ColdFusion Server Security Report [example.com]
||UNIX Linux amd64 2.6.32-042stab063.2 i686
|Web Server Software:
||Apache/2.2.22 (Unix) DAV/2 JRun/4.0 mod_ssl/2.2.22 OpenSSL/0.9.8f
|Probe API Version:
||1.6.0_22 Sun Microsystems Inc. running as cfuser
|Security Hotfixes (9.0.1):
ColdFusion 9 EOL (12/31/2014) - This version has reached End of Life - core support ended on 12/31/2014, extended support ended on 12/31/2016, security patches are no longer being issued for this version (even if security issues exist)
APSB14-23 Oct 2014 - Not Installed
APSB13-27 Nov 2013 - Not Installed
APSB13-19 July 2013 - Not Installed
APSB13-13 May 2013 - Not Installed
APSB13-10 Apr 2013 - Not Installed
APSB13-03 Jan 2013 - Not Installed
APSB12-26 Dec 2012 - Not Installed
APSB12-21 Sept 2012 - Not Installed
APSB12-15 June 2012 - Not Installed
APSB12-06 March 2012 - Not Installed
APSB11-29 December 2011 - Not Installed
APSB11-14 June 2011 - Not Installed
APSB11-04 February 2011 - Installed
APSB10-18 August 2010 - Installed via APSB11-04
Please note, we mark security hotfixes as installed above based on the existance of jar files, please ensure that you have properly installed all hotfix files by following instructions in the Adobe KB article (though we do perform some extra steps to look for common installation errors). Due to the possibility of human error in applying security hotfixes we cannot not guarantee accuracy of the security hotfix install list above.
ColdFusion 9.0.1 Cumulative Hotfix 4 Not Installed
ColdFusion 9.0.1 Cumulative Hotfix 3 Not Installed
ColdFusion 9.0.1 Cumulative Hotfix 2 Not Installed
ColdFusion 9.0.1 Cumulative Hotfix 1 Installed
Please note, Cumulative Hotfixes focus on bug fixes and may or may not include security hotfixes, they are not required and Adobe may only recommend installing them if you are experiencing one of the issues resolved (please read the linked KB article).
Found 3 web server connectors,
all having the same version.
Newer Connector Available
||JRun Apache Connector
To Update Your Connector: Make sure you have applied all hotfixes first, then run wsconfig. If you are on Windows you need to right click on
wsconfig.exe and select: Run As Administrator. For CF2016 and up you can Upgrade the connector in
wsconfig, for CF10 and CF11 you will need to Remove and then Add the connector(s) again. Note, connector updates may not be required for security but generally increase server stability.
TLS / SSL Report
We found 28 security issues on your server example.com
SSL Version 2 Enabled
Your Web Server is accepting SSL V2 connections, a weak protocol. For PCI compliance, and strong security you must disable this protocol on your web server.
Robust Exception Information is Enabled
Robust Exception Information is enabled which leads to path disclosure and partial source code disclosure. This can also be triggered if you have a custom error handler that is disclosing too much information.
Found /CFIDE/h.cfm that matched the signature of a backdoor script capable of manipulating the file system, running executables and running database queries remotely. Your server appears to have been compromised by an attacker.
Security Hotfix APSB13-03 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB13-03 was not found on your server. This hotfix resolves authentication issues that could allow an attacker to take control of your server.
Path Traversal Vulnerability detected (CVE-2010-2861 APSB10-18), this allows an attacker to read any file on the servers file system that ColdFusion has access to (within the same drive on windows).
Cross Site Scripting Vulnerability CVE-2011-0583
CVE-2011-0583 detected. Apply the hotfixes located in Adobe Security Notice apsb11-04. The detection of this vulnerability also indicates to a high degree of likelihood that the following vulnerabilities may also exist: CVE-2011-0580, CVE-2011-0581, CVE-2011-0582, CVE-2011-0584
Apache Double Encoded Null Byte Vulnerability
CVE-2009-1876 detected. Apply the Apache wsconfig.jar hotfix in Adobe Security Notice apsb09-12. This hotfix is only required for ColdFusion servers using the Apache Web Server.
BlaseDS/AMF External XML Entity Injection
CVE-2009-3960 detected. You must apply the hotfix specified in Adobe Security Bulliten APSB10-05, otherwise an attacker can read any file on the server that ColdFusion has permission to read. You need to do this even if you don't use BlaseDS or Flash Remoting because it is enabled in CF by default.
AdminAPI Exposed to the Public
The /CFIDE/adminapi/ directory is open to the public it should be locked down to prevent exploit.
ColdFusion Administrator is Public
ColdFusion Administrator should be restricted by IP or blocked with Web Server password protection. Also consider requiring a SSL connection.
CFTOKEN is not a UUID
CFTOKEN should be set to use a UUID in the ColdFusion Administrator. Session ids may be very easy to guess if UUID's are not used.
RDS may be Enabled
RDS may be enabled on your server (due to a change in recent CF versions we can no longer detect if it is on or off, however we have detected that the RDSServlet URI is responding to requests). We recommened that you block the URI /CFIDE/main/ide.cfm and/or remove the Servlet Mapping in web.xml to prevent unnecessary access to the RDSServlet.
Certificate Signature Uses SHA1
Your SSL Certificate is signed using a SHA1 signature, which is considered weak. You may see security errors or warnings in Chrome.
SSL Version 3 Enabled
Your Web Server is accepting SSL V3 connections, vulnerabile to the POODLE (CVE-2014-3566) attack. Consider disabling this protocol, which may impact old clients such as IE6 on Windows XP. Disabling SSLv3 may also impact server side HTTPS clients (that consume your web services or APIs), and potentially bots / crawlers. You can use our IIS SSL tool to disable SSLv3 on IIS: https://foundeo.com/products/iis-weak-ssl-ciphers/
Solr Search Service Exposed
CVE-2010-0185 detected. ColdFusion 9 Apache Solr services are exposed to the public. Any data in solr search collections may be exposed to the public. Follow the instructions in APSB10-04 to remedy, or upgrade to ColdFusion 9.0.1.
OpenSSL Record of Death CVE-2010-0740
CVE-2010-0740 detected. The version of OpenSSL you are running (version 0.9.8f through 0.9.8m) allows remote attackers to cause a denial of service (crash) via a malformed record in a TLS connection.
Apache 2.2 Security Update Available
The version of Apache you are running does not contain the most recent security fixes.
Security Hotfix APSB12-26 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB12-26 was not found to be installed on your server. This hotfix resolves a sandbox permission issue.
Security Hotfix APSB12-25 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB12-25 was not found to be installed on your server. This hotfix resolves a DOS vulnerability CVE-2012-5674.
Security Hotfix APSB12-21 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB12-21 was not found to be installed on your server. This hotfix resolves a DOS vulnerability CVE-2012-2048.
Security Hotfix APSB13-19 Not Installed
The security hotfix referenced in Adobe Security Bulletin APSB13-19 was not found on your server.
Session Cookies are not marked HTTPOnly
LogJam: DH Group Uses a common prime.
Your HTTPS server is configured to use a common 1024bit prime. Security researchers estimate that a nation-state could break encryption on servers with a common 1024 bit DH group prime.
LogJam: DH Group Smaller than 2048 Supported
Your server supports a DH Group Size smaller than 2048 bits. It is recommended to use a unique 2048-bit Diffie-Hellman group. Note that Java 1.7 and below cannot connect to servers (eg with CFHTTP) using a DH group size larger than 1024.
SSL Certificate Public Key Below 2048 Bits
Your SSL certificate public key is below 2048 bits, consider making a new certificate signing request (CSR) and rekey your certificate with 2048 bit key or larger.
SSL Certificate Expires Soon
Your SSL certificate will expire soon, please make sure you renew it.
ColdFusion Documentation Public
The ColdFusion Server Documentation is public at /cfdocs/dochome.htm this identifies the ColdFusion server version you are using.
Unsupported ColdFusion Version
The version of ColdFusion that you are running is no longer supported by Adobe. Security patches are no longer issued for this version. Upgrade to ColdFusion 11 or greater.
Please note, this tool is not able to test for all potential security issues that may exist.
Dig Deeper & Stay Updated with Our Paid Service
When you Signup for our service you can:
- Finds more security issues such as JVM vulnerabilities, missing ColdFusion hotfixes, etc (using our probe)
- Receive Automated Daily, Weekly, Monthly, or Quarterly server vulnerability reports
- Keep track of multiple servers at once
- Keep track of which hotfixes were installed and when.
- Get notified when new security hotfixes are released.
- PDF Reports
- Scan as much as you want, and view results instantly.
Pricing starts at $10/month
Found 9 Critical Issues
These issues pose a significant security risk. It is imperative that they are resolved at once.
Found 12 Important Issues
These issues may have a security risk in certain conditions. It is recommended that you resolve them.
Found 7 Warnings
You should consider fixing these issues, however, they do not pose a large risk.