[1][USEMAP] [2][USEMAP] [3][LINK] Allaire Security Bulletin (ASB00-03) Patch Available For Potential Information Exposure By The CFCACHE Tag Originally Posted: January 4, 2000 Last Updated: January 4, 2000 Summary The CFCACHE tag is a feature available in ColdFusion 4.x to perform template caching to increase page delivery performance by intelligently compiling and storing the output of CFML pages for faster access. When this tag is utilized in a .CFM page it creates several temporary files, including one that contains absolute filenames with directory path information, URL parameters and timestamps. In ColdFusion 4.0x, these files are stored in the same directory as the .CFM page, usually in a publicly accessible web document directory. Because these files are accessible to browsers in the web document directory, users wishing to do so could download this file with a browser and obtain information about the web document directory structure or URL parameters used to call site pages that would not otherwise be accessible. Allaire has released a new version of the CFCACHE tag that is also available in ColdFusion 4.5 that allows users to specify a non-web document directory to store the temporary file, making them inaccessible to browsers. Issue When utilized in a .CFM page, the CFCACHE tag creates two types of files: a "cfcache.map" file, containing pointers to temporary cache files, and the temporary cache ".tmp" files themselves, which contain the cached HTML output. The "cfcache.map" file includes absolute filenames with full directory path information, URL parameters and timestamps. In ColdFusion 4.0x, since this map file is stored in the same directory of the cached page, usually in a publicly accessible web document directory, the file is accessible to browsers. Users wishing to do so could download these files with a browser and obtain information about the web document directory structure or URL parameters used to call site pages that would not otherwise be accessible. The CFCACHE tag creates the following files in each web directory from which it is invoked: 1. Multiple .tmp files, which contain the HTML code from a processed .CFM page 2. A single .map file, containing pointers to .tmp files within the directory The .map file includes the following information: 1. Full path for each managed .tmp file in the directory. 2. A timestamp indicating when the cache file was created. 3. A line referring to the requested page and the full URL (including variables) that was passed to it. For example, a sample cfcache.map file might look like this: [product.cfm?product_id=9] Mapping=C:\Inetpub\wwwroot\products\CFC155.tmp SourceTimeStamp=10/06/1999 08:02:06 AM If downloaded, these files expose template path and URL information not normally publicly available that could be used as an additional reconnaissance tool by users with malicious intent. Affected Software Versions · ColdFusion Server 4.0x (all editions) What Allaire is Doing Allaire has published this bulletin notifying customers of the problem. Allaire has also releasing the new CFCACHE tag which will allow site administrators to specify the directory in which the temporary "cfcache.map" and "*.tmp" files are stored, allowing them to store the files in non-public directories to prevent unauthorized access, and has included this new version of the CFCACHE tag in ColdFusion 4.5. [4]Download - ColdFusion CFCACHE.CFM tag file. What Customers Should Do Customers should make a backup copy of their existing CFCACHE.CFM file in the \CFUSION\BIN\CFTags\ directory, then download and copy the new CFCACHE.CFM file into their \CFUSION\BIN\CFTags\ directory, replacing the old CFCACHE.CFM file. They should then modify their site to make use of the new "CacheDirectory" attribute of the tag, specifying a directory that is not part of the web document directory structure and inaccessible to Internet clients. The format of the new attribute is: Note that all tag attributes available to the previously released CFCACHE tag are still available in this new tag. A sample of the new cfcache.map file is below: [C:\Inetpub\wwwroot\index.cfm] Mapping=D:\files\cache\CFC95.tmp SourceTimeStamp=10/18/1999 02:14:28 AM Customers should also closely monitor their web logs for browser HTTP requests for "cfcache.map" and "*.tmp" files as they would requests for files in the /cfdocs or /cfide/administrator directories, treating these requests as malicious reconnaissance probes. Revisions January 4, 2000 -- Bulletin first created. Reporting Security Issues Allaire is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with an Allaire product, please send an email to secure@allaire.com. We will work to appropriately address and communicate the issue. Receiving Security Bulletins When Allaire becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Allaire customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service. For additional information on security issues at Allaire, please visit the Security Zone at: [5]http://www.allaire.com/security THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ALLAIRE CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. < a l l a i r e > Copyright © 1995-2000 Allaire Corp., All rights reserved. [6]Year 2000 (Y2K) [7]Site problems? [8]Service questions? [9]Privacy Policy References 1. LYNXIMGMAP:http://www.allaire.com/handlers/index.cfm?ID=13978&Method=Full#allaireHome 2. LYNXIMGMAP:http://www.allaire.com/handlers/index.cfm?ID=13978&Method=Full#tools 3. javascript:history.back() 4. http://download.allaire.com/AllaireSecurityBulletin(ASB00-03)New4.0xCfcache.zip 5. http://www.allaire.com/security 6. http://www.allaire.com/developer/year2000 7. mailto:webmaster@allaire.com 8. mailto:info@allaire.com 9. http://www.allaire.com/privacy/