HackMyCF Scanner Updated
By Pete Freitag
Yesterday I added some additional functionality to the HackMyCF ColdFusion Server Security Scanner:
- Now checks for an exposed WEB-INF directory - The content in the WEB-INF folder should never be served to the public. If it sits under the web root, the web server must block it. It's not typical for it to be exposed, but if you set up your server without realizing this, you could potentially be exposing sensitive information. Thanks to Charlie Arehart for the idea; he has seen this problem in the wild multiple times.
- CVE-2010-2861 path traversal vulnerability scanner improved - The scanner may previously have missed detecting this issue on CF7 servers. It's also important to note that Adobe did not release a patch for this issue for CF7 (because it is no longer supported), so make sure you upgrade your server to a more recent version of ColdFusion, or block /CFIDE.
- Added support for XSS Issue CVE-2007-0817 - This issue is only found on CF6 and CF7 servers.
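As an added example (not part of the original post, and not HackMyCF's or Adobe's own configuration), here is how the two blocks recommended above can be enforced at the web server in Apache httpd 2.4. The assumptions are that Apache fronts the ColdFusion web root, that the 2.4 `Require` directives are available, and that the allowed networks for /CFIDE are placeholders you replace with your own management addresses.

```apache
# Added example: deny WEB-INF and restrict CFIDE at the web server layer.
# Assumes Apache httpd 2.4 with mod_authz_core in front of the CF web root.

# 1. Never serve WEB-INF (web.xml, cfusion internals, compiled classes).
#    The (?i) makes the match case-insensitive, which matters on Windows
#    where /web-inf/ and /WEB-INF/ resolve to the same directory.
<LocationMatch "(?i)^/WEB-INF(/|$)">
    Require all denied
</LocationMatch>

# 2. Restrict /CFIDE so the administrator (and the CVE-2010-2861 traversal
#    that reaches it) is not available from the public internet.
#    127.0.0.1 and 10.0.0.0/8 are placeholder trusted networks; adjust them.
<LocationMatch "(?i)^/CFIDE(/|$)">
    Require ip 127.0.0.1 10.0.0.0/8
</LocationMatch>
```

On Apache 2.2 the equivalent inside each block is `Order deny,allow` plus `Deny from all` (and `Allow from` your trusted networks for /CFIDE). After reloading, confirm the block works by requesting `/WEB-INF/web.xml` and `/CFIDE/administrator/` from an untrusted address; both should return 403, and a 200 on either means the rule is not being applied to the virtual host that serves ColdFusion.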
I have to thank the folks that have subscribed to the HackMyCF paid service for allowing me to keep the scanner up to date!
HackMyCF Scanner Updated was first published on February 01, 2011.