a product of
Foundeo Inc.
This report is for a Railo CFML Server, see also an example security report for Lucee or ColdFusion 11

Railo Server Security Report [example.com]

Do you know this much about your ColdFusion server? - Subscribe for $10/month
Railo Version: 4.1.0.000
Operating System: UNIX Linux amd64 2.6.32-042stab063.2 i686
Web Server: nginx/1.2.5
Server Local IP: 10.0.0.80
Probe API Version: 1.4
Java JVM: 1.7.0_24 Oracle Corporation running as root
JEE Server: Apache Tomcat/7.0.22

We found 15 security issues on your server example.com

critical
SSL Version 2 Enabled
Your Web Server is accepting SSL V2 connections, a weak protocol. For PCI compliance, and strong security you must disable this protocol on your web server.
More Information: http://foundeo.com/products/iis-weak-ssl-ciphers/
critical
Robust Exception Information is Enabled
Robust Exception Information is enabled which leads to path disclosure and partial source code disclosure. This can also be triggered if you have a custom error handler that is disclosing too much information.
critical
Railo Contains Unpatched Security Vulnerabilites Fixed in Lucee
The Railo project has not released an update in over a year. The source code for Railo has been forked into a new project called Lucee. There have been several security vulnerabilities fixed in Lucee that also existed in Railo, but remain unpatched in Railo. Because of this we do not recommend using Railo at this time, upgrade to Lucee instead.
More Information: http://docs.lucee.org/guides/updating-lucee/migrate-from-railo.html
important
The JVM is Running under Privileged User Account
The JVM process is running under a system administrative account (eg SYSTEM, Administrator, or root). ColdFusion should be running under an un-privileged user account.
important
JVM Security Update Available
The JVM that you are running contains security vulnerabilities that could be exploited in server side environments. Java 7 is EOL as of April 2015, upgrade to Java 8 if possible. Java 8 is not supported by CF9 or below.
More Information: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixJAVA
important
Railo Security Issue 2508
A Path Traversal Bug in Railo 4 Admin. Fixed in Versions 4.1.1.000 and 4.0.5.004
More Information: https://issues.jboss.org/browse/RAILO-2508
important
Railo Security Issue 2635
Input of Chr(0) to the ReplaceList function can cause infinate loop / crash. Fixed in Version 4.1.1.008
More Information: https://issues.jboss.org/browse/RAILO-2635
important
Railo Security Issue 2773
The version of railo you are using does not set the HTTPOnly flag on client cookies. Fixed in Version 4.2.0.000 and 4.1.2.005
More Information: https://issues.jboss.org/browse/RAILO-2773
important
Railo Administrator is Public
Railo Administrator should be restricted by IP or blocked with Web Server password protection. Also consider requiring a SSL connection.
More Information: http://www.petefreitag.com/item/715.cfm
important
Tomcat 7 Vulnerability
The version of Tomcat 7 you are running contains security vulnerabilities that are fixed in Tomcat Version 7.0.94 or greater.
More Information: https://tomcat.apache.org/security-7.html
important
Lucee Invalid Cookie name DOS 2015-05-28
An invalid cookie name can cause a stacktrace and potentially crash Tomcat. Fixed in Lucee 4.5.1.016 and 5.0.0.50. Not fixed in Railo to date.
More Information: https://luceeserver.atlassian.net/browse/LDEV-348
important
Lucee Security Issue 2015-08-06
Lucee fixed an XSS issue in version 4.5.1.023. This issue remains unpatched in Railo.
More Information: https://groups.google.com/d/topic/lucee/KYzqrcejCow/discussion
important
Lucee Security Issue 2015-10-20
Lucee fixed an XSS vulnerability in the default error and debug templates. This issue is fixed in Lucee 4.5.1.024+ 4.5.2.017+ and 5.0.0.98+
More Information: http://lucee.org/blog/new-lucee-security-patch-available.html
warning
Session Cookies are not marked HTTPOnly
Using HTTPOnly cookies prevents the session cookies from being hijacked via a javascript XSS attack on modern browsers.
More Information: http://www.petefreitag.com/item/764.cfm
warning
Railo Server Context is Public
The URI /railo-server-context/ is open to the public and should be blocked.
More Information: http://www.petefreitag.com/item/715.cfm

Please note, this tool is not able to test for all potential security issues that may exist.

Dig Deeper & Stay Updated with Our Paid Service

When you Signup for our service you can:

Pricing starts at $10/month

Severity Key

Critical
Found 3 Critical Issues
These issues pose a significant security risk. It is imperative that they are resolved at once.

Important
Found 10 Important Issues
These issues may have a security risk in certain conditions. It is recommended that you resolve them.

Warning
Found 2 Warnings
You should consider fixing these issues, however, they do not pose a large risk.

Scan ID:

See a full List of Railo & ColdFusion Security Vulnerabilities detected by this tool.