
HackMyCF Scanner Updated

Published on February 01, 2011
By Pete Freitag
coldfusion

Yesterday I added some additional functionality to the HackMyCF ColdFusion Server Security Scanner:

  • Now checks for an exposed WEB-INF directory - The content of the WEB-INF folder should never be served to the public. If it sits under the web root, it must be blocked by the web server. It is not typical for WEB-INF to be under the web root, but if you set up your server without realizing this you could be exposing sensitive information. Thanks to Charlie Arehart for the idea; he has seen this problem in the wild multiple times.

  • CVE-2010-2861 path traversal vulnerability scanner improved - The scanner may previously have missed this issue on CF7 servers. It is also important to note that Adobe did not release a patch for this issue for CF7 (because it is no longer supported), so make sure you upgrade your server to a more recent version of ColdFusion, or block public access to /CFIDE.

  • Added support for XSS issue CVE-2007-0817 - This issue is only found on CF6 and CF7 servers.
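As an added example (not HackMyCF's own code), here is a small self-check a ColdFusion administrator can run against a server they manage to confirm the web server refuses WEB-INF requests. The host name is a constructed placeholder, and the fetcher is injectable so the verdict logic can be exercised offline.

```python
"""Self-check for an exposed WEB-INF directory on a ColdFusion host.

Added example, not part of HackMyCF. Run it against a server you
administer; the base URL below is a constructed placeholder.
"""
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Paths that exist under WEB-INF on a ColdFusion/JRun install. None of
# them should ever be reachable through the web server. The lowercase
# variant is included because Windows file systems are case-insensitive,
# so a web server rule that only matches "WEB-INF" exactly is not enough.
PROBES = ("/WEB-INF/web.xml", "/WEB-INF/", "/web-inf/web.xml")


def classify(status, body):
    """Map one HTTP response to 'blocked', 'exposed' or 'inconclusive'."""
    if status in (401, 403, 404):
        return "blocked"
    if status == 200 and ("<web-app" in body or "<servlet" in body):
        return "exposed"            # the real deployment descriptor was served
    if status == 200 and "Index of" in body:
        return "exposed"            # directory listing of WEB-INF
    return "inconclusive"           # e.g. 200 from a catch-all error page


def fetch(url, timeout=10):
    """Fetch a URL, returning (status, first 4 KiB of body); status None if no reply."""
    req = Request(url, headers={"User-Agent": "webinf-selfcheck"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except HTTPError as err:        # 4xx/5xx still carry a useful status code
        return err.code, ""
    except URLError:
        return None, ""


def check_web_inf(base_url, fetcher=fetch):
    """Probe every path under base_url and return {path: verdict}."""
    base = base_url.rstrip("/")
    return {path: classify(*fetcher(base + path)) for path in PROBES}


if __name__ == "__main__":
    for path, verdict in check_web_inf("https://cf.example.invalid").items():
        print(f"{verdict:13} {path}")
```

A verdict of "inconclusive" (a 200 that is neither the descriptor nor a listing) usually means a catch-all page answered; confirm by hand that the real web.xml is not what came back.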

I have to thank the folks that have subscribed to the HackMyCF paid service for allowing me to keep the scanner up to date!



Comments

Great stuff, this is always a concern of mine, safeguarding a site and then trying to break it. Do you know of any vulnerabilities with CF9 out of the box?
by Thomas Craig on 02/08/2011 at 5:10:57 PM UTC
@Thomas - Yes there are a number of vulnerabilities in CF9 that need to be patched (a patch was just released yesterday in fact) see http://www.adobe.com/support/security/#coldfusion for more info.
by Pete Freitag on 02/09/2011 at 12:32:27 PM UTC