Foundeo Inc

ColdFusion Server Security Report

Operating System: CentOS
Web Server: Apache/2.2.3 (CentOS)
ColdFusion Version: 8,0,1,195765

We found 16 security issues on your server example.com

critical
Apache Double Encoded Null Byte Vulnerability
CVE-2009-1876 detected. Apply the Apache wsconfig.jar hotfix in Adobe Security Notice apsb09-12. This hotfix is only required for ColdFusion servers using the Apache Web Server.
More Information: http://www.adobe.com/support/security/bulletins/apsb09-12.html
critical
BlazeDS/AMF External XML Entity Injection
CVE-2009-3960 detected. You must apply the hotfix specified in Adobe Security Bulletin APSB10-05; otherwise an attacker who sends an AMF/XML request declaring an external entity can read any file on the server that ColdFusion has permission to read. You need to do this even if you don't use BlazeDS or Flash Remoting, because the BlazeDS gateway (the /flex2gateway/ endpoint) is enabled in ColdFusion by default.
More Information: http://kb2.adobe.com/cps/822/cpsid_82241.html
critical
File Upload Vulnerability in CF8 FCKeditor
The FCKeditor file upload connector appears to be enabled (CVE-2009-2265). This would allow any remote user, without authentication, to upload files to your server; if a file with a server-executable extension such as .cfm can be placed under the web root, this is remote code execution. Apply the fix in APSB09-09 and leave the connector disabled on production servers.
More Information: http://www.adobe.com/support/security/bulletins/apsb09-09.html
critical
SSL Version 2 Enabled
Your web server accepts SSL version 2 connections. SSLv2 is a broken protocol: its handshake is not integrity-protected, so cipher negotiation can be downgraded, and its MAC construction is weak. PCI DSS does not permit it, and for strong security you must disable it in the web server's SSL configuration (here, Apache's); while you are there, remove the export-grade and NULL ciphers as well.
More Information: http://foundeo.com/products/iis-weak-ssl-ciphers/
critical
Cross Site Scripting Vulnerability CVE-2010-1293
CVE-2010-1293 detected. Apply the hotfixes located in Adobe Security Notice apsb10-11.
More Information: http://www.adobe.com/support/security/bulletins/apsb10-11.html
critical
CVE-2010-2861 Detected
Path Traversal Vulnerability detected (CVE-2010-2861, APSB10-18). This allows an unauthenticated attacker to read any file on the server's file system that ColdFusion has access to (on Windows, any file on the same drive). That includes ColdFusion's own configuration files, among them the file holding the Administrator password hash, so after applying the hotfix you should also change the Administrator and RDS passwords and review the server for signs of prior compromise.
More Information: http://www.adobe.com/support/security/bulletins/apsb10-18.html
critical
Robust Exception Information is Enabled
Robust Exception Information is enabled, which leads to path disclosure and partial source code disclosure: an unhandled exception returns the full file system path of the failing template plus the surrounding lines of source to the client. Disable it in the ColdFusion Administrator (Debugging & Logging > Debug Output Settings) and use a site-wide error handler so that unhandled exceptions never reach the browser.
critical
Cross Site Scripting Vulnerability CVE-2011-0583
CVE-2011-0583 detected. Apply the hotfixes located in Adobe Security Notice apsb11-04. Detection of this vulnerability also indicates with high likelihood that the following vulnerabilities from the same bulletin exist: CVE-2011-0580, CVE-2011-0581, CVE-2011-0582, CVE-2011-0584.
More Information: http://www.adobe.com/support/security/bulletins/apsb11-04.html
important
ColdFusion Administrator is Public
The ColdFusion Administrator (/CFIDE/administrator/) is reachable from the internet. It should be restricted by source IP address or blocked with web server password protection, and you should also consider requiring an SSL connection so the Administrator password is not sent in the clear.
More Information: http://www.petefreitag.com/item/750.cfm
important
CFTOKEN is not a UUID
CFTOKEN should be set to use a UUID in the ColdFusion Administrator ("Use UUID for cftoken"). Without that setting CFTOKEN is a short numeric value, and session identifiers may be easy to guess or brute force; with it, CFTOKEN is a long random value that is not practically guessable.
important
Solr Search Service Exposed
CVE-2010-0185 detected. ColdFusion 9 Apache Solr services are exposed to the public. Any data in solr search collections may be exposed to the public. Follow the instructions in APSB10-04 to remedy, or upgrade to ColdFusion 9.0.1.
More Information: http://www.adobe.com/support/security/bulletins/apsb10-04.html
important
RDS is Enabled over HTTP
RDS (Remote Development Services) should be disabled on production servers. If it must stay enabled, restrict it to SSL (https) connections only, since RDS credentials are otherwise not protected in transit.
important
OpenSSL Record of Death CVE-2010-0740
CVE-2010-0740 detected. The version of OpenSSL you are running (version 0.9.8f through 0.9.8m) allows remote attackers to cause a denial of service (crash) via a malformed record in a TLS connection.
More Information: http://www.openssl.org/news/secadv_20100324.txt
important
Apache 2.2 Security Update Available
The version of Apache you are running does not contain the most recent security fixes.
More Information: http://httpd.apache.org/security/vulnerabilities_22.html
warning
ColdFusion Documentation Public
The ColdFusion server documentation is public at /cfdocs/dochome.htm. This reveals the ColdFusion server version you are using, which lets an attacker pick version-specific exploits; remove or block the /cfdocs directory on production servers.
warning
Session Cookies are not marked HTTPOnly
Marking the CFID and CFTOKEN session cookies HttpOnly prevents JavaScript, including script injected through an XSS flaw, from reading them in modern browsers, so a single XSS bug no longer hands the attacker the session. It does not stop injected script from issuing requests that ride on the victim's session, so it is a mitigation, not a substitute for fixing XSS.
More Information: http://www.petefreitag.com/item/764.cfm
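The Robust Exception Information, CFTOKEN and HttpOnly findings above can all be verified from a single HTTP exchange with the server. The script below is an added example of how such checks can be written; it is not part of the report and not Hack-My-CF's own probe. The Set-Cookie headers and the error page are constructed sample data, not captured from a real host. It assumes (this is not stated on the page) that a default CFTOKEN is a short decimal number and that the UUID form is sixteen hex characters, a hyphen, then a ColdFusion UUID in 8-4-4-16 hex groups, and that a ColdFusion error page with robust exception information enabled contains the phrase "The error occurred in <path>: line <n>".

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample data standing in for what a scan of the server in the
# report above would observe; nothing here was captured from a real host.
SAMPLE_SET_COOKIE_HEADERS = [
    "CFID=1234567; Path=/",
    "CFTOKEN=87654321; Path=/",
    "JSESSIONID=abc123; Path=/; HttpOnly",
]

SAMPLE_ERROR_PAGE = """
<h1>Error Occurred While Processing Request</h1>
<p>Element FOO is undefined in URL.</p>
<p>The error occurred in /var/www/html/app/checkout.cfm: line 42</p>
<pre>40 : &lt;cfset total = 0&gt;
41 : &lt;cfloop ...&gt;
42 : &lt;cfset total += url.foo&gt;
</pre>
"""

# Cookies that carry ColdFusion session state.
SESSION_COOKIE_NAMES = {"CFID", "CFTOKEN", "JSESSIONID"}

# Assumed format of a UUID-style CFTOKEN (not stated on the page):
# 16 hex characters, a hyphen, then a ColdFusion UUID (8-4-4-16 hex groups).
UUID_CFTOKEN_RE = re.compile(
    r"^[0-9a-f]{16}-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{16}$", re.I
)

# Assumed shape of the path disclosure in a robust-exception error page.
ROBUST_ERROR_RE = re.compile(
    r"The error occurred in (?P<path>.+?\.cf[mc]): line (?P<line>\d+)"
)


def cftoken_is_uuid(token: str) -> bool:
    """True when CFTOKEN has the UUID form rather than a short numeric value."""
    return bool(UUID_CFTOKEN_RE.match(token))


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and a set of lowercased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    flags = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return {"name": name.strip(), "value": value, "flags": flags}


def session_cookies_missing_httponly(headers: List[str]) -> List[str]:
    """Names of session cookies that were set without the HttpOnly attribute."""
    missing = []
    for h in headers:
        c = parse_set_cookie(h)
        if c["name"] in SESSION_COOKIE_NAMES and "httponly" not in c["flags"]:
            missing.append(c["name"])
    return missing


def robust_exception_info_leak(body: str) -> Optional[Tuple[str, int]]:
    """Return the (path, line) a ColdFusion error page discloses, or None."""
    m = ROBUST_ERROR_RE.search(body)
    if not m:
        return None
    return (m.group("path"), int(m.group("line")))


def audit(headers: List[str], error_body: str) -> List[str]:
    """Turn one response's cookies and one error page into report-style findings."""
    findings = []
    cookies = {}
    for h in headers:
        c = parse_set_cookie(h)
        cookies[c["name"]] = c["value"]
    if "CFTOKEN" in cookies and not cftoken_is_uuid(cookies["CFTOKEN"]):
        findings.append("important: CFTOKEN is not a UUID")
    for name in session_cookies_missing_httponly(headers):
        findings.append(f"warning: {name} cookie is not marked HttpOnly")
    leak = robust_exception_info_leak(error_body)
    if leak:
        findings.append(
            f"critical: robust exception info discloses {leak[0]} line {leak[1]}"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SET_COOKIE_HEADERS, SAMPLE_ERROR_PAGE):
        print(finding)
```

To run this against a real server you would feed `audit()` the Set-Cookie headers from any page that starts a session and the body of a request that deliberately triggers an error (for example a template URL with a missing parameter); the checks themselves are read-only and send nothing the server would not receive from a normal browser.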

Please note, this tool is not able to test for all potential security issues that may exist. It simply points out issues that it can detect.

Dig Deeper & Stay Updated with Our Paid Service

When you sign up for our service you can:

  • Find more security issues (such as JVM vulnerabilities) and see more detail than the free version provides (using our probe)
  • Receive Automated Daily, Weekly, Monthly, or Quarterly server vulnerability reports
  • Keep track of multiple servers at once
  • Keep track of which hotfixes were installed and when.
  • Get notified when new security hotfixes are released.
  • PDF Reports
  • Scan as much as you want, and view results instantly.

Pricing starts at $10/month

Severity Key

Critical
Found 8 Critical Issues
These issues pose a significant security risk. It is imperative that they are resolved at once.

Important
Found 6 Important Issues
These issues may have a security risk in certain conditions. It is recommended that you resolve them.

Warning
Found 2 Warnings
You should consider fixing these issues, however, they do not pose a large risk.

See a List of ColdFusion Security Vulnerabilities detected by this tool.