Why should one be careful about securing ColdFusion ARchive (CAR) files?
Note: This blog post is from 2020. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

You may hear (starting today) about a new admonition (a "strong recommendation") from Adobe that one should be careful to "delete CAR files once they are used". What's that about? And why is it a concern? (And is it ever NOT a concern?) Indeed, why is it a new admonition? (To be clear: the recommendation should be heeded even by those using CF versions BEFORE this update and older versions like 11, 10, and so on.)
https://coldfusion.a...
I did it primarily to bring attention to the matter, but a secondary benefit of that smaller post is that some may prefer seeing (and sharing) a brief post rather than such a large one as this. :-)
I like the idea of limiting this feature from “sub-admin” accounts
In fact, I am realizing now that I left that to folks' imaginations, but I should have been more specific. So I just created a new section, "Should I perhaps add my own password/encryption to the file?", acknowledging your helpful comment here and noting your idea and a bit more. Again, thanks.
From my blog: "I can confirm that .car files created in CF11 do NOT contain those ['seed' and 'algorithm'] strings. But before you start celebrating, I must warn you that this probably means that the situation is even worse than for more recent versions. Because CF11 will write (encrypted) passwords into a .car file, and yes: those files can be used to reconfigure another server, passwords included! Which probably means that all CF11 runtimes use the same seed and algorithm, rendering CF11 .car files containing passwords even more insecure than later versions…"
All details on https://nukleos.word...
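The recurring practical point in the post and the comments is housekeeping: a .car file is a portable copy of server settings (in CF11, including encrypted passwords), so any copy left on disk after the settings have been imported is a liability. The script below is an added example, not code from this blog, from Adobe or from the commenter's blog. It walks a directory tree, reports every .car file with its size and age, flags files older than a threshold as candidates for deletion, and notes whether the 'seed' and 'algorithm' strings mentioned in the thread occur in the raw bytes. That string check is an assumption drawn only from the comment above (a hint about which CF version produced the file, not a documented format property); the sample directory it builds is constructed for the dry run and is not real ColdFusion output.

```python
"""Housekeeping check for leftover ColdFusion ARchive (.car) files.

Added illustration, not code from the blog post, from Adobe or from the
commenter's blog. It lists every .car file under a directory, flags those
older than a chosen threshold, and reports whether the 'seed'/'algorithm'
strings discussed in the comments appear in the file (a heuristic only).
"""
import os
import tempfile
import time
from pathlib import Path

# Strings the comment thread reports in .car files from newer CF versions.
# Assumption: their presence is only a hint, not proof of what the file holds.
MARKERS = (b"seed", b"algorithm")


def inspect_car(path: Path, now: float, max_age_days: float) -> dict:
    """Summarise one .car file: size, age in days and which markers occur."""
    data = path.read_bytes()
    age_days = (now - path.stat().st_mtime) / 86400.0
    return {
        "name": path.name,
        "path": str(path),
        "size": len(data),
        "age_days": round(age_days, 2),
        "markers": [m.decode() for m in MARKERS if m in data],
        # Older than the threshold means it should already have been deleted.
        "stale": age_days > max_age_days,
    }


def find_car_files(root, max_age_days: float = 1.0) -> list:
    """Return a report dict for every *.car file under root, sorted by path."""
    now = time.time()
    reports = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".car"):
                reports.append(inspect_car(Path(dirpath) / name, now, max_age_days))
    return sorted(reports, key=lambda r: r["path"])


def stale_car_files(root, max_age_days: float = 1.0) -> list:
    """Paths of .car files older than the threshold: candidates for deletion."""
    return [r["path"] for r in find_car_files(root, max_age_days) if r["stale"]]


def build_sample_dir() -> str:
    """Constructed sample tree (not real CF output) for a dry run."""
    root = tempfile.mkdtemp(prefix="car-check-")
    fresh = Path(root) / "deploy" / "settings.car"
    fresh.parent.mkdir()
    fresh.write_bytes(b"<constructed>seed ... algorithm</constructed>")
    old = Path(root) / "old-settings.car"
    old.write_bytes(b"constructed legacy content without marker words")
    ten_days_ago = time.time() - 10 * 86400
    os.utime(old, (ten_days_ago, ten_days_ago))  # backdate to make it stale
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    for report in find_car_files(sample, max_age_days=1.0):
        flag = "STALE " if report["stale"] else "      "
        print(f"{flag}{report['path']} {report['size']}B "
              f"{report['age_days']}d markers={report['markers']}")
```

Point the script at the directories where archives are usually dropped (upload folders, deployment staging areas, home directories of administrators) and treat every stale hit as something to delete or, if it must be kept, to move off the server and protect as you would any other file containing credentials.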