If you saw the news today (July 14, 2020) about the new updates for CF2018 and 2016, you may have read seen the new admonition (a “strong recommendation”) from Adobe that one should be careful to “delete CAR files once they are used”.
What’s that about? And why is it a concern? (And is it ever NOT a concern?) Indeed why is it a new admonition? (To be clear: the recommendation should be heeded even by those using CF versions BEFORE this update and older versions like 11, 10, and so on.)
The bottom line is this: If you create (or are given) a CF “CAR” (ColdFusion ARchive) file, you should treat that as a file that contains passwords, as technically it will, if what was exported into it was in fact any CF Admin setting which holds a password (there are several).
No, the passwords are not in plain text within the CAR (which is just a zip). But the info needed to decrypt the passwords is in that file, and the when that CAR is imported into a different CF Admin, the passwords will be enabled there. Perhaps more dismaying, a savvy coder could easily use that info to convert the “encrypted” passwords into plain text in a single line of code. So one SHOULD indeed take care to secure such CAR files (if not delete them after use).
Is the concern really unique to CAR files alone? And is deleting the CAR files the only way to “secure” them? No, but a difference is that CAR files may be passed around in a way that other “sensitive” CF files would not be. Indeed, what about the process of simply transporting them from one server to another? Should you be as concerned about that?
And what if you don’t WANT to delete them, because they hold the CF Admin settings of record for an old CF instance you are removing? And should you be concerned that a colleague also accessing your CF Admin might now use the info identified here to try to obtain a CAR file and use it in ways they should not? And what can you do to limit that? Finally, what about other tools that can save/transfer admin settings, like CFConfig in commandbox?
If you’re interested in all this (and if you or anyone on your server uses the CF Archive mechanism at all, you should be), I have posted a more elaborated blog entry on my own site addressing all those points. Of course, I’ll also explain what CAR files are used for, if you’re not familiar. I also share some observations about how I think the warning could be improved. Either way, do heed the warning, and check out my post to learn more on why.