ColdFusion 8 Security Whitepaper
Adobe has published a whitepaper called: ColdFusion 8 Product Security Briefing, which outlines the results of an independent security audit from Information Risk Management Plc.
The white paper is not very detailed, but here's a quick summary of their findings:
- New Authentication for CF Admin has raised the overall security of the product
- Server Monitoring Features - Exceeded industry standards
- Remote Debugging - Should be disabled on all internet facing servers
- AJAX Features - "AJAX introduces several potential security issues which can be attacked in new creative ways and also increases the likelihood of client side attacks in poor implementations. However, Adobe is aware of these attacks and has mitigated the risks associated with their exploitation."
- New Tags - Adheared to sandbox security model, tested with mailformed data.
- "In respect to code level security, the source code was well written and adhered to Sun Microsystems guidelines for writing secure code."
One line I did find to be curious was this one:
ColdFusion remote debugging relies on RDS (Remote Development Services) thereby leveraging security features provisioned by this tried and tested protocol.
- J2EE Sessions in CF10 Uses Secure Cookies - April 5, 2013
- Learn about ColdFusion Security at cfObjective 2013 - March 6, 2013
- Session Loss and Session Fixation in ColdFusion - March 1, 2013
- Understanding HashDos and postParameterLimit - August 1, 2012
- ColdFusion 10 Security Enhancements Presentation - June 7, 2012
- Writing Secure CFML cfObjective 2013 Slides
- Upgrading to Java 7 on Linux
- J2EE Sessions in CF10 Uses Secure Cookies
- Learn about ColdFusion Security at cfObjective 2013
- Session Loss and Session Fixation in ColdFusion
- FuseGuard 2.3 Released
- CKEditor Spell Checker Plugin
- Adobe Says Go Ahead and Upgrade your ColdFusion JVM