 |
|
|
|
|
|
|
|
Allaire Security Bulletin (ASB00-06)
Patch Available for Allaire Forums 2.0.5 security issue.
Originally Posted: April 3, 2000
Last Updated: April 3, 2000
Summary
Allaire has recently been notified of a security issue in the Allaire Forums 2.0.5 software. This behavior allows users to view and post to secure discussion threads via unsecured conferences and/or through email. This issue affects multiple templates in the Forums software. Updated versions of the affected templates are available from the following link: Download - Allaire Forums 2.0.5 Security Patch.
Issue
Allaire has recently been notified of a security issue in the Allaire Forums 2.0.5 software. This behavior allows users to view and post to secure conference threads via unsecured conferences and/or through email. The security issue in the code exists in certain unscoped variables and the base-coding schema of forums itself. The flaw spans multiple files; (files are listed below), and involves a certain variable called "rightAccessAllForums." This variable was not scoped properly inside the forums code, allowing the user the ability to not only post and view conference of which they are not part, but also allowing users to sign up to Forums conferences which have not yet been created.
Affected Software Versions
What Allaire is Doing
Allaire has released new templates for Allaire Forums that should close this vulnerability. The new templates correct the coding problem by explicitly setting two values, "rightAccessAllForums" and "rightModerateAllForums" to be automatically hard-coded "False" in the Application.cfm; those values are then called for authentication in the rest of the files. These modifications also force Client.Forums_AccessAllowed to contain a list of all accessible forums.
The template files were created to replace the existing files on your system. It is recommended you back up your existing data before over-writing or replacing any files. You will also need to modify these files to reflect any personal coding changes you have made to your existing Forums installation.
Below is a listing of the new template files and the locations where they should be placed on your server:
|
File Name
|
Directory to Place In
|
| Application.cfm | {webroot}\{Forums Home Directory}\ |
| Conf_ThreadList.cfm | {webroot}\{Forums Home Directory}\ |
| MessageEdit_Action.cfm | {webroot}\{Forums Home Directory}\forms\ |
| Search_Results.cfm | {webroot}\{Forums Home Directory}\ |
| _NewSession.cfm | {webroot}\{Forums Home Directory}\Queries\ |
What Customers Should Do
Customers should back up all existing data and place the new templates in the proper directories (see above). This should resolve the issue. This fix also contains the coding fix for the cross-site scripting issue (ASB00-05).
Download - Allaire Forums 2.0.5 Security Patch
Please note that customers who have made any modifications to the Allaire Forums templates included in this patch will need to re-apply those changes after installing these templates. Customers should pay special attention to Application.cfm for database connectivity and configuration.
Revisions
April 3, 2000 -Bulletin first created.
Special thanks to Cameron Childress for bringing this issue to our attention.
Reporting Security Issues
Allaire is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with an Allaire product, please send an email to secure@macromedia.com. We will work to appropriately address and communicate the issue.
Receiving Security Bulletins
When Allaire becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Allaire customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service.
For additional information on security issues at Allaire, please visit the Security Zone at:
http://www.macromedia.com/security
THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ALLAIRE CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
|
|
|
|
|
|
|
