a product of
Foundeo Inc.

ColdFusion 9 Security Report
Example of a Security Report produced by HackMyCF for ColdFusion 9


This report is for a ColdFusion 9.0.1 server. See also the example security reports for ColdFusion 2016, ColdFusion 11, ColdFusion 10, ColdFusion 2018, or the Lucee Security Report.
Want reports like this for your ColdFusion or Lucee servers? HackMyCF starts at $20/month
  • Automatically scans your server on a daily, weekly, monthly or quarterly basis
  • Get notified when ColdFusion, Java, CommandBox, etc. need to be updated.
  • Daily, Weekly, Monthly or Quarterly email report with info like below about your servers.

ColdFusion Server Security Report [example.com]

ColdFusion Version: 9,0,1,274733
Operating System: UNIX Linux amd64 2.6.32-042stab063.2 i686
Web Server: Apache/2.2.22 (Unix)
Web Server Software: Apache/2.2.22 (Unix) DAV/2 JRun/4.0 mod_ssl/2.2.22 OpenSSL/0.9.8f
Probe API Version: 1
Java JVM: 1.6.0_22 Sun Microsystems Inc. running as cfuser
JEE Server: JRun/4.0
Hotfix Jars: chf9010001.jar,empty.txt,hf901-00001.jar
Security Hotfixes (9.0.1):
warning ColdFusion 9 EOL (12/31/2014) - This version has reached End of Life - core support ended on 12/31/2014, extended support ended on 12/31/2016, security patches are no longer being issued for this version (even if security issues exist)
warning APSB14-23 Oct 2014 - Not Installed
warning APSB13-27 Nov 2013 - Not Installed
warning APSB13-19 July 2013 - Not Installed
warning APSB13-13 May 2013 - Not Installed
warning APSB13-10 Apr 2013 - Not Installed
warning APSB13-03 Jan 2013 - Not Installed
check APSB12-26 Dec 2012 - Not Installed
warning APSB12-21 Sept 2012 - Not Installed
warning APSB12-15 June 2012 - Not Installed
warning APSB12-06 March 2012 - Not Installed
warning APSB11-29 December 2011 - Not Installed
warning APSB11-14 June 2011 - Not Installed
check APSB11-04 February 2011 - Installed
check APSB10-18 August 2010 - Installed via APSB11-04

Please note, we mark security hotfixes as installed above based on the existence of jar files. Please ensure that you have properly installed all hotfix files by following the instructions in the Adobe KB article (though we do perform some extra steps to look for common installation errors). Due to the possibility of human error in applying security hotfixes, we cannot guarantee the accuracy of the security hotfix install list above.
Cumulative Hotfixes:
warning ColdFusion 9.0.1 Cumulative Hotfix 4 Not Installed
warning ColdFusion 9.0.1 Cumulative Hotfix 3 Not Installed
warning ColdFusion 9.0.1 Cumulative Hotfix 2 Not Installed
check ColdFusion 9.0.1 Cumulative Hotfix 1 Installed

Please note, Cumulative Hotfixes typically include all the prior hotfixes as well. So if you are on update 1, you can install update 3, and update 2 will also be installed. There are sometimes exceptions, or additional steps that you need to take. Please read the linked KB article for each hotfix you will be installing.
Connectors:
Is Latest?                          Name                    MD5                               File            Date
warning Newer Connector Available   JRun Apache Connector   4cb6780cfb0d02802ceafba012a762d8  mod_jrun22.so   2010-06-14
Found 3 web server connectors, all having the same version.

To Update Your Connector: Make sure you have applied all hotfixes first, then run wsconfig. If you are on Windows you need to right click on wsconfig.exe and select: Run As Administrator. For CF2016 and up you can Upgrade the connector in wsconfig, for CF10 and CF11 you will need to Remove and then Add the connector(s) again. Note, connector updates may not be required for security but generally increase server stability.

TLS / SSL Report

Common Name: check www.example.com
Certificate Expiration Date: warn May 28, 2024 (29 days)
Public Key Size: check 2048 (2048 or greater recommended)
Signature Algorithm: check sha256WithRSAEncryption
Contains Anchor Certificate: check No
Valid Chain Order: check Yes
Protocol Support:
  check SSLv2 Disabled
  (SSLv2 should be disabled; it has been considered weak for over 10 years and has been disabled in browsers by default since IE7)
  warn SSLv3 Enabled
  Preferred Cipher Suite: AES128-SHA (128 bit keysize) HTTP 200 OK
  (SSLv3 should be disabled; it has been considered weak since October 2014 due to the POODLE vulnerability. Disabling it may cause compatibility issues with IE on Windows XP and old Android clients)
  warn TLSv1 Enabled
  Preferred Cipher Suite: ECDHE-RSA-AES256-SHA (256 bit keysize) HTTP 200 OK
  (Disabling TLSv1 is recommended, see the TLS Browser Support Chart)
  warn TLSv1.1 Enabled
  Preferred Cipher Suite: ECDHE-RSA-AES256-SHA (256 bit keysize) HTTP 200 OK
  (TLS 1.1 may be considered an early TLS with respect to PCI DSS 3.1 compliance. Talk to your QSA for details.)
  check TLSv1.2 Enabled
  Preferred Cipher Suite: ECDHE-RSA-AES256-GCM-SHA384 (256 bit keysize) HTTP 200 OK
  (TLS 1.2 should be enabled if TLS 1.3 is not)
Compression Supported: check No (Compression should be disabled due to CRIME)
Heartbleed: check Not Vulnerable
Logjam: warn 1024 bit DH Group Using a common prime! (a unique 2048 bit DH group is recommended)
Session Renegotiation:
  check Client Initiated Session Renegotiation Disabled
  check Secure Session Renegotiation Supported
OpenSSL CCS Injection: check Not Vulnerable
Strict Transport Security: warn Not Enabled

We found 28 security issues on your server example.com

critical
SSL Version 2 Enabled
Your Web Server is accepting SSL V2 connections, a weak protocol. For PCI compliance, and strong security you must disable this protocol on your web server.
More Information: http://foundeo.com/products/iis-weak-ssl-ciphers/
critical
Robust Exception Information is Enabled
Robust Exception Information is enabled which leads to path disclosure and partial source code disclosure. This can also be triggered if you have a custom error handler that is disclosing too much information (such as a stack trace).
critical
Backdoor Discovered
Found /CFIDE/h.cfm that matched the signature of a backdoor script capable of manipulating the file system, running executables and running database queries remotely. Your server appears to have been compromised by an attacker.
critical
Security Hotfix APSB13-03 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB13-03 was not found on your server. This hotfix resolves authentication issues that could allow an attacker to take control of your server.
More Information: http://www.adobe.com/support/security/bulletins/apsb13-03.html
critical
CVE-2010-2861 Detected
Path Traversal Vulnerability detected (CVE-2010-2861, APSB10-18). This allows an attacker to read any file on the server's file system that ColdFusion has access to (within the same drive on Windows).
More Information: http://www.adobe.com/support/security/bulletins/apsb10-18.html
critical
Cross Site Scripting Vulnerability CVE-2011-0583
CVE-2011-0583 detected. Apply the hotfixes located in Adobe Security Notice apsb11-04. The detection of this vulnerability also indicates a high likelihood that the following vulnerabilities exist as well: CVE-2011-0580, CVE-2011-0581, CVE-2011-0582, CVE-2011-0584
More Information: http://www.adobe.com/support/security/bulletins/apsb11-04.html
critical
Apache Double Encoded Null Byte Vulnerability
CVE-2009-1876 detected. Apply the Apache wsconfig.jar hotfix in Adobe Security Notice apsb09-12. This hotfix is only required for ColdFusion servers using the Apache Web Server.
More Information: http://www.adobe.com/support/security/bulletins/apsb09-12.html
critical
BlazeDS/AMF External XML Entity Injection
CVE-2009-3960 detected. You must apply the hotfix specified in Adobe Security Bulletin APSB10-05, otherwise an attacker can read any file on the server that ColdFusion has permission to read. You need to do this even if you don't use BlazeDS or Flash Remoting, because it is enabled in CF by default.
More Information: https://www.adobe.com/support/security/bulletins/apsb10-05.html
critical
EOL ColdFusion Version
The version of ColdFusion that you are running has reached End of Life and is no longer supported by Adobe. Security patches are no longer issued for this version. CF8 EOL 2012, CF9 EOL 2014, CF10 EOL 2017, CF11 EOL 2019, CF2016 EOL 2021, CF2018 Ends Core Support 7/13/2023, Extended Support 7/13/2024. ColdFusion 2021 has core support until 2025. ColdFusion 2023 has core support until 2028.
More Information: https://helpx.adobe.com/support/programs/eol-matrix.html
critical
AdminAPI Exposed to the Public
The /CFIDE/adminapi/ directory is open to the public; it should be locked down to prevent exploitation.
important
ColdFusion Administrator is Public
ColdFusion Administrator should be restricted by IP or blocked with Web Server password protection. Also consider requiring an SSL connection.
More Information: http://www.petefreitag.com/item/750.cfm
important
CFTOKEN is not a UUID
CFTOKEN should be set to use a UUID in the ColdFusion Administrator. Session IDs may be very easy to guess if UUIDs are not used.
important
RDS may be Enabled
RDS may be enabled on your server (due to a change in recent CF versions we can no longer detect if it is on or off; however, we have detected that the RDSServlet URI is responding to requests). We recommend that you block the URI /CFIDE/main/ide.cfm and/or remove the Servlet Mapping in web.xml to prevent unnecessary access to the RDSServlet.
important
Certificate Signature Uses SHA1
Your SSL Certificate is signed using a SHA1 signature, which is considered weak. You may see security errors or warnings in Chrome.
More Information: http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html
important
SSL Version 3 Enabled
Your Web Server is accepting SSL V3 connections, which are vulnerable to the POODLE (CVE-2014-3566) attack. Consider disabling this protocol, which may impact old clients such as IE6 on Windows XP. Disabling SSLv3 may also impact server side HTTPS clients (that consume your web services or APIs), and potentially bots / crawlers. You can use our IIS SSL tool to disable SSLv3 on IIS: https://foundeo.com/products/iis-weak-ssl-ciphers/
More Information: https://poodle.io
important
Solr Search Service Exposed
CVE-2010-0185 detected. ColdFusion 9 Apache Solr services are exposed to the public. Any data in solr search collections may be exposed to the public. Follow the instructions in APSB10-04 to remedy, or upgrade to ColdFusion 9.0.1.
More Information: http://www.adobe.com/support/security/bulletins/apsb10-04.html
important
OpenSSL Record of Death CVE-2010-0740
CVE-2010-0740 detected. The version of OpenSSL you are running (version 0.9.8f through 0.9.8m) allows remote attackers to cause a denial of service (crash) via a malformed record in a TLS connection.
More Information: http://www.openssl.org/news/secadv_20100324.txt
important
Apache 2.2 Security Update Available
The version of Apache you are running does not contain the most recent security fixes.
More Information: http://httpd.apache.org/security/vulnerabilities_22.html
important
Security Hotfix APSB12-26 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB12-26 was not found to be installed on your server. This hotfix resolves a sandbox permission issue.
More Information: http://www.adobe.com/support/security/bulletins/apsb12-26.html
important
Security Hotfix APSB12-25 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB12-25 was not found to be installed on your server. This hotfix resolves a denial of service (DoS) vulnerability, CVE-2012-5674.
More Information: http://www.adobe.com/support/security/bulletins/apsb12-25.html
important
Security Hotfix APSB12-21 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB12-21 was not found to be installed on your server. This hotfix resolves a denial of service (DoS) vulnerability, CVE-2012-2048.
More Information: http://www.adobe.com/support/security/bulletins/apsb12-21.html
important
Security Hotfix APSB13-19 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB13-19 was not found on your server.
More Information: http://www.adobe.com/support/security/bulletins/apsb13-19.html
warning
Session Cookies are not marked HTTPOnly
Using HTTPOnly cookies prevents the session cookies from being hijacked via a JavaScript XSS attack on modern browsers.
More Information: http://www.petefreitag.com/item/764.cfm
warning
LogJam: DH Group Uses a common prime.
Your HTTPS server is configured to use a common 1024-bit prime. Security researchers estimate that a nation-state could break encryption on servers with a common 1024-bit DH group prime.
More Information: https://weakdh.org/
warning
LogJam: DH Group Smaller than 2048 Supported
Your server supports a DH Group Size smaller than 2048 bits. It is recommended to use a unique 2048-bit Diffie-Hellman group. Note that Java 1.7 and below cannot connect to servers (e.g. with CFHTTP) using a DH group size larger than 1024.
More Information: https://weakdh.org/
warning
SSL Certificate Public Key Below 2048 Bits
Your SSL certificate public key is below 2048 bits. Consider making a new certificate signing request (CSR) and rekeying your certificate with a 2048-bit key or larger.
warning
SSL Certificate Expires Soon
Your SSL certificate will expire soon, please make sure you renew it.
warning
ColdFusion Documentation Public
The ColdFusion Server Documentation is public at /cfdocs/dochome.htm; this identifies the ColdFusion server version you are using.

Please note, this tool is not able to test for all potential security issues that may exist.

Dig Deeper & Stay Updated with Our Paid Service

When you sign up for our service you can:

Pricing starts at $10/month

Severity Key

Critical
Found 10 Critical Issues
These issues pose a significant security risk. It is imperative that they are resolved at once.

Important
Found 12 Important Issues
These issues may have a security risk in certain conditions. It is recommended that you resolve them.

Warning
Found 6 Warnings
You should consider fixing these issues, however, they do not pose a large risk.

See a List of ColdFusion Security Vulnerabilities detected by this tool.