ColdFusion 8 Security Whitepaper
By Pete Freitag
Adobe has published a whitepaper called: ColdFusion 8 Product Security Briefing, which outlines the results of an independent security audit from Information Risk Management Plc.
The white paper is not very detailed, but here's a quick summary of their findings:
- New Authentication for CF Admin has raised the overall security of the product
- Server Monitoring Features - Exceeded industry standards
- Remote Debugging - Should be disabled on all internet facing servers
- AJAX Features - "AJAX introduces several potential security issues which can be attacked in new creative ways and also increases the likelihood of client side attacks in poor implementations. However, Adobe is aware of these attacks and has mitigated the risks associated with their exploitation."
- New Tags - Adheared to sandbox security model, tested with mailformed data.
- "In respect to code level security, the source code was well written and adhered to Sun Microsystems guidelines for writing secure code."
One line I did find to be curious was this one:
ColdFusion remote debugging relies on RDS (Remote Development Services) thereby leveraging security features provisioned by this tried and tested protocol.
ColdFusion 8 Security Whitepaper was first published on July 31, 2007.
If you like reading about coldfusion, security, coldfusion 8, or whitepaper then you might also like:
- Speaking at ColdFusion Summit Online Next Week
- OpenSSL and ColdFusion / Lucee / Tomcat
- ColdFusion Security Training Class December 2022
- ColdFusion Summit 2022 Slides
The Fixinator Code Security Scanner for ColdFusion & CFML is an easy to use security tool that every CF developer can use. It can also easily integrate into CI for automatic scanning on every commit.