ColdFusion 8 Security Whitepaper
Adobe has published a whitepaper called: ColdFusion 8 Product Security Briefing, which outlines the results of an independent security audit from Information Risk Management Plc.
The white paper is not very detailed, but here's a quick summary of their findings:
- New Authentication for CF Admin has raised the overall security of the product
- Server Monitoring Features - Exceeded industry standards
- Remote Debugging - Should be disabled on all internet facing servers
- AJAX Features - "AJAX introduces several potential security issues which can be attacked in new creative ways and also increases the likelihood of client side attacks in poor implementations. However, Adobe is aware of these attacks and has mitigated the risks associated with their exploitation."
- New Tags - Adheared to sandbox security model, tested with mailformed data.
- "In respect to code level security, the source code was well written and adhered to Sun Microsystems guidelines for writing secure code."
One line I did find to be curious was this one:
ColdFusion remote debugging relies on RDS (Remote Development Services) thereby leveraging security features provisioned by this tried and tested protocol.
- New HackMyCF Features - October 24, 2013
- J2EE Sessions in CF10 Uses Secure Cookies - April 5, 2013
- Learn about ColdFusion Security at cfObjective 2013 - March 6, 2013
- Session Loss and Session Fixation in ColdFusion - March 1, 2013
- Understanding HashDos and postParameterLimit - August 1, 2012
- Apache Security Patches on CentOS / RHEL
- FuseGuard 2.4 Released
- New HackMyCF Features
- Blocking .svn and .git Directories on Apache or IIS
- CFDocs site now Open Source
- Getting Size of Heap and Non Heap Memory in CFML
- Firefox Aurora now Supports Content Security Policy 1.0
- Writing Secure CFML cfObjective 2013 Slides