January 10, 2011
Changing the ColdFusion CFIDE Scripts Location
One of the things that the HackMyCF ColdFusion server security scanner looks for is whether the /CFIDE/scripts/ folder is in its default location. There have been security vulnerabilities located in this folder in the past, most notably the FCKEditor vulnerability in ColdFusion 8.
April 28, 2010
Is your ColdFusion Administrator Actually Public?
Every so often I get an email back from someone who ran HackMyCF.com saying something like this: Your scanner says our ColdFusion Administrator is publicly accessible, but I don't think that's true.
February 24, 2010
ColdFusion 9 Performance Brief from Adobe
Adobe has posted a ColdFusion 9 Performance Brief, outlining several performance improvements over ColdFusion 7 and 8. The brief reports a 40% performance improvement over ColdFusion 8, and a 500% improvement over ColdFusion 7, running CanvasWiki.
February 16, 2010
Request Filtering in IIS 7 Howto
I've been doing some security work in Windows 2008 recently for a client, and one feature I've really come to like in IIS 7 is Request Filtering. You can configure Request Filtering at the server-wide level, and then override or enhance the filtering at a site / application level.
October 08, 2009
IIS: Disabling Weak SSL Protocols and Ciphers
It's no secret by now that if your web site sees credit card numbers (even if they are passed to a third party gateway) you need to comply with the PCI DSS standards. Requirement 4.
August 20, 2009
ColdFusion wsconfig Hotfix CVE-2009-1876 is for Apache Only
There has been some confusion over the ColdFusion web server connector (wsconfig.jar) hotfix CVE-2009-1876 which is part of Adobe Security Bulletin APSB09-12. Whether or not this hotfix is required on IIS has been a question posed by many.
October 21, 2008
Remove X-Powered-By: ASP.NET Header
Have you ever noticed that IIS tends to brand every HTTP response with the header X-Powered-By: ASP.NET - it will do this even if your site is not powered by ASP.
December 06, 2005
Howto Disable the Server Header in IIS
Steven Erat just pointed me to a technote from Macromedia Adobe called: Configuring ColdFusion MX 7 Server Security in the comments of my securing apache config article.
March 24, 2005
Apache mod_rewrite for IIS
mod_rewrite is easily my favorite module for Apache. You can use it to create very clean URLs, and you can even use it for security validation.
August 27, 2003
Moving SSL Certs from IIS to Apache
I found some instructions for converting SSL certificates generated for IIS to private key and cert files you can use on Unix, or Apache for Windows. First, export your IIS certificate into a pfx file (this is something you should do anyway for backup).
Run mmc.
October 10, 2002
Batch Files to Restart Services on Windows
I wrote some batch files today for restarting services on Windows. The bat files can be used to restart ColdFusion MX or IIS services on Windows NT/2000/XP. Batch File to restart ColdFusion MX
@echo off
REM - File: cfmxrestart.





