Rule 1: All Samples Are Evil

There is no other way to describe this: samples are evil! The simple fact is that sample applications shipped with other software are designed to demonstrate some cool functionality, not to be secure. Examples of problems caused by samples abound:

  • MSADC Sample <http://www.securityfocus.com/bid/529/> This was probably the most famous vulnerability of 1999. In a nutshell, an attacker could pass commands to a Web server through sample databases installed with IIS 4.0 and execute commands on the server. In addition, a component called vbBusObj allowed the same thing, but using a slightly different method that was not fixed in the original patch. Both the sample database and vbBusObj were samples installed by a default install of IIS 4.0.

  • Cold Fusion Expression Evaluator <http://www.securityfocus.com/bid/115> This is probably my favorite sample of all time: the expression evaluator from Cold Fusion 2.x through 4.0. In a nutshell, it allows an attacker to go to a Web form and send commands to the server, which are executed there under the IIS service account (LocalSystem). It is a bit more involved than that, but that is the gist of it.

What this really means is one thing, and it is a fundamental piece of hardening any server application: samples do not belong anywhere near a production system!

All samples should be considered evil and they should never be left, or installed, on a production system.
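The rule above has two practical sides for a defender: verify that no sample locations are being served, and watch the web logs for requests aimed at them, because scanners probe those paths whether or not the samples are still present. The script below is an added example, not code from the book; it takes a list of served URL paths and a set of W3C-format IIS log lines and reports anything under a known sample location. The SAMPLE_PREFIXES list is an assumption: /msadc/ is the directory named on this page, while /iissamples/, /scripts/samples/ and /cfdocs/ are the default IIS 4.0 and Cold Fusion sample and documentation directories as this example's author recalls them, and should be adjusted for the products actually installed. The log lines are constructed for the example.

```python
"""Audit helpers for the "no samples on production" rule (added example).

Two checks a defender can run:
  1. audit_sample_paths(): given the URL paths actually served by a web
     server, return the ones that fall under a known sample location.
  2. scan_iis_log(): given W3C-format IIS log lines, return the requests
     that hit those locations, i.e. the detection side of the same rule.

Assumption: SAMPLE_PREFIXES reflects default IIS 4.0 / Cold Fusion sample
and documentation directories as remembered by the example's author;
adjust it for the product versions in use.
"""
from typing import Iterable, List, Tuple

SAMPLE_PREFIXES = (
    "/msadc/",            # RDS sample/components directory named on the page
    "/iissamples/",       # IIS 4.0 sample site (assumption: default name)
    "/scripts/samples/",  # IIS 4.0 sample IDC/HTX scripts (assumption)
    "/cfdocs/",           # Cold Fusion docs incl. expression evaluator (assumption)
)


def _normalize(path: str) -> str:
    """Lower-case, turn backslashes into slashes and guarantee leading and
    trailing slashes so 'MSADC\\Samples' and '/msadc/samples/' compare equal."""
    p = path.replace("\\", "/").lower()
    if not p.startswith("/"):
        p = "/" + p
    if not p.endswith("/"):
        p += "/"
    return p


def is_sample_path(path: str) -> bool:
    """True if the path lies under one of the known sample prefixes."""
    p = _normalize(path)
    return any(p.startswith(prefix) for prefix in SAMPLE_PREFIXES)


def audit_sample_paths(served_paths: Iterable[str]) -> List[str]:
    """Return the served paths that should not exist on a production box."""
    return sorted({p for p in served_paths if is_sample_path(p)})


IIS_FIELDS_HEADER = "#Fields:"


def scan_iis_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Parse W3C extended log lines as IIS writes them and return
    (c-ip, cs-uri-stem, sc-status) for every request under a sample path.
    Column positions come from the '#Fields:' directive, so the scan works
    with whatever field selection the server was configured to log."""
    idx = {}
    hits = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith(IIS_FIELDS_HEADER):
            names = line[len(IIS_FIELDS_HEADER):].split()
            idx = {name: i for i, name in enumerate(names)}
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if not idx:
            continue  # no field header seen yet, row cannot be interpreted
        cols = line.split()  # W3C encodes embedded spaces as '+', so split is safe
        try:
            ip = cols[idx["c-ip"]]
            stem = cols[idx["cs-uri-stem"]]
            status = cols[idx["sc-status"]]
        except (KeyError, IndexError):
            continue  # row lacks one of the fields we need
        if is_sample_path(stem):
            hits.append((ip, stem, status))
    return hits


# Constructed log excerpt (addresses from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 1999-07-20 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
1999-07-20 10:01:02 192.0.2.10 GET /default.htm 200
1999-07-20 10:01:07 192.0.2.10 GET /images/logo.gif 200
1999-07-20 10:03:15 198.51.100.7 POST /msadc/msadcs.dll 200
1999-07-20 10:03:40 198.51.100.7 GET /iissamples/default/welcome.htm 404
1999-07-20 10:04:02 203.0.113.5 GET /cfdocs/expeval/exprcalc.cfm 200
"""

if __name__ == "__main__":
    for ip, stem, status in scan_iis_log(SAMPLE_LOG.splitlines()):
        flag = "SERVED" if status.startswith("2") else "probe"
        print(f"{flag:6} {ip:15} {stem} ({status})")
```

A 404 against a sample path is still worth noting: it shows someone is looking for the samples, and it is the cheapest possible confirmation that removing them was the right call. A 200 means the sample is live and the rule is being violated.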



Protect Your Windows Network From Perimeter to Data
ISBN: 0321336437
Year: 2006
Pages: 219
