Vulnerability category: Web server. Severity:
Description
Allaire (Macromedia) ColdFusion is a Web application server. It supports rapid development, publication, and management of Web content.
ColdFusion 4.x includes a tag called CFCACHE. It improves server performance by caching the HTML output of processed CFM pages. When the CFCACHE tag is used in a CFM page, it creates temporary files. Some of these are .tmp files, which contain the actual HTML output. It also creates a cfcache.map file, which holds pointers to the .tmp files, including absolute pathnames, timestamps, and other URL information. This information is potentially harmful if exposed to the public. All of these files are written to the same Web-accessible directory as the CFM file, so they can be retrieved remotely simply by requesting their URL.
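As an added example (not code from the page or from Allaire), the following Python parses a cfcache.map in the INI-style layout shown in the vendor sample quoted in the solution section below and reports which cached .tmp files lie inside the web document root and are therefore fetchable by URL. The sample map contents and the web root C:\Inetpub\wwwroot are constructed: the first entry uses the unpatched default layout (the .tmp beside the .cfm), the second a relocated cache directory. The same containment check is what you want after patching, to confirm that the new CacheDirectory really is outside the document tree.

```python
"""Parse a ColdFusion 4.x cfcache.map and report what it discloses.

Added example, not from the original page or from Allaire. The map layout
(one [source .cfm path] section per cached page, with Mapping= and
SourceTimeStamp= keys) follows the sample in Allaire bulletin ASB00-03.
The map below and the web root path are constructed for illustration.
"""
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed cfcache.map, as an attacker would fetch it from a URL such as
# http://host/somedir/cfcache.map on an unpatched server.
SAMPLE_MAP = """[C:\\Inetpub\\wwwroot\\index.cfm]
Mapping=C:\\Inetpub\\wwwroot\\CFC95.tmp
SourceTimeStamp=10/18/1999 02:14:28 AM
[C:\\Inetpub\\wwwroot\\orders\\list.cfm]
Mapping=D:\\files\\private\\secure\\cache\\CFC96.tmp
SourceTimeStamp=10/18/1999 02:20:01 AM
"""


def parse_cfcache_map(text: str) -> List[Dict[str, str]]:
    """Return one record per [section]: source .cfm, cached .tmp, timestamp."""
    records: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"source": line[1:-1], "mapping": "", "timestamp": ""}
            records.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key == "mapping":
                current["mapping"] = value.strip()
            elif key == "sourcetimestamp":
                current["timestamp"] = value.strip()
    return records


def under_web_root(path: str, web_root: str) -> bool:
    """True if path is web_root or lies below it.

    Windows path semantics: comparisons are case-insensitive, and a path on
    another drive is never inside web_root.
    """
    root = PureWindowsPath(web_root)
    p = PureWindowsPath(path)
    return p == root or root in p.parents


def exposed_cache_files(text: str, web_root: str) -> List[str]:
    """Cached .tmp files whose absolute path sits inside the web root, i.e.
    the rendered HTML of a .cfm that anyone can download by URL."""
    return [
        r["mapping"]
        for r in parse_cfcache_map(text)
        if r["mapping"] and under_web_root(r["mapping"], web_root)
    ]


if __name__ == "__main__":
    for rec in parse_cfcache_map(SAMPLE_MAP):
        print(f'{rec["source"]} -> {rec["mapping"]} ({rec["timestamp"]})')
    print("exposed:", exposed_cache_files(SAMPLE_MAP, "C:\\Inetpub\\wwwroot"))
```

Every record also leaks the server's directory layout (drive letters and absolute paths of the source scripts), which is the reconnaissance value the text refers to even when the .tmp itself has been moved out of the web tree.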
A second vulnerability in CFCACHE makes it possible to remotely halt the Allaire ColdFusion Server by requesting a page that contains a CFCACHE tag and whose cached copy has expired (it is no longer held in memory). The other conditions needed to cause this denial of service reliably are:
- no free request-thread slots at the time the cached page is requested
- knowledge of the cache timeout period
- knowledge of the date/time the page was last cached
- the server's 'Limit Simultaneous Requests' setting (5 is the default)
- a load generator or DoS tool
Most of these requirements can be met by reconnaissance against the server, or sidestepped by making reasonably safe assumptions; for example, an attacker can assume the default settings and estimate the server's traffic level from its popularity.
Impact
By exploiting the first vulnerability, an attacker can retrieve sensitive information (absolute server paths, cache file names and timestamps) that can be used in subsequent attacks against the host, such as file disclosure attacks.
By exploiting the second vulnerability (recall that the default 'Limit Simultaneous Requests' setting is 5), an attacker who sends six simultaneous requests for the same expired cached page can cause the server to stop responding. If this occurs, the ColdFusion service must be restarted to restore normal operation.
Solution
Allaire released a new CFCACHE.CFM file to fix this problem. You can download this file, or upgrade to a newer release, from the Allaire Web site. The new tag ships with ColdFusion 4.5 and lets the administrator specify where the .tmp and cfcache.map files are written, so they can be kept out of the Web document tree. To apply the patch, take the following actions (quoted verbatim from Allaire Security Bulletin ASB00-03, referenced in its entirety in the credit section):

What Customers Should Do

Customers should make a backup copy of their existing CFCACHE.CFM file in the \CFUSION\BIN\CFTags\ directory, then download and copy the new CFCACHE.CFM file into their \CFUSION\BIN\CFTags\ directory, replacing the old CFCACHE.CFM file. They should then modify their site to make use of the new "CacheDirectory" attribute of the tag, specifying a directory that is not part of the web document directory structure and inaccessible to Internet clients. The format of the new attribute is:

    <CFCACHE Action="CACHE" CacheDirectory="D:\files\private\secure\cache">

Note that all tag attributes available to the previously released CFCACHE tag are still available in this new tag. A sample of the new cfcache.map file is below:

    [C:\Inetpub\wwwroot\index.cfm]
    Mapping=D:\files\cache\CFC95.tmp
    SourceTimeStamp=10/18/1999 02:14:28 AM

Customers should also closely monitor their web logs for browser HTTP requests for "cfcache.map" and "*.tmp" files as they would requests for files in the /cfdocs or /cfide/administrator directories, treating these requests as malicious reconnaissance probes.
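The monitoring step in the bulletin's last paragraph, written out as detection logic in Python (an added example, not code from the page or from Allaire): it scans access-log lines for requests for cfcache.map, *.tmp files, and anything under /cfdocs or /cfide/administrator, and reports the client address and the reason. It assumes Apache Common Log Format lines (a ColdFusion 4 host on IIS would need the W3C log layout parsed instead); the log lines below are constructed, and include a percent-encoded cfcache.map request to show why the path must be decoded before matching.

```python
"""Flag web-log requests for ColdFusion cache artefacts and admin paths.

Added example, not from the original page or from Allaire. Implements the
ASB00-03 advice to treat requests for cfcache.map, *.tmp, /cfdocs and
/cfide/administrator as reconnaissance probes. Assumes Apache Common Log
Format; the sample log below is constructed.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote, urlsplit

# Constructed access-log excerpt: one ordinary visitor (10.0.0.5, 10.0.0.7)
# and one client (10.0.0.9) walking through the probes the bulletin names.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Oct/1999:02:14:30 -0500] "GET /index.cfm HTTP/1.0" 200 1532
10.0.0.9 - - [18/Oct/1999:02:15:02 -0500] "GET /cfcache.map HTTP/1.0" 200 211
10.0.0.9 - - [18/Oct/1999:02:15:05 -0500] "GET /CFC95.tmp HTTP/1.0" 200 1532
10.0.0.9 - - [18/Oct/1999:02:15:09 -0500] "GET /CFIDE/administrator/index.cfm HTTP/1.0" 403 0
10.0.0.9 - - [18/Oct/1999:02:15:12 -0500] "GET /cfdocs/ HTTP/1.0" 404 0
10.0.0.7 - - [18/Oct/1999:02:16:00 -0500] "GET /images/logo.gif HTTP/1.0" 200 4096
10.0.0.9 - - [18/Oct/1999:02:16:30 -0500] "GET /orders/cfcache%2Emap?x=1 HTTP/1.0" 200 300
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def probe_reason(target: str) -> str:
    """Return why a request target is suspicious, or '' if it is not.

    The query string is dropped, percent-encoding decoded and case folded
    first, so 'cfcache%2Emap?x=1' and 'CFIDE/Administrator' still match.
    """
    path = unquote(urlsplit(target).path).lower()
    name = path.rsplit("/", 1)[-1]
    if name == "cfcache.map":
        return "cfcache.map requested"
    if name.endswith(".tmp"):
        return "cached .tmp requested"
    if path.startswith("/cfdocs/"):
        return "/cfdocs probe"
    if path.startswith("/cfide/administrator"):
        return "/cfide/administrator probe"
    return ""


def find_probes(log_text: str) -> List[Tuple[str, str, str]]:
    """(client ip, request target, reason) for every suspicious request.

    Lines that do not parse as CLF are skipped rather than raising, so a
    single malformed entry does not stop a scan of a large log.
    """
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        reason = probe_reason(m.group("target"))
        if reason:
            hits.append((m.group("ip"), m.group("target"), reason))
    return hits


if __name__ == "__main__":
    for ip, target, reason in find_probes(SAMPLE_LOG):
        print(f"{ip:12} {reason:28} {target}")
```

Matching on the decoded, case-folded path is the point that naive grep-style rules miss: a 200 response to a .tmp or cfcache.map request is also worth alerting on separately, since it means the cache files are still inside the document tree.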