Railo Server Security Report [example.com]
UNIX Linux amd64 2.6.32-042stab063.2 i686
Server Local IP:
Probe API Version:
1.7.0_24 Oracle Corporation running as root
We found 15 security issues on your server example.com
SSL Version 2 Enabled
Your Web Server is accepting SSL V2 connections, a weak protocol. For PCI compliance and strong security, you must disable this protocol on your web server.
Robust Exception Information is Enabled
Robust Exception Information is enabled which leads to path disclosure and partial source code disclosure. This can also be triggered if you have a custom error handler that is disclosing too much information.
Railo Contains Unpatched Security Vulnerabilities Fixed in Lucee
The Railo project has not released an update in over a year. The source code for Railo has been forked into a new project called Lucee. Several security vulnerabilities that existed in Railo have been fixed in Lucee but remain unpatched in Railo. Because of this, we do not recommend using Railo at this time; upgrade to Lucee instead.
The JVM is Running under Privileged User Account
The JVM process is running under a system administrative account (e.g. SYSTEM, Administrator, or root). ColdFusion should be running under an unprivileged user account.
JVM Security Update Available
The JVM that you are running contains security vulnerabilities that could be exploited in server-side environments. Java 7 is EOL as of April 2015; upgrade to Java 8 if possible. Java 8 is not supported by CF9 or below.
Railo Security Issue 2508
A Path Traversal Bug in Railo 4 Admin. Fixed in Versions 4.1.1.000 and 4.0.5.004.
Railo Security Issue 2635
Input of Chr(0) to the ReplaceList function can cause an infinite loop / crash. Fixed in Version 4.1.1.008.
Railo Security Issue 2773
The version of Railo you are using does not set the HTTPOnly flag on client cookies. Fixed in Versions 4.2.0.000 and 4.1.2.005.
Railo Administrator is Public
Railo Administrator should be restricted by IP or blocked with Web Server password protection. Also consider requiring an SSL connection.
Tomcat 7 Vulnerability
The version of Tomcat 7 you are running contains security vulnerabilities that are fixed in Tomcat Version 7.0.94 or greater.
Lucee Invalid Cookie name DOS 2015-05-28
An invalid cookie name can cause a stack trace and potentially crash Tomcat. Fixed in Lucee 4.5.1.016 and 22.214.171.124. Not fixed in Railo to date.
Lucee Security Issue 2015-08-06
Lucee fixed an XSS issue in version 4.5.1.023. This issue remains unpatched in Railo.
Lucee Security Issue 2015-10-20
Lucee fixed an XSS vulnerability in the default error and debug templates. This issue is fixed in Lucee 4.5.1.024+, 4.5.2.017+, and 126.96.36.199+.
Session Cookies are not marked HTTPOnly
Railo Server Context is Public
The URI /railo-server-context/ is open to the public and should be blocked.
Please note, this tool is not able to test for all potential security issues that may exist.
Dig Deeper & Stay Updated with Our Paid Service
When you Signup for our service you can:
- Find more security issues such as JVM vulnerabilities, missing ColdFusion hotfixes, etc. (using our probe)
- Receive Automated Daily, Weekly, Monthly, or Quarterly server vulnerability reports
- Keep track of multiple servers at once
- Keep track of which hotfixes were installed and when.
- Get notified when new security hotfixes are released.
- PDF Reports
- Scan as much as you want, and view results instantly.
Pricing starts at $10/month
Found 3 Critical Issues
These issues pose a significant security risk. It is imperative that they are resolved at once.
Found 10 Important Issues
These issues may have a security risk in certain conditions. It is recommended that you resolve them.
Found 2 Warnings
You should consider fixing these issues, however, they do not pose a large risk.