
Why should one be careful about securing ColdFusion ARchive (CAR) files?

Note: This blog post is from 2020. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
You may hear (starting today) about a new admonition (a "strong recommendation") from Adobe that one should be careful to "delete CAR files once they are used". What's that about? And why is it a concern? (And is it ever NOT a concern?) Indeed why is it a new admonition? (To be clear: the recommendation should be heeded even by those using CF versions BEFORE this update and older versions like 11, 10, and so on.)


Comments
If it may interest any readers here, I have also posted an entry on the Adobe CF portal, which is more brief, offering the TLDR-level info, and pointing to this post for more:
https://coldfusion.a...

I did it primarily to bring attention to the matter, but a secondary benefit of that smaller post is that some may prefer seeing (and sharing) a brief post rather than such a large one as this. :-)
Great information! I have been using CAR files for many years. Would it be prudent to also zip/rar them again with encryption and password protection before propagating them to the other server(s)? You would need to extract the CAR from this zip/rar on the destination in order to import it, then delete the CAR after importing.
I like the idea of limiting this feature from "sub-admin" accounts.
Thanks, Bill. And yep, that would be a good idea, and an example of another way to secure the file (especially before passing it around from server to server).

In fact, I am realizing now that I left that to folks' imaginations, but I should have been more specific. So I just created a new section, "Should I perhaps add my own password/encryption to the file?", acknowledging your helpful comment here and noting your idea and a bit more. Again, thanks.
Thanks for explaining the situation, Charlie. Allow me to add a bit of info about earlier versions.

From my blog: "I can confirm that .car files created in CF11 do NOT contain those ['seed' and 'algorithm'] strings. But before you start celebrating, I must warn you that this probably means that the situation is even worse than for more recent versions. Because CF11 will write (encrypted) passwords into a .car file, and yes: those files can be used to reconfigure another server, passwords included! Which probably means that all CF11 runtimes use the same seed and algorithm, rendering CF11 .car files containing passwords even more insecure than later versions…"

All details on https://nukleos.word...
# Posted By Wouter | 7/16/20 4:15 AM
Yep, that's a good clarification, and yes, it's that before then, CF had a fixed seed. That's indicated in some of the other resources I alluded to, where people talk about taking advantage of such vulns. I didn't want to elaborate, but yours is a fair one to point out. Thanks.
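The thread above makes two points a server admin can act on: CAR files should not be left lying around after import (Bill's comment), and depending on the CF version they may carry encrypted passwords along with 'seed' and 'algorithm' strings (Wouter's comment). The following audit script is an added example, not code from the post or its commenters; it assumes a CAR file is a zip container of XML settings files, and the sample archive it scans is constructed inline.

```python
import io
import os
import time
import zipfile

# Strings the comments above associate with exported credentials.
# Their presence is a reason to treat a leftover CAR file as sensitive.
MARKERS = (b"seed", b"algorithm", b"password")


def scan_car(data: bytes) -> dict:
    """Inspect one CAR export (assumed zip container) and report which
    sensitive markers appear in any member file."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"is_zip": False, "markers": []}
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            content = zf.read(name).lower()
            found.update(m.decode() for m in MARKERS if m in content)
    return {"is_zip": True, "markers": sorted(found)}


def find_stale_cars(root: str, max_age_days: float = 1.0, now=None) -> list:
    """Walk `root` and return .car files older than max_age_days, each with
    its scan result, so they can be reviewed and deleted after import."""
    now = time.time() if now is None else now
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".car"):
                continue
            path = os.path.join(dirpath, fn)
            age_days = (now - os.path.getmtime(path)) / 86400
            if age_days >= max_age_days:
                with open(path, "rb") as fh:
                    info = scan_car(fh.read())
                info.update(path=path, age_days=round(age_days, 1))
                results.append(info)
    return results


def make_sample_car(with_markers: bool) -> bytes:
    """Constructed sample standing in for a CAR export (not a real CF file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        body = "<datasource><password>ENC:sample</password>"
        if with_markers:
            body += "<seed>sample</seed><algorithm>sample</algorithm>"
        zf.writestr("datasources.xml", body + "</datasource>")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_car(make_sample_car(True)))
```

Run `find_stale_cars("/path/to/cf/exports")` against the directory where CAR files are exported or imported to list the ones that should already have been deleted.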
Copyright ©2024 Charlie Arehart