
ColdFusion Server Security Scanner

coldfusion

My company Foundeo Inc. released a new free web service today called HackMyCF that allows you to scan your ColdFusion server to detect the absence of recent ColdFusion security hotfixes as well as other security problems.

The site generates an email report detailing which security issues were found; here's an example:

I would love to hear your feedback!

On 10/21/2009 at 9:10:47 PM EDT Gary Fenton wrote:
1
Very nice, Pete. Why didn't anyone think of this before? :-) It only took a couple of seconds to run so I don't know how many tests it did, but considering there is no other tool or relatively quick way to find out what you're supposed to do to secure a CF server, this is brilliant! Thank you!

I'm off to fix the 1 warning I was given. Something about a file upload vulnerability in Fckeditor. Is that a problem even if I don't use Fckeditor? (TinyMCE is my choice!)

On 10/21/2009 at 10:22:01 PM EDT Mark Mandel wrote:
2
I have yet to try this out, but I think this is an amazing idea!

Thanks for putting in the time and effort to make it publicly available.

On 10/22/2009 at 9:57:04 AM EDT steveeray wrote:
3
It said "You may not be running the latest version of ColdFusion 8. Consider upgrading to ColdFusion 8.0.1". I'm running 8.0.1 with cumulative HF 3.

On 10/22/2009 at 10:04:15 AM EDT David Hammond wrote:
4
Concerning the "Server Software Disclosure" warning, here's an article that describes how to change the server header in IIS7.

http://blogs.technet.com/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx

The comments also contain an interesting discussion of whether this is really necessary from a security standpoint, and some insinuations about why Microsoft didn't make this a simple change.

On 10/22/2009 at 10:08:42 AM EDT David Hammond wrote:
5
Darn it, I meant to say concerning the "Server Header Version Disclosure" warning. The "Server Software Disclosure" is a simple change in IIS.

On 10/22/2009 at 10:09:09 AM EDT Pete Freitag wrote:
6
@Gary - The FCKeditor vulnerability is an important one, it is installed as part of ColdFusion 8, and is located under /CFIDE/ See http://www.petefreitag.com/item/704.cfm for more info.

On 10/22/2009 at 10:12:14 AM EDT Pete Freitag wrote:
7
@Mark thanks!

@steveeray would you mind emailing me your server domain so I can look into it? Is it possible that some files still existed in your CFIDE after the update?

@David great link, thanks!

On 10/22/2009 at 10:53:30 AM EDT Pete Freitag wrote:
8
@David, it looks like the latest version of Microsoft URLScan supports IIS 7 / Windows 2008: http://www.iis.net/extensions/UrlScan

On 10/22/2009 at 4:34:16 PM EDT Brad Wood wrote:
9
I love this. Great idea! I never knew I needed to apply an Apache patch.

Unfortunately I have some other servers I would like to check but I do not have an E-mail address at those domains since our work E-mails are all on a secondary domain that the site doesn't operate on. Is there a way I can check those?

On 10/22/2009 at 5:06:17 PM EDT Pete Freitag wrote:
10
@Brad, yes I added a feature that allows you to use any email address provided that you can create a temporary file in the web root using a certain file name. Just enter the domain and email and it will tell you how to do it.
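The ownership check Pete describes, as an added example that is not HackMyCF's own code: the token is bound to the domain and email entered, must be served back from that domain's web root under a derived file name, and expires. The secret, TTL, file-name pattern and the in-memory stand-in for HTTP fetches are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumed server-side values; a real service would load these from config.
SERVER_SECRET = b"constructed-example-secret"
TOKEN_TTL = 3600  # seconds a verification token stays valid

def issue_token(domain, email, now=None):
    """Mint a token bound to the exact (domain, email) pair entered; the file
    name derives from the MAC, so one claim's file cannot serve another."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    msg = f"{domain.lower()}|{email.lower()}|{issued}|{nonce}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return {"domain": domain.lower(), "email": email.lower(), "issued": issued,
            "nonce": nonce, "token": mac,
            "path": f"/hackmycf-verify-{mac[:16]}.txt"}  # assumed name pattern

def verify(token, fetch, now=None):
    """Re-derive the MAC (tampered records fail), enforce expiry, then fetch
    the file from the claimed domain's web root and compare in constant time."""
    current = int(time.time() if now is None else now)
    if current - token["issued"] > TOKEN_TTL:
        return False
    msg = (f'{token["domain"]}|{token["email"]}|'
           f'{token["issued"]}|{token["nonce"]}').encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["token"]):
        return False
    body = fetch(token["domain"], token["path"])  # fetch returns body or None
    return body is not None and hmac.compare_digest(body.strip(), token["token"])

# Constructed stand-in for HTTP fetches: domain -> {path: file body}.
FAKE_WEB_ROOTS = {"www.example.com": {}}

def fake_fetch(domain, path):
    return FAKE_WEB_ROOTS.get(domain, {}).get(path)

def demo():
    """Owner placed the file: True; domain swapped or token expired: False."""
    t = issue_token("www.example.com", "admin@example.net", now=1000)
    FAKE_WEB_ROOTS["www.example.com"][t["path"]] = t["token"] + "\n"
    swapped = dict(t, domain="other.example.org")
    return (verify(t, fake_fetch, now=1500),
            verify(swapped, fake_fetch, now=1500),
            verify(t, fake_fetch, now=1000 + TOKEN_TTL + 1))
```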

On 10/22/2009 at 5:32:30 PM EDT Gary Fenton wrote:
11
HackMyCF does *NOT* perform any comparison check against the email/web domains specified. I specified 2 totally different domains and it did the test and emailed me the result. Which is just as well, as we have no email addresses set up for the website's domain. :-)

On 10/27/2009 at 5:12:43 PM EDT Anonymous wrote:
12
Strange, the tool tells us that we have the Apache vulnerability, but the server has been patched (twice) following the Adobe technote (which is referenced in the report). Thank you for the tool.
