Rhino Security Labs

Warning: Your ColdFusion application could be putting your business at risk

What is ColdFusion?


ColdFusion is a popular web-application development language, created and maintained by Adobe. Unfortunately, it’s also one of the least secure. If you are developing a new ColdFusion app, or maintaining a legacy code base, there are a few areas you may want to review to make sure you’re not opening yourself up to unexpected risks.

ColdFusion risks

Every development language has its own set of quirks and vulnerabilities. Unfortunately, ColdFusion is particularly vulnerable to some common attacks. Adobe has never been known for a strong security culture, and as ColdFusion has grown under its guidance, security controls have fallen behind.

Specifically, ColdFusion is vulnerable to login bypass exploits in all of the recent release versions (v6-v10). The details shift slightly between versions, but the vulnerabilities are widely documented and can be exploited using freely available scripts.

Similarly, ColdFusion has a number of file-disclosure weaknesses which can be exploited to obtain password hashes and other sensitive data from the system. Since administrative access to the ColdFusion console can allow an attacker to upload a webshell, this attack opens the door to a more sophisticated compromise.

Your options

From a security standpoint, the ideal solution may be to abandon ColdFusion as a development platform. But this may only be realistic if you have not yet begun a project or were already planning a move. For some businesses, the security benefit outweighs the hassle of migrating to a new development language.

If you’re dedicated to using ColdFusion (or are otherwise stuck with it), general security best practices will help keep you protected.

Patching your code to use the latest version of the language will address many of the documented exploits and help you stay ahead of new vulnerabilities. You will have to weigh the impact of patches on your development process, but in most cases the benefit of keeping your code base patched will outweigh the operational risks.

IP whitelisting and similar access-restriction techniques may also come into play if they are feasible in your environment.
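As an added example (not code from the original post or from Rhino Security Labs), the script below shows what an IP allow-list for the ColdFusion administrative console looks like in practice, and how to audit web-server access logs for console requests that fall outside it. The `/CFIDE/administrator` and `/CFIDE/adminapi` prefixes are ColdFusion's default console paths; the allow-listed networks, the log lines and the helper names are constructed for this illustration.

```python
import ipaddress
import re

# Default URL prefixes of the ColdFusion Administrator console and its Admin API.
# Matching is case-insensitive because the console is reachable as /cfide/... too.
PROTECTED_PREFIXES = ("/CFIDE/administrator", "/CFIDE/adminapi")

# Hypothetical allow-list (constructed): a management subnet and one jump host.
ADMIN_ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "203.0.113.7/32")]

# Common/combined log format: client ip, identity, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def is_protected(path):
    """True if the request path (query string ignored) targets the admin console."""
    p = path.split("?", 1)[0].lower()
    return any(p.startswith(prefix.lower()) for prefix in PROTECTED_PREFIXES)


def is_allowed(path, client_ip, allowlist=ADMIN_ALLOWLIST):
    """Allow-list decision: non-console paths pass; console paths need a listed source IP."""
    if not is_protected(path):
        return True
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        # Unparseable source address: fail closed.
        return False
    return any(addr in net for net in allowlist)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def audit_log(lines, allowlist=ADMIN_ALLOWLIST):
    """Return the parsed records for console requests that came from outside the allow-list.

    Every hit is reported regardless of HTTP status: a 200 on the login page from an
    untrusted address already shows the console is exposed, and a 302 may be a login.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if not is_allowed(rec["path"], rec["ip"], allowlist):
            findings.append(rec)
    return findings


# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
10.20.0.15 - - [12/Mar/2014:09:14:02 -0700] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5123
198.51.100.23 - - [12/Mar/2014:09:15:40 -0700] "GET /CFIDE/administrator/enter.cfm HTTP/1.1" 200 2211
198.51.100.23 - - [12/Mar/2014:09:15:41 -0700] "POST /cfide/administrator/enter.cfm HTTP/1.1" 302 0
192.0.2.9 - - [12/Mar/2014:09:16:10 -0700] "GET /index.cfm?page=home HTTP/1.1" 200 8870
203.0.113.7 - - [12/Mar/2014:09:17:05 -0700] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5123
"""

if __name__ == "__main__":
    for rec in audit_log(SAMPLE_LOG.splitlines()):
        print(f'{rec["ts"]} console request from {rec["ip"]} outside allow-list: '
              f'{rec["method"]} {rec["path"]} -> {rec["status"]}')
```

The decision logic in `is_allowed` is the same rule you would express in the web server in front of ColdFusion (an allow/deny block on the console location), so the audit reports exactly the requests that rule would have refused. One caveat: the parser takes the client address from the first log field, which is correct only when the server is directly exposed; behind a load balancer or reverse proxy, the real client address must come from a header the proxy is trusted to set, or every console request will appear to come from the proxy.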

Depending on your situation, it may be a good idea to have an application penetration test performed against your ColdFusion server and applications. A penetration test will uncover both ColdFusion-specific issues and general security vulnerabilities you may not have caught in your own reviews. This security assessment provides specific remediation steps your development team can address, as well as an executive summary for IT management.