ColdFusion Server Security Report

Operating System: CentOS
Web Server: Apache/2.2.3 (CentOS)
ColdFusion Version: 8,0,1,195765

We found 11 security issues on your server example.com

critical
Apache Double Encoded Null Byte Vulnerability
CVE-2009-1876 detected. Apply the Apache wsconfig.jar hotfix in Adobe Security Notice apsb09-12. This hotfix is only required for ColdFusion servers using the Apache Web Server.
More Information: http://www.adobe.com/support/security/bulletins/apsb09-12.html
critical
BlazeDS/AMF XML External Entity Injection
CVE-2009-3960 detected. You must apply the hotfix specified in Adobe Security Bulletin APSB10-05; otherwise an attacker can read any file on the server that ColdFusion has permission to read. You need to do this even if you don't use BlazeDS or Flash Remoting, because it is enabled in CF by default.
More Information: http://kb2.adobe.com/cps/822/cpsid_82241.html
critical
File Upload Vulnerability in CF8 FCKeditor
FCKeditor file upload connector appears to be enabled. This would allow any remote user to upload files to your server.
More Information: http://www.adobe.com/support/security/bulletins/apsb09-09.html
critical
SSL Version 2 Enabled
Your Web Server is accepting SSL V2 connections, a weak protocol. For PCI compliance and strong security, you must disable this protocol on your web server.
More Information: http://foundeo.com/products/iis-weak-ssl-ciphers/
critical
Cross Site Scripting Vulnerability CVE-2010-1293
CVE-2010-1293 detected. Apply the hotfixes located in Adobe Security Bulletin APSB10-11.
More Information: http://www.adobe.com/support/security/bulletins/apsb10-11.html
important
ColdFusion Administrator is Public
ColdFusion Administrator should be restricted by IP or blocked with Web Server password protection. Also consider requiring an SSL connection.
More Information: http://www.petefreitag.com/item/750.cfm
important
CFTOKEN is not a UUID
CFTOKEN should be set to use a UUID in the ColdFusion Administrator. Session IDs may be very easy to guess if UUIDs are not used.
important
Solr Search Service Exposed
CVE-2010-0185 detected. ColdFusion 9 Apache Solr services are exposed to the public. Any data in solr search collections may be exposed to the public. Follow the instructions in APSB10-04 to remedy.
More Information: http://www.adobe.com/support/security/bulletins/apsb10-04.html
important
RDS is Enabled over HTTP
RDS should be restricted to HTTPS (SSL) connections only, or disabled on production servers.
important
CVE-2010-2861 Detected
Path Traversal Vulnerability detected (CVE-2010-2861, APSB10-18). This allows an attacker to read any file on the server's file system that ColdFusion has access to (within the same drive on Windows).
More Information: http://www.adobe.com/support/security/bulletins/apsb10-18.html
warning
ColdFusion Documentation Public
The ColdFusion Server Documentation is public at /cfdocs/dochome.htm; this reveals the ColdFusion server version you are using.

Please note, this tool is not able to test for all potential security issues that may exist. It simply points out issues that it can detect.

Need Help Securing Your Server?

Need a ColdFusion security expert to review your code or server? Foundeo Inc. can help you patch your server or check it for additional security vulnerabilities or review your ColdFusion source code. Contact Us to get started.

Is your CFML Code Secure?

Foundeo Inc. can help review your source code to find security vulnerabilities. Contact Us for pricing.

We also have a CFML Security Checklist PDF you can purchase for $9.99 to help you audit your source code.

Severity Key

Critical
Found 5 Critical Issues
These issues pose a significant security risk. It is imperative that they are resolved at once.

Important
Found 5 Important Issues
These issues may have a security risk in certain conditions. It is recommended that you resolve them.

Warning
Found 1 Warning
You should consider fixing these issues, however, they do not pose a large risk.
