I just had to email yet another ColdFusion-based website about security holes in their website. I found it via a Google search result while searching for [something else]. It'll be interesting to see if they do anything about it.
If you run a ColdFusion website, do this:
Or on a Lucee website:
Or on Railo:
If you see anything other than a 404 page (a login prompt, a redirect to one, or an error page all count), your administrator UI is reachable from the internet and your site is potentially insecure. You must not expose your admin UI to the public.
Then try this:
If you get a CFML error page instead of your web server's own error page, you are also leaking information about your platform (at minimum that you run a CFML engine, and usually which one and its version) that you should not be.
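Here is a small script that runs those two checks with curl. It is an added example and not code from the original post. It assumes the engines' default administrator paths (/CFIDE/administrator/ for ColdFusion, /lucee/admin/server.cfm for Lucee, /railo-context/admin/server.cfm for Railo); if a site has moved its admin UI, adjust them. The made-up missing .cfm page name and the keyword list used to recognise a CFML error page are also my assumptions, and the latter is only a heuristic.

```shell
#!/bin/sh
# Added example: probe a CFML site for an exposed admin UI and for
# CFML error pages leaking past the web server. Not from the original post.

# Assumption: the engines' well-known default admin paths, unchanged.
ADMIN_PATHS="/CFIDE/administrator/ /lucee/admin/server.cfm /railo-context/admin/server.cfm"

# Assumption: a .cfm page that does not exist, so the request reaches the
# engine's missing-template handling rather than an existing page.
MISSING_PAGE="/this-page-should-not-exist-$(date +%s).cfm"

# Classify the HTTP status of an admin-path probe. The post's rule is
# "anything other than 404 is a problem": 200, 401, 302-to-login and 500
# all mean the path answered. "000" is curl's code for no HTTP response at
# all (DNS or connection failure), which we report separately.
classify_admin() {
  case "$1" in
    404) echo "ok" ;;
    000) echo "unreachable" ;;
    *)   echo "exposed" ;;
  esac
}

# Heuristic: does a response body look like a CFML engine's error page
# rather than the web server's own not-found page? Matches the engine names
# and the classic ColdFusion error-page title. A site that mentions
# "ColdFusion" in its normal 404 page would be a false positive.
looks_like_cfml_error() {
  printf '%s' "$1" | grep -Eqi 'coldfusion|lucee|railo|cfml|Error Occurred While Processing Request'
}

# Run both checks against a base URL, e.g. https://www.example.com
# Redirects are deliberately not followed: a 302 to a login page is itself
# "something other than 404".
probe() {
  base="${1%/}"
  for p in $ADMIN_PATHS; do
    status=$(curl -s --max-time 10 -o /dev/null -w '%{http_code}' "$base$p")
    case "$(classify_admin "$status")" in
      ok)          echo "ok          $base$p -> 404" ;;
      unreachable) echo "unreachable $base$p (no HTTP response)" ;;
      exposed)     echo "EXPOSED     $base$p -> HTTP $status (expected 404)" ;;
    esac
  done
  body=$(curl -s --max-time 10 "$base$MISSING_PAGE")
  if looks_like_cfml_error "$body"; then
    echo "LEAKING     $base$MISSING_PAGE answered with a CFML engine error page"
  else
    echo "ok          $base$MISSING_PAGE handled by the web server's own error page"
  fi
}

# Usage: sh cfml-check.sh https://www.example.com
if [ $# -eq 1 ]; then
  probe "$1"
fi
```

A clean result is three "ok" lines for the admin paths (or "unreachable" only if the host itself is down) and "ok" for the missing page. Anything marked EXPOSED or LEAKING is the condition the post describes.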
Whenever I hear about a CFML website, I check those two things, and depressingly often I find them not secure. And note: if you're in the habit of announcing the launch of new CFML-driven websites, make sure you've done this stuff first.
As I have said before: "Don't advertise yourself as a CFML website". Ideally you should not even be exposing URLs which have a .cfm extension, as this is giving away information you should not be giving away. That said, I would not worry too much about that, but definitely do worry about having your CF Administrator exposed.
What you really ought to do whenever you are going to launch a new CFML-driven website is engage Foundeo (disclosure: I have nothing to do with Foundeo, and I am making this recommendation solely because I respect the work they do) to do a security audit for you: HackMyCF. They'll check all sorts of stuff for you, and make sure you're secure. And you really must do this sort of thing as a matter of course.
Don't leave yourself exposed and become one of those news stories.