Wednesday 23 September 2015

ColdFusion / Lucee: the first two things I do when I find a new CFML site

G'day:
I just had to email yet another ColdFusion-based website about security holes in their website. Which I found via a Google search result when searching for [something else]. It'll be interesting to see if they do anything about it.

If you run a ColdFusion website, do this:

http://yourdomain.com/CFIDE/administrator

Or on a Lucee website:

http://yourdomain.com/lucee/admin/web.cfm
http://yourdomain.com/lucee/admin/server.cfm

Or on Railo:

http://yourdomain.com/railo-context/admin/web.cfm
http://yourdomain.com/railo-context/admin/server.cfm

If you see anything other than a 404 page, your site is possibly insecure. You must not expose your admin UI to the public.

Then try this:

http://yourdomain.com/Application.cfm

If you get a CFML error message instead of your web server error page, you are also emitting information about your site you should not be.

Whenever I hear about a CFML website, I check those two things. depressingly often I find them not secure. And note: if you're in the habit of announcing the launch of new CFML-driven websites, make sure you've done this stuff first.

As I have said before: "Don't advertise yourself as a CFML website". Ideally you should not even be exposing URLs which have a .cfm extension, as this is giving away information you should not be giving away. That said, I would not worry too much about that, but definitely do worry about having you CF Administrator exposed.

What you really ought to do whenever you are going to launch a new CFML-driven website is engage Foundeo (disclosure: I have nothing to do with Foundeo, and I am making this recommendation solely because I respect the work they do) to do a security audit for you:  HackMyCF. They'll check all sorts of stuff for you, and make sure you're secure. And you really must do this sort of thing as a matter of course.

Don't leave yourself exposed and become one of those news stories.

--
Adam