Disable Flash Remoting on ColdFusion Servers

coldfusion Due to the recent security vulnerability ABSP15-20 / APSB15-21 in BlazeDS there has been increased interest in disabling flash remoting when not needed -- if you followed the lockdown guide for CF9, CF10, or CF11 you should already have it disabled.

This entry was:

Scope Injection in CFML

coldfusion Here is an interesting vulnerability that I have come across several times in real CFML code during code reviews, I have spoken about it at conferences but have never written about it. Since it doesn't really have a name, I call it Scope Injection, you'll see why in a minute.

This entry was:

How to Disable Robust Exception Information on Railo

coldfusion As you know one of the first things you should do on a production ColdFusion server is disable robust exception information (this includes things like source code, and file path disclosures in error messages), in the ColdFusion Administrator.

This entry was:

Using Railo, Secure The railo-context

coldfusion If you are using Railo you will want to make sure you have locked down the uri /railo-context/ - this is Railo's equivilent to ColdFusion's /CFIDE/ directory. It contains the Railo Administrator, as well as some other supporting files and mappings.

This entry was:

CFML on Google App Engine for Java

coldfusion java Yesterday I gained access to the Google App Engine for Java, early release program, and as any CFML developer would do, I tried getting a CFML server (both Railo and OpenBD) to run on it. I posted some of my experiences on twitter, unfortunately I was unsuccessful.

This entry was:


did you hack my cf?