Sunday 30 March 2014

Open Letter to site admins I might be contacting in the near future about the security of your ColdFusion site

Hi:
If you are reading this article, it's probably down to one of two reasons:
  1. you're one of my regular blog readers, in which case this will have just found its way in front of you just like anything else I write;
  2. you are a person I have successfully contacted who is - hopefully - the administrator of a ColdFusion-driven website that I have noticed as having some security issues.
The article is targeted at the second group of people. If I have contacted you directly, it is vitally important you read this, and follow-up on it.

For obvious reasons I will not go into how I came to be contacting you. But via commonplace, publicly-accessible resources on the internet, I was able to determine that you have at least one non-trivial security problem on your website. Here is some information for you to follow up on.

Update:

I have added in some more material that was suggested in various user comments.

ColdFusion Patching

Please make sure your ColdFusion application server is fully patched and up to date. There is a good chance it is not. At time of writing versions 9 and 10 of ColdFusion are still being actively patched. Patching details can be found on the Adobe website:

If you are running a version of ColdFusion older than ColdFusion 9, you really ought to upgrade it. If you are on ColdFusion 9, you really ought to be in the process of upgrading it, as it reaches the end of its support life at the end of 2014. No more security patches will be released for it after that time.

There is a great service called HackMyCF which can help you to more formally and rigorously identify issues with your website. The service is provided by Foundeo, who are stalwarts in our community, and can be trusted. I have no tie to them, I just know them from the community.

ColdFusion Security

A ColdFusion install is not - by default - terribly secure. There are a number of additional steps that are absolutely vital for you to undertake on any public-facing ColdFusion server. These are detailed in the ColdFusion Lockdown Guide:

As David Epler says in his comment:
For anyone needing to patch ColdFusion 8.0.1 or 9.0.x, would recommend Unofficial Updater 2, http://www.uu-2.info/. Also highly recommend people reading Charlie Arehart's post, http://www.carehart.org/blog/client/index.cfm/2014/3/14/cf9_and_earlier_hotfix_guide, before patching to know the issues one might run into.

Lastly, recommend people to sign up to Adobe Security Notification Service, http://www.adobe.com/cfusion/entitlement/index.cfm?e=szalert. It won't notify on all ColdFusion updates, but if they are security related it will.

General site / code security

  • You must block external access to http://yourdomain.com/CFIDE/administrator. It is absolutely critical that this URL cannot be accessed from the outside world. It is a vector for known, real-world site hacking.
  • Always use an error template and a global error handler. Website errors happen, but you do not want to be exposing the error message to the outside world. Error messages often show areas in which a website can be exploited.
  • Make sure that if you browse to http://yourdomain.com/Application.cfm your error template displays, rather than a generic ColdFusion error message. Unless configured properly, that URL generally bypasses a site's error template.
  • Never have either debugging output or robust exception handling enabled on public-facing websites.
  • This is a bit technical, but all dynamic values being passed to a database must be passed via query parameters, not by embedding the values in the SQL itself. This is a non-trivial security vector (and one that is obvious if your error pages aren't configured properly!).
  • [there's plenty of other stuff to consider too]
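As an added illustration of the error-handler and query-parameter points above (example code added to this post, not the author's own; the application name, datasource name and error page path are assumed):

```cfml
<!--- Application.cfc (constructed example; "exampleApp", "myDsn" and /errors/generic.cfm are assumed names) --->
<cfcomponent output="false">
    <cfset this.name = "exampleApp">

    <!--- Global error handler: ColdFusion calls this for any uncaught exception,
          so the visitor never sees the default error screen with its stack trace and SQL --->
    <cffunction name="onError" returntype="void" output="true">
        <cfargument name="exception" type="any" required="true">
        <cfargument name="eventName" type="string" required="true">

        <!--- Keep the detail (message, SQL text, tag context) in the server log only --->
        <cflog file="application" type="error"
               text="[#arguments.eventName#] #arguments.exception.message# :: #arguments.exception.detail#">

        <!--- Show a fixed, generic page that reveals nothing about the code or database --->
        <cfinclude template="/errors/generic.cfm">
        <cfabort>
    </cffunction>
</cfcomponent>

<!--- user.cfm: the same lookup written both ways --->

<!--- Vulnerable: the URL value is concatenated straight into the SQL string,
      so whatever a visitor puts in ?id= becomes part of the query --->
<cfquery name="user" datasource="myDsn">
    SELECT id, username FROM users WHERE id = #url.id#
</cfquery>

<!--- Fixed: the value is bound as a typed parameter, so it can only ever be an
      integer value for the driver, never additional SQL --->
<cfquery name="user" datasource="myDsn">
    SELECT id, username
    FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

With the handler in place, a bad `?id=` value on the fixed query raises a parameter-type error that is logged and answered with the generic page rather than with ColdFusion's own error output.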

Community

Please join the online ColdFusion / CFML community. By this I mean read some blogs, sign up to some forums, follow people on Twitter. We discuss security stuff all the time, and it's the best and fastest way to find out if any new security issues crop up. The internet is not an environment in which one can set up a website and then just leave it and it'll be OK. One needs to stay on top of what's going on in the industry, and be aware of security concerns.

We can also help you with problems you have (either just for free, or we can provide consultancy for bigger jobs).

Why am I telling you this?

I can go into more details via email (or however I made contact with you), but I've spotted a problem on your website.

I've been in the ColdFusion community for years, and have got to the point where I figure I should be giving something back to the community. I maintain this blog for one, and more recently have become concerned about lax security (and the exploitation thereof) in our community. So I have decided to try to help tighten up security around the place. Adobe has got a lot of bad press recently (some fair, some not so fair) about ColdFusion exploits, and ColdFusion's reputation in the marketplace affects us all. I don't do consultancy so I'm not looking to gain anything from this other than trying to help out. And I am legit... read the blog or ask people.

Cheers for reading this. I hope you follow up.

--
Adam