List of ColdFusion Security Issues & Vulnerabilities Detected
Here's a list of ColdFusion Security Problems, Issues and Vulnerabilities that this site can detect.
This list is updated frequently as we add detections. Note that we cannot detect every issue in all cases on all servers, so a clean result does not prove that an issue has been patched.
Signup for our Automated ColdFusion Security Scanning Service to stay up to date.
- Session Cookies are not marked HttpOnly - Marking the session cookies HttpOnly prevents JavaScript (for example a script injected via an XSS attack) from reading them in modern browsers, which makes session hijacking through XSS much harder.
- ColdFusion 9 Update Available - You may not be running the latest version of ColdFusion 9, consider updating to ColdFusion 9.0.1
- BlazeDS/AMF XML External Entity (XXE) Injection - CVE-2009-3960 detected. You must apply the hotfix specified in Adobe Security Bulletin APSB10-05, otherwise an attacker can read any file on the server that ColdFusion has permission to read. You need to do this even if you don't use BlazeDS or Flash Remoting, because it is enabled in CF by default.
- ColdFusion Example Applications Installed - The ColdFusion example applications are installed at /cfdocs/exampleapps/, they should not be installed on a production server.
- Hotfix Install Error Detected - We detected a problem with the installation of your hotfix. Please confirm that you have followed all steps.
- Security Hotfix APSB11-04 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB11-04 was not found to be installed on your server. This hotfix also contains most prior security hotfixes.
- Railo Administrator is Public - Railo Administrator should be restricted by IP or blocked with Web Server password protection. Also consider requiring an SSL connection.
- File Upload Vulnerability in CF8 FCKeditor - The cf5_upload.cfm and cf5_connector.cfm files must be deleted. Otherwise a remote user may be able to upload a CFM file to the server. The apsb09-09 hotfix was not applied or all of its steps were not completed.
- Cross Site Scripting Vulnerability CVE-2009-1877 - CVE-2009-1877 detected. Apply the hotfixes located in Adobe Security Notice apsb09-12
- CFTOKEN is not a UUID - CFTOKEN should be set to use a UUID in the ColdFusion Administrator. The default numeric CFTOKEN is short and predictable, so session ids may be very easy to guess if UUIDs are not used.
- ColdFusion Update Available - You may not be running the latest version of ColdFusion 6, consider updating to ColdFusion MX 6.1
- Hotfix APSB11-29 Not Installed - Apply the hotfixes located in Adobe Security Notice apsb11-29.
- Robust Exception Information is Enabled - Robust Exception Information is enabled which leads to path disclosure and partial source code disclosure
- RDS is Enabled over HTTP - RDS should be restricted to HTTPS (SSL) connections only, or disabled on production servers.
- The JVM is Running under a Privileged User Account - The JVM process is running under a system administrative account (eg SYSTEM, Administrator, or root). ColdFusion should be running under an unprivileged user account.
- Cross Site Scripting Vulnerability CVE-2007-0817 - CVE-2007-0817 detected. Apply the hotfixes located in Adobe Security Notice APSB07-04
- Vulnerability in Railo Version - The version of Railo you are using contains known security vulnerabilities, please update to the latest version.
- Security Hotfix APSB12-06 Not Installed - The security hotfix referenced in Adobe Security Bulletin APSB12-06 was not found to be installed on your server.
- SSL Version 2 Enabled - Your Web Server is accepting SSL v2 connections, a weak protocol. For PCI DSS compliance and strong security you must disable this protocol on your web server.
- ColdFusion Documentation Public - The ColdFusion Server Documentation is public at /cfdocs/dochome.htm, which identifies the ColdFusion server version you are using.
- Apache 2.2 Security Update Available - The version of Apache you are running does not contain the most recent security fixes.
- Hotfix APSB11-14 Not Installed - Apply the hotfixes located in Adobe Security Notice apsb11-14.
- The /CFIDE/scripts directory is in the default location - Consider changing the default location of /CFIDE/scripts/ by changing the value of the Default Script Src setting in the ColdFusion Administrator.
- WEB-INF is Exposed - A request for /WEB-INF/web.xml returned the contents of the file. The WEB-INF directory is necessary for ColdFusion to function, but should not be public (it may contain passwords or other system information).
- Exposed _mmServerScripts - You have a _mmServerScripts folder from Dreamweaver that allows remote execution. These scripts disclose information and may also allow remote SQL execution. Delete all _mmServerScripts folders.
- JSON Prefix is disabled - The "Prefix serialized JSON with: //" setting is not enabled in the ColdFusion Administrator. This is recommended for preventing JSON hijacking: with the prefix, a response loaded by an attacker's page through a script tag is treated as a JavaScript comment, while your own code strips the prefix before parsing.
- ColdFusion Update Available - You may not be running the latest version of ColdFusion 7. Update to ColdFusion 7.0.2 (ColdFusion 7 Update 2) and apply Cumulative Hot Fix 3 for additional security fixes.
- File Upload Vulnerability in CF8 FCKeditor - FCKeditor file upload connector appears to be enabled. This would allow any remote user to upload files to your server.
- XSS Injection in cfform.js - A document.write call was found in your /CFIDE/scripts/cfform.js file. An attacker may have injected JavaScript into it; please check your cfform.js file.
- CVE-2010-2861 Detected - Path Traversal Vulnerability detected (CVE-2010-2861, APSB10-18). This allows an attacker to read any file on the server's file system that ColdFusion has access to (within the same drive on Windows).
- Apache Double Encoded Null Byte Vulnerability - CVE-2009-1876 detected. Apply the Apache wsconfig.jar hotfix in Adobe Security Notice apsb09-12. This hotfix is only required for ColdFusion servers using the Apache Web Server.
- Server Software Disclosure - Your web server responds to each request with an unnecessary HTTP header X-Powered-By which contains information about software installed on the server. This information may be used to target your site as vulnerabilities become known.
- ColdFusion Update Available - You may not be running the latest version of ColdFusion 8, consider updating to ColdFusion 8.0.1
- OpenSSL Security Update Available - The version of OpenSSL you are running does not contain the most recent security fixes.
- Cross Site Scripting Vulnerability CVE-2011-4368 - CVE-2011-4368 detected. Apply the hotfix located in Adobe Security Notice apsb11-29.
- Cross Site Scripting Vulnerability CVE-2009-1872 - CVE-2009-1872 detected. Apply the hotfixes located in Adobe Security Notice apsb09-12
- Cross Site Scripting Vulnerability CVE-2010-1293 - CVE-2010-1293 detected. Apply the hotfixes located in Adobe Security Notice apsb10-11
- ColdFusion Administrator is Public - ColdFusion Administrator should be restricted by IP or blocked with Web Server password protection. Also consider requiring an SSL connection.
- JVM DOS Vulnerability CVE-2010-4476 Detected - The JVM version you are using is vulnerable to a Denial of Service Attack. This issue has been fixed in Java Version 1.6.0_24, Adobe has also certified this JVM for use with ColdFusion 8.0-9.0.1
- Cross Site Scripting Vulnerability CVE-2011-0583 - CVE-2011-0583 detected. Apply the hotfixes located in Adobe Security Notice apsb11-04. The detection of this vulnerability also indicates to a high degree of likelihood that the following vulnerabilities may also exist: CVE-2011-0580, CVE-2011-0581, CVE-2011-0582, CVE-2011-0584
- OpenSSL Record of Death CVE-2010-0740 - CVE-2010-0740 detected. The version of OpenSSL you are running (version 0.9.8f through 0.9.8m) allows remote attackers to cause a denial of service (crash) via a malformed record in a TLS connection.
- Server Header Version Disclosure - The HTTP Server header is disclosing version numbers. An attacker may use this to identify your server as vulnerabilities become known matching the version you are using.
- File Upload Vulnerability in FCKeditor - FCKeditor file upload connector appears to be enabled on standalone install at /FCKeditor/. This would allow any remote user to upload files to your server.
- Solr Search Service Exposed - CVE-2010-0185 detected. ColdFusion 9 Apache Solr services are exposed to the public. Any data in solr search collections may be exposed to the public. Follow the instructions in APSB10-04 to remedy, or upgrade to ColdFusion 9.0.1.
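As an added example (this is not code from the scanning service described on this page), here is a small Python script that applies several of the passive checks listed above to a captured HTTP response: session cookies without HttpOnly, a CFTOKEN that is not a UUID, an X-Powered-By header, a Server header that carries a version number, and a JSON body without the // prefix. The two responses are constructed for the example, not captured from a real server; the 8-4-4-16 hex layout checked for CFTOKEN is the one ColdFusion's createUUID() produces, and the check ids and function names are the example's own.

```python
import json
import re

# Constructed sample response from a hypothetical ColdFusion host that shows
# several of the weak settings listed above (not captured from a real server).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (Unix)\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Set-Cookie: CFID=1234567; path=/\r\n"
    "Set-Cookie: CFTOKEN=87654321; path=/\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"user":"alice","balance":42}'
)

# The same endpoint after the settings have been corrected (also constructed).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: CFID=1234567; path=/; HttpOnly\r\n"
    "Set-Cookie: CFTOKEN=E1C4A2F0-7B3D-4A9E-B6F5D8C2A1E3F7B9; path=/; HttpOnly\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '//{"user":"alice","balance":42}'
)

# ColdFusion's createUUID() format: 8-4-4-16 hex digits (35 characters).
CF_UUID_RE = re.compile(r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{16}$", re.I)
# Any "major.minor" number in the Server header counts as version disclosure.
VERSION_RE = re.compile(r"\d+\.\d+")
# Cookies ColdFusion uses to identify a session (JSESSIONID for J2EE sessions).
SESSION_COOKIES = {"CFID", "CFTOKEN", "JSESSIONID"}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def parse_set_cookie(value):
    """Return (cookie name, cookie value, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name.strip(), cookie_value.strip(), attrs


def audit(raw):
    """Return a list of (check id, detail) findings for one response."""
    findings = []
    _, headers, body = parse_response(raw)
    content_type = ""
    for name, value in headers:
        if name == "set-cookie":
            cname, cval, attrs = parse_set_cookie(value)
            if cname.upper() not in SESSION_COOKIES:
                continue  # only session cookies matter for these checks
            if "httponly" not in attrs:
                findings.append(("cookie-not-httponly", cname))
            if cname.upper() == "CFTOKEN" and not CF_UUID_RE.match(cval):
                findings.append(("cftoken-not-uuid", cval))
        elif name == "x-powered-by":
            findings.append(("x-powered-by-header", value))
        elif name == "server" and VERSION_RE.search(value):
            findings.append(("server-version-disclosure", value))
        elif name == "content-type":
            content_type = value.lower()
    # JSON hijacking defence: the body should start with the // prefix.
    if "json" in content_type and not body.lstrip().startswith("//"):
        findings.append(("json-prefix-missing", body[:40]))
    return findings


def load_prefixed_json(body):
    """Client-side counterpart of the JSON prefix: strip '//' before parsing."""
    text = body.lstrip()
    if text.startswith("//"):
        text = text[2:]
    return json.loads(text)


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(resp))
    print(load_prefixed_json(HARDENED_RESPONSE.split("\r\n\r\n", 1)[1]))
```

Running the script reports six findings for the weak response and none for the hardened one. The load_prefixed_json function shows why the prefix is harmless to legitimate clients: an XMLHttpRequest caller strips the two characters before parsing, whereas a cross-site page that includes the URL with a script tag gets a single JavaScript comment and nothing it can read.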
