a product of
Foundeo Inc.

ColdFusion 9 Security Report
Example of a Security Report produced by HackMyCF for ColdFusion 9

This report is for a ColdFusion 9.0.1 Server, see an example security report for ColdFusion 2016 or ColdFusion 11 or ColdFusion 10 or ColdFusion 2018 or a Lucee Security Report
Want reports like this for your ColdFusion or Lucee servers? HackMyCF starts at $10/month
  • Automatically scans your server on a daily, weekly, monthly or quarterly basis
  • Get Notified when ColdFusion, Java, CommandBox, etc. need to be updated.
  • Daily, Weekly, Monthly or Quarterly email report with info like below about your servers.

ColdFusion Server Security Report [example.com]

ColdFusion Version: 9,0,1,274733
Operating System: UNIX Linux amd64 2.6.32-042stab063.2 i686
Web Server: Apache/2.2.22 (Unix)
Web Server Software: Apache/2.2.22 (Unix) DAV/2 JRun/4.0 mod_ssl/2.2.22 OpenSSL/0.9.8f
Probe API Version: 1
Java JVM: 1.6.0_22 Sun Microsystems Inc. running as cfuser
JEE Server: JRun/4.0
Hotfix Jars: chf9010001.jar,empty.txt,hf901-00001.jar
Security Hotfixes (9.0.1): warning ColdFusion 9 EOL (12/31/2014) - This version has reached End of Life - core support ended on 12/31/2014, extended support ended on 12/31/2016, security patches are no longer being issued for this version (even if security issues exist)
warn APSB14-23 Oct 2014 - Not Installed
warn APSB13-27 Nov 2013 - Not Installed
warn APSB13-19 July 2013 - Not Installed
warn APSB13-13 May 2013 - Not Installed
warn APSB13-10 Apr 2013 - Not Installed
warn APSB13-03 Jan 2013 - Not Installed
check APSB12-26 Dec 2012 - Not Installed
warning APSB12-21 Sept 2012 - Not Installed
warning APSB12-15 June 2012 - Not Installed
warning APSB12-06 March 2012 - Not Installed
warning APSB11-29 December 2011 - Not Installed
warning APSB11-14 June 2011 - Not Installed
check APSB11-04 February 2011 - Installed
check APSB10-18 August 2010 - Installed via APSB11-04

Please note, we mark security hotfixes as installed above based on the existance of jar files, please ensure that you have properly installed all hotfix files by following instructions in the Adobe KB article (though we do perform some extra steps to look for common installation errors). Due to the possibility of human error in applying security hotfixes we cannot not guarantee accuracy of the security hotfix install list above.
Cumulative Hotfixes: warning ColdFusion 9.0.1 Cumulative Hotfix 4 Not Installed
warning ColdFusion 9.0.1 Cumulative Hotfix 3 Not Installed
warning ColdFusion 9.0.1 Cumulative Hotfix 2 Not Installed
check ColdFusion 9.0.1 Cumulative Hotfix 1 Installed

Please note, Cumulative Hotfixes focus on bug fixes and may or may not include security hotfixes, they are not required and Adobe may only recommend installing them if you are experiencing one of the issues resolved (please read the linked KB article).
Is Latest? Name File Date
warning Newer Connector Available JRun Apache Connector
mod_jrun22.so 2010-06-14
Found 3 web server connectors, all having the same version.

To Update Your Connector: Make sure you have applied all hotfixes first, then run wsconfig. If you are on Windows you need to right click on wsconfig.exe and select: Run As Administrator. For CF2016 and up you can Upgrade the connector in wsconfig, for CF10 and CF11 you will need to Remove and then Add the connector(s) again. Note, connector updates may not be required for security but generally increase server stability.
Tip: Make sure you have checked your server for log4j jar files that might have been included in third party libraries. More Info

TLS / SSL Report

Common Name: check www.example.com
Certificate Expiration Date:
warn March 3, 2023 (27 days)
Public Key Size: check 2048 (2048 or greater recommended)
Signature Algorithm: check sha256WithRSAEncryption
Contains Anchor Certificate: check No
Valid Chain Order: check Yes
Protocol Support: check SSLv2 Disabled
(SSLv2 should be disabled, it has been considered weak for over 10 years and has been disabled in browsers by default since IE7)
warn SSLv3 Enabled
Preferred Cipher Suite: AES128-SHA (128 bit keysize) HTTP 200 OK
(SSLv3 should be disabled, it has been considered weak since October 2014 due to the Poodle Vulnerability. Disabling may cause compatibility issues with IE on Windows XP, and old android clients)
warn TLSv1 Enabled
Preferred Cipher Suite: ECDHE-RSA-AES256-SHA (256 bit keysize) HTTP 200 OK
(Disabling TLSv1 is Recommended, see TLS Browser Support Chart)
check TLSv1.1 Enabled
Preferred Cipher Suite: ECDHE-RSA-AES256-SHA (256 bit keysize) HTTP 200 OK
(TLS 1.1 may be considered an early TLS with respect to PCI DSS 3.1 compliance. Talk to your QSA for details.)
check TLSv1.2 Enabled
Preferred Cipher Suite: ECDHE-RSA-AES256-GCM-SHA384 (256 bit keysize) HTTP 200 OK
(TLS 1.2 should be enabled)
Compression Supported:check No (Compression should be disabled due to CRIME)
Heartbleed: check Not Vulnerable
Logjam: warn 1024 bit DH Group Using a common prime! (a unique 2028 bit DH group is recommended More Info)
Session Renegotiation: check Client Initiated Session Renegotiation Disabled
check Secure Session Renegotiation Supported
OpenSSL CCS Injection check Not Vulnerable More Info
Strict Transport Security warn Not Enabled More Info

We found 28 security issues on your server example.com

SSL Version 2 Enabled
Your Web Server is accepting SSL V2 connections, a weak protocol. For PCI compliance, and strong security you must disable this protocol on your web server.
More Information: http://foundeo.com/products/iis-weak-ssl-ciphers/
Robust Exception Information is Enabled
Robust Exception Information is enabled which leads to path disclosure and partial source code disclosure. This can also be triggered if you have a custom error handler that is disclosing too much information.
Backdoor Discovered
Found /CFIDE/h.cfm that matched the signature of a backdoor script capable of manipulating the file system, running executables and running database queries remotely. Your server appears to have been compromised by an attacker.
Security Hotfix APSB13-03 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB13-03 was not found on your server. This hotfix resolves authentication issues that could allow an attacker to take control of your server.
More Information: http://www.adobe.com/support/security/bulletins/apsb13-03.html
CVE-2010-2861 Detected
Path Traversal Vulnerability detected (CVE-2010-2861 APSB10-18), this allows an attacker to read any file on the servers file system that ColdFusion has access to (within the same drive on windows).
More Information: http://www.adobe.com/support/security/bulletins/apsb10-18.html
Cross Site Scripting Vulnerability CVE-2011-0583
CVE-2011-0583 detected. Apply the hotfixes located in Adobe Security Notice apsb11-04. The detection of this vulnerability also indicates to a high degree of likelihood that the following vulnerabilities may also exist: CVE-2011-0580, CVE-2011-0581, CVE-2011-0582, CVE-2011-0584
More Information: http://www.adobe.com/support/security/bulletins/apsb11-04.html
Apache Double Encoded Null Byte Vulnerability
CVE-2009-1876 detected. Apply the Apache wsconfig.jar hotfix in Adobe Security Notice apsb09-12. This hotfix is only required for ColdFusion servers using the Apache Web Server.
More Information: http://www.adobe.com/support/security/bulletins/apsb09-12.html
BlaseDS/AMF External XML Entity Injection
CVE-2009-3960 detected. You must apply the hotfix specified in Adobe Security Bulliten APSB10-05, otherwise an attacker can read any file on the server that ColdFusion has permission to read. You need to do this even if you don't use BlaseDS or Flash Remoting because it is enabled in CF by default.
More Information: https://www.adobe.com/support/security/bulletins/apsb10-05.html
AdminAPI Exposed to the Public
The /CFIDE/adminapi/ directory is open to the public it should be locked down to prevent exploit.
ColdFusion Administrator is Public
ColdFusion Administrator should be restricted by IP or blocked with Web Server password protection. Also consider requiring a SSL connection.
More Information: http://www.petefreitag.com/item/750.cfm
CFTOKEN should be set to use a UUID in the ColdFusion Administrator. Session ids may be very easy to guess if UUID's are not used.
RDS may be Enabled
RDS may be enabled on your server (due to a change in recent CF versions we can no longer detect if it is on or off, however we have detected that the RDSServlet URI is responding to requests). We recommened that you block the URI /CFIDE/main/ide.cfm and/or remove the Servlet Mapping in web.xml to prevent unnecessary access to the RDSServlet.
Certificate Signature Uses SHA1
Your SSL Certificate is signed using a SHA1 signature, which is considered weak. You may see security errors or warnings in Chrome.
More Information: http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html
SSL Version 3 Enabled
Your Web Server is accepting SSL V3 connections, vulnerabile to the POODLE (CVE-2014-3566) attack. Consider disabling this protocol, which may impact old clients such as IE6 on Windows XP. Disabling SSLv3 may also impact server side HTTPS clients (that consume your web services or APIs), and potentially bots / crawlers. You can use our IIS SSL tool to disable SSLv3 on IIS: https://foundeo.com/products/iis-weak-ssl-ciphers/
More Information: https://poodle.io
Solr Search Service Exposed
CVE-2010-0185 detected. ColdFusion 9 Apache Solr services are exposed to the public. Any data in solr search collections may be exposed to the public. Follow the instructions in APSB10-04 to remedy, or upgrade to ColdFusion 9.0.1.
More Information: http://www.adobe.com/support/security/bulletins/apsb10-04.html
OpenSSL Record of Death CVE-2010-0740
CVE-2010-0740 detected. The version of OpenSSL you are running (version 0.9.8f through 0.9.8m) allows remote attackers to cause a denial of service (crash) via a malformed record in a TLS connection.
More Information: http://www.openssl.org/news/secadv_20100324.txt
Apache 2.2 Security Update Available
The version of Apache you are running does not contain the most recent security fixes.
More Information: http://httpd.apache.org/security/vulnerabilities_22.html
Security Hotfix APSB12-26 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB12-26 was not found to be installed on your server. This hotfix resolves a sandbox permission issue.
More Information: http://www.adobe.com/support/security/bulletins/apsb12-26.html
Security Hotfix APSB12-25 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB12-25 was not found to be installed on your server. This hotfix resolves a DOS vulnerability CVE-2012-5674.
More Information: http://www.adobe.com/support/security/bulletins/apsb12-25.html
Security Hotfix APSB12-21 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB12-21 was not found to be installed on your server. This hotfix resolves a DOS vulnerability CVE-2012-2048.
More Information: http://www.adobe.com/support/security/bulletins/apsb12-21.html
Security Hotfix APSB13-19 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB13-19 was not found on your server.
More Information: http://www.adobe.com/support/security/bulletins/apsb13-19.html
Session Cookies are not marked HTTPOnly
Using HTTPOnly cookies prevents the session cookies from being hijacked via a javascript XSS attack on modern browsers.
More Information: http://www.petefreitag.com/item/764.cfm
LogJam: DH Group Uses a common prime.
Your HTTPS server is configured to use a common 1024bit prime. Security researchers estimate that a nation-state could break encryption on servers with a common 1024 bit DH group prime.
More Information: https://weakdh.org/
LogJam: DH Group Smaller than 2048 Supported
Your server supports a DH Group Size smaller than 2048 bits. It is recommended to use a unique 2048-bit Diffie-Hellman group. Note that Java 1.7 and below cannot connect to servers (eg with CFHTTP) using a DH group size larger than 1024.
More Information: https://weakdh.org/
SSL Certificate Public Key Below 2048 Bits
Your SSL certificate public key is below 2048 bits, consider making a new certificate signing request (CSR) and rekey your certificate with 2048 bit key or larger.
SSL Certificate Expires Soon
Your SSL certificate will expire soon, please make sure you renew it.
ColdFusion Documentation Public
The ColdFusion Server Documentation is public at /cfdocs/dochome.htm this identifies the ColdFusion server version you are using.
Unsupported ColdFusion Version
The version of ColdFusion that you are running is no longer supported by Adobe. Security patches are no longer issued for this version. Upgrade to ColdFusion 11 or greater.
More Information: http://www.adobe.com/go/coldfusion

Please note, this tool is not able to test for all potential security issues that may exist.

Dig Deeper & Stay Updated with Our Paid Service

When you Signup for our service you can:

Pricing starts at $10/month

Severity Key

Found 9 Critical Issues
These issues pose a significant security risk. It is imperative that they are resolved at once.

Found 12 Important Issues
These issues may have a security risk in certain conditions. It is recommended that you resolve them.

Found 7 Warnings
You should consider fixing these issues, however, they do not pose a large risk.

Scan ID:

See a List of ColdFusion Security Vulnerabilities detected by this tool.