Allaire Security Bulletin (ASB00-03)
                  Patch Available For Potential Information Exposure By The CFCACHE Tag

                  Originally Posted: January 4, 2000
                  Last Updated: January 4, 2000

                  Summary
                  The CFCACHE tag is a feature available in ColdFusion 4.x to perform template caching to
                  increase page delivery performance by intelligently compiling and storing the output of CFML
                  pages for faster access. When this tag is utilized in a .CFM page it creates several temporary
                  files, including one that contains absolute filenames with directory path information, URL
                  parameters and timestamps. In ColdFusion 4.0x, these files are stored in the same directory as
                  the .CFM page, usually in a publicly accessible web document directory. Because these files are
                  accessible to browsers in the web document directory, users wishing to do so could download
                  this file with a browser and obtain information about the web document directory structure or
                  URL parameters used to call site pages that would not otherwise be accessible. Allaire has
                  released a new version of the CFCACHE tag that is also available in ColdFusion 4.5 that allows
                  users to specify a non-web document directory to store the temporary file, making them
                  inaccessible to browsers. 

                  Issue
                  When utilized in a .CFM page, the CFCACHE tag creates two types of files: a "cfcache.map"
                  file, containing pointers to temporary cache files, and the temporary cache ".tmp" files
                  themselves, which contain the cached HTML output. The "cfcache.map" file includes absolute
                  filenames with full directory path information, URL parameters and timestamps. In ColdFusion
                  4.0x, since this map file is stored in the same directory of the cached page, usually in a publicly
                  accessible web document directory, the file is accessible to browsers. Users wishing to do so
                  could download these files with a browser and obtain information about the web document
                  directory structure or URL parameters used to call site pages that would not otherwise be
                  accessible.

                  The CFCACHE tag creates the following files in each web directory from which it is invoked:

                     1.Multiple .tmp files, which contain the HTML code from a processed .CFM page 
                     2.A single .map file, containing pointers to .tmp files within the directory 

                  The .map file includes the following information:

                     1.Full path for each managed .tmp file in the directory. 
                     2.A timestamp indicating when the cache file was created. 
                     3.A line referring to the requested page and the full URL (including variables) that was
                       passed to it. 

                  For example, a sample cfcache.map file might look like this:

                     [product.cfm?product_id=9]
                     Mapping=C:\Inetpub\wwwroot\products\CFC155.tmp
                     SourceTimeStamp=10/06/1999 08:02:06 AM 

                  If downloaded, these files expose template path and URL information not
                  normally publicly available that could be used as an additional
                  reconnaissance tool by users with malicious intent.

                  Affected Software Versions
                  · ColdFusion Server 4.0x (all editions)

                  What Allaire is Doing
                  Allaire has published this bulletin notifying customers of the problem. Allaire
                  has also releasing the new CFCACHE tag which will allow site administrators
                  to specify the directory in which the temporary "cfcache.map" and "*.tmp" files
                  are stored, allowing them to store the files in non-public directories to prevent
                  unauthorized access, and has included this new version of the CFCACHE tag
                  in ColdFusion 4.5.

                       Download - ColdFusion CFCACHE.CFM tag file. 

                  What Customers Should Do
                  Customers should make a backup copy of their existing CFCACHE.CFM file in
                  the \CFUSION\BIN\CFTags\ directory, then download and copy the new
                  CFCACHE.CFM file into their \CFUSION\BIN\CFTags\ directory, replacing the
                  old CFCACHE.CFM file. They should then modify their site to make use of the
                  new "CacheDirectory" attribute of the tag, specifying a directory that is not
                  part of the web document directory structure and inaccessible to Internet
                  clients. The format of the new attribute is: 

                         <CFCACHE Action="CACHE" 
                            CacheDirectory="D:\files\private\secure\cache"> 

                  Note that all tag attributes available to the previously released CFCACHE tag
                  are still available in this new tag.

                  A sample of the new cfcache.map file is below:

                     [C:\Inetpub\wwwroot\index.cfm]
                     Mapping=D:\files\cache\CFC95.tmp
                     SourceTimeStamp=10/18/1999 02:14:28 AM

                  Customers should also closely monitor their web logs for browser HTTP
                  requests for "cfcache.map" and "*.tmp" files as they would requests for files in
                  the /cfdocs or /cfide/administrator directories, treating these requests as
                  malicious reconnaissance probes. 

                  Revisions
                  January 4, 2000 -- Bulletin first created.

                  Reporting Security Issues
                  Allaire is committed to addressing security issues and providing customers
                  with the information on how they can protect themselves. If you identify what
                  you believe may be a security issue with an Allaire product, please send an
                  email to secure@allaire.com. We will work to appropriately address and
                  communicate the issue. 

                  Receiving Security Bulletins
                  When Allaire becomes aware of a security issue that we believe significantly
                  affects our products or customers, we will notify customers when appropriate.
                  Typically this notification will be in the form of a security bulletin explaining the
                  issue and the response. Allaire customers who would like to receive
                  notification of new security bulletins when they are released can sign up for
                  our security notification service. 

                  For additional information on security issues at Allaire, please visit the
                  Security Zone at:
                  http://www.allaire.com/security

                  THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF
                  ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
                  WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL
                  ALLAIRE CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING
                  DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
                  EVEN IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
                  DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
                  CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.