Hackers whack ColdFusion users

New research on a five-month-old security vulnerability has put hackers on the prowl and a software company on the hot seat.

Last week, L0pht, a site that devotes itself to discussions on computer security, posted a warning about a vulnerability in the remote administration features of Allaire Corp.'s ColdFusion Application Server. The vulnerability enables a hacker to gain access to all the data stored on that Web server and, in the process, install software to create a back door into the rest of the network.

Since that warning was posted last week -- along with a patch from Allaire -- security experts estimate that more than 100 sites have been hit. Adam Berrey, product marketing director for ColdFusion, said the security breach resulted from an example application that shipped with the server's documentation. Once the application was deployed, a hacker could use it as a doorway to files on the server. "In February, when we first discovered this issue, we sent out an e-mail to all of our registered customers, and we also proactively contacted all of our key accounts," Berrey said. "We may not have the name of every single customer in our database but I think we've done a very aggressive job."

But customers are questioning whether Allaire did do enough to warn them. One of the companies that was missed was NetGrocer in New York. Ari Sabah, vice president of technology, said one of his developers learned of the problem from an e-mail sent by a friend who also worked with ColdFusion. The security flaw and the availability of a patch on Allaire's Web site had been discussed on the site's discussion group.

"Officially, we didn't get anything from [Allaire]," said an annoyed Sabah. "They were too busy going public. They forgot their customers and they forgot who got them there." Berrey said a patch for the problem was posted on Allaire's Web site during the first week of February and a maintenance release of the server, ColdFusion 4.01, will be available later today for free from the company's site.

Still, the ColdFusion hack is not necessarily new. In December, Phrack Magazine first publicised the vulnerability. But it wasn't until the past several weeks that it gained the attention of hackers, who have made it clear that many ColdFusion users haven't installed the patch. One site in America, an ISP that hosts at least 30 domains, was particularly hard hit.

A hacker, going by the name of MostHateD of GlobalHell, was able to penetrate the company's Web server and gain access to at least three hard drives. In the process, the hacker claimed to have gained access to banking records, mail server passwords, illegally copied software, and even a "nuke" utility -- an illegal piece of software that can be used to launch a denial of service attack against another server.

The vulnerability ties into remote administration tools with ColdFusion that are exposed by the sample application. Allaire has its own server-side scripts, similar to CGI, that can be manipulated by an attacker. Once inside, the attacker can upload and download files and replace binary files, said Chris Rouland, director of Internet Security Systems Inc.'s X-Force consulting group. Rouland analyzed the attack after being alerted to it by PC Week, ZDNet's US sister publication. "If you can replace a binary on a computer system, you can back door it and force it to do whatever you want to do," he said.