Date: Friday, 30 Apr 1999 17:00:00 -0400
From: securityzone@allaire.com
To: SecurityZone@allaire.com
Subject: ColdFusion Security Alert

***************************************************************
** Allaire respects the Web and the privacy of those who use
** it. To avoid future messages from Allaire, send
** e-mail to securityzone@allaire.com with the subject: REMOVE
***************************************************************

Dear ColdFusion Customer --

I am writing to notify you of security vulnerabilities exposed by the example applications installed with ColdFusion Server documentation in versions 2.0 and higher. You may have already heard about these issues in one of the email communications that we sent when we first reported them to customers in February 1999, in the Allaire Security Zone (http://www.allaire.com/security).

PROBLEM

The example applications installed with the ColdFusion Server documentation expose vulnerabilities that include the ability to view, delete, and upload files. These issues affect example applications included in ColdFusion Server 2.0 and higher.

SOLUTION

We strongly recommend you address these issues using one of the solutions below:

1. Remove the documentation directory (CFDOCS) from the server (this will not affect functionality of the server). In general, we recommend that you do not install sample code, example applications, or documentation on servers accessible on the Internet.

2. Install the ColdFusion Server 4.0.1 Update, available for download from the DevCenter (http://www.allaire.com/developer). (Note the 4.0.1 Update requires ColdFusion Server 4.0.)

DETAILED INFORMATION

More details on these issues and ColdFusion security in general are available in the Allaire Security Zone, http://www.allaire.com/security (see bulletins ASB99-01 and ASB99-02). We strongly recommend that you take a moment to visit the Security Zone to familiarize yourself with ColdFusion security issues.
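Because the notice reports active attacks against the CFDOCS example applications, an administrator who cannot remove the directory immediately will want to know whether anything is reaching it. The script below is an added example, not part of Allaire's notice: it scans Common Log Format access-log lines for requests into the CFDOCS tree, normalizing case and percent-encoding so that trivially disguised paths are still matched. The log lines and sub-paths are constructed.

```python
"""Find requests into the ColdFusion CFDOCS tree in web server access logs.

Added example; the log lines below are constructed, not real traffic.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in Common Log Format. Only the CFDOCS prefix is taken
# from the advisory; the sub-paths are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Apr/1999:16:58:01 -0400] "GET /index.cfm HTTP/1.0" 200 1532
10.0.0.9 - - [30/Apr/1999:16:58:07 -0400] "GET /CFDOCS/sample/page.cfm HTTP/1.0" 200 2211
10.0.0.9 - - [30/Apr/1999:16:58:09 -0400] "GET /cfdocs/sample/?a=b HTTP/1.0" 200 981
10.0.0.9 - - [30/Apr/1999:16:58:12 -0400] "POST /%43%46%44%4f%43%53/x.cfm HTTP/1.0" 200 120
10.0.0.7 - - [30/Apr/1999:16:59:40 -0400] "GET /products/cfdocs.html HTTP/1.0" 200 4410
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def normalize_path(raw_path):
    """Canonicalize a request path: drop the query string, percent-decode
    twice (catches double encoding), fold backslashes to slashes, collapse
    repeated slashes, and lower-case (CFDOCS lives on a case-insensitive FS)."""
    path = raw_path.split('?', 1)[0]
    path = unquote(unquote(path)).replace('\\', '/')
    while '//' in path:
        path = path.replace('//', '/')
    return path.lower()


def is_cfdocs_request(raw_path):
    """True when the request targets the CFDOCS directory or anything below it."""
    path = normalize_path(raw_path)
    return path == '/cfdocs' or path.startswith('/cfdocs/')


def find_cfdocs_hits(log_text):
    """Return (ip, method, normalized_path, status) for each CFDOCS request."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if m and is_cfdocs_request(m['path']):
            hits.append((m['ip'], m['method'], normalize_path(m['path']), m['status']))
    return hits


def summarize_by_client(hits):
    """Count CFDOCS requests per client address, so repeat sources stand out."""
    return Counter(ip for ip, *_ in hits)


if __name__ == '__main__':
    found = find_cfdocs_hits(SAMPLE_LOG)
    for hit in found:
        print(*hit)
    print(summarize_by_client(found))
```

A status of 200 on these paths means the example applications are still installed and reachable; a 404 after removing CFDOCS confirms the first solution above took effect.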
We first addressed these sample application issues in early February. We are contacting customers again because today we received reports of stepped up attacks exploiting these vulnerabilities, and we want to ensure that customers take steps to protect themselves. We apologize that you may have received this letter late on a Friday, but given the importance of this issue, we felt it was necessary to contact customers again today.

Thank you again for choosing ColdFusion. We value your commitment and support. If you have additional questions please feel free to visit our site or email us at info@allaire.com.

Regards,

Steve Clark
Vice President of Marketing, Allaire