HackMyCF Scanner Updated
Yesterday I added some additional functionality to the HackMyCF ColdFusion Server Security Scanner:
- Now checks for an exposed WEB-INF directory - The content in the WEB-INF folder should not be served up to the public. If it is under the web root, it must be blocked by the web server. It is not typical for it to be served, but if you set up your server without realizing this you could be exposing sensitive information. Thanks to Charlie Arehart for the idea; he has seen this problem in the wild multiple times.
- CVE-2010-2861 Path Traversal Vulnerability Scanner Improved - The scanner may have previously missed detecting this issue on CF7 servers. It is also important to note that Adobe did not release a patch for this issue for CF7 (because it is no longer supported), so make sure you upgrade your server to a more recent version of ColdFusion, or block /CFIDE.
- Added support for XSS Issue CVE-2007-0817 - This issue is only found on CF6 and CF7 servers.
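As an added example (my own code, not part of the HackMyCF scanner), here is how the WEB-INF check above can be reproduced against your own server: request /WEB-INF/web.xml and classify the answer. The verdict names, the constructed sample responses and the User-Agent string are my assumptions. The one case worth calling out is a 200 response that is really a custom "page not found" template rather than the descriptor; a check that only looks at the status code would wrongly report that as exposed, so it gets its own verdict and should be inspected by hand.

```python
import sys
import urllib.error
import urllib.request

# Substrings that only a real servlet deployment descriptor contains; an error
# page returned with a 200 status will not match them.
WEBXML_MARKERS = ("<web-app", "<servlet-mapping", "<servlet>")


def classify_webinf(status: int, body: str) -> str:
    """Turn the response to GET /WEB-INF/web.xml into a verdict.

    blocked    - the web server refused the request (what you want)
    not_found  - nothing served at that path
    exposed    - the deployment descriptor itself came back
    reachable  - a 200 without the descriptor (for example a custom
                 'page not found' template that answers with 200);
                 read the body by hand before trusting it
    other      - any other status (5xx and so on)
    """
    if status in (401, 403):
        return "blocked"
    if status == 404:
        return "not_found"
    if status == 200:
        lowered = body.lower()
        if any(marker in lowered for marker in WEBXML_MARKERS):
            return "exposed"
        return "reachable"
    return "other"


# Constructed sample responses, one per verdict, so the logic can be exercised
# without touching any server.
SAMPLE_RESPONSES = {
    "apache_forbidden": (403, "<html><h1>Forbidden</h1></html>"),
    "iis_not_found": (404, "<html><h1>404 - File or directory not found.</h1></html>"),
    "descriptor_served": (200, '<?xml version="1.0"?><web-app><servlet-mapping/></web-app>'),
    "custom_missing_page": (200, "<html><h1>Sorry, that page does not exist</h1></html>"),
    "server_error": (500, ""),
}


def run_samples() -> dict:
    """Classify every constructed sample; returns {name: verdict}."""
    return {name: classify_webinf(status, body)
            for name, (status, body) in SAMPLE_RESPONSES.items()}


def fetch(url: str, timeout: float = 10.0) -> tuple:
    """GET one URL and return (status, first 64 KiB of body). 4xx/5xx answers
    are returned rather than raised so they can be classified too."""
    request = urllib.request.Request(url, headers={"User-Agent": "webinf-selfcheck"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, response.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")


def check_server(base_url: str) -> str:
    """Probe your own server's /WEB-INF/web.xml and return the verdict."""
    status, body = fetch(base_url.rstrip("/") + "/WEB-INF/web.xml")
    return classify_webinf(status, body)


if __name__ == "__main__":
    # Usage: python webinf_check.py https://www.example.com  (placeholder host)
    if len(sys.argv) != 2:
        sys.exit("usage: webinf_check.py <base-url of a server you administer>")
    print(f"{sys.argv[1]}: {check_server(sys.argv[1])}")
```

A "blocked" or "not_found" verdict is the expected state. "exposed" means the web server is serving the WEB-INF tree and the fix belongs at the web server layer (deny the directory in the Apache or IIS configuration, or move it outside the web root), not in ColdFusion itself.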
I have to thank the folks that have subscribed to the HackMyCF paid service for allowing me to keep the scanner up to date!
Great stuff, this is always a concern of mine, safeguarding a site and then trying to break it. Do you know of any vulnerabilities with CF9 out of the box?
@Thomas - Yes there are a number of vulnerabilities in CF9 that need to be patched (a patch was just released yesterday in fact) see http://www.adobe.com/support/security/#coldfusion for more info.