How much do you know about your Railo server security?
HackMyCF starts at $10/month
- Automatically scans your server on a daily, weekly, monthly or quarterly basis
- Get Notified when something needs to be upgraded
- Daily, Weekly, Monthly or Quarterly email report with info like below about your servers.
Scan My ServerRailo Server Security Report [example.com]
| Railo Version: | 4.1.0.000 |
| Operating System: | UNIX Linux amd64 2.6.32-042stab063.2 i686 |
| Web Server: | nginx/1.2.5 |
| Server Local IP: | 10.0.0.80 |
| Probe API Version: | 1.4 |
| Java JVM: | 1.7.0_24 Oracle Corporation running as root |
| JEE Server: | Apache Tomcat/7.0.22 |
We found 15 security issues on your server example.com
critical
SSL Version 2 Enabled
Your Web Server is accepting SSL V2 connections, a weak protocol. For PCI compliance, and strong security you must disable this protocol on your web server.
More Information: http://foundeo.com/products/iis-weak-ssl-ciphers/
critical
Robust Exception Information is Enabled
Robust Exception Information is enabled which leads to path disclosure and partial source code disclosure. This can also be triggered if you have a custom error handler that is disclosing too much information (such as a stack trace).
critical
Railo Contains Unpatched Security Vulnerabilites Fixed in Lucee
The Railo project has not released an update in many years. The source code for Railo has been forked into a new project called Lucee. There have been several security vulnerabilities fixed in Lucee that also existed in Railo, but remain unpatched in Railo. Because of this we do not recommend using Railo at this time, upgrade to Lucee instead.
More Information: https://docs.lucee.org/guides/updating-lucee/migrate-from-railo.html
important
The JVM is Running under Privileged User Account
The JVM process is running under a system administrative account (eg SYSTEM, Administrator, or root). ColdFusion should be running under an un-privileged user account.
important
JVM Security Update Available
The JVM that you are running contains security vulnerabilities that could be exploited in server side environments. Java 7 is EOL as of April 2015, upgrade to Java 8 if possible. Java 8 is not supported by CF9 or below.
More Information: https://www.petefreitag.com/item/860.cfm
important
Railo Security Issue 2508
A Path Traversal Bug in Railo 4 Admin. Fixed in Versions 4.1.1.000 and 4.0.5.004
More Information: https://issues.jboss.org/browse/RAILO-2508
important
Railo Security Issue 2635
Input of Chr(0) to the ReplaceList function can cause infinate loop / crash. Fixed in Version 4.1.1.008
More Information: https://issues.jboss.org/browse/RAILO-2635
important
Railo Security Issue 2773
The version of railo you are using does not set the HTTPOnly flag on client cookies. Fixed in Version 4.2.0.000 and 4.1.2.005
More Information: https://issues.jboss.org/browse/RAILO-2773
important
Railo Administrator is Public
Railo Administrator should be restricted by IP or blocked with Web Server password protection. Also consider requiring a SSL connection.
More Information: http://www.petefreitag.com/item/715.cfm
important
Tomcat 7 Vulnerability
Tomcat 7 has reached end of life and may contain security vulnerabilities.
More Information: https://tomcat.apache.org/security-7.html
important
Lucee Invalid Cookie name DOS 2015-05-28
An invalid cookie name can cause a stacktrace and potentially crash Tomcat. Fixed in Lucee 4.5.1.016 and 5.0.0.50. Not fixed in Railo to date.
More Information: https://luceeserver.atlassian.net/browse/LDEV-348
important
Lucee Security Issue 2015-08-06
Lucee fixed an XSS issue in version 4.5.1.023. This issue remains unpatched in Railo.
More Information: https://groups.google.com/d/topic/lucee/KYzqrcejCow/discussion
important
Lucee Security Issue 2015-10-20
Lucee fixed an XSS vulnerability in the default error and debug templates. This issue is fixed in Lucee 4.5.1.024+ 4.5.2.017+ and 5.0.0.98+
More Information: http://lucee.org/blog/new-lucee-security-patch-available.html
warning
Session Cookies are not marked HTTPOnly
Using HTTPOnly cookies prevents the session cookies from being hijacked via a javascript XSS attack on modern browsers.
More Information: http://www.petefreitag.com/item/764.cfm
warning
Railo Server Context is Public
The URI /railo-server-context/ is open to the public and should be blocked.
More Information: http://www.petefreitag.com/item/715.cfm
Please note, this tool is not able to test for all potential security issues that may exist.
Dig Deeper & Stay Updated with Our Paid Service
When you Signup for our service you can:
- Finds more security issues such as JVM vulnerabilities, missing ColdFusion hotfixes, etc (using our probe)
- Receive Automated Daily, Weekly, Monthly, or Quarterly server vulnerability reports
- Keep track of multiple servers at once
- Keep track of which hotfixes were installed and when.
- Get notified when new security hotfixes are released.
- PDF Reports
- Scan as much as you want, and view results instantly.
Pricing starts at $10/month
Severity Key
Critical
Found 3 Critical Issues
These issues pose a significant security risk. It is imperative that they are resolved at once.
Important
Found 10 Important Issues
These issues may have a security risk in certain conditions. It is recommended that you resolve them.
Warning
Found 2 Warnings
You should consider fixing these issues, however, they do not pose a large risk.
See a full List of Railo & ColdFusion Security Vulnerabilities detected by this tool.