ColdFusion 8 Security Whitepaper
Adobe has published a whitepaper called: ColdFusion 8 Product Security Briefing, which outlines the results of an independent security audit from Information Risk Management Plc.
The white paper is not very detailed, but here's a quick summary of their findings:
- New Authentication for CF Admin has raised the overall security of the product
- Server Monitoring Features - Exceeded industry standards
- Remote Debugging - Should be disabled on all internet facing servers
- AJAX Features - "AJAX introduces several potential security issues which can be attacked in new creative ways and also increases the likelihood of client side attacks in poor implementations. However, Adobe is aware of these attacks and has mitigated the risks associated with their exploitation."
- New Tags - Adheared to sandbox security model, tested with mailformed data.
- "In respect to code level security, the source code was well written and adhered to Sun Microsystems guidelines for writing secure code."
One line I did find to be curious was this one:
ColdFusion remote debugging relies on RDS (Remote Development Services) thereby leveraging security features provisioned by this tried and tested protocol.
- CFSummit 2016 Slides - October 17, 2016
- Scope Injection in CFML - March 3, 2015
- New HackMyCF Features - October 24, 2013
- J2EE Sessions in CF10 Uses Secure Cookies - April 5, 2013
- Learn about ColdFusion Security at cfObjective 2013 - March 6, 2013
- Docker Container exited with code 137
- Why is my cron.daily script not running?
- Announcing FuseGuard Version 3
- CFSummit 2017
- Java Unlimited Strength Crypto Policy for Java 9 or 1.8.0_151
- Java 9 Security Enhancements
- Upcoming CFML Conferences in April 2017
- CFSummit 2016 Slides