ColdFusion Server Security Scanner

October 21, 2009
coldfusion

My company Foundeo Inc. released a new free web service today called HackMyCF that allows you to scan your ColdFusion server to detect the absence of recent ColdFusion security hotfixes as well as other security problems.

The site generates an email report detailing what security issues were found, here's an example:

I would love to hear your feedback!


| Add Comment | add to del.icio.us | Tags: , , ,

Related Entries

This entry was:

 Download FuseGuard WAF for ColdFusion

Trackbacks

Trackback Address: 721/62F7D5F989F7D5BBFD08F9B309B3D53A

Comments

On 10/21/2009 at 11:10:47 PM EDT Gary Fenton wrote:
1
Very nice, Pete. Why didn't anyone think of this before? :-) It only took a couple of seconds to run so I don't know how many tests it did, but considering there is no other tool or relatively quick way to find out what you're supposed to do to secure a CF server, this is brilliant! Thank you!

I'm off to fix the 1 warning I was given. Something about a file upload vulnerability in Fckeditor. Is that a problem even if I don't use Fckeditor? (TinyMCE is my choice!)

On 10/22/2009 at 12:22:01 AM EDT Mark Mandel wrote:
2
I have yet to try this out, but I think this is an amazing idea!

Thanks for putting in the time and effort to make it publicly available.

On 10/22/2009 at 11:57:04 AM EDT steveeray wrote:
3
It said "You may not be running the latest version of ColdFusion 8. Consider upgrading to ColdFusion 8.0.1". I'm running 8.0.1 with cumulative HF 3.

On 10/22/2009 at 12:04:15 PM EDT David Hammond wrote:
4
Concerning the "Server Software Disclosure" warning, here's an article that describes how to change the server header in IIS7.

http://blogs.technet.com/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx

The comments also contain an interesting discussion of whether this is really necessary from a security standpoint, and some insinuations about why Microsoft didn't make this a simple change.

On 10/22/2009 at 12:08:42 PM EDT David Hammond wrote:
5
Darn it, I meant to say concerning the "Server Header Version Disclosure" warning. The "Server Software Disclosure" is a simple change in IIS.

On 10/22/2009 at 12:09:09 PM EDT Pete Freitag wrote:
6
@Gary - The FCKeditor vulnerability is an important one, it is installed as part of ColdFusion 8, and is located under /CFIDE/ See http://www.petefreitag.com/item/704.cfm for more info.

On 10/22/2009 at 12:12:14 PM EDT Pete Freitag wrote:
7
@Mark thanks!

@steveeray would you mind emailing me your server domain so I can look into it. Is it possible that some files still existed in your CFIDE after the update.

@David great link, thanks!

On 10/22/2009 at 12:53:30 PM EDT Pete Freitag wrote:
8
@David, it looks like that latest version of Microsoft URLScan supports IIS 7 / Windows 2008: http://www.iis.net/extensions/UrlScan

On 10/22/2009 at 6:34:16 PM EDT Brad Wood wrote:
9
I love this. Great idea! I never knew I needed to apply an Apache patch.

Unfortunately I have some other servers I would like to check but I do not have an E-mail address at those domains since our work E-mails are all on a secondary domain that the site doesn't operate on. Is there a way I can check those?

On 10/22/2009 at 7:06:17 PM EDT Pete Freitag wrote:
10
@Brad, yes I added a feature that allows you to use any email address provided that you can create a temporary file in the web root using a certain file name. Just enter the domain and email and it will tell you how to do it.

On 10/22/2009 at 7:32:30 PM EDT Gary Fenton wrote:
11
HackMyCF does *NOT* perform any comparason check against email/web domains specified. I specified 2 totally different domains and it did the test and emailed me the result. Which is just as well as we have no email addresses set up for the website's domain. :-)

On 10/27/2009 at 7:12:43 PM EDT Anonymous wrote:
12
strange the tool tell us that we have the Apache vulnerability but the server has been patched (twice) following the adobe technote (which is referenced in the report) Thank you for the tool

On 02/15/2010 at 4:23:33 PM EST doug wrote:
13
Hi Pete- I ran HackMyCf before I applied any security patches on my 8.01 server yet it found nothing. Could it be because I have CFAdmin behind a firewall or an alternate port.

On 02/15/2010 at 4:51:37 PM EST Pete Freitag wrote:
14
Doug - yes if it can't find /CFIDE then it really limits what it can find. But that is a good thing!

On 02/15/2010 at 7:12:07 PM EST Doug wrote:
15
Does that mean I do not need to apply these patches since I have secured CFIDE. We have always moved them to an alternate port and left that without public access. Only someone on our VPN can see it which is extremely limited.

I have a second question as well. In our PCI Compliance we found we were open to XSS attacks on our forms. One of the developers wrote something that escapes <>" and "" and the example code the compliance company sent no longer works.

I know this is a stretch to answer but if we prevent those characters could that be the end of the PCI Compliance certification issue. IT seems too easy.

On 02/16/2010 at 2:00:13 AM EST Brad Wood wrote:
16
@Doug: No need to write you own functions. Use the HTMLEditFormat() function to make a string safe to include in HTML, and use the jsStringFormat() function to make a string safe for JavaScript.

Properly escaping ALL user-controlled strings on your site is neccessary to prevent XSS.

On 02/16/2010 at 1:14:56 PM EST Pete Freitag wrote:
17
@Doug - I would still recommend applying the patches even if our remote tool can't find them it doesn't mean a hacker can't.

As for the XSS, you really need to remove more than just <>"' to be protected in all cases and HTMLEditFormat doesn't totally do the trick, for example HTMLEditFormat doesn't escape single quotes.

To be free of XSS concerns you need to strip out <>'"();#

Post a Comment




  



Spell Checker by Foundeo

Recent Entries



foundeo


did you hack my cf?



Archives:
2012 2011 2010 2009 2008 2007 2006 2005 2004 2003 2002