HackMyCF Scanner Updated
Yesterday I added some additional functionality to the HackMyCF ColdFusion Server Security Scanner:
- Now checks for an exposed WEB-INF directory - The content of the WEB-INF folder should never be served to the public. If it sits under the web root, the web server must block requests for it. That configuration is not typical, but if you set up your server without realizing this you could be exposing sensitive information. Thanks to Charlie Arehart for the idea; he has seen this problem in the wild multiple times.
- CVE-2010-2861 path traversal vulnerability check improved - The scanner may previously have missed this issue on CF7 servers. It's also important to note that Adobe did not release a patch for this issue for CF7 (because it is no longer supported), so make sure you upgrade your server to a more recent version of ColdFusion, or block access to /CFIDE.
- Added a check for XSS issue CVE-2007-0817 - This issue is only found on CF6 and CF7 servers.
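As an added example of the WEB-INF check described in the first item (this is not HackMyCF's own code), the script below probes your own server for `/WEB-INF/web.xml`, a file the servlet specification requires in every J2EE web application, and classifies the response. It also probes a lowercase variant of the path, because a block rule that matches case-sensitively can be bypassed on a case-insensitive filesystem such as Windows; both probe paths and the response signatures are assumptions made for illustration. The fetcher is injectable so the verdict logic can be exercised offline with constructed responses.

```python
"""Self-check for an exposed WEB-INF directory on a ColdFusion / J2EE host.

Added example, not part of the HackMyCF scanner. Probe paths and the
"<web-app" signature are assumptions chosen for illustration.
"""
import sys
import urllib.error
import urllib.request

# Paths that should never be served from under the web root.
# The lowercase variant catches case-sensitive block rules on servers
# whose filesystem is case-insensitive (assumed check, e.g. IIS on Windows).
PROBE_PATHS = [
    "/WEB-INF/web.xml",
    "/web-inf/web.xml",
]


def classify(status: int, body: str) -> str:
    """Turn (status, body) of a WEB-INF probe into a verdict.

    Returns "exposed", "blocked" or "inconclusive". Only a 200 that actually
    carries servlet deployment XML counts as a finding; a custom error page
    served with status 200 (a "soft 404") is reported as inconclusive.
    """
    if status in (401, 403, 404):
        return "blocked"
    if status == 200 and "<web-app" in body:
        return "exposed"
    return "inconclusive"


def fetch(url: str) -> tuple[int, str]:
    """Minimal fetcher returning (status, first 4 KiB of body).

    HTTP error statuses are returned rather than raised so the caller can
    classify them like any other response.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "webinf-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")


def check_web_inf(base_url: str, fetcher=fetch) -> dict:
    """Probe every path in PROBE_PATHS under base_url; return {path: verdict}."""
    base = base_url.rstrip("/")
    return {path: classify(*fetcher(base + path)) for path in PROBE_PATHS}


def has_exposure(results: dict) -> bool:
    """True if any probe came back as a confirmed exposure."""
    return any(verdict == "exposed" for verdict in results.values())


if __name__ == "__main__":
    # Usage: python webinf_check.py https://your-own-server.example
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8500"
    findings = check_web_inf(target)
    for probe, verdict in findings.items():
        print(f"{verdict:13s} {probe}")
    sys.exit(1 if has_exposure(findings) else 0)
```

If the script reports an exposure, the fix belongs in the web server rather than in ColdFusion: deny requests for the WEB-INF path in the web server configuration (for example a request-filtering hidden segment on IIS, or a location-based deny rule on Apache), then re-run the check including the lowercase variant.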
I have to thank the folks that have subscribed to the HackMyCF paid service for allowing me to keep the scanner up to date!
Great stuff, this is always a concern of mine, safeguarding a site and then trying to break it. Do you know of any vulnerabilities with CF9 out of the box?
@Thomas - Yes there are a number of vulnerabilities in CF9 that need to be patched (a patch was just released yesterday in fact) see http://www.adobe.com/support/security/#coldfusion for more info.