.0
- Sun Solaris 8.0
- SuSE Linux 7.0
Allaire ColdFusion Server 4.5
- HP HP-UX 11.0
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- RedHat Linux 7.0
- Sun Solaris 8.0
- SuSE Linux 7.0
Allaire ColdFusion Server 4.5.1
- HP HP-UX 11.0
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- RedHat Linux 7.0
- Sun Solaris 8.0
- SuSE Linux 7.0
Allaire ColdFusion Server 4.6描述:
BUGTRAQ ID: 1314
CVE(CAN) ID: CVE-2000-0538
Allaire ColdFusion是一种流行的Web功能扩展软件包,可以运行在Windows、HP-UX、Linux等多种平台上。
Allaire ColdFusion v4.5.1及其以前版本在处理口令验证请求过程中存在一个安全漏洞,如果在管理员登录页面的口令域里输入超过40000个字符,CPU占用率将达到100%,进程挂起,造成拒绝服务攻击。
登录页面表单默认会阻止你输入超过40000个字符,然而恶意用户可以下载页面到本地,修改后向ColdFusion服务器提交超过40000个字符。为了恢复正常功能,必须重启ColdFusion服务。
管理员登录页面可以通过如下链接获得:
http://www.target.com/cfide/administrator/index.cfm
修改域尺寸和POST action,就允许提交超过40000个字符。
<*来源:Stuart McClure (stuart.mcclure@foundstone.com)
链接:http://www.macromedia.com/v1/cfdocs/allaire_support/adminsecurity.htm
http://www.fusionauthority.com/alert/index.cfm?alertid=25#Sec1
*>
建议:
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 备份所有数据,按如下链接文章提供的步骤修补:
http://www.allaire.com/Handlers/index.cfm?ID=10954&Method=Full
厂商补丁:
Allaire
-------
Allaire已经为此发布了一个安全公告(ASB00-14)以及相应补丁:
ASB00-14:Workaround available for Denial of Service attack against ColdFusion Administrator
链接:
补丁下载:
http://www.macromedia.com/support/coldfusion/
浏览次数:7400
严重程度:0(网友投票)
绿盟科技给您安全的保障