Date: Tue, 1 Jun 1999 11:45:35 -0700
From: aleph1@UNDERGROUND.ORG
To: BUGTRAQ@netspace.org
Subject: New Allaire Security Bulletin (ASB99-09)

Dear Allaire Customer --

We have recently become aware of a serious security vulnerability that may affect customers using Microsoft Access with ColdFusion. This issue is not a problem with ColdFusion, but can occur when using some versions of the Microsoft Access ODBC driver.

We have created a new Allaire Security Bulletin that documents this issue and the steps that customers can take to protect themselves. If you are using Microsoft Access with your Web applications, we strongly recommend that you review this new bulletin:

  ASB99-09: Solutions to Issues that Allow Users to Execute Commands through Microsoft Access

You can find this new bulletin and information about other security issues in the Allaire Security Zone:

  http://www.allaire.com/security

As a Web application platform vendor, one of our highest concerns is the security of the systems our customers deploy. We understand how important security is to our customers, and we're committed to providing the technology and information customers need to build secure Web applications.

Allaire has set up an email address that customers can use to report security issues associated with an Allaire product: secure@allaire.com.

Thank you for your time and consideration on this issue.

-- Allaire Security Response Team

----------------------------------------------------------------------------------------

Allaire Security Bulletin (ASB99-09)
Solutions to Issues that Allow Users to Execute Commands through Microsoft Access

Originally Posted: June 1, 1999
Last Updated: June 1, 1999

Summary

Some Microsoft ODBC drivers for Microsoft Access may allow users to execute Visual Basic for Applications (VBA) commands on the hosting server without permission. URL, form and cookie variables in a dynamic query in many development environments (e.g. ColdFusion, ASP, CGI, etc.) can be used to exploit this hole by appending malicious VBA statements to existing queries. This problem can be fixed by upgrading to the Microsoft ODBC driver for Access included in MDAC 2.1 sp1a, available from Microsoft. In general, Allaire recommends that customers use proper coding methods for validating dynamic query variables passed on URL strings, HTTP forms or cookies.

This is not a security issue with ColdFusion itself. However, ColdFusion customers using Access are vulnerable to this issue. (This issue is similar to the vulnerabilities documented in ASB99-04, which are associated with appending malicious SQL statements to query strings sent to some enterprise databases.)

Issue

In a Web application there are often circumstances where queries are built dynamically using variables that are passed on URLs or in forms. Some versions of the Microsoft Access ODBC driver support the ability to append VBA commands to a SQL string. As a result, a malicious attack could be made by using URL, form or cookie variables to send VBA commands through a query. These VBA commands could potentially be used to damage the server or to gain unauthorized access to information and systems. (The potential for a similar problem using SQL statements and some enterprise databases was documented in ASB99-04.)

The VBA commands are appended by using the pipe character, Chr(124), which is treated as a reserved character by the Access ODBC driver. See the following Microsoft Knowledge Base article for details:

  http://support.microsoft.com/support/kb/articles/q147/6/87.asp

This reserved character allows users to modify a URL, form or cookie variable to execute VBA commands against the Web server using the ODBC driver.
The following string is an example of one that can be used to initiate an attack by writing a file to the Web server's hard drive:

  '|shell("cmd /c 1 > c:\temp\foo.txt")|'

This string could be passed to an application using a URL variable, so the page could be called as follows:

  http://myserver/page.cfm?x='|shell("cmd /c 1 > c:\temp\foo.txt")|'

When this value is substituted into the following dynamically created query, executing the query will cause a file to be created at c:\temp\foo.txt:

  SELECT * FROM USERS WHERE lname = '#URL.X#'

The same code would be vulnerable when processing form input from a template using a form variable called 'X'. Please note that you should always validate user-initiated input, including URL, form, and cookie variables.

Affected Software Versions

ColdFusion Server (all versions and editions) running with Microsoft Access through ODBC

What Allaire is Doing

This issue is not a problem with ColdFusion, but can occur when using Microsoft Access and some versions of the Access ODBC driver; it therefore affects ColdFusion applications that use Access. To respond to this issue, Allaire has published an Allaire Security Bulletin (ASB99-09) notifying customers of the problem and the remedies that can be used to address it. We have sent a notification of the bulletin to customers who have subscribed to Allaire Security Notifications.

What Customers Should Do

This issue appears to be fixed by the installation of the Microsoft Access ODBC driver included with MDAC 2.1 sp1a. We strongly recommend that customers install this ODBC driver. It should not adversely affect the functionality of ColdFusion applications using Access.
This MDAC can be downloaded from the Microsoft site:

  http://download.microsoft.com/msdownload/mdac/sp1a/x86/en/mdac_typ.exe

In addition, Allaire recommends that customers write their code to validate variables that are passed into SQL statements, configure their database security properly, and use standard database application development practices, such as stored procedures where appropriate, to protect themselves. These are general requirements of production applications regardless of the development platform.

There are many ways to address the issues raised by the risk of malicious SQL statements being inserted into dynamic queries. The Allaire Technical Brief "Securing Databases for ColdFusion Applications" details some of the steps you can take to secure your databases, including techniques specific to applications built with ColdFusion. It is important to note that each individual application may require its own particular steps, in both coding and database configuration, in order to be fully secured.

Revisions

June 1, 1999 -- Bulletin first released.

Reporting Security Issues

Allaire is committed to addressing security issues and providing customers with information on how they can protect themselves. If you identify what you believe may be a security issue with an Allaire product, please send an email to secure@allaire.com. We will work to appropriately address and communicate the issue.

Receiving Security Bulletins

When Allaire becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Allaire customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service.
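The coding-side advice in "What Customers Should Do" (validate dynamic query variables, bind values rather than splice them into SQL), worked through as an added example that is not part of the bulletin or of Allaire's code: an allowlist check that rejects the pipe character Chr(124), the same USERS query in parameterised form, and a sweep over Web server log lines for requests carrying the |call( pattern. All function names are assumed, the log lines are constructed, and sqlite3 stands in for the Access ODBC driver only to show parameter binding; it does not reproduce the driver's pipe handling.

```python
import re
import sqlite3
from urllib.parse import unquote

# Marker for the pipe injection in the bulletin: a pipe, a VBA identifier and an
# opening parenthesis, e.g. |shell(  (Chr(124) is reserved by the Access driver).
PIPE_CALL = re.compile(r"\|\s*[A-Za-z_]\w*\s*\(")
# Common Log Format prefix: client, ident, user, [timestamp], "METHOD request
LOG_LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')

def build_query_unsafe(lname):
    """The bulletin's query with '#URL.X#' spliced into the SQL text (shows the defect only)."""
    return f"SELECT * FROM USERS WHERE lname = '{lname}'"

def validate_lname(value):
    """Allowlist: letters, spaces, hyphens, 1-64 chars; pipe and quotes are rejected."""
    return 0 < len(value) <= 64 and re.fullmatch(r"[A-Za-z][A-Za-z -]*", value) is not None

def is_injection_attempt(raw):
    """True if a URL-decoded URL/form/cookie value carries the |call( marker."""
    return PIPE_CALL.search(unquote(raw)) is not None

def lookup_users_param(conn, lname):
    """Parameterised form of the same query: the value is bound as data, never
    spliced into the SQL. sqlite3 is an assumed stand-in for the Access driver."""
    return conn.execute("SELECT lname FROM USERS WHERE lname = ?", (lname,)).fetchall()

def demo_db():
    """Constructed in-memory USERS table with one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (lname TEXT)")
    conn.execute("INSERT INTO USERS VALUES ('Smith')")
    return conn

def scan_log(lines):
    """(client, request) pairs for log lines whose request carries the marker."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_injection_attempt(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed sample log: a benign request and one carrying the bulletin's example
# string, URL-encoded as a browser would send it.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/1999:11:45:35 -0700] "GET /page.cfm?x=Smith HTTP/1.0" 200 512',
    '10.0.0.9 - - [01/Jun/1999:11:46:01 -0700] "GET /page.cfm?x=%27%7Cshell%28%22cmd+%2Fc+1+%3E+c%3A%5Ctemp%5Cfoo.txt%22%29%7C%27 HTTP/1.0" 200 512',
]
```

The allowlist is deliberately strict; a real application would widen it to its own name rules and still bind the value as a parameter rather than relying on the check alone.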
For additional information on security issues at Allaire, please visit:

  http://www.allaire.com/security

THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ALLAIRE CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.