Allaire Security Bulletin (ASB00-06) - Allaire has recently been notified of a security issue in the Allaire Forums 2.0.5 software. This behavior allows users to view and post to secure discussion threads via unsecured conferences and/or through email. This issue affects multiple templates in the Forums software. Updated versions of the affected templates are available from the following link: Download - Allaire Forums 2.0.5 Security Patch.
e1d1c4b8932ac01a330c6dd52f48934c9fe51519f19c1eadeba06ac77c0b4e3d
Allaire Security Bulletin (ASB00-06)
Patch Available for Allaire Forums 2.0.5 security issue.
Originally Posted: April 3, 2000
Last Updated: April 3, 2000
Summary
Allaire has recently been notified of a security issue in the Allaire Forums 2.0.5 software. This
behavior allows users to view and post to secure discussion threads via unsecured conferences
and/or through email. This issue affects multiple templates in the Forums software. Updated
versions of the affected templates are available from the following link: Download - Allaire
Forums 2.0.5 Security Patch.
Issue
Allaire has recently been notified of a security issue in the Allaire Forums 2.0.5 software. This
behavior allows users to view and post to secure conference threads via unsecured conferences
and/or through email. The security issue in the code exists in certain unscoped variables and the
base-coding schema of forums itself. The flaw spans multiple files; (files are listed below), and
involves a certain variable called "rightAccessAllForums." This variable was not scoped properly
inside the forums code, allowing the user the ability to not only post and view conference of
which they are not part, but also allowing users to sign up to Forums conferences which have
not yet been created.
Affected Software Versions
Allaire Forums 2.x
What Allaire is Doing
Allaire has released new templates for Allaire Forums that should close this vulnerability. The
new templates correct the coding problem by explicitly setting two values,
"rightAccessAllForums" and "rightModerateAllForums" to be automatically hard-coded "False"
in the Application.cfm; those values are then called for authentication in the rest of the files.
These modifications also force Client.Forums_AccessAllowed to contain a list of all accessible
forums.
The template files were created to replace the existing files on your system. It is recommended
you back up your existing data before over-writing or replacing any files. You will also need to
modify these files to reflect any personal coding changes you have made to your existing
Forums installation.
Below is a listing of the new template files and the locations where they should be placed on
your server:
File Name
Directory to Place In
Application.cfm
{webroot}\{Forums Home Directory}\
Conf_ThreadList.cfm
{webroot}\{Forums Home Directory}\
MessageEdit_Action.cfm
{webroot}\{Forums Home Directory}\forms\
Search_Results.cfm
{webroot}\{Forums Home Directory}\
_NewSession.cfm
{webroot}\{Forums Home Directory}\Queries\
What Customers Should Do
Customers should back up all existing data and place the new templates in the proper
directories (see above). This should resolve the issue. This fix also contains the coding fix for
the cross-site scripting issue (ASB00-05).
Download - Allaire Forums 2.0.5 Security Patch
Please note that customers who have made any modifications to the Allaire Forums
templates included in this patch will need to re-apply those changes after installing
these templates. Customers should pay special attention to Application.cfm for
database connectivity and configuration.
Revisions
April 3, 2000 -Bulletin first created.
Special thanks to Cameron Childress for bringing this issue to our attention.
Reporting Security Issues
Allaire is committed to addressing security issues and providing customers with the information
on how they can protect themselves. If you identify what you believe may be a security issue
with an Allaire product, please send an email to secure@allaire.com. We will work to
appropriately address and communicate the issue.
Receiving Security Bulletins
When Allaire becomes aware of a security issue that we believe significantly affects our products
or customers, we will notify customers when appropriate. Typically this notification will be in the
form of a security bulletin explaining the issue and the response. Allaire customers who would
like to receive notification of new security bulletins when they are released can sign up for our
security notification service.
For additional information on security issues at Allaire, please visit the Security Zone at:
https://www.allaire.com/security
THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF
ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL
ALLAIRE CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING
DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.