New HackMyCF Features

coldfusion HackMyCF, my company's ColdFusion (and Railo too) server security scanner was recently updated with some cool new features for our paid subscribers.

This entry was:

Bug Loading Scripts for CFFileUpload and CFMediaPlayer

coldfusion It has recently come to my attention that there are some hard coded references to /CFIDE/scripts/ in some of the JS files that are used by the new (in CF9) tags CFFileUpload and CFMediaPlayer.

This entry was:

Changing the ColdFusion CFIDE Scripts Location

coldfusion One of the things that the HackMyCF ColdFusion server security scanner looks for, is if the /CFIDE/scripts/ folder is in it's default location. There have been security vulnerabilities located in this folder in the past, most notably was the FCKEditor Vulnerability in ColdFusion 8.

This entry was:

Is your ColdFusion Administrator Actually Public?

coldfusion Every so often I get an email back from someone who ran saying something like this:

Your scanner says our ColdFusion Administrator is publicly accessible, but I don't think that's true.

This entry was:

Howto Require SSL for ColdFusion Administrator

coldfusion A good security practice is to require SSL for ColdFusion administrator access (an even better practice is to limit access to localhost). This should only take less than five minutes on either Apache or IIS.

This entry was:


did you hack my cf?