K-015: ColdFusion Information Exposure (CFCACHE Tag)

PROBLEM:       Certain files that are not normally publicly available may be
               downloaded and used as system reconnaissance information by
               users with malicious intent.
PLATFORM:      Systems running ColdFusion Server 4.0x (all editions).
DAMAGE:        The information about a server's web document directory
               structure and URL parameters used to call site pages can
               provide useful information for planning an attack on that
               server.
SOLUTION:      Download the new CFCACHE.CFM file and follow the directions
               given in the advisory. The solution has been incorporated in
               ColdFusion 4.5.
VULNERABILITY  The risk is MEDIUM. The information about the vulnerability
ASSESSMENT:    is publically available.


The text of the advisory was taken from the URL http://www.securiteam.com
/windowsntfocus/ColdFusion_Information_Exposure__CFCACHE_Tag_.html on
January 12, 2000.  The text was dated 5/1/2000.

[Start Beyond-Security's SecuriTeam.com Advisory]

Title
ColdFusion Information Exposure (CFCACHE Tag)


Summary
The CFCACHE tag is a feature in ColdFusion 4.x that performs
template caching to increase page delivery performance by
intelligently compiling and storing the output of CFML pages for
faster access. When this tag is utilized in a .CFM page it creates
several temporary files, including one that contains absolute
filenames with directory path information, URL parameters and
timestamps. In ColdFusion 4.0x, these files are stored in the same
directory as the .CFM page, usually in a publicly accessible web
document directory. Because these files are accessible to browsers
in the web document directory, users wishing to do so could download
this file with a browser and obtain information about the web
document directory structure or URL parameters used to call site
pages that would not otherwise be accessible. Allaire has released a
new version of the CFCACHE tag that is also available in ColdFusion
4.5 that allows users to specify a non-web document directory to
store the !


Details
Vulnerable systems:
ColdFusion Server 4.0x (all editions)

When utilized in a .CFM page, the CFCACHE tag creates two types of
files: a "cfcache.map" file, containing pointers to temporary cache
files, and the temporary cache ".tmp" files themselves, which
contain the cached HTML output. The "cfcache.map" file includes
absolute filenames with full directory path information, URL
parameters and timestamps. In ColdFusion 4.0x, since this map file
is stored in the same directory of the cached page, usually in a
publicly accessible web document directory, the file is accessible
to browsers. Users wishing to do so could download these files with
a browser and obtain information about the web document directory
structure or URL parameters used to call site pages that would not
otherwise be accessible.

The CFCACHE tag creates the following files in each web directory
from which it is invoked:

1. Multiple .tmp files, which contain the HTML code from a processed
.CFM page
2. A single .map file, containing pointers to .tmp files within the
directory

The .map file includes the following information:

1. Full path for each managed .tmp file in the directory.
2. A timestamp indicating when the cache file was created.
3. A line referring to the requested page and the full URL
(including variables) that was passed to it.

For example, a sample cfcache.map file might look like this:

  [product.cfm?product_id=9]
  Mapping=C:\Inetpub\wwwroot\products\CFC155.tmp
  SourceTimeStamp=10/06/1999 08:02:06 AM

If downloaded, these files expose template path and URL information
not normally publicly available that could be used as an additional
reconnaissance tool by users with malicious intent.

Patch:
Allaire has published a security bulletin, notifying customers of
the problem. Allaire has also releasing the new CFCACHE tag which
will allow site administrators to specify the directory in which the
temporary "cfcache.map" and "*.tmp" files are stored, allowing them
to store the files in non-public directories to prevent unauthorized
access, and has included this new version of the CFCACHE tag in
ColdFusion 4.5.

Download - ColdFusion CFCACHE.CFM tag file.

Customers should make a backup copy of their existing CFCACHE.CFM
file in the \CFUSION\BIN\CFTags\ directory, then download and copy
the new CFCACHE.CFM file into their \CFUSION\BIN\CFTags\ directory,
replacing the old CFCACHE.CFM file. They should then modify their
site to make use of the new "CacheDirectory" attribute of the tag,
specifying a directory that is not part of the web document
directory structure and inaccessible to Internet clients. The format
of the new attribute is:

    

Note that all tag attributes available to the previously released
CFCACHE tag are still available in this new tag.

A sample of the new cfcache.map file is below:

  [C:\Inetpub\wwwroot\index.cfm]
  Mapping=D:\files\cache\CFC95.tmp
  SourceTimeStamp=10/18/1999 02:14:28 AM

Customers should also closely monitor their web logs for browser
HTTP requests for "cfcache.map" and "*.tmp" files as they would
requests for files in the /cfdocs or /cfide/administrator
directories, treating these requests as malicious reconnaissance
probes.


Additional information
The information was provided by: Allaire Security Zone.

[End Beyond-Security's SecuriTeam.com Advisory]

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)