Yesterday I added some additional functionality to the HackMyCF ColdFusion Server Security Scanner:
- Now Checks for an exposed WEB-INF directory - The content in the WEB-INF folder should not be served up to the public. If it is under the web root, it must be blocked by the web server. It's not typical that it would be, but if you setup up your server not realizing this you could be potentially exposing sensitive information. Thanks to Charlie Arehart for the idea, he has seen this problem in the wild multiple times.
- CVE-2010-2861 Path Traversal Vulnerability Scanner Improved - The scanner may have previously missed detecting this issue on CF7 servers. It's also important to note that Adobe did not release a patch for this issue for CF7 (because it is no longer supported) so make sure you upgrade your server to a more recent version of ColdFusion, or block /CFIDE
- Added support for XSS Issue CVE-2007-0817 - This issue is only found on CF6 and CF7 servers.
I have to thank the folks that have subscribed to the HackMyCF paid service for allowing me to keep the scanner up to date!
Comments
Great stuff, this is always a concern of mine, safe guarding a site and then trying to break it. Do you know of any vulnerabilities with CF9 out of the box?
@Thomas - Yes there are a number of vulnerabilities in CF9 that need to be patched (a patch was just released yesterday in fact) see http://www.adobe.com/support/security/#coldfusion for more info.