Guide to applying ColdFusion hotfixes for vulnerability APSB09-12

This guide is made public to help ColdFusion administrators apply the ColdFusion and JRun hotfixes released by Adobe in the security update for vulnerability APSB09-12. Its purpose is to reduce the time required to update a ColdFusion server and to provide a checklist that can be referred to during the update process. All information compiled for this guide has been sourced from Adobe security bulletins; we provide it in the hope that it will be a useful resource, but we provide no warranty and accept no liability for its use.

Hotfixes released for new ColdFusion & Jrun XSS exploits

Adobe has just released hotfix updates to address recently discovered cross-site scripting vulnerabilities in ColdFusion 7 / 8 and JRun 4.0 servers, some of which would allow an attacker to retrieve CF Administrator login details from an unsuspecting administrator. Details of some of these ColdFusion vulnerabilities have been posted here by Digital Security Research Group, including XSS vulnerabilities in the following CFIDE scripts:

cflogin - Problems with passwords containing colons

As recently detailed by Ray Camden on his blog in this post, when using cflogin, any part of a user's password after a ":" is removed before the password is stored in the cflogin scope. This is likely to be an infrequent but very hard to diagnose problem for anyone generating passwords from random strings and using cflogin to manage their website user logins.

Application vars vulnerable on shared hosting

DO NOT store usernames or passwords in your application variables, and do not trust those variables, as they can be accessed by other websites on the same server instance. Many ColdFusion developers will read this bold warning as old news, but unfortunately many more are not aware of the problem and are storing highly sensitive information such as database, email or admin usernames and passwords in the application scope, leaving their databases and sites open to attack. Thanks to a recent comment (thanks Bradley) we have been reminded that it's time again to get this warning out there.

Hardening ColdFusion presentation from Peter Freitag

Peter Freitag has recently put online the slides from the Hardening ColdFusion talk he gave at cfObjective 2009. The presentation focuses on the server administration side of CF security and walks you through many of the install options and configuration settings that can be changed to make things harder for hackers.
