ColdFusion Server Security Scanner
My company Foundeo Inc. released a new free web service today called HackMyCF that allows you to scan your ColdFusion server to detect the absence of recent ColdFusion security hotfixes as well as other security problems.
The site generates an email report detailing what security issues were found, here's an example:
I would love to hear your feedback!
- Determining Which Cumulative Hotfixes are Installed on ColdFusion - September 20, 2011
- You May Need to Reapply CF Security Hotfix CVE-2009-1877 - October 22, 2009
- Fixinator and Foundeo Security Bundle - May 14, 2019
- CFSummit 2016 Slides - October 17, 2016
- Scope Injection in CFML - March 3, 2015
I'm off to fix the 1 warning I was given. Something about a file upload vulnerability in Fckeditor. Is that a problem even if I don't use Fckeditor? (TinyMCE is my choice!)
Thanks for putting in the time and effort to make it publicly available.
The comments also contain an interesting discussion of whether this is really necessary from a security standpoint, and some insinuations about why Microsoft didn't make this a simple change.
@steveeray would you mind emailing me your server domain so I can look into it. Is it possible that some files still existed in your CFIDE after the update.
@David great link, thanks!
Unfortunately I have some other servers I would like to check but I do not have an E-mail address at those domains since our work E-mails are all on a secondary domain that the site doesn't operate on. Is there a way I can check those?
Thank you for the tool
I ran HackMyCf before I applied any security patches on my 8.01 server yet it found nothing. Could it be because I have CFAdmin behind a firewall or an alternate port.
I have a second question as well. In our PCI Compliance we found we were open to XSS attacks on our forms. One of the developers wrote something that escapes <>" and "" and the example code the compliance company sent no longer works.
I know this is a stretch to answer but if we prevent those characters could that be the end of the PCI Compliance certification issue. IT seems too easy.
Properly escaping ALL user-controlled strings on your site is neccessary to prevent XSS.
As for the XSS, you really need to remove more than just <>"' to be protected in all cases and HTMLEditFormat doesn't totally do the trick, for example HTMLEditFormat doesn't escape single quotes.
To be free of XSS concerns you need to strip out <>'"();#
- What is the difference between ASCII Chr(10) and Chr(13)
- Fixinator and Foundeo Security Bundle
- Running CFML on AWS Lambda with FuseLess Slides
- Updating Java on ColdFusion or Lucee
- ColdFusion returning empty response with server-error: true
- Careful applying CF11u16, CF2016u8, CF2018u2
- Sessions don't work in Chrome but do in IE
- csrfVerifyToken does not invalidate the token