ColdFusion Server Security Scanner
October 21, 2009
My company Foundeo Inc. released a new free web service today called HackMyCF that allows you to scan your ColdFusion server to detect the absence of recent ColdFusion security hotfixes as well as other security problems.
The site generates an email report detailing what security issues were found, here's an example:
I would love to hear your feedback!
Trackback Address: 721/62F7D5F989F7D5BBFD08F9B309B3D53A
Very nice, Pete. Why didn't anyone think of this before? :-) It only took a couple of seconds to run so I don't know how many tests it did, but considering there is no other tool or relatively quick way to find out what you're supposed to do to secure a CF server, this is brilliant! Thank you!
I'm off to fix the 1 warning I was given. Something about a file upload vulnerability in Fckeditor. Is that a problem even if I don't use Fckeditor? (TinyMCE is my choice!)
I have yet to try this out, but I think this is an amazing idea!
Thanks for putting in the time and effort to make it publicly available.
It said "You may not be running the latest version of ColdFusion 8. Consider upgrading to ColdFusion 8.0.1". I'm running 8.0.1 with cumulative HF 3.
Concerning the "Server Software Disclosure" warning, here's an article that describes how to change the server header in IIS7.
The comments also contain an interesting discussion of whether this is really necessary from a security standpoint, and some insinuations about why Microsoft didn't make this a simple change.
Darn it, I meant to say concerning the "Server Header Version Disclosure" warning. The "Server Software Disclosure" is a simple change in IIS.
@steveeray would you mind emailing me your server domain so I can look into it. Is it possible that some files still existed in your CFIDE after the update.
@David great link, thanks!
@David, it looks like that latest version of Microsoft URLScan supports IIS 7 / Windows 2008: http://www.iis.net/extensions/UrlScan
I love this. Great idea! I never knew I needed to apply an Apache patch.
Unfortunately I have some other servers I would like to check but I do not have an E-mail address at those domains since our work E-mails are all on a secondary domain that the site doesn't operate on. Is there a way I can check those?
@Brad, yes I added a feature that allows you to use any email address provided that you can create a temporary file in the web root using a certain file name. Just enter the domain and email and it will tell you how to do it.
HackMyCF does *NOT* perform any comparason check against email/web domains specified. I specified 2 totally different domains and it did the test and emailed me the result. Which is just as well as we have no email addresses set up for the website's domain. :-)
strange the tool tell us that we have the Apache vulnerability but the server has been patched (twice) following the adobe technote (which is referenced in the report) Thank you for the tool
Hi Pete- I ran HackMyCf before I applied any security patches on my 8.01 server yet it found nothing. Could it be because I have CFAdmin behind a firewall or an alternate port.
Doug - yes if it can't find /CFIDE then it really limits what it can find. But that is a good thing!
Does that mean I do not need to apply these patches since I have secured CFIDE. We have always moved them to an alternate port and left that without public access. Only someone on our VPN can see it which is extremely limited.
I have a second question as well. In our PCI Compliance we found we were open to XSS attacks on our forms. One of the developers wrote something that escapes <>" and "" and the example code the compliance company sent no longer works.
I know this is a stretch to answer but if we prevent those characters could that be the end of the PCI Compliance certification issue. IT seems too easy.
Properly escaping ALL user-controlled strings on your site is neccessary to prevent XSS.
@Doug - I would still recommend applying the patches even if our remote tool can't find them it doesn't mean a hacker can't.
As for the XSS, you really need to remove more than just <>"' to be protected in all cases and HTMLEditFormat doesn't totally do the trick, for example HTMLEditFormat doesn't escape single quotes.
To be free of XSS concerns you need to strip out <>'"();#