Allaire ColdFusion 4.0x CFCACHE Vulnerability
Solution: Allaire has released a new CFCACHE.CFM to remedy this problem. It can be downloaded at:

http://download.allaire.com/AllaireSecurityBulletin(ASB00-03)New4.0xCfcache.zip

This new .cfm has been included with ColdFusion 4.5, and allows the administrator to specify the location of the .tmp and cfcache.map files. To implement this patch, take the following actions (quoted verbatim from Allaire Security Bulletin ASB00-03, referenced in its entirety in the credit section):

What Customers Should Do

Customers should make a backup copy of their existing CFCACHE.CFM file in the \CFUSION\BIN\CFTags\ directory, then download and copy the new CFCACHE.CFM file into their \CFUSION\BIN\CFTags\ directory, replacing the old CFCACHE.CFM file. They should then modify their site to make use of the new "CacheDirectory" attribute of the tag, specifying a directory that is not part of the web document directory structure and inaccessible to Internet clients.

The format of the new attribute is:

    <CFCACHE Action="CACHE" CacheDirectory="D:\files\private\secure\cache">

Note that all tag attributes available to the previously released CFCACHE tag are still available in this new tag.

A sample of the new cfcache.map file is below:

    [C:\Inetpub\wwwroot\index.cfm]
    Mapping=D:\files\cache\CFC95.tmp
    SourceTimeStamp=10/18/1999 02:14:28 AM

Customers should also closely monitor their web logs for browser HTTP requests for "cfcache.map" and "*.tmp" files as they would requests for files in the /cfdocs or /cfide/administrator directories, treating these requests as malicious reconnaissance probes.
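The log monitoring recommended above can be automated. The following Python script is an added example, not part of the Allaire bulletin: it assumes web logs in NCSA Common Log Format, and the function names and sample log lines are constructed for illustration. It flags requests for cfcache.map, *.tmp, /cfdocs and /cfide/administrator, and marks any that the server answered with status 200.

```python
import re
from urllib.parse import unquote

# Assumption: NCSA Common Log Format, e.g.
#   client - - [time] "GET /path HTTP/1.0" status bytes
REQUEST_RE = re.compile(
    r'^(\S+) .*?"[A-Z]+ (\S+)(?: HTTP/[\d.]+)?" (\d{3}) ')

# Paths the bulletin says to treat as reconnaissance probes.
PROBE_RE = re.compile(
    r'/cfcache\.map$|\.tmp$|^/cfdocs(?:/|$)|^/cfide/administrator(?:/|$)',
    re.IGNORECASE)  # Windows file names are case-insensitive

def normalize(target):
    """Decode a request target to a plain path without its query string."""
    path = unquote(target.split("?", 1)[0])    # %2E -> "."
    path = path.replace("\\", "/")             # backslash as separator
    return re.sub(r"/{2,}", "/", path)         # collapse repeated slashes

def find_probes(lines):
    """Return (client, path, status, served) for each probe request.

    served is True when the status was 200, i.e. the file was delivered
    and the cache directory is still reachable by web clients.
    """
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request entry
        client, status = m.group(1), int(m.group(3))
        path = normalize(m.group(2))
        if PROBE_RE.search(path):
            hits.append((client, path, status, status == 200))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Oct/1999:02:14:28 -0400] "GET /index.cfm HTTP/1.0" 200 5120',
    '198.51.100.7 - - [18/Oct/1999:02:15:01 -0400] "GET /cfcache.map HTTP/1.0" 200 212',
    '198.51.100.7 - - [18/Oct/1999:02:15:03 -0400] "GET /CFC95.TMP HTTP/1.0" 200 5120',
    '198.51.100.7 - - [18/Oct/1999:02:15:05 -0400] "GET /app/cfcache%2Emap?x=1 HTTP/1.0" 404 0',
    '203.0.113.5 - - [18/Oct/1999:02:16:00 -0400] "GET /cfdocs/index.htm HTTP/1.0" 404 0',
    '192.0.2.10 - - [18/Oct/1999:02:17:00 -0400] "GET /template.cfm HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for client, path, status, served in find_probes(SAMPLE_LOG):
        print(client, path, status, "SERVED" if served else "probe")
```

A hit with status 200 on cfcache.map or a .tmp file means the cache files are still being served from the web document tree and the CacheDirectory change has not taken effect for that site.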