> Anyone seen a proof of concept for the 'huge Allaire exploit' that they are
> telling everyone to put that patch on for? I think it's a hoax as I have not
> seen it yet ... just some marketing ploy to get everyone to upgrade...
>
> -MJ?

Let me start by saying I am not a ColdFusion programmer or anything near there. I do, however, admin 2 RH servers for a company in Texas who use CF.

With permission, I have tested this exploit, and have verified it works as advertised (restarts the CF server on Red Hat Linux). Once, Apache crashed along with it (signal 11. It dumped core but I didn't take time to debug why), therefore it didn't restart. It effectively killed the web server. (This happened once out of nearly 100 tests, on a devel box.)

There are things you need to consider here.

#1) Most organizations still use the NT version of the server. So if this was a marketing ploy, I'd assume Allaire would show an NT vulnerability?

#2) This exploit only affects systems where users have write access to a website. If your server only offers access to developers, you are not vulnerable (unless you upset one of your employees, in which case you have many more problems than a simple server restart).

Regards,
Jeff Palmer
scorpio@drkshdw.org