Due to the recent security vulnerability ABSP15-20 / APSB15-21 in BlazeDS there has been increased interest in disabling flash remoting when not needed -- if you followed the lockdown guide for CF9, CF10, or CF11 you should already have it disabled.

Here is an interesting vulnerability that I have come across several times in real CFML code during code reviews, I have spoken about it at conferences but have never written about it. Since it doesn't really have a name, I call it Scope Injection, you'll see why in a minute.

As you know one of the first things you should do on a production ColdFusion server is disable robust exception information (this includes things like source code, and file path disclosures in error messages), in the ColdFusion Administrator.

If you are using Railo you will want to make sure you have locked down the uri /railo-context/ - this is Railo's equivilent to ColdFusion's /CFIDE/ directory. It contains the Railo Administrator, as well as some other supporting files and mappings.

Yesterday I gained access to the Google App Engine for Java, early release program, and as any CFML developer would do, I tried getting a CFML server (both Railo and OpenBD) to run on it. I posted some of my experiences on twitter, unfortunately I was unsuccessful.